[ previous ] [ next ] [ threads ]
 From:  Sven Brill <madde at gmx dot net>
 To:  Alex M <radiussupport at lrcommunications dot net>
 Cc:  Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Feature Needed: Passthrough for destanation domain name (CP)
 Date:  Fri, 11 Aug 2006 23:35:00 -0400
Alex M wrote:
> Also, set my company's IP (that's for sure has only one IP) and when I typed
> the name it didn't allow to go through. There is a definet need to add
> Domain Pass-through!
Do you use m0n0 as your DNS forwarder? You probably couldn't get through 
to the web site because the unauthenticated client was not allowed to 
contact the DNS server, but that's just a guess.

Adding the feature you describe is probably not as easy as it sounds. 
the packet filter does not do DNS lookups, so you would have to expand 
the code so that ANY request from an unauthenticated client first gets 
checked against the allowed hostnames, THEN the firewall would have to 
resolve the hostname and dynamically set a rule to allow the result of 
the DNS lookup, since IPs change (dynamic, round robin, you name it). 
After that, for security reasons, the dynamically generated rule would 
probably have to be deleted, so that a future DNS change does not allow 
the wrong traffic out and the ruleset grows too much. Not a cut-and-dry