 From:  Paul Taylor <ptaylor at addressplus dot net>
 To:  Sven Brill <madde at gmx dot net>
 Cc:  Alex M <radiussupport at lrcommunications dot net>, Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Feature Needed: Passthrough for destanation domain name (CP)
 Date:  Fri, 11 Aug 2006 23:45:10 -0400
Wouldn't it be simpler to do DNS lookups on all the "allowed" sites  
just to get a list of a single IP per site that works, then configure  
DNS to have those entries in as static, then just configure those IPs  
as allowed?

On Aug 11, 2006, at 11:35 PM, Sven Brill wrote:

> Alex M wrote:
>> Also, I set my company's IP (that for sure has only one IP), and
>> when I typed the name it didn't allow me to go through. There is a
>> definite need to add Domain Pass-through!
>>
> Do you use m0n0 as your DNS forwarder? You probably couldn't get  
> through to the web site because the unauthenticated client was not  
> allowed to contact the DNS server, but that's just a guess.
>
> Adding the feature you describe is probably not as easy as it  
> sounds. The packet filter does not do DNS lookups, so you would  
> have to expand the code so that ANY request from an unauthenticated  
> client first gets checked against the allowed hostnames, THEN the  
> firewall would have to resolve the hostname and dynamically set a  
> rule to allow the result of the DNS lookup, since IPs change  
> (dynamic, round robin, you name it). After that, for security  
> reasons, the dynamically generated rule would probably have to be  
> deleted, so that a future DNS change does not allow the wrong  
> traffic out and the ruleset does not grow too much. Not a cut-and-dried thing.
>
> Sven
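As an added illustration of the two approaches in this thread (the static pinning Paul proposes above, and the dynamic rule-per-lookup that Sven sketches), here is example Python that is not part of the original messages and is not m0n0wall's own code. The DNS answers come from a constructed table standing in for real lookups so it runs offline; every hostname, address, class and function name is hypothetical.

```python
"""Captive-portal passthrough by destination hostname: static pinning vs. per-lookup rules.

Added example; not m0n0wall code.  DNS answers come from a constructed table so
the script runs offline; hostnames and addresses are hypothetical (RFC 5737 ranges).
"""
import time

# Constructed stand-in for the resolver: hostname -> (ttl_seconds, [A records]).
FAKE_DNS = {
    "www.example.com": (300, ["192.0.2.10", "192.0.2.11"]),   # round robin, two answers
    "portal.example.net": (60, ["198.51.100.5"]),             # single address
}


def resolve(hostname, dns=FAKE_DNS):
    """Return (ttl, addresses); (None, []) when the name does not resolve."""
    return dns.get(hostname, (None, []))


def normalize(hostname):
    """Case-fold and drop a trailing dot so 'WWW.Example.com.' matches the allow-list."""
    return hostname.strip().lower().rstrip(".")


def pin_static(allowed_hosts, dns=FAKE_DNS):
    """Paul's approach: resolve each allowed host once, keep one address, and
    return (static DNS entries for the firewall's forwarder, allowed IP list).
    Clients that use the firewall's DNS are told that one IP, so the allow
    rule and the DNS answer stay in step.  A client using some other resolver
    may receive a different round-robin address and will be blocked."""
    hosts_entries, allow_ips = [], []
    for name in allowed_hosts:
        name = normalize(name)
        _ttl, addrs = resolve(name, dns)
        if not addrs:
            continue  # unresolvable name: nothing to pin
        ip = addrs[0]
        hosts_entries.append(f"{ip} {name}")
        allow_ips.append(ip)
    return hosts_entries, allow_ips


class DynamicPassthrough:
    """Sven's sketch: an unauthenticated client's request is checked against the
    allowed hostnames, the name is resolved, and a client->IP rule is added that
    lives only as long as the DNS TTL, then is deleted so a later DNS change does
    not keep the wrong traffic open and the ruleset does not grow without bound."""

    def __init__(self, allowed_hosts, dns=FAKE_DNS, now=time.time):
        self.allowed = {normalize(h) for h in allowed_hosts}
        self.dns = dns
        self.now = now                     # injectable clock for testing
        self.rules = {}                    # (client_ip, dst_ip) -> expiry time

    def request(self, client_ip, hostname):
        """Return the addresses opened for this client, or [] if denied."""
        name = normalize(hostname)
        if name not in self.allowed:
            return []
        ttl, addrs = resolve(name, self.dns)
        if not addrs:
            return []
        expiry = self.now() + ttl
        for ip in addrs:
            self.rules[(client_ip, ip)] = expiry
        return list(addrs)

    def permits(self, client_ip, dst_ip):
        """Would the packet filter pass client_ip -> dst_ip right now?"""
        expiry = self.rules.get((client_ip, dst_ip))
        return expiry is not None and expiry > self.now()

    def expire(self):
        """Delete rules whose TTL has lapsed; return how many were removed."""
        t = self.now()
        stale = [k for k, e in self.rules.items() if e <= t]
        for k in stale:
            del self.rules[k]
        return len(stale)


if __name__ == "__main__":
    hosts, ips = pin_static(["www.example.com", "portal.example.net"])
    print("static DNS entries:", hosts)
    print("allowed IPs:", ips)
    cp = DynamicPassthrough(["www.example.com"])
    print("opened:", cp.request("10.0.0.5", "WWW.example.com."))
    print("permits 10.0.0.5 -> 192.0.2.11:", cp.permits("10.0.0.5", "192.0.2.11"))
```

The static variant only works if unauthenticated clients are forced to use the firewall's own DNS (the point Sven raises about the DNS forwarder being unreachable before login); otherwise a second round-robin answer, 192.0.2.11 in the constructed table, is never in the allow-list. The dynamic variant keys each rule on the requesting client and the resolved address and throws it away when the TTL runs out, which is the cleanup step Sven describes.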