Wouldn't it be simpler to do DNS lookups on all the "allowed" sites
just to get a list of a single IP per site that works, then configure
DNS to have those entries in as static, then just configure those IPs
as allowed?
On Aug 11, 2006, at 11:35 PM, Sven Brill wrote:
> Alex M wrote:
>> Also, set my company's IP (that's for sure has only one IP) and
>> when I typed the name it didn't allow to go through. There is a
>> definite need to add Domain Pass-through!
>>
> Do you use m0n0 as your DNS forwarder? You probably couldn't get
> through to the web site because the unauthenticated client was not
> allowed to contact the DNS server, but that's just a guess.
>
> Adding the feature you describe is probably not as easy as it
> sounds. The packet filter does not do DNS lookups, so you would
> have to expand the code so that ANY request from an unauthenticated
> client first gets checked against the allowed hostnames, THEN the
> firewall would have to resolve the hostname and dynamically set a
> rule to allow the result of the DNS lookup, since IPs change
> (dynamic, round robin, you name it). After that, for security
> reasons, the dynamically generated rule would probably have to be
> deleted, so that a future DNS change does not allow the wrong
> traffic out and the ruleset grows too much. Not a cut-and-dry thing.
>
> Sven
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
>
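To make the resolve-then-rule loop Sven describes concrete (and to show why the "one static IP per site" shortcut in the reply above goes stale), here is an added example that is not m0n0wall's own code: it resolves an allowed-hostname list, emits one pass rule per observed address, and on re-resolution reports which rules to add and which to delete. The hostnames, addresses and the two DNS "snapshots" are constructed; `live_resolver` is the only part that talks to real DNS.

```python
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

Resolver = Callable[[str], Set[str]]
Rule = Tuple[str, str, int]  # (hostname, ip, port)

# Constructed sample answers standing in for real DNS. "shop.example" is
# round-robin, so the second lookup returns a different address set.
SNAPSHOT_T0 = {"www.example": {"192.0.2.10"},
               "shop.example": {"198.51.100.1", "198.51.100.2"}}
SNAPSHOT_T1 = {"www.example": {"192.0.2.10"},
               "shop.example": {"198.51.100.2", "198.51.100.3"}}


def make_resolver(snapshot: Dict[str, Set[str]]) -> Resolver:
    """Offline resolver backed by a constructed answer table."""
    return lambda host: set(snapshot.get(host, set()))


def live_resolver(host: str) -> Set[str]:
    """Real lookup via getaddrinfo: every IPv4 address currently returned."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def resolve_allowlist(hosts: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Hostname -> addresses observed right now (a host with no answer yields none)."""
    return {h: resolve(h) for h in hosts}


def build_rules(resolved: Dict[str, Set[str]], ports=(80, 443)) -> Set[Rule]:
    """One pass rule per observed address, restricted to the web ports."""
    return {(h, ip, p) for h, ips in resolved.items() for ip in ips for p in ports}


def diff_rules(old: Set[Rule], new: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """(rules to add, rules to delete) after a re-resolution.

    Deleting the stale set is what stops an old address from staying open after
    a DNS change and keeps the ruleset from growing without bound."""
    return new - old, old - new


def refresh(hosts: Iterable[str], old_rules: Set[Rule], resolve: Resolver):
    """Re-resolve and return (current rules, rules to add, rules to delete)."""
    new_rules = build_rules(resolve_allowlist(hosts, resolve))
    to_add, to_remove = diff_rules(old_rules, new_rules)
    return new_rules, to_add, to_remove
```

Running `refresh` on a timer is the minimum needed to keep such rules honest; an address that drops out of the answer set should be removed at the same time a new one is added.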