 From:  "Alex M" <radiussupport at lrcommunications dot net>
 To:  "'Sven Brill'" <madde at gmx dot net>
 Cc:  "Mono Dev List" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Feature Needed: Passthrough for destination domain name (CP)
 Date:  Fri, 11 Aug 2006 23:45:51 -0400
I haven't looked at the CP code for like 6 months, but I don't think it uses
firewall rules? Technically it should check if the user is not authorized, then not
allow package delivery and show a dummy page, or allow it to go through if the page is
listed in pass-through. And even if the firewall is used, why is that so hard?

-----Original Message-----
From: Sven Brill [mailto:madde at gmx dot net] 
Sent: Friday, August 11, 2006 11:35 PM
To: Alex M
Cc: Mono Dev List
Subject: Re: [m0n0wall-dev] Feature Needed: Passthrough for destination domain name (CP)

Alex M wrote:
> Also, I set my company's IP (which for sure has only one IP) and when I
> typed the name it didn't allow me to go through. There is a definite need to add
> Domain Pass-through!
>
Do you use m0n0 as your DNS forwarder? You probably couldn't get through 
to the web site because the unauthenticated client was not allowed to 
contact the DNS server, but that's just a guess.

Adding the feature you describe is probably not as easy as it sounds. 
The packet filter does not do DNS lookups, so you would have to expand 
the code so that ANY request from an unauthenticated client first gets 
checked against the allowed hostnames, THEN the firewall would have to 
resolve the hostname and dynamically set a rule to allow the result of 
the DNS lookup, since IPs change (dynamic, round robin, you name it). 
After that, for security reasons, the dynamically generated rule would 
probably have to be deleted, so that a future DNS change does not allow 
the wrong traffic out and the ruleset grows too much. Not a cut-and-dried 
thing.

Sven
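The mechanism Sven outlines (resolve each allowed hostname, install a per-IP allow rule for unauthenticated clients, and retire that rule before a DNS change can turn it into a hole for the wrong traffic) in a small Python sketch. This is an added example, not m0n0wall's captive portal code: the hostnames, addresses, TTLs and the resolver are constructed so it runs offline, and the `DomainPassthrough` class and its method names are my own.

```python
"""Hostname passthrough for a captive portal, with rule expiry.

Constructed sketch (not m0n0wall code): the packet filter only knows IP
addresses, so a hostname allow-list has to be resolved to addresses, turned
into per-IP allow rules for unauthenticated clients, and those rules retired
when the DNS answer's TTL runs out, so that a later DNS change (round robin,
dynamic DNS) does not leave stale holes and the ruleset does not keep growing.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    dst_ip: str
    hostname: str
    expires_at: float  # seconds since epoch; rule is dropped once now >= expires_at


class DomainPassthrough:
    def __init__(self, allowed_hostnames, resolver, max_ttl=300):
        # resolver(hostname) -> (list_of_ips, ttl_seconds); injected so the
        # example runs offline. A real deployment would wrap the system resolver.
        self.allowed = {h.lower().rstrip(".") for h in allowed_hostnames}
        self.resolver = resolver
        self.max_ttl = max_ttl  # cap on how long any single answer is trusted
        self.rules = {}  # dst_ip -> AllowRule

    def expire(self, now):
        """Drop every rule whose TTL has run out; return the addresses dropped."""
        dropped = sorted(ip for ip, r in self.rules.items() if r.expires_at <= now)
        for ip in dropped:
            del self.rules[ip]
        return dropped

    def refresh(self, now):
        """Re-resolve each allowed hostname and rebuild the per-IP rules.

        Returns the sorted list of destination addresses currently allowed.
        """
        self.expire(now)
        for host in sorted(self.allowed):
            try:
                ips, ttl = self.resolver(host)
            except (KeyError, OSError):  # NXDOMAIN / timeout: keep unexpired rules only
                continue
            ttl = max(1, min(int(ttl), self.max_ttl))
            for ip in ips:
                # Validate before anything reaches the packet filter.
                ip = str(ipaddress.ip_address(ip))
                self.rules[ip] = AllowRule(ip, host, now + ttl)
        return sorted(self.rules)

    def is_allowed(self, dst_ip, now):
        """Would an unauthenticated client be let through to dst_ip right now?"""
        self.expire(now)
        return str(ipaddress.ip_address(dst_ip)) in self.rules


def make_fake_resolver(table):
    """Build a resolver over a constructed answer table; KeyError stands in for NXDOMAIN."""
    def resolve(hostname):
        return table[hostname]
    return resolve


# Constructed DNS answers (documentation-range addresses, not real records).
FAKE_DNS = {
    "www.example.com": (["192.0.2.10", "192.0.2.11"], 60),
    "payments.example.net": (["198.51.100.5"], 30),
}


def demo():
    """Walk through a DNS change: the old address must stop being allowed."""
    table = dict(FAKE_DNS)  # private copy so demo() can be called repeatedly
    cp = DomainPassthrough(["www.example.com", "payments.example.net"],
                           make_fake_resolver(table))
    cp.refresh(now=1000)
    before = cp.is_allowed("192.0.2.10", now=1010)       # inside the 60 s TTL
    table["www.example.com"] = (["192.0.2.99"], 60)       # operator moves the site
    cp.refresh(now=1061)                                  # old answer expired at 1060
    after_old = cp.is_allowed("192.0.2.10", now=1061)    # stale hole is closed
    after_new = cp.is_allowed("192.0.2.99", now=1061)    # new address is learned
    return before, after_old, after_new


if __name__ == "__main__":
    print(demo())
```

The TTL cap is the defensive part: even a long-lived DNS answer is re-checked within `max_ttl`, so a record that changes hands does not keep an allow rule alive. The sketch does not model the other half Sven mentions, hooking the unauthenticated client's own request so the lookup happens before the firewall decision; here the rules are simply refreshed on a timer.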
