 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Quark IT - Hilton Travis <hilton at quarkit dot com dot au>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Name Resolution
 Date:  Fri, 22 Oct 2004 07:33:06 +0200
On 22.10.2004 07:55 +1000, Quark IT - Hilton Travis wrote:

> Anyway, currently m0n0wall doesn't allow a FQDN to be used in its
> "aliases" section, or in other places in its web interface.  I
> suggest adding this as an option that is disabled by default to
> keep those who think that this is insecure happy.

It's not security that is the problem. Have you thought about what
would happen if you used an alias with an FQDN in a filter rule?
ipfilter cannot deal with DNS names, only IP addresses. If you give
it a name, it simply looks up the IP address at the time the rules
are loaded. If the IP address for the name changes later on (e.g.
DynDNS), the filter rule stays the same. You can't do this without
using/writing some kind of daemon that keeps checking such names for
IP address changes and then updates the corresponding filter rule.
Ugly...

- Manuel
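The problem Manuel describes, shown as an added example (not m0n0wall or ipfilter code): a name in a rule is resolved once at load time and frozen into the rule text, and the only remedy is a watcher that re-resolves the names and regenerates the affected rules. The rule fields, `Rule` class and the dict-backed stand-in for DNS are hypothetical; the FQDN and 192.0.2.x addresses are constructed sample values.

```python
import socket
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", ...
    host: str     # FQDN as typed into the rule (hypothetical alias value)
    port: int

def render(rules, addrs):
    """Render ipfilter rule text with each name replaced by the address
    known at this moment; this is effectively what rule load does."""
    return [f"{r.action} in quick proto {r.proto} from {addrs[r.host]} "
            f"to any port = {r.port}" for r in rules]

def safe_resolve(name, resolve, fallback=None):
    """Resolve a name; on lookup failure keep the last known address so a
    transient DNS outage does not silently rewrite the rule."""
    try:
        addr = resolve(name)
    except (socket.gaierror, OSError):
        addr = None
    return addr if addr else fallback

def load_rules(rules, resolve=socket.gethostbyname):
    """Rule load: resolve each FQDN once and freeze the result."""
    snapshot = {r.host: safe_resolve(r.host, resolve) for r in rules}
    return snapshot, render(rules, snapshot)

def check_for_changes(snapshot, resolve=socket.gethostbyname):
    """One tick of the watcher daemon: re-resolve every name and report
    which addresses drifted, together with the refreshed snapshot."""
    current = {h: safe_resolve(h, resolve, fallback=old)
               for h, old in snapshot.items()}
    changed = {h: (snapshot[h], current[h])
               for h in snapshot if snapshot[h] != current[h]}
    return changed, current

if __name__ == "__main__":
    # Constructed stand-in for DNS so the example runs offline.
    fake_dns = {"office.example.net": "192.0.2.10"}
    rules = [Rule("pass", "tcp", "office.example.net", 22)]
    snap, text = load_rules(rules, fake_dns.get)
    print("\n".join(text))
    fake_dns["office.example.net"] = "192.0.2.77"   # DynDNS-style update
    changed, snap = check_for_changes(snap, fake_dns.get)
    if changed:   # only now would the rule set need reloading
        print(changed, "\n".join(render(rules, snap)))
```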