On 22.10.2004 07:55 +1000, Quark IT - Hilton Travis wrote:
> Anyway, currently m0n0wall doesn't allow a FQDN to be used in its
> "aliases" section, or in other places in its web interface. I
> suggest adding this as an option that is disabled by default to
> keep those who think that this is insecure happy.

It's not security that is the problem. Have you thought about what
would happen if you used an alias with an FQDN in a filter rule?
ipfilter cannot deal with DNS names, only IP addresses. If you give
it a name, it simply looks up the IP address at the time the rules
are loaded. If the IP address for the name changes later on (e.g.
DynDNS), the filter rule stays the same. You can't do this without
using/writing some kind of daemon that keeps checking such names for
IP address changes and then updates the corresponding filter rule.
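
The kind of daemon the reply above describes, as an added example that is not part of the original message or of m0n0wall: it re-resolves each FQDN alias on a timer and re-renders the address-only rules ipfilter needs whenever the answer changes. The alias name, hostname, rule text and the `reload_filter` callback are constructed or hypothetical.

```python
import socket
import time

# Constructed sample data: alias name -> FQDN, and one ipfilter rule per alias.
ALIASES = {"admin_home": "admin.dyndns.example"}
RULES = {"admin_home": "pass in quick proto tcp from {ip} to any port = 22 keep state"}

def resolve(fqdn):
    """Return the sorted IPv4 addresses for fqdn, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

class AliasWatcher:
    def __init__(self, aliases, rules, resolver=resolve):
        self.aliases, self.rules, self.resolver = aliases, rules, resolver
        self.loaded = {}  # alias -> addresses currently expanded in the ruleset

    def poll(self):
        """Re-resolve all aliases; return the aliases whose addresses changed."""
        changed = []
        for alias, fqdn in self.aliases.items():
            addrs = self.resolver(fqdn)
            # A failed lookup keeps the last known addresses instead of
            # silently dropping the rule from the next reload.
            if addrs and addrs != self.loaded.get(alias):
                self.loaded[alias] = addrs
                changed.append(alias)
        return changed

    def render(self):
        """Expand each rule once per resolved address (ipfilter sees only IPs)."""
        return [self.rules[alias].format(ip=ip)
                for alias in sorted(self.loaded) for ip in self.loaded[alias]]

def run(watcher, reload_filter, interval=300):
    """Daemon loop; reload_filter (hypothetical) installs the rendered rules."""
    while True:
        if watcher.poll():
            reload_filter(watcher.render())
        time.sleep(interval)
```

Between polls the loaded rule still points at the old address, so the polling interval bounds how long a stale rule stays in effect.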