 
 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Name Resolution
 Date:  Sat, 23 Oct 2004 05:33:10 +1000
Hi Manuel,

Please don't bring facts into a good argument - I'd have thought your
wife would have taught you this by now!  :)

Yes, I can see where, since ipfilter can handle only IPs - I was unaware
of this - this could be rather a problem.  The remote end changes their
IP after the lookup is performed, and who knows who you are letting
through your firewall.

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- it's now time to shame poor coders
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left.

> -----Original Message-----
> From: Manuel Kasper [mailto:mk at neon1 dot net] 
> Sent: Friday, 22 October 2004 16:12
> To: Quark IT - Hilton Travis
> Cc: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall-dev] Name Resolution
> 
> On 22.10.2004 07:55 +1000, Quark IT - Hilton Travis wrote:
> 
> > Anyway, currently m0n0wall doesn't allow a FQDN to be used in its
> > "aliases" section, or in other places in its web interface.  I
> > suggest adding this as an option that is disabled by default to
> > keep those who think that this is insecure happy.
> 
> It's not security that is the problem. Have you thought about what
> would happen if you used an alias with an FQDN in a filter rule?
> ipfilter cannot deal with DNS names, only IP addresses. If you give
> it a name, it simply looks up the IP address at the time the rules
> are loaded. If the IP address for the name changes later on (e.g.
> DynDNS), the filter rule stays the same. You can't do this without
> using/writing some kind of daemon that keeps checking such names for
> IP address changes and then updates the corresponding filter rule.
> Ugly...
> 
> - Manuel
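The failure mode Manuel describes (ipfilter resolves an alias name once at rule-load time, so a DynDNS change leaves the old address in the rule and the new one blocked) and the "daemon that keeps checking such names" he sketches, as an added example that is not code from this thread, from m0n0wall or from ipfilter. The resolver, the hostname `office.dyndns.example` and the addresses are constructed so the script runs offline; the real rule-reload step is stood in for by re-freezing the address set.

```python
# Added example (not m0n0wall or ipfilter code): a toy model of why an FQDN in a
# filter alias goes stale, plus the re-check pass a name-watching daemon would need.
# FakeResolver is a constructed stand-in for DNS so everything runs offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedRule:
    name: str          # the FQDN written in the alias
    addrs: frozenset   # IPs baked into the rule when the rule set was loaded


class FakeResolver:
    """Constructed in-memory DNS; answers can be changed to simulate a DynDNS update."""

    def __init__(self, table):
        self.table = {name: set(addrs) for name, addrs in table.items()}

    def __call__(self, name):
        return set(self.table.get(name, ()))

    def update(self, name, addrs):
        self.table[name] = set(addrs)


class AliasMonitor:
    def __init__(self, resolver):
        self.resolver = resolver   # callable: name -> set of IP strings
        self.rules = {}

    def load_rules(self, names):
        """Mimic ipfilter: resolve each name exactly once, at load time, and freeze it."""
        for name in names:
            self.rules[name] = LoadedRule(name, frozenset(self.resolver(name)))
        return {n: set(r.addrs) for n, r in self.rules.items()}

    def allows(self, name, src_ip):
        """What the loaded rule really matches: the frozen IPs, not the current record."""
        return src_ip in self.rules[name].addrs

    def check(self):
        """One pass of the watcher: re-resolve every name and report drift."""
        drift = {}
        for name, rule in self.rules.items():
            current = frozenset(self.resolver(name))
            if current != rule.addrs:
                drift[name] = {
                    "stale_allowed": sorted(rule.addrs - current),    # old IPs still passing
                    "not_yet_allowed": sorted(current - rule.addrs),  # new IPs being dropped
                }
        return drift

    def refresh(self):
        """Reload only the rules whose name drifted; returns the names refreshed."""
        changed = sorted(self.check())
        self.load_rules(changed)
        return changed


if __name__ == "__main__":
    dns = FakeResolver({"office.dyndns.example": ["192.0.2.10"]})
    mon = AliasMonitor(dns)
    mon.load_rules(["office.dyndns.example"])
    dns.update("office.dyndns.example", ["198.51.100.7"])  # DynDNS moved the host
    # Old address still passes, new one is blocked, until refresh() runs.
    print(mon.allows("office.dyndns.example", "192.0.2.10"), mon.check())
    print(mon.refresh(), mon.check())
```

The `stale_allowed` entry is the part Hilton is worried about: whoever holds the old address after the DNS change is still matched by the rule until something reloads it, which is why a name-based alias needs the polling loop in `check()` and `refresh()` behind it rather than a one-off lookup.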