Hi Manuel,
Please don't bring facts into a good argument - I'd have thought your
wife would have taught you this by now! :)
Yes, I can see where, since ipfilter can handle only IPs - I was unaware
of this - this could be rather a problem. The remote end changes their
IP after the lookup is performed, and who knows who you are letting
through your firewall.
--
Regards,
Hilton Travis Phone: +61 (0)7 3344 3889
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark AudioVisual http://www.quarkav.net
http://www.threatcode.com/ <-- it's now time to shame poor coders
into writing code that is acceptable for use on today's networks
War doesn't determine who is right. War determines who is left.
> -----Original Message-----
> From: Manuel Kasper [mailto:mk at neon1 dot net]
> Sent: Friday, 22 October 2004 16:12
> To: Quark IT - Hilton Travis
> Cc: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall-dev] Name Resolution
>
> On 22.10.2004 07:55 +1000, Quark IT - Hilton Travis wrote:
>
> > Anyway, currently m0n0wall doesn't allow a FQDN to be used in its
> > "aliases" section, or in other places in its web interface. I
> > suggest adding this as an option that is disabled by default to
> > keep those who think that this is insecure happy.
>
> It's not security that is the problem. Have you thought about what
> would happen if you used an alias with an FQDN in a filter rule?
> ipfilter cannot deal with DNS names, only IP addresses. If you give
> it a name, it simply looks up the IP address at the time the rules
> are loaded. If the IP address for the name changes later on (e.g.
> DynDNS), the filter rule stays the same. You can't do this without
> using/writing some kind of daemon that keeps checking such names for
> IP address changes and then updates the corresponding filter rule.
> Ugly...
>
> - Manuel
>
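A small checker for the stale-lookup problem Manuel describes, as an added example that is not m0n0wall or ipfilter code: it re-resolves each alias name, reports which ones now point somewhere else (so the rules must be regenerated), keeps the old addresses when a lookup fails, and expands a rule template per address. The rule template, the `resolver` hook and the helper names are assumptions; the lookup table used offline is constructed.

```python
import socket
from typing import Callable, Dict, FrozenSet, List, Tuple

# Hypothetical helper names; nothing here is m0n0wall or ipfilter code.
Addresses = FrozenSet[str]
Resolver = Callable[[str], Addresses]

def system_resolver(name: str) -> Addresses:
    """Fresh lookup of an FQDN's IPv4 addresses via the OS resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return frozenset(info[4][0] for info in infos)

def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for system_resolver backed by a constructed table."""
    def resolve(name: str) -> Addresses:
        if name not in table:
            raise socket.gaierror(f"constructed NXDOMAIN for {name}")
        return frozenset(table[name])
    return resolve

def check_aliases(loaded: Dict[str, Addresses], resolver: Resolver = system_resolver
                  ) -> Tuple[Dict[str, Addresses], List[Tuple[str, Addresses, Addresses]], List[str]]:
    """Compare the addresses the rules were loaded with against a new lookup.

    Returns (current addresses per alias, list of (name, old, new) that moved,
    names whose lookup failed). A failed lookup keeps the old addresses: the
    rule must not be rewritten to an empty set just because DNS was down.
    """
    current: Dict[str, Addresses] = {}
    moved: List[Tuple[str, Addresses, Addresses]] = []
    failed: List[str] = []
    for name, old in loaded.items():
        try:
            new = resolver(name)
        except (socket.gaierror, OSError):
            failed.append(name)
            current[name] = old
            continue
        current[name] = new
        if new != old:
            moved.append((name, old, new))
    return current, moved, failed

def render_rules(template: str, addresses: Addresses) -> List[str]:
    """Expand one rule line per address; the template format is an assumption."""
    return [template.format(addr=a) for a in sorted(addresses)]
```

Run `check_aliases` on a timer and reload the filter only when the moved list is non-empty; names in the failed list keep whatever the rules already contain.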