 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Use hostname (not IP) for address or alias
 Date:  Tue, 1 Mar 2005 12:59:14 -0800
I need to have some pinhole rules for an external user whose IP
address is assigned dynamically.  The user has a dynip.com hostname.
But I have just discovered that I can't seem to use a hostname as an 
address for a rule.  Nor will m0n0 allow a hostname as an address in an 
alias definition.

The user is in a rural location.  His only option is plain old dial-up.
I had advised him to use some dynamic DNS service, and then I would
configure rules based on that.  However, m0n0 doesn't allow me to do
what I want to do here.  The more I think about it, the more I see why.
(We certainly don't want the filter to be doing name resolution every
time it needs to check a packet.)

Can anyone think of any work-arounds?

There were a couple of things that I wanted to open up for this user:
Destination port 22 to some DMZ machines (and maybe some LAN machines)
Dest 443 to the m0n0wall itself.

Here are the (very unpleasant) work-arounds that I can imagine.

(1) Let dst:22 through to the DMZ from WAN, but set up port knocking on 
each machine on the DMZ.

(2) Once user can ssh in to LAN, then have the user tunnel X11 over his 
ssh connection and work from there.

An alternative option is to have him use VPN.

I really don't like any of those.  And I'm hoping that someone is aware 
of a solution that I haven't thought of.