I think your car example is a bit overboard... It's not like I'm suggesting that you should program your firewall rules using IP addresses in binary form... I think that Monowall has about the easiest, most flexible, and most powerful way to set up firewall rules of all firewalls that I've run across.

I don't know of any firewall that lets you program rules using a FQDN... (They may exist, but I'm unaware of them.) If there is a big call for this feature, I'm pretty sure it could be implemented... I'm just not sure that it's a good idea. A process would have to occasionally run to ensure that the IP address for each FQDN that you're using hasn't changed, and if it has, you'd have to update all the entries pointing to the old address to the new address. What would you do if DNS couldn't be resolved? Leave the old address? Time out the rule after a certain amount of time?

Perhaps I'm just "old school" when it comes to firewalls...

Paul

-----Original Message-----
From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Thursday, October 27, 2005 12:16 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] logical name against IP address

From: "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
> If you are referring to the firewall rules, you can create aliases,
> then use the alias name in your rules. The advantage here is that if an
> IP Address changes that you have multiple rules in place for, you can simply
> change the IP that the alias is pointing to...
> You can't simply use DNS names and expect the same behavior... I
> mean, in that case it might be possible that someone could poison your DNS
> and have your rules allowing things you don't intend.

There is always a balance of security and convenience. An example I use is a car. If you want to make sure your car isn't stolen, put it up on blocks, and remove the wheels. The problem is that it makes for a not very useful car. :-)

I think a switch (with a warning) allowing the use of FQDN would be a good thing. There are times I would have liked it.

Lee

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
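The maintenance process Paul describes (periodically re-resolve each FQDN alias, rewrite the rules that point at the old address, and decide what to do when DNS stops answering) is sketched below as an added example; it is not m0n0wall code and not from either poster. The `AliasTable`, `Alias` and `Rule` classes, the grace-period policy, and the resolver callback are all assumptions made for illustration: the resolver is injected so the example runs offline, and every name and address in it is constructed. The policy chosen for the "DNS couldn't be resolved" case is the middle ground from the thread: keep the last-known address for a bounded grace period, then disable the dependent rules instead of leaving a stale address open indefinitely.

```python
"""
Added example (not m0n0wall code): refresh loop for FQDN-based firewall aliases.

Each alias caches the last address it resolved to. On every refresh the
resolver is asked again; a changed answer is pushed into every rule that
references the alias. A failed lookup is tolerated for `grace_seconds`
after the last success, after which the alias and its rules are disabled.
Names, addresses and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# A resolver returns one IPv4 address as a string, or None when lookup fails.
Resolver = Callable[[str], Optional[str]]


@dataclass
class Alias:
    fqdn: str
    ip: Optional[str] = None     # last successfully resolved address
    last_ok: float = 0.0         # timestamp of the last successful lookup
    enabled: bool = True         # False once the grace period has expired


@dataclass
class Rule:
    name: str
    alias: str                   # FQDN alias this rule's destination comes from
    dst_ip: Optional[str] = None # address actually installed in the ruleset
    active: bool = True


@dataclass
class AliasTable:
    grace_seconds: float         # how long a stale address is still trusted
    aliases: dict[str, Alias] = field(default_factory=dict)
    rules: list[Rule] = field(default_factory=list)

    def refresh(self, resolve: Resolver, now: float) -> list[str]:
        """Re-resolve every alias and propagate the result to dependent rules.
        Returns human-readable change events suitable for the firewall log."""
        events: list[str] = []
        for alias in self.aliases.values():
            new_ip = resolve(alias.fqdn)
            if new_ip is not None:
                if new_ip != alias.ip:
                    events.append(f"{alias.fqdn}: {alias.ip} -> {new_ip}")
                    alias.ip = new_ip
                alias.last_ok = now
                alias.enabled = True
            elif alias.ip is not None and now - alias.last_ok > self.grace_seconds:
                # Lookup has failed for longer than the grace period: stop
                # trusting the cached address rather than leave it open forever.
                if alias.enabled:
                    events.append(
                        f"{alias.fqdn}: unresolvable for >{self.grace_seconds}s, disabling"
                    )
                alias.enabled = False
            # A failure inside the grace window falls through: old address kept.
            for rule in self.rules:
                if rule.alias == alias.fqdn:
                    rule.dst_ip = alias.ip
                    rule.active = alias.enabled and alias.ip is not None
        return events


def run_demo() -> list[list[str]]:
    """Drive the table through resolve, change, transient failure and expiry.
    Uses a constructed in-memory resolver; returns the events of each pass."""
    answers = {"mail.example.com": "192.0.2.10"}      # constructed DNS data
    table = AliasTable(grace_seconds=600)
    table.aliases["mail.example.com"] = Alias("mail.example.com")
    table.rules.append(Rule("allow-smtp-out", "mail.example.com"))
    resolve: Resolver = lambda name: answers.get(name)

    passes = [table.refresh(resolve, now=1000)]       # first resolution
    answers["mail.example.com"] = "192.0.2.11"        # address moves
    passes.append(table.refresh(resolve, now=1300))
    del answers["mail.example.com"]                   # DNS stops answering
    passes.append(table.refresh(resolve, now=1500))   # inside grace window
    passes.append(table.refresh(resolve, now=2000))   # grace expired
    return passes


if __name__ == "__main__":
    for i, events in enumerate(run_demo(), 1):
        print(f"pass {i}: {events}")
```

The grace period is the knob the thread is arguing about: set it to zero and a single failed lookup silently blackholes traffic; set it to infinity and you are back to "leave the old address", which is the case where a stale or poisoned answer lingers. Logging every change event is what lets an operator notice that an alias has started flapping between addresses.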