From: "Paul Taylor" <PaulTaylor at winn dash dixie dot com>

> If there is a big call for this feature, I'm pretty sure it could be
> implemented... I'm just not sure that it's a good idea. A process would
> have to occasionally run to ensure that the IP Address for each FQDN that
> you're using hasn't changed, and if it has you'd have to update all the
> entries pointing to the old address to the new address. What would you do
> if DNS couldn't be resolved? Leave the old address? Time out the rule
> after a certain amount of time?

Here is the real fun... With inbound traffic do you have the FQDN prefetched, or do you do a reverse lookup, which is probably different from the forward lookup? And whichever way you go, someone will say you did it wrong. :-)

A lot of work for that 1 time in 10 when it would be handy. However, with the popularity of dynamic DNS, it may be required in the future.

> Perhaps I'm just "old school" when it comes to firewalls...

And most of the time, that is the correct choice.

Lee

PS: Most people LIKE my car analogy. Usually brings a laugh... :-)
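
The refresh process discussed in the message above, written out as an added example that is not part of the original thread or of any firewall product. The class name `FqdnRuleTable`, the `max_stale` timeout and the policy it encodes (keep the old address during a DNS outage, drop the rule once the outage outlasts `max_stale`) are assumptions chosen to make the open questions concrete.

```python
import socket
import time

class FqdnRuleTable:
    """Hypothetical table of the address each FQDN-based rule points at."""

    def __init__(self, resolver=socket.gethostbyname, max_stale=3600.0,
                 clock=time.monotonic):
        self.resolver = resolver    # injectable so the logic runs offline
        self.max_stale = max_stale  # assumed policy: seconds a rule survives failed lookups
        self.clock = clock
        self.rules = {}             # fqdn -> (ip, time of last successful lookup)

    def refresh(self, fqdn):
        """Re-resolve one FQDN and report what happened to its rule."""
        now = self.clock()
        old = self.rules.get(fqdn)
        try:
            ip = self.resolver(fqdn)
        except OSError:             # socket.gaierror is a subclass of OSError
            if old is None:
                return "unresolved"
            if now - old[1] > self.max_stale:
                del self.rules[fqdn]    # outage outlasted the timeout: drop the rule
                return "expired"
            return "stale"              # keep the old address for now
        self.rules[fqdn] = (ip, now)
        if old is None:
            return "added"
        return "unchanged" if old[0] == ip else "updated"

def demo():
    """Constructed scenario: an address change, then a DNS outage longer than max_stale."""
    answers = {"host.example": "192.0.2.10"}    # constructed sample data
    t = [0.0]
    def fake_resolver(name):
        if name not in answers:
            raise socket.gaierror("constructed lookup failure")
        return answers[name]
    table = FqdnRuleTable(fake_resolver, max_stale=300.0, clock=lambda: t[0])
    out = [table.refresh("host.example")]
    answers["host.example"] = "192.0.2.20"; t[0] = 60.0
    out.append(table.refresh("host.example"))
    del answers["host.example"]; t[0] = 120.0
    out.append(table.refresh("host.example"))
    t[0] = 400.0
    out.append(table.refresh("host.example"))
    return out, dict(table.rules)

if __name__ == "__main__":
    print(demo())
```

Only the forward lookup is modelled here; matching inbound traffic by reverse lookup would need a separate decision, since the PTR record may not agree with the forward record.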