From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Date: Tue, 31 May 2005 17:12:08 +0200 (CEST)
Subject: Re: IP Firewalling by DNS name
Message-Id: <200505311512.j4VFC8j4023435@lurza.secnetix.de>
In-Reply-To: <429C7804.8040709@fer.hr>

Ivan Voras wrote:
> Is it possible to use ipfw to filter packets by domain name?

No. That would require the IPFW code to perform reverse DNS lookups,
which isn't really feasible.

(In theory you could write a small filter program that receives the
ssh setup packets via an IPFW divert(4) rule. However, DNS lookups
can take a significant amount of time, which could probably interfere
adversely with the TCP retransmission timeout of the setup (SYN)
packets. But I could be wrong.)

> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

If there's a limited number of IP addresses or subnets within that TLD
that you want to allow access, then use those addresses in IPFW rules.

Another way is to use the TCP wrapper, see hosts_access(5). However,
be aware that this is working at a higher level than IPFW.

If you want to control logins to a single account only (which is under
your control), you could use public-key authentication and put the TLD
with your public key in the ~/.ssh/authorized_keys file, like this:

    from="*.org" ssh-dss ...

and disable password authentication altogether. Then you can only
login with your private key _and_ from that TLD.

If it's not your own account and you don't trust the user, then change
his ~/.ssh/authorized_keys file like above, and then set the
system-immutable flags on the file _and_ on the directory
("chflags schg ..."). (Note that chmod and chown will not be
sufficient, because the user can still rename the ~/.ssh directory and
create a new one.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell
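As an added example (not part of Oliver's mail or of OpenSSH), a small Python audit of the authorized_keys `from=` restriction described above: it parses the option field, replays sshd's hostname/IP pattern check in simplified form, and lists the keys the TLD restriction does not cover. The file contents are constructed; real sshd additionally accepts CIDR lists, and with `UseDNS no` (the default in current OpenSSH) the "hostname" handed to the check is just the client IP, so a `*.org` pattern never matches.

```python
import fnmatch, re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# The options field runs up to the first whitespace outside double quotes.
OPTIONS_RE = re.compile(r'^((?:[^\s"]+|"[^"]*")+)\s+(.*)$')
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"')

def parse_line(line):
    # -> (list of from= patterns, or None if unrestricted; comment or key type)
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):        # a bare key type means no options
        options, line = OPTIONS_RE.match(line).groups()
    m = FROM_RE.search(options)
    fields = line.split(None, 2)
    comment = fields[2] if len(fields) == 3 else fields[0]
    return (m.group(1).split(",") if m else None), comment

def host_allowed(patterns, hostname, ip):
    # Simplified sshd from= check: each glob is tested against the reverse-resolved
    # hostname (case-insensitive) and the client IP; a matching "!" pattern denies.
    allowed = False
    for pat in patterns:
        negate = pat.startswith("!")
        glob = pat[1:] if negate else pat
        hit = (fnmatch.fnmatchcase(hostname.lower(), glob.lower())
               or fnmatch.fnmatchcase(ip, glob))
        if hit and negate:
            return False
        allowed = allowed or hit
    return allowed

def unrestricted_keys(text):
    # Comment (or key type) of every key that carries no from= option.
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            patterns, comment = parse_line(line)
            if patterns is None:
                out.append(comment)
    return out

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
from="*.org,!bad.example.org" ssh-ed25519 AAAAC3NzPLACEHOLDER oliver@example.org
command="/usr/local/bin/backup",from="*.hr" ssh-rsa AAAAB3NzPLACEHOLDER backup
ssh-ed25519 AAAAC3NzPLACEHOLDER unrestricted@example.net
"""
```

Running `unrestricted_keys(SAMPLE_AUTHORIZED_KEYS)` flags only the third key; the last `host_allowed` case in the test shows why the restriction is useless when sshd sees no hostname.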