Date: Tue, 31 May 2005 19:48:33 +0200
From: bruce@nikkel.com
To: Ivan Voras <ivoras@fer.hr>, stable@freebsd.org
Subject: Re: IP Firewalling by DNS name
Message-ID: <20050531174833.GA24102@nikkel.com>
In-Reply-To: <429C7804.8040709@fer.hr>
References: <429C7804.8040709@fer.hr>

On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> Is it possible to use ipfw to filter packets by domain name?
>
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

Access control based on the reverse lookup of an IP address is a dangerous idea in general. Anyone who manages their own reverse DNS could bypass the security simply by creating a DNS entry. If someone controls the in-addr.arpa zone for a particular IP range, they can make those IPs resolve with any FQDN they want, even with domains they don't own.

Bruce Nikkel
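
Added example, not part of the original message: a small offline model of the point made in the reply above, comparing a PTR-only check with a forward-confirmed check. The zone data, the campus.example suffix and the function names are constructed for illustration; addresses come from the documentation ranges.

```python
# Constructed DNS data (documentation address ranges, example domains).
# PTR records are served by whoever controls the in-addr.arpa zone for the range.
PTR = {
    "192.0.2.10": "shell.campus.example",      # legitimate host
    "203.0.113.66": "trusted.campus.example",  # set by the owner of 203.0.113.0/24
}
# A records are served by whoever controls the forward zone campus.example.
A = {
    "shell.campus.example": {"192.0.2.10"},
    "trusted.campus.example": {"192.0.2.20"},
}

ALLOWED_SUFFIX = ".campus.example"  # assumed policy: allow this domain only


def in_allowed_domain(name):
    """Case-insensitive suffix match; the leading dot keeps it on a label boundary."""
    return name.rstrip(".").lower().endswith(ALLOWED_SUFFIX)


def ptr_only_allows(ip):
    """The check from the question: trust whatever the PTR record says."""
    name = PTR.get(ip)
    return name is not None and in_allowed_domain(name)


def forward_confirmed_allows(ip):
    """Accept only if the PTR name also resolves forward to the same address."""
    name = PTR.get(ip)
    if name is None or not in_allowed_domain(name):
        return False
    return ip in A.get(name.rstrip(".").lower(), set())


if __name__ == "__main__":
    # 198.51.100.7 has no PTR record at all in the constructed data.
    for ip in ("192.0.2.10", "203.0.113.66", "198.51.100.7"):
        print(ip,
              "ptr-only:", ptr_only_allows(ip),
              "forward-confirmed:", forward_confirmed_allows(ip))
```

Forward confirmation only shows that the owner of the forward zone also lists that address, so it narrows the check to a domain whose forward zone you trust rather than to anyone who can publish a PTR record.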