From: bruce@nikkel.com
To: Ivan Voras, stable@freebsd.org
Date: Tue, 31 May 2005 19:48:33 +0200
Subject: Re: IP Firewalling by DNS name
Message-ID: <20050531174833.GA24102@nikkel.com>
In-Reply-To: <429C7804.8040709@fer.hr>

On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> Is it possible to use ipfw to filter packets by domain name?
>
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

Access control based on the reverse lookup of an IP address is a dangerous idea in general. Anyone who manages their own reverse DNS could bypass the security simply by creating a DNS entry. If someone controls the in-addr.arpa zone for a particular IP range, they can make those IPs resolve with any FQDN they want, even with domains they don't own.

Bruce Nikkel
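As an added illustration (not part of the original thread), the Python below contrasts the reverse-only TLD check Ivan describes with a forward-confirmed reverse DNS (FCrDNS) check, using constructed stub resolver tables so it runs offline; the IPs, hostnames and function names are mine, and FCrDNS is offered as a narrowing of the gap, not as authentication.

```python
from typing import Dict, List, Optional

# Constructed stub resolver data. A real check would use the system
# resolver (socket.gethostbyaddr / socket.getaddrinfo); dictionaries
# keep the example offline and make the forged case explicit.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "host.example.edu",   # honest host: forward zone agrees
    "203.0.113.7": "host.example.edu",  # PTR planted by whoever controls
                                        # 113.0.203.in-addr.arpa
}
A_RECORDS: Dict[str, List[str]] = {
    "host.example.edu": ["192.0.2.10"],  # only the real owner can publish this
}


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def _in_tld(name: str, tld: str) -> bool:
    return name.lower().rstrip(".").endswith("." + tld.lower())


def allowed_by_reverse_only(ip: str, tld: str = "edu") -> bool:
    """The policy from the question: trust whatever the PTR record says.
    Anyone controlling the reverse zone for the source IP passes this."""
    name = reverse_lookup(ip)
    return name is not None and _in_tld(name, tld)


def allowed_by_fcrdns(ip: str, tld: str = "edu") -> bool:
    """Forward-confirmed reverse DNS: the PTR name must also resolve
    forward to the same IP. A forged PTR fails because the forger cannot
    add records to the forward zone (example.edu) they do not own.
    DNS is still not an authentication mechanism; pair this with keys."""
    name = reverse_lookup(ip)
    if name is None or not _in_tld(name, tld):
        return False
    return ip in forward_lookup(name)
```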