Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 1 Jun 2005 17:45:25 +0200
From:      Roman Neuhauser <neuhauser@sigpipe.cz>
To:        bruce@nikkel.com
Cc:        stable@freebsd.org, Ivan Voras <ivoras@fer.hr>
Subject:   Re: IP Firewalling by DNS name
Message-ID:  <20050601154524.GH70499@isis.sigpipe.cz>
In-Reply-To: <20050531174833.GA24102@nikkel.com>
References:  <429C7804.8040709@fer.hr> <20050531174833.GA24102@nikkel.com>

next in thread | previous in thread | raw e-mail | index | archive | help
# bruce@nikkel.com / 2005-05-31 19:48:33 +0200:
> On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> > Is it possible to use ipfw to filter packets by domain name?
> > 
> > What I need it for: I'd like to allow ssh logins only from a specific 
> > TLD (by reverse lookup...) - maybe there's another way?
> 
> Access control based on the reverse lookup of an IP address is a
> dangerous idea in general. Anyone who manages their own reverse DNS
> could bypass the security simply by creating a DNS entry. If someone
> controls the in-addr.arpa zone for a particular IP range, they can make
> those IPs resolve with any FQDN they want, even with domains they don't
> own.

    When you look at it from the "right" angle, dns actually involves NO
    ip adresses (except nothing else makes sense in NS RRs (Resource
    Records)). All you have is FQDN -> value mappings. In the case of
    PTR RRs (socalled "reverse dns"), the domain name is
    D.C.B.A.in-addr.arpa. for an IP address of A.B.C.D (that association
    is basically by convention :). The value could be "my grandma is 78
    years old" FWIW. Again, there's really nothing special about the
    in-addr.arpa. domain: in-addr is a subdomain of arpa just like freebsd
    is a subdomain of org, and both org and arpa are children of the
    nameless root, which is the empty string to the right of the last dot
    (often implied) in each dns record: "www.freebsd.org" is actually
    a shorthand for "www.freebsd.org.".

    The problem can be mitigated by checking whether there's a
    corresponding A or CNAME RR, IOW whether

    D.C.B.A.in-addr.arpa. -> whatever.example.org. -> A.B.C.D

    (this kind of check is quite common in MTA configurations).

    To bring this back closer to the topic: I know for fact that pf (in
    OpenBSD at least) accepts hostnames instead of addresses, but you
    better make sure your resolv.conf is in good shape, and it resolves
    the names when it *loads* the rule (you need to be passing dns
    traffic at that point). But this still isn't what the OP asked
    for... sorry.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE.             http://bash.org/?255991



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050601154524.GH70499>