Date: Wed, 1 Jun 2005 17:45:25 +0200 From: Roman Neuhauser <neuhauser@sigpipe.cz> To: bruce@nikkel.com Cc: stable@freebsd.org, Ivan Voras <ivoras@fer.hr> Subject: Re: IP Firewalling by DNS name Message-ID: <20050601154524.GH70499@isis.sigpipe.cz> In-Reply-To: <20050531174833.GA24102@nikkel.com> References: <429C7804.8040709@fer.hr> <20050531174833.GA24102@nikkel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
# bruce@nikkel.com / 2005-05-31 19:48:33 +0200:
> On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> > Is it possible to use ipfw to filter packets by domain name?
> >
> > What I need it for: I'd like to allow ssh logins only from a specific
> > TLD (by reverse lookup...) - maybe there's another way?
>
> Access control based on the reverse lookup of an IP address is a
> dangerous idea in general. Anyone who manages their own reverse DNS
> could bypass the security simply by creating a DNS entry. If someone
> controls the in-addr.arpa zone for a particular IP range, they can make
> those IPs resolve with any FQDN they want, even with domains they don't
> own.
When you look at it from the "right" angle, dns actually involves NO
ip adresses (except nothing else makes sense in NS RRs (Resource
Records)). All you have is FQDN -> value mappings. In the case of
PTR RRs (socalled "reverse dns"), the domain name is
D.C.B.A.in-addr.arpa. for an IP address of A.B.C.D (that association
is basically by convention :). The value could be "my grandma is 78
years old" FWIW. Again, there's really nothing special about the
in-addr.arpa. domain: in-addr is a subdomain of arpa just like freebsd
is a subdomain of org, and both org and arpa are children of the
nameless root, which is the empty string to the right of the last dot
(often implied) in each dns record: "www.freebsd.org" is actually
a shorthand for "www.freebsd.org.".
The problem can be mitigated by checking whether there's a
corresponding A or CNAME RR, IOW whether
D.C.B.A.in-addr.arpa. -> whatever.example.org. -> A.B.C.D
(this kind of check is quite common in MTA configurations).
To bring this back closer to the topic: I know for fact that pf (in
OpenBSD at least) accepts hostnames instead of addresses, but you
better make sure your resolv.conf is in good shape, and it resolves
the names when it *loads* the rule (you need to be passing dns
traffic at that point). But this still isn't what the OP asked
for... sorry.
--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050601154524.GH70499>