From owner-freebsd-security Thu Mar 16 14:28:21 2000
Date: Thu, 16 Mar 2000 14:28:17 -0800 (PST)
From: Kris Kennaway <kris@FreeBSD.org>
To: bwoods2@uswest.net
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW...1 more question.....

On Thu, 16 Mar 2000, William Woods wrote:

> Hmmmm, well, I have a list of .com's that I want to block access totally, what
> would be the most effective way then, .htaccess would just block web, and I
> want a bit more totality than that.

Blocking based on DNS source address is quite unreliable, since if e.g. aol
control their DNS servers they could just assign their machine another
reverse DNS name (e.g. happy.friendly.com), and pass your access
restrictions.

Further, your ipfw example wouldn't even block based on the DNS names, but
would block based on whatever IP address aol.com happened to resolve to at
the time. DNS is also an insecure protocol.

The bottom line is that you should always do access control based on IP
addresses, not DNS addresses.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
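The two failure modes in the reply above, as an added example that is not code from the original post, from FreeBSD or from ipfw: a rule written with a hostname is stored as whatever addresses the name resolved to when the rule was added, and a reverse-DNS (PTR) check such as `.htaccess` "deny from aol.com" trusts a name chosen by whoever runs the reverse zone for the client's address. The forward and reverse tables, the TEST-NET addresses and the rule numbers are constructed for the demonstration; `aol.com` and `happy.friendly.com` are the reply's own examples. `resolve_forward` is the only function that touches the network and is not used by the offline demonstration.

```python
# Added example, not code from the original post or from FreeBSD/ipfw.
# All DNS data and addresses below are constructed (TEST-NET ranges).
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional


def resolve_forward(name: str) -> List[str]:
    """Live resolver: the IPv4 addresses `name` has right now.
    ipfw(8) accepts hostnames in rules but resolves them once, when the
    rule is added, and stores only the resulting addresses."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


def build_ipfw_deny_rules(names: Iterable[str],
                          resolve: Callable[[str], List[str]] = resolve_forward,
                          first_rule: int = 1000) -> List[str]:
    """Expand a list of DNS names into ipfw deny rules, one pair per address.
    The output never contains a hostname: if the site moves to another
    address tomorrow these rules keep blocking yesterday's address, and if
    the address is shared, every other site on it is blocked as well."""
    rules = []
    num = first_rule
    for name in names:
        for ip in resolve(name):
            rules.append(f"ipfw add {num} deny ip from {ip} to any")
            rules.append(f"ipfw add {num} deny ip from any to {ip}")
            num += 1
    return rules


def ptr_check_allows(client_ip: str, blocked_domains: Iterable[str],
                     reverse: Callable[[str], Optional[str]]) -> bool:
    """Name-based access check: look up the client's PTR record and refuse
    it if the name is in, or under, a blocked domain. The PTR record lives
    in the in-addr.arpa zone delegated to the address owner, so the client
    side chooses the name this check compares against."""
    name = reverse(client_ip)
    if name is None:  # no PTR at all: nothing matches, the client passes
        return True
    name = name.rstrip(".").lower()
    blocked = [d.lower() for d in blocked_domains]
    return not any(name == d or name.endswith("." + d) for d in blocked)


def ip_check_allows(client_ip: str, blocked_networks: Iterable[str]) -> bool:
    """Address-based access check, the approach the reply recommends: the
    source address is taken from the packet itself, not from a record the
    remote operator can rewrite."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in ipaddress.ip_network(n, strict=False)
                   for n in blocked_networks)


# Constructed DNS data for the offline demonstration.
FORWARD = {"aol.com": ["198.51.100.7", "198.51.100.8"]}
REVERSE_HONEST = {"198.51.100.7": "proxy.aol.com."}
REVERSE_RENAMED = {"198.51.100.7": "happy.friendly.com."}  # same host, new PTR
BLOCKED_NETS = ["198.51.100.0/24"]

if __name__ == "__main__":
    for rule in build_ipfw_deny_rules(["aol.com"], resolve=FORWARD.__getitem__):
        print(rule)
    client = "198.51.100.7"
    print("PTR check, honest PTR  :",
          ptr_check_allows(client, ["aol.com"], REVERSE_HONEST.get))
    print("PTR check, renamed PTR :",
          ptr_check_allows(client, ["aol.com"], REVERSE_RENAMED.get))
    print("IP check, either way   :", ip_check_allows(client, BLOCKED_NETS))
```

Running the script prints the generated rules, which contain only literal addresses, then shows the same client passing the PTR check as soon as its reverse record is renamed while the address-based check still refuses it. To build rules from live DNS, call `build_ipfw_deny_rules` without the `resolve` argument; the rules still only reflect the addresses at that moment.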