Subject: Re: rc.d/ipfilter with dyndns - chicken <-> egg, et all
To: Chris Tribo <ctribo@college.dtcc.edu>
From: Quentin Garnier <netbsd-current-users@quatriemek.com>
List: current-users
Date: 10/30/2003 06:21:07
On Wed, 29 Oct 2003 20:41:49 -0500 (EST)
Chris Tribo wrote:
[...]
> 	The other question is, should we be doing something different in 
> rc.d/ipfilter and friends for hostname based filtering? Like parse the 
> rules, try to resolve the hostname using the hosts file or local name 
> server (after bind starts in that case) without complaining about it,
> then try to reload/resync the rules after the interfaces are up and
> before services start binding to ports and complain here if something
> isn't resolvable?
> 
> 	I know this is off the wall, but I don't think it's really going 
> to be an uncommon situation in the near future as people start deploying
> dynamic DNS into their organizations.

IPFilter only gets IP addresses passed by userland utilities. The kernel
will _not_ perform name resolution.

Besides, it would be a very bad idea to make such a security tool depend
on an external source of information, and DNS servers are one of the most
unreliable sources in the world (they can fail, be slightly out of date,
and there are ways to attack such a setup).

Don't forget about 'ipf -y' with a dynamic address setup, also.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
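One way to do the pre-resolution step the quoted question describes without making the firewall depend on DNS, as an added example that is not part of this thread or of NetBSD's rc.d scripts: resolve the hostnames in an ipf ruleset against a static hosts table only, and refuse to emit a ruleset (the "complain here") when any name is unresolvable. The hosts table, the rules and the hostnames below are constructed; a boot script would feed the returned lines to `ipf -f`.

```python
import ipaddress

# Constructed sample hosts table (stands in for /etc/hosts; no DNS lookups happen).
HOSTS_FILE = """\
127.0.0.1       localhost
192.0.2.10      gateway.example.net gw   # alias on the same line
192.0.2.25      mail.example.net
"""

# Constructed sample ipf rules that name hosts instead of addresses.
RULES = """\
pass in quick on fxp0 proto tcp from gateway.example.net to any port = 22
pass in quick on fxp0 proto tcp from any to mail.example.net port = 25
block in quick on fxp0 from dyn-box.example.net to any
"""

def parse_hosts(text):
    """Map every canonical name and alias in a hosts table to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)      # first entry wins, as resolvers do
    return table

def resolve_rules(rules_text, hosts):
    """Rewrite the token after 'from'/'to' to an address; collect names not in the table."""
    resolved, unresolved = [], []
    for line in rules_text.splitlines():
        words = line.split()
        for i in range(1, len(words)):
            if words[i - 1] not in ("from", "to") or words[i] == "any":
                continue
            host, sep, mask = words[i].partition("/")  # keep an optional /mask suffix
            try:
                ipaddress.ip_address(host)             # literal address: leave it alone
                continue
            except ValueError:
                pass
            if host.lower() in hosts:
                words[i] = hosts[host.lower()] + sep + mask
            else:
                unresolved.append(host)
        resolved.append(" ".join(words))
    return resolved, unresolved

def boot_ruleset(rules_text, hosts_text):
    """Return address-only rules, or raise so the boot script fails loudly instead of loading a partial set."""
    rules, missing = resolve_rules(rules_text, parse_hosts(hosts_text))
    if missing:
        raise RuntimeError("unresolvable hosts in ipf rules: " + ", ".join(missing))
    return rules
```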