Subject: Re: rc.d/ipfilter with dyndns - chicken <-> egg, et all
To: Quentin Garnier <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 10/30/2003 09:53:18
In message <firstname.lastname@example.org>, Quentin Garnier writes:
>IPFilter only gets IP addresses passed by userland utilities. The kernel
>will _not_ perform name resolution.
>Besides, it would be a very bad idea to make such a security tool depend
>on an external source of information, and DNS servers are one of the most
>unreliable sources in the world (they can fail, be slightly out of date,
>and there are ways to attack such a setup).
>Don't forget about 'ipf -y' with a dynamic address setup, also.
Yes -- I have 'ipf -y' in my /etc/dhclient-exit-hooks file, though
primarily to make NAT work for my vmware hosts.
You're quite right about the risks of relying on the DNS, too.
--Steve Bellovin, http://www.research.att.com/~smb
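As an added illustration of the 'ipf -y' hook both messages mention (this is example code, not Bellovin's actual /etc/dhclient-exit-hooks), the script below assumes ISC dhclient's hook variables ($reason, $interface, $old_ip_address, $new_ip_address) and that ipf(8) is on the PATH; it resyncs IPFilter's in-kernel interface list only on lease events that add, change or remove the address, so rules written against the interface name keep working without any hostname lookup.

```shell
#!/bin/sh
# Hypothetical /etc/dhclient-exit-hooks (added example, not from the thread).
# dhclient-script sources this file after every lease event and exports
# $reason, $interface, $old_ip_address and $new_ip_address (ISC dhclient).

# Decide whether the kernel's IPFilter interface list must be resynced.
# Returns 0 (resync) when the event established, changed or removed the
# address, 1 otherwise. Kept free of side effects so it can be tested
# without ipf installed.
ipf_needs_resync() {
    _reason=$1; _old=$2; _new=$3
    case "$_reason" in
        BOUND|REBOOT)
            # fresh lease: the interface now carries an address ipf has not seen
            return 0 ;;
        RENEW|REBIND)
            # same lease renewed: only act if the address actually changed
            [ "$_old" != "$_new" ] ;;
        EXPIRE|FAIL|RELEASE|STOP)
            # address gone: let ipf forget the stale interface address as well
            return 0 ;;
        *)
            # PREINIT, MEDIUM, TIMEOUT, NBI etc. do not touch the address
            return 1 ;;
    esac
}

# Resync only when the decision says so and ipf is actually installed.
# 'ipf -y' makes IPFilter re-read the interface addresses (as in the thread),
# which is what keeps NAT and interface-keyed rules correct after a change.
if ipf_needs_resync "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    if command -v ipf >/dev/null 2>&1; then
        ipf -y
        logger -t dhclient-exit-hooks "ipf -y after ${reason} on ${interface:-?}"
    fi
fi
```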