Subject: Re: DNS-based firewalling?
To: Johnny Billquist <bqt@Update.UU.SE>
From: Florian Stoehr <netbsd@wolfnode.de>
List: netbsd-users
Date: 01/10/2005 14:01:42
On Mon, 10 Jan 2005, Johnny Billquist wrote:
> On Mon, 10 Jan 2005, Michael Smith wrote:
>
>> On Mon, 10 Jan 2005 00:35:29 +0100 (CET)
>> Florian Stoehr <netbsd@wolfnode.de> wrote:
>>
>>> I want a "you won't even connect at SMTP" solution in that case
>>
>> I don't think it is a good idea to do a DNS lookup while filtering packets,
>> and judging from the other responses it may not be doable anyway.
>>
>> How about using your smtp daemon to build a list of IP addresses which you
>> don't want to accept connections from and using pf to filter subsequent
>> connection attempts?
>
> Since no one has mentioned /etc/hosts.deny yet, I'll do it.
> Simple, you can do it based on hostnames or ip-address ranges, and while I
> think you do get through the connect stage, the port is immediately
> disconnected again.
>
> Johnny
>
> Johnny Billquist || "I'm on a bus
> || on a psychedelic trip
> email: bqt@update.uu.se || Reading murder books
> pdp is alive! || tryin' to stay hip" - B. Idol
>
Hm -> this is a nice way; anyway, it only works from inetd.
So I'll put a port forwarder protected by hosts.deny into inetd and
forward "successful" connections to the real SMTP somewhere else then.
Yes, I think this will finally solve it.
Thanks for all replies.
-Florian
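Added example (not part of the thread, and not NetBSD's tcpd): a small Python model of how hosts.allow/hosts.deny rules are evaluated, so the effect of the approach Johnny and Florian settle on can be checked offline before editing the real files. It covers only a subset of the hosts_access(5) pattern syntax (ALL, leading-dot hostname suffixes, trailing-dot address prefixes, net/mask, exact matches, and EXCEPT). The rule files, hostnames and addresses below are constructed sample values; the daemon name "smtp" is assumed to be whatever the wrapper entry in inetd.conf is called.

```python
# Added example: a reimplementation of the hosts.allow / hosts.deny matching
# order and a subset of its pattern syntax, for checking rules offline.
# Not NetBSD's tcpd; a simplified model only.
import ipaddress

# Constructed sample rule files. Real tcpd reads /etc/hosts.allow and
# /etc/hosts.deny; hostname patterns only work when the reverse lookup of
# the peer address succeeds, which is the DNS dependency the thread worries about.
HOSTS_ALLOW = """
# allow the LAN and a trusted relay to reach the SMTP wrapper
smtp : 192.168.1.0/255.255.255.0 .trusted-example.org
"""

HOSTS_DENY = """
# reject known sources for smtp, and everything else except the LAN
smtp : .spam-example.net 10.0.
ALL : ALL EXCEPT 192.168.
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError("rule without ':' separator: %r" % line)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, host, addr):
    """Client patterns: ALL, .domain (hostname suffix), net. (address prefix),
    net/mask, or an exact hostname / address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # hostname suffix match
        return host.endswith(pattern)
    if pattern.endswith("."):                    # address prefix match
        return addr.startswith(pattern)
    if "/" in pattern:                           # net/mask match
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)


def list_matches(items, match):
    """A list matches when some item matches, unless the EXCEPT part also matches."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return list_matches(items[:i], match) and not list_matches(items[i + 1:], match)
    return any(match(item) for item in items)


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and list_matches(clients, lambda p: client_matches(p, host, addr)))


def access_allowed(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first match in hosts.allow grants, first match in hosts.deny
    refuses, otherwise the connection is accepted.  The decision is made after
    accept(), which is why the client still sees the TCP connect succeed
    before the wrapper closes it (Johnny's point above)."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, host, addr):
            return True
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, host, addr):
            return False
    return True


if __name__ == "__main__":
    for args in [("smtp", "mx.spam-example.net", "203.0.113.5"),
                 ("smtp", "lan-client.example.org", "192.168.1.20"),
                 ("smtp", "relay.trusted-example.org", "198.51.100.9"),
                 ("smtp", "anon.example.org", "198.51.100.9")]:
        print(args, "allowed" if access_allowed(*args) else "denied")
```

The model makes the two caveats from the thread concrete: the check runs only inside a wrapped inetd service, so the TCP handshake has already completed when a connection is refused, and any rule written as a hostname depends on a reverse DNS lookup of the peer at connection time.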