NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: blocklistd: How to keep my dynamic IP from getting blocked

On Sat, Apr 03, 2021 at 06:02:03PM +0530, Mayuresh wrote:
> > BTW does blacklistd.conf accept hostname instead of IP, which I can
> > manipulate in /etc/hosts?
> PS: I mean, I tried that way but it didn't work (hostname with /etc/hosts
> entry  didn't work, IP did). Wondering whether it's supposed to be that
> way.

Firewalls (and many other security-related configs) in general
require you to state everything in terms of fixed addresses and
not (DNS-dependent) hostnames, for good reasons:

- There is a chicken and egg problem: the fw system needs working
  DNS in order to insert rules;  the DNS needs a working fw in order
  to resolve names.

- It would be / is expensive to continuously update rules and
  re-resolve symbolic hostnames while the firewall is running.
  Because DNS name resolution is cache-dependend, it also leads
  to ill-defined behaviour.  You usually do not want that with
  a firewall.

- Where the DNS is under external control, your rules suddenly refer
  to addresses under external control.  Again, you do not want that.

I understand that you are trying to use a hostname in /etc/hosts
well under your local control and locally resolvable.  I'm not
suprised though that bl[oa]cklistd requires strictly numeric
addresses, because of the reasons above.

							Martin Neitzel

Home | Main Index | Thread Index | Old Index