Subject: Re: rc.d/ipfilter with dyndns - chicken <-> egg, et all
To: Quentin Garnier <netbsd-current-users@quatriemek.com>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 10/30/2003 09:53:18
In message <20031030062107.6480b19c.netbsd-current-users@quatriemek.com>, Quentin Garnier writes:

>
>IPFilter only gets IP addresses passed by userland utilities. The kernel
>will _not_ perform name resolution.
>
>Besides, it would be a very bad idea to make such a security tool depend
>on an external source of information, and DNS servers are one of the most
>unreliable sources in the world (they can fail, be slightly out of date,
>and there are ways to attack such a setup).
>
>Don't forget about 'ipf -y' with a dynamic address setup, also.
>

Yes -- I have 'ipf -y' in my /etc/dhclient-exit-hooks file, though 
primarily to make NAT work for my vmware hosts.

You're quite right about the risks of relying on the DNS, too.


		--Steve Bellovin, http://www.research.att.com/~smb
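As an added illustration of the `ipf -y` arrangement mentioned above (this is example code, not from either poster or from NetBSD itself): a fragment for /etc/dhclient-exit-hooks that refreshes IPFilter's cached interface addresses only when a lease event can actually have changed the address. It assumes the hook variables ISC dhclient-script exports to exit hooks ($reason, $interface, $old_ip_address, $new_ip_address) and assumes ipf lives at /sbin/ipf; the decision is kept in a function so it can be checked without dhclient running.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/dhclient-exit-hooks fragment
# that runs 'ipf -y' when a lease event may have changed the interface
# address. Assumes ISC dhclient-script's hook variables ($reason,
# $interface, $old_ip_address, $new_ip_address); the ipf path is assumed.
IPF=${IPF:-/sbin/ipf}

# ipf_needs_resync REASON OLD_ADDR NEW_ADDR
# Returns 0 (true) when the event means the interface address may have
# changed, so IPFilter's cached addresses (used by rules and NAT entries
# that name the interface rather than a literal address) must be refreshed.
ipf_needs_resync() {
    _reason=$1; _old=$2; _new=$3
    case $_reason in
        BOUND|REBOOT)
            # New lease, or lease re-used after boot: always resync.
            return 0 ;;
        RENEW|REBIND)
            # Existing lease refreshed: resync only if the address moved.
            [ "$_old" != "$_new" ] ;;
        *)
            # EXPIRE, FAIL, RELEASE, ...: no address to sync to.
            return 1 ;;
    esac
}

# Act only when sourced by dhclient-script ($reason is set there), so this
# file is a no-op if read anywhere else.
if [ -n "${reason:-}" ] && \
   ipf_needs_resync "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
    # Tell IPFilter to re-read interface addresses from the kernel.
    "$IPF" -y
    logger -t dhclient-exit-hooks \
        "ipf -y after $reason on ${interface:-?} (${old_ip_address:-none} -> ${new_ip_address:-none})"
fi
```

Note that `ipf -y` only re-reads addresses; it does not reload rules, so this relies on the rules and NAT map referring to the interface by name. A rule that hard-codes the old address would still need a reload.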