Subject: Re: DNS-based firewalling?
To: Johnny Billquist <bqt@Update.UU.SE>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-users
Date: 01/10/2005 14:56:34

On Mon, Jan 10, 2005 at 02:40:33PM +0100, Johnny Billquist wrote:
> On Mon, 10 Jan 2005, Florian Stoehr wrote:
>
> >On Mon, 10 Jan 2005, Johnny Billquist wrote:
> >
> >>On Mon, 10 Jan 2005, Michael Smith wrote:
> >>
> >>>On Mon, 10 Jan 2005 00:35:29 +0100 (CET)
> >>>Florian Stoehr <netbsd@wolfnode.de> wrote:
> >>>
> >>>>I want a "you won't even connect at SMTP" solution in that case
> >>>
> >>>I don't think it is a good idea to do a DNS lookup while filtering
> >>>packets, and judging from the other responses it may not be doable
> >>>anyway.
> >>>
> >>>How about using your smtp daemon to build a list of IP addresses which
> >>>you don't want to accept connections from and using pf to filter
> >>>subsequent connection attempts?
> >>
> >>Since no one has mentioned /etc/hosts.deny yet, I'll do it.
> >>Simple, you can do it based on hostnames or ip-address ranges, and while
> >>I think you do get through the connect stage, the port is immediately
> >>disconnected again.
> >>
> >>	Johnny
> >>
> >>Johnny Billquist                  || "I'm on a bus
> >>                                 ||  on a psychedelic trip
> >>email: bqt@update.uu.se           ||  Reading murder books
> >>pdp is alive!                     ||  tryin' to stay hip" - B. Idol
> >>
> >
> >Hm -> this is a nice way, anyway it only works from inetd.
>
> No, I believe it works for all applications, including sendmail/postfix.

It works for all applications that support libwrap.  That includes
sendmail, but not postfix, AFAICT.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Commala-come-five! / Even when the shadows rise!
To see the world and walk the world / Makes ya glad to be alive."
Susannah's Song, The Dark Tower VI, Stephen King, 2004.
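The /etc/hosts.deny behaviour Johnny describes, and Quentin's caveat that only libwrap-aware daemons honour it, both come down to the hosts_access lookup tcp_wrappers performs when a client connects. The checker below is an added example, not code from the thread or from tcp_wrappers: it models that lookup order so a ruleset can be tested against sample connections before it is deployed. It is deliberately simplified (no EXCEPT operator, no KNOWN/UNKNOWN/PARANOID, no rule options), and the rule files, hostnames and addresses are constructed.

```python
import ipaddress

# Toy model of the hosts_access lookup done by libwrap-aware daemons such as
# sendmail. Added example, simplified: handles ALL, exact names/addresses,
# leading-dot hostname suffixes, trailing-dot address prefixes and addr/mask
# patterns. A daemon not linked against libwrap never consults these files.

def client_matches(pattern, host, ip):
    """Return True if one client pattern matches the connecting host/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.net" matches hosts in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):            # "192.0.2." matches that address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                   # "10.0.0.0/255.0.0.0" address/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, ip)         # exact hostname or address

def rule_matches(rule, daemon, host, ip):
    """Rules read 'daemon_list : client_list [: ...]'; lists are space/comma separated."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(client_matches(p, host, ip) for p in clients)

def active_rules(lines):
    """Drop blank lines and '#' comments, as tcpd does when reading the files."""
    return [l for l in lines if l.strip() and not l.lstrip().startswith("#")]

def hosts_access(allow_lines, deny_lines, daemon, host, ip):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matching neither file is granted access."""
    for rule in active_rules(allow_lines):
        if rule_matches(rule, daemon, host, ip):
            return True
    for rule in active_rules(deny_lines):
        if rule_matches(rule, daemon, host, ip):
            return False
    return True

# Constructed sample files (not from the thread).
HOSTS_ALLOW = ["# trusted relays", "sendmail : .example.net", "ALL : 127.0.0.1"]
HOSTS_DENY = ["sendmail : .spammer.test 192.0.2.", "ALL : 10.0.0.0/255.0.0.0"]
```

Because hosts.allow is searched first, a host under .example.net is accepted even from an address that hosts.deny would otherwise refuse; that precedence is the usual source of surprises when auditing a ruleset.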
