hostnames resolving problem

Kelly Yancey kbyanc at posi.net
Fri Aug 22 20:11:49 PDT 2003


On Fri, 22 Aug 2003, Marcin Gryszkalis wrote:

> On 2003-08-22 01:38, Antonio Torres wrote:
> >> (I'm using ipfw2 on 4-STABLE). The ipfw resolves name to
> >> *first* ip assigned to the name - but I expect to have *all*
> >> ip addresses in the rule. eg.
>
> > the "name to IP" feature only applies at rule load !
> > i.e. when, and only when, the ipfw rule is loaded the name is translated
> > to IP...
> >
> > look on `man ipfw` for "me" clause (me= my IP address)...
>
> yes, I know that - but - isn't my question/description clear?
> Maybe I'll extend the example.
>
> I issue the following command:
>
> # ipfw add 10000 allow tcp from any to smtp.o2.pl smtp setup
>
> Current result is that following rule is loaded:
>
> 10000 allow tcp from any to 212.126.20.58 dst-port 25 setup
>
> Expected result is following:
>
> 10000 allow tcp from any to 212.126.20.58, 212.126.20.60, 212.126.20.61 dst-port 25 setup
>
> (the name smtp.o2.pl has 3 IP addresses assigned)
>

  The name resolution feature is already questionable: if the DNS mapping
changes, should the firewall rule somehow be magically updated?  I mean, you
*did* ask for packets to be allowed to smtp.o2.pl didn't you?
  The feature you are requesting would reinforce the notion that a name is
being used as the identifier for the host(s), when in fact it is not.  For
example, what if Akamai's servers are authoritative for the domain: you
might get a different set of hosts depending on where the box was sitting.
  IPs are the unique identifiers for hosts; use those.  If you change your
DNS, you'll have to change your firewall either way; this way you won't be
lulled into thinking you don't have to.

  Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org}
Visit the BSD driver database: http://www.posi.net/freebsd/drivers/
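Added example (not code from this thread or from ipfw itself): a small Python helper that does at load time what Marcin expected ipfw to do, expanding a name to every A record it currently has, plus a drift check for the hazard Kelly describes, comparing the addresses baked into an already-loaded rule against what the name resolves to today. The resolver is injectable, so the sample run uses the three addresses and the rule text from the thread instead of live DNS; the comma-separated address list follows the form of the poster's expected result.

```python
import re
import socket
from typing import Callable

Resolver = Callable[[str], list[str]]

# Constructed sample data taken from the thread: the hostname, the three
# addresses the poster says it had, and the rule ipfw actually loaded.
SAMPLE_NAME = "smtp.o2.pl"
SAMPLE_ADDRS = ["212.126.20.58", "212.126.20.60", "212.126.20.61"]
SAMPLE_LOADED = "10000 allow tcp from any to 212.126.20.58 dst-port 25 setup"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolve_all(name: str) -> list[str]:
    """Every IPv4 address the name resolves to right now (live DNS, needs network)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def expand_rule(number: int, body: str, name: str, resolve: Resolver = resolve_all) -> str:
    """Replace `name` in an ipfw rule body with a comma-separated list of all
    its addresses, so the loaded rule covers every host the name points at."""
    addrs = resolve(name)
    if not addrs:
        raise ValueError(f"{name} resolved to nothing; refusing to emit an empty rule")
    return f"{number} {body.replace(name, ','.join(addrs))}"


def dns_drift(loaded_rule: str, name: str, resolve: Resolver = resolve_all) -> dict[str, set[str]]:
    """Compare addresses baked into a loaded rule with today's resolution of
    `name`: 'stale' are in the rule but no longer in DNS (the rule still
    permits them), 'missing' are in DNS but not covered by the rule."""
    in_rule = set(IPV4.findall(loaded_rule))
    in_dns = set(resolve(name))
    return {"stale": in_rule - in_dns, "missing": in_dns - in_rule}


if __name__ == "__main__":
    offline = lambda _name: SAMPLE_ADDRS  # stand-in for live DNS in this demo
    print(expand_rule(10000, f"allow tcp from any to {SAMPLE_NAME} smtp setup", SAMPLE_NAME, offline))
    print(dns_drift(SAMPLE_LOADED, SAMPLE_NAME, offline))
```

Run the drift check from cron against `ipfw list` output to learn when a name-derived rule has quietly stopped matching the hosts it was written for.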
