IP Firewalling by DNS name

[Oliver Fromme]

Ivan Voras <ivoras at fer.hr> wrote:
 > Is it possible to use ipfw to filter packets by domain name?

No.  That would required the IPFW code to perform reverse
DNS lookups, which isn't really feasable.

(In theory you could write a small filter program that
receives the ssh setup packets via an IPFW divert(4) rule.
However, DNS lookups can take a significant amount of time
which could probably interfere adversely with the TCP
retransmission timeout of the setup (SYN) packets.  But
I could be wrong.)

 > What I need it for: I'd like to allow ssh logins only from a specific 
 > TLD (by reverse lookup...) - maybe there's another way?

If there's a limited number of IP addreses or subnets
within that TLD that you want to allow access, then use
those addresses in IPFW rules.

Another way is to use the TCP wrapper, see hosts_access(5).
However, be aware that this is working at a higher level
than IPFW.

If you want to control logins to a single account only
(which is under your control), you could use public-key-
authentication and put the TLD with your public key in the
~/.ssh/authorized_keys file, like this:

   from="*.org" ssh-dss ... <your key>

and disable password authentication alltogether.  Then you
can only login with your private key _and_ from that TLD.

If it's not your own account and you don't trust the user,
then change his ~/.ssh/authorized_keys file like above,
and then set the system-immutable flags on the file _and_
on the directory ("chflags schg ...").  (Note that chmod
and chown will not be sufficient, because the use can still
rename the ~/.ssh directory and create a new one.)

Best regards
   Oliver


-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If Java had true garbage collection, most programs
would delete themselves upon execution."
        -- Robert Sewell