IP Firewalling by DNS name

Oliver Fromme olli at lurza.secnetix.de
Tue May 31 08:29:58 PDT 2005

Ivan Voras <ivoras at fer.hr> wrote:
 > Igor Robul wrote:
 > > Ivan Voras wrote:
 > > > What I need it for: I'd like to allow ssh logins only from a specific 
 > > > TLD (by reverse lookup...) - maybe there's another way?
 > > 
 > > /etc/hosts.allow
 > > man 5 hosts_access
 > How safe is it?

It works in userland, so it only kicks in after the TCP
connection has already been established.  IPFW works in
the kernel on a packet level, so it kicks in much earlier.

Whether it's safe enough for you is up to you to decide.

 > As I understand it, sshd actually accepts connections 
 > prior to checking hosts.allow?

Yes, the connection is accepted first, because there is
no information available about it before it is accepted.
But if the check fails, the connection will be closed

 > In hosts.allow, there's an example for sshd but it contains:
 > # Wrapping sshd(8) is not normally a good idea, but if you
 > # need to do it, here's how
 > #sshd : .evil.cracker.example.com : deny
 > Why it's not a good idea? :)

There are several reasons.  First, it relies on DNS, which
is not necessarily a good idea.  If someone can spoof your
DNS (which is not as difficult as many people think it is),
you're toast.

Second, SSH provides authentication mechanisms which are
much more secure, such as public key authentication.
Also, SSH uses host keys for identification, so you don't
have to rely on DNS.

However, in your case I think it's OK to use TCP wrapper,
because you want to use that in _addition_ to the usual SSH
authentication (for pre-filtering, so to speak), but not to
replace it.  Just keep in mind that DNS results might not
be reliable.

Best regards

Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I made up the term 'object-oriented', and I can tell you
I didn't have C++ in mind."
        -- Alan Kay, OOPSLA '97

More information about the freebsd-stable mailing list