Date: Thu, 16 Mar 2000 14:28:17 -0800 (PST)
From: Kris Kennaway <kris@FreeBSD.org>
To: bwoods2@uswest.net
Cc: Mike Tancsa <mike@sentex.ca>, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW...1 more question.....
Message-ID: <Pine.BSF.4.21.0003161424390.92566-100000@freefall.freebsd.org>
In-Reply-To: <XFMail.000316121228.wwoods@cybcon.com>
On Thu, 16 Mar 2000, William Woods wrote:

> Hmmmm, well, I have a list of .com's that I want to block access totally, what
> would be the most effective way then, .htaccess would just block web, and I
> want a bit more totality than that.

Blocking based on DNS source address is quite unreliable, since if e.g. aol control their DNS servers they could just assign their machine another reverse DNS name (e.g. happy.friendly.com), and pass your access restrictions.

Further, your ipfw example wouldn't even block based on the DNS names, but would block based on whatever IP address aol.com happened to resolve to at the time.

DNS is also an insecure protocol.

The bottom line is that you should always do access control based on IP addresses, not DNS addresses.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
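The two failure modes Kris describes, as an added illustration that is not part of the thread: a hostname in a firewall rule is resolved once at install time and the rule keeps only the addresses it got, and a reverse-DNS (PTR) check can be satisfied by whoever controls the reverse zone simply renaming the host, whereas a CIDR check on the source address depends on nothing the remote party controls. The "zone" data, the hostnames and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed placeholders so the script runs offline; the function names are this example's own, not ipfw's.

```python
"""Address-based vs name-based access control (added example, not from the thread).

All DNS data below is constructed in-process; the names and addresses are
placeholders (documentation ranges), not real records.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed zone data standing in for the public DNS.  Whoever controls a
# zone can change its forward (A) and reverse (PTR) records at will.
FORWARD: Dict[str, List[str]] = {"aol.com": ["192.0.2.10", "192.0.2.11"]}
REVERSE: Dict[str, str] = {"192.0.2.10": "x.aol.com", "192.0.2.11": "y.aol.com"}


def expand_hostname_rule(hostname: str, forward: Dict[str, List[str]]) -> List[str]:
    """Mimic a firewall installing `deny ip from aol.com to any`: the name is
    resolved once, at install time, and only the resulting addresses are kept.
    Later changes to the zone are not reflected in the installed rules."""
    return [f"deny ip from {addr} to any" for addr in forward.get(hostname, [])]


def denied_by_address(src: str, deny_prefixes: Iterable[str]) -> bool:
    """Address-based check: match the packet's source IP against CIDR prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in deny_prefixes)


def denied_by_reverse_name(src: str, reverse: Dict[str, str], deny_suffixes: Iterable[str]) -> bool:
    """Name-based check: look up the PTR record for the source address and compare
    it with blocked domain suffixes.  The PTR record is set by the owner of the
    reverse zone for that address, i.e. the party you are trying to block."""
    name = reverse.get(src, "")
    return any(name == s or name.endswith("." + s) for s in deny_suffixes)


def demo() -> Dict[str, bool]:
    """Run both scenarios on private copies of the constructed zone data."""
    forward = {k: list(v) for k, v in FORWARD.items()}
    reverse = dict(REVERSE)

    # 1. A hostname in a rule is a snapshot of its addresses at install time.
    installed = expand_hostname_rule("aol.com", forward)
    forward["aol.com"] = ["198.51.100.5"]            # zone owner moves the host
    rules_are_snapshot = expand_hostname_rule("aol.com", forward) != installed

    # 2. A PTR-based check is bypassed by renaming; an address check is not.
    name_denied_before = denied_by_reverse_name("192.0.2.10", reverse, ["aol.com"])
    reverse["192.0.2.10"] = "happy.friendly.com"     # same machine, new PTR
    name_denied_after = denied_by_reverse_name("192.0.2.10", reverse, ["aol.com"])
    addr_denied = denied_by_address("192.0.2.10", ["192.0.2.0/24"])

    return {
        "rules_are_snapshot": rules_are_snapshot,   # True
        "name_denied_before": name_denied_before,   # True
        "name_denied_after": name_denied_after,     # False: renamed host slips through
        "addr_denied": addr_denied,                 # True: CIDR match still holds
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence is the one the message draws: write deny rules as addresses or prefixes (the `denied_by_address` form), and treat any hostname that appears in a rule as a one-time snapshot that needs re-checking whenever the target's records may have changed.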