Date: Fri, 22 Aug 2003 20:11:04 -0700 (PDT)
From: Kelly Yancey <kbyanc@posi.net>
To: Marcin Gryszkalis <mg@fork.pl>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: hostnames resolving problem
Message-ID: <20030822200153.V84903-100000@gateway.posi.net>
In-Reply-To: <3F466D3B.9090406@fork.pl>
On Fri, 22 Aug 2003, Marcin Gryszkalis wrote:

> On 2003-08-22 01:38, Antonio Torres wrote:
> >> (I'm using ipfw2 on 4-STABLE). The ipfw resolves name to
> >> *first* ip assigned to the name - but I expect to have *all*
> >> ip addresses in the rule. eg.
>
> > the "name to IP" feature only applies at rule load !
> > i.e. when, and only when, the ipfw rule is loaded the name is translated
> > to IP...
> >
> > look on `man ipfw` for "me" clause (me= my IP address)...
>
> yes, I know that - but - isn't my question/description clear?
> Maybe I'll extend the example.
>
> I issue following command:
>
> # ipfw add 10000 allow tcp from any to smtp.o2.pl smtp setup
>
> Current result is that following rule is loaded:
>
> 10000 allow tcp from any to 212.126.20.58 dst-port 25 setup
>
> Expected result is following:
>
> 10000 allow tcp from any to 212.126.20.58, 212.126.20.60, 212.126.20.61 dst-port 25 setup
>
> (the name smtp.o2.pl has 3 IP addresses assigned)
>

The name resolution feature is already questionable: if the DNS mapping
changes, should the firewall rule somehow be magically updated? I mean, you
*did* ask for packets to be allowed to smtp.o2.pl didn't you? The feature
you are requesting would reinforce the notion that a name is being used as
the identifier for the host(s), when in fact it is not. For example, what if
Akamai's servers are authoritative for the domain: you might get a different
set of hosts depending on where the box was sitting. IPs are the unique
identifiers for hosts; use those. If you change your DNS, you'll have to
change your firewall either way; this way you won't be lulled into thinking
you don't have to.

  Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org}
Visit the BSD driver database: http://www.posi.net/freebsd/drivers/
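As an added example that is not part of this thread and not ipfw's own code: the two points above (ipfw snapshots only the first address at rule-load time, and a rule keyed on a name silently goes stale when DNS changes) can both be handled by resolving the name yourself, emitting one explicit rule per address, and keeping the resolved list so a later check can flag drift. The script assumes the ipfw2 syntax quoted in the thread ("allow tcp from any to ADDR dst-port 25 setup"); the `/var/db/...` path in the usage comments is a made-up example path, and the address values in the test are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from ipfw: generate ipfw rules from
# an explicit address list instead of letting ipfw resolve a name at load
# time, and detect when DNS has drifted away from what the rule set records.
# Assumes the ipfw2 syntax quoted in the thread; any file path mentioned in
# the comments is a placeholder chosen for this example.

# The only network-dependent step, kept separate so the rest runs offline.
# Prints every IPv4 address of the name in $1, one per line.
resolve_ipv4() {
    if command -v host >/dev/null 2>&1; then
        host -t A "$1" | awk '/has address/ { print $NF }'
    else
        getent hosts "$1" | awk '{ print $1 }'
    fi
}

# Read addresses from stdin and emit one complete "ipfw add" command per
# address. $1 = rule number, $2 = destination port. One rule per address
# works on both ipfw1 and ipfw2, so the ipfw2 comma-list form is not needed.
gen_rules() {
    rulenum="$1"; port="$2"
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf 'ipfw add %s allow tcp from any to %s dst-port %s setup\n' \
            "$rulenum" "$addr" "$port"
    done
}

# Compare the address list recorded when the rules were generated ($1) with
# a fresh resolution ($2); both are newline-separated strings. Prints "+addr"
# for addresses DNS now returns that the firewall lacks and "-addr" for
# addresses the firewall allows that DNS no longer returns. Exit status is 1
# on any drift, 0 when the two lists match (order is ignored).
diff_addrs() {
    old=$(mktemp) && new=$(mktemp) || return 2
    printf '%s\n' "$1" | grep . | sort -u > "$old"
    printf '%s\n' "$2" | grep . | sort -u > "$new"
    comm -13 "$old" "$new" | sed 's/^/+/'
    comm -23 "$old" "$new" | sed 's/^/-/'
    rc=0
    cmp -s "$old" "$new" || rc=1
    rm -f "$old" "$new"
    return $rc
}

# Typical use (needs DNS), for the host discussed in the thread; the
# /var/db path is just an example location for the recorded list:
#   resolve_ipv4 smtp.o2.pl | tee /var/db/smtp.o2.pl.addrs \
#       | gen_rules 10000 25 | sh
# Later, e.g. from cron, flag drift between the recorded list and live DNS
# so the rules are regenerated deliberately rather than assumed current:
#   diff_addrs "$(cat /var/db/smtp.o2.pl.addrs)" "$(resolve_ipv4 smtp.o2.pl)" \
#       || logger -t fwcheck "smtp.o2.pl addresses changed; regenerate rules"
```

The generator and the drift check are deliberately separated from the resolver: the rule set then records exactly which addresses were allowed, and the check reports what changed rather than letting a reload quietly swap in whatever DNS returns that day.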