Date:      Fri, 23 Aug 2002 15:39:35 +0100
From:      Marc Silver <marc.silver@uk.easynet.net>
To:        Jacques Perrolle <yellow@RadOnc.Duke.EDU>
Cc:        questions@FreeBSD.org
Subject:   Re: IPFW
Message-ID:  <20020823143935.GG73684@uk.easynet.net>
In-Reply-To: <7CDFAC86-B6A5-11D6-B3F4-003065B4FE54@radonc.duke.edu>
References:  <7CDFAC86-B6A5-11D6-B3F4-003065B4FE54@radonc.duke.edu>

On Fri, Aug 23, 2002 at 10:34:53AM -0400, Jacques Perrolle wrote:
> Isn't it dangerous to have a firewall that allows the use of domain 
> names, forcing it to resolve them with DNS?  This just begs for someone 
> to DNS spoof it, rendering the firewall virtually worthless.  

You seem to answer your own question.  Yes, it is bad practice to use
hostnames in your ruleset... since it opens you up to spoofing,
injection etc...  Static IP addresses only as far as I'm concerned
should be used.

> Also, apparently the rules that I create aren't static?  I encountered
> this yesterday when my main DNS was having a hiccup and the firewall
> rules on all my machines running IPFW were suddenly completely
> changed, replaced with root.register.com IP addresses.  Is there
> some way I've missed in all the docs to keep my rules in effect no
> matter what?

Not sure how they changed... your ruleset should never change.  If
you're really paranoid, you could always set securelevel to 3 to ensure
that anyway... :)  

- Marc
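A defender-side check for the point Marc makes above, added here as an example that is not part of the original thread: it lints an ipfw(8)-style ruleset for from/to addresses that would have to be resolved through DNS. The sample rules, hostnames and the awk lint are constructed; it recognises only IPv4 literals, CIDR blocks, `any`/`me` and `table(...)` references, which is an assumption about what counts as a static address, not ipfw's own grammar.

```shell
#!/bin/sh
# Constructed sample ruleset in ipfw(8) syntax. Rules 200 and 300 carry
# hostnames (the weak setting); 400 is the corrected static-address form.
SAMPLE_RULES='add 100 allow ip from any to any via lo0
add 200 allow tcp from any to ns1.example.org 53
add 300 allow udp from resolver.example.net 53 to me
add 400 allow tcp from 192.0.2.0/24 to 198.51.100.7 22
add 500 deny ip from any to any'

# Print "<rule-number> <token>" for every from/to address that is not an
# IPv4 literal, a CIDR block, any, me, or a table() reference. Anything
# else is a name ipfw would resolve with DNS when the rule is loaded.
find_hostname_rules() {
    printf '%s\n' "$1" | awk '
        function is_static(t) {
            return t == "any" || t == "me" || t ~ /^table\(/ ||
                   t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/
        }
        $1 == "add" {
            for (i = 1; i < NF; i++) {
                if ($i != "from" && $i != "to") continue
                addr = $(i + 1)
                if (addr == "not") addr = $(i + 2)   # "from not 10/8"
                if (!is_static(addr)) print $2, addr
            }
        }'
}

# Number of rules that depend on DNS resolution (0 means the ruleset is static).
hostname_rule_count() {
    find_hostname_rules "$1" | wc -l | tr -d ' '
}

if [ "$(hostname_rule_count "$SAMPLE_RULES")" -ne 0 ]; then
    echo "ruleset depends on DNS resolution:" >&2
    find_hostname_rules "$SAMPLE_RULES" >&2
fi
```

Run it against a real rc.firewall fragment by replacing SAMPLE_RULES; a non-zero count is the condition the thread warns about.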
