Hi.

On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote
> * This is inconsistent with iptables. "iptables -A INPUT -p tcp
> --dport 22 -s badhost.example.com -j REJECT" might also fail to
> reject an incoming connection under similar DNS-related conditions.
> It would be clearly wrong for sshd to second-guess and parse iptables
> rules, and make its own decision based on its own reverse DNS query
> matching hostnames found in those iptables rules. Why is it OK to
> second guess tcp wrappers but not iptables?

Wait a second. iptables does not support hostnames the same way tcpwrappers does. The userspace component may, but name resolution is done on rule creation, not on rule matching later on.
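The distinction drawn in the reply above, as an added example that is not part of the original message: a simplified Python model of a rule whose hostname is resolved once at creation versus a hostname check that does a lookup on every connection. `FakeDNS`, the function names and the 192.0.2.x addresses are constructed for illustration; this is not iptables or tcp wrappers code.

```python
# Added illustration: constructed DNS data, not real iptables or tcp wrappers code.
import ipaddress

class FakeDNS:
    """Constructed in-memory resolver standing in for real DNS (assumption)."""
    def __init__(self, forward):
        self.forward = dict(forward)   # hostname -> list of IP strings
        self.up = True
    def resolve(self, name):
        if not self.up:
            raise LookupError("DNS unavailable")
        return list(self.forward.get(name, []))
    def reverse(self, ip):
        if not self.up:
            raise LookupError("DNS unavailable")
        for name, ips in self.forward.items():
            if ip in ips:
                return name
        return None

def compile_rule(dns, host):
    """Packet-filter style: resolve once at rule creation, keep addresses only."""
    return frozenset(ipaddress.ip_address(a) for a in dns.resolve(host))

def packet_filter_rejects(rule_addrs, src_ip):
    """Match time: pure address comparison, no DNS involved."""
    return ipaddress.ip_address(src_ip) in rule_addrs

def wrapper_rejects(dns, denied_host, src_ip):
    """Wrapper style (simplified): look up the client's name on every connection."""
    try:
        return dns.reverse(src_ip) == denied_host
    except LookupError:
        return False  # name unknown, so a hostname pattern cannot match

def demo():
    host, ip = "badhost.example.com", "192.0.2.10"
    dns = FakeDNS({host: [ip]})
    rule = compile_rule(dns, host)
    out = {"initial": (packet_filter_rejects(rule, ip), wrapper_rejects(dns, host, ip))}
    dns.up = False                          # resolver outage at connection time
    out["dns_down"] = (packet_filter_rejects(rule, ip), wrapper_rejects(dns, host, ip))
    dns.up = True
    dns.forward[host] = ["192.0.2.99"]      # record changes after rule creation
    out["renumbered"] = (packet_filter_rejects(rule, "192.0.2.99"),
                         wrapper_rejects(dns, host, "192.0.2.99"))
    return out

if __name__ == "__main__":
    print(demo())
```

Each tuple is (packet-filter result, wrapper result): the stored-address rule is unaffected by a resolver outage at connection time but goes stale when the record changes, while the per-connection lookup behaves the opposite way.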