Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote
>
> > * This is inconsistent with iptables. "iptables -A INPUT -p tcp
> > --dport 22 -s badhost.example.com -j REJECT" might also fail to
> > reject an incoming connection under similar DNS-related conditions.
> > It would be clearly wrong for sshd to second-guess and parse iptables
> > rules, and make its own decision based on its own reverse DNS query
> > matching hostnames found in those iptables rules. Why is it OK to
> > second-guess tcp wrappers but not iptables?
>
> Wait a second. iptables does not support hostnames the same way
> tcpwrappers does. The userspace component may, but name resolution is
> done on rule creation, not on rule matching later on.

Yes, that is why I said "similar DNS-related conditions". In the case
of iptables it would be cases like forward resolver different from
reverse, or secondary IP from forward resolver, or if the IP address
referenced changed since iptables parsing, or if the DNS server failed
during iptables parsing.
Warren Togami
wtogami@xxxxxxxxxx
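The two resolution strategies argued over above (iptables resolving a hostname once when the rule is installed, tcp_wrappers reverse-resolving the peer at connect time and forward-confirming the result) can be simulated side by side. The following is an added example, not code from this thread, from iptables or from tcp_wrappers: the resolver is a constructed in-memory snapshot (the `FakeDns` class, the hostname `badhost.example.com` and the 198.51.100.0/24 and 203.0.113.0/24 documentation addresses are all assumptions), and each `scenario_*` function reproduces one of the DNS conditions Warren lists, returning whether the iptables-style rule and the tcp_wrappers-style rule would actually reject the connection.

```python
"""Constructed simulation of hostname-based reject rules (added example, not
the list's code). Nothing here touches the network: all DNS answers come
from an in-memory snapshot so the failure modes are reproducible offline."""


class DnsFailure(Exception):
    """Raised when the (simulated) resolver is unavailable."""


class FakeDns:
    """A frozen snapshot of forward (A) and reverse (PTR) records."""

    def __init__(self, forward, reverse, down=False):
        self.forward = forward    # name -> list of IPs (A records)
        self.reverse = reverse    # ip -> name (PTR record)
        self.down = down          # simulate an unreachable resolver

    def lookup_a(self, name):
        if self.down:
            raise DnsFailure("forward lookup failed")
        return list(self.forward.get(name, []))

    def lookup_ptr(self, ip):
        if self.down:
            raise DnsFailure("reverse lookup failed")
        return self.reverse.get(ip)


def iptables_rule(hostname, dns):
    """iptables-style: resolve ONCE at rule creation and freeze the result.
    If the resolver is down, the rule cannot be installed at all."""
    return frozenset(dns.lookup_a(hostname))


def iptables_rejects(rule_ips, peer_ip):
    """Kernel-side match against the frozen address set, no DNS involved."""
    return peer_ip in rule_ips


def tcpwrappers_rejects(hostname, peer_ip, dns):
    """tcp_wrappers-style: reverse-resolve the peer at connect time and only
    accept the name if a forward lookup confirms it (the PARANOID check).
    A name that cannot be confirmed never matches a hostname rule."""
    try:
        ptr = dns.lookup_ptr(peer_ip)
        if ptr is None:
            return False
        if peer_ip not in dns.lookup_a(ptr):
            return False   # reverse name not confirmed by forward lookup
    except DnsFailure:
        return False       # resolver down at connect time: no name, no match
    return ptr.lower() == hostname.lower()


HOST = "badhost.example.com"   # assumed hostname used in the reject rule


def scenario_forward_reverse_mismatch():
    """Forward resolver differs from reverse: A says 198.51.100.5, but the
    PTR for that address names a different host."""
    dns = FakeDns({HOST: ["198.51.100.5"],
                   "cdn-node.example.net": ["198.51.100.5"]},
                  {"198.51.100.5": "cdn-node.example.net"})
    rule = iptables_rule(HOST, dns)
    return (iptables_rejects(rule, "198.51.100.5"),
            tcpwrappers_rejects(HOST, "198.51.100.5", dns))


def scenario_secondary_ip():
    """Secondary IP from the forward resolver: two A records, PTR only for
    the first, connection arrives from the second."""
    dns = FakeDns({HOST: ["198.51.100.5", "198.51.100.6"]},
                  {"198.51.100.5": HOST})
    rule = iptables_rule(HOST, dns)
    return (iptables_rejects(rule, "198.51.100.6"),
            tcpwrappers_rejects(HOST, "198.51.100.6", dns))


def scenario_ip_changed_after_install():
    """The address changed after the iptables rule was parsed; the frozen
    set is stale, while the connect-time check sees the current records."""
    at_install = FakeDns({HOST: ["198.51.100.5"]}, {"198.51.100.5": HOST})
    rule = iptables_rule(HOST, at_install)
    now = FakeDns({HOST: ["203.0.113.9"]}, {"203.0.113.9": HOST})
    return (iptables_rejects(rule, "203.0.113.9"),
            tcpwrappers_rejects(HOST, "203.0.113.9", now))


def scenario_resolver_down_at_install():
    """DNS server failed during iptables parsing: the rule never gets in."""
    try:
        iptables_rule(HOST, FakeDns({}, {}, down=True))
    except DnsFailure:
        return "rule not installed"
    return "rule installed"


if __name__ == "__main__":
    for fn in (scenario_forward_reverse_mismatch, scenario_secondary_ip,
               scenario_ip_changed_after_install, scenario_resolver_down_at_install):
        print(f"{fn.__name__}: {fn()}")
```

Each tuple is `(iptables rejects, tcp_wrappers rejects)`. The first two scenarios are the ones where the connect-time hostname check fails to reject while the frozen rule still does; the third is the reverse, and the fourth shows the install-time failure mode that a once-resolved rule has and a connect-time check does not. Either way, a hostname in a reject rule is only as reliable as the DNS data it is evaluated against at the moment of evaluation.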
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list