Re: Dynamic DNS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 9 Mar 2005, Kenneth Kalmer wrote:

> On Wed, 09 Mar 2005 08:29:23 +0200, Brent Clark
> <bclark@xxxxxxxxxxxxxxxxxxxx> wrote:
>> Sebastian Docktor wrote:
>>> Hi,
>>>
>>> I want to allow a Dynamic DNS client to access the SSH server
>>> on my firewall. But I don't want to open SSH for all IPs.
>>> Is it possible that iptables always looks up the IP address from the
>>> hostname, so that only the IP has access which is registered under
>>> the DynDNS?
>>
>> Hi
>>
>> This may be a ridiculous suggestion.
>>
>> How about basing it on MAC address.
>>
>> Stupid I know.
>>
>> But it's all I could think of.
>>
>> Brent Clark
>
> I'm not too sure either, but I do know that iptables resolves the names the
> moment the rule is added, not again. Unless you run the rule every minute
> to make sure it's updated constantly.
>
> Can't you set up SSHD to only allow connections from certain hosts?
> Then again sshd might use the reverse lookup of the IP, which isn't
> always the DynDNS name...
>
> Will you let us know how you achieve this?



Most systems, at least linux based dists now have ssh compiled with tcpd support <also, ssh did, and still should have an access list allowed in the sshd_config file, unless that was removed in openssh due to the tcpd issues>, so the way I might deal with this is to only allow the dynamic address space through via a hosts.allow file with a default deny all in hosts.deny for sshd. Actually, since all the access to/through my firewall comes from static IPs, I do this in both tcpd and iptables with a list of allowed hosts at present and in the recent past. This gives me two layers of protection should the firewall be taken down, or not come up and all that.



This issue is easiest if you know up front what the dyn address space consists of <you control the dynamic address space>, it is tougher if one has to guess at the low and top ends of what addresses might get passed to systems on boot.


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com


...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCL3o0st+vzJSwZikRAu5RAJ9eOStR8ujT7TFthrJ2SXmElndCrACgyjFt
jm3SWenK9jyHU1NQ7xHNLA0=
=TXR9
-----END PGP SIGNATURE-----
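Both points raised in the thread, Kenneth's observation that iptables resolves a hostname once at rule-insertion time (so the rule has to be refreshed periodically), and Ron's suggestion of a tcp_wrappers hosts.allow entry with a default deny in hosts.deny, can be combined in one small cron job. The following script is an added example written for this page, not code posted by anyone in the thread. It assumes a dedicated iptables chain named SSH_DYNDNS that INPUT jumps to (hypothetical name), a state file path of /var/run/ssh_dyndns.ip (hypothetical), and that it is run every minute from cron with the DynDNS hostname as its only argument. The iptables argument lists and the hosts.allow line are built by pure functions so they can be inspected without touching the system.

```python
#!/usr/bin/env python3
"""Keep an SSH allow-rule in sync with a Dynamic DNS hostname.

Added example for the netfilter thread above; not the project's or the
thread authors' code. Run from cron, e.g. every minute:
    * * * * * /usr/local/sbin/ssh_dyndns.py client.example.dyndns
"""
import ipaddress
import socket
import subprocess
import sys
from pathlib import Path

STATE_FILE = Path("/var/run/ssh_dyndns.ip")   # hypothetical: last IP we allowed
HOSTS_ALLOW = Path("/etc/hosts.allow")        # real tcp_wrappers file
CHAIN = "SSH_DYNDNS"                          # hypothetical chain INPUT jumps to
MARKER = "# managed-by-ssh-dyndns"            # comment line preceding our rule


def resolve_ipv4(hostname):
    """Return the first A record for hostname, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def is_valid_ipv4(text):
    """Accept only a single, routable IPv4 host address.

    A DNS answer of 0.0.0.0, a loopback, multicast or reserved address must
    never end up in an ACCEPT rule, so these are rejected explicitly.
    """
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_loopback or addr.is_multicast
                or addr.is_reserved or addr.is_link_local)


def iptables_commands(old_ip, new_ip, chain=CHAIN):
    """Plan the iptables calls that move the allow-rule from old_ip to new_ip.

    Returns a list of argv lists, empty when nothing changed. The new rule is
    inserted before the old one is deleted so there is no window in which the
    administrator's current address is blocked.
    """
    if old_ip == new_ip:
        return []
    rule = ["-p", "tcp", "--dport", "22", "-j", "ACCEPT"]
    cmds = [["iptables", "-I", chain, "1", "-s", new_ip] + rule]
    if old_ip:
        cmds.append(["iptables", "-D", chain, "-s", old_ip] + rule)
    return cmds


def update_hosts_allow(contents, ip, marker=MARKER):
    """Rewrite hosts.allow text so exactly one marker+sshd line carries ip.

    Other entries are kept untouched; the rule we own is identified by the
    marker comment on the line before it (tcp_wrappers only treats whole
    lines starting with '#' as comments). Pair with 'sshd: ALL' in hosts.deny.
    """
    kept, skip_next = [], False
    for line in contents.splitlines():
        if skip_next:            # drop the sshd line that followed our marker
            skip_next = False
            continue
        if line.strip() == marker:
            skip_next = True
            continue
        kept.append(line)
    kept += [marker, f"sshd: {ip}"]
    return "\n".join(kept) + "\n"


def main(hostname):
    new_ip = resolve_ipv4(hostname)
    if new_ip is None or not is_valid_ipv4(new_ip):
        # A DNS hiccup must neither lock the admin out nor widen access:
        # leave the existing rule exactly as it is.
        print(f"{hostname}: no usable A record, rules left unchanged", file=sys.stderr)
        return 1
    old_ip = STATE_FILE.read_text().strip() if STATE_FILE.exists() else None
    for argv in iptables_commands(old_ip, new_ip):
        subprocess.run(argv, check=True)
    if old_ip != new_ip:
        current = HOSTS_ALLOW.read_text() if HOSTS_ALLOW.exists() else ""
        HOSTS_ALLOW.write_text(update_hosts_allow(current, new_ip))
        STATE_FILE.write_text(new_ip + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Two caveats worth keeping in mind when running something like this: the allow-rule is only as trustworthy as the DNS answer the firewall receives, so it is a second layer on top of key-based authentication rather than a substitute for it, and because the rule lags the DynDNS update by up to one cron interval, the client will see a short refusal window after its address changes.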

