RE: IP Vs DNS

Perhaps instead of reloading the whole table, why not just reload the particular rule? 
E.g.:

1. Ping www.name.com, dump IP into 1st file. Grep should help you here. 
2. Pick up IP from 1st file and use it to write rule. 

3. Ping www.name.com, dump IP into 2nd file.
4. Pick up IP from 2nd file and insert new rules.
5. Using 1st file, delete rules that correspond to 2nd IP.

6. Ping www.name.com, dump IP into 1st file.  
7. Pick up IP from 1st file and use it to write rule. 
8. Using 2nd file, delete rules that correspond to 2nd IP.

You should be able to kick off steps 1,2 yourself, then have scripts do steps 3-5 and 6-8. That way you should limit your downtime and processor usage.

Anthony Sadler
Far Edge Technology
w: (02) 8425 1400
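The per-rule swap sketched in the steps above, written out as an added example (not part of the original post): it resolves the name directly with getent instead of parsing ping output, inserts rules for any new addresses before deleting the rules for addresses that went away, and keeps the "1st file" as a small state file so each run only touches the rules that changed. The INPUT chain, the state-file path, the placeholder host and the option of pointing IPTABLES at echo for a dry run are assumptions.

```shell
#!/bin/sh
# Added example: swap the ACCEPT rule for a DNS name in place instead of
# reloading the whole table. Assumptions: the rule lives in the INPUT chain,
# HOST and STATE are placeholders, and IPTABLES=echo gives a dry run.
HOST="${HOST:-www.name.com}"                 # placeholder host from the thread
STATE="${STATE:-/var/lib/dnsrule/$HOST.ip}"  # the "1st file": IPs currently in the rules
IPTABLES="${IPTABLES:-iptables}"

# Resolve HOST to all of its IPv4 addresses, one per line, sorted.
# getent is used instead of ping/grep so a multi-homed name yields every A record.
resolve_ips() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Print the iptables commands that move from the old address set to the new one.
# Inserts come before deletes so the host is never without an ACCEPT rule,
# and only the changed rules are touched (no flush, no exposure window).
plan_rule_update() {
    old=$1
    new=$2
    for ip in $new; do
        printf '%s\n' $old | grep -qxF -- "$ip" ||
            echo "$IPTABLES -I INPUT -s $ip -j ACCEPT"
    done
    for ip in $old; do
        printf '%s\n' $new | grep -qxF -- "$ip" ||
            echo "$IPTABLES -D INPUT -s $ip -j ACCEPT"
    done
}

# Steps 3-5 / 6-8 of the post as one idempotent run, suitable for cron:
# re-resolve, apply only the differences, then record the new set.
update_rules() {
    new=$(resolve_ips "$HOST")
    if [ -z "$new" ]; then
        echo "no A records for $HOST; leaving existing rules in place" >&2
        return 1
    fi
    old=$(cat "$STATE" 2>/dev/null)
    plan_rule_update "$old" "$new" | while read -r cmd; do
        eval "$cmd" || exit 1          # stop before recording a half-applied change
    done || return 1
    mkdir -p "$(dirname "$STATE")" && printf '%s\n' $new > "$STATE"
}

if [ "${1:-}" = "--apply" ]; then
    update_rules
fi
```

A DNS failure leaves the existing rules and state untouched, so a transient resolver outage does not strip the host's access.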
 
-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of R. DuFresne
Sent: Wednesday, 12 October 2005 10:39 
To: Barry Fawthrop
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: IP Vs DNS 

On Tue, 11 Oct 2005, Barry Fawthrop wrote:

>
> Jim Laurino wrote:
>
>>> Greetings all
>>> 
>>> with an IPTABLES ruleset you can specify an IP address to be 
>>> allowed/blocked
>>> iptables -A INPUT -s 12.12.12.12 -j ACCEPT
>>> 
>>> But can this be done with a DNS name
>>> iptables -A INPUT -s www.name.com -j ACCEPT
>> 
>> 
>> IPTABLES accepts DNS names, but the DNS lookup is performed
>> when the rule is placed in the kernel,
>> not when the rule is evaluated against a packet.
>> The kernel (netfilter) rules use ip address only.
>> 
>> To achieve what you want, I think you would have to
>> update the rule whenever the DNS mapping changed.
>> 
> How can this be done on a per packet basis, where the IP is checked regularly
> or can the table be flushed and reloaded every hour.
> What would be the negative of doing a reload each hour??


During the reload, depending upon how long the rules take to be 
implemented, unless one is careful about things like turning off 
forwarding and such, there is the exposure window of the network behind 
the firewall.  Now if one has a nice, tight and short ruleset, the 
exposure window might be all of two seconds or so, but if one has one of 
them fancy 20,000 rulesets, this exposure window might be a bit broader.

Proper placement of the 'echo "0" > /proc/sys/net/ipv4/ip_forward' and 
'echo "1" > /proc/sys/net/ipv4/ip_forward' commands within the rulesets is 
then all important when recycling the FW.  Another way around this 
might be to down all interfaces during the FW recycle, bringing them up 
after it's complete.  Yet the thing is that DNS changes to sites like 
those mentioned above rarely take place in any hourly let alone daily or 
weekly windows.  Now the real question is, can one control another site's 
load balancing and DNS features with funky crafting of iptables rules? 
I'm guessing in some cases it works, and in other cases yer hosing lots 
of attempts to reach a site that is not single hosted, depending upon the 
load balancing scheme(s) in place by the site owners.


Then again, what is the real goal of considering limiting to a particular 
machine for a multi-hosted site?  Is one more trustworthy than another?

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>