NFS tcp wrapper situation

Ralf Ertzinger fedora at camperquake.de
Tue Jan 20 22:32:30 UTC 2009


Hi.

On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote

> * This is inconsistent with iptables.  "iptables -A INPUT -p tcp
> --dport 22 -s badhost.example.com -j REJECT" might also fail to
> reject an incoming connection under similar DNS-related conditions.
> It would be clearly wrong for sshd to second-guess and parse iptables
> rules, and make its own decision based its own reverse DNS query
> matching hostnames found in those iptables rules.  Why is it OK to
> second guess tcp wrappers but not iptables?

Wait a second. iptables does not support hostnames the same way
tcpwrappers does. The userspace component may, but name resolution is
done on rule creation, not on rule matching later on.
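To make the distinction above concrete, here is an added toy model (not code from this thread, and the DNS table is constructed): one policy resolves the hostname when the rule is created, as the iptables userspace tool does, the other reverse-resolves the peer address when a connection arrives, as tcp_wrappers does. The second scenario, where the host moves to a new address, goes slightly beyond the text to show the asymmetry in both directions.

```python
"""Toy model of hostname-based filtering: resolve-at-creation vs resolve-at-match."""
import ipaddress

# Constructed fake resolver; mutated below to model DNS changing over time.
DNS = {
    "forward": {"badhost.example.com": ["203.0.113.10"]},
    "reverse": {"203.0.113.10": "badhost.example.com"},
}


def iptables_add_rule(hostname, rules):
    """iptables style: the hostname is resolved once, when the rule is added,
    and one address-based rule is stored per A record. Later DNS changes
    neither widen nor narrow the rule."""
    for ip in DNS["forward"][hostname]:
        rules.append(ipaddress.ip_address(ip))
    return rules


def iptables_match(rules, src_ip):
    """Packet matching compares addresses only; no DNS is consulted."""
    return ipaddress.ip_address(src_ip) in rules


def tcpwrappers_match(deny_hostnames, src_ip):
    """tcp_wrappers style: reverse-resolve the connecting address at match
    time, so the decision depends on the state of DNS at that moment."""
    return DNS["reverse"].get(src_ip) in deny_hostnames


def scenario():
    """Returns (iptables_rejects, tcpwrappers_rejects) for each situation."""
    rules = iptables_add_rule("badhost.example.com", [])
    deny = {"badhost.example.com"}
    out = {"initial": (iptables_match(rules, "203.0.113.10"),
                       tcpwrappers_match(deny, "203.0.113.10"))}
    # DNS change 1: the PTR record for the original address disappears.
    DNS["reverse"].pop("203.0.113.10")
    out["ptr_removed"] = (iptables_match(rules, "203.0.113.10"),
                          tcpwrappers_match(deny, "203.0.113.10"))
    # DNS change 2: the host moves to a new address with a matching PTR.
    DNS["reverse"]["203.0.113.20"] = "badhost.example.com"
    out["host_moved"] = (iptables_match(rules, "203.0.113.20"),
                         tcpwrappers_match(deny, "203.0.113.20"))
    return out
```

The address rule keeps rejecting the original address but never learns the new one, while the reverse-DNS check tracks DNS in both directions, which is exactly why it can be affected by conditions at connection time.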
