[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: NFS tcp wrapper situation



Hi.

On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote

> * This is inconsistent with iptables.  "iptables -A INPUT -p tcp
> --dport 22 -s badhost.example.com -j REJECT" might also fail to
> reject an incoming connection under similar DNS-related conditions.
> It would be clearly wrong for sshd to second-guess and parse iptables
> rules, and make its own decision based its own reverse DNS query
> matching hostnames found in those iptables rules.  Why is it OK to
> second guess tcp wrappers but not iptables?

Wait a second. iptables does not support hostnames the same way
tcpwrappers does. The userspace component may, but name resolution is
done on rule creation, not on rule matching later on.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]