[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: NFS tcp wrapper situation

Ralf Ertzinger wrote:

On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote

* This is inconsistent with iptables.  "iptables -A INPUT -p tcp
--dport 22 -s badhost.example.com -j REJECT" might also fail to
reject an incoming connection under similar DNS-related conditions.
It would be clearly wrong for sshd to second-guess and parse iptables
rules, and make its own decision based its own reverse DNS query
matching hostnames found in those iptables rules.  Why is it OK to
second guess tcp wrappers but not iptables?

Wait a second. iptables does not support hostnames the same way
tcpwrappers does. The userspace component may, but name resolution is
done on rule creation, not on rule matching later on.

Yes, that is why I said "similar DNS-related conditions". In the case of iptables it would be cases like forward resolver different from reverse, or secondary IP from forward resolver, or if the IP address referenced changed since iptables parsing, or if the DNS server failed during iptables parsing.

Warren Togami
wtogami redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]