NFS tcp wrapper situation

Warren Togami wtogami at redhat.com
Tue Jan 20 22:52:38 UTC 2009


Ralf Ertzinger wrote:
> Hi.
> 
> On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote
> 
>> * This is inconsistent with iptables.  "iptables -A INPUT -p tcp
>> --dport 22 -s badhost.example.com -j REJECT" might also fail to
>> reject an incoming connection under similar DNS-related conditions.
>> It would be clearly wrong for sshd to second-guess and parse iptables
>> rules, and make its own decision based on its own reverse DNS query
>> matching hostnames found in those iptables rules.  Why is it OK to
>> second-guess tcp wrappers but not iptables?
> 
> Wait a second. iptables does not support hostnames the same way
> tcpwrappers does. The userspace component may, but name resolution is
> done on rule creation, not on rule matching later on.
> 

Yes, that is why I said "similar DNS-related conditions".  In the case 
of iptables it would be cases like forward resolver different from 
reverse, or secondary IP from forward resolver, or if the IP address 
referenced changed since iptables parsing, or if the DNS server failed 
during iptables parsing.

Warren Togami
wtogami at redhat.com
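The two matching models being compared above, as an added example that is not part of this thread and not code from tcp_wrappers or iptables. It models a hosts.deny-style rule that resolves the peer at connection time (with a forward-confirmation check modelled on the PARANOID behaviour described in hosts_access(5)) next to an iptables-style rule that resolves the hostname once when the rule is added and thereafter compares addresses only, and runs each against the DNS conditions listed in the reply. The resolver is a constructed in-memory table so it runs offline; badhost.example.com comes from the quoted rule, while other.example.com, the 192.0.2.x addresses and the class and function names are assumptions for illustration.

```python
class DnsError(Exception):
    """Stands in for socket.gaierror / socket.herror in real lookups."""


class FakeResolver:
    """Constructed in-memory DNS (assumption) so the example runs offline.

    forward: name -> list of IPv4 strings (A records)
    reverse: ip -> name (PTR record)
    down:    when True every lookup fails, like an unreachable resolver.
    Real code would call socket.getaddrinfo() and socket.gethostbyaddr().
    """

    def __init__(self, forward, reverse, down=False):
        self.forward = dict(forward)
        self.reverse = dict(reverse)
        self.down = down

    def forward_lookup(self, name):
        if self.down:
            raise DnsError("resolver unreachable")
        if name not in self.forward:
            raise DnsError("NXDOMAIN %s" % name)
        return list(self.forward[name])

    def reverse_lookup(self, ip):
        if self.down:
            raise DnsError("resolver unreachable")
        if ip not in self.reverse:
            raise DnsError("no PTR for %s" % ip)
        return self.reverse[ip]


class TcpWrappersHostRule:
    """hosts.deny-style rule: the hostname is evaluated at connection time."""

    def __init__(self, hostname):
        self.hostname = hostname.lower()

    def matches(self, peer_ip, resolver):
        try:
            name = resolver.reverse_lookup(peer_ip).lower()
            # Forward-confirmation (PARANOID-style) cross check: the PTR name
            # must resolve back to the connecting address, or the client is
            # treated as having no usable hostname.
            if peer_ip not in resolver.forward_lookup(name):
                return False
        except DnsError:
            # No usable hostname means a hostname pattern cannot match, so a
            # deny rule written by hostname silently fails to apply.
            return False
        return name == self.hostname


class IptablesHostRule:
    """'-s badhost.example.com' style rule: resolved once, when the rule is added."""

    def __init__(self, hostname, resolver):
        # The rule cannot be added at all if the name does not resolve now.
        self.addresses = frozenset(resolver.forward_lookup(hostname))

    def matches(self, peer_ip, resolver=None):
        # Matching is purely on addresses; DNS is never consulted again.
        return peer_ip in self.addresses


BAD = "badhost.example.com"  # hostname from the quoted iptables rule


def scenario_forward_reverse_disagree():
    """Forward: badhost -> 192.0.2.10, but the PTR for .10 names another host."""
    dns = FakeResolver({BAD: ["192.0.2.10"], "other.example.com": ["192.0.2.10"]},
                       {"192.0.2.10": "other.example.com"})
    return {"tcp_wrappers": TcpWrappersHostRule(BAD).matches("192.0.2.10", dns),
            "iptables": IptablesHostRule(BAD, dns).matches("192.0.2.10")}


def scenario_address_changed_after_rule_creation():
    """Rule added while badhost was at .10; by connection time it moved to .20."""
    before = FakeResolver({BAD: ["192.0.2.10"]}, {"192.0.2.10": BAD})
    after = FakeResolver({BAD: ["192.0.2.20"]}, {"192.0.2.20": BAD})
    ipt_rule = IptablesHostRule(BAD, before)
    return {"tcp_wrappers": TcpWrappersHostRule(BAD).matches("192.0.2.20", after),
            "iptables": ipt_rule.matches("192.0.2.20")}


def scenario_resolver_down():
    """DNS unreachable: iptables fails closed at add time, tcp_wrappers fails open at match time."""
    dns = FakeResolver({BAD: ["192.0.2.10"]}, {"192.0.2.10": BAD}, down=True)
    try:
        IptablesHostRule(BAD, dns)
        ipt_added = True
    except DnsError:
        ipt_added = False
    return {"tcp_wrappers": TcpWrappersHostRule(BAD).matches("192.0.2.10", dns),
            "iptables_rule_added": ipt_added}


if __name__ == "__main__":
    for fn in (scenario_forward_reverse_disagree,
               scenario_address_changed_after_rule_creation,
               scenario_resolver_down):
        print(fn.__name__, fn())
```

The point the scenarios make is that neither model is free of DNS-dependent failure; they just fail at different times. The connection-time model is fooled by a PTR record the attacker controls or by any resolver outage, and a hostname deny then does not apply. The add-time model is immune to later DNS tricks but goes stale when the address behind the name changes, and cannot be installed at all while the resolver is down.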