--On Friday, October 4, 2002 10:13 AM -0400 Joshua Slive <[EMAIL PROTECTED]> wrote:
> If I understand you correctly, that would be a major change to current
> behavior. I believe that people expect a configuration like
>
> deny from .badguy.com
>
> to allow access from unknown IP addresses (IP addresses that have no
> reverse lookup). Obviously, this is not at all secure, but that is how
> it has always been, and it is the way I would expect it to work.

Yes and no. If I control badguy.com and know that you're denying me based on that, I could remove the reverse mapping from my domain and then I can get in. So, yes, host-based denial is insecure and has almost no hope of true success.

Perhaps we could create a config option that allows for double reverse failures on denials to proceed. But, I think it is worth it to reevaluate what we're doing now...

-- justin
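
Added example, not part of the original message and not Apache's code: a simplified Python model of the behavior discussed above, where a client with no verified reverse lookup is checked against "deny from .badguy.com". The DNS tables are constructed sample data, the suffix match is a simplification, and the fail_closed parameter is a hypothetical stand-in for the config option proposed in the message.

```python
from typing import Optional

# Constructed DNS data using documentation address ranges; not real records.
PTR = {
    "192.0.2.10": "mail.badguy.com",
    "198.51.100.7": "www.example.org",
    "203.0.113.9": "www.example.org",  # PTR names a host whose forward zone disagrees
}
A = {
    "mail.badguy.com": {"192.0.2.10"},
    "www.example.org": {"198.51.100.7"},
}


def double_reverse(ip: str) -> Optional[str]:
    """Return the PTR name only if its forward lookup maps back to ip."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, set()):
        return None
    return name.lower()


def allowed(ip: str, deny_suffix: str, fail_closed: bool) -> bool:
    """Evaluate a single 'deny from <suffix>' rule for one client address.

    fail_closed is hypothetical: False models the long-standing behavior
    (unknown hosts pass a host-based deny), True refuses them instead.
    """
    host = double_reverse(ip)
    if host is None:
        # No verified hostname, so the deny rule cannot be evaluated at all.
        return not fail_closed
    # Simplified match: the rule is a leading-dot domain suffix.
    return not host.endswith(deny_suffix.lower())


if __name__ == "__main__":
    # 192.0.2.11 has no PTR record, as if the reverse mapping had been removed.
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"):
        for mode in (False, True):
            verdict = "allow" if allowed(ip, ".badguy.com", mode) else "deny"
            print(f"{ip:14} fail_closed={mode!s:5} -> {verdict}")
```
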