Seems reasonable. I forgot to copy the list in my original response...

Stuart Remphrey
RMIT ITS Infrastructure Services - Unix Systems
Phone (03) 992 55 070 (or extension 55070)
>>> Rudolph Pereira <[EMAIL PROTECTED]> 05-Oct-06 1:05:38 pm >>>
On Thu, Oct 05, 2006 at 11:44:21AM +1000, Rudolph Pereira wrote:
> On Thu, Oct 05, 2006 at 10:39:28AM +1000, Stuart Remphrey wrote:
> > Is there a reason you can't use IP addresses instead of hostnames in
> > ipf.conf, since the latter may also expose you in the event of a successful
> > DNS attack like DNS cache pollution, ARP/DNS spoof, etc?
> >
> > ie. if possible IP Filter should not trust DNS -- which resolves the
> > start order issue.
>
> Good point, but I think I'd rather have hostnames for maintainability and am
> willing to accept the risk on the DNS insecurity, particularly as I
> (need to) trust the network to the DNS servers and the DNS servers themselves.

Actually, I neglected to mention the main point :), that is: given the current
init script goes to great lengths to allow DNS to work (particularly the bits
working around default-deny), it seems like prohibiting use of DNS in ipf.conf
wasn't the intention of the author(s).

I'm not saying that DNS should or shouldn't be used, just that my patch:
- makes it slightly easier to do so should one want to do it
- fixes what seems to me to be an oversight rather than an intentional security feature

Sorry for not mentioning that in my original post; good to see some response to it nonetheless.

thanks
