> Is it possible to filter on partial domain names? Is anyone working on
> such an extension to IPTables? I realize that there would be a serious
> penalty having to lookup IP addresses, but in this case the sponsor of
> the work is willing to trade off speed for security. The sponsor also
> happens to have a very complete DNS server in close proximity to this
> machine.

You're not trading speed for security there.  You're decreasing both.

I'm not sure what it is you're trying to do but I suspect you could do
this filtering at the application level.

Don't let it fool you into thinking it's more secure though; DNS is UDP
based (in general). If the remote IP addresses are static then just set
up a table with them. If they're dynamic or remote you should probably
be using a VPN or something at the application layer which will give you
strong authentication.

        Stephen
