Hi,

Sebastian Wolfgarten wrote:
> I have a question about (DNS) wildcards in iptables:
>
> Are there plans (or is it already implemented?) to support
> wildcards in iptables? For instance I would like to
> disable network access to a whole domain like
> www.microsoft.com by a rule like "*.microsoft.com",
> is it possible yet? I mean of course I could ban
> their whole network but they seem to use Akamai
> (or however they are called) and I've got so many
> IP addresses of them that I think that would be too
> much. Even a ban of microsoft.* would be great?
> This is not implemented yet, or? Any other ways?

I personally think this is rather difficult, as it would require a reverse DNS mapping in real time. Currently, the name->IP address resolution is done in user space, AFAIK, whereas your solution would require either an IP->name resolution in kernel space, or a zone transfer for microsoft.com in user space (and I doubt MS allows public zone transfers).

Markus
-- 
"Your opinion is repugnant to me, but I would let myself be beaten to death so that you may say it." - Voltaire
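To make Markus's point concrete, here is an added example (not code from the thread or from the iptables project) of what user-space resolution at rule-insert time actually means. Giving iptables a hostname in `-d` makes the iptables binary resolve the name once and insert one rule per address it gets back; the kernel only ever sees those addresses, so a later DNS change, and any other name under the same domain, is not covered. The script below does the same expansion explicitly so the snapshot nature is visible. It assumes `getent(1)` from glibc is available for live resolution; the `203.0.113.x` addresses used in the usage line are constructed from the documentation range, and the `-m comment` match is used only to record which name an address came from.

```sh
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Expands a hostname into the per-address DROP rules that
# "iptables -A OUTPUT -d <hostname> -j DROP" would produce at insert time.

# Resolve a hostname to its IPv4 addresses, one per line.
# Assumption: getent(1) is available (glibc). "ahostsv4" repeats an address
# for each socket type, so deduplicate with sort -u.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Emit one iptables command per address.
#   $1 = hostname (recorded in a comment so the rule can be traced back)
#   $2 = whitespace-separated address list (output of resolve_v4, or a
#        constructed list when running offline)
# Only the addresses known *now* are covered: the kernel never sees the name,
# and nothing here can express "*.example.com".
rules_for() {
    host=$1
    addrs=$2
    for ip in $addrs; do
        printf 'iptables -A OUTPUT -d %s -m comment --comment "%s" -j DROP\n' \
            "$ip" "$host"
    done
}

# Count how many rules a given name expands to; useful to spot names
# that front a CDN and would need dozens of rules.
rule_count() {
    rules_for "$1" "$2" | grep -c -- '-j DROP'
}

# Usage (offline, with constructed addresses from the 203.0.113.0/24
# documentation range; replace the list with "$(resolve_v4 www.example.com)"
# to use the live resolver):
#   rules_for www.example.com "203.0.113.5 203.0.113.6"
```

Run the printed commands through `sh` only after reviewing them; the expansion is a snapshot, so it has to be regenerated whenever the name's addresses change, which for a CDN-fronted host can be frequent.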
