At 08:55 PM 10/6/02 -0700, Liu Mei wrote:
>Doesn't work. :-(

It won't. As I understand ipchains (and iptables -- this message doesn't say enough for me to know which you are using), if you specify a FQN in the -s or -d parts of a rule addition, the FQN gets resolved when the rule is installed, not every time a packet hits that rule. And sites like Yahoo use dynamic address assignment, so the same FQN will resolve to many different IP addresses at different times.
Here's an example, simplified so I could do it quick. First, I ping www.yahoo.com and yahoo.com from my workstation. Here is what I get (edited a bit - the point is to notice the IP addresses):

autovcr@waverly:/usr/share/doc/ipchains$ ping yahoo.com
PING yahoo.com (64.58.79.230): 56 data bytes
64 bytes from 64.58.79.230: icmp_seq=0 ttl=246 time=100.5 ms
[...]
autovcr@waverly:/usr/share/doc/ipchains$ ping www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.83): 56 data bytes
64 bytes from 66.218.71.83: icmp_seq=0 ttl=56 time=20.8 ms

Now I ssh over to another host that does its DNS independently from the first, and I do the same thing:

ray@lazlo:~$ ping yahoo.com
PING yahoo.com (66.218.71.198): 56 data bytes
64 bytes from 66.218.71.198: icmp_seq=0 ttl=246 time=391.1 ms
[...]
ray@lazlo:~$ ping www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.86): 56 data bytes
64 bytes from 66.218.71.86: icmp_seq=0 ttl=56 time=12.3 ms

Although I used two different hosts to speed up construction of the example, the same thing would happen even with hosts that shared a DNS resolver. Dynamic address resolution needs short caching timeouts to work, so the resolver would soon go back and get a new address for this sort of FQN.

As a result, you can't block access to these domains via firewall rulesets. At least not easily; you'd have to specify a large range of addresses to make it work ... I don't know how you'd find ALL the addresses that Yahoo uses -- note that my example turned up 4 different addresses, one on a different /8 network from the other 3.

To do what you want, you need to switch to using a proxy server on the firewall, and blocking ALL direct access. This will let the firewall (or whatever host runs the proxy server) allow or deny access based on URL, not IP address. The well-known proxy servers are Squid and Junkbuster; there has been at least one recent thread about Squid on this list.
>--- [EMAIL PROTECTED] wrote:
>> Try using just the top level domain, i.e. yahoo.com and hotmail.com.
>>
>> I haven't tried that, but it's worth a shot.
>>
>> On Sun, 6 Oct 2002 17:04:35 -0700 (PDT)
>> Liu Mei <[EMAIL PROTECTED]> wrote:
>>> Hi,
>>>
>>> If I only want to allow users to check their email on yahoo or hotmail, how should I set up the firewall?
>>>
>>> Simply using -d www.yahoo.com or -d www.hotmail.com in the rules doesn't work. I guess the reason is that the yahoo mail and hotmail use multiple different IPs while redirecting the users to their emailbox.

--
--------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                              -- Han Solo
Palo Alto, California, USA                          [EMAIL PROTECTED]
-------------------------------------------------------------------------------

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
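An added example, not from Ray's message and not LEAF or Squid code, to make the two rule models above concrete. It simulates a packet-filter rule that expands a hostname to addresses once at install time (the iptables man page states that hostnames are "resolved once only, before the rule is submitted to the kernel") next to a proxy ACL that matches the requested domain on every request, the way Squid's dstdomain does with a leading dot. The addresses are the four from the ping output above; the round-robin resolver, the request hostnames and the `filter_coverage` / `proxy_decisions` helpers are constructed for the example.

```python
"""
Added example: why `-d <hostname>` in an ipchains/iptables rule cannot
block a site served from many changing addresses, and why a proxy ACL
keyed on the requested domain can. All DNS data below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], List[str]]


@dataclass
class PacketFilterRule:
    """Models `iptables -A FORWARD -d <name> -j ACCEPT`: the name is
    expanded to whatever addresses DNS returns at install time, and that
    address set is frozen in the kernel from then on."""
    name: str
    addresses: Set[IPv4Address] = field(default_factory=set)

    @classmethod
    def install(cls, name: str, resolve: Resolver) -> "PacketFilterRule":
        return cls(name, {ip_address(a) for a in resolve(name)})

    def matches(self, dst_ip: str) -> bool:
        return ip_address(dst_ip) in self.addresses


@dataclass
class ProxyAcl:
    """Models `acl mailsites dstdomain .yahoo.com .hotmail.com` in Squid:
    a leading dot means the domain itself and every subdomain of it."""
    domains: List[str]

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for d in self.domains:
            d = d.lower()
            if d.startswith("."):
                bare = d[1:]
                # Compare on label boundaries: 'notyahoo.com' must not
                # match '.yahoo.com', which a plain endswith() would allow.
                if host == bare or host.endswith("." + bare):
                    return True
            elif host == d:
                return True
        return False


def make_resolver(table: Dict[str, List[List[str]]]) -> Resolver:
    """Constructed round-robin resolver: successive lookups of one name
    return successive answer sets, standing in for a short-TTL, load-
    balanced name like www.yahoo.akadns.net."""
    position: Dict[str, int] = {}

    def resolve(name: str) -> List[str]:
        answers = table[name]
        i = position.get(name, 0)
        position[name] = i + 1
        return answers[i % len(answers)]

    return resolve


# Constructed DNS data using the four addresses seen in the message.
DNS_TABLE = {
    "www.yahoo.com": [["66.218.71.83"], ["66.218.71.86"], ["66.218.71.198"]],
    "yahoo.com": [["64.58.79.230"], ["66.218.71.198"]],
}


def filter_coverage(name: str, later_lookups: int = 5) -> float:
    """Install a name-based rule once, then report what fraction of the
    addresses the same name resolves to afterwards the rule still hits."""
    resolve = make_resolver(DNS_TABLE)
    rule = PacketFilterRule.install(name, resolve)
    later = [ip for _ in range(later_lookups) for ip in resolve(name)]
    return sum(rule.matches(ip) for ip in later) / len(later)


def proxy_decisions(requested_hosts: Iterable[str]) -> Dict[str, bool]:
    """Decide each requested hostname against the domain ACL."""
    acl = ProxyAcl([".yahoo.com", ".hotmail.com"])
    return {host: acl.matches(host) for host in requested_hosts}


if __name__ == "__main__":
    for name in DNS_TABLE:
        print(f"rule -d {name}: matches {filter_coverage(name):.0%} of later answers")
    for host, ok in proxy_decisions(["mail.yahoo.com", "notyahoo.com",
                                     "www.hotmail.com.evil.example"]).items():
        print(f"{host:30s} {'allow' if ok else 'deny'}")
```

The real-world counterpart is a Squid config on the LEAF box along the lines of `acl mailsites dstdomain .yahoo.com .hotmail.com`, `http_access allow mailsites`, `http_access deny all`, plus firewall rules that refuse direct port 80/443 traffic from the LAN so the proxy is the only path out. Note the label-boundary check in `ProxyAcl.matches`: a domain suffix test done with a bare endswith() lets `notyahoo.com` through, which is exactly the kind of hole an allow-list for a webmail site must not have.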
