Package: ferm
Version: 2.1-1
Severity: wishlist

Hi,

the appearance of the resolve function and the corresponding warning
in the documentation has made me think about possibilities to make DNS
lookups in packet filter rules a little less dangerous. My idea would
be to add a possibility to give the packet filter rule set the
possibility to judge what to expect from a lookup.

For example, a function @match could be implemented using regexp
and/or Net::Patricia, allowing the code to judge whether the return of
a lookup is reasonable. For example:

 @match(<ip address>,<list of prefixes>)

would return the empty string if ip address is not in any of the
prefixes, and the ip address if ip address is in one of the prefixes,
allowing code like

  proto tcp dport 80 daddr @match(@lookup("www.strato.de"),"2a01:238::/32") ACCEPT;

which will only produce a valid rule if www.strato.de is inside
Strato's IPv6 network. That way, IP address changes inside the
expected range are processed transparently with the system failing to
the safe side (not producing any rule) if the DNS answer is bogus.

Depending on the format of the match string, the function could choose
whether to match IPv4, IPv6 or regular expressions.

Greetings
Marc
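
A prototype of the @match semantics proposed above, written for this
note as an added example (it is not ferm code, and ferm itself is Perl;
this is Python so the behaviour can be run and checked). The function
`match` is an assumption modelled on the proposal: a pattern that parses
as an IPv4 or IPv6 prefix is matched as a prefix, anything else is tried
as a regular expression, and the result is the address on a hit or the
empty string otherwise. `lookup` is a constructed stand-in for @lookup
backed by a fixed table, so the fail-safe case (a DNS answer outside the
expected range produces no rule) can be exercised without real DNS.

```python
import ipaddress
import re


def match(addr, patterns):
    """Return addr if it matches any pattern, else "" (so the rule is dropped).

    Pattern classification (assumption, modelled on the proposal):
      - parses as an IPv4/IPv6 network or address  -> prefix containment check
      - anything else                              -> regular expression on the text
    An empty or unparsable address never matches: a failed or garbage lookup
    must not end up in a rule.
    """
    if not addr:
        return ""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ""
    for pat in patterns:
        try:
            net = ipaddress.ip_network(pat, strict=False)
        except ValueError:
            net = None
        if net is not None:
            # Address family must agree; an IPv4 answer never satisfies an IPv6 prefix.
            if ip.version == net.version and ip in net:
                return addr
            continue
        if re.fullmatch(pat, addr):
            return addr
    return ""


# Constructed stand-in for @lookup: a fixed name -> address table instead of DNS.
FAKE_DNS = {
    "good.example": "2a01:238:1::1",    # inside the expected /32
    "bogus.example": "2001:db8::bad",   # outside it: treat as a wrong/poisoned answer
}


def lookup(name):
    """Return the (constructed) DNS answer for name, "" if there is none."""
    return FAKE_DNS.get(name, "")


def rule(name, prefixes, dport=80):
    """Build the ACCEPT rule from the proposal, or None when @match yields ""."""
    daddr = match(lookup(name), prefixes)
    if not daddr:
        return None  # fail to the safe side: no rule at all
    return f"proto tcp dport {dport} daddr {daddr} ACCEPT;"


if __name__ == "__main__":
    for host in ("good.example", "bogus.example", "missing.example"):
        print(host, "->", rule(host, ["2a01:238::/32"]))
```

Only `good.example` produces a rule; the answer outside Strato's range
and the missing answer both yield None, which is the "not producing any
rule" behaviour the proposal asks for. Mixed IPv4/IPv6 prefix lists and
plain regular expressions go through the same function.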
