On Monday 13 August 2007 11:09:55 Andrew Suffield wrote:
> Whatever you are doing, it sounds like a bad idea. Are you aware that
> DNS responses can be trivially faked by an attacker? There's no
> particular reason to expect the value returned from a DNS query over
> the public internet to be accurate. This sort of thing is only really
> appropriate for local DNS servers, and that doesn't sound like what
> you have here. (And that's before considering that the DNS result
> picked up by shorewall is going to continue being used even when
> somebody else has received that IP address, until shorewall is
> next restarted)
>
> You probably want to create restrictions based on something other than
> the IP address. If you told us more about what you're doing, we might
> have some better ideas.

Hi Andrew,

You are quite correct, I agree with you, it's not really a good idea at all.

End goal in this case was to secure ssh. I only wanted to allow ssh in from the internet from static IPs I know (work) and from my home (which was a dyndns address, hence the problem).

A better way would probably be to secure ssh better, perhaps with ssh rate limiting or something?

I have changed all my rules to only use IPs now as that is better.

Thanks for the feedback.

--
Divan Santana
Skype: DivanSantana
Gtalk/MSN: [EMAIL PROTECTED]
Love God, Love People, Love Life!
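
The stale-resolution problem raised in the quoted reply, as an added example that is not part of the thread or of shorewall: a small model of a firewall that resolves a dynamic-DNS name only at (re)start, listing the intervals in which it still allows the old address and the connections accepted during them. All addresses, times and function names are constructed for illustration.

```python
from bisect import bisect_right

# Constructed sample data (assumed, not from the thread). Times are hours.
# (time the dynamic-DNS record changed, address it pointed to from then on)
DNS_HISTORY = [(0, "198.51.100.10"), (30, "198.51.100.77"), (80, "198.51.100.23")]
# Times the firewall was (re)started, i.e. when it re-resolved the name.
RESTARTS = [0, 48]
# (time, source address) of SSH connections the firewall accepted.
ACCEPTED = [(10, "198.51.100.10"), (35, "198.51.100.10"), (90, "198.51.100.77")]


def address_at(history, t):
    """Address the name pointed to at time t."""
    times = [when for when, _ in history]
    return history[bisect_right(times, t) - 1][1]


def stale_windows(history, restarts, end):
    """Intervals (start, stop, pinned, current) in which the firewall still
    allows `pinned` although the name already points to `current`."""
    windows = []
    for i, started in enumerate(restarts):
        run_end = restarts[i + 1] if i + 1 < len(restarts) else end
        pinned = address_at(history, started)
        # Record changes during this run split it into sub-intervals.
        bounds = [t for t, _ in history if started < t < run_end] + [run_end]
        for begin, finish in zip(bounds, bounds[1:]):
            current = address_at(history, begin)
            if current != pinned:
                windows.append((begin, finish, pinned, current))
    return windows


def accepted_while_stale(windows, accepted):
    """Accepted connections whose source was a pinned address that the name
    no longer pointed to at that moment."""
    return [(t, src) for t, src in accepted
            if any(b <= t < f and src == p for b, f, p, _ in windows)]


if __name__ == "__main__":
    wins = stale_windows(DNS_HISTORY, RESTARTS, end=100)
    for w in wins:
        print("stale %d-%d: allows %s, name is %s" % w)
    print(accepted_while_stale(wins, ACCEPTED))
```

In this constructed timeline the rule is stale for 38 of 100 hours, and two of the three accepted connections come from an address the name had already left.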
