Thanks for your answers everyone.

On Mon 23 Apr 2007 03:59:00 NZST +1200, Rob Terhaar wrote:

> don't think this is possible, or a good idea either.

Whether it's a good idea or not depends on what it's being used for. Authentication by IP is a bad idea, restricting who can connect in the first place and proceed to authentication stage is a further line of defence, and in any case no worse than allowing the whole Internet - except for a DoS condition in case of DNS poisoning. That's a tradeoff decision though, and either direction is valid. Or what am I missing?

The DNS answer could also be sanity-checked (though not with pfsense) if the possible IP range is known.

Using a VPN effectively integrates the client into the server's network - do I really want that? And is the whole Internet allowed to attempt to be a VPN client? That would be no better than the starting position.

Thanks,

Volker

--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.
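The sanity check on the DNS answer mentioned in the message above, as an added example that is not part of the original post: resolve the client's hostname, accept the answer only if every address lies inside the known range, and otherwise keep the previous allowlist. The function names, the hostname, the RFC 5737 documentation range and the keep-the-previous-list policy are all assumptions made for illustration.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the set of addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def sanity_check(answers, expected_ranges):
    """Split DNS answers into (accepted, rejected) against the known ranges."""
    nets = [ipaddress.ip_network(r) for r in expected_ranges]
    accepted, rejected = set(), set()
    for text in answers:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            rejected.add(text)  # not an IP address at all
            continue
        in_range = any(addr.version == n.version and addr in n for n in nets)
        (accepted if in_range else rejected).add(text)
    return accepted, rejected


def refresh_allowlist(hostname, expected_ranges, previous, resolver=resolve):
    """Return (allowlist, status); a suspect answer never replaces the old list."""
    try:
        answers = resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return set(previous), "lookup failed, previous allowlist kept"
    accepted, rejected = sanity_check(answers, expected_ranges)
    if rejected or not accepted:
        # One out-of-range address makes the whole answer untrustworthy.
        return set(previous), "answer outside expected range, previous allowlist kept"
    return accepted, "ok"


if __name__ == "__main__":
    # Constructed sample: the client's ISP is assumed to hand out 203.0.113.0/24.
    ranges = ["203.0.113.0/24"]
    spoofed = lambda name: {"192.0.2.66"}  # constructed out-of-range answer
    print(refresh_allowlist("client.example.net", ranges, {"203.0.113.7"}, spoofed))
```

With this policy a poisoned or failed lookup leaves the firewall table as it was, so the worst case stays the denial-of-service condition the message describes rather than an unknown address being admitted.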
