> TCP/IP doesn't really work that way, in particular people forget that
> packets may take different routes forth and back.
>
> As best as I can tell, all your proposed uses would open you up to
> rather trivial attacks, given a single compromised machine anywhere
> in your DMZ.

I don't understand, the use cases I'm suggesting are as "unsafe" as relying on ACLs with either client.ip or server.ip. I'm suggesting making the alternative to ACLs more convenient, by not having to match addresses or extract the port number with std.port() and relying on an abstract name instead. You have the same problem if anything matching one of your ACLs' trusted addresses is compromised.

Dridi
_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
