# [EMAIL PROTECTED] / 2005-05-31 19:48:33 +0200:
> On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> > Is it possible to use ipfw to filter packets by domain name?
> >
> > What I need it for: I'd like to allow ssh logins only from a specific
> > TLD (by reverse lookup...) - maybe ther
Lowell Gilbert <[EMAIL PROTECTED]> writes:
> Oliver Fromme <[EMAIL PROTECTED]> writes:
>
> > I assume he's not using inetd(8) for ssh (which is not a
> > good idea in general, and it's not the default anyway).
> > Note that sshd(8) supports hosts_access(3) directly without
> > the help of inetd(8
Oliver Fromme <[EMAIL PROTECTED]> writes:
> I assume he's not using inetd(8) for ssh (which is not a
> good idea in general, and it's not the default anyway).
> Note that sshd(8) supports hosts_access(3) directly without
> the help of inetd(8).
I thought someone had specified inetd, but looking a
[EMAIL PROTECTED] wrote:
Access control based on the reverse lookup of an IP address is a
dangerous idea in general. Anyone who manages their own reverse DNS
could bypass the security simply by creating a DNS entry. If someone
controls the in-addr.arpa zone for a particular IP range, they can ma
On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> Is it possible to use ipfw to filter packets by domain name?
>
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?
Access control based on the reverse looku
Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> Oliver Fromme <[EMAIL PROTECTED]> writes:
> > Ivan Voras <[EMAIL PROTECTED]> wrote:
> > > As I understand it, sshd actually accepts connections
> > > prior to checking hosts.allow?
> >
> > Yes, the connection is accepted first, because there is
>
On Tue, May 31, 2005 at 11:54:25AM -0400, Lowell Gilbert wrote:
> Oliver Fromme <[EMAIL PROTECTED]> writes:
>
> > Ivan Voras <[EMAIL PROTECTED]> wrote:
>
> > > As I understand it, sshd actually accepts connections
> > > prior to checking hosts.allow?
> >
> > Yes, the connection is accepted fi
Oliver Fromme <[EMAIL PROTECTED]> writes:
> Ivan Voras <[EMAIL PROTECTED]> wrote:
> > As I understand it, sshd actually accepts connections
> > prior to checking hosts.allow?
>
> Yes, the connection is accepted first, because there is
> no information available about it before it is accepted.
Ivan Voras <[EMAIL PROTECTED]> wrote:
> Igor Robul wrote:
> > Ivan Voras wrote:
> > > What I need it for: I'd like to allow ssh logins only from a specific
> > > TLD (by reverse lookup...) - maybe there's another way?
> >
> > /etc/hosts.allow
> > man 5 hosts_access
>
> How safe is it?
Hello Ivan,
Tuesday, May 31, 2005, 4:43:16 PM, you wrote:
> Is it possible to use ipfw to filter packets by domain name?
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?
you can use AllowUsers sshd_config directive
Ivan Voras <[EMAIL PROTECTED]> wrote:
> Is it possible to use ipfw to filter packets by domain name?
No. That would require the IPFW code to perform reverse
DNS lookups, which isn't really feasible.
(In theory you could write a small filter program that
receives the ssh setup packets via an IP
Igor Robul wrote:
> Ivan Voras wrote:
> > What I need it for: I'd like to allow ssh logins only from a specific
> > TLD (by reverse lookup...) - maybe there's another way?
>
> /etc/hosts.allow
> man 5 hosts_access
How safe is it? As I understand it, sshd actually accepts connections
prior to checking hos
Ivan Voras wrote:
> Is it possible to use ipfw to filter packets by domain name?
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?
/etc/hosts.allow
man 5 hosts_access
___
fre
Is it possible to use ipfw to filter packets by domain name?
What I need it for: I'd like to allow ssh logins only from a specific
TLD (by reverse lookup...) - maybe there's another way?
___
freebsd-stable@freebsd.org mailing list
http://lists.freeb
14 matches