Is it possible to use ipfw to filter packets by domain name?

What I need it for: I'd like to allow ssh logins only from a specific TLD (by reverse lookup...) - maybe there's another way?
Ivan Voras wrote:

> Is it possible to use ipfw to filter packets by domain name?
>
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

/etc/hosts.allow

man 5 hosts_access
Ivan Voras <ivoras@fer.hr> wrote:

> Is it possible to use ipfw to filter packets by domain name?

No. That would require the IPFW code to perform reverse DNS lookups, which isn't really feasible. (In theory you could write a small filter program that receives the ssh setup packets via an IPFW divert(4) rule. However, DNS lookups can take a significant amount of time which could probably interfere adversely with the TCP retransmission timeout of the setup (SYN) packets. But I could be wrong.)

> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

If there's a limited number of IP addresses or subnets within that TLD that you want to allow access, then use those addresses in IPFW rules.

Another way is to use the TCP wrapper, see hosts_access(5). However, be aware that this is working at a higher level than IPFW.

If you want to control logins to a single account only (which is under your control), you could use public-key authentication and put the TLD with your public key in the ~/.ssh/authorized_keys file, like this:

    from="*.org" ssh-dss ... <your key>

and disable password authentication altogether. Then you can only login with your private key _and_ from that TLD.

If it's not your own account and you don't trust the user, then change his ~/.ssh/authorized_keys file like above, and then set the system-immutable flags on the file _and_ on the directory ("chflags schg ..."). (Note that chmod and chown will not be sufficient, because the user can still rename the ~/.ssh directory and create a new one.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell
Hello Ivan,

Tuesday, May 31, 2005, 4:43:16 PM, you wrote:

> Is it possible to use ipfw to filter packets by domain name?
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

you can use AllowUsers sshd_config directive e.g.:

    AllowUsers user@*.domain.tld

or something like:

    AllowUsers user@111.111.111.*

I think this is possible too.

-- 
Sincerely, DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/ | FreeBSD - The Power to Serve!
On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:

> Is it possible to use ipfw to filter packets by domain name?
>
> What I need it for: I'd like to allow ssh logins only from a specific
> TLD (by reverse lookup...) - maybe there's another way?

Access control based on the reverse lookup of an IP address is a dangerous idea in general. Anyone who manages their own reverse DNS could bypass the security simply by creating a DNS entry. If someone controls the in-addr.arpa zone for a particular IP range, they can make those IPs resolve with any FQDN they want, even with domains they don't own.

Bruce Nikkel
# bruce@nikkel.com / 2005-05-31 19:48:33 +0200:

> On Tue, May 31, 2005 at 04:43:16PM +0200, Ivan Voras wrote:
> > Is it possible to use ipfw to filter packets by domain name?
> >
> > What I need it for: I'd like to allow ssh logins only from a specific
> > TLD (by reverse lookup...) - maybe there's another way?
>
> Access control based on the reverse lookup of an IP address is a
> dangerous idea in general. Anyone who manages their own reverse DNS
> could bypass the security simply by creating a DNS entry. If someone
> controls the in-addr.arpa zone for a particular IP range, they can make
> those IPs resolve with any FQDN they want, even with domains they don't
> own.

When you look at it from the "right" angle, dns actually involves NO ip addresses (except nothing else makes sense in NS RRs (Resource Records)). All you have is FQDN -> value mappings. In the case of PTR RRs (so-called "reverse dns"), the domain name is D.C.B.A.in-addr.arpa. for an IP address of A.B.C.D (that association is basically by convention :). The value could be "my grandma is 78 years old" FWIW.

Again, there's really nothing special about the in-addr.arpa. domain: in-addr is a subdomain of arpa just like freebsd is a subdomain of org, and both org and arpa are children of the nameless root, which is the empty string to the right of the last dot (often implied) in each dns record: "www.freebsd.org" is actually a shorthand for "www.freebsd.org.".

The problem can be mitigated by checking whether there's a corresponding A or CNAME RR, IOW whether D.C.B.A.in-addr.arpa. -> whatever.example.org. -> A.B.C.D (this kind of check is quite common in MTA configurations).

To bring this back closer to the topic: I know for a fact that pf (in OpenBSD at least) accepts hostnames instead of addresses, but you better make sure your resolv.conf is in good shape, and it resolves the names when it *loads* the rule (you need to be passing dns traffic at that point). But this still isn't what the OP asked for... sorry.
-- How many Vietnam vets does it take to screw in a light bulb? You don't know, man. You don't KNOW. Cause you weren't THERE. http://bash.org/?255991
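The two replies above make the same point from opposite sides: Bruce's, that a PTR record alone is attacker-controlled whenever the attacker runs the in-addr.arpa zone, and the follow-up's, that the usual mitigation is to require the PTR name to resolve forward back to the same address (forward-confirmed reverse DNS). The following Python is an added example written for this page, not code from the thread or from any of the posters. It implements that forward/reverse consistency check with the resolver functions injected, so it runs offline against constructed sample records (192.0.2.10, 198.51.100.7, 203.0.113.5 and host1.example.org are documentation-range addresses and a made-up name); the socket-based defaults do real lookups. The shell-style pattern matching in `allowed_by_name` is an assumption chosen for the example, not a reproduction of how sshd's `from=` or tcp-wrappers match host names.

```python
# Added example (not from the thread): forward-confirmed reverse DNS (FCrDNS).
# A PTR record alone proves nothing, because whoever controls the in-addr.arpa
# zone for an address range can put any name in it. Requiring that the name
# found via PTR resolves forward (A/AAAA) back to the same address, as the
# reply above describes for MTA configurations, rejects a forged PTR unless
# the attacker also controls the forward zone of the claimed domain.
# Resolver functions are injected so the logic runs offline against the
# constructed tables below; the socket-based defaults do real lookups.
import fnmatch
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def default_ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def default_addr_lookup(name: str) -> Set[str]:
    """Real forward lookup (A and AAAA) via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, OSError):
        return set()


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], Optional[str]] = default_ptr_lookup,
           addr_lookup: Callable[[str], Set[str]] = default_addr_lookup) -> Optional[str]:
    """Return the forward-confirmed host name for ip, or None.

    The name is only accepted when one of its forward addresses is exactly
    the address we started from; a PTR whose name points elsewhere is a
    forgery or a stale record and is treated as "no name".
    """
    name = ptr_lookup(ip)
    if not name:
        return None
    wanted = ipaddress.ip_address(ip)
    for addr in addr_lookup(name):
        try:
            # strip an IPv6 scope id ("%eth0") before parsing
            if ipaddress.ip_address(addr.split("%")[0]) == wanted:
                return name.rstrip(".").lower()
        except ValueError:
            continue  # unparsable address in the answer: ignore it
    return None


def allowed_by_name(ip: str, patterns: Iterable[str],
                    ptr_lookup: Callable[[str], Optional[str]] = default_ptr_lookup,
                    addr_lookup: Callable[[str], Set[str]] = default_addr_lookup) -> bool:
    """Does ip's forward-confirmed name match any shell-style pattern (e.g. '*.org')?

    fnmatch-style matching is an assumption made for this example, not a
    reproduction of sshd's or tcp-wrappers' matching rules. Without a
    confirmed name the answer is always False (fail closed).
    """
    name = fcrdns(ip, ptr_lookup, addr_lookup)
    if name is None:
        return False
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


# Constructed sample zone data (documentation-prefix addresses, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "host1.example.org.",    # honest PTR: forward record agrees
    "198.51.100.7": "host1.example.org.",  # forged PTR from a zone the attacker runs
    "203.0.113.5": None,                   # no PTR at all
}
SAMPLE_FORWARD = {
    "host1.example.org": {"192.0.2.10"},
}


def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_addr(name: str) -> Set[str]:
    return SAMPLE_FORWARD.get(name.rstrip(".").lower(), set())


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, reverse_name(ip), fcrdns(ip, sample_ptr, sample_addr),
              allowed_by_name(ip, ["*.org"], sample_ptr, sample_addr))
```

Run against the sample tables, only 192.0.2.10 is accepted: 198.51.100.7 carries the same PTR name but host1.example.org does not resolve back to it, and 203.0.113.5 has no PTR at all, so both fail closed. The check narrows the attack Bruce describes to attackers who control the forward zone of the domain they claim, which is why it is a reasonable addition to a tcp-wrappers or sshd host-pattern rule but, as the thread says, still no substitute for key-based authentication or explicit address lists.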