I'm still working on a solution to my problem with my dynamic client.
I wandered into a suggested solution of having my friend register via a Dynamic DNS registry using a client (there are lots of them). This would of course give him a static hostname. But what is the best way to implement this with Shorewall? I was looking at the documentation and noticed that it doesn't say if you can put in a hostname instead of an IP (I know, contrary to sensibility - due to spoofing). Or would it be done another way (hosts/zone)?

Wayne King

/insert witty quote here/

---------------------------------------------
Wayne:

Maybe a VPN would be less trouble for the client? There may be a bit of a lag between DNS updates... Let me paint a picture: Connect, update dns, try access, not updated yet, wait, gain access, oops modem disconnected, get different ip, start over... This could get a bit annoying... What type of access is the client on? Check out the PPTP link at the site...

Jerry Vonau

admin@kiteflyer.com wrote:
> I'm still working on a solution to my problem with my dynamic client.
> I wandered into a suggested solution of having my friend register via a Dynamic
> DNS registry using a client (there are lots of them). This would of course give
> him a static hostname. But what is the best way to implement this with Shorewall?
> I was looking at the documentation and noticed that it doesn't say if you can
> put in a hostname instead of an IP (I know, contrary to sensibility - due to
> spoofing). Or would it be done another way (hosts/zone)?
>
> Wayne King
>
> /insert witty quote here/
>
> ---------------------------------------------
Folks -- host names in iptables rules don't do squat for the problem of dynamic IP addresses even if Shorewall did support them (see the FAQ for the reasons why Shorewall doesn't support host names). If you do place host names in iptables rules, the host names are converted to IP addresses WHEN THE iptables UTILITY PARSES THE RULES!!! So once you have started your firewall, changes in the IP addresses of remote hosts ARE NOT REFLECTED IN YOUR RULESET.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> admin@kiteflyer.com
> Sent: Sunday, February 24, 2002 2:25 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Host names in rules or???
>
> I'm still working on a solution to my problem with my dynamic client.
> I wandered into a suggested solution of having my friend register via a Dynamic
> DNS registry using a client (there are lots of them). This would of course give
> him a static hostname. But what is the best way to implement this with Shorewall?
> I was looking at the documentation and noticed that it doesn't say if you can
> put in a hostname instead of an IP (I know, contrary to sensibility - due to
> spoofing). Or would it be done another way (hosts/zone)?
>
> Wayne King
>
> /insert witty quote here/
>
> ---------------------------------------------
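Added example (not from the thread, and not Shorewall or iptables code): a drift check for the failure Tom describes, where a loaded rule stays pinned to the address a host name had at parse time. It assumes you keep a record of each host name and the address it resolved to when the rules were loaded; the names, addresses, sample `iptables -S` output and the helpers `resolve_live`, `resolve_sample` and `check_drift` are all constructed for illustration.

```shell
#!/bin/sh
# Added example. All names and addresses below are constructed.

# What `iptables -S INPUT` shows after rules were loaded with host names as
# sources: only the addresses the names had at parse time remain.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 25 -j ACCEPT'

# Assumed record kept at load time: "hostname address-it-resolved-to".
SAMPLE_MAP='friend.example.net 203.0.113.10
mail.example.net 198.51.100.7'

# Live resolver: first IPv4 address from the system resolver.
resolve_live() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }

# Constructed resolver standing in for DNS after the friend's lease changed.
resolve_sample() {
    case $1 in
        friend.example.net) echo 203.0.113.99 ;;
        mail.example.net)   echo 198.51.100.7 ;;
    esac
}

# check_drift RULES MAP RESOLVER
# Prints one STALE line per loaded rule that is still pinned to an address
# its host name no longer resolves to, and UNRESOLVED for names with no answer.
check_drift() {
    rules=$1 resolver=$3
    printf '%s\n' "$2" | while read -r name old; do
        if [ -z "$name" ]; then continue; fi
        new=$("$resolver" "$name")
        if [ -z "$new" ]; then echo "UNRESOLVED $name"; continue; fi
        if [ "$new" = "$old" ]; then continue; fi
        printf '%s\n' "$rules" | grep -F -- "-s $old/32 " |
            while IFS= read -r rule; do
                echo "STALE $name $old -> $new: $rule"
            done
    done
}

check_drift "$SAMPLE_RULES" "$SAMPLE_MAP" resolve_sample
```

On a live firewall, pass the output of `iptables -S` and `resolve_live` instead of the sample values; a STALE line means the ruleset must be reloaded before the new address is matched.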
> Wayne:
>
> Maybe a VPN would be less trouble for the client?

I'm looking at all my options, but it's looking that way. I'm not looking forward to it - see the note I just got from him:

"Wayne, I went to sign up with this company after Bill sent me a msg.. The computer came back and gave me the following msg.: Error: Cookies Disable. ????????"

It's amazing ain't it?

Wayne King

/insert witty quote here/

---------------------------------------------
On Sun, 24 Feb 2002, Tom Eastep wrote:
> Folks -- host names in iptables rules don't do squat for the problem of
> dynamic IP addresses even if Shorewall did support them (see the FAQ for
> the reasons why Shorewall doesn't support host names). If you do place
> host names in iptables rules, the host names are converted to IP
> addresses WHEN THE iptables UTILITY PARSES THE RULES!!! So once you have
> started your firewall, changes in the IP addresses of remote hosts ARE
> NOT REFLECTED IN YOUR RULESET.

The other issue is that NONE of the dynamic DNS providers properly handle reverse DNS queries (i.e. IP address -> domain name). The problem is that the reverse DNS maps (i.e. the in-addr.arpa tables) are controlled by the ISP that "owns" the address block.

-Mark Ganzer