Re: [suse-security] ipchains-rule to deny a special domain -didn't work :(
In case u wanted to restrict access from a certain domain name.... ipchains doesn't accept domain names for -s or -d afaik. At least, I couldn't get a rule like

ipchains -A input -s *.nz -d 123.123.123.123 -j DENY

to work :(

  .-.
  /v\    L I N U X
 // \\  >Phear the Penguin<
/(   )\
 ^^-^^
christian.burri@synecta.ch wrote:
In case u wanted to restrict access from a certain domain name.... ipchains doesn't accept domain names for -s or -d afaik. At least, I couldn't get a rule like
ipchains -A input -s *.nz -d 123.123.123.123 -j DENY
to work :(
Redirect all http traffic to a host running squid. Only this one should be allowed to connect to http servers.

Martin
--
martin.peikert@innominate.com
innominate AG
the linux architects
tel: +49-30-308806-0 fax: -77
http://www.innominate.com
Hi,
In case u wanted to restrict access from a certain domain name.... ipchains doesn't accept domain names for -s or -d afaik. At least, I couldn't get a rule like
ipchains -A input -s *.nz -d 123.123.123.123 -j DENY
I really suggest you read up on networking. The Linux documents are a good start. Ipchains does accept domain names but it's not a good idea to use them. The name you have tried to use is not a domain name. It's an attempt to glob a domain, which will not work with any network application.

I presume you were trying to map .nz to a subnet aaa.bbb.ccc.ddd/nn. First of all, domain space does not map to subnets. It is quite possible to have a domain with all its hosts scattered in different subnets. You need a DNS zone transfer to identify all the hosts in a domain, and if you try that an aware administrator may finger you as a potential threat. You can map a host from its fully qualified domain name (FQDN) to one or more IP addresses. Using the FQDN in ipchains will return just one address.

You may be getting confused with proxy configuration. This is quite different. Firewalls work on the IP address; proxies can work on the text string sent by the calling application. This makes *.nz perfectly valid for configuring, say, a web proxy.

HTH
John
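The two points made in the reply above (a domain's hosts do not sit in one subnet, and a proxy matches on the name while a packet filter matches on addresses), worked through as an added example that is not part of the thread. The host names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges) standing in for DNS
# answers; names and addresses are illustrative, not real records.
RECORDS = {
    "www.example.nz":  ["192.0.2.10", "203.0.113.7"],  # one name, two addresses
    "mail.example.nz": ["198.51.100.25"],              # same domain, other subnet
    "www.example.com": ["198.51.100.80"],              # unrelated name, same subnet
}

def proxy_matches(host, suffix):
    """Name-based match, as a proxy can do it: '.nz' matches any host under nz."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return host == suffix.lstrip(".") or host.endswith(suffix)

def filter_addresses(names, records):
    """What a packet filter needs instead: every address behind the given FQDNs."""
    return sorted({ipaddress.ip_address(a) for n in names for a in records[n]})

def covering_subnet(addresses):
    """Smallest single CIDR block that contains all the given addresses."""
    net = ipaddress.ip_network(f"{addresses[0]}/32")
    while not all(a in net for a in addresses):
        net = net.supernet()
    return net

def collateral(net, records, suffix):
    """Names outside the suffix whose addresses a rule for `net` would also hit."""
    return sorted(
        name for name, addrs in records.items()
        if not proxy_matches(name, suffix)
        and any(ipaddress.ip_address(a) in net for a in addrs)
    )

if __name__ == "__main__":
    nz_names = [n for n in RECORDS if proxy_matches(n, ".nz")]
    addrs = filter_addresses(nz_names, RECORDS)
    net = covering_subnet(addrs)
    print("names matched by suffix  :", nz_names)
    print("per-address filter rules :", [f"{a}/32" for a in addrs])
    print("single covering subnet   :", net)
    print("unrelated hosts inside it:", collateral(net, RECORDS, ".nz"))
```

The per-address list is only as complete as the names you already know, while the one subnet that covers them all is wide enough to catch unrelated hosts.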
participants (3)
- christian.burri@synecta.ch
- John Trickey
- Martin Peikert