[Ferm] @ipfilter on FQDNs or so

Marc Haber mh+ferm at zugschlus.de
Thu Jun 13 17:43:02 CEST 2013


Hi,

On Thu, Jun 13, 2013 at 02:43:10PM +0200, Kiss Gabor (Bitman) wrote:
> I often use FQDNs instead of IP addresses. Ferm passes them unchanged
> to iptables/ip6tables that do the actual work of resolving names.

Hm. So it would be better to have ferm do the work of resolving. While
we're at it, it would be nice to have ferm write host names and IP
addresses to a small (SQLite?) database so that it can issue warnings
if the DNS has changed. This reduces the risk of using the (still
insecure) DNS as input for the packet filter.

> A more realistic example from my practice:
> domain ip {
>     @def $is_ipv4 = 1;
>     table filter {
> 	@include 'monitor.ferm';
> 	chain INPUT {
> 		# monitoring
> 		jump ACCEPT_MONITOR;
> ...
> 	}
> ...
>     }
> }
> 
> domain ip6 {
>     @def $is_ipv6 = 1;
>     table filter {
> 	@include 'monitor.ferm';
> 	chain INPUT {
> 		# monitoring
> 		jump ACCEPT_MONITOR;
> ...
> 	}
> ...
>     }
> }
> 
> File monitor.ferm:
> # Common ip/ip6 include
> 
> chain ACCEPT_MONITOR {
>     ACCEPT saddr (host1.example.com host2.example.com) {
> 	proto tcp mod multiport destination-ports (munin 5666);
> 	proto udp mod multiport destination-ports (ntp snmp);
>     }
>     @if "$is_ipv4"  ACCEPT saddr (host3.example.com) {
> 	proto tcp mod multiport destination-ports (munin 5666);
> 	proto udp mod multiport destination-ports (ntp snmp);
>     }
> }

Ouch. This is _very_ ugly.

> I wonder if somebody could implement this feature.

If somebody would point me towards the code point where a host name
could be written, I can try. I have a bit of experience with DNS and
database programming in perl.

> A flaw of ip6tables related to FQDNs also inspires a workaround in Ferm.
> Iptables generates multiple rules if host has multiple A records.
> Meanwhile ip6tables (as of version 1.4.8) does not follow this practice
> but inserts a single rule even if host has several AAAA records.

So it only generates a rule for the first AAAA record returned?

> So it would be the very satisfying solution if Ferm could resolve names itself.

It would, in my opinion.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062
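The thread above sketches three things ferm could do if it resolved names itself: look up every A and AAAA record, emit one rule per address (so a host with several AAAA records is not collapsed into a single ip6 rule), and warn when the answers differ from a stored snapshot. The following is an added illustration of that logic in Python; it is not ferm's code or anything from the list, the hosts, addresses and ports are constructed, and the snapshot is a plain dict (a JSON or SQLite store would be used the same way).

```python
import ipaddress
import socket

# Constructed stand-in for DNS answers; hypothetical hosts, not from the list.
SAMPLE_DNS = {
    "host1.example.com": ["192.0.2.10", "2001:db8::10"],
    "host2.example.com": ["192.0.2.20", "192.0.2.21",
                          "2001:db8::20", "2001:db8::21"],
}


def resolve_all(name, lookup=None):
    """Return every A and AAAA address of name as a sorted list of strings.
    lookup(name) -> iterable of address strings; defaults to getaddrinfo."""
    if lookup is None:
        lookup = lambda n: {ai[4][0] for ai in socket.getaddrinfo(n, None)}
    addrs = {str(ipaddress.ip_address(a)) for a in lookup(name)}
    # Sort IPv4 before IPv6, then numerically, so snapshots compare stably.
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                        int(ipaddress.ip_address(a))))


def expand_rules(hosts, ports, lookup=None):
    """Emit one ferm-style ACCEPT rule per (address, port spec), split by
    domain, so multiple AAAA records each get their own ip6 rule."""
    rules = {"ip": [], "ip6": []}
    for host in hosts:
        for addr in resolve_all(host, lookup):
            fam = "ip" if ipaddress.ip_address(addr).version == 4 else "ip6"
            for proto, plist in ports:
                rules[fam].append(f"saddr {addr} proto {proto} mod multiport "
                                  f"destination-ports ({plist}) ACCEPT;")
    return rules


def dns_changes(snapshot, hosts, lookup=None):
    """Compare current answers with snapshot {host: [addrs]}.
    Returns (warnings, updated_snapshot); a host missing from the
    snapshot is recorded silently, a changed answer yields a warning."""
    warnings, current = [], {}
    for host in hosts:
        now = resolve_all(host, lookup)
        current[host] = now
        before = snapshot.get(host)
        if before is not None and list(before) != now:
            warnings.append(f"{host}: DNS changed {before} -> {now}")
    return warnings, current


if __name__ == "__main__":
    sample = lambda n: SAMPLE_DNS[n]
    ports = [("tcp", "munin 5666"), ("udp", "ntp snmp")]
    for fam, lines in expand_rules(SAMPLE_DNS, ports, sample).items():
        print(fam, *lines, sep="\n  ")
    print(dns_changes({"host1.example.com": ["192.0.2.99"]}, SAMPLE_DNS, sample)[0])
```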

