[Ferm] @ipfilter on FQDNs or so
Marc Haber
mh+ferm at zugschlus.de
Fri Jun 14 17:24:03 CEST 2013
On Thu, Jun 13, 2013 at 07:15:18PM +0200, Kiss Gabor (Bitman) wrote:
> > > A more realistic example from my practice:
>
> > Ouch. This is _very_ ugly.
>
> Don't panic. I show just a simplified version. :-)
>
> I'd happily study other peoples' complex firewall configuration
> if possible. I'd really learn better style. Unfortunately one can find
> zillion lines of code on the network in any programming language
> but firewall configs.
To make my firewall configs easier to read I would like to have ferm
without having to write @ipfilter all over the place. I might be in a
position to write my first decently sized dual stack packet filter in
the third quarter, and I would love to have ferm in a state to allow
this without being too ugly by then.
> > > A flaw of ip6tables related to FQDNs also inspires a workaround in Ferm.
> > > Iptables generates multiple rules if host has multiple A records.
> > > Meanwhile ip6tables (as of version 1.4.8) does not follow this practice
> > > but inserts a single rule even if host has several AAAA records.
> >
> > So it only generates a rule for the first AAAA record returned?
>
> Exactly.
Ouch. Unusable.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Phone: *49 621 31958061
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 31958062
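A dual-stack ferm ruleset, added here as an example (not from this thread and not from the ferm project), that sidesteps the ip6tables single-AAAA-record behaviour described above by letting ferm resolve both A and AAAA records at load time, so ip6tables receives literal addresses and one rule per record. The host admin.example.org, the SSH-only policy and the chain layout are assumptions.

```ferm
# Added example, not the thread's or ferm's own code.
# admin.example.org, the SSH-only policy and the chain layout are assumed.

# Resolve at config-load time. @resolve() returns A records by default;
# the second argument asks for AAAA records. Each call yields a list, and
# ferm emits one rule per list element, so every AAAA record gets a rule
# instead of only the first one.
@def $ADMIN_V4 = @resolve((admin.example.org));
@def $ADMIN_V6 = @resolve((admin.example.org), AAAA);
@def $ADMIN    = ($ADMIN_V4 $ADMIN_V6);

domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;

        # connection tracking first
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # loopback
        interface lo ACCEPT;

        # ICMP differs per family; ICMPv6 is required for neighbour discovery.
        # $DOMAIN is ferm's predefined variable for the current domain.
        @if @eq($DOMAIN, ip) {
            proto icmp ACCEPT;
        } @else {
            proto ipv6-icmp ACCEPT;
        }

        # @ipfilter() keeps only the addresses that belong to the current
        # domain, so one line serves both iptables and ip6tables.
        proto tcp dport ssh saddr @ipfilter($ADMIN) ACCEPT;
    }

    chain FORWARD policy DROP;
    chain OUTPUT policy ACCEPT;
}
```

Because @resolve() runs once when ferm loads the configuration, the ruleset must be reloaded whenever the host's DNS records change; a `ferm --noexec` dry run shows the expanded per-address rules before they are applied.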