Hostname-based filtering?

Brian Somers brian at Awfulhak.org
Thu Jul 15 10:14:48 BST 2004


On Thu, 15 Jul 2004 09:52:37 +0100 (BST), "Jonathan Belson" <jon at witchspace.com> wrote:
> Hiya
> 
> > This is impossible at the IP, TCP, UDP layers.  It is possible at the
> > application layer (read HTTP or SMTP or whatever), but only if the
> > application layer supports it.
> 
> It works quite well for something that's impossible :-)
> 
> I don't know that much about Borderware kit, but I know that the server I'm
> accessing is connected to one of the auxiliary ports of the Borderware
> firewall.  The BW box has been configured to pass certain traffic [1] to
> the auxiliary server when I use a particular hostname.  The forwarding
> doesn't occur when I try to access the machine by IP, or via an alias.
> 
> [1] In this case it's traffic to and from our source code repository, but
> it seems you can do the same trick for any port.

There is no hostname visibility in IP traffic, nor in TCP/UDP - only IP number
visibility, so either you're filtering based on IP numbers or you're filtering
at the application layer.

Think about it - if you ``access the machine'' by name, a local name lookup is
done to turn that into a number and the connection is made.  If you access it
by IP, the name lookup is avoided, but the traffic passed is exactly the same.
The only way this can change is if the application puts the name in the payload
and the firewall is smart enough to understand that payload and NAT based on it.

> Cheers,
> 
> --Jon

-- 
Brian <brian at Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !




More information about the Ukfreebsd mailing list