[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Jul 9 03:50:29 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=616

--- Comment #6 from Phil Oester <netfilter at linuxace.com> 2013-07-09 03:50:27 CEST ---
Yes, I fully understand what is happening in the one specific example you have
provided.  However you need to answer what happens if Cloudmark suddenly
decides to add an IP _OUTSIDE_ of that /22 that is assigned to them.  Let's say
they open a new datacenter using subnet 1.2.3.0/24.  Your rule will now allow
1.2.0.0/22 even though they don't necessarily own that entire /22.  And you
won't even know about this change because of how you have specified a DNS name
with a CIDR mask (unless you happen to look at iptables -nvL output someday).

My point remains: what you are doing is inherently dangerous, and not something
which should be promoted as "good firewall policy".

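As an added example (not from the bug report or from the netfilter project), a small Python audit that makes the comment's point concrete: a rule written as `name/22` is installed as whatever the name resolved to at load time with the mask applied, the name itself is not recorded, and nothing flags it when the resolution later changes. The `iptables -S` output, the `mx.example.net` name, the name-to-rule mapping and the resolution table are all constructed stand-ins so the example runs offline.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed "iptables -S" output for this example. Note that once loaded, a
# rule records only the masked network, not the DNS name it was built from.
IPTABLES_S = """\
-A INPUT -s 1.2.0.0/22 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
"""

# Hypothetical operator-kept record of which loaded rule came from which name,
# since the kernel no longer knows (constructed).
NAME_FOR_RULE = {"1.2.0.0/22": "mx.example.net"}

# Constructed stand-in for a fresh DNS lookup so the example runs offline.
CURRENT_RESOLUTION = {"mx.example.net": ["1.2.3.4", "5.6.7.8"]}

def effective_network(resolved_ip: str, prefix_len: int):
    """The network iptables installs for name/prefix: the address the name
    resolved to at load time, with the mask applied (host bits dropped)."""
    return ipaddress.ip_network(f"{resolved_ip}/{prefix_len}", strict=False)

def source_networks(iptables_s: str) -> List[str]:
    """Pull the -s argument out of every rule line."""
    return re.findall(r"-s (\S+)", iptables_s)

def rule_drift(loaded_network: str, current_ips: Iterable[str]) -> Dict:
    """Compare a loaded network against what the name resolves to now."""
    net = ipaddress.ip_network(loaded_network, strict=False)
    ips = [ipaddress.ip_address(ip) for ip in current_ips]
    covered = [ip for ip in ips if ip in net]
    return {
        # addresses the name now has that the loaded rule silently misses
        "uncovered": [str(ip) for ip in ips if ip not in net],
        # addresses the mask admits beyond the ones the name actually has
        "extra_hosts_allowed": net.num_addresses - len(covered),
    }

def audit(iptables_s: str, name_for_rule: Dict[str, str],
          resolution: Dict[str, List[str]]) -> Dict[str, Dict]:
    """Drift report for every rule that was generated from a DNS name."""
    report = {}
    for src in source_networks(iptables_s):
        name = name_for_rule.get(src)
        if name is None:
            continue  # plain CIDR rule, nothing to compare against
        report[src] = dict(name=name, **rule_drift(src, resolution.get(name, [])))
    return report
```

Running `audit(IPTABLES_S, NAME_FOR_RULE, CURRENT_RESOLUTION)` reports that the /22 rule now misses 5.6.7.8 while still admitting 1023 addresses the name never resolved to.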