[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
bugzilla-daemon at netfilter.org
Tue Jul 9 03:50:29 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=616
--- Comment #6 from Phil Oester <netfilter at linuxace.com> 2013-07-09 03:50:27 CEST ---
Yes, I fully understand what is happening in the one specific example you have
provided. However, you need to answer what happens if Cloudmark suddenly
decides to add an IP _OUTSIDE_ of that /22 that is assigned to them. Let's say
they open a new datacenter using subnet 1.2.3.0/24. Your rule will now allow
1.2.0.0/22 even though they don't necessarily own that entire /22. And you
won't even know about this change because of how you have specified a DNS name
with a CIDR mask (unless you happen to look at iptables -nvL output someday).
My point remains: what you are doing is inherently dangerous, and not something
which should be promoted as "good firewall policy".
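As an added illustration (not part of the bug report or of the netfilter code), the Python below computes the network a `-s hostname/22` rule installs from each address the name resolves to at load time, and audits those networks against the netblock assumed to belong to the remote party; the hostname answers and the assigned block are constructed values.

```python
from ipaddress import ip_network

# Constructed data: the netblock assumed to be assigned to the remote party,
# and two hypothetical DNS answers for its hostname, before and after that
# party brings up a new address outside the block.
ASSIGNED = [ip_network("1.2.0.0/22")]
RESOLVED_BEFORE = ["1.2.1.10"]
RESOLVED_AFTER = ["1.2.1.10", "203.0.113.5"]   # second address lies outside the /22

def rule_networks(resolved_ips, prefix):
    """Networks a `-s hostname/prefix` rule installs at load time: each address
    the name resolves to, masked to the prefix, deduplicated (a multi-homed
    name yields one rule per distinct network)."""
    nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in resolved_ips}
    return sorted(nets, key=lambda n: (n.version, n))

def unassigned_ranges(rule_nets, assigned):
    """Address ranges the installed rules admit that lie outside every
    assigned block, i.e. what the firewall allows without anyone noticing."""
    leftover = list(rule_nets)
    for block in assigned:
        nxt = []
        for net in leftover:
            if not net.overlaps(block):
                nxt.append(net)                 # block says nothing about this net
            elif net.subnet_of(block):
                continue                        # fully covered, nothing to report
            else:
                nxt.extend(net.address_exclude(block))  # keep the uncovered part
        leftover = nxt
    return sorted(leftover, key=lambda n: (n.version, n))

def audit(resolved_ips, prefix, assigned=ASSIGNED):
    """Ranges admitted by the hostname/prefix rule but not assigned to the peer."""
    return unassigned_ranges(rule_networks(resolved_ips, prefix), assigned)

if __name__ == "__main__":
    for label, answers in (("before", RESOLVED_BEFORE), ("after", RESOLVED_AFTER)):
        print(label, "rules:", [str(n) for n in rule_networks(answers, 22)],
              "unassigned:", [str(n) for n in audit(answers, 22)])
```

Running `audit` against the current `iptables -nvL` output after each rule reload is the check the comment alludes to: once the name resolves to an address outside the assigned block, the whole surrounding /22 shows up as unassigned.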