You can supply
hostnames instead of
IP addresses in
your firewall rules. If DNS reports multiple IP addresses for that
hostname, a separate rule will be created for each IP address. For
example, www.yahoo.com has (at
this writing) 11 IP addresses:
$ host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.125.68
www.yahoo.akadns.net has address 64.58.76.227
...
So you could block access to Yahoo, for example, and view the results
by:
iptables:
# iptables -A OUTPUT -d www.yahoo.com -j REJECT
# iptables -L OUTPUT
ipchains:
# ipchains -A output -d www.yahoo.com -j REJECT
# ipchains -L output
Security experts recommend that you use only IP addresses in your
rules, not hostnames, since an attacker could poison your DNS and
circumvent rules defined for hostnames. However, the hostnames are
relevant only at the moment you run iptables or
ipchains to define a rule, as the program looks up
the underlying IP addresses immediately and stores them in the rule.
So you could conceivably use hostnames for convenience when defining
your rules, then check the results (via the output of
iptables-save
or ipchains-save
[Recipe 2.19]) to confirm the IP addresses.
|