Hi.
On Tue, 20 Jan 2009 17:18:45 -0500, Warren Togami wrote:

> * This is inconsistent with iptables. "iptables -A INPUT -p tcp --dport 22 -s badhost.example.com -j REJECT"
> might also fail to reject an incoming connection under similar DNS-related conditions.
> It would be clearly wrong for sshd to second-guess and parse iptables
> rules, and make its own decision based on its own reverse DNS query
> matching hostnames found in those iptables rules. Why is it OK to
> second-guess tcp wrappers but not iptables?

Wait a second. iptables does not support hostnames the same way
tcpwrappers does. The userspace component may, but name resolution is
done on rule creation, not on rule matching later on.
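To make the distinction in the reply concrete, here is an added simulation (not code from the thread or from either project) of the two models: an iptables-style rule resolves the hostname once at rule creation and then matches on addresses only, while a tcp_wrappers-style rule keeps the hostname and does a reverse lookup of the peer on every connection. The DNS table, the hostname and the addresses are constructed for the example.

```python
# Constructed DNS view: hostname -> addresses. Mutated below to simulate a record change.
dns = {"badhost.example.com": ["192.0.2.10"]}


def resolve(name):
    """Forward lookup against the constructed table (empty list = NXDOMAIN)."""
    return list(dns.get(name, []))


def reverse(addr):
    """Reverse lookup against the constructed table (PTR-style answer)."""
    return [name for name, addrs in dns.items() if addr in addrs]


class IptablesRule:
    """Model of 'iptables -s hostname': resolved when the rule is created.
    Real iptables refuses the rule if the name does not resolve; mirrored here."""

    def __init__(self, hostname):
        addrs = resolve(hostname)
        if not addrs:
            raise ValueError(f"host/network '{hostname}' not found")
        self.addrs = set(addrs)  # the hostname itself is not kept

    def matches(self, peer_addr):
        return peer_addr in self.addrs


class WrappersRule:
    """Model of a tcp_wrappers hostname pattern: the peer is reverse-resolved at
    connection time, then forward-checked so a forged PTR alone does not match."""

    def __init__(self, hostname):
        self.hostname = hostname

    def matches(self, peer_addr):
        return any(name == self.hostname and peer_addr in resolve(name)
                   for name in reverse(peer_addr))


def demo():
    """Returns (ipt, wrap) match results before and after badhost changes address."""
    ipt, wrap = IptablesRule("badhost.example.com"), WrappersRule("badhost.example.com")
    before = (ipt.matches("192.0.2.10"), wrap.matches("192.0.2.10"))
    dns["badhost.example.com"] = ["192.0.2.11"]  # constructed: record changes later
    old_addr = (ipt.matches("192.0.2.10"), wrap.matches("192.0.2.10"))
    new_addr = (ipt.matches("192.0.2.11"), wrap.matches("192.0.2.11"))
    return before, old_addr, new_addr


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False), (False, True))
```

The iptables model keeps rejecting the stale address and lets the new one through, while the wrappers model follows the current DNS answer; a lookup failure at connection time likewise turns into a non-match only in the wrappers model.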