httpd-dev mailing list archives

From Justin Erenkrantz <jerenkra...@apache.org>
Subject Re: [PATCH] Deny when reverse lookup fails
Date Sun, 06 Oct 2002 23:14:05 GMT
--On Friday, October 4, 2002 10:13 AM -0400 Joshua Slive <joshua@slive.ca> 
wrote:

> If I understand you correctly, that would be a major change to current
> behavior.  I believe that people expect a configuration like
>
> deny from .badguy.com
>
> to allow access from unknown IP addresses (IP addresses that have no
> reverse lookup).  Obviously, this is not at all secure, but that is how
> it has always been, and it is the way I would expect it to work.

Yes and no.  If I control badguy.com and know that you're denying me based 
on that, I could remove the reverse mapping from my domain and then I can 
get in.  So, yes, host-based denial is insecure and has almost no hope of 
true success.

Perhaps we could create a config option that allows for double reverse 
failures on denials to proceed.  But, I think it is worth it to reevaluate 
what we're doing now...  -- justin
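
The two behaviours discussed in this thread, as an added Python model that is not part of the original message and is not Apache httpd code: a hostname-based deny rule evaluated with lookup failures allowed through, and with lookup failures denied. The function names, the `deny_on_lookup_failure` switch, the plain suffix match and the DNS tables are assumptions made for the illustration.

```python
# Simplified model of a hostname-based "deny from" decision.
# Not Apache httpd source; all addresses, names and DNS data are constructed.

PTR = {  # constructed reverse zone: IP -> hostname
    "192.0.2.10": "mail.badguy.com",
    "198.51.100.7": "www.example.org",
    "203.0.113.5": "host.example.org",  # PTR the forward zone does not confirm
}
A = {  # constructed forward zone: hostname -> set of IPs
    "mail.badguy.com": {"192.0.2.10"},
    "www.example.org": {"198.51.100.7"},
    "host.example.org": {"198.51.100.99"},
}


def double_reverse(ip):
    """Return the hostname for ip only if PTR exists and its A record maps back."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, set()):
        return None  # missing PTR or mismatch: the client's name is unknown
    return name


def access(ip, deny_suffix, deny_on_lookup_failure):
    """Decide 'allow' or 'deny' for a rule such as: deny from .badguy.com

    deny_on_lookup_failure=False models letting unknown clients proceed;
    deny_on_lookup_failure=True models denying when the lookup fails.
    """
    name = double_reverse(ip)
    if name is None:
        return "deny" if deny_on_lookup_failure else "allow"
    return "deny" if name.lower().endswith(deny_suffix.lower()) else "allow"


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.99", "203.0.113.5", "198.51.100.7"]
    for fail_closed in (False, True):
        print("deny_on_lookup_failure =", fail_closed)
        for ip in clients:
            verdict = access(ip, ".badguy.com", fail_closed)
            print(f"  {ip:<14} {double_reverse(ip) or '(unknown)':<18} {verdict}")
```

Only the clients whose name cannot be verified change verdict between the two runs; a client with a confirmed name outside the denied domain is allowed in both.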
