
Re: Feature Needed: Passthrough for destanation domain name (CP): msg#00000

security.firewalls.m0n0wall.devel

Subject: Re: Feature Needed: Passthrough for destanation domain name (CP)

Alex M wrote:
Also, I set my company's IP (which for sure has only one IP) and when I typed
the name it didn't allow me to go through. There is a definite need to add
Domain Pass-through!



Do you use m0n0 as your DNS forwarder? You probably couldn't get through to the web site because the unauthenticated client was not allowed to contact the DNS server, but that's just a guess.

Adding the feature you describe is probably not as easy as it sounds. The packet filter does not do DNS lookups, so you would have to expand the code so that ANY request from an unauthenticated client first gets checked against the allowed hostnames, THEN the firewall would have to resolve the hostname and dynamically set a rule to allow the result of the DNS lookup, since IPs change (dynamic, round robin, you name it). After that, for security reasons, the dynamically generated rule would probably have to be deleted, so that a future DNS change does not allow the wrong traffic out and the ruleset does not grow too much. Not a cut-and-dry thing.

Sven
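
The design sketched in the reply above (check the hostname against an allowlist, resolve it, install a temporary IP rule, drop the rule again) can be modelled as follows. This is an added example, not part of the original message and not m0n0wall code; the class name, the injected `resolver` callable, the `max_rules` cap and the DNS records are assumptions constructed for illustration.

```python
import time

class HostnamePassthrough:
    """Model only: allowed hostname -> DNS answer -> short-lived per-IP allow rule."""

    def __init__(self, allowed_hosts, resolver, max_rules=64, clock=time.monotonic):
        self.allowed = {h.lower().rstrip(".") for h in allowed_hosts}
        self.resolver = resolver    # hypothetical: hostname -> (list_of_ips, ttl_seconds)
        self.max_rules = max_rules  # bounds ruleset growth
        self.clock = clock
        self.rules = {}             # dst ip -> (expiry time, hostname that justified it)

    def expire(self):
        """Delete rules whose DNS answer has aged out; return the removed IPs."""
        now = self.clock()
        stale = [ip for ip, (exp, _) in self.rules.items() if exp <= now]
        for ip in stale:
            del self.rules[ip]
        return stale

    def refresh(self, hostname):
        """Resolve an allowlisted name and install rules valid for the answer's TTL."""
        name = hostname.lower().rstrip(".")
        if name not in self.allowed:
            return []               # names off the allowlist are never resolved
        self.expire()
        ips, ttl = self.resolver(name)
        expiry, added = self.clock() + ttl, []
        for ip in ips:
            if ip not in self.rules and len(self.rules) >= self.max_rules:
                break               # refuse to grow past the cap
            self.rules[ip] = (expiry, name)
            added.append(ip)
        return added

    def permits(self, dst_ip):
        self.expire()
        return dst_ip in self.rules

def demo():
    """Constructed scenario: the host's address changes after the first lookup."""
    now = [0.0]
    records = {"intranet.example.com": (["192.0.2.10"], 300)}  # constructed DNS data
    gw = HostnamePassthrough(records, lambda h: records[h], clock=lambda: now[0])
    gw.refresh("intranet.example.com")
    allowed_first = gw.permits("192.0.2.10")
    records["intranet.example.com"] = (["198.51.100.7"], 300)  # DNS change
    now[0] = 301.0                                             # old answer has expired
    old_ip_blocked = not gw.permits("192.0.2.10")
    gw.refresh("intranet.example.com")
    return allowed_first, old_ip_blocked, gw.permits("198.51.100.7")
```
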

