Very Computer

Is the only solution, to run dig every once and awhile and make sure
that I have all of the latest ip addresses included in the filter,
instead of relying on 'mail.myisp.com' in the script?

How do other firewall systems get around this issue (Zone alarm,NIS
2003)?

Quote:>Whenever my isp changes or adds an ip address to the list of mail
>servers I cannot connect to the server.  In my rules I have put
>'mail.myisp.com' as the smtp server and the pop3 server but
>occassionally I still cannot connect to the e-mail server.  I believe
>that they are adding/changing/round-robin the ip addresses for the
>mail servers and the script is only picking up one of these addresses.
> Is there a way to get around this problem in ipchains and/or
>iptables?

>Is the only solution, to run dig every once and awhile and make sure
>that I have all of the latest ip addresses included in the filter,
>instead of relying on 'mail.myisp.com' in the script?

>How do other firewall systems get around this issue (Zone alarm,NIS
>2003)?

AtGuard (obsolete, but it seems to work. Possibly now Norton?) uses host
names, IPs, or ranges. Another Windows personal firewall I tried
(possibly Tiny, now Kerio?) did need IPs, and I ended up setting a /26
block for my ISP's news server, which is fairly distributed. I take it
your mail servers aren't in a nice tidy /nn block?

I'd have thought if anyone was prepared to go to the lengths of
poisoning your ISP's DNS to get at you, they'd find it easier to spoof
their IP.
--
Joe

Quote:> I'd have thought if anyone was prepared to go to the lengths of
> poisoning your ISP's DNS to get at you, they'd find it easier to spoof
> their IP.

Also his concept of using DNS to look up the name, then setting it in tables
(either by name or resulting IP) makes him vulnerable to poisoned DNS so I'm
not really sure how your response fits in...