patdk-lap | it's never really gone well for people | 00:00 |
---|---|---|
wingarmac | It seems not applicable, as names are translated to IPs from the start and the distant host reached has no clue of the name used to reach it. | 00:01 |
JanC | but this is about what hostname was used to point to the server's WAN IP | 00:01 |
wingarmac | this is about applying host name port authority | 00:02 |
wingarmac | make a difference with the same IP called once ns.example.com for usage of port 53 and example.com for the endpoint port, and another.example.com for another port and service. | 00:04 |
wingarmac | All on the same IP | 00:04 |
wingarmac | But as I mentioned, it isn't applicable, as the host name used in the request isn't sent with it. So the server will not be able to identify what host name was used to reach it. Thus no filter can be applied. | 00:06 |
JanC | some protocols (like HTTP) have the hostname in the protocol (but you can't easily use that in a firewall either because that is _after_ the connection is established, and when TLS is used it's encrypted) | 00:08 |
patdk-lap | oh, a layer7 firewall | 00:09 |
wingarmac | Another clue I encountered is the reading of IPv6 of a visitor with PHP. Sometimes I get one or the other, but can't get both it seems. | 00:10 |
patdk-lap | well, iptables/nftables/ufw don't support beyond layer 3, and only support limited layer 4 for masq things like sip/ftp with lots of limitations | 00:11 |
patdk-lap | hmm, wouldn't you setup that *firewall* in whatever is doing the reverse proxy for your webservers? | 00:12 |
patdk-lap | haproxy/nginx/apache/... can all do it | 00:12 |
JanC | it's wg & DNS, I think | 00:12 |
patdk-lap | he is bringing up dns and php | 00:12 |
patdk-lap | it's very confusing | 00:12 |
JanC | ah yes, that's a something new (not the original question) :) | 00:13 |
wingarmac | Well, sorry for that, but I've many more questions. To remain on the second one: https://paste.ubuntu.com/p/nbSXrcfsSk/ | 00:15 |
wingarmac | This is my code used for https://ns.wingarmac.org | 00:15 |
wingarmac | I thought it was confirmed the firewall can't use names, so I skipped to the next question. Sorry for any confusion. | 00:16 |
=== unixtippse1 is now known as unixtippse | ||
=== ajfriesen9 is now known as ajfriesen | ||
=== bbezak0 is now known as bbezak | ||
=== brlin_ is now known as brlin | ||
=== teward_ is now known as teward | ||
=== frickler_ is now known as frickler | ||
=== JanC is now known as Guest8432 | ||
=== JanC_ is now known as JanC | ||
=== esv__ is now known as esv | ||
=== andol_ is now known as andol | ||
=== jelly-home is now known as jelly |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!