[Chilli] uamdomain / uamallowed

Wichert Akkerman wichert at wiggy.net
Wed Nov 10 16:34:08 UTC 2010


Hi David,

If you say "uamdomain example.com" will match "*example.com", does that 
mean it will also match "badexample.com"? If so that could be a security 
problem.

Wichert.


On 11/10/10 17:03, David Bird wrote:
> Well, here is where the change would be... that "google.com" would NOT
> mean "*google.com" (and "*.google.com isn't the same since it excludes
> "google.com" itself).
>
> Thinking that the best approach might be to basically keep it the way it
> is, that a uamdomain is always "*domain". The addition will be that
> hostnames in uamallowed could also be checked in DNS responses to pick
> up new/round-robin IPs. Why not just re-check the uamallowed at an
> interval? We do already, but that still would not pick up more dynamic
> DNS responses (again, round-robin IPs, etc). If "*domain" isn't wanted,
> then use uamallowed with the hostname. ? We could also add a '!' prefix
> to dis-authorize hostnames that are otherwise in the uamdomain.
>
>
> On Wed, 2010-11-10 at 16:18 +0200, Henk Kleynhans wrote:
>> I fall into the "most would consider camp" here... For example, if I
>> give access to google.com, I expect there to be access to
>> maps.google.com, mail.google.com, translate.google.com etc without
>> explicitly setting a wildcard.
>>
>>
>> If I wanted to provide access to only a few subdomains, I would
>> specify each of them explicitly.
>>
>>
>> Henk
>>
>>
>>
>>
>> On Wed, Nov 10, 2010 at 12:05 PM, David Bird <david at coova.com> wrote:
>> > By "single domain" you then mean an implicit "*.domain" match? I suppose
>> > that is just nomenclature, but I think most would consider a "domain" a
>> > group of hostnames, not just one (even if that "hostname" is
>> > "coova.org"). Hmm.. maybe we do explicitly require *-wildcard matching,
>> > but automatically add the "*" prefix if the uamdomain starts with a
>> > '.' (for those who already use ".coova.org", for example, in their
>> > configurations).
>>
>>
>> > On Wed, 2010-11-10 at 09:46 +0100, Wichert Akkerman wrote:
>> > > On 11/10/10 06:51, David Bird wrote:
>> > > > In an effort to make uamdomain a bit more flexible, a change is
>> > > > required. Right now, DNS queries ending in any uamdomain defined are
>> > > > added to the garden when resolved. This means it's always "*uamdomain"
>> > > > in the match. Instead, maybe the "*" should have to be explicit, as in
>> > > > "uamdomain=*.domain.com" so that you can also do single hostnames such
>> > > > as "uamdomain=singlehost.domain.com". ?
>> > >
>> > > I had always expected uamdomain to specify a single domain, not a
>> > > wildcard. I feel pretty strongly wildcards should be explicitly
>> > > specified since they can be a security risk.
>> > >
>> > > > Or, uamdomain could be kept as-is (and via an option) hostnames in
>> > > > uamallowed can be "re-checked" against DNS to pick up any round-robin
>> > > > (or just new) IP addresses to add to garden ? This way, the syntax for
>> > > > uamdomain does not need to change and hostnames used in uamallowed will
>> > > > update the walled garden when those hostnames are resolved by users (and
>> > > > not just resolved on start-up).
>> > >
>> > > Perhaps cache entries for a configurable amount of time?
>> > >
>> > > Wichert.
>> > > _______________________________________________
>> > > Chilli mailing list
>> > > Chilli at coova.org
>> > > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>>
>>
>>
>>
>>
>>
>> --
>> Henk Kleynhans
>> CEO & Founder
>> Skyrove (Pty) Ltd
>> Technology Top 100 - Most Promising Emerging Enterprise
>> Tel: 0861 768 377
>> Cell: +27 (84) 3073451
>> Fax: +27 (86) 6204077
>> henk at skyrove.com
>> blog: www.geekrebel.com
>>
>> ------
>>
>> "A person with ubuntu is open and available to others, affirming of
>> others, does not feel threatened that others are able and good, for he
>> or she has a proper self-assurance that comes from knowing that he or
>> she belongs in a greater whole and is diminished when others are
>> humiliated or diminished, when others are tortured or oppressed." -
>> Desmond Tutu
>>
>>
>>
>
>


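As an added illustration (not CoovaChilli code and not posted by anyone in the thread), a small matcher contrasting the bare-suffix "*domain" semantics Wichert flags with label-boundary matching, plus the hypothetical "!" dis-authorize prefix David floats. Rule handling of "*." and "." prefixes is an assumption for the example only.

```python
# Added example (not CoovaChilli code): walled-garden hostname matching
# with the semantics discussed in the uamdomain/uamallowed thread.

def matches_bare_suffix(host: str, domain: str) -> bool:
    """Current behaviour as described: uamdomain 'example.com' acts as
    '*example.com', a plain string suffix test with no label boundary.
    This is what makes 'badexample.com' match 'example.com'."""
    return host.lower().rstrip(".").endswith(domain.lower().rstrip("."))


def matches_domain(host: str, domain: str) -> bool:
    """Label-boundary match: the domain itself or any subdomain of it.
    A leading '*.' or '.' on the rule (assumed syntax) is stripped, so
    '.coova.org', '*.coova.org' and 'coova.org' all behave the same here."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip("*").lstrip(".").rstrip(".")
    if not domain:
        return False
    return host == domain or host.endswith("." + domain)


def garden_allows(host: str, rules: list) -> bool:
    """Evaluate a uamdomain-style rule list with label-boundary matching.
    A rule prefixed with '!' (hypothetical, from the thread) dis-authorizes
    a hostname even if another rule would allow it; exclusions win."""
    host = host.lower().rstrip(".")
    allowed = False
    for rule in rules:
        if rule.startswith("!"):
            if matches_domain(host, rule[1:]):
                return False
        elif matches_domain(host, rule):
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample names, not real garden entries.
    print(matches_bare_suffix("badexample.com", "example.com"))   # True: the risk
    print(matches_domain("badexample.com", "example.com"))        # False
    print(garden_allows("maps.google.com", ["google.com"]))       # True
    print(garden_allows("ads.google.com", ["google.com", "!ads.google.com"]))  # False
```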
