On Mon, 12 Sep 2005, Matus UHLAR - fantomas wrote:
> however, currently I'm not able to differ if someone entered this IP (or
> hostname pointing to this IP) or an invalid hostname, and give people
> different error messages.
The first (explicitly entered) can be matched using dstdomain in
2.5.STABLE10.
> I probably could make an exemption in denying 240.0.0.0/4 or allow
> accessing 255.255.255.255, but I found this sick...
Removing the use of 255.255.255.255 from the dst acl is trivial. In acl.c
look for ACL_DST_IP in aclMatchAcl, and at the end of its block replace

    return aclMatchIp(&ae->data, no_addr);

with simply

    return 0;

this will make dst acls always false if the destination IP can not be
resolved (there is no IP to match the acl against, so it can't be true..)

Then to match invalid hosts you can use

    acl all_destinations dst 0.0.0.0/0
    http_access deny !all_destinations
Regards
Henrik
Received on Tue Sep 13 2005 - 17:30:33 MDT
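
Added example, not part of the original mail and not Squid source: a simplified C model of the dst ACL behaviour discussed above, showing why an unresolvable host is indistinguishable from a typed 255.255.255.255 before the change and separable after it. It assumes a rule set that also denies 240.0.0.0/4 (as in the quoted text); match_dst, http_access, the patched flag and the verdict names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Squid code: a dst ACL is one network/mask pair. */
typedef struct { uint32_t net, mask; } dst_acl;

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define NO_ADDR IP(255,255,255,255) /* stand-in address used when no IP resolves */

static int match_ip(const dst_acl *a, uint32_t ip) {
    return (ip & a->mask) == a->net;
}

/* resolved == 0 models a hostname with no usable IP.
 * patched == 0: original behaviour, match the ACL against 255.255.255.255.
 * patched == 1: behaviour after the edit in the mail, dst is always false. */
int match_dst(const dst_acl *a, int resolved, uint32_t ip, int patched) {
    if (resolved) return match_ip(a, ip);
    return patched ? 0 : match_ip(a, NO_ADDR);
}

enum verdict { ALLOW, DENY_RESERVED, DENY_INVALID_HOST };

/* Constructed rule order: deny !all_destinations, deny 240.0.0.0/4, allow. */
enum verdict http_access(int resolved, uint32_t ip, int patched) {
    const dst_acl all_destinations = { 0, 0 };                  /* 0.0.0.0/0 */
    const dst_acl reserved = { IP(240,0,0,0), IP(240,0,0,0) };  /* 240.0.0.0/4 */
    if (!match_dst(&all_destinations, resolved, ip, patched))
        return DENY_INVALID_HOST;  /* only reachable once dst can be false */
    if (match_dst(&reserved, resolved, ip, patched))
        return DENY_RESERVED;
    return ALLOW;
}

int main(void) {
    static const char *name[] = { "ALLOW", "DENY_RESERVED", "DENY_INVALID_HOST" };
    printf("unresolved, unpatched: %s\n", name[http_access(0, 0, 0)]);
    printf("unresolved, patched:   %s\n", name[http_access(0, 0, 1)]);
    printf("typed 255.255.255.255: %s\n", name[http_access(1, NO_ADDR, 1)]);
    printf("192.0.2.10 (sample):   %s\n", name[http_access(1, IP(192,0,2,10), 1)]);
    return 0;
}
```

In the unpatched case the unresolvable host falls into the 240.0.0.0/4 deny, the same verdict as an explicitly entered 255.255.255.255; with the change, `!all_destinations` catches it first.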