public inbox for development@lists.ipfire.org
From: Bob Brewer <ipfire-devel@grantura.co.uk>
To: development@lists.ipfire.org
Subject: Re: validfqdn
Date: Thu, 13 Dec 2018 21:06:06 +0000
Message-ID: <puuhjv$e7a$1@tuscan3.grantura.co.uk>
In-Reply-To: <08830C86-C35B-492D-BF8C-9BF9C772FA78@ipfire.org>


Michael Tremer wrote:

Hi Michael,

Thank you for your reply.

> Thank you for submitting your patch.
> 
>> On 12 Dec 2018, at 22:48, Bob Brewer <ipfire-devel(a)grantura.co.uk> wrote:
>> 
>> I am porting the old ipcop addon 'Banish' to IPFire and during testing
>> have found a problem in general-functions.pl which causes validfqdn to
>> return 1 when testing valid and invalid ip addresses when it should
>> return 0.
> 
> What does the add-on do? I could not find an old version for IPCop on the
> Internet…
> 
Banish is a well-written Perl-based IPCop addon that allows you to maintain 
a blocklist consisting of FQDN, MAC address, IP range, CIDR and domain 
formats. It was written by Sid McLaurin and was last maintained about 10 
years ago when IPCop was at version 1.4.18. I cannot currently find any 
trace of Sid McLaurin and assume it has been abandoned and his servers are 
no longer in existence. 

The program generates CUSTOMFORWARD, CUSTOMINPUT and CUSTOMOUTPUT
iptables from the maintained GUI based blocklist.

I have a copy of Banish 1.4.7 which dates back to 2008 and have ported it to 
the last version of IPCop although I haven't produced an install script for 
it. If you would like a copy of Banish 1.4.7 I would be pleased to send it 
to you.


>> As this is not a problem with IPCop 2 a comparison of the validfqdn
>> section in IPFire's general-functions.pl shows a missing segment that
>> checks the TLD can only be a-z or A-Z.
> 
> What requires this change?

Banish checks new entries through the web interface to make sure that they 
conform to the formats stated above and gives error messages if they are not 
correct. In testing I was finding that invalid IP addresses (such as 
192.168.0.256) were being validated by validfqdn as a fqdn and allowing it 
to be incorrectly used in the block list.

> 
> I do not know of any ASCII TLDs that have numbers, but there is no reason
> that they can’t in the future. Furthermore, we have some non-ASCII TLDs
> which will have to be encoded into ASCII using the puny-codes. That will
> result in something like this:
> 
> XN--FHBEI
> XN--FIQ228C5HS
> XN--FIQ64B
> XN--FIQS8S
> XN--FIQZ9S
> 
> This is just a couple of random TLDs I picked from here:
> 
>   http://data.iana.org/TLD/tlds-alpha-by-domain.txt
> 
There are some weird domains in there and many are new to me so maybe my 
patch needs to be updated to allow for these but I notice that there aren't 
any purely numeric TLDs in that list.

> I assume that those will no longer be usable after your patch. Can you
> confirm that?
>
My patch brings IPFire's validfqdn to be the same as the one in the latest 
IPCop version. It looks like we need to add a '-' to the regex string to 
make it comply with the domains listed above.

I have a hacked version of Banish almost working on IPFire but it still 
needs some more work to make an install script. I think it would make a good 
addition to IPFire and will make it available if you are interested.

Regards

Rob
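
The TLD question raised in this thread, as an added Perl example that is not IPFire's or IPCop's code and is not part of the original message: it runs the addresses and punycode TLDs quoted above through four candidate rules for the final label. The rule names, `valid_fqdn`, `$label_re` and the `example` host label are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Candidate rules for the final label (TLD). Names and patterns are
# illustrative assumptions, not the regexes used by IPFire or IPCop.
my @tld_rules = (
    [ 'unrestricted' => qr/\A[A-Za-z0-9-]+\z/ ],   # an all-numeric TLD passes
    [ 'letters-only' => qr/\A[A-Za-z]+\z/ ],       # a-z and A-Z only
    [ 'letters+dash' => qr/\A[A-Za-z-]+\z/ ],      # letters plus '-'
    # letters, digits and '-', but at least one letter must be present
    [ 'needs-letter' => qr/\A(?=[A-Za-z0-9-]*[A-Za-z])[A-Za-z0-9-]+\z/ ],
);

# One DNS label: 1-63 chars, letters/digits/hyphen, no hyphen at either end.
# \A and \z are used instead of ^ and $ so a trailing newline cannot slip by.
my $label_re = qr/\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/;

sub valid_fqdn {
    my ($name, $tld_re) = @_;
    return 0 if length($name) > 253;
    my @labels = split /\./, $name, -1;   # -1 keeps empty trailing labels
    return 0 if @labels < 2;              # a bare hostname is not an FQDN
    for my $label (@labels) {
        return 0 unless $label =~ $label_re;
    }
    return $labels[-1] =~ $tld_re ? 1 : 0;
}

# Constructed sample inputs; the bad address and the TLDs come from the thread.
my @samples = qw(
    192.168.0.256
    192.168.0.1
    www.ipfire.org
    example.XN--FHBEI
    example.XN--FIQ228C5HS
);

for my $rule (@tld_rules) {
    my ($rule_name, $tld_re) = @$rule;
    for my $name (@samples) {
        printf "%-13s %-24s %s\n", $rule_name, $name,
            valid_fqdn($name, $tld_re) ? 'fqdn' : 'not fqdn';
    }
}
```

Only the last rule rejects both dotted-quad strings while still accepting every punycode TLD in the sample set, including the ones that contain digits.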
