Re: iptables -d fqdn instead of IP




On Thu, Oct 29, 2009 at 10:58, Ryan Lynch <ryan.b.lynch@xxxxxxxxx> wrote:
> KB is correct--IPTables performs a DNS lookup when it processes the
> rule. It doesn't slow down to run a DNS lookup for every packet it
> sees.
>
> There are some practical risks to using hostnames, if you're not
> expecting them, though. If you lose DNS services during startup, your
> boot will hang for a while trying to resolve those names. Plus, even
> after it does finish booting, you will be missing the firewall rules
> that contained the unresolvable names, which may compromise your
> security to a greater or lesser extent.
>
> Personally, I would avoid using hostnames in iptables startup scripts
> for these reasons, unless I had some automated notification and
> fail-safe action for this case, or if I had all the relevant hostnames
> listed in /etc/hosts or a really persistent local cache, like nscd w/
> the 'reload-count infinite' option.
>
>
> On 2009-10-29, Karanbir Singh <mail-lists@xxxxxxxxx> wrote:
>> On 10/29/2009 10:29 AM, Vinicius Coque wrote:
>>>> does it work to define iptables rules with a fqdn as destination
>>>> instead of an IP address? Or is it useful to resolve the name first
>>>> using e.g. nslookup, writing the result to a variable which is then
>>>> used within the -d statement?
>>
>> I guess that depends on what you are trying to achieve, afaik iptables
>> will not hit DNS for each packet, and will only resolve at time of table
>> / policy creation.

BTW, sorry for the top-posting. The gmail client for BlackBerry seems
to have been designed in the spirit of "Freedom means not having to
make a choice".

-Ryan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
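An added example, not from this thread, of the "resolve the name first" approach Vinicius asks about combined with Ryan's fail-safe suggestion: names are resolved once at rule-build time, fall back to a local cache, and an unresolvable name aborts the build instead of silently leaving the rule out. The cache path, the FW_RESOLVER hook and the .invalid hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: resolve firewall hostnames once, before
# any rule is loaded, and fail closed when a name cannot be resolved.
# Assumptions: CACHE_FILE holds admin-maintained "hostname ipv4" lines and
# getent(1) is the live resolver; FW_RESOLVER exists so tests can run offline.

CACHE_FILE="${CACHE_FILE:-/etc/firewall/addr-cache}"

# dns_lookup NAME: first IPv4 address from the system resolver, or nothing.
dns_lookup() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'; }
FW_RESOLVER="${FW_RESOLVER:-dns_lookup}"

# resolve_fw_host NAME: print one address for NAME, trying live DNS first and
# the local cache second. Prints nothing and returns 1 if both fail.
resolve_fw_host() {
    _name=$1
    _addr=$("$FW_RESOLVER" "$_name") || _addr=""
    if [ -z "$_addr" ] && [ -r "$CACHE_FILE" ]; then
        _addr=$(awk -v n="$_name" '$1 == n {print $2; exit}' "$CACHE_FILE")
    fi
    [ -n "$_addr" ] || return 1
    printf '%s\n' "$_addr"
}

# build_rules OUT NAME...: write one iptables command per NAME to OUT.
# If any name is unresolvable, write nothing and return 1, so the caller can
# keep the last known-good ruleset loaded (and alert) instead of booting with
# the rule silently missing, which is the failure mode the thread warns about.
build_rules() {
    _out=$1; shift
    : > "$_out.tmp"
    for _n in "$@"; do
        if ! _ip=$(resolve_fw_host "$_n"); then
            rm -f "$_out.tmp"
            echo "firewall: cannot resolve $_n, ruleset not generated" >&2
            return 1
        fi
        printf 'iptables -A OUTPUT -d %s -j ACCEPT  # %s\n' "$_ip" "$_n" >> "$_out.tmp"
    done
    mv "$_out.tmp" "$_out"
}
```

The generated file is meant to be reviewed or sourced by the startup script only when build_rules returns 0; a non-zero return is the point at which the notification Ryan mentions should fire.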
