Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

Of course, if the DNS is not available the "evil hacker" rule is
skipped when this patch is merged.

However the drawbacks of not applying this patch are far worse, because
if the DNS is not available and some rules in the table contain domain
names, then all rules are skipped and the operation is aborted even for
numeric IP addresses and resolvable names.

Finally, consider that nowadays many host names are allocated
dynamically and therefore for several hosts it is not possible to enter
their numeric IP address.

I hope this helps...

Guido

On Fri, 07/03/2025 at 15.07 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> 
> > libxtables: tolerate DNS lookup failures
> > 
> > Do not abort on DNS lookup failure, just skip the
> > rule and keep processing the rest of the rules.
> > 
> > This is particularly useful, for example, when
> > iptables-restore is called at system bootup
> > before the network is up and the DNS can be
> > reached.
> 
> Not a good idea. Given
> 
> 	-F INPUT
> 	-P INPUT ACCEPT
> 	-A INPUT -s evil.hacker.com -j REJECT
> 	-A INPUT -j ACCEPT
> 
> if you skip the rule, you now have a questionable hole in your
> security.
> 
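As an added illustration of the exchange above (example code written for this page, not code from the thread, from libxtables or from the patch), the following Python script replays Jan's four-line ruleset through a small model of iptables-restore with both behaviours under discussion: abort the whole restore on an unresolvable name (current behaviour) and skip just that rule (the proposed patch). It also shows the usual workaround for Guido's boot-time case, resolving names when the ruleset is generated so the saved file contains only numeric addresses. The resolver is injected; the address 198.51.100.7 for evil.hacker.com and the two DNS tables are constructed for the example, and the helper names are this page's own.

```python
"""Added example (not from the thread): model what an iptables-restore
ruleset containing a hostname does when DNS is down, under "abort the
restore" (current behaviour), "skip the rule" (the proposed patch) and the
mitigation of resolving names when the ruleset is generated.
The ruleset is the one quoted in the thread; the attacker address and the
resolver answers are constructed."""
import ipaddress
import shlex

RULESET = """\
-F INPUT
-P INPUT ACCEPT
-A INPUT -s evil.hacker.com -j REJECT
-A INPUT -j ACCEPT
"""

# Constructed: what DNS answers when the network is up (TEST-NET-2 address)
# and when it is not reachable yet (early boot: every lookup fails).
DNS_UP = {"evil.hacker.com": ["198.51.100.7"]}
DNS_DOWN = {}


def make_resolver(table):
    """Resolver stand-in; a real one would wrap socket.getaddrinfo()
    and return [] on socket.gaierror."""
    return lambda name: table.get(name, [])


def is_numeric(token):
    """True for an IP address or CIDR literal, False for a hostname."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_rule(argv):
    """Return (chain, source_or_None, target) for an '-A' line."""
    chain, src, target = argv[1], None, None
    i = 2
    while i < len(argv):
        if argv[i] == "-s":
            src = argv[i + 1]
        elif argv[i] == "-j":
            target = argv[i + 1]
        else:
            raise ValueError("unsupported option %r" % argv[i])
        i += 2
    return chain, src, target


def load_rules(text, resolver, on_failure):
    """Build (policy_by_chain, rules) from restore-format text.

    on_failure='abort' raises on an unresolvable name, as iptables-restore
    does today (nothing is committed); on_failure='skip' drops just that
    rule and continues, which is what the patch proposes."""
    policy, rules = {}, []
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] == "-F":
            continue
        if argv[0] == "-P":
            policy[argv[1]] = argv[2]
            continue
        chain, src, target = parse_rule(argv)
        if src is None or is_numeric(src):
            rules.append((chain, src, target))
            continue
        addrs = resolver(src)
        if not addrs:
            if on_failure == "abort":
                raise RuntimeError("host/network %r not found" % src)
            continue                  # skip: the REJECT quietly vanishes
        # iptables expands a multi-address name into one rule per address
        rules.extend((chain, a, target) for a in addrs)
    return policy, rules


def verdict(policy, rules, chain, src_ip):
    """First-match evaluation of a packet from src_ip entering chain."""
    ip = ipaddress.ip_address(src_ip)
    for c, src, target in rules:
        if c == chain and (src is None or ip in ipaddress.ip_network(src, strict=False)):
            return target
    return policy.get(chain, "ACCEPT")


def pre_resolve(text, resolver):
    """Mitigation: rewrite names to numeric addresses while DNS works, so the
    saved ruleset restores at boot without any lookup. Fails loudly instead
    of silently dropping a rule."""
    out = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv[:1] == ["-A"] and "-s" in argv:
            idx = argv.index("-s") + 1
            if not is_numeric(argv[idx]):
                addrs = resolver(argv[idx])
                if not addrs:
                    raise RuntimeError("cannot pre-resolve %r" % argv[idx])
                out.extend(shlex.join(argv[:idx] + [a] + argv[idx + 1:]) for a in addrs)
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def attacker_verdict(dns, on_failure, ruleset=RULESET):
    """What happens to a packet from the (constructed) evil host."""
    policy, rules = load_rules(ruleset, make_resolver(dns), on_failure)
    return verdict(policy, rules, "INPUT", "198.51.100.7")


if __name__ == "__main__":
    print("DNS up,   skip :", attacker_verdict(DNS_UP, "skip"))      # REJECT
    print("DNS down, skip :", attacker_verdict(DNS_DOWN, "skip"))    # ACCEPT: Jan's hole
    numeric = pre_resolve(RULESET, make_resolver(DNS_UP))
    print("pre-resolved, DNS down:", attacker_verdict(DNS_DOWN, "abort", numeric))  # REJECT
    try:
        attacker_verdict(DNS_DOWN, "abort")
    except RuntimeError as e:
        print("DNS down, abort:", e)   # whole restore fails, nothing committed
```

With DNS reachable both behaviours reject the attacker; with DNS down, skipping turns the REJECT into a no-op and the trailing `-j ACCEPT` lets the packet through, which is exactly the hole Jan describes, while aborting leaves the whole ruleset uncommitted, which is Guido's boot-time complaint. A ruleset run through `pre_resolve` while the network is up restores correctly with no DNS at all; the cost is that dynamically allocated hosts need the file regenerated when their address changes.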
