Nowadays FQDN hostnames are very often unavoidable, because in many cases their IP addresses are allocated dynamically by the DNS...

The patch is very useful for a desktop computer which, for example, connects to a wireless network only occasionally and not necessarily at system bootup and which needs rules for IPs dynamically allocated to FQDNs.

Guido

On Fri, 07/03/2025 at 15.48 +0100, Reindl Harald wrote:
>
> On 07.03.25 at 15:07, Jan Engelhardt wrote:
> >
> > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> >
> > > libxtables: tolerate DNS lookup failures
> > >
> > > Do not abort on DNS lookup failure, just skip the
> > > rule and keep processing the rest of the rules.
> > >
> > > This is particularly useful, for example, when
> > > iptables-restore is called at system bootup
> > > before the network is up and the DNS can be
> > > reached.
> >
> > Not a good idea. Given
> >
> >   -F INPUT
> >   -P INPUT ACCEPT
> >   -A INPUT -s evil.hacker.com -j REJECT
> >   -A INPUT -j ACCEPT
> >
> > if you skip the rule, you now have a questionable hole in your
> > security.
>
> just don't use hostnames in stuff which is required to be up *before*
> the network to work properly at all
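Added example, not part of the thread and not iptables code: a pre-load check that lists every -s/-d argument in a ruleset that is a name rather than a literal address, and shows which lines would remain if those rules were skipped. The function names and the sample ruleset are constructed for illustration; loaded_if_skipped() assumes the skip behaviour described in the commit message, for the case where no name resolves.

```python
import ipaddress
import shlex

# Options whose argument iptables resolves through DNS unless it is a literal.
ADDR_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

# Constructed sample: the four rules quoted in the thread plus one literal rule.
SAMPLE = """\
-F INPUT
-P INPUT ACCEPT
-A INPUT -s evil.hacker.com -j REJECT
-A INPUT -s 192.0.2.0/24,198.51.100.7 -j REJECT
-A INPUT -j ACCEPT
"""

def is_literal(spec):
    """True for address, address/prefixlen or address/netmask."""
    addr, _, mask = spec.partition("/")
    try:
        ipaddress.ip_address(addr)
        if mask and not mask.isdigit():
            ipaddress.ip_address(mask)
    except ValueError:
        return False
    return True

def hostname_rules(ruleset):
    """Return (line_no, option, name) for each address argument needing DNS."""
    found = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok not in ADDR_OPTS:
                continue
            # Old syntax puts the negation after the option: -s ! addr
            arg = tokens[i + 1]
            if arg == "!" and i + 2 < len(tokens):
                arg = tokens[i + 2]
            found += [(no, tok, s) for s in arg.split(",") if not is_literal(s)]
    return found

def loaded_if_skipped(ruleset):
    """Lines still loaded if every rule with an unresolved name is skipped."""
    bad = {no for no, _, _ in hostname_rules(ruleset)}
    return [l for no, l in enumerate(ruleset.splitlines(), 1) if no not in bad]

print(hostname_rules(SAMPLE), loaded_if_skipped(SAMPLE), sep="\n")
```

For the sample, the only flagged rule is the REJECT for evil.hacker.com, and the remaining lines still end in the unconditional ACCEPT.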