Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

Nowadays FQDN hostnames are very often unavoidable, because in many
cases their IP addresses are allocated dynamically by the DNS...

The patch is very useful for a desktop computer which, for example,
connects to a wireless network only occasionally and not necessarily at
system bootup and which needs rules for IPs dynamically allocated to
FQDNs.

Guido

On Fri, 07/03/2025 at 15.48 +0100, Reindl Harald wrote:
> 
> Am 07.03.25 um 15:07 schrieb Jan Engelhardt:
> > 
> > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> > 
> > > libxtables: tolerate DNS lookup failures
> > > 
> > > Do not abort on DNS lookup failure, just skip the
> > > rule and keep processing the rest of the rules.
> > > 
> > > This is particularly useful, for example, when
> > > iptables-restore is called at system bootup
> > > before the network is up and the DNS can be
> > > reached.
> > 
> > Not a good idea. Given
> > 
> > 	-F INPUT
> > 	-P INPUT ACCEPT
> > 	-A INPUT -s evil.hacker.com -j REJECT
> > 	-A INPUT -j ACCEPT
> > 
> > if you skip the rule, you now have a questionable hole in your
> > security.
> 
> just don't use hostnames in stuff which is required to be up
> *before* the network to work properly at all
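The fail-open case Jan describes above, as an added example that is not part of the thread and not iptables or libxtables code: a small Python model that first lists the rules in an iptables-restore file whose `-s`/`-d` operand is a hostname (the rules that depend on DNS at load time), and then walks the INPUT chain for a packet under both behaviours, skipping the unresolvable rule as the patch proposes versus aborting the load as current libxtables does. The ruleset mirrors the one quoted in the thread; the resolver answers and the 203.0.113.5 address are constructed, and only source-address matching with `-j` targets is modelled.

```python
"""Hypothetical model of chain traversal, not iptables code: it shows why
silently skipping a rule with an unresolvable hostname fails open."""
import ipaddress
import shlex

# Constructed ruleset in iptables-restore syntax, mirroring the thread's example.
RULESET = """\
*filter
-F INPUT
-P INPUT ACCEPT
-A INPUT -s evil.hacker.com -j REJECT
-A INPUT -j ACCEPT
COMMIT
"""

ADDRESS_OPTIONS = {"-s", "--source", "-d", "--destination"}


def is_ip_literal(token):
    """True if token is an address or CIDR prefix that needs no DNS lookup."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def hostname_operands(ruleset):
    """Pre-flight check: (line, option, name) for every -s/-d operand that is
    a hostname, i.e. every rule whose loading depends on a working resolver."""
    found = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        for i, tok in enumerate(toks[:-1]):
            if tok in ADDRESS_OPTIONS and not is_ip_literal(toks[i + 1]):
                found.append((lineno, tok, toks[i + 1]))
    return found


def failing_resolver(name):
    """Models DNS being unreachable (network not up yet): every lookup fails."""
    return None


def static_resolver(name):
    """Models a working DNS with a constructed answer (TEST-NET-3 address)."""
    table = {"evil.hacker.com": [ipaddress.ip_network("203.0.113.5/32")]}
    return table.get(name)


def evaluate_chain(ruleset, chain, src_ip, resolver, skip_unresolvable):
    """Walk `chain` for a packet from src_ip and return the verdict.

    resolver(name) returns a list of networks (iptables expands a hostname with
    several addresses into one rule per address) or None on lookup failure.
    skip_unresolvable=True is the proposed behaviour; False aborts the load.
    """
    src = ipaddress.ip_address(src_ip)
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P" and toks[1] == chain:
            policy = toks[2]  # chain policy applies when no rule matches
            continue
        if toks[0] != "-A" or toks[1] != chain:
            continue
        target = toks[toks.index("-j") + 1]
        matched = True
        for i, tok in enumerate(toks):
            if tok not in ("-s", "--source"):
                continue
            operand = toks[i + 1]
            negated = i > 0 and toks[i - 1] == "!"
            if is_ip_literal(operand):
                nets = [ipaddress.ip_network(operand, strict=False)]
            else:
                nets = resolver(operand)
                if nets is None:
                    if skip_unresolvable:
                        matched = False  # rule silently dropped: this is the hole
                        break
                    raise RuntimeError(f"cannot resolve {operand}; refusing to load")
            hit = any(src in net for net in nets)
            matched = matched and (hit != negated)
        if matched:
            return target
    return policy


if __name__ == "__main__":
    print("rules depending on DNS:", hostname_operands(RULESET))
    for label, resolver in (("DNS down, rule skipped", failing_resolver),
                            ("DNS up", static_resolver)):
        verdict = evaluate_chain(RULESET, "INPUT", "203.0.113.5", resolver, True)
        print(f"{label}: packet from 203.0.113.5 -> {verdict}")
```

The pre-flight list is the practical mitigation: run it (or the equivalent grep) against the saved ruleset and either replace the names with literals or defer loading those rules until the resolver is reachable, so the chain never fails open because a REJECT line vanished.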



