On Friday 2025-03-07 16:46, Guido Trentalancia wrote:
> I can give you a quick example of a hostname which is allocated
> dynamically in DNS: www.google.com.
>
> If you perform:
>
>     # nslookup www.google.com
>
> then you will obtain a different IP address (or different multiple IP
> addresses) each time you run the command.
>
> Given the above, any iptables rule for such kind of host will need to
> use its FQDN instead of a statically allocated numeric IP address.

In the case of multiple queries returning multiple results (DNS round-robin), using hostnames in firewall rules (with or without ignoring lookup errors) is even more wrong than before!

Because -s google.com -j ACCEPT/REJECT only performs one lookup, it leads to

* accepting _too few_ hosts, meaning you erroneously reject some google.com connections in subsequent rules,
* or rejecting *too few* hosts, meaning you erroneously let some connections through in subsequent rules.

So now we've gone from 100% of the time google.com is not reachable to randomly failing half the time attempting to load a search page.
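The single-lookup problem described in the reply above, as an added simulation that is not part of the thread: a fake round-robin resolver, a rule expanded from one lookup the way `iptables -s HOST` is, and a chain walk that shows how much of the address pool the rule actually covers. The hostname, the address pool and the "refresh the set from repeated lookups" mitigation (what a periodically rebuilt ipset would hold) are constructed assumptions for illustration.

```python
import itertools

# Constructed round-robin pool for a hypothetical name (not real addresses).
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

def make_resolver(pool, answers_per_query):
    """Fake resolver: each query returns the next N addresses of a rotating pool."""
    cycle = itertools.cycle(pool)
    def resolve(name):
        return [next(cycle) for _ in range(answers_per_query)]
    return resolve

def expand_rule(host, resolve, target):
    """Mimic `iptables -s HOST -j TARGET`: exactly one lookup at insertion
    time, frozen into the rule as a set of literal addresses."""
    return (frozenset(resolve(host)), target)

def verdict(chain, src, policy="DROP"):
    """Walk the chain in order; first matching rule wins, else chain policy."""
    for addrs, target in chain:
        if src in addrs:
            return target
    return policy

def coverage(chain, pool, wanted="ACCEPT"):
    """Fraction of the real address pool that gets the intended verdict."""
    hits = sum(verdict(chain, src) == wanted for src in pool)
    return hits / len(pool)

def resolve_repeatedly(host, resolve, rounds):
    """Mitigation sketch (assumed, not from the thread): accumulate answers
    over many lookups, as a resolver loop feeding an ipset would."""
    seen = set()
    for _ in range(rounds):
        seen.update(resolve(host))
    return frozenset(seen)

if __name__ == "__main__":
    resolve = make_resolver(POOL, answers_per_query=2)
    chain = [expand_rule("www.example.test", resolve, "ACCEPT")]
    print("single-lookup rule covers", coverage(chain, POOL))          # 0.5
    full = resolve_repeatedly("www.example.test", resolve, rounds=4)
    print("refreshed set covers", coverage([(full, "ACCEPT")], POOL))  # 1.0
```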