Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

[Reindl Harald <h.reindl@xxxxxxxxxxxxx>]

Am 07.03.25 um 20:32 schrieb Guido Trentalancia:
> That's the way it is, I am personally against the practice of resolving FQDNs dynamically, but many commercial services do so and the only way of setting up iptables rules in that case is using FQDNs...

there is nothing qualified in a reverse-lookup
franklyi can place any reverse-name that i want for any IP i control
don't care really but using hostnames in a packet filter is dumb

> Iptables has always supported FQDNs, we are not talking here about removing that support or whether it should be used or not, the point is makjng that feature more robust and fault-tolerant.
>
> I believe the patch improves the current situation for those that wish or simply must use FQDN-based rules.
>
> Regards,
>
> Guido
>
> On the 7th march 2025 20:15:39 CET, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> > Am 07.03.25 um 16:31 schrieb Guido Trentalancia:
> > > Nowadays FQDN hostnames are very often unavoidable, because in many
> > > cases their IP addresses are allocated dynamically by the DNS...
> >
> > which makes rules with hostnames even more dumb
> >
> > frankly you can't write useful rules for dynamic IPs at all
> >
> > > The patch is very useful for a desktop computer which, for example,
> > > connects to a wireless network only occasionally and not necessarily
> > at
> > > system bootup and which needs rules for IPs dynamically allocated to
> > > FQDNs.
> > >
> > > Guido
> > >
> > > On Fri, 07/03/2025 at 15.48 +0100, Reindl Harald wrote:
> > > > Am 07.03.25 um 15:07 schrieb Jan Engelhardt:
> > > > > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> > > > >
> > > > > > libxtables: tolerate DNS lookup failures
> > > > > >
> > > > > > Do not abort on DNS lookup failure, just skip the
> > > > > > rule and keep processing the rest of the rules.
> > > > > >
> > > > > > This is particularly useful, for example, when
> > > > > > iptables-restore is called at system bootup
> > > > > > before the network is up and the DNS can be
> > > > > > reached.
> > > > >
> > > > > Not a good idea. Given
> > > > >
> > > > > 	-F INPUT
> > > > > 	-P INPUT ACCEPT
> > > > > 	-A INPUT -s evil.hacker.com -j REJECT
> > > > > 	-A INPUT -j ACCEPT
> > > > >
> > > > > if you skip the rule, you now have a questionable hole in your
> > > > > security.
> > > >
> > > > just don't use hostnames in stuff which is required to be upo
> > > > *before*
> > > > the network to work properly at all