Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

On 07.03.25 at 20:32, Guido Trentalancia wrote:
That's the way it is, I am personally against the practice of resolving FQDNs dynamically, but many commercial services do so and the only way of setting up iptables rules in that case is using FQDNs...

there is nothing qualified in a reverse-lookup
frankly I can place any reverse-name that i want for any IP i control
don't care really but using hostnames in a packet filter is dumb

Iptables has always supported FQDNs, we are not talking here about removing that support or whether it should be used or not, the point is making that feature more robust and fault-tolerant.

I believe the patch improves the current situation for those that wish or simply must use FQDN-based rules.

Regards,

Guido

On the 7th March 2025 at 20:15:39 CET, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:


On 07.03.25 at 16:31, Guido Trentalancia wrote:
Nowadays FQDN hostnames are very often unavoidable, because in many
cases their IP addresses are allocated dynamically by the DNS...

which makes rules with hostnames even more dumb

frankly you can't write useful rules for dynamic IPs at all

The patch is very useful for a desktop computer which, for example,
connects to a wireless network only occasionally and not necessarily
at system bootup and which needs rules for IPs dynamically allocated
to FQDNs.

Guido

On Fri, 07/03/2025 at 15.48 +0100, Reindl Harald wrote:

On 07.03.25 at 15:07, Jan Engelhardt wrote:

On Friday 2025-03-07 14:42, Guido Trentalancia wrote:

libxtables: tolerate DNS lookup failures

Do not abort on DNS lookup failure, just skip the
rule and keep processing the rest of the rules.

This is particularly useful, for example, when
iptables-restore is called at system bootup
before the network is up and the DNS can be
reached.

Not a good idea. Given

	-F INPUT
	-P INPUT ACCEPT
	-A INPUT -s evil.hacker.com -j REJECT
	-A INPUT -j ACCEPT

if you skip the rule, you now have a questionable hole in your
security.

just don't use hostnames in stuff which is required to be up *before*
the network to work properly at all
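The fail-open behaviour Jan points out above (a skipped REJECT rule leaves the hole) can be caught before a restore is attempted. The following is an added example, not code from this thread or from the iptables project: a POSIX sh pre-flight check that lists the hostname-based -s/-d rules in an iptables-restore file and exits non-zero if any name does not resolve, so the ruleset is refused as a whole rather than loaded with a rule missing. The function names, the constructed sample ruleset and the RESOLVE override are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from iptables: pre-flight check for an
# iptables-restore file that lists hostname-based -s/-d rules and refuses the
# ruleset (fail closed) if any name does not resolve, instead of skipping it.

# Return 0 if $1 is an address literal (IPv4, IPv4/prefix or IPv6), else 1.
is_addr_literal() {
    case "$1" in
        *:*) return 0 ;;              # contains ':' -> IPv6 literal
        ""|*[!0-9./]*) return 1 ;;    # empty, or letters etc. -> hostname
        *) return 0 ;;                # only digits, dots, '/' -> IPv4[/len]
    esac
}

# Print "<chain> <name>" for every -A/-I rule in file $1 whose -s/-d
# (or long-form) argument is a hostname rather than an address literal.
find_hostname_rules() {
    while IFS= read -r line; do
        case "$line" in -A*|-I*) ;; *) continue ;; esac
        set -- $line                  # word-split the rule; $2 is the chain
        chain=$2
        while [ $# -gt 1 ]; do
            case "$1" in
                -s|-d|--source|--src|--destination|--dst)
                    is_addr_literal "$2" || printf '%s %s\n' "$chain" "$2" ;;
            esac
            shift
        done
    done < "$1"                       # redirect is opened before set -- runs
}

# Resolve each distinct hostname in ruleset $1 (via getent, or the command
# named in RESOLVE for offline testing); return 1 if any lookup failed.
check_ruleset() {
    resolver=${RESOLVE:-getent}
    failed=0
    for name in $(find_hostname_rules "$1" | cut -d' ' -f2 | sort -u); do
        if ! $resolver hosts "$name" >/dev/null 2>&1; then
            echo "unresolved: $name" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}
# Constructed sample ruleset (restore format: Jan's rules plus one literal).
write_sample_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -s 10.0.0.0/8 -j ACCEPT' \
        '-A INPUT -s evil.hacker.com -j REJECT' \
        '-A INPUT -j ACCEPT' 'COMMIT' > "$1"
}
```

Typical use is `write_sample_ruleset /tmp/rules && check_ruleset /tmp/rules && iptables-restore /tmp/rules`, so a failed lookup stops the restore instead of producing a ruleset with a silently dropped rule.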