Apart from the case of DNS Round-robin, quite often a hostname (for example, a server hostname) is DNS-mapped to a static IP address, but over time (several months or years) that IP address might change, even though it's still statically mapped. In that case, if a client behind an iptables packet filter does not use hostname-based rules, it won't be able to connect to that server anymore. So, there are cases where hostname-based rules give an advantage.

Of course, it is out of discussion that rules based on IP addresses are always preferable when it can certainly be excluded that IP addresses are going to change over time, for example, if the rules refer to hosts in the same network or in a network managed by the same entity.

Guido

On Fri, 07/03/2025 at 21.07 +0100, Reindl Harald wrote:
>
> On 07.03.25 at 20:32, Guido Trentalancia wrote:
> > That's the way it is, I am personally against the practice of
> > resolving FQDNs dynamically, but many commercial services do so and
> > the only way of setting up iptables rules in that case is using
> > FQDNs...
>
> there is nothing qualified in a reverse-lookup
> frankly i can place any reverse-name that i want for any IP i control
> don't care really but using hostnames in a packet filter is dumb
>
> > Iptables has always supported FQDNs, we are not talking here about
> > removing that support or whether it should be used or not, the
> > point is making that feature more robust and fault-tolerant.
> >
> > I believe the patch improves the current situation for those that
> > wish or simply must use FQDN-based rules.
> >
> > Regards,
> >
> > Guido
> >
> > On the 7th March 2025 20:15:39 CET, Reindl Harald <h.reindl@thelounge.net> wrote:
> > >
> > > On 07.03.25 at 16:31, Guido Trentalancia wrote:
> > > > Nowadays FQDN hostnames are very often unavoidable, because in
> > > > many cases their IP addresses are allocated dynamically by the
> > > > DNS...
> > >
> > > which makes rules with hostnames even more dumb
> > >
> > > frankly you can't write useful rules for dynamic IPs at all
> > >
> > > > The patch is very useful for a desktop computer which, for
> > > > example, connects to a wireless network only occasionally and not
> > > > necessarily at system bootup and which needs rules for IPs
> > > > dynamically allocated to FQDNs.
> > > >
> > > > Guido
> > > >
> > > > On Fri, 07/03/2025 at 15.48 +0100, Reindl Harald wrote:
> > > > >
> > > > > On 07.03.25 at 15:07, Jan Engelhardt wrote:
> > > > > >
> > > > > > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> > > > > >
> > > > > > > libxtables: tolerate DNS lookup failures
> > > > > > >
> > > > > > > Do not abort on DNS lookup failure, just skip the
> > > > > > > rule and keep processing the rest of the rules.
> > > > > > >
> > > > > > > This is particularly useful, for example, when
> > > > > > > iptables-restore is called at system bootup
> > > > > > > before the network is up and the DNS can be
> > > > > > > reached.
> > > > > >
> > > > > > Not a good idea. Given
> > > > > >
> > > > > > -F INPUT
> > > > > > -P INPUT ACCEPT
> > > > > > -A INPUT -s evil.hacker.com -j REJECT
> > > > > > -A INPUT -j ACCEPT
> > > > > >
> > > > > > if you skip the rule, you now have a questionable hole in
> > > > > > your security.
> > > > >
> > > > > just don't use hostnames in stuff which is required to be up
> > > > > *before* the network to work properly at all
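The hole Jan points out above, shown as an added simulation that is not part of the thread or of iptables/libxtables: a tiny model of a ruleset loader applies his four-rule INPUT chain once with "skip" semantics (the proposed patch) and once with "abort" semantics (a simplified all-or-nothing model of the current behaviour), with a constructed resolver standing in for an unreachable boot-time DNS and 203.0.113.7 as a constructed client address.

```python
import ipaddress
import socket

# Constructed ruleset: the one Jan quotes in the thread.
RULESET = [
    ("-F", "INPUT", None, None),
    ("-P", "INPUT", None, "ACCEPT"),
    ("-A", "INPUT", "evil.hacker.com", "REJECT"),
    ("-A", "INPUT", None, "ACCEPT"),
]

def resolver_down(name):  # constructed: boot-time case, DNS unreachable
    raise socket.gaierror(f"{name}: Temporary failure in name resolution")

def load(ruleset, resolve, on_dns_failure):
    # on_dns_failure: "skip" = proposed patch, "abort" = current behaviour,
    # simplified here to an all-or-nothing load of the whole batch.
    chain = {"policy": "ACCEPT", "rules": []}
    for op, _name, src, target in ruleset:
        if op == "-F":
            chain["rules"] = []
        elif op == "-P":
            chain["policy"] = target
        elif op == "-A":
            nets = None
            if src is not None:
                try:
                    nets = [ipaddress.ip_network(a) for a in resolve(src)]
                except socket.gaierror:
                    if on_dns_failure == "skip":
                        continue  # rule silently dropped, later rules still load
                    raise         # whole batch rejected, old chain stays in place
            chain["rules"].append((nets, target))
    return chain

def verdict(chain, src_ip):
    # First matching rule wins; otherwise the chain policy applies.
    ip = ipaddress.ip_address(src_ip)
    for nets, target in chain["rules"]:
        if nets is None or any(ip in n for n in nets):
            return target
    return chain["policy"]

def outcome(on_dns_failure, resolve=resolver_down, src_ip="203.0.113.7"):
    # Verdict for src_ip after loading RULESET, or "LOAD FAILED" if the loader aborts.
    try:
        return verdict(load(RULESET, resolve, on_dns_failure), src_ip)
    except socket.gaierror:
        return "LOAD FAILED"
```

With DNS down, "skip" turns the REJECT for the unresolvable host into an ACCEPT from the catch-all rule, while "abort" loads nothing and leaves whatever chain was in place; with a working resolver both modes produce the intended REJECT.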