Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

On 07.03.25 at 21:37, Guido Trentalancia wrote:
> Apart from the case of DNS Round-robin, quite often a hostname (for
> example, a server hostname) is DNS-mapped to a static IP address, but
> over the time (several months or years) that IP address might change,
> even though it's still statically mapped.
>
> In that case, if a client behind an iptables packet filter does not use
> hostname-based rules, it won't be able to connect to that server
> anymore.
>
> So, there are cases where hostname-based rules give an advantage.
sorry, but hostname based access lists are a bad idea even on a webserver and on a packet filter it's unacceptable

if a host changes its IP rules have to be adjusted - it's as simple as that for the past 20 years in networking and will continue so the next 20 years

------------

and frankly if a service partner can't assign a static IP it's the wrong partner to begin with - we are talking about security

either you have a static IP or there is a VPN tunnel with certificates done within seconds with WireGuard - the dynamic host is the one to build up the tunnel, case closed
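The thread above turns on one mechanism: iptables resolves a hostname only once, when the rule is inserted, and stores the resulting address(es), so a later change of the server's static IP leaves a stale rule behind. The script below is an added example, not code from the netfilter project or from either poster. It plans the rule adjustments the reply insists on (re-resolve, diff against what is loaded, emit add/delete commands) and keeps the existing rules untouched when the lookup fails, so a DNS outage cannot silently empty the allow-list. The chain name `HOST_ALLOW`, the hostname and the addresses are constructed placeholders; the resolver is injectable so the planning logic runs offline.

```python
"""Plan iptables rule updates for a hostname whose address may change.

Added example (not netfilter project code). Model assumed here: one
"-d <ip> -j ACCEPT" rule per resolved IPv4 address in a dedicated chain.
"""
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], set[str]]


def resolve_ipv4(hostname: str) -> set[str]:
    """Return every IPv4 address DNS currently gives for hostname.

    Raises socket.gaierror (an OSError subclass) when the lookup fails.
    """
    infos = socket.getaddrinfo(hostname, None,
                               family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def plan_rule_updates(hostname: str, current_ips: Iterable[str],
                      resolver: Resolver = resolve_ipv4,
                      chain: str = "HOST_ALLOW") -> dict:
    """Diff the addresses loaded in `chain` against what DNS returns now.

    Returns {"status", "commands", "keep"[, "error"]}.  On lookup failure
    nothing is removed: the rules already in place stay as they are, which
    is the fail-safe behaviour for an allow-list.
    """
    current = set(current_ips)
    try:
        wanted = resolver(hostname)
    except OSError as exc:          # socket.gaierror is an OSError
        return {"status": "lookup-failed", "error": str(exc),
                "commands": [], "keep": sorted(current)}
    if not wanted:                  # empty answer: also leave rules alone
        return {"status": "empty", "commands": [], "keep": sorted(current)}

    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    commands = [f"iptables -A {chain} -d {ip} -j ACCEPT" for ip in to_add]
    commands += [f"iptables -D {chain} -d {ip} -j ACCEPT" for ip in to_remove]
    return {"status": "changed" if commands else "unchanged",
            "commands": commands, "keep": sorted(wanted)}


if __name__ == "__main__":
    # Constructed scenario: the rule was loaded months ago for 192.0.2.10,
    # the server has since moved to 192.0.2.20 (RFC 5737 documentation range).
    loaded_now = {"192.0.2.10"}
    fake_dns = lambda host: {"192.0.2.20"}
    plan = plan_rule_updates("server.example.test", loaded_now, resolver=fake_dns)
    print(plan["status"])
    for cmd in plan["commands"]:
        print(cmd)
```

Run it from cron (or a systemd timer) and apply the printed commands only after reviewing the `status` field; `lookup-failed` and `empty` are deliberately no-ops.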

