Hi all,
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
Best Regards Marcus
Yes, it works, but using an fqdn as destination, iptables can take too long to resolve the address. Using nslookup is a better solution, I think.
Vinícius Coque
On Wed, Oct 28, 2009 at 6:44 PM, Marcus Moeller mail@marcus-moeller.de wrote:
Hi all,
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
Best Regards Marcus
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 10/29/2009 10:29 AM, Vinicius Coque wrote:
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
I guess that depends on what you are trying to achieve, afaik iptables will not hit DNS for each packet, and will only resolve at time of table / policy creation.
- KB
KB is correct--IPTables performs a DNS lookup when it processes the rule. It doesn't slow down to run a DNS lookup for every packet it sees.
There are some practical risks to using hostnames, if you're not expecting them, though. If you lose DNS services during startup, your boot will hang for a while trying to resolve those names. Plus, even after it does finish booting, you will be missing the firewall rules that contained the unresolvable names, which may compromise your security to a greater or lesser extent.
Personally, I would avoid using hostnames in iptables startup scripts for these reasons, unless I had some automated notification and fail-safe action for this case, or if I had all the relevant hostnames listed in /etc/hosts or a really persistent local cache, like nscd w/ the 'reload-count infinite' option.
On 2009-10-29, Karanbir Singh mail-lists@karan.org wrote:
On 10/29/2009 10:29 AM, Vinicius Coque wrote:
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
I guess that depends on what you are trying to achieve, afaik iptables will not hit DNS for each packet, and will only resolve at time of table / policy creation.
- KB
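As an added example (not code from anyone in this thread), the following POSIX shell script does what Marcus's question and Ryan's fail-safe note describe: it resolves each firewall hostname once, at rule-load time, substitutes the address into the -d argument, and refuses to emit a partial rule set if any name fails to resolve, so the host keeps its existing default-deny policy rather than silently losing rules. To keep it runnable offline, the resolver reads a constructed hosts-format file rather than querying DNS; the sample names, addresses and rule shape (OUTPUT chain, tcp, ACCEPT) are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Resolves firewall
# hostnames once, at rule-load time, from a hosts-format file so the script
# never blocks on DNS, and refuses to emit a partial rule set if any name
# fails to resolve. Assumptions: the sample hosts data and the rule shape
# (OUTPUT, tcp, ACCEPT) are constructed for illustration.

# Constructed sample data standing in for /etc/hosts or a local cache.
HOSTS_FILE=$(mktemp)
trap 'rm -f "$HOSTS_FILE"' EXIT
cat > "$HOSTS_FILE" <<'EOF'
# constructed sample hosts file
192.0.2.10   backup.example.net   backup
192.0.2.20   monitor.example.net
EOF

NL='
'

# resolve_name NAME: print the first address listed for NAME in HOSTS_FILE;
# return 1 (printing nothing) when no entry exists.
resolve_name() {
    awk -v n="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$HOSTS_FILE"
}

# build_rule NAME PORT: print the iptables command with the resolved address
# substituted for the -d argument, or return 1 if NAME does not resolve.
build_rule() {
    addr=$(resolve_name "$1") || return 1
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$addr" "$2"
}

# load_rules: read "name port" pairs from stdin and print one rule per pair.
# Fail-safe: if any name fails to resolve, print nothing and return 1, so the
# caller keeps its existing default-deny policy instead of a partial one.
load_rules() {
    rules=""
    while read -r name port; do
        [ -z "$name" ] && continue
        rule=$(build_rule "$name" "$port") || {
            echo "ERROR: cannot resolve '$name'; rule set not loaded" >&2
            return 1
        }
        rules="$rules$rule$NL"
    done
    printf '%s' "$rules"
}

# Stand-alone demo: the first set loads, the second is rejected as a whole.
printf 'backup.example.net 22\nmonitor.example.net 443\n' | load_rules
printf 'backup.example.net 22\nnosuch.example.net 80\n' | load_rules \
    || echo "demo: rule set rejected, existing policy left in place" >&2
```

The script prints the rules instead of applying them, so it can be reviewed as a dry run first; piping its output to sh applies them. On a real host the awk lookup would be replaced by `getent hosts "$name"` (which consults /etc/hosts and then DNS according to nsswitch.conf), keeping the same all-or-nothing check, and the error branch is the natural place to hook the automated notification Ryan mentions.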
On Thu, Oct 29, 2009 at 10:58, Ryan Lynch ryan.b.lynch@gmail.com wrote:
KB is correct--IPTables performs a DNS lookup when it processes the rule. It doesn't slow down to run a DNS lookup for every packet it sees.
There are some practical risks to using hostnames, if you're not expecting them, though. If you lose DNS services during startup, your boot will hang for a while trying to resolve those names. Plus, even after it does finish booting, you will be missing the firewall rules that contained the unresolvable names, which may compromise your security to a greater or lesser extent.
Personally, I would avoid using hostnames in iptables startup scripts for these reasons, unless I had some automated notification and fail-safe action for this case, or if I had all the relevant hostnames listed in /etc/hosts or a really persistent local cache, like nscd w/ the 'reload-count infinite' option.
On 2009-10-29, Karanbir Singh mail-lists@karan.org wrote:
On 10/29/2009 10:29 AM, Vinicius Coque wrote:
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
I guess that depends on what you are trying to achieve, afaik iptables will not hit DNS for each packet, and will only resolve at time of table / policy creation.
BTW, sorry for the top-posting. The gmail client for BlackBerry seems to have been designed in the spirit of "Freedom means not having to make a choice".
-Ryan
On Wednesday 28 October 2009 16:44, Marcus Moeller wrote:
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
Best bet is to stay with the address.
On Thu, Oct 29, 2009 at 17:12, Robert Spangler mlists@zoominternet.net wrote:
On Wednesday 28 October 2009 16:44, Marcus Moeller wrote:
does it work to define iptables rules with a fqdn as destination instead of an IP address? Or is it useful to resolve the name first using e.g. nslookup, writing the result to a variable which is then used within the -d statement?
Best bet is to stay with the address.
No offense, Robert, but I don't think yours is a very helpful statement. When someone asks about alternative web servers, do we just tell them "Best bet is to stay with Apache"? That's just an opaque personal prejudice, and it doesn't give the guy asking the question any new or helpful information.
I can definitely think of cases where using FQDNs is a better choice, and I have some examples from my own personal experience. So I don't believe that you can say there is a "best" method, for all situations. You might be ignorant of the applicable use cases, but that doesn't mean they don't exist.
Marcus can weigh the pros and cons of both methods, for his particular case, and make an informed choice.
-Ryan
On Thursday 29 October 2009 19:57, Ryan Lynch wrote:
No offense, Robert, but I don't think yours is a very helpful statement.
I think it is about time you get off my back!
When someone asks about alternative web servers, do we just tell them "Best bet is to stay with Apache"? That's just an opaque personal prejudice, and it doesn't give the guy asking the question any new or helpful information.
It was an opinion and yes there were other replies that told him what he needed to know. Don't assume I don't know anything.
I can definitely think of cases where using FQDNs is a better choice,
Please do explain. On second thought never mind because I am really not interested.
and I have some examples from my own personal experience. So I don't believe that you can say there is a "best" method, for all situations.
Yes I can. Host information can be spoofed. So can IP addresses. Here is the point you are missing: if he is going to connect to your system then he is going to do it via IP address, not using his FQDN, and the network could care less about FQDN. Packets are not routed using FQDN; they are routed via IP address and MACs. So while FQDN is an option it is not as reliable as the IP address. So what are you going to do now, a reverse lookup? How often do they match what you are looking for these days? Not often.
You can always create a packet that says you are this or that but without the true IP address you'll never get a response which means you will never get connected.
You might be ignorant of the applicable use cases, but that doesn't mean they don't exist.
Ahh yes, you understand everyone's problem and have the perfect solution. Please excuse me, old wise one. What an @ss.
Do not bother to respond on the list as you are just wasting everyone's time.
Hi again.
and I have some examples from my own personal experience. So I don't believe that you can say there is a "best" method, for all situations.
Yes I can. Host information can be spoofed. So can IP addresses. Here is the point you are missing: if he is going to connect to your system then he is going to do it via IP address, not using his FQDN, and the network could care less about FQDN. Packets are not routed using FQDN; they are routed via IP address and MACs. So while FQDN is an option it is not as reliable as the IP address. So what are you going to do now, a reverse lookup? How often do they match what you are looking for these days? Not often.
You can always create a packet that says you are this or that but without the true IP address you'll never get a response which means you will never get connected.
I agree on that, and it's the reason why I finally decided not to use fqdns.
Thank you both for the detailed explanation :)
Best Regards Marcus