On Thu, Oct 29, 2009 at 10:58, Ryan Lynch <ryan.b.lynch at gmail.com> wrote:
> KB is correct--IPTables performs a DNS lookup when it processes the
> rule. It doesn't slow down to run a DNS lookup for every packet it
> sees.
>
> There are some practical risks to using hostnames, if you're not
> expecting them, though. If you lose DNS services during startup, your
> boot will hang for a while trying to resolve those names. Plus, even
> after it does finish booting, you will be missing the firewall rules
> that contained the unresolvable names, which may compromise your
> security to a greater or lesser extent.
>
> Personally, I would avoid using hostnames in iptables startup scripts
> for these reasons, unless I had some automated notification and
> fail-safe action for this case, or if I had all the relevant hostnames
> listed in /etc/hosts or a really persistent local cache, like nscd w/
> the 'reload-count infinite' option.
>
>
> On 2009-10-29, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 10/29/2009 10:29 AM, Vinicius Coque wrote:
>>>> does it work to define iptables rules with a fqdn as destination
>>>> instead of an IP address? Or is it useful to resolve the name first
>>>> using e.g. nslookup, writing the result to a variable which is then
>>>> used within the -d statement?
>>
>> I guess that depends on what you are trying to achieve, afaik iptables
>> will not hit DNS for each packet, and will only resolve at time of table
>> / policy creation.

BTW, sorry for the top-posting. The gmail client for BlackBerry seems to
have been designed in the spirit of "Freedom means not having to make a
choice".

-Ryan
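As an added illustration of the approach Ryan describes (resolve the name yourself before building the rule, keep a persistent local copy of the answer, and take a fail-safe action when resolution fails), the script below is example code written for this page, not something posted in the thread. It resolves each hostname once, refreshes a small cache file on success, falls back to the cached address when the resolver is down, and prints the resulting iptables commands instead of applying them so they can be reviewed first. The cache path, the `example.test` hostnames and the `FW_` variable names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: resolve firewall
# destinations once at rule-build time, with a persistent local cache as
# fallback, and report (rather than silently drop) rules that cannot be built.
# Rules are printed, not applied; pipe the output into sh only after review.

# Assumed cache location; format is one "IPv4 hostname" pair per line.
FW_CACHE="${FW_CACHE:-/var/cache/fw-hosts.cache}"

# lookup_ipv4 NAME: first IPv4 address from the system resolver, status 1 if none.
# 'getent ahostsv4' is glibc-specific; it prints "ADDRESS SOCKTYPE NAME" lines.
lookup_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 {print $1; exit}' | grep .
}

# cache_get NAME: cached IPv4 for NAME, status 1 if the cache has no entry.
cache_get() {
    [ -r "$FW_CACHE" ] || return 1
    awk -v n="$1" '$2 == n {print $1; found = 1; exit} END {exit !found}' "$FW_CACHE"
}

# cache_put IP NAME: replace (or add) the cache entry for NAME atomically.
cache_put() {
    tmp="$FW_CACHE.tmp.$$"
    {
        [ -r "$FW_CACHE" ] && awk -v n="$2" '$2 != n' "$FW_CACHE"
        printf '%s %s\n' "$1" "$2"
    } > "$tmp" && mv "$tmp" "$FW_CACHE"
}

# resolve_host NAME: live answer first (refreshing the cache), then the cache.
# Returns status 1 only when neither source knows the name.
resolve_host() {
    if ip=$(lookup_ipv4 "$1"); then
        cache_put "$ip" "$1"
        printf '%s\n' "$ip"
        return 0
    fi
    cache_get "$1"
}

# rule_for NAME PORT: print an ACCEPT rule for the resolved address, or a
# comment line plus a failing status so the caller can take a fail-safe action.
rule_for() {
    if ip=$(resolve_host "$1"); then
        printf 'iptables -A OUTPUT -d %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$2"
    else
        printf '# %s: unresolvable and not cached; rule skipped\n' "$1"
        return 1
    fi
}

# main HOST:PORT ...: build every rule, then warn on stderr if any were skipped,
# which is where a notification or a deny-by-default fallback would go.
main() {
    status=0
    for arg in "$@"; do
        rule_for "${arg%:*}" "${arg#*:}" || status=1
    done
    [ "$status" -eq 0 ] || echo '# WARNING: some rules missing; notify operator' >&2
    return $status
}

# Example invocation with placeholder names (only runs when arguments are given):
#   sh fw-rules.sh mail.example.test:25 ntp.example.test:123
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the script fails fast with a visible comment and a non-zero exit when a name is unresolvable and uncached, a boot-time DNS outage no longer produces a quietly incomplete ruleset; whoever wires it into the startup path decides whether that exit should page someone, fall back to a deny-all policy, or both.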