bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-09 15:43 UTC
[Bug 441] Feature Request; Resolve Domains/Hostnames
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=441
laforge@netfilter.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From laforge@netfilter.org 2006-02-09 15:43 MET
-------
This is not a fix, it's a feature. Actually, we should remove support for
resolving host names alltogether. Why:
1) because we only look up the first A record and not further A records
2) because dns zones can change and we only resolve at ruleset loadtime
3) because DNS can easily be spoofed (and thus firewall rules changed)
4) because a good firewall should first load the ruleset, and only then enable
network traffic to the outside world and therefore cannot contact a DNS
server.
--
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.
Apparently Analagous Threads
- [Bug 616] New: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
- [ANNOUNCE] Security Advisory about IRC DCC connection tracking
- [Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
- [Bug 580] New: iptables-restore and iptables-save lack comparison of a saved ruleset against the currently deployed rules
- [Bug 45] Feature: only count packets that get matched in a chain
Wisdom of the Ancients
