On Friday 17 May 2002 1:35 pm, Ramin Alidousti wrote:

> On Fri, May 17, 2002 at 01:02:04PM +0100, Antony Stone wrote:
> > On Friday 17 May 2002 12:52 pm, Axel Heinrici wrote:
> > > > iptables -A icq -p tcp --dport 5190 -d login.icq.com -j ACCEPT
> > > > iptables -A icq -p tcp --dport 5190 -s login.icq.com -m state
> > > > --state ESTABLISHED,RELATED -j ACCEPT
> > > > iptables -A icq -p tcp --dport 5190 -s icq.com ! --syn -i
> > >
> > > Is this allowed? I thought iptables/netfilter does not make a DNS
> > > lookup. Or did you mean: "look it up yourself and replace it"
> >
> > Yes, this is perfectly okay - however you must remember that the lookup
> > is done once, when you enter the rule, and the machine then stores the IP
> > address which results from the lookup.
>
> What happens if a name resolves in several IPs? Is it not wiser to
> look it up manually and add multiple rules according to the number of
> A-RRs?
Yes, it is wiser to do the lookup yourself and be specific in the rule. If you get the system to do it for you (as above), then you will get a rule containing only the first IP address returned from the lookup.

Antony.
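The manual approach the thread recommends, written out as an added example (not code from the list or from any of the posters): resolve the hostname once, then emit one pair of rules per A record so every address is covered rather than only the first. The chain name `icq`, port 5190 and the reply-direction `--sport` match are taken from the quoted rules; the 192.0.2.x addresses in the usage comment are constructed documentation addresses, and `getent ahostsv4` is assumed to be available on the firewall host.

```shell
#!/bin/sh
# Added example: expand a hostname into one iptables rule pair per A record,
# instead of relying on iptables to resolve the name when the rule is entered.

# resolve_a HOST
#   Print every IPv4 address of HOST, one per line, deduplicated.
#   Uses the system resolver (getent), so it needs network access when run.
resolve_a() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# gen_rules CHAIN PORT ADDR...
#   Print the iptables commands for each address: one rule for the outbound
#   connection to PORT, one for the established/related replies coming back
#   from PORT (so the reply leg matches on --sport, not --dport).
gen_rules() {
    chain=$1
    port=$2
    shift 2
    for ip in "$@"; do
        printf 'iptables -A %s -p tcp --dport %s -d %s -j ACCEPT\n' \
            "$chain" "$port" "$ip"
        printf 'iptables -A %s -p tcp --sport %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
            "$chain" "$port" "$ip"
    done
}

# main HOST CHAIN PORT
#   Resolve HOST and print the rules; fails loudly if no A record comes back,
#   which is exactly the case where a name-based rule would silently be wrong.
#   Review the output, then pipe it to sh to apply:
#     main login.icq.com icq 5190 | sh
#   Offline check with constructed addresses:
#     gen_rules icq 5190 192.0.2.10 192.0.2.11
main() {
    host=$1
    chain=$2
    port=$3
    set -- $(resolve_a "$host")
    if [ "$#" -eq 0 ]; then
        echo "no A records for $host; refusing to generate rules" >&2
        return 1
    fi
    gen_rules "$chain" "$port" "$@"
}
```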
