--On Friday, 17 May 2002 13:45 +0100 Antony Stone
<[EMAIL PROTECTED]> wrote:
> On Friday 17 May 2002 1:35 pm, Ramin Alidousti wrote:
>
>> On Fri, May 17, 2002 at 01:02:04PM +0100, Antony Stone wrote:
>> > On Friday 17 May 2002 12:52 pm, Axel Heinrici wrote:
>> > > > iptables -A icq -p tcp --dport 5190 -d login.icq.com -j ACCEPT
>> > > > iptables -A icq -p tcp --dport 5190 -s login.icq.com -m state
>> > > > --state ESTABLISHED,RELATED -j ACCEPT
>> > > > iptables -A icq -p tcp --dport 5190 -s icq.com ! --syn -i
>> > >
>> > > Is this allowed? I thought iptables/netfilter does not make a DNS
>> > > lookup. Or did you mean: "look it up yourself and replace it"?
>> >
>> > Yes, this is perfectly okay - however you must remember that the lookup
>> > is done once, when you enter the rule, and the machine then stores the
>> > IP address which results from the lookup.
>>
>> What happens if a name resolves to several IPs? Is it not wiser to
>> look it up manually and add multiple rules according to the number of
>> A-RRs?
> Yes, it is wiser to do the lookup yourself and be specific in the rule.
>
> If you get the system to do it for you (as above), then you will get a
> rule containing only the first IP address returned from the lookup.
I think it depends on what you want. If you need every IP of a server,
then it's better to add all IPs manually, but if it's enough that the first
IP is found, then this should work.
Besides, you must have a working internet connection to get the IP via DNS.
If you use a dial-up connection you have to add a rule to allow DNS queries
first.
Another point is the number of rules you have. With only a few rules it
doesn't matter how long it takes to get through all the rules until you get
a match (most of the time). If you have several hundred rules, time
matters.
Greetings Erik
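The approach recommended in this thread, looking the name up yourself and adding one rule per A record, as an added example script (not code from the thread or from any of the posters). The chain name "icq", port 5190 and the host login.icq.com come from the quoted rules; the lookup via getent(1), the dedicated chain with a single jump into it (so the per-address rules are not walked by every packet, which matters once a rule set grows to several hundred lines), the reply rule matching the server's source port rather than the quoted --dport, and the address list at the bottom are all assumptions made here for illustration. The script prints the iptables commands instead of running them, so the result can be reviewed first; the live lookup only works once DNS is reachable, i.e. after the dial-up link is up and DNS queries are already allowed.

```shell
#!/bin/sh
# Added example; not code from the thread. Expands a hostname into one
# iptables rule per IPv4 address instead of letting iptables resolve the
# name itself at insertion time. Chain name "icq", port 5190 and the host
# login.icq.com are taken from the quoted rules; everything else, including
# the sample address list at the bottom, is constructed for illustration.

# Live lookup: every IPv4 address for a name, one per line, de-duplicated.
# getent(1) with the "ahostsv4" database is glibc-specific. Only usable
# once DNS is reachable (dial-up link up, DNS queries already allowed).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Keep only dotted-quad IPv4 addresses from stdin and drop duplicates, so
# a CNAME target, an AAAA record or a stray line never reaches iptables.
filter_v4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Print (do not run) a dedicated chain plus one jump into it from each
# direction, so the per-address rules are only walked by packets to or
# from the given port, not by every packet passing the firewall.
gen_chain_setup() {
    chain=$1; port=$2
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A OUTPUT -p tcp --dport %s -j %s\n' "$port" "$chain"
    printf 'iptables -A INPUT -p tcp --sport %s -j %s\n' "$port" "$chain"
}

# For each address on stdin, print one outbound ACCEPT and one stateful
# reply ACCEPT. Arguments: chain, hostname (used in a comment only), port.
gen_rules() {
    chain=$1; host=$2; port=$3
    filter_v4 | while read -r ip; do
        printf '# %s -> %s\n' "$host" "$ip"
        printf 'iptables -A %s -p tcp --dport %s -d %s -j ACCEPT\n' \
            "$chain" "$port" "$ip"
        printf 'iptables -A %s -p tcp --sport %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
            "$chain" "$port" "$ip"
    done
}

# Count the iptables commands a generated rule set would add; worth a look
# before loading several hundred lines into a busy firewall.
count_rules() {
    grep -c '^iptables '
}

# Constructed stand-in for "resolve_v4 login.icq.com": two private-range
# addresses, a duplicate and a CNAME target, to exercise the filter.
sample_addrs() {
    printf '10.0.0.1\ncname.example.net.\n10.0.0.2\n10.0.0.1\n'
}

# Stand-alone demonstration; on a host that can reach DNS, replace
# "sample_addrs" with "resolve_v4 login.icq.com".
gen_chain_setup icq 5190
sample_addrs | gen_rules icq login.icq.com 5190
```

Pipe the output into sh once it looks right. If the server's address set changes later, rerunning the generator and reloading the chain (iptables -F icq) is enough; nothing in the saved rule set refers to the name any more, so the firewall no longer depends on DNS at load time.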