On Fri, May 17, 2002 at 01:45:11PM +0100, Antony Stone wrote:
> On Friday 17 May 2002 1:35 pm, Ramin Alidousti wrote:
> 
> > On Fri, May 17, 2002 at 01:02:04PM +0100, Antony Stone wrote:
> > > On Friday 17 May 2002 12:52 pm, Axel Heinrici wrote:
> > > > > iptables -A icq -p tcp --dport 5190 -d login.icq.com -j ACCEPT
> > > > > iptables -A icq -p tcp --dport 5190 -s login.icq.com -m state
> > > > > --state ESTABLISHED,RELATED -j ACCEPT
> > > > > iptables -A icq -p tcp --dport 5190 -s icq.com ! --syn -i
> > > >
> > > > Is this allowed? I thought iptables/netfilter does not make a DNS
> > > > lookup. Or did you mean: "look it up yourself and replace it"?
> > >
> > > Yes, this is perfectly okay - however you must remember that the lookup
> > > is done once, when you enter the rule, and the machine then stores the IP
> > > address which results from the lookup.
> >
> > What happens if a name resolves to several IPs? Is it not wiser to
> > look it up manually and add multiple rules according to the number of
> > A-RRs?
> 
> Yes, it is wiser to do the lookup yourself and be specific in the rule.

Just to make the point... this is especially true in this case.  Both
login.icq.com and icq.com resolve to more than one IP address.

-- 
FunkyJesus System Administration Team


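The advice in the thread is to do the lookup yourself and write one rule per A record, because iptables resolves a hostname only once, when the rule is entered, and keeps only the address(es) it got at that moment. The script below is an added example of that procedure and is not code from the thread; it assumes the "icq" chain and port 5190 from the quoted rules, uses getent (glibc) for the lookup, and the 198.51.100.0/24 and 203.0.113.0/24 addresses in it are constructed documentation addresses, not real ICQ servers. Unlike the quoted rules, the return-traffic rule here matches the server address as source with --sport, which is the direction reply packets from the server actually have.

```shell
#!/bin/sh
# Expand a hostname into one iptables rule pair per A record.
# Added example, not from the mailing-list thread. Chain name "icq" and
# port 5190 are taken from the quoted rules; addresses below are constructed.

# resolve_a NAME: print every IPv4 address NAME resolves to, one per
# line, deduplicated. Uses getent from glibc; prints nothing on failure.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# emit_rules CHAIN PORT ADDR...: print an ACCEPT pair for each address.
# Outbound: client -> server port. Return: server port -> client, only
# for connections conntrack already knows about.
emit_rules() {
    chain=$1
    port=$2
    shift 2
    for ip in "$@"; do
        printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' \
            "$chain" "$ip" "$port"
        printf 'iptables -A %s -p tcp -s %s --sport %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
            "$chain" "$ip" "$port"
    done
}

# expand_host CHAIN PORT NAME: resolve NAME now and emit one rule pair
# per address. Fails (exit 1) if the name does not resolve, so a broken
# lookup never silently produces a rule set that allows nothing.
expand_host() {
    chain=$1
    port=$2
    name=$3
    addrs=$(resolve_a "$name")
    if [ -z "$addrs" ]; then
        echo "expand_host: $name resolved to no IPv4 addresses" >&2
        return 1
    fi
    # Unquoted on purpose: split the newline-separated list into args.
    emit_rules "$chain" "$port" $addrs
}

# Stand-alone demonstration with constructed addresses (no network needed).
SAMPLE_ADDRS="198.51.100.10 198.51.100.11"
emit_rules icq 5190 $SAMPLE_ADDRS
```

Run it as `expand_host icq 5190 login.icq.com` from a shell that has sourced the script to get the rules for whatever the name resolves to right now; re-run it whenever the server's addresses change, since nothing in netfilter will notice that for you.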