ipfw and hostnames
Chuck Swiger
cswiger at mac.com
Sun Jun 1 12:56:59 PDT 2003
Petri Helenius wrote:
[ ...using DNS in firewall rules... ]
> I know that, I control the domains and additionally they are for non-critical
> resources like NTP access.
OK: it's good to keep your firewall clocks synchronized.
External NTP servers are best accessed by name, agreed.
So run an NTP server on your local net, not on a firewall, which uses DNS to
refer to higher-stratum NTP sources. Have your firewall refer to the local NTP
server by IP.
> Obviously all rules really important are based on IP addresses.
If your firewall needs to perform *any* DNS queries, what happens if the DNS
server(s) are down or unreachable when the firewall tries to restart? Does it
fail in a way that you are happy with?
-Chuck
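A preflight check for the failure mode Chuck raises: it scans an ipfw rule set for from/to targets that are hostnames rather than literals, so you know before a reboot which rules cannot load while DNS is unreachable. This is an added example, not code from the thread; it assumes rules in the usual `add N action proto from X to Y` form, and the sample rule set is constructed.

```shell
#!/bin/sh
# Constructed sample ipfw rule set (not from the original thread): rule 300
# refers to an external NTP source by name, the others use literals only.
SAMPLE_RULES='add 100 allow udp from 192.0.2.10 to 192.0.2.1 123
add 200 allow tcp from any to me 22
add 300 allow udp from me to pool.ntp.example 123
add 400 deny ip from not 10.0.0.0/8 to any'

# is_literal TOKEN: succeeds when TOKEN can be loaded without a DNS lookup
# (keywords, IPv4 address/CIDR, IPv6 literal, or a table reference).
is_literal() {
  case "$1" in
    any|me) return 0 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *:*) return 0 ;;
    table\(*\)) return 0 ;;
    *) return 1 ;;
  esac
}

# dns_dependent_hosts: read rules on stdin, print each distinct hostname
# found directly after "from" or "to" (a leading "not" is skipped).
dns_dependent_hosts() {
  while read -r line; do
    set -- $line
    prev=""
    for tok in "$@"; do
      case "$tok" in
        not) continue ;;            # "from not X" still names X
      esac
      if [ "$prev" = "from" ] || [ "$prev" = "to" ]; then
        is_literal "$tok" || printf '%s\n' "$tok"
      fi
      prev="$tok"
    done
  done | sort -u
}

# count_dns_dependent_hosts: how many hostnames the sample rule set needs
# to resolve at load time; zero means the set loads with DNS down.
count_dns_dependent_hosts() {
  printf '%s\n' "$SAMPLE_RULES" | dns_dependent_hosts | wc -l | tr -d ' '
}
```

Run it against your real rules file (`dns_dependent_hosts < /etc/ipfw.rules`, assuming that path) and replace whatever it reports with an address, as the message above recommends for the local NTP server.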
More information about the freebsd-net mailing list