Subject: Re: rc.d/ipfilter with dyndns - chicken <-> egg, et all
To: Quentin Garnier <>
From: Steven M. Bellovin <>
List: current-users
Date: 10/30/2003 09:53:18
In message <>, Quentin Garnier writes:

>IPFilter only gets IP addresses passed by userland utilities. The kernel
>will _not_ perform name resolution.
>Besides, it would be a very bad idea to make such a security tool depend
>on an external source of information, and DNS servers are one of the most
>unreliable sources in the world (they can fail, be slightly out of date,
>and there are ways to attack such a setup).
>Don't forget about 'ipf -y' with a dynamic address setup, also.

Yes -- I have 'ipf -y' in my /etc/dhclient-exit-hooks file, though 
primarily to make NAT work for my vmware hosts.

You're quite right about the risks of relying on the DNS, too.

		--Steve Bellovin,
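As an added illustration of the setup described in this thread (not code from either poster), here is a constructed /etc/dhclient-exit-hooks fragment that runs `ipf -y` only when a lease event actually changed the interface address. It assumes dhclient-script's convention of exporting `$reason`, `$old_ip_address` and `$new_ip_address` to the hook, and the path /sbin/ipf is an assumption that can be overridden through `$IPF`.

```sh
#!/bin/sh
# Constructed /etc/dhclient-exit-hooks fragment (example, not from the thread).
# dhclient sources this file after each lease event and exports $reason,
# $old_ip_address and $new_ip_address (dhclient-script convention, assumed).

IPF=${IPF:-/sbin/ipf}   # assumed location of ipf(8); override when testing

# address_changed REASON OLD NEW
# Returns 0 when the event gives the interface a (possibly) new address that
# ipf/ipnat must be told about, 1 when nothing changed.
address_changed() {
    case "$1" in
        BOUND|REBOOT)
            # A fresh lease: always resync, the old address is meaningless.
            return 0 ;;
        RENEW|REBIND)
            # Same lease refreshed: only resync if the address really moved.
            [ "$2" != "$3" ] ;;
        *)
            # EXPIRE, FAIL, RELEASE, TIMEOUT etc.: no usable address, do nothing.
            return 1 ;;
    esac
}

# Resync ipf/ipnat interface addresses (ipf -y) after an address change.
ipf_resync_hook() {
    if address_changed "$reason" "$old_ip_address" "$new_ip_address"; then
        # Leave a trace in syslog so firewall state changes can be audited.
        logger -t dhclient-exit-hooks \
            "address ${old_ip_address:-none} -> ${new_ip_address}, running ipf -y" \
            2>/dev/null || :
        "$IPF" -y
    fi
}

ipf_resync_hook
```

Because the hook is sourced, not executed, keep it free of `exit` calls or dhclient-script itself will stop early.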