> 3: DNS hostname lookup support. (Is this a bad idea from a remote
> firewall rule manipulation attack type of perspective?)

It's prone to chicken-and-egg problems: your gateway blocks everything until the config has been parsed, which needs DNS lookups, which needs network connectivity, which your gateway blocks.