Subject: rc.d/ipfilter with dyndns - chicken <-> egg, et all
To: None <current-users@netbsd.org>
From: Chris Tribo <ctribo@college.dtcc.edu>
List: current-users
Date: 10/29/2003 20:41:49
	I have hostnames in my ipf.conf file because they're pointers to 
dyndns. This is bad for ipfilter because we start it (like we should)  
before bringing the interfaces up, however, this just isn't going 
to work when DNS isn't up. I realize I could just call rc.d/ipfilter reload 
from rc.local and/or crontab a reload of the filter rules after the 
interfaces are up; but, once they are up, does ipf check to see if the 
records have changed to another ip every time an incoming packet comes 
through? Argh! And no, they won't let me do xfers from the dns servers to 
my machine or update my tables. I think I'm dancing in catch22 land...

	The other question is, should we be doing something different in 
rc.d/ipfilter and friends for hostname based filtering? Like parse the 
rules, try to resolve the hostname using the hosts file or local name 
server (after bind starts in that case) without complaining about it, then 
try to reload/resync the rules after the interfaces are up and before 
services start binding to ports and complain here if something isn't 
resolvable?

	I know this is off the wall, but I don't think it's really going 
to be an uncommon situation in the near future as people start deploying 
dynamic DNS into their organizations.

	I apologize in advance if this doesn't make any real sense, and 
I should just grin and bear it, or RTFM.


-- 

The nice thing about Windows is - It does not just crash, it displays a
dialog box and lets you press 'OK' first.
						-- Arno Schaefer
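One way to handle the reload-after-DNS problem raised in the message above, as an added example that is not part of the original post or of NetBSD's rc.d scripts: a small sh helper (hypothetical names) that lists the hostnames used in an ipf rules file, resolves them, and reports whether any address changed since the last run, so a cron job or rc.local reloads the rules only when needed. It assumes getent(1) as the default resolver (overridable through IPF_RESOLVER) and a rules file and cache file path supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. ipf resolves hostnames when the
# rules are loaded, not per packet, so a periodic check like this keeps the
# loaded rules in step with dynamic DNS records.

# Print the unique from/to targets of an ipf rules file that are not "any",
# a plain IP address or a CIDR block, i.e. the hostnames. A leading "!"
# (negation) is stripped so the bare name is resolved.
ipf_hostnames() {
    sed 's/#.*//' "$1" |
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "from" || $i == "to") {
                 t = $(i+1); sub(/^!/, "", t); print t } }' |
    grep -v -E '^(any|[0-9.]+(/[0-9]+)?)$' | sort -u
}

# Default resolver (assumes getent(1)); set IPF_RESOLVER to the name of
# another function to use a different lookup, e.g. hosts-file only.
ipf_default_resolver() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Print "hostname address" for each hostname in the rules file; a name that
# does not resolve yet is recorded as "-" instead of aborting.
ipf_snapshot() {
    for h in $(ipf_hostnames "$1"); do
        a=$("${IPF_RESOLVER:-ipf_default_resolver}" "$h")
        echo "$h ${a:--}"
    done
}

# Return 0 (and refresh the cache) when the resolved addresses differ from
# the cached snapshot, 1 when nothing changed. The caller reloads on 0.
ipf_hosts_changed() {
    rules=$1 cache=$2
    new=$(ipf_snapshot "$rules")
    if [ -f "$cache" ] && [ "$new" = "$(cat "$cache")" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$cache"
    return 0
}

# Intended use from cron or rc.local, after the interfaces are up:
#   ipf_hosts_changed /etc/ipf.conf /var/run/ipf.hosts && /etc/rc.d/ipfilter reload
```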