Date: Mon, 23 Jul 2001 01:03:27 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Lars Eggert <larse@ISI.EDU>
Cc: dd@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: conf/18521: 4.0-STABLE: problem in rc.network (with patch)
Message-ID: <20010723010327.I419@blossom.cjclark.org>
In-Reply-To: <DGEIIENGBBMIPHJOBIIEIEEPCAAA.larse@isi.edu>; from larse@ISI.EDU on Mon, Jul 23, 2001 at 08:44:06AM +0100
References: <200107221536.f6MFaWq16020@freefall.freebsd.org> <DGEIIENGBBMIPHJOBIIEIEEPCAAA.larse@isi.edu>
On Mon, Jul 23, 2001 at 08:44:06AM +0100, Lars Eggert wrote:
> Fixing ipfw is the better idea for sure. I just included our local hack
> around the problem for completeness (of the bug submission).

ipfw(8) just uses gethostbyname(3) when there is a hostname in the rule, but it is first checked whether it is an IP address, in which case gethostbyname(3) is never called.

Enabling network services like DNS or NIS before starting the firewall is, in general, not a good security practice. However, at your site, if you want to use DNS or NIS names in your rc.firewall configuration, that's your business. The startup scripts simply cannot support every configuration people may wish to run.

For the existing ipfw(8) startup to run smoothly, only IP addresses should be used and not hostnames (DNS or NIS, but /etc/hosts should be OK if it is first in host.conf). If not configuring NIS causes delays even if all hosts are given as IP addresses (or in /etc/hosts), only then is there a bug.

It looks like ru changed ipfw(8) from always doing a name lookup and then falling back to IP address, to checking for an IP address and falling back to a name lookup, back on 1999/06/04 in ipfw.c 1.69.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
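As an added illustration (not ipfw's own source, nor anything from this thread), the literal-before-lookup order described in the message, plus a small audit that scans a constructed rule set for hosts that would force a gethostbyname(3) call while DNS/NIS may not be up yet. The rule strings and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

/* 1 if host is a dotted-quad IPv4 literal (no resolver needed), else 0.
 * This is the check made before any gethostbyname(3) call. */
int is_ip_literal(const char *host, struct in_addr *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, host, &a) != 1)
        return 0;
    if (out) *out = a;
    return 1;
}

/* Literal first; a name lookup only when allow_lookup is set (a boot-time
 * caller passes 0 so it can never block on DNS/NIS). 1 on success. */
int resolve_rule_host(const char *host, struct in_addr *out, int allow_lookup)
{
    if (is_ip_literal(host, out))
        return 1;
    if (!allow_lookup)
        return 0;
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || out == NULL)
        return 0;
    memcpy(out, he->h_addr_list[0], sizeof(*out));
    return 1;
}

/* Constructed rules in ipfw "from X to Y" form; two use hostnames. */
static const char *const sample_rules[] = {
    "add allow tcp from 10.0.0.0/8 to me 22",
    "add allow udp from 192.168.1.2 to any 53",
    "add deny ip from evil.example.net to any",
    "add allow tcp from any to www.example.com 80",
};

/* Count hosts (tokens after "from"/"to", minus any/me and a /mask suffix)
 * that are names rather than literals, i.e. would trigger a lookup. */
int count_name_hosts(const char *const rules[], int n)
{
    int names = 0;
    for (int i = 0; i < n; i++) {
        char buf[256];
        snprintf(buf, sizeof buf, "%s", rules[i]);
        for (char *t = strtok(buf, " "); t; t = strtok(NULL, " ")) {
            if (strcmp(t, "from") != 0 && strcmp(t, "to") != 0)
                continue;
            char *h = strtok(NULL, " ");
            if (h == NULL || strcmp(h, "any") == 0 || strcmp(h, "me") == 0)
                continue;
            char *slash = strchr(h, '/');
            if (slash) *slash = '\0';
            if (!is_ip_literal(h, NULL))
                names++;
        }
    }
    return names;
}
```

Running count_name_hosts over sample_rules before the firewall starts reports 2, the two rules that would stall or fail if the resolver is not reachable yet.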