From owner-freebsd-questions Fri Aug 23 7:39:39 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Fri, 23 Aug 2002 15:39:35 +0100
From: Marc Silver
To: Jacques Perrolle
Cc: questions@FreeBSD.org
Subject: Re: IPFW
Message-ID: <20020823143935.GG73684@uk.easynet.net>
References: <7CDFAC86-B6A5-11D6-B3F4-003065B4FE54@radonc.duke.edu>
In-Reply-To: <7CDFAC86-B6A5-11D6-B3F4-003065B4FE54@radonc.duke.edu>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG

On Fri, Aug 23, 2002 at 10:34:53AM -0400, Jacques Perrolle wrote:

> Isn't it dangerous to have a firewall that allows the use of domain
> names, forcing it to resolve them with DNS? This just begs for someone
> to DNS spoof it, rendering the firewall virtually worthless.

You seem to answer your own question. Yes, it is bad practice to use hostnames in your ruleset, since it opens you up to spoofing, injection etc. Static IP addresses only, as far as I'm concerned, should be used.

> Also, apparently the rules that I create aren't static? I encountered
> this yesterday when my main DNS was having a hiccup and the firewall
> rules on all my machines running IPFW were suddenly completely
> changed, replaced with root.register.com IP addresses. Is there
> someway I've missed in all the docs to keep my rules in effect no
> matter what?

Not sure how they changed... your ruleset should never change. If you're really paranoid, you could always set securelevel to 3 to ensure that anyway... :)

- Marc

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message