From owner-freebsd-net@FreeBSD.ORG Sun Jun 1 23:51:14 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 921F237B401 for ; Sun, 1 Jun 2003 23:51:14 -0700 (PDT)
Received: from silver.he.iki.fi (silver.he.iki.fi [193.64.42.241]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5CB4E43F75 for ; Sun, 1 Jun 2003 23:51:13 -0700 (PDT) (envelope-from pete@he.iki.fi)
Received: from PETEX31 (h81.vuokselantie10.fi [193.64.42.129]) by silver.he.iki.fi (8.12.9/8.11.4) with SMTP id h526pAk8011531; Mon, 2 Jun 2003 09:51:10 +0300 (EEST) (envelope-from pete@he.iki.fi)
Message-ID: <00d701c328d3$54612910$812a40c1@PETEX31>
From: "Petri Helenius"
To: "Chuck Swiger" ,
References: <001f01c32831$296b9210$812a40c1@PETEX31> <3EDA498D.3000307@mac.com> <008f01c32875$c210c730$812a40c1@PETEX31> <3EDA5A7F.6060204@mac.com>
Date: Mon, 2 Jun 2003 09:50:59 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Re: ipfw and hostnames
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 02 Jun 2003 06:51:14 -0000

>
> If your firewall needs to perform *any* DNS queries, what happens if the DNS
> server(s) are down or unreachable when the firewall tries to restart? Does it
> fail in a way that you are happy with?
>
That's another defect in the ipfw client utility: it stops processing rules if it fails to look up something. There should at least be a switch to allow it to continue and ignore the lines it cannot do.

And in case you were wondering, I don't believe in perimeter security, so we run packet filters on all machines, not just on something some people call the magic-security-device-on-the-border alias "firewall".

Pete
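The behaviour Pete asks for (skip a rule whose hostname cannot be resolved, keep loading the rest) can be approximated outside ipfw by resolving names before the rules are handed to it. The script below is an added example written for this page; it is not part of the thread, ipfw, or FreeBSD. It assumes a rule file in `ipfw add ...` syntax where hostnames only appear directly after `from` or `to`, and it uses a constructed host table (`HOST_TABLE`) as a stand-in for the resolver so it runs offline; the function names (`resolve_host`, `is_literal`, `rewrite_rule`, `load_rules`) are the example's own. IPv6 literals and `not` negation are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the thread or from ipfw): pre-resolve hostnames in
# an ipfw rule file so that a failed lookup drops only that rule, logged to
# stderr, instead of aborting the whole load.

# Constructed host table standing in for DNS / /etc/hosts. In real use,
# replace the body of resolve_host with a real lookup (e.g. getent hosts or host).
HOST_TABLE="ns1.example.net 192.0.2.53
mail.example.net 192.0.2.25"

# resolve_host NAME -> prints one address, returns 1 if the name is unknown.
resolve_host() {
    addr=$(printf '%s\n' "$HOST_TABLE" | awk -v h="$1" '$1 == h { print $2; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# is_literal TOKEN -> 0 if the token needs no lookup (any/me, IPv4 address or CIDR).
# Anything containing a character outside [0-9./] is treated as a hostname.
is_literal() {
    case "$1" in
        any|me)        return 0 ;;
        *[!0-9./]*)    return 1 ;;
        *)             return 0 ;;
    esac
}

# rewrite_rule RULE -> prints the rule with the hostname after "from"/"to"
# replaced by its address; returns 1 and prints nothing if a lookup fails.
rewrite_rule() {
    out=""
    prev=""
    for tok in $1; do
        if [ "$prev" = "from" ] || [ "$prev" = "to" ]; then
            if ! is_literal "$tok"; then
                tok=$(resolve_host "$tok") || return 1
            fi
        fi
        out="$out${out:+ }$tok"
        prev=$tok
    done
    printf '%s\n' "$out"
}

# load_rules FILE -> prints the resolved rules (in real use, pipe them into
# ipfw); unresolvable rules are logged and skipped. Returns the skip count.
# Keep a trailing deny rule in the file so a skipped allow rule fails closed.
load_rules() {
    skipped=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if resolved=$(rewrite_rule "$line"); then
            printf '%s\n' "$resolved"
        else
            echo "skip (lookup failed): $line" >&2
            skipped=$((skipped + 1))
        fi
    done < "$1"
    return $skipped
}

# Constructed sample rule set; the last line is the fail-closed default.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample rules
add 100 allow tcp from any to ns1.example.net 53
add 200 allow tcp from mail.example.net to me 25
add 300 allow tcp from any to unknown.example.net 80
add 65000 deny ip from any to any
EOF

load_rules "$SAMPLE_RULES" || echo "$? rule(s) skipped" >&2
```

Run as written, the script prints rules 100, 200 and 65000 with addresses substituted, reports rule 300 as skipped, and exits with status 1 (the skip count). Because the deny rule is still loaded, the unresolved allow rule leaves the host closed rather than open, which is the failure mode a packet-filter-on-every-host setup wants.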