From owner-freebsd-net@FreeBSD.ORG  Sun Jun  1 12:56:59 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6D7DF37B401
	for <freebsd-net@freebsd.org>; Sun,  1 Jun 2003 12:56:59 -0700 (PDT)
Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 86E1643FA3
	for <freebsd-net@freebsd.org>; Sun,  1 Jun 2003 12:56:58 -0700 (PDT)
	(envelope-from cswiger@mac.com)
Received: from mac.com ([129.44.60.214]) by out003.verizon.net
          (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP
          id <20030601195657.RSGI4805.out003.verizon.net@mac.com>
          for <freebsd-net@freebsd.org>; Sun, 1 Jun 2003 14:56:57 -0500
Message-ID: <3EDA5A7F.6060204@mac.com>
Date: Sun, 01 Jun 2003 15:56:47 -0400
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
References: <001f01c32831$296b9210$812a40c1@PETEX31>
	<3EDA498D.3000307@mac.com> <008f01c32875$c210c730$812a40c1@PETEX31>
In-Reply-To: <008f01c32875$c210c730$812a40c1@PETEX31>
X-Enigmail-Version: 0.75.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from
	[129.44.60.214] at Sun, 1 Jun 2003 14:56:57 -0500
Subject: Re: ipfw and hostnames
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jun 2003 19:56:59 -0000

Petri Helenius wrote:
[ ...using DNS in firewall rules... ]
> I know that, I control the domains and additionally they are for non-critical
> resources like NTP access.

OK: it's good to keep your firewall clocks syncronized.
External NTP servers are best accessed by name, agreed.

So run a NTP server on your local net, not on a firewall, which uses DNS to 
refer to higher-stratum NTP sources.  Have your firewall refer to the local NTP 
server by IP.

 > Obviously all rules really important are based on IP addresses.

If your firewall needs to perform *any* DNS queries, what happens if the DNS 
server(s) are down or unreachable when the firewall tries to restart?  Does it 
fail in a way that you are happy with?

-Chuck