Date:      Mon, 23 Jul 2001 01:03:27 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        dd@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject:   Re: conf/18521: 4.0-STABLE: problem in rc.network (with patch)
Message-ID:  <20010723010327.I419@blossom.cjclark.org>
In-Reply-To: <DGEIIENGBBMIPHJOBIIEIEEPCAAA.larse@isi.edu>; from larse@ISI.EDU on Mon, Jul 23, 2001 at 08:44:06AM +0100
References:  <200107221536.f6MFaWq16020@freefall.freebsd.org> <DGEIIENGBBMIPHJOBIIEIEEPCAAA.larse@isi.edu>

On Mon, Jul 23, 2001 at 08:44:06AM +0100, Lars Eggert wrote:
> Fixing ipfw is the better idea for sure. I just included our local hack
> around the problem for completeness (of the bug submission).

ipfw(8) just uses gethostbyname(3) when there is a hostname in the
rule, but it is first checked if it is an IP address, in which case
gethostbyname(3) is never called. Enabling network services like DNS
or NIS before starting the firewall is, in general, not a good
security practice. However, at your site, if you want to use DNS or
NIS names in your rc.firewall configuration, that's your business. The
startup scripts simply cannot support every configuration people may
wish to run. For the existing ipfw(8) startup to run smoothly, only IP
addresses should be used and not hostnames (DNS or NIS, but /etc/hosts
should be OK if it is first in host.conf). If not configuring NIS
causes delays even if all hosts are given as IP addresses (or in
/etc/hosts), only then is there a bug.

It looks like ru changed ipfw(8) from always doing a name lookup and
then falling back to IP address to checking for an IP address and
falling back to a name lookup back on 1999/06/04 in ipfw.c 1.69.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
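
The following is an added example, not part of the original message or of the FreeBSD startup scripts: a check that lists every source or destination in an ipfw rules file that is not an IP literal and so would need a name lookup when the firewall is loaded. The function names are hypothetical, and it assumes a plain rules file with one rule per line; it is stricter than ipfw(8)'s own IP-address test, so anything it passes is a full dotted quad.

```shell
#!/bin/sh
# Added example: list ipfw rule addresses that would need a name lookup.
# Assumption: FILE holds one rule per line ("... from SRC ... to DST ...").

# is_literal ADDR: true for any, me, or a dotted quad with /bits or :mask.
# Deliberately strict: only full four-octet addresses count as literals.
is_literal() {
    addr=${1%%/*}; addr=${addr%%:*}      # drop /bits or :mask suffix
    case $addr in
        any|me) return 0 ;;
        ''|*[!0-9.]*|*.) return 1 ;;     # not purely digits and dots
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# audit_rules FILE: print "LINE: NAME" for each src/dst that is a hostname.
audit_rules() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in '#'*|'') continue ;; esac
        want=0
        set -f                           # keep rule tokens from globbing
        for tok in $line; do
            if [ "$want" -eq 1 ] && [ "$tok" != not ]; then
                is_literal "$tok" || echo "$lineno: $tok"
                want=0
            fi
            case $tok in from|to) want=1 ;; esac
        done
        set +f
    done < "$1"
}

# Constructed sample rules, not taken from the original message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
add 100 allow ip from any to any via lo0
add 200 allow tcp from 192.0.2.0/24 to me 22 setup
add 300 allow udp from any to ns1.example.org 53
add 400 deny ip from not gw.example.org to 10.0.0.0:255.0.0.0
EOF
audit_rules "$sample"
rm -f "$sample"
```

An empty result means every rule address is an IP literal, `any` or `me`; names that resolve through /etc/hosts are still reported and have to be judged by hand.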
