Hi.
I'm not sure if I've got the gist of this thread correctly, but I thought it might be useful to point out the following, which may not be obvious:

If you create netfilter rules using hostnames, they get resolved once and once only at the time the rule is entered (i.e. when you type it in, or when it gets executed in a startup script), and from that point onwards netfilter internally uses the numeric value in the ruleset. If you create netfilter rules using IP addresses, then of course it's clear that these are the addresses being used in the rules, but internally everything is just the same.

Do not think that netfilter is going to do a series of DNS lookups every time a packet comes through and gets matched against a ruleset which you specified using hostnames!

Hope that helps?

Antony.
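Since a rule entered against a hostname only ever holds the addresses that name resolved to at load time, it silently goes stale when the DNS record changes. One defensive pattern is to keep the netfilter rule static (match an ipset) and refresh the set's contents from DNS on a schedule. The script below is an added example, not part of the original post; the set name `allowed_hosts`, the hostname `backup.example.com` and the port are placeholders, and it assumes `ipset` and `iptables` are installed.

```shell
#!/bin/sh
# Added example (not from the original post): refresh an ipset from DNS so the
# static iptables rule that references it keeps tracking the hostname.

# Collapse `getent ahostsv4` output into a space-separated list of unique IPv4
# addresses. getent repeats each address once per socket type (STREAM, DGRAM,
# RAW), so de-duplication is required. Reads stdin so it can be tested offline.
resolve_addrs() {
    awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Rebuild the set atomically: fill a temporary set, then swap it in, so the
# rule never sees a half-empty set while the refresh is in progress.
# If the name does not resolve, the existing set is left untouched rather
# than emptied (an empty allow-list would lock out the legitimate host).
refresh_set() {
    set_name=$1
    host=$2
    addrs=$(getent ahostsv4 "$host" | resolve_addrs)
    if [ -z "$addrs" ]; then
        echo "refresh_set: no A records for $host, leaving $set_name unchanged" >&2
        return 1
    fi
    ipset create "${set_name}_tmp" hash:ip -exist
    ipset flush "${set_name}_tmp"
    for a in $addrs; do
        ipset add "${set_name}_tmp" "$a"
    done
    ipset create "$set_name" hash:ip -exist
    ipset swap "${set_name}_tmp" "$set_name"
    ipset destroy "${set_name}_tmp"
}

# Usage (placeholder values): install the static rule once, then run
# `this_script.sh refresh` from cron to re-resolve the name periodically.
if [ "$1" = "refresh" ]; then
    refresh_set allowed_hosts backup.example.com
elif [ "$1" = "install-rule" ]; then
    ipset create allowed_hosts hash:ip -exist
    iptables -A INPUT -m set --match-set allowed_hosts src -p tcp --dport 22 -j ACCEPT
fi
```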
