On 12/01/2017 02:53 AM, Simon Hobson wrote:
John McMonagle <jo...@advocap.org> wrote:

If for some reason DNS is not available at Shorewall start time, will Shorewall
fail?

Yes.

I know the problem you are trying to solve, been there, done that. What I ended 
up doing was to install (on the router) a local resolver running a slave zone 
for a couple of our own domains - then as long as the DNS is set to start 
before the firewall, the DNS names I used would be available locally.

OK, I can use a resolver on the router,
so Shorewall will be able to get to the resolver.
What if, when it boots, the DNS name in a rule cannot be resolved for some reason?
Will Shorewall still hang?
If I'm reading your next comment correctly, it will hang :-(



All I can say was that "cold starts" in our server room needed manual 
intervention before that - even after that, some manual intervention was needed. My 
border routers couldn't start Shorewall without the DNS, the DNS wouldn't work fully 
without the internet, and the order things came up was not very determinate. So we ended 
up doing some things manually - restarting shorewall on a number of machines after the 
DNS became available, and then starting up the rest of the servers.
Luckily we didn't have many cold starts!


IMO using DNS names is a good idea provided you are aware of the problems it 
can cause. Having to go round editing the firewall config on many servers every 
time something changes address is not much fun. Just restarting Shorewall is 
still a pain but not half as bad.

BTW - you can avoid dependency on external zones such as Debian's update 
servers by running your own local cache. IIRC it was something like 
apt-cache-ng I ran at my last place. That means you can use a local IP/DNS name 
on all your servers, and only the cache needs any external IPs/names for 
updates to work.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



--
John McMonagle
IT Manager
Advocap Inc.
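A pre-flight check for the dependency discussed in this thread, added here as an example; it is not code from either poster or from the Shorewall project. It pulls the DNS names out of the SOURCE/DEST columns of a rules file and polls until they all resolve, so the firewall start can be gated on the resolver being up. It assumes the plain zone:address[,address] column form, a glibc getent, and the constructed sample rules embedded below.

```shell
# Constructed sample of a Shorewall 'rules' file (not a real config). The SOURCE
# and DEST columns can be zone:address, where address is an IP/CIDR or a DNS name.
SAMPLE_RULES='#ACTION  SOURCE                   DEST                    PROTO  DPORT
ACCEPT   net:monitor.example.net  $FW                     tcp    22
ACCEPT   loc                      net:mirror.example.org  tcp    80,443
DROP     net:198.51.100.0/24      $FW
ACCEPT   loc:10.0.0.5             net                     udp    123
'
# True if $1 looks like a DNS name: hostname characters only, at least one dot,
# and not purely dotted digits (an IPv4 address). CIDRs, IPv6, zones and $FW fail.
is_dns_name() {
    case "$1" in
        *[!A-Za-z0-9.-]*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9.]*) return 0 ;;
        *) return 1 ;;
    esac
}
# Print each distinct DNS name in the SOURCE/DEST columns of rules read on stdin.
# Handles the plain zone:addr[,addr...] form only (no '!' exclusions or interfaces).
rule_dns_names() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 3 { print $2; print $3 }' \
    | while IFS= read -r field; do
        addrs=${field#*:}                       # drop the 'zone:' prefix
        [ "$addrs" = "$field" ] && continue     # no ':' -> bare zone or $FW
        for a in $(printf '%s\n' "$addrs" | tr ',' ' '); do
            if is_dns_name "$a"; then printf '%s\n' "$a"; fi
        done
    done | sort -u
}
# Poll (every 5s, up to $2 seconds, default 120) until every name referenced in
# rules file $1 resolves via getent; returns 0 when all resolve, 1 on timeout.
wait_for_rule_names() {
    rules=$1; timeout=${2:-120}; waited=0
    while :; do
        unresolved=$(rule_dns_names < "$rules" | while IFS= read -r n; do
            getent hosts "$n" >/dev/null 2>&1 || printf '%s ' "$n"
        done)
        if [ -z "$unresolved" ]; then return 0; fi
        if [ "$waited" -ge "$timeout" ]; then
            printf 'unresolved after %ss: %s\n' "$timeout" "$unresolved" >&2; return 1
        fi
        sleep 5; waited=$((waited + 5))
    done
}
```

Run it as `wait_for_rule_names /etc/shorewall/rules 300 && shorewall start`, or as a pre-start step in whatever init ordering you use, so a cold start waits for the resolver instead of failing.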

