On 12/01/2017 08:49 AM, Tom Eastep wrote:
> On 12/01/2017 07:31 AM, John McMonagle wrote:
>> On 12/01/2017 02:53 AM, Simon Hobson wrote:
>>> John McMonagle <jo...@advocap.org> wrote:
>>>
>>>> If for some reason dns is not available at shorewall start time will
>>>> shorewall fail?
>>>
>>> Yes.
>>>
>>> I know the problem you are trying to solve, been there, done that.
>>> What I ended up doing was to install (on the router) a local resolver
>>> running a slave zone for a couple of our own domains - then as long as
>>> the DNS is set to start before the firewall, the DNS names I used
>>> would be available locally.
>>
>> Ok, I can use resolver on the router.
>> So shorewall will be able to get to resolver.
>> What if when it boots for some reason the dns name in a rule can not be
>> resolved.
>> Will shorewall still hang?
>> If I'm reading your next comment correctly it will hang :-(
>>
> 
> It will never hang -- it simply won't start.
> 
> There is a workaround, however. In shorewall.conf are two options:
> 
> - DEFER_DNS_RESOLUTION. When set to No, DNS names are resolved at
>   compile time; when set to Yes, DNS Names are resolved at runtime.
> 
> - AUTOMAKE. When set to Yes, 'start', 'restart' and 'reload' only
>   result in compilation if one of the files on the CONFIG_PATH has
>   changed since the last compilation.
> 
> So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
> will only take place at boot time if a change had been made to the
> config but no 'restart' or 'reload' had taken place. This is clearly
> spelled out in the shorewall.conf manpage. So with these settings,
> so long as a 'reload' or 'restart' takes place after the Shorewall
> configuration is changed, there should be no DNS-related problems at
> boot time.
> 

I should add that when DNS changes such that the compiled Shorewall
script uses obsolete IP addresses, you must use the -c option to
'reload' or 'restart' to force recompilation.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
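
The settings Tom describes move the DNS lookups from boot time to the 'reload'/'restart' that an administrator runs by hand, so the useful operational check is to confirm, just before that reload, that every name used in the rules still resolves. The script below is an added example for this thread; it is not Shorewall's own code and not something any poster wrote. It assumes the usual Shorewall rules-file layout (whitespace-separated columns, '#' comments, '?SECTION' lines, and zone:address entries in the SOURCE and DEST columns); the rules text and the host names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-reload resolver check for DNS names in Shorewall rules.
# Assumes the standard rules-file column layout; not Shorewall's own code.

# Constructed sample rules file (placeholder names, not real hosts).
SAMPLE_RULES='?SECTION NEW
# ACTION   SOURCE                 DEST                      PROTO  DPORT
ACCEPT     net:mail.example.test  fw                        tcp    25
ACCEPT     loc:192.168.1.0/24     net:updates.example.test  tcp    443
DROP       net:10.0.0.5           all
ACCEPT     net:smtp.example.test,relay.example.test  fw     tcp    587
'

# Read rules text on stdin and print every DNS name found in the SOURCE
# and DEST columns, one per line, deduplicated. Comment and ?SECTION
# lines are skipped; the "zone:" prefix is stripped; a token counts as a
# DNS name when it contains a dot and at least one letter, which leaves
# out IP addresses, CIDR ranges and bare zone names such as "fw" or "all".
extract_dns_names() {
    grep -v '^[[:space:]]*[#?]' | awk '
    NF >= 3 {
        for (col = 2; col <= 3; col++) {
            n = split($col, parts, ",")          # comma-separated lists
            for (i = 1; i <= n; i++) {
                tok = parts[i]
                sub(/^[A-Za-z0-9_]+:/, "", tok)  # drop the zone: prefix
                if (tok ~ /\./ && tok ~ /[A-Za-z]/) print tok
            }
        }
    }' | sort -u
}

# Resolve each extracted name through the system resolver (getent goes
# through the same libc/nsswitch path as other local programs). Prints a
# status line per name and returns non-zero if any name failed, so the
# caller can abort the reload instead of compiling stale or missing
# addresses into the firewall script.
check_rules_resolve() {
    rc=0
    for name in $(extract_dns_names); do
        if getent hosts "$name" >/dev/null 2>&1; then
            echo "ok         $name"
        else
            echo "UNRESOLVED $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a real router (uncomment):
#   check_rules_resolve < /etc/shorewall/rules && shorewall reload -c
# With the constructed sample above:
#   printf '%s' "$SAMPLE_RULES" | check_rules_resolve
```

Running this as the gate in front of 'shorewall reload -c' (the -c Tom mentions, to force recompilation after a DNS change) turns a name that has silently disappeared from DNS into an immediate, visible error on the administrator's terminal, rather than a compile failure discovered at the next boot when the firewall does not start.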


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
