** Description changed:

  Binary package hint: firehol
  
  ubuntu 9.10
  
  The failure to load with domain names used in the firehol.conf may have
  arisen with the network now set up by upstart's native /etc/init
  mechanism (instead of with symlinks in/ets/rc?.d) or been present all
  the time.
  
  However, a proper fix should now be to ship firehol with specific
  upstart definitions and corresponding config files:
  
  1) /etc/init/firehol-prep.conf that starts firehol (before any
  network/dns is up) with the corresponding config file /etc/firehol
  /firehol-prep.conf (by default just shutting everything down).
  
  2) /etc/init/firehol.conf that starts firehol (always after any network
  interface is set up) with the regular /etc/firehol/firehol.conf
  
  Symtoms (with domain names used like in "client http accept dst 
archive.ubuntu.com"):
   * /etc/init.d/firehol script is there
   * /etc/firehol/firehol.conf is in place
   * firehol can be started with "/etc/init.d/firehol start" (START_FIREHOL in 
/etc/defaults/firehol is set to yes) and the iptables are set ok.
   * symlinks in /etc/rc?.d do exist
  
- However after a reboot:
+ However, after a reboot the chains are empty:
  
  # iptables iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  
  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
+ 
+ 
+ Solution:
+ 
+ Load only a basic (blocking) config file with numeric IPs in the early boot 
process,
+ and (re)load the real firehol.conf later, each time a network device got set 
up.
+ 
+ 
+ Workaround:
+ Call "firehol /etc/firehol/firehol.conf start" again from /etc/rc.local.
+ 
+ (Warning: System is without protection until a successful firehol
+ start.)
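Review bot: The added Workaround, which re-runs "firehol /etc/firehol/firehol.conf start" from /etc/rc.local, leaves the gap that the listing above shows: INPUT, FORWARD and OUTPUT all sit at policy ACCEPT with no rules from boot until rc.local runs, and the parenthetical warning only mentions this in passing. Suggest stating in the Workaround itself that it should be combined with the early blocking config from the Solution (numeric IPs only), so the failed name resolution results in a closed firewall rather than an open one. It would also help to say what should happen when the later reload still cannot resolve a name such as archive.ubuntu.com.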

** Description changed:

  Binary package hint: firehol
  
- ubuntu 9.10
+ ubuntu 9.10, 10.04, 10.10, ...
  
  The failure to load with domain names used in the firehol.conf may have
  arisen with the network now set up by upstart's native /etc/init
  mechanism (instead of with symlinks in/ets/rc?.d) or been present all
  the time.
  
  However, a proper fix should now be to ship firehol with specific
  upstart definitions and corresponding config files:
  
  1) /etc/init/firehol-prep.conf that starts firehol (before any
  network/dns is up) with the corresponding config file /etc/firehol
  /firehol-prep.conf (by default just shutting everything down).
  
  2) /etc/init/firehol.conf that starts firehol (always after any network
  interface is set up) with the regular /etc/firehol/firehol.conf
  
  Symtoms (with domain names used like in "client http accept dst 
archive.ubuntu.com"):
   * /etc/init.d/firehol script is there
   * /etc/firehol/firehol.conf is in place
   * firehol can be started with "/etc/init.d/firehol start" (START_FIREHOL in 
/etc/defaults/firehol is set to yes) and the iptables are set ok.
   * symlinks in /etc/rc?.d do exist
  
  However, after a reboot the chains are empty:
  
  # iptables iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  
  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
  
- 
  Solution:
  
  Load only a basic (blocking) config file with numeric IPs in the early boot 
process,
  and (re)load the real firehol.conf later, each time a network device got set 
up.
- 
  
  Workaround:
  Call "firehol /etc/firehol/firehol.conf start" again from /etc/rc.local.
  
  (Warning: System is without protection until a successful firehol
  start.)

** Summary changed:

- start script fails (if config requires DNS resolv)
+ start script fails with upstart (if config requires DNS resolv)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/490317

Title:
  start script fails with upstart (if config requires DNS resolv)

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
