On 15-11-10 01:45 PM, Giancarlo Razzolini wrote:
> As a general rule you should avoid using DNS names on anything that might cause the boot process to fail. Even more, you should really avoid using names on hostname.if files.
>
>> Anybody run into this before? - is the fix to add all the symbolic
>> names to /etc/hosts?
>
> Well, if the hosts have fixed addresses, you'd be better off using macros on
> pf.conf that translate to their IP address. This way you won't run into
> boot issues (or reload issues, in case your resolver is down). This has
> the added inconvenience that you need to update your pf.conf file
> manually every time one address changes.
>
> Now, if you really, really need to use FQDNs on pf.conf, my suggestion
> is that you use ifstated to detect if your link is up and your
> resolver working, and then load the rules into an anchor afterwards.
> Also, you can update the anchor to reflect any uplink unavailability. Or
> you can use unbound with local-zones or an unbound + nsd combo, if you
> also need authoritative. I think you'll need to hack your /etc/rc file
> to load them before your pf.conf is loaded.


FWIW, yes, putting the entries into /etc/hosts *will* work, and it avoids the need to use pf.conf macros, ifstated, etc.

However, it now means that you have to ensure /etc/hosts remains 100% accurate... although I shudder to think of using ifstated and anchors to do this, it does avoid the /etc/hosts maintenance problem. And make no mistake: you *will* eventually forget to update /etc/hosts. Absolutely, 100% guaranteed.

-Adam
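The ifstated-plus-anchor approach Giancarlo describes, written out as an added example that is not from the original thread; the anchor name "fqdn", the probe host peer.example.net, the address 192.0.2.10 and the file paths are assumptions:

```conf
# /etc/pf.conf (relevant part; assumed example)
# Everything that must hold at boot uses literal addresses or macros.
ext_if = "em0"
mgmt_host = "192.0.2.10"          # constructed address, not a real host
block all
pass in on $ext_if proto tcp from $mgmt_host to ($ext_if) port ssh
# Rules that need name resolution live in an anchor that starts empty,
# so a dead resolver leaves only the fail-closed rules above in force.
anchor "fqdn"

# /etc/pf.fqdn.conf (assumed path): loaded into the anchor only once
# the resolver answers. peer.example.net is a placeholder name.
ext_if = "em0"
pass in on $ext_if proto tcp from peer.example.net to ($ext_if) port ssh

# /etc/ifstated.conf (assumed example)
# Probe: can the name these rules depend on be resolved? Re-checked every 30 s.
dns_ok = '( "host -W 2 peer.example.net > /dev/null 2>&1" every 30 )'

init-state down

state down {
	init {
		# Flush the anchor so stale resolutions never linger.
		run "pfctl -a fqdn -F rules"
	}
	if $dns_ok
		set-state up
}

state up {
	init {
		# Resolver works: load the name-based rules into the anchor.
		run "pfctl -a fqdn -f /etc/pf.fqdn.conf"
	}
	if ! $dns_ok
		set-state down
}
```

Because the anchor starts empty and is flushed whenever the probe fails, a resolver outage at boot or later falls back to the literal-address rules rather than leaving pf with a ruleset that failed to load.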
