John McMonagle <jo...@advocap.org> wrote:
> If for some reason dns is not available at shorewall start time will
> shorewall fail?
Yes. I know the problem you are trying to solve, been there, done that.

What I ended up doing was to install (on the router) a local resolver running a slave zone for a couple of our own domains - then as long as the DNS is set to start before the firewall, the DNS names I used would be available locally.

All I can say was that "cold starts" in our server room needed manual intervention before that - even after that, some manual intervention was needed. My border routers couldn't start Shorewall without the DNS, the DNS wouldn't work fully without the internet, and the order things came up was not very determinate. So we ended up doing some things manually - restarting shorewall on a number of machines after the DNS became available, and then starting up the rest of the servers. Luckily we didn't have many cold starts!

IMO using DNS names is a good idea provided you are aware of the problems it can cause. Having to go round editing the firewall config on many servers every time something changes address is not much fun. Just restarting Shorewall is still a pain but not half as bad.

BTW - you can avoid dependency on external zones such as Debian's update servers by running your own local cache. IIRC it was something like apt-cache-ng I ran at my last place. That means you can use a local IP/DNS name on all your servers, and only the cache needs any external IPs/names for updates to work.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
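The reply above describes the failure mode (firewall start depends on names that a not-yet-running resolver cannot answer) and the workaround (serve the names locally and start DNS before the firewall). The following POSIX shell script is an added example, not code from the post or from the Shorewall project: a pre-start gate that refuses to start the firewall until every name it relies on resolves, so a cold start fails loudly instead of leaving a box with a half-applied ruleset. It assumes the names are kept in a plain list (the file path `/etc/shorewall/dns-names.txt` and the helper names are hypothetical) and uses `getent hosts`, which consults `/etc/hosts` and then DNS, so names served by a local slave zone or pinned in `/etc/hosts` count as available.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): gate the
# firewall start on the names it depends on being resolvable.
#
# Assumptions (hypothetical, not from the post):
#   - names are listed one per line in /etc/shorewall/dns-names.txt
#   - "getent hosts" is the resolver interface; it checks /etc/hosts first,
#     then DNS, so a local slave zone or /etc/hosts entry satisfies the check.

# check_names_resolve NAME...
# Returns 0 if every name resolves, 1 otherwise. Each unresolvable name is
# reported on stderr so the operator sees exactly what is still missing.
check_names_resolve() {
    failed=0
    for name in "$@"; do
        if ! getent hosts "$name" >/dev/null 2>&1; then
            echo "unresolvable: $name" >&2
            failed=1
        fi
    done
    return "$failed"
}

# wait_for_names TIMEOUT_SECONDS NAME...
# Polls once per second until all names resolve or the timeout expires.
# Returns 0 when resolution succeeded within the window, 1 on timeout.
# Bounding the wait matters: an unbounded loop would block the rest of the
# boot sequence on the very dependency the post describes.
wait_for_names() {
    timeout=$1
    shift
    elapsed=0
    until check_names_resolve "$@" 2>/dev/null; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "DNS still unavailable after ${timeout}s; not starting firewall" >&2
            check_names_resolve "$@"   # repeat once with stderr visible
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Usage (hypothetical wiring; run as root from the firewall's start hook):
#   wait_for_names 120 $(cat /etc/shorewall/dns-names.txt) && shorewall start
# A non-zero exit leaves the firewall unstarted and logs the missing names,
# which is the condition the post's "manual intervention" was dealing with.
```

Because `getent hosts` goes through the normal NSS order, the same check passes whether a name is answered by the local slave zone, by `/etc/hosts`, or by upstream DNS; what it cannot tell you is which of those answered, so keep the authoritative copy (the slave zone) under change control rather than relying on ad-hoc hosts-file entries.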