On 12/01/2017 07:31 AM, John McMonagle wrote:
> On 12/01/2017 02:53 AM, Simon Hobson wrote:
>> John McMonagle <jo...@advocap.org> wrote:
>>
>>> If for some reason dns is not available at shorewall start time will
>>> shorewall fail?
>>
>> Yes.
>>
>> I know the problem you are trying to solve, been there, done that.
>> What I ended up doing was to install (on the router) a local resolver
>> running a slave zone for a couple of our own domains - then as long as
>> the DNS is set to start before the firewall, the DNS names I used
>> would be available locally.
>
> Ok, I can use a resolver on the router.
> So shorewall will be able to get to the resolver.
> What if, when it boots, for some reason the dns name in a rule cannot be
> resolved?
> Will shorewall still hang?
> If I'm reading your next comment correctly, it will hang :-(
>
It will never hang -- it simply won't start. There is a workaround, however.

In shorewall.conf are two options:

- DEFER_DNS_RESOLUTION. When set to No, DNS names are resolved at compile time; when set to Yes, DNS names are resolved at runtime.

- AUTOMAKE. When set to Yes, 'start', 'restart' and 'reload' only result in compilation if one of the files on the CONFIG_PATH has changed since the last compilation.

So by setting AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No, compilation will only take place at boot time if a change had been made to the config but no 'restart' or 'reload' had taken place. This is clearly spelled out in the shorewall.conf manpage.

So with these settings, so long as a 'reload' or 'restart' takes place after the Shorewall configuration is changed, there should be no DNS-related problems at boot time.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
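The failure mode in this thread (a compile at boot that needs DNS before DNS is up) and the two settings Tom names lend themselves to a pre-flight check run before a reboot. The script below is an added example, not code from the thread or from the Shorewall project. It assumes the usual KEY=Value layout of shorewall.conf; the config directory and compiled-script path used in the demo section (/etc/shorewall and /var/lib/shorewall/firewall) are assumed defaults that the caller passes in, and the name-resolution check relies on the system resolver via getent.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shorewall project.
# Pre-flight checks for the boot-time DNS failure mode discussed above:
#   1. are AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No set in shorewall.conf?
#   2. has any config file changed since the last compile (which would force
#      a compile, and therefore DNS lookups, at the next 'start')?
#   3. do the DNS names used in rules resolve right now?
# Assumptions: KEY=Value lines as in shorewall.conf; the compiled firewall
# script path and CONFIG_PATH directory are supplied by the caller.

# Last uncommented assignment of key $2 in file $1, quotes and blanks removed,
# lowercased (Shorewall accepts Yes/No in any case).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '" ' | tr 'A-Z' 'a-z'
}

# 0 when a boot-time 'start' reuses the compiled script without resolving
# names (AUTOMAKE=Yes, DEFER_DNS_RESOLUTION=No); 1 otherwise, with the reason.
boot_dns_safe() {
    defer=$(conf_value "$1" DEFER_DNS_RESOLUTION)
    automake=$(conf_value "$1" AUTOMAKE)
    rc=0
    if [ "$defer" != "no" ]; then
        echo "DEFER_DNS_RESOLUTION is '${defer:-unset}', not No: names are resolved at every start"
        rc=1
    fi
    if [ "$automake" != "yes" ]; then
        echo "AUTOMAKE is '${automake:-unset}', not Yes: every start recompiles"
        rc=1
    fi
    return $rc
}

# 0 when some file under config dir $1 is newer than compiled script $2, so the
# next 'start' would compile (and resolve names); 1 when nothing is pending.
recompile_pending() {
    [ -f "$2" ] || return 0   # no compiled script at all: a compile is certain
    [ -n "$(find "$1" -type f -newer "$2" 2>/dev/null)" ]
}

# 0 when every name given as an argument resolves through the system resolver.
names_resolve() {
    rc=0
    for n in "$@"; do
        getent hosts "$n" >/dev/null 2>&1 || { echo "unresolvable: $n"; rc=1; }
    done
    return $rc
}

# Demo on a constructed shorewall.conf standing in for the real one.
tmp=$(mktemp -d)
printf 'AUTOMAKE=Yes\nDEFER_DNS_RESOLUTION=No\n' > "$tmp/shorewall.conf"
if boot_dns_safe "$tmp/shorewall.conf"; then echo "config is boot-safe"; fi
# Assumed default locations for the live config and the compiled script.
if recompile_pending /etc/shorewall /var/lib/shorewall/firewall; then
    echo "config changed since last compile: run 'shorewall reload' before rebooting"
fi
rm -rf "$tmp"
```

Run it on the router before a reboot: if boot_dns_safe reports a problem, correct the two settings; if recompile_pending reports a pending change, issue 'shorewall reload' while DNS is reachable so the compiled script on disk is current; names_resolve takes the hostnames you use in rules and tells you which ones the local resolver cannot answer today.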
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users