Hello,

Today I restarted the firewall machine during an outage of the ADSL line over here. At boot Shorewall did not start but stopped during start. The problem was that the ADSL line was down, so no DNS server was available to resolve hostnames. I have a hostname in the "blacklist" file and therefore shorewall did not start. Is this problem solvable without putting an IP address in the blacklist file?

--
Greetings, Peter
--
Always remember that you are unique, just like everyone else.
--- Do you have a Sony Digital video camera? --- Take a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org --- ICQ 22383596
--- Uptime lindeman.org: 0 days, 0 hours and 28 minutes, 0 users logged in.
--On Sunday, January 05, 2003 01:40:12 AM +0100 Peter Lindeman <peter@lindeman.nl> wrote:

> Hello,
>
> Today I restarted the firewall machine during an outage of the ADSL line
> overhere. At the boot Shorewall did not start but stopped during start.
> The problem was that the ADSL line was down so no DNS server available to
> resolve hostnames. I have a hostname in "blacklist" file and therefore
> shorewall did not start. Is this problem solvable without putting an IP
> address in the blacklist file ?
>

Since you apparently don't read the documentation, I will quote it for you from http://shorewall.sourceforge.net/configuration_file_basics.htm#dnsnames:

-----------------------------------------------------------------------------

WARNING: I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems then don't say that you were not forewarned.

-Tom

Beginning with Shorewall 1.3.9, host addresses in Shorewall configuration files may be specified as either IP addresses or DNS names.

DNS names in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset.

If your firewall rules include DNS names then:

* If your /etc/resolv.conf is wrong then your firewall won't start.
* If your /etc/nsswitch.conf is wrong then your firewall won't start.
* If your Name Server(s) is(are) down then your firewall won't start.
* If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start.
* Factors totally outside your control (your ISP's router is down for example) can prevent your firewall from starting.
* You must bring up your network interfaces prior to starting your firewall.

-----------------------------------------------------------------------------

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
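A pre-flight check for the failure mode described above, added here as an example and not part of the Shorewall project: a POSIX sh function that scans a Shorewall-style host list such as /etc/shorewall/blacklist and reports first-column entries that are DNS names rather than IPv4 addresses or CIDR blocks, so a resolver outage cannot stop the firewall from starting. The sample file contents are constructed; the IPv4 test is a simple heuristic and does not cover MAC addresses or other entry forms.

```shell
#!/bin/sh
# Added example, not Shorewall project code: report host entries that are
# DNS names in a Shorewall-style host list (e.g. /etc/shorewall/blacklist).
# Shorewall resolves such names only at start time, so a resolver outage
# keeps the firewall from starting; replacing them with addresses avoids it.

# Prints each first-column entry that is not an IPv4 address or a.b.c.d/nn
# CIDR block (heuristic: any character outside 0-9, '.' and '/' marks the
# entry as a name). Returns 1 if at least one such entry was found, else 0.
find_dns_names() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop trailing comments and take the first whitespace-separated field
        entry=$(printf '%s\n' "$line" | awk '{ sub(/#.*/, ""); print $1 }')
        [ -n "$entry" ] || continue
        case $entry in
            *[!0-9./]*) printf '%s\n' "$entry"; found=1 ;;
        esac
    done < "$file"
    return $found
}

# Demonstration on a constructed blacklist file (not a real configuration).
sample=$(mktemp)
printf '# constructed sample blacklist\n192.0.2.10\nscanner.example.net   # needs DNS\n198.51.100.0/24\nspam.example.org\n' > "$sample"
if find_dns_names "$sample"; then
    echo "OK: every entry is an IP address or CIDR block"
else
    echo "WARNING: the entries above make Shorewall depend on DNS at start"
fi
rm -f "$sample"
```

Run it against each file that accepts host entries before rebooting; a non-zero exit status means the firewall start still depends on name resolution.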
Hello,

My system is connected to the Internet through an ADSL line (and is of course protected by shorewall ;-)

Our ADSL is disconnected every 24 hours (by our provider, to make sure we don't get a nearly static IP). So far so good, the pppd daemon reconnects the line immediately.

We are also using some TC rules to shape the traffic (on ppp0). As suggested by Tom in his documentation, these rules are copied in the /etc/shorewall/tcstart file. They are therefore invoked each time shorewall is started.

Unfortunately, when the ADSL is disconnected, the ppp0 interface loses its shaping rules (am I wrong there?)

To solve the problem, I made a link to the tcstart script from /etc/ppp/ip-up.d... Am I wrong here?

Thanks for your feedback.

-bertrand
--On Sunday, January 05, 2003 04:13:28 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> Since you apparently don't read the documentation, I will quote it for
> you

Peter,

Please accept my apology for this outburst -- I probably shouldn't answer questions on Sunday evening given that I spend my weekends either with my wife's mother who is dying of cancer or with my own mother who has Alzheimer's disease. Needless to say, I'm never in a good mood on Sunday evenings but I shouldn't take it out on folks asking questions...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
--On Monday, January 06, 2003 01:28:31 AM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

>
> Unfortunately, when the ADSL is disconnected, the ppp0 interface looses
> its shapping rules (am I wrong there ?)
> To solve the problem, I made a link to the tcstart script from
> /etc/ppp/ip-up.d...
>
> Am I wrong here?

No, that's fine.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net