Shorewall users - Dec 2008 - "ERROR: Unknown host - any host" My configuration suddenly don't work, why?

Hi, i have been using shorewall for 3 months, and shorewall was working
well, but i don''t know why, when I type "shorewall start" o
"shorewall
restart", it says that.

I have two files of rules:

The first:
DNS/ACCEPT     net:208.67.222.222,208.67.220.220

The second:
DNS/ACCEPT     net:208.67.222.222,208.67.220.220
HTTP/ACCEPT    net:www.google.com,mail.google.com,...
HTTPS/ACCEPT    net:www.google.com,mail.google.com,...

Then, when I stop shorewall, the first file is used, and when i type
"shorewall restart", is used the second. Then, I have to type again
"shorewall restart", and it works tiwh the second file (at least, it
WAS
working).

But now, suddenly it says, "ERROR: Unknown host". What could i do?
Somebody
could help me? Yesterday was working, and i haven''t problems with
Internet.

Thank you very much, I appreciate your help.


------------------------------------------------------------------------------

Manuel Gómez escribió:
> HTTP/ACCEPT    net:www.google.com,mail.google.com,...
> HTTPS/ACCEPT    net:www.google.com,mail.google.com,...
It is not possible a firewall knows what IP has www.google.com.

http://shorewall.net/manpages/shorewall-rules.html
SOURCE:
{zone|all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}

You need to use IP (address-or-range), hostnames are not allowed.

Regards,
Rodolfo Pilas



------------------------------------------------------------------------------

You are wrong, it''s possible. In fact, i have been using hostnames
during
three months.

2008/12/31 Rodolfo Pilas <rodolfo@pilas.net>
> Manuel Gómez escribió:
>
> > HTTP/ACCEPT    net:www.google.com,mail.google.com,...
> > HTTPS/ACCEPT    net:www.google.com,mail.google.com,...
>
> It is not possible a firewall knows what IP has www.google.com.
>
> http://shorewall.net/manpages/shorewall-rules.html
> SOURCE:
>
>
{zone|all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}
>
> You need to use IP (address-or-range), hostnames are not allowed.
>
> Regards,
> Rodolfo Pilas
>
>
>
>
------------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------

It''s very simple find the IP of a hostname, and are many software
(firewalls, for example) that can do it easily.

Sorry for double-posting.


------------------------------------------------------------------------------

Manuel Gómez wrote:
> You are wrong, it''s possible. In fact, i have been using hostnames
> during three months.
Shorewall does support DNS names but we strongly recommend against using
it just for this reason -- see
http://www.shorewall.net/configuration_file_basics.htm#dnsnames

Clearly DNS resolution is failing for some reason. Did you change your
Shorewall configuration recently? For example, did you switch the
ADMINISABSENTMINDED setting?




------------------------------------------------------------------------------

> >  ...  It is not possible a firewall knows what IP has www.google.com.
...
> ... it''s possible. In fact, i have been using hostnames ...
Not to beat a dead horse (I hope:-), yet not leave newbies with a misimpression
either, please follow the hyperlink in Shorewall 4.x FAQ 79.

Yes, using hostnames seldom causes a syntax error or a crash, and usually even
does something reasonable. But no it''s neither a good idea nor works
very well with multi-address servers such as www.google.com.

thanks! -Chuck Kollars



      

------------------------------------------------------------------------------