Would it work for you to have an ipset and a cron job that does DNS lookups and populates the ipset with addresses? You could configure Shorewall to just refer to the ipset.
Bill

On 11/30/2017 4:31 PM, John McMonagle wrote:
I want to put our externally facing servers on their own network with a default outgoing policy of drop or reject. Will do rules on router. Will need a few rules to allow some outgoing.

For some rules a DNS name is a lot easier as the IP may change. In all the cases I can think of a failure would not be catastrophic. For example, if the rule fails for the Debian package server changes would just not be able to update packages.

If for some reason DNS is not available at Shorewall start time, will Shorewall fail? I can live with an occasional Shorewall restart. If that will not work, is there a better way to get it done?

John
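One way to implement the ipset-plus-cron approach suggested in the reply above, as an added example that is not part of the original thread; the set name `allowed_out`, the host names and the `--apply` switch are assumptions. When no name resolves, the existing set is left untouched, so a DNS outage does not empty the allow list.

```shell
#!/bin/sh
# Added example: refresh an ipset from DNS names; run from cron as root.
# SET and NAMES are hypothetical values, not taken from the thread.
# A Shorewall rule refers to the set as +allowed_out.
SET="allowed_out"
NAMES="deb.debian.org security.debian.org"

# Resolve each name to IPv4 addresses, one per line. A name that fails
# to resolve contributes nothing; it does not abort the run.
resolve_names() {
    for name in "$@"; do
        getent ahostsv4 "$name" | awk '{ print $1 }'
    done
}

# Read candidate addresses on stdin and write "ipset restore" input that
# fills a temporary set and swaps it into place in one step.
# Lines that do not look like a dotted-quad IPv4 address are dropped.
# Returns 1 and writes nothing when no usable address was read.
build_restore() {
    set_name=$1
    addrs=$(grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u)
    [ -n "$addrs" ] || return 1
    echo "create $set_name hash:ip family inet"
    echo "create ${set_name}_tmp hash:ip family inet"
    echo "flush ${set_name}_tmp"
    for a in $addrs; do
        echo "add ${set_name}_tmp $a"
    done
    echo "swap ${set_name}_tmp $set_name"
    echo "destroy ${set_name}_tmp"
}

# Touch the kernel only when asked to, e.g. from cron:
#   */15 * * * * /usr/local/sbin/refresh-ipset.sh --apply   (hypothetical path)
if [ "${1:-}" = "--apply" ]; then
    if plan=$(resolve_names $NAMES | build_restore "$SET"); then
        # -exist: creating a set that is already present is not an error
        printf '%s\n' "$plan" | ipset -exist restore
    else
        logger -t refresh-ipset "no addresses resolved; $SET left unchanged"
    fi
fi
```

The set has to exist before a rule that references it is loaded, so run the script once before the firewall starts. Addresses can go stale between runs, so pick a cron interval that suits how often the records change.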