On 01/12/17 07:31, John McMonagle wrote:
> I want to put our externally facing servers on their own network with a
> default outgoing policy of drop or reject.
>
> Will do rules on router.
>
> Will need a few rules to allow some outgoing.
> For some rules a DNS name is a lot easier, as the IP may change.
> In all the cases I can think of, a failure would not be catastrophic.
> For example, if the rule fails for the Debian package server, changes
> would just not be able to update packages.
>
> If for some reason DNS is not available at Shorewall start time, will
> Shorewall fail?
>
> I can live with an occasional Shorewall restart.
>
> If that will not work, is there a better way to get it done?
If you use dnsmasq as your resolver, there's a much easier way than all the suggested scripting solutions to do this: dnsmasq can insert DNS query results into ipsets, which you can then use in Shorewall rules.

See the ipset directive in the dnsmasq docs for details, but it's basically as simple as adding

    ipset=/<domain>/[domain/]<ipset>[,<ipset>]

to your dnsmasq.conf. (Hint: the reason you'll want multiple ipsets with the same DNS domains is dual stack.)

Paul
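A concrete dual-stack layout of the approach Paul describes, added here as an illustration rather than anything posted in the thread. It assumes the router runs both dnsmasq (as the resolver the DMZ hosts query) and Shorewall, that the external servers sit in a `dmz` zone, and that the set names `debmirrors4`/`debmirrors6`, the mirror hostnames and the port list are placeholders chosen for the example.

```conf
# --- 1. Create the sets before dnsmasq and Shorewall start (run on the router) ---
# One set per address family: an ipset has a single family, so a dnsmasq answer
# is only inserted into a set whose family matches the record type.
ipset create debmirrors4 hash:ip family inet
ipset create debmirrors6 hash:ip family inet6

# --- 2. /etc/dnsmasq.conf (router; it must be the resolver the DMZ hosts use) ---
# Every answer dnsmasq returns for these names is also inserted into the sets.
# Two sets, same names: the inet set receives A records, the inet6 set AAAA.
ipset=/deb.debian.org/security.debian.org/debmirrors4,debmirrors6

# --- 3. /etc/shorewall/policy: default-drop out of the DMZ, logged ---
#SOURCE DEST    POLICY  LOGLEVEL
dmz     net     DROP    info

# --- 4. /etc/shorewall/rules (IPv4) ---
# DNS must reach the router's dnsmasq, otherwise the sets are never populated.
#ACTION SOURCE  DEST                    PROTO   DPORT
ACCEPT  dmz     $FW                     udp,tcp 53
# Allow the mirrors by set membership; "+setname" is Shorewall's ipset match.
ACCEPT  dmz     net:+debmirrors4        tcp     80,443

# --- 5. /etc/shorewall6/rules (IPv6, same idea with the inet6 set) ---
ACCEPT  dmz     $FW                     udp,tcp 53
ACCEPT  dmz     net:+debmirrors6        tcp     80,443
```

Because the Shorewall rules only reference the set name, no name resolution happens at `shorewall start`, which removes the failure mode John asks about. What must hold instead is that the sets exist before Shorewall loads the ruleset (create them from an init script, or let `SAVE_IPSETS=Yes` in `shorewall.conf` restore them), and that DMZ hosts actually resolve through the router: a host with a hard-coded external resolver never populates the sets, its DNS is dropped by the policy, and its outgoing connections show up as `dmz` to `net` DROP log entries on ports 80/443, which is a handy signal that something is resolving elsewhere. If the sets are created with a `timeout`, entries expire and are re-added on the next lookup; without one, every address ever returned stays allowed until the set is flushed.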