On Wed, 28 Feb 2024 19:45:55 +0100 Peter Thurner | Blunix GmbH via Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
> I am aware of that, however sometimes there isn't really a much
> better way than using dns names. That doesn't just affect shorewall
> but iptables in general of course.
>
> ok but long story short - I am aware I'm doing this wrong, and hence
> there is no option to ignore failed rules, yes?
>
> I suppose I could use a cronjob that updates an ipset or so and then
> have shorewall use that ipset as a workaround. Do you guys have a
> better recommendation?
>
> Big fan of shorewall btw, used it for many years. Keep up the good
> work :)

Well - truth is there is not much work done any more. Shorewall is slowly
getting obsolete because it is based on iptables/ip6tables.

Here is one contributed script to handle updating ipsets.

https://shorewall.org/pub/shorewall/contrib/DNSLookup/

At my daytime job, we created a completely nftables-based new firewall which
can handle dns with nftables by doing automatic dns resolving. Idea for this
came from DNSLookup and another similar scripting system updating ipsets
based on dns. But unlike with ipsets you don't have issues with startup
failing if the ipset is missing, which was one issue we found with the
ipset-based solution.

https://github.com/FoobarOy/foomuuri/wiki/Configuration#resolve

That's not shorewall but created by guys who used shorewall for 20 years.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
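The cron-driven ipset workaround discussed in the thread, as an added example that is not the DNSLookup contributed script, not foomuuri's resolver, and not code from either poster. It resolves a fixed list of names, builds the new membership in a scratch set and atomically swaps it into the live set, so a rule that references the set never observes it half-filled. The set name `dns_allow`, the sample host names, and the assumption that a Shorewall rule references the set as `+dns_allow` are all illustrative choices. The two failure modes mentioned on the page are handled explicitly: the live set is created with `-exist` so a run after a reboot does not fail when the firewall already created it, and a run in which nothing resolves leaves the live set untouched instead of emptying it.

```shell
#!/bin/sh
# Added example: refresh an ipset from DNS names so iptables/Shorewall rules
# can reference the set instead of hostnames. Not the DNSLookup script and
# not foomuuri; set name, host list and rule layout are assumptions.
set -u

# Hypothetical set that a Shorewall rule would reference, e.g. in /etc/shorewall/rules:
#   ACCEPT   net:+dns_allow   $FW   tcp   22
SET_NAME="dns_allow"
HOSTS="example.com example.net"   # constructed sample names

# Resolve one name to its IPv4 addresses, one per line, deduplicated.
# getent honours /etc/hosts and the resolver configuration of this host.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Emit an `ipset restore` script: create both sets (no-op under -exist when
# they already exist), fill a scratch set, then swap it into place and drop
# the scratch set. The swap is atomic from the packet path's point of view.
# Pure text output, so it can be inspected or tested without root.
build_ipset_restore() {
    set_name="$1"
    addrs="$2"                     # whitespace/newline separated addresses
    tmp_name="${set_name}_tmp"
    printf 'create %s hash:ip family inet\n' "$set_name"
    printf 'create %s hash:ip family inet\n' "$tmp_name"
    printf 'flush %s\n' "$tmp_name"
    for a in $addrs; do
        printf 'add %s %s\n' "$tmp_name" "$a"
    done
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"
}

# Resolve every host; if a single name fails it is simply absent from the new
# set, but if nothing resolves (typical of a resolver outage) keep the old set.
main() {
    addrs=""
    for h in $HOSTS; do
        a=$(resolve_v4 "$h")
        if [ -z "$a" ]; then
            echo "warn: $h did not resolve; it will be missing from $SET_NAME" >&2
        fi
        addrs="$addrs $a"
    done
    if [ -z "$(printf '%s' "$addrs" | tr -d ' \n')" ]; then
        echo "error: nothing resolved; leaving $SET_NAME untouched" >&2
        return 1
    fi
    # -exist makes the `create` lines idempotent; restore applies the rest.
    build_ipset_restore "$SET_NAME" "$addrs" | ipset -exist restore
}

# Run from cron as root, e.g. every 5 minutes: */5 * * * * /usr/local/sbin/dns_ipset.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Because the live set is created by this script if missing, Shorewall's own startup still has to be able to reference `+dns_allow` before the first cron run; creating the set from a Shorewall `init` extension script with the same `create ... -exist` line avoids the startup failure the thread describes.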