Mail archive
alpine-devel

Re: [alpine-devel] Alpine Wall for firewall management

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Thu, 5 Jan 2012 11:23:17 +0100

On Wed, 04 Jan 2012 11:21:00 +0200
Timo Teräs <timo.teras_at_iki.fi> wrote:

> On 01/03/2012 07:45 PM, Jeremy Thomerson wrote:

> >
> > At what point does the back-end do the resolution? It seems like it
> > would need to periodically update this since a firewall may run
> > weeks, months, or years with no change and name resolution could
> > change periodically. Will it observe TTL?
>
> I believe updating of the DNS records to IPv4/IPv6 addresses would be
> administrative step. The idea is to create permanent cache of the fqdn
> domain names, that gets refreshed only as a result of running a
> command (or clicking acf button).
>
> This is because otherwise just someone updating a dns entry could
> break the whole firewall. Additionally, during bootup we cannot
> usually do dns queries (so we really need cached info). However,
> allowing usage of dns names will be beneficial, as it avoid
> duplication of information in multiple places. This should be
> sufficient as your server dns records should not change that often;
> and when they change you probably want to double check your firewall
> rules anyway.
>
> The idea is also that for fqdn's both A and AAAA records are used, so
> alpine wall would automatically create both ipv4 and ipv6 firewall
> rules.

I really like this. It means that if you move a service to new IP you
update DNS and then just refresh dns cache in firewall rather than sync
the ip address info in firewall config. And yes, I would prefer that dns
refresh in firewall is a manual admin step.

Very nice! Thanks!

-nc


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Thu Jan 05 2012 - 11:23:17 UTC