Re: [alpine-devel] Alpine Wall for firewall management
On Wed, 04 Jan 2012 11:21:00 +0200
Timo Teräs <timo.teras_at_iki.fi> wrote:
> On 01/03/2012 07:45 PM, Jeremy Thomerson wrote:
> > At what point does the back-end do the resolution? It seems like it
> > would need to periodically update this since a firewall may run
> > weeks, months, or years with no change and name resolution could
> > change periodically. Will it observe TTL?
> I believe updating of the DNS records to IPv4/IPv6 addresses would be
> administrative step. The idea is to create permanent cache of the fqdn
> domain names, that gets refreshed only as a result of running a
> command (or clicking acf button).
> This is because otherwise just someone updating a dns entry could
> break the whole firewall. Additionally, during bootup we cannot
> usually do dns queries (so we really need cached info). However,
> allowing usage of dns names will be beneficial, as it avoid
> duplication of information in multiple places. This should be
> sufficient as your server dns records should not change that often;
> and when they change you probably want to double check your firewall
> rules anyway.
> The idea is also that for fqdn's both A and AAAA records are used, so
> alpine wall would automatically create both ipv4 and ipv6 firewall
I really like this. It means that if you move a service to new IP you
update DNS and then just refresh dns cache in firewall rather than sync
the ip address info in firewall config. And yes, I would prefer that dns
refresh in firewall is a manual admin step.
Very nice! Thanks!
Received on Thu Jan 05 2012 - 11:23:17 GMT