Date: Thu, 5 Jan 2012 11:23:17 +0100
From: Natanael Copa
To: Timo Teräs
Cc: jeremy@thomersonfamily.com, Kaarle Ritvanen, alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Alpine Wall for firewall management
Message-ID: <20120105112317.32270488@ncopa-desktop.nor.wtbts.net>
In-Reply-To: <4F0419FC.3080801@iki.fi>

On Wed, 04 Jan 2012 11:21:00 +0200 Timo Teräs wrote:

> On 01/03/2012 07:45 PM, Jeremy Thomerson wrote:
> >
> > At what point does the back-end do the resolution? It seems like it
> > would need to periodically update this since a firewall may run
> > weeks, months, or years with no change and name resolution could
> > change periodically. Will it observe TTL?
>
> I believe updating of the DNS records to IPv4/IPv6 addresses would be
> an administrative step. The idea is to create a permanent cache of the
> fqdn domain names, that gets refreshed only as a result of running a
> command (or clicking an acf button).
>
> This is because otherwise just someone updating a dns entry could
> break the whole firewall. Additionally, during bootup we cannot
> usually do dns queries (so we really need cached info). However,
> allowing usage of dns names will be beneficial, as it avoids
> duplication of information in multiple places. This should be
> sufficient as your server dns records should not change that often;
> and when they change you probably want to double check your firewall
> rules anyway.
>
> The idea is also that for fqdn's both A and AAAA records are used, so
> alpine wall would automatically create both ipv4 and ipv6 firewall
> rules.

I really like this. It means that if you move a service to a new IP you
update DNS and then just refresh the dns cache in the firewall rather
than sync the ip address info in the firewall config.

And yes, I would prefer that the dns refresh in the firewall is a manual
admin step.

Very nice! Thanks!

-nc
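The design Timo describes, sketched as an added example that is not awall's own code: the FQDN cache is filled only by an explicit refresh step that keeps both A and AAAA answers, and rule generation reads the cache alone, so it needs no DNS at boot and a DNS change does not reach the firewall until an admin refreshes. The resolver, host names and addresses below are constructed stand-ins so the example runs offline.

```python
import ipaddress
import json
from collections.abc import Callable

# Hypothetical resolver interface: fqdn -> list of address strings (A and AAAA mixed).
Resolver = Callable[[str], list[str]]


def refresh_cache(names: list[str], resolve: Resolver) -> dict[str, dict[str, list[str]]]:
    """Administrative step: resolve every FQDN and file each answer under A or AAAA.
    This is the only place DNS is consulted; the result is meant to be persisted."""
    cache: dict[str, dict[str, list[str]]] = {}
    for name in names:
        entry: dict[str, list[str]] = {"A": [], "AAAA": []}
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr)  # validates and normalises the address
            entry["A" if ip.version == 4 else "AAAA"].append(str(ip))
        cache[name] = entry
    return cache


def render_rules(cache: dict, hosts: list[str], dport: int) -> tuple[list[str], list[str]]:
    """Emit ipv4 and ipv6 accept rules from the cache only; no lookups happen here,
    so this is safe to run during bootup. A name with no AAAA record simply yields
    no ipv6 rule, and an uncached name is an error rather than a silent lookup."""
    v4: list[str] = []
    v6: list[str] = []
    for host in hosts:
        if host not in cache:
            raise KeyError(f"{host}: not in dns cache, run the refresh step first")
        for ip in cache[host]["A"]:
            v4.append(f"-A INPUT -s {ip} -p tcp --dport {dport} -j ACCEPT")
        for ip in cache[host]["AAAA"]:
            v6.append(f"-A INPUT -s {ip} -p tcp --dport {dport} -j ACCEPT")
    return v4, v6


# Constructed DNS data standing in for real A/AAAA answers.
FAKE_DNS = {
    "ntp.example.com": ["192.0.2.10", "2001:db8::10"],
    "log.example.com": ["192.0.2.20"],  # A only: produces no ipv6 rule
}

if __name__ == "__main__":
    cache = refresh_cache(list(FAKE_DNS), FAKE_DNS.__getitem__)
    persisted = json.dumps(cache)  # what would be written to disk for the next boot
    v4, v6 = render_rules(json.loads(persisted), list(FAKE_DNS), 123)
    print("\n".join(["iptables:"] + v4 + ["ip6tables:"] + v6))
```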