Description of problem:
If there are FQDNs in /etc/sysconfig/iptables, iptables won't start at boot time because networking is not up and the FQDNs cannot be resolved.

Version-Release number of selected component (if applicable):
All.

How reproducible:
Always.

Steps to Reproduce:
1. Add a rule that includes an FQDN to /etc/sysconfig/iptables
2. Boot the machine
3.

Actual results:
iptables won't start.

Expected results:
iptables should start.

Additional info:
Solution: networking must be started before iptables during boot.
> Solution: networking must be started before iptables during boot.

It's not that simple. That would be a security risk, putting the machine online before the firewall is up. I would suggest you resolve the FQDNs to their respective static IP addresses.
While I agree that there's a theoretical security risk (the window of opportunity is barely noticeable), FQDNs are sometimes very useful with services like dyndns, where the FQDN of a service is static but the IP address changes from time to time. I've changed the starting order locally and think it would be nice to see this in official RHL too, but I won't protest a WONTFIX stamp either.
Rather than switching the startup order, it would make more sense to split the firewall configuration over two init scripts: one to close everything down, which runs before networking is initialised, and one to open the holes afterwards. Whether this should be a feature of the OS, or down to sensible system administration, is a matter for debate.
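One way to implement the two-phase split suggested in the last comment, as an added example that is not part of the bug report and not an official RHL init script: a POSIX sh helper that takes an iptables-save-format ruleset (the constructed sample below stands in for /etc/sysconfig/iptables) and divides it into a "lockdown" set, containing the chain policies and every rule whose -s/-d arguments are literal IPv4 addresses, and a "holes" set containing every rule that names a host by FQDN. The lockdown file can be loaded with iptables-restore before networking comes up, since nothing in it needs DNS; the holes file is loaded afterwards with iptables-restore -n (no flush) so the lockdown rules stay in place. The hostnames and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the bug report): split an iptables-save-format
# ruleset into a DNS-free lockdown set and a post-network "holes" set.

# Constructed sample standing in for /etc/sysconfig/iptables (assumption:
# addresses and hostnames are made up, 192.0.2.0/24 is documentation space).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s admin.dyndns.example -p tcp --dport 22 -j ACCEPT
-A INPUT -d backup.example.net -p tcp --dport 873 -j ACCEPT
COMMIT'

# is_literal_addr ADDR: succeed if ADDR is a dotted-quad IPv4 address,
# optionally with a /prefix; anything else is treated as a hostname.
is_literal_addr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# rule_needs_dns RULE: succeed if any -s/-d argument of RULE is a hostname,
# i.e. loading RULE would require name resolution.
rule_needs_dns() {
    set -- $1                      # word-split the rule into its arguments
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|-d|--source|--destination)
                shift
                is_literal_addr "$1" || return 0 ;;
        esac
        shift
    done
    return 1
}

# split_ruleset RULES LOCKDOWN_FILE HOLES_FILE
# Table headers (*filter) and COMMIT go to both files so each loads on its
# own with iptables-restore; chain policy lines (:CHAIN) go only to the
# lockdown file; rules are routed by whether they need DNS.
split_ruleset() {
    lockdown=$2; holes=$3
    : > "$lockdown"; : > "$holes"
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            '*'*|COMMIT)
                printf '%s\n' "$line" >> "$lockdown"
                printf '%s\n' "$line" >> "$holes" ;;
            :*)
                printf '%s\n' "$line" >> "$lockdown" ;;
            -A*|-I*)
                if rule_needs_dns "$line"; then
                    printf '%s\n' "$line" >> "$holes"
                else
                    printf '%s\n' "$line" >> "$lockdown"
                fi ;;
            *)
                printf '%s\n' "$line" >> "$lockdown" ;;
        esac
    done
}

# Stand-alone run: write both files under /tmp and show them. On a real
# system the first would be loaded before the network init script with
# "iptables-restore /tmp/iptables.lockdown" and the second after it with
# "iptables-restore -n /tmp/iptables.holes".
if [ "${0##*/}" != "sh" ]; then
    split_ruleset "$SAMPLE_RULES" /tmp/iptables.lockdown /tmp/iptables.holes
    echo "== lockdown (load before networking) =="; cat /tmp/iptables.lockdown
    echo "== holes (load after networking, with -n) =="; cat /tmp/iptables.holes
fi
```

Two caveats for anyone adopting this layout: the lockdown set must express "deny" as the chain policy (as the sample does), not as a trailing -j DROP rule, because the holes are appended and would otherwise never be reached; and the classifier only recognises IPv4 literals, so an IPv6 address in -s/-d would be misfiled as a hostname and deferred to the post-network phase.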