Red Hat Bugzilla – Bug 80783
FQDNs don't work in /etc/sysconfig/iptables
Last modified: 2007-04-18 12:49:24 EDT
Description of problem:
If there are FQDNs in /etc/sysconfig/iptables, iptables won't start at boot time
because networking is not up and FQDNs cannot be resolved.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add some rule include FQDN to /etc/sysconfig/iptables
2. Boot the machine
iptables won't start.
iptables should start.
Solution: networking must be started before iptables during boot.
> Solution: networking must be started before iptables during boot.
It's not that simple. That would be a security risc, putting the machine online
before the firewall is up.
I would suggest you resolve the FQDNs to their respective static IP address.
While I agree that there's a theoretical security risk (the window of
opportunity is barely noticeable), FQDNs are sometimes very useful with services
like dyndns where the FQDN of a service is static but IP address changes from
time to time.
I've changed the starting order locally and think that it would be nice to see
this on official RHL, too, but I won't protest WONTFIX stamp either.
Rather than switching the startup order, it would make more sense to
split the firewall configuration over two init scripts - one to close
everthing down, that runs before networking is initialised, and one to
open the holes, afterwards. Whether this should be a feature of the OS,
or down to sensible system administration is a matter for debate.