public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Mon, 16 Nov 2020 10:34:41 +0000
Message-ID: <F5871A91-507A-4B71-9916-F30445EBD54E@ipfire.org>
In-Reply-To: <20201115154458.GC727329@vesikko.tarvainen.info>

Hi,

> On 15 Nov 2020, at 15:44, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wrote:
> 
> On Sun, Nov 15, 2020 at 02:50:09PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
> 
>>> deactivating these rules would need a complete reboot!? Or do I
>>> overlook something?
>> 
>> Yes, this would be true.
> 
> Why? After all, iptables supports deleting (-D) or replacing (-R)
> rules anywhere in any chain. Turning rules in a custom chain on
> or off could be done with a single iptables command.
> 
> OK, I guess that'd require a non-trivial amount of coding in IPFire.

It is in theory possible, but in practice it would be surgically removing firewall rules.

If anyone has some custom changes in here, or if you install an update and the newer version of the script is expecting some changes, this won’t work any more.

Therefore the best way is to have a chain that can be flushed and recreated.

>> Maybe we should in general move these things to not require a reboot?
> 
> I'd like that. BTW unbound also supports changes without total reload.

Which ones?

>> I believe reloading the whole firewall is something we can support right now.
> 
> That would already be helpful.
> 
> -- 
> Tapani Tarvainen
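
The approach Michael describes above (a dedicated chain that is flushed and rebuilt as a unit rather than individual rules being deleted with -D or replaced with -R) can be shown in a small script. This is an added example and not IPFire's own code; the LAN interface name green0, the chain name CUSTOM_DNS_REDIRECT and the use of REDIRECT for port 53 are assumptions made for the illustration. With DRY_RUN=1 (the default) the iptables commands are printed instead of executed, so it runs without root and without touching a live ruleset.

```shell
#!/bin/sh
# Added example, not IPFire's own code: keep the "force LAN DNS to the
# firewall" rules in a dedicated nat chain that is flushed and rebuilt
# as a unit, so the feature can be switched on and off at runtime and
# nothing outside the chain is ever deleted by position or pattern.
#
# Assumed values (not from the thread): LAN interface green0 and chain
# name CUSTOM_DNS_REDIRECT. With DRY_RUN=1 (the default) the commands are
# printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"
CHAIN="CUSTOM_DNS_REDIRECT"
LAN_IF="green0"

# Run an iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# True if the jump from PREROUTING into the custom chain already exists.
# The kernel cannot be queried in dry-run mode, so assume it is missing.
hook_exists() {
    [ "$DRY_RUN" = "1" ] && return 1
    iptables -t nat -C PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null
}

# The rules that make up the feature. Changing policy means editing this
# function only; dns_redirect_enable rebuilds the chain from it.
dns_redirect_rules() {
    # REDIRECT rewrites the destination to the primary address of the
    # interface the packet arrived on, i.e. the firewall's LAN address.
    ipt -t nat -A "$CHAIN" -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -A "$CHAIN" -p tcp --dport 53 -j REDIRECT --to-ports 53
}

# Create the chain if needed, hook it into PREROUTING once, then flush
# and repopulate it. Safe to run repeatedly; no reboot required.
dns_redirect_enable() {
    ipt -t nat -N "$CHAIN" 2>/dev/null || true
    hook_exists || ipt -t nat -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
    ipt -t nat -F "$CHAIN"
    dns_redirect_rules
}

# Switch the feature off: empty the chain but leave the hook in place so
# enable and disable can alternate without touching PREROUTING again.
dns_redirect_disable() {
    ipt -t nat -F "$CHAIN"
}

# Tear everything down, e.g. before an update replaces this script.
dns_redirect_remove() {
    ipt -t nat -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN"
    ipt -t nat -X "$CHAIN"
}

case "${1:-}" in
    enable)  dns_redirect_enable ;;
    disable) dns_redirect_disable ;;
    remove)  dns_redirect_remove ;;
    *)       echo "usage: $0 enable|disable|remove" >&2 ;;
esac
```

Run it as `DRY_RUN=1 sh dns-redirect.sh enable` to see the sequence, or with DRY_RUN=0 as root to apply it. Because only CUSTOM_DNS_REDIRECT is ever flushed, a later version of the script that expects different rules can simply call enable again, which is the property the thread is after.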


Thread overview: 20+ messages
2020-11-09 17:47 Matthias Fischer
2020-11-10 13:07 ` Tapani Tarvainen
2020-11-13 14:24   ` Michael Tremer
2020-11-13 14:35     ` Tapani Tarvainen
2020-11-11 15:02 ` Rainer Kemme
2020-11-13 14:23 ` Michael Tremer
2020-11-13 14:55   ` Tapani Tarvainen
2020-11-15 13:16     ` Matthias Fischer
2020-11-15 14:45       ` Michael Tremer
2020-11-15 15:33       ` Tapani Tarvainen
2020-11-16 10:32         ` Michael Tremer
2020-11-15 14:40     ` Michael Tremer
2020-11-13 16:57   ` Matthias Fischer
2020-11-13 17:08     ` Paul Simmons
2020-11-15 13:36     ` Matthias Fischer
2020-11-15 14:50       ` Michael Tremer
2020-11-15 15:44         ` Tapani Tarvainen
2020-11-16 10:34           ` Michael Tremer [this message]
2020-11-23  9:08         ` Matthias Fischer
2020-12-25 16:57           ` Matthias Fischer