From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Mon, 16 Nov 2020 10:34:41 +0000
In-Reply-To: <20201115154458.GC727329@vesikko.tarvainen.info>

Hi,

> On 15 Nov 2020, at 15:44, Tapani Tarvainen wrote:
>
> On Sun, Nov 15, 2020 at 02:50:09PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
>
>>> deactivating these rules would need a complete reboot!? Or do I
>>> overlook something?
>>
>> Yes, this would be true.
>
> Why? After all, iptables supports deleting (-D) or replacing (-R)
> rules anywhere in any chain. Turning rules in a custom chain on
> or off could be done with a single iptables command.
>
> OK, I guess that'd require a non-trivial amount of coding in IPFire.

It is in theory possible, but in practice it would be surgically removing firewall rules.

If anyone has some custom changes in here, or if you install an update and the newer version of the script is expecting some changes, this won't work any more.

Therefore the best way is to have a chain that can be flushed and recreated.

>> Maybe we should in general move these things to not require a reboot?
>
> I'd like that. BTW unbound also supports changes without total reload.

Which ones?

>> I believe reloading the whole firewall is something we can support right now.
>
> That would already be helpful.
>
> --
> Tapani Tarvainen
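The pattern discussed in the thread, a dedicated chain that is flushed and recreated as a unit rather than edited rule by rule with -D/-R, as an added example that is not part of the message and not IPFire's own firewall script. It assumes a LAN interface named green0, a firewall LAN address of 192.168.1.1 and a chain name DNS_FORCE (all placeholders), uses the nat table's REDIRECT target to send LAN port-53 traffic to the firewall's own resolver, and supports DRY_RUN=1 so the generated commands can be reviewed on a host without iptables.

```shell
#!/bin/sh
# Added example (not IPFire's code): keep all "force LAN DNS to the firewall"
# rules in one dedicated nat chain. Enabling = flush + recreate the chain,
# disabling = unhook + flush + delete it. Nothing outside the chain is touched,
# so custom rules elsewhere and future script updates are not disturbed.
# Assumed placeholders: interface green0, firewall IP 192.168.1.1, chain DNS_FORCE.

LAN_IF="${LAN_IF:-green0}"
FW_IP="${FW_IP:-192.168.1.1}"
CHAIN="${CHAIN:-DNS_FORCE}"

# Wrapper: run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rules owned by the chain, one per line. Queries already addressed to
# the firewall are left alone; any other DNS destination is redirected to
# port 53 on the firewall's LAN address (REDIRECT uses the incoming
# interface's primary address).
dns_force_rules() {
    for proto in udp tcp; do
        echo "-A $CHAIN -p $proto --dport 53 -d $FW_IP -j RETURN"
        echo "-A $CHAIN -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

# Enable: create the chain if missing, flush it, refill it, then (re)hook it
# into PREROUTING for LAN traffic. Delete-then-append keeps the hook single.
dns_force_enable() {
    ipt -t nat -N "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN"
    dns_force_rules | while read -r rule; do
        # shellcheck disable=SC2086  # intentional word splitting of the rule
        ipt -t nat $rule
    done
    ipt -t nat -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    ipt -t nat -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
}

# Disable: unhook the chain, empty it and remove it. Only our rules go away.
dns_force_disable() {
    ipt -t nat -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN" 2>/dev/null || true
    ipt -t nat -X "$CHAIN" 2>/dev/null || true
}

# Usage: ./dns_force.sh enable | disable   (prefix DRY_RUN=1 to only print)
case "${1:-}" in
    enable)  dns_force_enable ;;
    disable) dns_force_disable ;;
esac
```

Because every rule the script owns lives in its own chain, toggling the feature never has to locate individual rules by number or exact match in the shared PREROUTING chain, which is what makes it safe against local customisations and against a later version of the script expecting a different rule layout.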