On Sun, Nov 15, 2020 at 02:50:09PM +0000, Michael Tremer (michael.tremer@ipfire.org) wrote:
deactivating these rules would need a complete reboot!? Or do I overlook something?
Yes, this would be true.
Why? After all, iptables supports deleting (-D) or replacing (-R) rules anywhere in any chain. Turning rules in a custom chain on or off could be done with a single iptables command.
OK, I guess that'd require a non-trivial amount of coding in IPFire.
Maybe we should in general move these things to not require a reboot?
I'd like that. BTW unbound also supports changes without total reload.
I believe reloading the whole firewall is something we can support right now.
That would already be helpful.