[Firehol-support] Installing time

Phil Whineray phil at firehol.org
Mon Jul 24 21:46:31 BST 2017


On Mon, Jul 24, 2017 at 08:54:42PM +0200, Jonathan Baecker wrote:
> Hi Phil,
> thank you for your reply!
> I found the problem kid... In the firehol-default.conf I had WAIT_FOR_IFACE
> set to a virtual interface from a vm, it looks like this is not working. I
> removed that variable and now firehol starts in one second :).

Good news, glad you solved it.

> Can it be problematic, when I set nat and firewall rules for an IP that does
> not exist on startup? If so, then I have to modify my systemd start
> script.

To the best of my knowledge it's fine to have rules that refer to
things that don't exist yet (or indeed ever), they just don't have
any effect because nothing will match them. It's probably more secure
overall to have the rules in place before the interfaces are brought

The WAIT_FOR_IFACE was a patch brought in from Debian but I never
really understood its value... maybe to allow DNS names to work, but
I don't agree with using those in firewall rules because they don't
behave how most people would expect/want.
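A small check of the situation discussed above, added here as an example and not part of the firehol project or this thread: it lists the real interfaces a firehol.conf refers to (the `interface <iface> <name>` lines and the `inface`/`outface` tokens of `router` lines) and reports which of them are not present yet, so a rule set that names a VM interface which only appears later can be seen at a glance. The sample configuration and the helper names are constructed for the demo; quoted interface lists such as `interface "eth0 eth1" lan` are not parsed.

```shell
#!/bin/sh
# Added example (not from the firehol project): report which interfaces a
# firehol.conf names that do not exist on the host yet. Rules for a missing
# interface are harmless (nothing matches them), but a WAIT_FOR_IFACE setting
# that names such an interface will stall startup until it appears.

# Print every interface named in "interface <iface> <name>" lines and in
# "inface <iface>" / "outface <iface>" tokens, one per line, deduplicated.
# Quoted lists ("eth0 eth1") and patterns (eth+) are printed as written.
referenced_ifaces() {
    # $1: path to the firehol configuration
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "interface" && NF >= 2 { print $2 }
        {
            for (i = 1; i < NF; i++)
                if ($i == "inface" || $i == "outface") print $(i + 1)
        }
    ' "$1" | sort -u
}

# Print the referenced interfaces missing from the space-separated list in $2
# (for a live check pass the output of `ls /sys/class/net`).
missing_ifaces() {
    cfg=$1
    present=" $2 "
    for ifc in $(referenced_ifaces "$cfg"); do
        case "$present" in
            *" $ifc "*) ;;
            *) echo "$ifc" ;;
        esac
    done
}

# Constructed sample configuration, written to a temp file for the demo.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
version 6
# eth0 is up at boot; vnet0 only appears once the VM starts
interface eth0 wan
    server ssh accept
interface vnet0 vm
    server all accept
router vm2wan inface vnet0 outface eth0
    route all accept
EOF

# Live check against the kernel's view of the interfaces present right now.
missing_ifaces "$SAMPLE_CFG" "$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')"
```

Run it before starting firehol to confirm that nothing in WAIT_FOR_IFACE depends on an interface listed as missing.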


