[Shorewall-users] Re FAQ 9 - FQDNs in config

Tom Eastep teastep@shorewall.net
Mon, 15 Apr 2002 10:30:57 -0700 (Pacific Daylight Time)

On Mon, 15 Apr 2002, Simon Turvey wrote:

> Has anyone found a satisfactory way of specifying source/destinations that
> have their addresses assigned via DHCP?  I wish to configure Shorewall for
> an IPSEC tunnel with an endpoint with an IP allocated this way.  My friend
> and I both use the dyndns server to create a domain name that always points
> to our respective IPs.  However, if we can't use the domain names in the
> Shorewall config then we're just left with hard-coding the IPs and risking
> them changing on us.

A couple of things:

a) being able to specify FQDNs in Shorewall would NOT help you as much as
you seem to think. The iptables utility resolves DNS names when it
processes rules and substitutes the IP addresses in place of the name.
Hence, once your firewall is started, it DOES NOT change when DNS<->IP
relationships change.

b) As far as Shorewall is concerned, you could simply use a "road-warrior"
configuration (accept IPSEC from the net zone unconditionally).

c) I think you will find that configuring IPSEC in this environment is
going to be a bigger pain than Shorewall is.

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
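Point (a) above is the one that bites people in practice: a hostname in a rule is resolved exactly once, when the rule is loaded, and the kernel only ever holds the IP that came back. The following is an added illustration, not code from this thread or from Shorewall or iptables, that models that behaviour and adds the check an administrator with a dyndns-addressed peer would want: compare the IP baked into the loaded rule against what the name resolves to now, and flag the rule as stale. The hostname `peer.dyndns.example`, the 203.0.113.x addresses and the `make_resolver` lookup table are constructed test data; in real use the default resolver is `socket.gethostbyname`.

```python
import socket
from dataclasses import dataclass


@dataclass
class LoadedRule:
    """A rule written with a hostname but stored, as iptables stores it,
    as the single IP that the name resolved to at load time."""
    hostname: str
    loaded_ip: str


def load_rule(hostname, resolver=socket.gethostbyname):
    """Mimic rule load: resolve the name once and freeze the answer.
    After this point the hostname is only a label; the kernel matches on loaded_ip."""
    return LoadedRule(hostname, resolver(hostname))


def packet_allowed(rule, src_ip):
    """What the kernel actually matches: the frozen IP, never the name."""
    return src_ip == rule.loaded_ip


def check_drift(rule, resolver=socket.gethostbyname):
    """Re-resolve the name and report whether the loaded rule is stale.
    Returns (is_stale, current_ip). If resolution fails, the rule is
    reported as not stale, since there is no new answer to compare against."""
    try:
        current = resolver(rule.hostname)
    except socket.gaierror:
        return False, None
    return current != rule.loaded_ip, current


def refresh_if_stale(rule, resolver=socket.gethostbyname):
    """The only remedy iptables offers: reload the rule so the name is resolved again."""
    stale, _ = check_drift(rule, resolver)
    return load_rule(rule.hostname, resolver) if stale else rule


def make_resolver(table):
    """Constructed stand-in for DNS, so the scenario runs offline.
    `table` maps hostname -> current IP and can be mutated to simulate a
    dyndns update after a DHCP lease change."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(f"constructed resolver: no answer for {name}")
    return resolve


def dhcp_change_scenario():
    """Walk through the situation described in the thread. Returns a dict of
    observations so the outcome can be checked rather than only printed."""
    dns = {"peer.dyndns.example": "203.0.113.10"}   # constructed
    resolve = make_resolver(dns)

    rule = load_rule("peer.dyndns.example", resolve)   # firewall started
    allowed_before = packet_allowed(rule, "203.0.113.10")

    # Peer's DHCP lease changes and dyndns is updated; the loaded rule is not.
    dns["peer.dyndns.example"] = "203.0.113.77"
    allowed_after = packet_allowed(rule, "203.0.113.77")
    stale, current = check_drift(rule, resolve)

    reloaded = refresh_if_stale(rule, resolve)
    allowed_after_reload = packet_allowed(reloaded, "203.0.113.77")

    return {
        "loaded_ip": rule.loaded_ip,
        "allowed_before": allowed_before,
        "allowed_after": allowed_after,
        "stale": stale,
        "current_ip": current,
        "reloaded_ip": reloaded.loaded_ip,
        "allowed_after_reload": allowed_after_reload,
    }


if __name__ == "__main__":
    for key, value in dhcp_change_scenario().items():
        print(f"{key}: {value}")
```

Run from cron, `check_drift` against the real resolver is the piece that tells you the firewall needs restarting; the rule itself will never notice. Note that this only reduces the window, it does not remove it, which is why the thread suggests the road-warrior approach instead.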