start script fails with upstart (if config requires DNS resolv)

Duplicated the wrong way round? Surely the newer ticket should me made a duplicate of the older ticket?

Still, marked as security vulnerability. Not having a firewall after bootup is a security risk.

s/me/be/ :)

AFAIK the firehol init script is present and has not changed.

The suspecting package IMHO may well be an incomplete/broken upstart / -compat init procedure.

maybe related: http://sourcecode.de/content/fun-upstart

Johnathon, can you reproduce this bug?

ceg wrote:
> Johnathon, can you reproduce this bug?
>

No... with a basic firehol setup, firehol is starting on bootup, and
correctly loading rules into iptables...

Didn't mention this is on a *fresh* 9.10 installation.

ceg wrote:
> Didn't mention this is on a *fresh* 9.10 installation.
>

mine is a beta-release fresh install. Kept it up-to-date, obviously.

Asked an old friend if he'd seen any problems, and he hasn't, running
9.10 with firehol.. sounds like it might be a problem just with your
machine or setup :/

I got the firehol output into a file by modifying the init script.

The iptables commands fail because domains are not being resolved to ip addresses.

Now I am not sure. Starting the firewall before the network is up might be adequate behaviour. How can the init scripts handle this? Do firehol save on shutdown and a restore early on during boot, and a regular restart later on?

This failure to load with domain names in the config may have arisen with the network now set up by upstarts native /etc/init mechanism (instead of with symlinks in/ets/rc?.d) or been present all the time.

However, a proper fix should no be now to ship two firehol upstart definitions:

One /etc/init/firehol-first.conf (or -prenet, -init, -predns or -minimal?) definition that stats firehol (before any network/dns is up) with a corresponding /etc/firehol/firehol-first.conf .

And one /etc/init/firehol.conf definition that starts firehol (always after a network interface has come up) regulary.

Sorry typo has made it unclear: I mean "a proper fix should now be to..."

I don't have this kind of problem... After editing properly the config file, firehol works fine.

Nahsei, do you use lines like "client http accept dst archive.ubuntu.com" and the domain names are being resolved and firehol started correctly on boot?

At the risk of courting contreversy, is the real "solution" not to only use IP addresses in firehol scripts and possibly better failsafe if the firewall does not load (although good look googling for the reason or remotely logging into your box to fix it with everything set to deny).

Using names means any resolution failure risks your firewall not starting up; the fact that DNS is apparently no longer resolving early enough in the boot process has simply exposed one cause.

The fact is that when using a domain name IPs are resolved at load time and will be unchanged for the lifetime of the firewall - so it doesn't do what most people would really want anyway.

Actually right, resolving at each startup makes the firewall vulnerable to dns spoofing.

OTOH its a nice feature to be able to write down domain names.

So, the two stages may be improved.
The lower-stage firehol start/stop scripts could always just dump/restore the rules (resolved IPs), to make sure firewall is up even on resolv errors.
The stage two script (when an interface came up) rechecks whether the config file (possibly containing domains) does still create the same rules (with IPs).
If there are differences, notify/warn the admin if the config file has not been changed.

for dumping rules see man page "firehol save"