On Tue, 9 Dec 2003, Gianni Bragante wrote:

> I am experiencing long delays at boot when applying a
> restrictive firewall policy.

I did not see a smoking gun in data you sent, but a shot in the dark is DNS (domain name service) host name resolution.

Firewall rules might be generating a chicken and the egg situation where services are needed but pinholes in the firewall are not ready to pipe in the necessary data. Thus some start up things stall or timeout. They have for me.

If you have a caching name service make sure the list of nameserver hosts is in a good order. For example if /etc/named.conf has two bad and the last good then the timeouts for the first two bad/slow boxes will dominate until the info is cached.

Other chicken+egg -- look at /etc/hosts and /etc/sysconfig/networking/profiles/default/hosts

It is useful to have data describing the connection to all local boxes that are network service interconnected. Important stuff like httpd, nfs, samba, ntp, sendmail, cups, lpd all can do forward and reverse name resolution early in the boot process.

It is also useful to have the names and IP addresses of the hosts in /etc/named.conf.

See also /etc/host.conf! My Fedora box had "hosts, nis" in /etc/host.conf. Since I do not use nis this was wrong.

I am looking right now to see the reason for both the /etc/host.conf and /etc/resolv.conf resolver configuration files. Since this box has been badly abused by updates and upgrades my junk might be cruft from RH4565789.... it could have been me tinkering.

Even if you are booting DHCP some hints in local files can help. If you are booting DHCP ensure that you are getting the setup you expect and need from your DHCP server.

One hint of trouble is when a service restart is issued and you get a FAIL on the stop but it is OK on the start.

This is a clever script:

    /sbin/service --status-all

Saves tinkering in /etc/init.d/{this,that,another} by hand.

--
T o m M i t c h e l l
mitch48 -a*t- yahoo-dot-com
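The two file checks suggested in the message above, as an added example that is not part of the original post: it lists the lookup sources on the `order` line of a host.conf-style file, flags sources that are not in use on the box, and reports which service hostnames have no /etc/hosts entry and therefore depend on a network lookup at boot. The function names, host names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check of resolver files. Paths are arguments, so the
# functions can be pointed at copies of /etc/host.conf and /etc/hosts.

# Print the lookup sources from the "order" line, one per line.
lookup_order() {
    awk '$1 == "order" {
        for (i = 2; i <= NF; i++) {
            s = $i; gsub(/,/, " ", s)          # "hosts," or "hosts,bind"
            n = split(s, a, " ")
            for (j = 1; j <= n; j++) print a[j]
        }
    }' "$1"
}

# Print sources in the order line that are not in the list of sources
# actually used on this box (for example "nis" when NIS is not set up).
unexpected_sources() {
    conf=$1; shift
    for src in $(lookup_order "$conf"); do
        case " $* " in
            *" $src "*) ;;
            *) printf '%s\n' "$src" ;;
        esac
    done
}

# Print each given name that has no entry in the hosts file. These names
# need a network lookup, which can stall while the firewall blocks DNS.
names_missing_from_hosts() {
    hosts_file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '
            { sub(/#.*/, "") }                  # drop trailing comments
            { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit (found ? 0 : 1) }' "$hosts_file" || printf '%s\n' "$name"
    done
}

# Constructed sample files (not taken from any real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed sample' 'order hosts, nis' 'multi on' > "$demo_dir/host.conf"
printf '%s\n' '127.0.0.1 localhost' \
    '192.0.2.10 fileserver.example fileserver  # nfs, samba' > "$demo_dir/hosts"

echo "lookup order:";            lookup_order "$demo_dir/host.conf"
echo "sources not in use here:"; unexpected_sources "$demo_dir/host.conf" hosts bind
echo "need a network lookup:";   names_missing_from_hosts "$demo_dir/hosts" fileserver ntp.example
```

To check a real box, pass copies of its files in place of the sample paths and list the hostnames its boot-time services are configured to contact.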