Re: Long delay when shorewall/shorewall6 starts/stops
Nate Bargmann wrote:
> This has bugged me on and off most of this year since for some reason that I can't find, the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue. Right now this affects both my desktop and laptop running Sid.

I use shorewall on many systems and I do not experience any long delays at startup or shutdown. Therefore this problem seems specific to the configuration of your system.

> My desktop's network connection is a wired Ethernet that is managed by the ifup/ifdown scripts. My laptop's wireless and wired interfaces are managed by WiCD.

Same here. I assume you have something like this in your /etc/network/interfaces:

    allow-hotplug eth0
    iface eth0 inet dhcp

If you change that to this does it improve things?

    auto eth0
    iface eth0 inet dhcp

I have noticed that when used with nis/yp the above avoids an nis startup delay.

Bob
Re: Long delay when shorewall/shorewall6 starts/stops
From: Nate Bargmann n...@n0nb.us
Date: Fri, 17 Aug 2012 14:35:57 -0500
> Right now this affects both my desktop and laptop running Sid.

Is the desktop the fw zone? Another machine?

> ... the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue.

By any chance, does fw have another connection which can be closed when Shorewall is setting up? A VPN tunnel for example.

Regards, ... Peter E.

--
Telephone +13606390202. Bcc: peter at easthope.ca
http://carnot.yi.org/ http://members.shaw.ca/peasthope/index.html#Itinerary

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/171057621.55134.29217@cantor.invalid
Re: Long delay when shorewall/shorewall6 starts/stops
* On 2012 21 Aug 14:56 -0500, Bob Proulx wrote:
> Nate Bargmann wrote:
>> This has bugged me on and off most of this year since for some reason that I can't find, the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue. Right now this affects both my desktop and laptop running Sid.
>
> I use shorewall on many systems and I do not experience any long delays at startup or shutdown. Therefore this problem seems specific to the configuration of your system.

Of course. ;-)

>> My desktop's network connection is a wired Ethernet that is managed by the ifup/ifdown scripts. My laptop's wireless and wired interfaces are managed by WiCD.
>
> Same here. I assume you have something like this in your /etc/network/interfaces:
>
>     allow-hotplug eth0
>     iface eth0 inet dhcp

My laptop has exactly this stanza along with the lo stanza below in the desktop's interfaces file. As WiCD is used, I wonder if the eth0 stanza is necessary at all?

> If you change that to this does it improve things?
>
>     auto eth0
>     iface eth0 inet dhcp

This stanza is how my desktop is configured along with lo:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

WiCD is not used on the desktop as its only connection is the wired Ethernet. The laptop can use either wired or wireless, both managed via WiCD.

> I have noticed that when used with nis/yp the above avoids an nis startup delay.

So far as I know, I do not use nis/yp.

I suppose the next step is figuring out how to enable debugging in Shorewall. Sigh...

- Nate

--
The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true.
Ham radio, Linux, bikes, and more: http://www.n0nb.us
Re: Long delay when shorewall/shorewall6 starts/stops
* On 2012 21 Aug 15:32 -0500, peasth...@shaw.ca wrote:
> From: Nate Bargmann n...@n0nb.us
> Date: Fri, 17 Aug 2012 14:35:57 -0500
>> Right now this affects both my desktop and laptop running Sid.
>
> Is the desktop the fw zone? Another machine?

Each machine is defined for its own fw zone. I do not have a DMZ. The machines do sit behind an OpenWRT router with its firewall enabled.

>> ... the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue.
>
> By any chance, does fw have another connection which can be closed when Shorewall is setting up? A VPN tunnel for example.

Not to my knowledge. I do my remote access using SSH and have nothing persistent. Both machines do have IPV6 enabled and I am also using shorewall6 on both.

- Nate
Re: Re: Long delay when shorewall/shorewall6 starts/stops
Camaleón,

I accidentally deleted your reply. Perhaps the only difference I can see with the FAQ you quoted is that it's for the much older version 3.0. That has not been in Unstable/Testing for some time. Currently, the Shorewall packages are at 4.5.5-1.

I'll double check for any LDAP stuff, though.

Thanks!

- Nate
Re: Long delay when shorewall/shorewall6 starts/stops
Nate Bargmann wrote:
> Bob Proulx wrote:
>> I assume you have something like this in your /etc/network/interfaces:
>>
>>     allow-hotplug eth0
>>     iface eth0 inet dhcp
>
> My laptop has exactly this stanza along with the lo stanza below in the desktop's interfaces file. As WiCD is used, I wonder if the eth0 stanza is necessary at all?

If specified then wicd will leave it as specified for ifupdown. If not specified then wicd (or network-manager) will try to handle it. So the answer of configuration is a decision for you. Do you want ifupdown to manage it? Then you must specify it. Do you want wicd to manage it? Then you must not specify it.

Note that udev will cache the ethernet address and if you change network devices then udev will assign a different device name and then wicd (or nm) will inherit it. This happens when moving disks from one machine to another machine with a different ethernet address in the hardware. Typical for me and many but unusual for many too. This is the /etc/udev/rules.d/70-persistent-net.rules file.

>> If you change that to this does it improve things?
>>
>>     auto eth0
>>     iface eth0 inet dhcp
>
> This stanza is how my desktop is configured along with lo:

Using 'auto' is the old way. It sets up for a synchronous configuration at boot time. Using 'allow-hotplug' is the new way. It sets up for an event driven configuration to handle hotplug devices such as usb devices, pcmcia, and so forth. Both work for the most part. But there are corner cases in each.

>> I have noticed that when used with nis/yp the above avoids an nis startup delay.
>
> So far as I know, I do not use nis/yp.

I wasn't suggesting that you were using nis. I was simply pointing that out as a data point where using 'auto' avoids a delay but 'allow-hotplug' has a problem. It was an example only.

> I suppose the next step is figuring out how to enable debugging in Shorewall. Sigh...

Start at the /etc/init.d/shorewall level and look there first. It is likely not an issue with the upstream /sbin/shorewall but with the startup script process. I would start debugging like this:

    sh -x /etc/init.d/shorewall restart

Look at the shell trace output and see where the delay is occurring.

Bob
Re: Re: Long delay when shorewall/shorewall6 starts/stops
From: Nate Bargmann n...@n0nb.us
Date: Tue, 21 Aug 2012 16:22:15 -0500
> Each machine is defined for its own fw zone. I do not have a DMZ. The machines do sit behind an OpenWRT router with its firewall enabled.

Once everything is working, does shorewall restart give the delay?

The router issues an address to each machine by DHCP?

One test is to temporarily connect the desktop machine directly to the cable modem without the router. Another test is to set a static address for the desktop machine. Try various configurations until a clue surfaces.

Regards, ... Peter E.
Re (2): Long delay when shorewall/shorewall6 starts/stops
If an earlier copy of this message reached the list, its References are absent.

From: Nate Bargmann n...@n0nb.us
Date: Tue, 21 Aug 2012 16:22:15 -0500
> Each machine is defined for its own fw zone.

If both machines have the delay, troubleshooting on the wired machine should be more efficient than on the wireless machine. Wireless adds a layer of complexity in your work.

Regards, ... Peter E.
Re: Re: Long delay when shorewall/shorewall6 starts/stops
* On 2012 21 Aug 18:46 -0500, peasth...@shaw.ca wrote:
> From: Nate Bargmann n...@n0nb.us
> Date: Tue, 21 Aug 2012 16:22:15 -0500
>> Each machine is defined for its own fw zone. I do not have a DMZ. The machines do sit behind an OpenWRT router with its firewall enabled.
>
> Once everything is working, does shorewall restart give the delay?

No, it does not. I see in the /var/log/shorewall-init.log file that on each machine a 1 minute delay occurs:

    Aug 19 18:07:03 Creating iptables-restore input...
    Aug 19 18:07:03 Shorewall configuration compiled to /var/lib/shorewall/.start
    Aug 19 18:08:03 Starting Shorewall
    Aug 19 18:08:03 Initializing...
    Aug 19 18:08:03 Processing /etc/shorewall/init ...
    Aug 19 18:08:03 Processing /etc/shorewall/tcclear ...

But running manually there is no such delay:

    Aug 21 17:29:07 Creating iptables-restore input...
    Aug 21 17:29:07 Shorewall configuration compiled to /var/lib/shorewall/.start
    Aug 21 17:29:07 Starting Shorewall
    Aug 21 17:29:07 Initializing...
    Aug 21 17:29:07 Processing /etc/shorewall/init ...
    Aug 21 17:29:07 Processing /etc/shorewall/tcclear ...

> The router issues an address to each machine by DHCP?

Yes, but I see this on the laptop no matter where I am, my network or not, as I recall.

> One test is to temporarily connect the desktop machine directly to the cable modem without the router. Another test is to set a static address for the desktop machine. Try various configurations until a clue surfaces.

Thanks for the ideas. I'll also try Bob's suggestion as well.

- Nate
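The one-minute pause in the boot-time log quoted in the message above can be located mechanically by comparing consecutive timestamps. The script below is an added example, not part of the original thread or of Shorewall; `find_gaps` is a hypothetical helper name, and it assumes the log layout shown in the message with all lines inside one month.

```shell
#!/bin/sh
# Added example: report pauses between consecutive lines of a Shorewall
# init log. Assumes the "Mon DD HH:MM:SS message" layout quoted in the
# thread and that all lines fall within one month (no year is logged).

# find_gaps MIN_SECONDS < logfile   (find_gaps is a hypothetical helper name)
# Prints "<N>s before: <line>" for each line that follows a pause >= MIN_SECONDS.
find_gaps() {
    awk -v min="$1" '
    {
        # $2 is the day of month, $3 is HH:MM:SS; skip untimestamped lines
        if (split($3, t, ":") != 3) next
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (seen && now - prev >= min)
            printf "%ds before: %s\n", now - prev, $0
        prev = now
        seen = 1
    }'
}

# Boot-time excerpt, copied from the message above.
boot_log='Aug 19 18:07:03 Creating iptables-restore input...
Aug 19 18:07:03 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 19 18:08:03 Starting Shorewall
Aug 19 18:08:03 Initializing...
Aug 19 18:08:03 Processing /etc/shorewall/init ...
Aug 19 18:08:03 Processing /etc/shorewall/tcclear ...'

# Manual-run excerpt, copied from the message above.
manual_log='Aug 21 17:29:07 Creating iptables-restore input...
Aug 21 17:29:07 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 21 17:29:07 Starting Shorewall
Aug 21 17:29:07 Initializing...
Aug 21 17:29:07 Processing /etc/shorewall/init ...
Aug 21 17:29:07 Processing /etc/shorewall/tcclear ...'

echo "boot:";   printf '%s\n' "$boot_log"   | find_gaps 5
echo "manual:"; printf '%s\n' "$manual_log" | find_gaps 5
```

On a live system the same function can read the file named in the message, for example `find_gaps 5 < /var/log/shorewall-init.log`. The line it reports is the first one written after the pause, so the step to inspect is whatever runs between that line and the one before it.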
Re: Long delay when shorewall/shorewall6 starts/stops
On Fri, 17 Aug 2012 14:35:57 -0500, Nate Bargmann wrote:
> This has bugged me on and off most of this year since for some reason that I can't find, the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue. Right now this affects both my desktop and laptop running Sid.

(...)

Google has found this, but not sure that's the cause of your delay because it looks like a corner case:

***
http://www.shorewall.net/3.0/FAQ.htm#faq62

(FAQ 62) I have unexplained 30-second pauses during shorewall [re] start. What causes that?

Answer: This usually happens when the firewall uses LDAP Authentication. The solution is to list your LDAP server(s) as critical in /etc/shorewall/routestopped.
***

In the FAQ, there are also some tips for speeding up the service:

http://www.shorewall.net/3.0/FAQ.htm#faq34

Greetings,

--
Camaleón
Long delay when shorewall/shorewall6 starts/stops
This has bugged me on and off most of this year since for some reason that I can't find, the shorewall/shorewall6 startup scripts have a pause of about a minute before the system start/shutdown can continue. Right now this affects both my desktop and laptop running Sid.

My desktop's network connection is a wired Ethernet that is managed by the ifup/ifdown scripts. My laptop's wireless and wired interfaces are managed by WiCD.

Right now in /etc/default/shorewall|shorewall6 is the variable 'wait_interface' that is undefined. A bit of testing shows the delay in the scripts is not related to this variable. After this I am stumped as the delay is deeper in Shorewall itself.

This has gotten annoying enough that I'm seriously considering a firewall alternative. I like Shorewall as it is relatively easy to configure for new servers and such.

- Nate