On 04/18/2013 01:49 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>>> If I remove these lines (I commented them out), then everything is
>>> clear. So, is there any way to "synchronise" both things as the way I
>>> see it, one doesn't make sense without the other? In other words, if I
>>> have chosen not to have the tftp helper, what is the sense in loading
>>> nf_conntrack_tftp for example?
>>>
>>
>> The modules files are also read by the CLI and by the shorecap programs;
>> so they can't have ?if .... ?endif like other Shorewall configuration files.
>>
> Erm, you've lost me. What does that mean?

It means that it is not really feasible to sync the loaded helper modules
with the HELPERS option.

>
>> But you can certainly copy helpers to /etc/shorewall/ and modify it in
>> any way that you see fit.
>>
> Am I right in assuming that if I don't need any of the helpers, I could
> also delete these lines too?

Yes.

> I also take it there isn't a way to sync
> the "HELPERS" config option with this then?
>

No, there isn't.

>>> Also, in that "helpers" file I see quite a few ipset modules
>>> (ip_set_iphash, ip_set_ipmap etc) - these are not helpers and, anyway,
>>> they appear to be in "modules.ipset" so I think it is safe to delete
>>> them from there.
>>>
>>
>> Yes -- that's certainly a bug. I've removed them for the next Beta.
>>
> Thanks.
>
>>> While I am at it, one further question: am I right in
>>> assuming that if an iptables match/target kernel module is needed in a
>>> specific rule, then that kernel module is loaded automatically by
>>> iptables anyway, so do we need any of the "modules.xtables" or
>>> "modules.extensions"?
>>>
>>
>> They are loaded by Shorewall only if LOAD_HELPERS_ONLY=No. If
>> LOAD_HELPERS_ONLY=Yes, only the helpers file is loaded.
>>
>> They will be loaded if the kernel is configured for module autoloading.
>> That is rare in embedded systems but is the norm for desktop and server
>> distributions.
>>
> OK, so if I use iptables targets (which appear as kernel modules) and
> don't need any "helpers" loaded, in order to prevent shorewall from
> loading anything else (well, anything apart from the "essential" modules
> - not sure if iptables would load these automatically!) while starting
> my firewall successfully, all I have to do is:
>
> HELPERS=none
> LOAD_HELPERS_ONLY=Yes
>
> Correct, or am I going to have my fingers burned?

That will work, provided that you have module autoloading enabled in your
kernel and you have an empty 'modules' file in /etc/shorewall/; in that
case, Shorewall won't load a thing.
-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
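A check for the "load nothing" setup Tom describes, as an added shell example that is not part of the thread or of Shorewall itself: it reads HELPERS and LOAD_HELPERS_ONLY from a shorewall.conf-style file and confirms the /etc/shorewall/modules override is empty. The file paths are parameters, and treating a modules file that holds only comments and blank lines as "empty" is an assumption.

```shell
#!/bin/sh
# Added example, not Shorewall code. Verifies that a Shorewall host is
# configured so Shorewall loads no kernel modules on its own:
#   HELPERS=none and LOAD_HELPERS_ONLY=Yes in shorewall.conf,
#   plus an empty modules override (normally /etc/shorewall/modules).

# Print the value of KEY from a shorewall.conf-style file: last assignment
# wins, trailing comments, surrounding whitespace and double quotes are
# stripped. Prints nothing when the key is not set.
conf_get() {
    # $1 = conf file, $2 = key name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Return 0 when the configuration matches the setup from the thread,
# 1 otherwise; each problem is reported on stderr.
check_no_module_loading() {
    conf=$1
    modules=$2
    ok=0

    helpers=$(conf_get "$conf" HELPERS | tr 'A-Z' 'a-z')
    if [ "$helpers" != "none" ]; then
        echo "HELPERS is '$helpers', expected 'none'" >&2
        ok=1
    fi

    only=$(conf_get "$conf" LOAD_HELPERS_ONLY | tr 'A-Z' 'a-z')
    if [ "$only" != "yes" ]; then
        echo "LOAD_HELPERS_ONLY is '$only', expected 'Yes'" >&2
        ok=1
    fi

    # Without an override file the distribution's modules file would be
    # used, so a missing file fails just like a non-empty one. A file that
    # contains only comments and blank lines counts as empty (assumption).
    if [ ! -f "$modules" ]; then
        echo "no modules override at $modules" >&2
        ok=1
    elif grep -q '^[[:space:]]*[^#[:space:]]' "$modules"; then
        echo "$modules still lists modules" >&2
        ok=1
    fi

    return $ok
}
```

Run it as `check_no_module_loading /etc/shorewall/shorewall.conf /etc/shorewall/modules` on the firewall host; a zero exit status means Shorewall will leave module loading entirely to the kernel's autoloader.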