Tom Eastep wrote:
>> I was right! It looks as though not all parts of the firewall file are
>> executed when ifupdown-local gets started, as opposed to a direct
>> "firewall start". Here is the diff produced before and after "shorewall
>> reload" (I've omitted the counter differences and other such "noise"):
>>

Well, maybe not... I think I figured it out. I *do* have net.ipv4.ip_forward=0 in my /etc/sysctl.conf. Now, what I think is happening is that when the system brings all my devices up, "firewall" sets /proc/net.../ip_forward to 1, but then the sysctl.conf variable kicks in at the end of my system configuration/start-up, reverting what shorewall has previously set up during the time when the network devices were brought up. Is that scenario feasible?

>> 'local' is/was a legitimate option in Beta2/3.
>>
>
> Not in Beta 3. Again, 'local' is a zone type.
>

Do I specify this in "OPTIONS", "IN OPTIONS" or "OUT OPTIONS"?

>> May 25 17:06:12 test1 kernel: [ 85.305983] xt_CT: No such helper "ftp"
>> May 25 17:06:12 test1 kernel: [ 85.369152] xt_CT: No such helper "ftp-0"
>> May 25 17:06:12 test1 kernel: [ 85.426916] xt_CT: No such helper "irc"
>> May 25 17:06:12 test1 kernel: [ 85.491393] xt_CT: No such helper "irc-0"
>> May 25 17:06:12 test1 kernel: [ 85.550423] xt_CT: No such helper "amanda"
>>
>> /var/log/shorewall.log (shorewall startup log)
>> ~~~~~~~~~~~~~~~~~~~~~~
>> May 25 17:06:09 Processing /etc/shorewall/start ...
>> May 25 17:06:10 Processing /etc/shorewall/started ...
>>
>> /var/log/shorewall-ifupdown.log (shorewall-init log)
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> [...]
>> May 25 17:05:54 /sbin/ifup-local: Executing /var/lib//shorewall/firewall -V0 up eth0
>>
>> *** Note the times - it looks as though it happens at the very beginning
>> (my guess is during shorewall compilation).
>>
>
> The 'start' and 'started' scripts are run at the very end of the firewall
> script's execution. Again, I want to look at the 'firewall' script.
>

I am assuming a similar thing is happening here. Although I do not have "net.netfilter.nf_conntrack_helper" set in my sysctl.conf (maybe I should explicitly disable it and set it to 0), I presume the "default" value if nothing is specified is 1 (enabled). Shorewall has two places where it manipulates this variable: at start, where it does "echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper", and then again, when the firewall is in the stopped state, it does the opposite - "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper". I notice that there isn't a diagnostic message displayed when this operation is done - maybe it is a good idea for you to add one.

If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all of the above messages (or if the system's default value of "nf_conntrack_helper" is 1), then simply adding "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should eliminate these obnoxious messages appearing, correct?

>>>>>> 6. "shorewall update -D" does not check all files in /etc/shorewall:
>>>>>>
>>>>>> Compiling /etc/shorewall/interfaces...
>>>>>> WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - consider
>>>>>> running 'shorewall update -D' /etc/shorewall/interfaces (line 17)
>>>>>>
>>>>>> -bash-4.1# shorewall update -D
>>>>>> Updating...
>>>>>> Processing /etc/shorewall/params ...
>>>>>> Processing /etc/shorewall/shorewall.conf...
>>>>>> No update required to configuration file /etc/shorewall/shorewall.conf;
>>>>>> /etc/shorewall/shorewall.conf.bak not saved
>>>>>>
>>>>>> "interfaces" is not changed (I had to do that manually).
>>>>>>
>>>>> Works for me.
>>>>>
>>>>> root@gateway:~# shorewall update -D
>>>>> Updating...
>>>>> Processing /etc/shorewall/params ...
>>>>> Processing /etc/shorewall/shorewall.conf...
>>>>> No update required to configuration file /etc/shorewall/shorewall.conf;
>>>>> /etc/shorewall/shorewall.conf.bak not saved
>>>>> Loading Modules...
>>>>> Converting 'FORMAT' and 'COMMENT' lines to compiler directives...
>>>>> File /etc/shorewall/interfaces updated - old file renamed
>>>>> /etc/shorewall/interfaces.bak
>>>>> Running /etc/shorewall/compile...
>>>>> Checking /etc/shorewall/zones...
>>>>> Checking /etc/shorewall/interfaces...
>>>>>
>>>> Well, it doesn't work here.
>>>>
>>> I suspect that it is something about the file itself -- did you save a
>>> copy?
>>>
>> -bash-4.1# ls -las /etc/shorewall
>> 8 drwx------. 3 root root 4096 May 25 16:50 .
>> [...]
>> 8 -rw-------. 1 root root 1135 May 15 19:13 interfaces
>>
>> All files in /etc/shorewall have their permissions set at 600 (rw only
>> on owner).
>> In addition, the whole /etc/ partition has the "noexec" attribute
>> set in my fstab to prevent code being executed on that partition.
>>
>> -bash-4.1# cat /etc/shorewall/interfaces
>> #
>> # Shorewall version 4 - Interfaces File
>> #
>> # For information about entries in this file, type "man shorewall-interfaces"
>> #
>> # The manpage is also online at
>> # http://www.shorewall.net/manpages/shorewall-interfaces.html
>> #
>> ###############################################################################
>> FORMAT 2
>> ###############################################################################
>> #ZONE INTERFACE OPTIONS
>> [...]
>>
>> So, on the face of it, nothing special apart from maybe the file
>> permissions.
>>
>
> Please apply the attached debugging patch and post the output produced by
> 'update -D'.
>

Nada! Same result as before - with or without this patch.
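The sysctl.conf-versus-runtime scenario discussed in this thread (a persisted net.ipv4.ip_forward=0 silently undoing the value the firewall script wrote to /proc during boot) can be caught with a small drift check. This is an added example, not code from the thread or from Shorewall; it compares a sysctl.conf-style file with a file of key=value runtime lines, and both inputs below are constructed samples (on a live system the runtime file would be built from `sysctl -a` or by reading /proc/sys).

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): report keys whose persisted
# sysctl.conf value differs from the value currently in effect, so that a
# firewall-managed setting such as net.ipv4.ip_forward or
# net.netfilter.nf_conntrack_helper being reverted at the end of boot is visible.

# sysctl_drift CONF RUNTIME
# CONF:    sysctl.conf-style file ("key = value", '#' comments, '/' or '.' separators)
# RUNTIME: file of "key=value" lines (constructed here; stand-in for /proc/sys)
# Prints "key persisted=X runtime=Y" per differing key; returns 1 if any differ.
sysctl_drift() {
    conf="$1"; runtime="$2"
    found=$(
        # drop comments and blank lines, strip whitespace, normalise '/' to '.'
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]//g' -e 's#/#.#g' "$conf" |
        while IFS='=' read -r key want; do
            esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
            have=$(sed -n "s/^${esc}=//p" "$runtime")
            [ -z "$have" ] && continue                    # key not present at runtime
            [ "$have" != "$want" ] && echo "$key persisted=$want runtime=$have"
        done
    )
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Constructed sample inputs: ip_forward persisted as 0 but set to 1 by the firewall.
tmpd=$(mktemp -d)
cat > "$tmpd/sysctl.conf" <<'EOF'
# persisted settings (constructed sample)
net.ipv4.ip_forward = 0
net.netfilter.nf_conntrack_helper = 0
kernel/panic = 10
EOF
cat > "$tmpd/runtime" <<'EOF'
net.ipv4.ip_forward=1
net.netfilter.nf_conntrack_helper=0
kernel.panic=10
EOF

if sysctl_drift "$tmpd/sysctl.conf" "$tmpd/runtime"; then
    echo "no drift between sysctl.conf and runtime"
else
    echo "drift detected: sysctl.conf would revert the runtime value at next apply"
fi
```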
