>> The 'start' and 'started' scripts are run at the very end of the firewall script's execution. Again, I want to look at the 'firewall' script.
>
> I am assuming a similar thing is happening here. Although I do not have "net.netfilter.nf_conntrack_helper" set in my sysctl.conf (maybe I should explicitly disable it and set it to 0), I presume the "default" value if nothing is specified is 1 (enabled). Shorewall has two places where it manipulates this variable: at start, where it does "echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper", and then again, when the firewall is in the stopped state, it does the opposite - "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper". I notice that there isn't a diagnostic message displayed when this operation is done - maybe it is a good idea for you to add one.
>
> If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all of the above messages (or if the system's default value of "nf_conntrack_helper" is 1), then simply adding "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should eliminate these obnoxious messages appearing, correct?

I think this error comes from shorewall-init.
When the system boots up, shorewall-init is started first, before any of the interfaces or shorewall are brought up/started. shorewall-init compiles "firewall" *and* stops the firewall, triggering "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper". Since "nf_conntrack_helper" is now in the enabled state, when the interfaces are then brought up one by one by the system, this causes all of the messages to appear. This is self-evident from the repeated helper messages I enclosed previously - they repeat 3 times, which is exactly the number of devices I asked the OS to bring up at startup.

Even if I explicitly disable the helpers in my sysctl.conf file, that won't do me any good, since the compiled "firewall" script explicitly enables my helpers when the firewall is stopped, which is wrong and should be corrected.

Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
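The silent re-enable described in this message can be caught with a check like the following. This is an added example, not Shorewall's own code: it compares the value that sysctl.conf requests for net.netfilter.nf_conntrack_helper with the live kernel value and reports a mismatch. The file paths are parameters (defaulting to the real ones) so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the Shorewall project): report when the live
# nf_conntrack_helper value disagrees with what sysctl.conf asks for.

# Print the value sysctl.conf requests for net.netfilter.nf_conntrack_helper.
# Comments are stripped, '.' or '/' is accepted as separator, and the last
# matching line wins (the file is applied in order). Prints nothing if the
# key is absent or the file is unreadable.
sysctl_conf_helper_value() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || return 0
    sed -e 's/[#;].*$//' "$conf" \
      | sed -n -e 's#^[[:space:]]*net[./]netfilter[./]nf_conntrack_helper[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$#\1#p' \
      | tail -n 1
}

# Print the live kernel value: 0 = helpers only via explicit CT rules,
# 1 = automatic helper assignment (the state that produces the messages).
live_helper_value() {
    proc="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    [ -r "$proc" ] || return 1
    tr -d '[:space:]' < "$proc"
}

# Return 0 when the kernel matches sysctl.conf (or the key is unset),
# 1 on a mismatch (e.g. after a stop echoed 1 into the proc file),
# 2 when the proc file cannot be read.
check_helper_consistency() {
    want=$(sysctl_conf_helper_value "$1")
    have=$(live_helper_value "$2") || {
        echo "cannot read nf_conntrack_helper" >&2
        return 2
    }
    if [ -z "$want" ]; then
        echo "sysctl.conf does not set nf_conntrack_helper; live value is $have"
        return 0
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: sysctl.conf wants nf_conntrack_helper=$want, kernel has $have"
        return 1
    fi
    echo "nf_conntrack_helper=$have matches sysctl.conf"
    return 0
}
```

Run it from a boot-time hook after the firewall scripts have finished to surface the re-enable that currently happens without any diagnostic.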
