Tom Eastep wrote:
>> Well, maybe not... I think I figured it out. I *do* have
>> net.ipv4.ip_forward=0 in my /etc/sysctl.conf. Now, what I think is
>> happening is that when the system brings all my devices up, "firewall"
>> sets /proc/net.../ip_forward to 1, but then the sysctl.conf variable
>> kicks in at the end of my system configuration/start up, reverting what
>> shorewall has previously set up during the time when the network
>> devices were brought up. Is that scenario feasible?
>
> Yes.

I suppose the only way out of this is to explicitly enable ip forwarding via sysctl.conf. I'll do that and see what happens.

>>>> 'local' is/was a legitimate option in Beta2/3.
>>>
>>> Not in Beta 3. Again, 'local' is a zone type.
>>
>> Do I specify this in "OPTIONS", "IN OPTIONS" or "OUT OPTIONS"?
>
> It is a zone TYPE.

Got it, thanks! So, instead of "ipv4" I need to specify "local", is that it? What happens if this zone is ipv6 (or does shorewall care)? I still need shorewall to "handle" this zone though - I don't want it completely ignored.

>> Shorewall has two places
>> where it manipulates this variable: at start where it does "echo 0 >
>> /proc/sys/net/netfilter/nf_conntrack_helper", and then again, when the
>> firewall is at stopped state it does the opposite - "echo 1 >
>> /proc/sys/net/netfilter/nf_conntrack_helper". I notice that there isn't
>> a diagnostic message displayed when this operation is done - maybe it is
>> a good idea for you to add one.
>>
>> If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all
>> of the above messages (or if the system's default value of
>> "nf_conntrack_helper" is 1), then simply adding
>> "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should
>> eliminate these obnoxious messages appearing, correct?
>
> I frankly don't know -- I suggest trying it and see.

See what I already posted - I think it is to do with the fact that shorewall "assumes" that I have this enabled by default and sets it up when the firewall is in stopped state, which is wrong.

> What output did it produce? The patch adds diagnostic messages and
> warnings; it doesn't change the logic.

Same as before:

-bash-4.1# shorewall update -D
Updating...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
No update required to configuration file /etc/shorewall/shorewall.conf; /etc/shorewall/shorewall.conf.bak not saved

I did check that the patch was applied properly, before you ask (and no, /etc/shorewall/interfaces is *not* updated).
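The ordering problem described above (the firewall sets ip_forward at boot, then sysctl.conf is applied later and silently reverts it) shows up as a disagreement between the persisted and live values. The following is an added example, not code from the thread or from Shorewall, that reports such drift; the fixture directory, its sample sysctl.conf and the live values in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report sysctl keys whose value persisted in a sysctl.conf-style
# file disagrees with the live value under a /proc/sys tree. The /proc/sys root is
# a parameter so the check can run against a constructed tree as well as a host.

# sysctl_drift CONF_FILE PROC_SYS_ROOT
# Prints one line per mismatch: "<key> persisted=<conf value> live=<live value>".
sysctl_drift() {
    conf="$1"; root="$2"
    # Drop comments and blank lines; accept both "key = value" and "key=value".
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        # A dotted sysctl key maps onto a /proc/sys path: net.ipv4.ip_forward -> net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "$key persisted=$val live=<missing>"
            continue
        fi
        live=$(cat "$path")
        [ "$live" = "$val" ] || echo "$key persisted=$val live=$live"
    done
}

# make_fixture: constructed sample (not a real host) mirroring the thread:
# sysctl.conf persists ip_forward=0 and nf_conntrack_helper=0, while the live tree
# shows both at 1 (firewall set ip_forward; kernel default kept nf_conntrack_helper).
# rp_filter agrees on both sides and must not be reported. Prints the fixture dir.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sys/net/ipv4/conf/all" "$dir/sys/net/netfilter"
    echo 1 > "$dir/sys/net/ipv4/ip_forward"
    echo 1 > "$dir/sys/net/netfilter/nf_conntrack_helper"
    echo 1 > "$dir/sys/net/ipv4/conf/all/rp_filter"
    cat > "$dir/sysctl.conf" <<'EOF'
# constructed sysctl.conf sample
net.ipv4.ip_forward = 0
net.netfilter.nf_conntrack_helper=0
net.ipv4.conf.all.rp_filter = 1
EOF
    echo "$dir"
}

# On a real host run: sysctl_drift /etc/sysctl.conf /proc/sys
fixture=$(make_fixture)
sysctl_drift "$fixture/sysctl.conf" "$fixture/sys"
```

Running it after the firewall has started and again after the full boot sequence has finished shows which keys the late sysctl.conf pass has reverted.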
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
