On 5/25/13 3:45 PM, "Dash Four" <[email protected]> wrote:
> >Tom Eastep wrote:
> >>> Well, maybe not... I think I figured it out. I *do* have
> >>> net.ipv4.ip_forward=0 in my /etc/sysctl.conf. Now, what I think is
> >>> happening is that when the system brings all my devices up, "firewall"
> >>> sets /proc/net.../ip_forward to 1, but then the sysctl.conf variable
> >>> kicks in at the end of my system configuration/start up, reverting what
> >>> shorewall has previously set up during the time when the network
> >>> devices were brought up. Is that scenario feasible?
> >>>
> >>
> >> Yes.
> >>
> >I suppose the only way out of this is to explicitly enable ip forwarding
> >via sysctl.conf. I'll do that and see what happens.

Good plan.

> >
> >>>>> 'local' is/was a legitimate option in Beta2/3.
> >>>>>
> >>>>>
> >>>> Not in Beta 3. Again, 'local' is a zone type.
> >>>>
> >>>>
> >>> Do I specify this in "OPTIONS", "IN OPTIONS" or "OUT OPTIONS"?
> >>>
> >>
> >> It is a zone TYPE.
> >>
> >Got it, thanks! So, instead of "ipv4" I need to specify "local", is that
> >it? What happens if this zone is ipv6 (or does shorewall care?)? I
> >still need shorewall to "handle" this zone though - I don't want it
> >completely ignored.

Shorewall doesn't restrict IPv6 at all (that is Shorewall6's job), provided
that you have DISABLE_IPV6=No in shorewall.conf.

> >
> >>> Shorewall has two places
> >>> where it manipulates this variable: at start where it does "echo 0 >
> >>> /proc/sys/net/netfilter/nf_conntrack_helper", and then again, when the
> >>> firewall is at stopped state it does the opposite - "echo 1 >
> >>> /proc/sys/net/netfilter/nf_conntrack_helper". I notice that there isn't
> >>> a diagnostic message displayed when this operation is done - maybe it
> >>> is a good idea for you to add one.
> >>>
> >>> If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all
> >>> of the above messages (or if the system's default value of
> >>> "nf_conntrack_helper" is 1), then simply adding
> >>> "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should
> >>> eliminate these obnoxious messages appearing, correct?
> >>>
> >>
> >> I frankly don't know -- I suggest trying it and seeing.
> >>
> >See what I already posted - I think it is to do with the fact that
> >shorewall "assumes" that I have this enabled by default and sets it up
> >when the firewall is in stopped state, which is wrong.
> >
> >> What output did it produce? The patch adds diagnostic messages and
> >> warnings; it doesn't change the logic.
> >>
> >Same as before:
> >
> >-bash-4.1# shorewall update -D
> >Updating...
> >Processing /etc/shorewall/params ...
> >Processing /etc/shorewall/shorewall.conf...
> >No update required to configuration file /etc/shorewall/shorewall.conf;
> >/etc/shorewall/shorewall.conf.bak not saved
> >
> >I did check that the patch was applied properly, before you ask (and no,
> >/etc/shorewall/interfaces is *not* updated).

Please post *all* of the output of 'shorewall update -D'.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
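The ordering problem discussed in this thread (an /etc/sysctl.conf value applied late in boot silently reverting what the firewall wrote under /proc/sys at start, both for net.ipv4.ip_forward and for net.netfilter.nf_conntrack_helper) is easy to catch with a small check before rebooting. The following POSIX sh script is an added example, not Shorewall code: it parses a sysctl.conf-style file and reports every key whose configured value differs from the value the firewall is expected to set. The sample configuration, the WANTED list of firewall-set values and the function names are constructed for the example; on a live host you would pass the contents of /etc/sysctl.conf (and any /etc/sysctl.d/*.conf) and compare against `sysctl -n KEY` after `shorewall start`.

```shell
#!/bin/sh
# Added example, not part of Shorewall: report sysctl.conf settings that
# would undo values a firewall writes under /proc/sys at startup.

# Constructed sample of an /etc/sysctl.conf with the two settings discussed
# in the thread (ip_forward disabled, automatic conntrack helper assignment
# left enabled).
SAMPLE_CONF='# sample sysctl.conf (constructed for this example)
net.ipv4.ip_forward = 0
net.netfilter.nf_conntrack_helper=1   ; trailing comment
kernel.sysrq = 0'

# Values the firewall is assumed to set when it starts (assumption for this
# example: ip_forward=1 so the box routes, nf_conntrack_helper=0 as the
# thread says Shorewall does at start). One key=value per line.
WANTED='net.ipv4.ip_forward=1
net.netfilter.nf_conntrack_helper=0'

# Reads sysctl.conf-style text on stdin and prints normalised key=value
# lines: '#'/';' comments and blank lines dropped, whitespace around '='
# removed, '/' in keys folded to '.' (sysctl(8) accepts both separators).
parse_sysctl_conf() {
    sed -e 's/[#;].*$//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
    | awk -F= '{ gsub("/", ".", $1); print $1 "=" $2 }'
}

# check_conflicts CONF_TEXT WANTED_TEXT
# For each wanted key, prints "KEY conf=X firewall=Y" when the conf assigns
# a different value. The last assignment in the conf wins, as it does for
# sysctl(8). Prints nothing for keys the conf does not touch.
check_conflicts() {
    parsed=$(printf '%s\n' "$1" | parse_sysctl_conf)
    oldifs=$IFS
    IFS='
'
    for want_line in $2; do
        key=${want_line%%=*}
        want=${want_line#*=}
        got=$(printf '%s\n' "$parsed" \
              | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -n "$got" ] && [ "$got" != "$want" ]; then
            printf '%s conf=%s firewall=%s\n' "$key" "$got" "$want"
        fi
    done
    IFS=$oldifs
}

# Number of conflicting keys, for use in scripts; 0 when there are none.
count_conflicts() {
    check_conflicts "$1" "$2" | grep -c . || true
}

# Stand-alone run against the constructed sample. On a real host use
# check_conflicts "$(cat /etc/sysctl.conf)" "$WANTED" instead.
check_conflicts "$SAMPLE_CONF" "$WANTED"
```

Each reported key is one that the late sysctl pass will overwrite; the fix Dash Four settled on (putting the firewall's intended value in sysctl.conf itself) makes the conf and the firewall agree, so the check then prints nothing.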
