On 3/2/2014 8:26 AM, Tom Eastep wrote:
> On 3/1/2014 8:42 AM, matt darfeuille wrote:
>> hi,
>>
>> I also applied the patch on shorewall 4.5.21.6 using
>> "patch /usr/share/shorewall/Shorewall/Misc.pm ADMINISABSENTMINDED.patch".
>>
>> If I use hosts listed in the routestopped file (deprecated) the
>> traffic is allowed as expected, but if I use the stoppedrules file the
>> connections are refused no matter what rules I put in the
>> stoppedrules!
>>
>> In other words, with the patch installed I can no longer use the
>> stoppedrules file to determine which hosts should still have access
>> through the firewall when it is stopped.
>
> I have reverted that patch and will look at this again when time permits.
>
I'm sending this to the Development list to solicit your feedback.

The documented behavior of ADMINISABSENTMINDED=No is that existing connections are not allowed after 'stop'. The implementation, however, allows existing connections to continue. The connections continue because of ESTABLISHED,RELATED rules that are installed during 'stop' processing.

If those rules are omitted, then the stoppedrules file behavior is totally broken. The routestopped file continues to work correctly because the rules in that file are largely bidirectional.

What to do?

I'm leaning toward treating the stoppedrules file as if ADMINISABSENTMINDED=Yes. Recall that if there are any entries in routestopped, then stoppedrules is not processed. That way, we can restore the documented ADMINISABSENTMINDED=No behavior for existing routestopped users and still make stoppedrules work correctly.

Comments?

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
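The interaction Tom describes (the ESTABLISHED,RELATED rules keep pre-existing connections alive, which contradicts ADMINISABSENTMINDED=No, yet dropping them breaks one-directional stoppedrules entries while bidirectional routestopped entries keep working) can be checked with a small stateful-filter model. The following is an added illustration, not Shorewall code; the addresses, the rule layout and the helper names (run_stop_scenario, accepts) are constructed for the example, and a connection is tracked here simply as an unordered address pair.

```python
"""Toy model of a firewall's 'stop' ruleset (added example, not Shorewall code).

It shows the two effects discussed on the list:
  * with the ESTABLISHED rule present, a connection that existed before
    'stop' keeps flowing (documented ADMINISABSENTMINDED=No says it should not);
  * without it, a one-directional stoppedrules entry accepts the admin's
    inbound packet but drops the firewall's reply, so the session fails,
    whereas a bidirectional routestopped-style pair still works.
"""
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    direction: str  # "in" = arriving at the firewall, "out" = leaving it
    src: str
    dst: str


class Rule(NamedTuple):
    direction: Optional[str] = None  # None matches either direction
    src: Optional[str] = None        # None matches any address
    dst: Optional[str] = None
    state: Optional[str] = None      # "ESTABLISHED" models the conntrack rule


FW = "198.51.100.1"    # constructed: the firewall's own address
ADMIN = "192.0.2.10"   # constructed: host listed in stoppedrules / routestopped
OTHER = "203.0.113.5"  # constructed: host with a connection opened before 'stop'

# A stoppedrules entry is one-directional: allow ADMIN -> firewall only.
STOPPEDRULES = [Rule(direction="in", src=ADMIN, dst=FW)]
# A routestopped entry was expanded into rules for both directions.
ROUTESTOPPED = [Rule(direction="in", src=ADMIN, dst=FW),
                Rule(direction="out", src=FW, dst=ADMIN)]
# The rule 'stop' processing installs before the policy rules.
ESTABLISHED = Rule(state="ESTABLISHED")


def accepts(rules, conntrack, pkt):
    """First-match evaluation; conntrack is a set of frozenset({a, b}) pairs."""
    for r in rules:
        if r.state == "ESTABLISHED":
            if frozenset((pkt.src, pkt.dst)) in conntrack:
                return True
            continue
        if r.direction not in (None, pkt.direction):
            continue
        if r.src not in (None, pkt.src):
            continue
        if r.dst not in (None, pkt.dst):
            continue
        return True
    return False  # no match: the stopped firewall drops the packet


def run_stop_scenario(policy_rules, keep_established):
    """Return what happens to three packets after 'stop' with the given rules."""
    rules = ([ESTABLISHED] if keep_established else []) + policy_rules
    # One connection from OTHER already existed when the firewall was stopped.
    conntrack = {frozenset((OTHER, FW))}
    results = {}
    # 1. the admin host opens a new connection to the firewall
    results["admin_new"] = accepts(rules, conntrack, Packet("in", ADMIN, FW))
    if results["admin_new"]:
        conntrack.add(frozenset((ADMIN, FW)))
    # 2. the firewall's reply on that new connection
    results["admin_reply"] = accepts(rules, conntrack, Packet("out", FW, ADMIN))
    # 3. a further packet on the connection that predates 'stop'
    results["other_existing"] = accepts(rules, conntrack, Packet("in", OTHER, FW))
    return results


if __name__ == "__main__":
    for name, policy in (("stoppedrules", STOPPEDRULES), ("routestopped", ROUTESTOPPED)):
        for keep in (True, False):
            print(name, "ESTABLISHED rule" if keep else "no ESTABLISHED rule",
                  run_stop_scenario(policy, keep))
```

Run as a script it prints the four combinations: only the routestopped pair without the ESTABLISHED rule gives both a working admin session and a dropped pre-existing connection, which is the documented ADMINISABSENTMINDED=No behavior; stoppedrules without that rule loses the reply packet, and either file with the rule present lets the pre-existing connection continue.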
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
