On 03/03/2014 04:09 AM, Tom Eastep wrote:
> On 3/2/2014 8:26 AM, Tom Eastep wrote:
>> On 3/1/2014 8:42 AM, matt darfeuille wrote:
>>> hi,
>>>
>>> I also applied the patch on shorewall 4.5.21.6 using "patch
>>> /usr/share/shorewall/Shorewall/Misc.pm ADMINISABSENTMINDED.patch".
>>>
>>> If I use hosts listed in the routestopped file (deprecated) the
>>> traffic is allowed as expected, but if I use the stoppedrules file the
>>> connections are refused no matter what rules I put in the
>>> stoppedrules!
>>>
>>> In other words, with the patch installed I can no longer use the
>>> stoppedrules file to determine which hosts should still have access
>>> through the firewall when it is stopped.
>>
>> I have reverted that patch and will look at this again when time permits.
>>
> I'm sending this to the Development list to solicit your feedback.
>
> The documented behavior of ADMINISABSENTMINDED=No is that existing
> connections are not allowed after 'stop'. The implementation, however,
> allows existing connections to continue.
>
> The connections continue because of ESTABLISHED,RELATED rules that are
> installed during 'stop' processing. If those rules are omitted, then the
> stoppedrules file behavior is totally broken. The routestopped file
> continues to work correctly because the rules in that file are largely
> bidirectional.
>
> What to do? I'm leaning toward treating the stoppedrules file as if
> ADMINISABSENTMINDED=Yes. Recall that if there are any entries in
> routestopped, then stoppedrules is not processed. That way, we can
> restore the documented ADMINISABSENTMINDED=No behavior for existing
> routestopped users and still make stoppedrules work correctly.
>
> Comments?
Hi Tom,

I don't think I have ever used 'shorewall stop', and I always set
ADMINISABSENTMINDED=Yes, so that suggestion makes perfect sense to me.

Regards,
Paul

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
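As an added illustration of the reasoning in Tom's message (this is a constructed model, not code from the thread or from Shorewall itself), a small Python simulation of the ruleset left in place after 'stop': explicit ACCEPT pairs, the optional ESTABLISHED,RELATED rules, and a connection-tracking table. The host names and the single-connection scenario are constructed assumptions; stoppedrules entries are modelled as one-directional and routestopped entries as bidirectional, as the message describes.

```python
from dataclasses import dataclass, field

FW, LAN_HOST, OTHER_HOST = "firewall", "lan-host", "other-host"  # constructed names


@dataclass
class StopRuleset:
    """Model of the rules in place after 'shorewall stop' (not Shorewall's own code)."""
    accept: set = field(default_factory=set)     # (src, dst) pairs accepted regardless of state
    established_related: bool = False            # whether the ESTABLISHED,RELATED rules are installed
    conntrack: set = field(default_factory=set)  # flows already seen, as (src, dst)

    @classmethod
    def from_stoppedrules(cls, entries, established_related):
        # stoppedrules entries are directional: ACCEPT <src> <dst> only
        return cls(accept=set(entries), established_related=established_related)

    @classmethod
    def from_routestopped(cls, hosts, established_related):
        # routestopped entries produce rules in both directions for each host
        pairs = {(h, FW) for h in hosts} | {(FW, h) for h in hosts}
        return cls(accept=pairs, established_related=established_related)

    def packet(self, src, dst):
        """Return the verdict for one packet and record new flows in conntrack."""
        flow, reverse = (src, dst), (dst, src)
        if self.established_related and (flow in self.conntrack or reverse in self.conntrack):
            return "ACCEPT"  # part of a connection the firewall already knows about
        if flow in self.accept:
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"


def handshake_completes(rs):
    """SYN from the LAN host to the firewall, then the firewall's SYN/ACK reply."""
    return rs.packet(LAN_HOST, FW) == "ACCEPT" and rs.packet(FW, LAN_HOST) == "ACCEPT"


def existing_connection_survives(rs, host):
    """A connection from `host` that was open before 'stop' sends another packet."""
    rs.conntrack.add((host, FW))
    return rs.packet(host, FW) == "ACCEPT"
```

Without the ESTABLISHED,RELATED rules the reply to a stoppedrules-permitted connection is dropped, while a routestopped host still works because its reverse rule is explicit; with those rules present, an unlisted host's pre-existing connection keeps flowing, which is the gap between the documented and the implemented ADMINISABSENTMINDED=No behaviour.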
