Hi,
in Debian's shorewall-init runscript there seems to be an error in the
shorewall_start function. See
<http://sourceforge.net/p/shorewall/code/ci/master/tree/Shorewall-init/init.debian.sh#l120>:
> else
> echo echo_notdone
> fi
> done
>
> echo "done."
>
> return 0
> }
Instead of calling the echo_notdone function, it is echoing echo_notdone...
Currently:
> Sun Jun 15 02:21:53 2014: Initializing "Shorewall-based firewalls":
> Compiling...
> Sun Jun 15 02:21:53 2014: /var/lib/shorewall/firewall is up to date -- no
> compilation required
> Sun Jun 15 02:21:53 2014: echo_notdone
> Sun Jun 15 02:21:53 2014: Compiling...
> Sun Jun 15 02:21:53 2014: /var/lib/shorewall6/firewall is up to date -- no
> compilation required
> Sun Jun 15 02:21:53 2014: echo_notdone
> Sun Jun 15 02:21:53 2014: done.
> Sun Jun 15 02:21:56 2014: [....] Configuring network interfaces...Waiting for
> DAD... Done
> Sun Jun 15 02:21:59 2014: done.
> Sun Jun 15 02:21:59 2014: [ ok ] Cleaning up temporary files....
> Sun Jun 15 02:21:59 2014: [ ok ] Setting up X socket directories...
> /tmp/.X11-unix /tmp/.ICE-unix.
> Sun Jun 15 02:21:59 2014: Starting "Shorewall firewall": done.
> Sun Jun 15 02:21:59 2014: Starting "Shorewall6 firewall": done.
> Sun Jun 15 02:21:59 2014: INIT: Entering runlevel: 2
If you fix the problem (remove the "echo") the new output will be
> Sun Jun 15 02:39:09 2014: Initializing "Shorewall-based firewalls":
> Compiling...
> Sun Jun 15 02:39:09 2014: /var/lib/shorewall/firewall is up to date -- no
> compilation required
> Sun Jun 15 02:39:09 2014: not done.
> Sun Jun 15 02:39:12 2014: [....] Configuring network interfaces...Waiting for
> DAD... Done
> Sun Jun 15 02:39:15 2014: done.
> Sun Jun 15 02:39:15 2014: [ ok ] Cleaning up temporary files....
> Sun Jun 15 02:39:15 2014: [ ok ] Setting up X socket directories...
> /tmp/.X11-unix /tmp/.ICE-unix.
> Sun Jun 15 02:39:15 2014: Starting "Shorewall firewall": done.
> Sun Jun 15 02:39:15 2014: Starting "Shorewall6 firewall": done.
> Sun Jun 15 02:39:15 2014: [FAIL] startpar: service(s) returned failure:
> shorewall-init ... failed!
> Sun Jun 15 02:39:15 2014: INIT: Entering runlevel: 2
This uncovers two additional problems:
1) shorewall-init isn't doing its job. I added "set -x" to see why
> if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
fails:
> Sun Jun 15 02:46:43 2014: Initializing "Shorewall-based firewalls": +
> setstatedir
> Sun Jun 15 02:46:43 2014: + local statedir
> Sun Jun 15 02:46:43 2014: + [ -f /etc/shorewall/vardir ]
> Sun Jun 15 02:46:43 2014: + [ -n ]
> Sun Jun 15 02:46:43 2014: + STATEDIR=/var/lib//shorewall
> Sun Jun 15 02:46:43 2014: + [ shorewall = shorewall -o shorewall = shorewall6
> ]
> Sun Jun 15 02:46:43 2014: + /sbin/shorewall -V0 compile -c
> Sun Jun 15 02:46:43 2014: Compiling...
> Sun Jun 15 02:46:43 2014: /var/lib/shorewall/firewall is up to date -- no
> compilation required
> Sun Jun 15 02:46:43 2014: + [ -x /var/lib//shorewall/shorewall/firewall ]
> Sun Jun 15 02:46:43 2014: + echo_notdone
> Sun Jun 15 02:46:43 2014: + echo not done.
> Sun Jun 15 02:46:43 2014: not done.
Looks like $PRODUCT is not needed, because it is already set with STATEDIR?
2) The shorewall and shorewall6 runscript should start *after*
shorewall-init.
Tested with shorewall*-4.5.21.9-1 on Debian jessie/testing. But should
also affect stable (wheezy) and old stable (squeeze).
-Thomas
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
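
Added example, not part of the original message and not the shorewall-init script itself: a sandboxed reproduction of the two behaviours reported above, showing that the branch which echoes the helper's name leaves the exit status at 0, and that the path test repeats the product name `STATEDIR` already contains. The bodies of `echo_notdone` and `setstatedir` and the three `check_*` names are assumptions modelled on the quoted `set -x` trace; the directory tree is constructed.

```shell
#!/bin/sh
# Constructed sandbox standing in for /var/lib; no real Shorewall files are touched.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
for p in shorewall shorewall6; do
    mkdir -p "$SANDBOX/$p"
    printf '#!/bin/sh\nexit 0\n' > "$SANDBOX/$p/firewall"
    chmod +x "$SANDBOX/$p/firewall"
done

# Assumed helper: prints the status text seen in the trace and reports failure.
echo_notdone() { echo "not done."; return 1; }

# Assumed shape, matching the trace: STATEDIR already ends in the product name.
setstatedir() { STATEDIR="$SANDBOX/$PRODUCT"; }

# As reported: the failure branch echoes the helper's name, so status stays 0.
check_as_reported() {
    PRODUCT=$1; setstatedir
    if [ -x "${STATEDIR}/$PRODUCT/firewall" ]; then
        echo "found"
    else
        echo echo_notdone
    fi
}

# Helper actually called: the doubled product name in the path now surfaces as a failure.
check_helper_called() {
    PRODUCT=$1; setstatedir
    [ -x "${STATEDIR}/$PRODUCT/firewall" ] || echo_notdone
}

# Product name dropped from the test, as the message suggests.
check_path_fixed() {
    PRODUCT=$1; setstatedir
    [ -x "${STATEDIR}/firewall" ] || echo_notdone
}

for p in shorewall shorewall6; do
    echo "$p:"
    check_as_reported "$p";   echo "  as reported   -> status $?"
    check_helper_called "$p"; echo "  helper called -> status $?"
    check_path_fixed "$p";    echo "  path fixed    -> status $?"
done
```

The first variant prints `echo_notdone` with status 0, which is why the boot log showed no failure even though the compiled firewall script was never found.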