Re: [Shorewall-users] strange bug/problem with shorewall after centos-5.2 update

Sun, 29 Jun 2008 06:54:44 -0700 

Farkas Levente wrote:

hi,
we use shorewall for many years. noew we update our firewall to centos 5.2. where run shorewall-lite and there is an internal server which is the administrative system. now the following happend. after the firewall reboot shorewall (or iptables or the system denied all external connections (although shorewall-lite is started). now if i restart it: 
/sbin/service shorewall-lite restart
then everything work. or if from the administrative system i issue a:
/sbin/shorewall reload -s -c portal
than it also works again. so each of the above command is enough. so it was easy to find a workaround i simple put into rc.local: 
/sbin/service shorewall-lite restart
but imho it's still a bug and i don't know how to find the reason.


Compare the output of 'shorewall-lite dump' before and after the restart.


the only difference what i find in the sysinit script is -f option to 
shorewall but in /var/lib/shorewall-lite/ the file firewall and restore 
are the same.



The files /var/lib/shorewall-lite/firewall and /var/lib/shorewall/restore 
are supposed to be the same if you have done a 'shorewall-lite save'.



if i comment out the -f option then it's working without any workaround 
(or this is the workaround).

so what can be the reason?




The file /var/lib/shorewall-lite/.iptables-restore-input is probably wrong. 
But since I can't see it, I can't tell you what is wrong with it.


You can try this experiment:

a) cd /var/lib/shorewall-lite
b) mv .iptables-restore-input bad-input
c) shorewall-lite save
d) diff -au bad-input .iptables-restore-input

What are the differences?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Attachment:
signature.asc

Description: OpenPGP digital signature


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users






















					Reply via email to