Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>
>> I do not know the internals of shorewall, and this is my first
>> (possible) bug report so I relied on the fact you will ask for relevant
>> information.
>> I added both requests as file attachments.
>>
>
> Thank you for the additional information.
>
> There is a defect in Shorewall that causes the startup failure when an
> optional interface has multiple providers through it and Shorewall is
> unable to determine the MAC address of one or more of the GATEWAYs. That
> bug will be somewhat difficult to fix and, when fixed, your firewall
> still won't restart properly under the same circumstances.
>
> While the bridge is being started prior to the 'shorewall restart', it
> appears that the bridge is not yet fully functional. Adding a few-second
> 'sleep' in /etc/shorewall/init may help.
>

I have noticed that br0, even when up, does not function for 5-10 seconds more. That also happens on my desktop, with a br0 interface connected to eth0 and VirtualBox virtual machines, without any firewall whatsoever. The Network Monitor tray icon starts flashing active, but ping does not work for several seconds more.
> I notice in the .iptables-restore-input that when Shorewall does come
> up, the following rules are generated:
>
> -A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK
> --set-mark 1
> -A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK
> --set-mark 2
>
> Note the identical MAC addresses in the two rules -- without seeing
> /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall bug or
> a configuration error.
>

That is not a bug. I have only one gateway machine, using one NIC (one MAC) for both public subnets. The diagram is:

Server (unit in question) with 1 NIC and 2 public IPs on 2 public subnets
  ------> 1 Cat5 cable ------>
  ------> 1 NIC with 2 public IPs on 2 public subnets, both acting as gateways, on a StarV3 wireless router that uses RIP + policy routing to separate traffic.

I know I have a VERY interesting (and difficult) setup, and I want you to know that I am very happy with Shorewall. I am starting to print all the documentation I can get about the new Shorewall (I already have the 3.x manuals), and I am going to even write a few howtos. One will use several virtual machines (for several tasks) on 1 physical server with 1 (or more) NICs and several public IPs from several ISPs. This setup should be quite common for providing redundancy for small ISPs that have several uplinks but want to avoid BGP routing. I believe that the CentOS/KVM/Shorewall/Webmin/Virtualmin combination is the way to go; I've already collected quite a few RPMs backported from the latest Fedora RPMs (shorewall, everything for KVM deployment, freeradius...), and I am planning to document the complete process.

The thing that would be nice to see is an updated Webmin module for Shorewall, at least the possibility to select currently inaccessible files (like tc_rules) for manual editing. That would make my Shorewall howtos much easier to follow.
I will also try the init workaround and report the results, and you could maybe think about adding it as a configuration value to avoid tainting the internals.

Ljubomir

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
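The workaround discussed in this thread is a fixed 'sleep' in /etc/shorewall/init so that the bridge has time to come up before Shorewall tries to read the gateway MAC. The script below is an added example, not code from the thread, from Shorewall, or from the poster: it replaces the blind sleep with a bounded poll that returns as soon as the kernel neighbour table has a hardware address for the gateway, and gives up after a deadline instead of hanging the restart forever. It assumes that /etc/shorewall/init is sourced by a POSIX shell, that iproute2 (`ip`) and iputils `ping` are available, and that pinging the gateway is what triggers ARP resolution (the interface name br0 and the gateway address 192.0.2.1 are placeholders).

```bash
#!/bin/sh
# Added example for /etc/shorewall/init: wait for the bridge gateway's MAC
# to be resolvable instead of sleeping a fixed number of seconds.
# Not Shorewall's own code. Assumes a POSIX sh, iproute2 and iputils ping.

# wait_until CMD TIMEOUT [INTERVAL]
# Evaluate the shell command string CMD every INTERVAL seconds (default 1)
# until it exits 0 or TIMEOUT seconds have elapsed. One final attempt is made
# at the deadline. Returns 0 on success, 1 on timeout.
wait_until() {
    cmd=$1
    timeout=$2
    interval=${3:-1}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if eval "$cmd"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    eval "$cmd" && return 0
    return 1
}

# gateway_mac_known IFACE GATEWAY
# True when the kernel neighbour table holds a link-layer address (lladdr)
# for GATEWAY on IFACE. A single ping is sent first so that an ARP request
# goes out; an INCOMPLETE or FAILED entry has no lladdr and counts as unknown.
gateway_mac_known() {
    iface=$1
    gw=$2
    ping -c 1 -W 1 -I "$iface" "$gw" >/dev/null 2>&1
    ip -4 neigh show "$gw" dev "$iface" 2>/dev/null | grep -q 'lladdr'
}

# Usage inside /etc/shorewall/init (hypothetical interface and gateway).
# Shorewall continues either way; the message on timeout leaves a trace in
# the start log instead of silently producing a broken provider.
# wait_until 'gateway_mac_known br0 192.0.2.1' 30 ||
#     echo "br0: gateway 192.0.2.1 MAC still unknown after 30s" >&2
```

The poll is deliberately bounded: an unbounded loop in an extension script would turn the bug described above (Shorewall unable to determine a GATEWAY MAC) into a restart that never completes. If the bridge needs more than the deadline, raise the timeout rather than removing it.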
