Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>
>>> There is a defect in Shorewall that causes the startup failure when
>>> an optional interface has multiple providers through it and
>>> Shorewall is unable to determine the MAC address of one or more of
>>> the GATEWAYs. That bug will be somewhat difficult to fix and, when
>>> fixed, your firewall still won't restart properly under the same
>>> circumstances.
>
> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
> prevent the startup failure. If the MAC of the remote gateway is not
> detectable, the provider does not come up.

Does that mean that it will never start, or that it will start after some period? In my case, not starting at all would cause that machine to be without any routed network connection. I will test the init delay in some 2 hours and if it works, then I will just use that option. I have never patched anything yet, so I will try to patch it, but I am not sure I will test this on this unit before a thorough backup of the current working system.

>> I have noticed that br0, even when up, does not function for 5-10
>> seconds more. That happens also on my desktop with a br0 interface
>> connected to eth0 and VirtualBox virtual machines, but without any
>> firewall whatsoever. The Network Monitor tray icon starts flashing
>> active, but ping does not work for several seconds more.
>
> That explains the failure then.
>
>>> Note the identical MAC addresses in the two rules -- without seeing
>>> /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall
>>> bug or a configuration error.
>>>
>> That is not a bug. I have only one gateway machine, using one NIC
>> (one MAC) for both public subnets.
>
> Thanks for the explanation.
>
>> I believe that the CentOS/KVM/Shorewall/Webmin/Virtualmin combination is
>> the way to go,
>
>> The thing that would be nice to see is an updated Webmin module for
>> Shorewall, at least the possibility to select currently inaccessible
>> files (like tc_rules) for manual editing. That would make my
>> Shorewall howtos much easier to follow.
>
> Maintenance of the Webmin module is outside of the Shorewall project.

It would be a good way of promoting your excellent software. I was not asking you to work on it yourself; my thought was that you might know someone among your co-developers or helpers who is able to work on it a little, or just contact the Webmin developers and assist them (give them pointers and tell them what to enhance) so that the Shorewall module is easier to work with. With KVM/Xen... maturity, Webmin is more and more becoming the best way to maintain virtual servers. Ensuring there are fresh binaries for the most popular distros and an enhanced Webmin module would do wonders for Shorewall's popularization. As I progress in learning how to master RPM building, I intend to be active in several communities, including Shorewall's, to see how much I can help. I cannot promise anything, but I have the will to find the time.

>> I will also try the init workaround and report the results, and you
>> could maybe think about adding it as a configuration value to avoid
>> tainting the internals.
>
> /etc/shorewall/init is intended for just this sort of thing. Adding
> commands to that file is not 'tainting the internals'.

You are right, I was not looking at the location of the file, sorry. I assumed without reading that it's an rc.d init script. I guess the holiday atmosphere (Orthodox Easter) got me too relaxed.

Ljubomir

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
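The init delay discussed in the thread, as an added example that is not from the thread or from Shorewall itself: a POSIX sh fragment for /etc/shorewall/init that holds the start until the bridge gateway answers and its MAC is present in the neighbour table, which is the condition Shorewall needs for the provider. The gateway 192.0.2.1, the interface br0 and the 30 attempts are assumed placeholders.

```shell
#!/bin/sh
# Added example for /etc/shorewall/init (not Shorewall's own code): wait
# until br0 really forwards traffic before provider setup runs, so the
# gateway MAC is detectable. Gateway 192.0.2.1, interface br0 and the
# 30 x 1 s limit are assumed placeholders, not values from the thread.

# probe_gateway GATEWAY IFACE
# Returns 0 once GATEWAY answers one ping over IFACE and the reply has
# left a resolved MAC (lladdr) in the neighbour table, which is what
# Shorewall reads when it configures the provider.
probe_gateway() {
    ping -c 1 -W 1 -I "$2" "$1" >/dev/null 2>&1 &&
        ip neigh show "$1" dev "$2" | grep -q lladdr
}

# wait_for_gateway GATEWAY IFACE ATTEMPTS [INTERVAL]
# Calls probe_gateway up to ATTEMPTS times, sleeping INTERVAL seconds
# (default 1) between failed tries. Returns 0 as soon as the gateway is
# resolved, 1 if every attempt fails, so the caller can log the
# condition instead of silently starting into a half-up bridge.
wait_for_gateway() {
    gw=$1; iface=$2; attempts=$3; interval=${4:-1}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if probe_gateway "$gw" "$iface"; then
            return 0
        fi
        sleep "$interval"
    done
    return 1
}

# Only wait when the bridge actually exists on this host; on a machine
# without br0 the file does nothing and Shorewall starts as usual.
if [ -d /sys/class/net/br0 ]; then
    if ! wait_for_gateway 192.0.2.1 br0 30; then
        echo "br0 gateway 192.0.2.1 not resolved after 30 tries; continuing" >&2
    fi
fi
```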
