Greetings shorewall users, I'm running into a problem and hoping someone might have a simple idea how to fix it.
I have Shorewall configured on a Linux fw with two port DNAT rules to an internal server for OpenVPN from external clients. Everything works fine there. I have a problem when the fw is rebooted, however. When it comes back up, interfaces are brought up before Shorewall is started and the external OpenVPN clients are trying to reconnect. When Shorewall starts, it blocks (in the external 2fw chain) the OpenVPN ports which are configured to be DNATed.

I've pinned it down to the fact that when the interfaces first come up, the external clients attempt to connect to the non-DNATed (yet) ports, which creates a connection tracking entry for the clients->fw. When Shorewall starts, it sees future packets as part of that connection and drops them as destined for the fw. Packets from new tuples are DNATed correctly.

So my question is, what's the best way around this? Right now, I have to manually stop the clients for long enough that their connection tracking entries go away, then restart them. Should I start Shorewall twice: once when lo comes up, then restart it when my other interfaces have been configured? Has anyone else had to solve this?

Thanks in advance,
-- 
Brad Barden <[email protected]>
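The condition described in the post can be checked for, and cleared, without waiting for the entries to age out: the stale entries are exactly those whose original tuple targets the firewall's own external address on a DNAT port and whose reply tuple still comes from the firewall instead of the internal server. The script below is an added example and is not part of the original post or of Shorewall; it assumes conntrack-tools is installed, and the external address (`FW_EXT`), the ports (`VPN_PORTS`) and the protocol (`PROTO`) are placeholders. The `conntrack -L` output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: the firewall's
# external address, the DNATed OpenVPN ports and the transport protocol.
FW_EXT="203.0.113.10"
VPN_PORTS="1194 1195"
PROTO="udp"

# Constructed sample of `conntrack -L` output. Line 1 is a stale entry created
# before the DNAT rule existed (reply src is the firewall itself). Line 2 was
# created after DNAT was in place (reply src is the internal server). Line 3
# is unrelated traffic.
SAMPLE_CONNTRACK='udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=45000 dport=1194 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=1194 dport=45000 mark=0 use=1
udp      17 29 src=198.51.100.8 dst=203.0.113.10 sport=45001 dport=1194 src=10.0.0.5 dst=198.51.100.8 sport=1194 dport=45001 mark=0 use=1
udp      17 29 src=198.51.100.9 dst=203.0.113.10 sport=45002 dport=53 src=203.0.113.10 dst=198.51.100.9 sport=53 dport=45002 mark=0 use=1'

stale_entries() {
    # Reads conntrack -L lines on stdin and prints "client_ip client_port dport"
    # for each entry that reaches FW_EXT on a VPN port but whose reply tuple
    # still originates from FW_EXT, i.e. the entry was created before DNAT.
    awk -v fw="$FW_EXT" -v ports="$VPN_PORTS" -v proto="$PROTO" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == proto {
        # The first src=/dst=/sport=/dport= group is the original direction,
        # the second group is the reply direction; tokens without "=" such
        # as [UNREPLIED] are ignored.
        osrc = odst = osport = odport = rsrc = ""; srcs = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src") { if (srcs == 0) osrc = kv[2]; else rsrc = kv[2]; srcs++ }
            else if (kv[1] == "dst"   && odst   == "") odst   = kv[2]
            else if (kv[1] == "sport" && osport == "") osport = kv[2]
            else if (kv[1] == "dport" && odport == "") odport = kv[2]
        }
        if (odst == fw && (odport in want) && rsrc == fw)
            print osrc, osport, odport
    }'
}

flush_stale() {
    # Deletes each stale entry so the client's next packet is seen as NEW and
    # evaluated against the DNAT rule. With DRY_RUN=1 the commands are printed
    # instead of executed.
    while read -r client cport dport; do
        [ -z "$client" ] && continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "conntrack -D -p $PROTO -s $client --sport $cport -d $FW_EXT --dport $dport"
        else
            conntrack -D -p "$PROTO" -s "$client" --sport "$cport" -d "$FW_EXT" --dport "$dport"
        fi
    done
}

# Demonstration on the constructed sample (dry run, prints one delete command).
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_entries | DRY_RUN=1 flush_stale
```

On a live firewall the pipeline is `conntrack -L 2>/dev/null | stale_entries | flush_stale`, run once after the ruleset has been loaded, for instance from a Shorewall `started` extension script; that clears only the entries that predate the DNAT rule and leaves correctly translated connections untouched, so no second Shorewall start is needed.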
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
