Hi Jorge,

After reading

"Another good practice is to use shorewall safe-start and safe-restart,
that way if your new config doesn't pass shorewall check the system will
fall back to the last good config."

I tried safe-restart and found it hangs my session for 150 seconds but
restart works in an instant.

See attached for a more detailed description.

Regards,
Trent

My environment:
r...@nper-r1:~# dpkg -l | grep shorewall
ii  shorewall                                 4.4.10~Beta4-1               Shoreline Firewall, netfilter configurator
ii  shorewall-perl                            4.4.10~Beta4-1               Shoreline Firewall, netfilter configurator -

What I see:
r...@nper-r1:~# shorewall safe-restart
Compiling...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.restart
   Dynamic Rules Saved

"... this is where it hangs for 150 seconds. Then I see..."
   Currently-running Configuration Saved to /var/lib/shorewall/.safe
Restarting...
Restarting Shorewall....
done.
Do you want to accept the new firewall configuration? [y/n] y
New configuration has been accepted
r...@nper-r1:/etc/shorewall# 

(ps -ef) From a second session during 150 second wait for first session:
root     17384  6181  0 04:59 pts/0    00:00:00 /bin/sh /sbin/shorewall safe-restart
root     17538 17384  0 04:59 pts/0    00:00:00 /sbin/iptables-save
root     17539 17384  0 04:59 pts/0    00:00:00 /bin/sh /sbin/shorewall safe-restart
root     17541 17539  0 04:59 pts/0    00:00:00 awk BEGIN           { sline=""; };\?             /^-j/           { print sline $0; next };\?


But when I do the normal restart...
r...@nper-r1:~# shorewall restart
Compiling...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
Setting up dynamic rules...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

All is fine.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
