On Jan 15, 2012, at 6:27 PM, Tom Eastep wrote:

>>
>> I wonder as a matter of routine, if shorewall should flush the entire
>> conntrack table when it loads to prevent this sort of thing.
>>
>
> This problem is one of the key reasons that I developed shorewall-init. But
> if you don't want to install and configure that, then hack your startup
> scripts to pass the -p option to the 'start' command.
In Shorewall 4.5.0, the /etc/default/shorewall (/etc/sysconf/shorewall) file can specify STARTOPTIONS and RESTARTOPTIONS which will be inserted after 'start' or 'restart' respectively when invoking /sbin/shorewall from /etc/init.d/shorewall. So you will be able to specify '-p' in those variables to cause this to happen all of the time.

I'll never make '-p' the default because a large percentage of Shorewall users don't even know that /sbin/shorewall exists and always control Shorewall via /etc/init.d/shorewall. If that script were to flush the conntrack table by default, then these users would be continuously locking themselves out of their own firewalls.

-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
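The mechanism described in the message above, as an added illustration that is not Tom's code and not Shorewall's own init script: a defaults file carries STARTOPTIONS and RESTARTOPTIONS, and an init-script-style wrapper splices the matching variable into the /sbin/shorewall command line directly after 'start' or 'restart'. The function names, the sed-based parsing of just those two assignments (a real init script would normally source the whole file), and the sample defaults file are all constructed for this example.

```shell
#!/bin/sh
# Illustration only (not Shorewall's init script): show how STARTOPTIONS /
# RESTARTOPTIONS from a defaults file end up on the /sbin/shorewall command
# line, so that '-p' (purge the conntrack table) applies on every start.

# Pick out only the two assignments we care about instead of sourcing the
# whole file; this keeps a stray line in the defaults file from executing.
load_shorewall_defaults() {
    defaults_file=$1
    STARTOPTIONS=""
    RESTARTOPTIONS=""
    [ -r "$defaults_file" ] || return 0
    STARTOPTIONS=$(sed -n 's/^STARTOPTIONS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$defaults_file" | tail -n 1)
    RESTARTOPTIONS=$(sed -n 's/^RESTARTOPTIONS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$defaults_file" | tail -n 1)
}

# Build (but do not execute) the command the init script would run for the
# given action; the options land right after 'start' or 'restart', and any
# other action (stop, status, ...) is passed through untouched.
build_shorewall_cmd() {
    action=$1
    case $action in
        start)   opts=$STARTOPTIONS ;;
        restart) opts=$RESTARTOPTIONS ;;
        *)       opts="" ;;
    esac
    if [ -n "$opts" ]; then
        printf '%s\n' "/sbin/shorewall $action $opts"
    else
        printf '%s\n' "/sbin/shorewall $action"
    fi
}

# Constructed sample defaults file (a temp file, not a real system file):
# purge conntrack on a full start, but not on a restart.
DEMO_DEFAULTS=$(mktemp)
cat > "$DEMO_DEFAULTS" <<'EOF'
# sample /etc/default/shorewall contents (constructed for this example)
STARTOPTIONS="-p"
RESTARTOPTIONS=""
EOF

load_shorewall_defaults "$DEMO_DEFAULTS"
build_shorewall_cmd start      # -> /sbin/shorewall start -p
build_shorewall_cmd restart    # -> /sbin/shorewall restart
build_shorewall_cmd stop       # -> /sbin/shorewall stop
rm -f "$DEMO_DEFAULTS"
```

Keeping '-p' in STARTOPTIONS rather than RESTARTOPTIONS matches the point of the thread: a purge of the conntrack table drops every established connection, including the session of whoever is administering the box, which is exactly why the message argues against making it the default for everyone.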
