On 12-01-15 09:27 PM, Tom Eastep wrote:
>
> But if you don't want to install and configure that, then hack your startup
> scripts to pass the -p option to the 'start' command.
Yeah, I've been trying that. The conntrack table seems to be the same before and after a [re]start -p. Witness:

# conntrack -L -nv | grep 5060; shorewall-lite restart -p; conntrack -L -nv | grep 5060; ip route ls
udp 17 3586 src=10.75.22.8 dst=1.2.3.4 sport=5060 dport=5060 packets=23 bytes=12972 src=1.2.3.4 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=3
udp 17 3581 src=10.75.22.8 dst=2.3.4.5 sport=5060 dport=5060 packets=49 bytes=28524 src=2.3.4.5 dst=9.8.7.6 sport=5060 dport=5060 packets=75 bytes=38618 [ASSURED] mark=513 use=2
udp 17 3587 src=10.75.22.8 dst=3.4.5.6 sport=5060 dport=5060 packets=23 bytes=12972 src=3.4.5.6 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=2
conntrack v1.0.0 (conntrack-tools): 145 flow entries have been shown.
udp 17 3597 src=10.75.22.8 dst=10.75.23.254 sport=5060 dport=5060 packets=470 bytes=275890 [UNREPLIED] src=10.75.23.254 dst=9.8.7.6 sport=5060 dport=5060 packets=0 bytes=0 mark=1 use=2
Restarting Shorewall Lite....
Initializing...
Processing /etc/shorewall/gw-new/init ...
Creating any undefined ipsets...
Processing /etc/shorewall/gw-new/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /usr/sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/gw-new/start ...
Processing /etc/shorewall/gw-new/started ...
set +x
done.
udp 17 3576 src=10.75.22.8 dst=1.2.3.4 sport=5060 dport=5060 packets=23 bytes=12972 src=1.2.3.4 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=2
udp 17 3571 src=10.75.22.8 dst=2.3.4.5 sport=5060 dport=5060 packets=49 bytes=28524 src=2.3.4.5 dst=9.8.7.6 sport=5060 dport=5060 packets=75 bytes=38618 [ASSURED] mark=513 use=2
udp 17 3578 src=10.75.22.8 dst=3.4.5.6 sport=5060 dport=5060 packets=23 bytes=12972 src=3.4.5.6 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=2
conntrack v1.0.0 (conntrack-tools): 131 flow entries have been shown.
udp 17 3599 src=10.75.22.8 dst=10.75.23.254 sport=5060 dport=5060 packets=473 bytes=277651 [UNREPLIED] src=10.75.23.254 dst=9.8.7.6 sport=5060 dport=5060 packets=0 bytes=0 mark=1 use=2
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
8.2.7.3 dev pppoe-wan1 proto kernel scope link src 9.8.7.6
10.8.0.0/24 via 10.8.0.2 dev tun0
10.75.22.0/24 dev br-lan proto kernel scope link src 10.75.22.196
10.75.23.0/24 via 10.8.0.2 dev tun0
192.168.123.0/24 via 10.75.22.1 dev br-lan proto zebra metric 20
6.5.4.0/20 dev eth0.2 proto kernel scope link src 6.5.3.242
default via 6.5.4.1 dev eth0.2

I hope the obfuscation has not made it too difficult to understand, but in these days of prevalent cracking and social engineering, one cannot be too careful I fear. In any case, I think the main point to take away is that before and after shorewall is restarted with -p the conntrack table is the same, with entries being natted from the interface which is not even the default gateway. I would expect that after the restart either the entries would be completely gone, or, if a connection had snuck through between the shorewall restarting (and flushing the table) and the second conntrack -L, that the source IP would show the default route's IP, not the backup route's.
Looking further into the shorewall-lite script on this machine I can see that setting a "-p" option sets a "g_purge=Yes" but nowhere else in that script is g_purge referenced. How exactly is "-p" supposed to result in a flushing of the conntrack table? This is shorewall-lite 4.4.12.2 FWIW. Cheers, b.
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
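The before/after comparison the post makes by eye, as an added example that is not part of the original thread and not Shorewall's own code: a POSIX shell script that reduces `conntrack -L` output to stable flow keys (ignoring timeouts, TCP state and counters), diffs two snapshots taken around a firewall restart, and narrows the surviving flows to the address they were SNATed to, so one can see at a glance which flows still carry the backup WAN's address after a restart. The sample snapshots and all addresses in them are constructed, and the function names (`ct_keys`, `ct_survivors`, `ct_nat_to`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: diff two
# `conntrack -L` snapshots taken around a firewall restart and report the
# flows that survived, optionally narrowed to the address they were
# SNATed to.  All addresses below are constructed sample data; the
# function names are this example's own.

# Reduce each flow line to a key that ignores the timeout, TCP state and
# packet/byte counters: "proto orig-src:sport->orig-dst:dport nat=X",
# where X is the reply-direction dst, i.e. the address the flow was
# SNATed to (it equals orig-src when the flow is not NATed at all).
ct_keys() {
  awk '
    $1 == "tcp" || $1 == "udp" || $1 == "icmp" {
      dir = 0; osrc = odst = osp = odp = rdst = ""
      for (i = 4; i <= NF; i++) {
        if (split($i, kv, "=") != 2) continue   # skip [ASSURED], ESTABLISHED, ...
        if (kv[1] == "src")        { dir++; if (dir == 1) osrc = kv[2] }
        else if (kv[1] == "dst")   { if (dir == 1) odst = kv[2]; else rdst = kv[2] }
        else if (kv[1] == "sport") { if (dir == 1) osp = kv[2] }
        else if (kv[1] == "dport") { if (dir == 1) odp = kv[2] }
      }
      printf "%s %s:%s->%s:%s nat=%s\n", $1, osrc, osp, odst, odp, rdst
    }' | sort -u
}

# Keys present in both snapshots (arguments: files of raw conntrack -L output).
ct_survivors() {
  b=$(mktemp) && a=$(mktemp) || return 1
  ct_keys < "$1" > "$b"
  ct_keys < "$2" > "$a"
  comm -12 "$b" "$a"
  rm -f "$b" "$a"
}

# Keep only keys SNATed to the given address (exit status 0 even with no match).
ct_nat_to() {
  awk -v want="nat=$1" '$NF == want'
}

# Constructed snapshots: three flows before the restart; afterwards the two
# SIP flows are still there with fresh timeouts, the TCP flow is gone and a
# new SIP flow has appeared that was SNATed to the other WAN address.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
udp      17 3586 src=10.75.22.8 dst=1.2.3.4 sport=5060 dport=5060 packets=23 bytes=12972 src=1.2.3.4 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=3
udp      17 3581 src=10.75.22.8 dst=2.3.4.5 sport=5060 dport=5060 packets=49 bytes=28524 src=2.3.4.5 dst=9.8.7.6 sport=5060 dport=5060 packets=75 bytes=38618 [ASSURED] mark=513 use=2
tcp      6 431999 ESTABLISHED src=10.75.22.8 dst=5.6.7.8 sport=40000 dport=443 packets=10 bytes=1000 src=5.6.7.8 dst=6.5.3.242 sport=443 dport=40000 packets=8 bytes=2000 [ASSURED] mark=0 use=1
conntrack v1.0.0 (conntrack-tools): 3 flow entries have been shown.
EOF
cat > "$AFTER" <<'EOF'
udp      17 3576 src=10.75.22.8 dst=1.2.3.4 sport=5060 dport=5060 packets=23 bytes=12972 src=1.2.3.4 dst=9.8.7.6 sport=5060 dport=5060 packets=23 bytes=9591 [ASSURED] mark=513 use=2
udp      17 3571 src=10.75.22.8 dst=2.3.4.5 sport=5060 dport=5060 packets=49 bytes=28524 src=2.3.4.5 dst=9.8.7.6 sport=5060 dport=5060 packets=75 bytes=38618 [ASSURED] mark=513 use=2
udp      17 29 src=10.75.22.8 dst=3.4.5.6 sport=5060 dport=5060 packets=1 bytes=500 [UNREPLIED] src=3.4.5.6 dst=6.5.3.242 sport=5060 dport=5060 packets=0 bytes=0 mark=0 use=1
conntrack v1.0.0 (conntrack-tools): 3 flow entries have been shown.
EOF

echo "flows that survived the restart and are SNATed to 9.8.7.6:"
ct_survivors "$BEFORE" "$AFTER" | ct_nat_to 9.8.7.6
```

On a live box the same functions work on real captures: save `conntrack -L -n` to a file, restart the firewall, save it again, and run `ct_survivors before.txt after.txt | ct_nat_to <backup WAN address>`. An empty result means every flow that had been NATed to the backup address was dropped by the restart; a non-empty one shows exactly which flows kept it.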
