On Wed, 29 Feb 2012 10:33:28 -0800,
Tom Eastep <[email protected]> wrote:
> So to stop an existing ping at with shorewall start/restart, you need
> to flush the conntrack table ('shorewall restart -p'). That requires
> that you install the conntrack utility program (usually, the package
> is called simply 'conntrack').
It was indeed a difference of kernels.
Setting the conntrack ICMP timeout value to 1, for instance, for all
practical purposes stops the pings just about immediately, which is
fine. This approach would be less encompassing than having a
shorewall -p, which I suspect resets much more than only the ICMP
timeout. For instance, if an admin is logged in using ssh for setting
up a firewall, using shorewall -p would flush his connection tracking
table, which could be detrimental when making an error such as not
opening a hole for the ssh connection once the firewall is up. Is it
possible to only flush certain tables? A value of 1 as the ICMP
timeout could perhaps have an effect on normal pings when the network
is slow, do you think so?
Those were the components:
System that does not stop the pings:
shorewall: 4.5.0.1-4.5.1-Beta2
kernel: 3.0.0
iptables: 1.4.8-3
iproute: 20100519-3
System that does stop the pings:
shorewall: 4.0.15
kernel: 2.6.26
iptables: 1.3.6.0
iproute: 20061002-3
Thanks so much for your help.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
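The narrower alternative the message asks about, a flush limited to ICMP conntrack entries instead of the whole table, as an added shell example that is not part of the original thread or of Shorewall itself. It assumes conntrack-tools ('conntrack'), sysctl and a kernel exposing the nf_conntrack sysctls; the 'conntrack -L' sample is constructed, and the privileged commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: expire only ICMP conntrack entries
# (the narrow alternative to a full 'shorewall restart -p' flush) and
# preview what a filtered delete would remove. Assumes conntrack-tools
# ('conntrack'), sysctl, and a kernel exposing nf_conntrack sysctls.
# DRY_RUN=1 (default) only prints the privileged commands.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample of 'conntrack -L' output: one ping flow and the
# admin's ssh session. Column 3 is the remaining timeout in seconds.
SAMPLE_TABLE='icmp     1 29 src=192.0.2.10 dst=192.0.2.1 type=8 code=0 id=1234 src=192.0.2.1 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=51234 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1'

# Count entries of one protocol in 'conntrack -L' output read from stdin.
count_proto() {
    awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Entries that survive a 'conntrack -D -p icmp': everything not ICMP.
surviving_after_icmp_flush() {
    awk '$1 != "icmp"'
}

# Lower the ICMP timeout (seconds) so stale ping entries age out fast,
# then delete the existing ICMP entries only; TCP (ssh) state is untouched.
expire_icmp_only() {
    run sysctl -w "net.netfilter.nf_conntrack_icmp_timeout=$1"
    run conntrack -D -p icmp
}

main() {
    printf 'icmp entries before flush: %s\n' \
        "$(printf '%s\n' "$SAMPLE_TABLE" | count_proto icmp)"
    printf 'tcp entries kept:          %s\n' \
        "$(printf '%s\n' "$SAMPLE_TABLE" | surviving_after_icmp_flush | count_proto tcp)"
    expire_icmp_only 1
}
main
```

Run with DRY_RUN=0 as root to apply the sysctl and the filtered delete; pass a larger timeout than 1 if slow links make replies arrive late.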