> > Yes I knew not good to go, (still scratching head)
> > lsm 0.130-1
> > lsm.conf
> > #
> > # (C) 2009 Mika Ilmaranta<[email protected]>
> > #
> > # License: GPLv2
> > #
> >
> > #
> > # Debug level: 0 .. 8 are normal, 9 gives lots of stuff and 100 doesn't
> > # bother to detach
> > #
> > #debug=10
> > debug=9
> > #debug=8
> >
> > #
> > # Defaults for the connection entries
> > #
> > defaults {
> >    name=defaults
> >    checkip=127.0.0.1
> >    eventscript=/etc/lsm/script
> >    notifyscript=
> >    max_packet_loss=15
> >    max_successive_pkts_lost=7
> >    min_packet_loss=5
> >    min_successive_pkts_rcvd=10
> >    interval_ms=1000
> >    timeout_ms=1000
> >    [email protected]
> >    check_arp=0
> >    sourceip=
> > # if using ping probes for monitoring only then defaults should
> > # not define a default device for packets to autodiscover their path
> > # to destination
> > #  device=eth0
> > # use system default ttl
> >    ttl=0
> > # assume initial up state at lsm startup (1 = up, 0 = down, 2 = unknown (default))
> > # status=1
> > }
> >
> > #
> > # Some example connections are found in lsm.conf.sample
> > #
> > include /etc/lsm/shorewall.conf
> 
> Sorry -- also need to see that file.
> 
> -Tom
I also might add this in case it has any bearing on the trouble here. I was up late
testing this more, so if Comcast failed it seems to have the same issue, i.e. lsm
can't ping its downstream IP when disable is in effect in Shorewall.
This morning a live real failure occurred on the failover ISP (rea). I had
forgotten to stop lsm last night.
They called and woke me up complaining the IPsec tunnel was down.
When it failed live, I had modified lsm in the way below.
(May not have any bearing on the trouble, not sure.)
#!/bin/sh
#
# (C) 2009 Mika Ilmaranta <[email protected]>
# (C) 2009 Tom Eastep <[email protected]>
#
# License: GPLv2
#

# lsm hands the connection state and the probe counters over as positional arguments
STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}

# Use the Shorewall-lite directories when that package is installed
if [ -f /usr/share/shorewall-lite/lib.base ]; then
    VARDIR=/var/lib/shorewall-lite
    STATEDIR=/etc/shorewall-lite
else
    VARDIR=/var/lib/shorewall
    STATEDIR=/etc/shorewall
fi

# Honour a relocated VARDIR if one has been configured
[ -f "${STATEDIR}/vardir" ] && . "${STATEDIR}/vardir"

cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" "${WARN_EMAIL}"

Hi,

Connection ${NAME} is now ${STATE}.

Following parameters were passed:
newstate     = ${STATE}
name         = ${NAME}
checkip      = ${CHECKIP}
device       = ${DEVICE}
warn_email   = ${WARN_EMAIL}

Packet counters:
replied      = ${REPLIED} packets replied
waiting      = ${WAITING} packets waiting for reply
timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
reply_late   = ${REPLY_LATE} packets that received a reply after timeout
cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
cons_miss    = ${CONS_MISS} consecutive packets that have timed out
avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

Your LSM Daemon

EOM

if [ "${STATE}" = up ]; then
    # echo 0 > "${VARDIR}/${DEVICE}.status" # Uncomment this line if you are running Shorewall 4.4.x or earlier
    "${VARDIR}/firewall" enable "${DEVICE}"
else
    # echo 1 > "${VARDIR}/${DEVICE}.status" # Uncomment this line if you are running Shorewall 4.4.x or earlier
    "${VARDIR}/firewall" disable "${DEVICE}"
    # Tear the tunnels down when the link goes down
    /usr/sbin/ipsec stop
    /usr/sbin/openvpn stop
fi

# Record the routing table after every event
/sbin/shorewall show routing >> /var/log/lsm

exit 0

#EOF

Mike
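An added example, not code from the thread or from lsm itself: a small POSIX sh checker that reads the defaults block of an lsm.conf like the one quoted above and reports settings that contradict the comments in that file (debug outside the documented range, a device pinned in defaults for ping-only monitoring). It assumes key=value lines with '#' comments, and that min_packet_loss is the "back up" threshold and therefore must sit below max_packet_loss; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the defaults block of an
# lsm.conf against the rules stated in the file's own comments. Assumed:
# key=value lines, '#' comments, min_packet_loss < max_packet_loss (hysteresis).

# Constructed sample modelled on the posted file; device is left active on purpose.
SAMPLE_CONF='debug=9
defaults {
   name=defaults
   checkip=127.0.0.1
   max_packet_loss=15
   min_packet_loss=5
# a comment that mentions device=eth0 must be ignored
   device=eth0
   ttl=0
}'

# lsm_conf_get CONF KEY: print the value of KEY, skipping blank and comment lines.
lsm_conf_get() {
    _conf=$1 _key=$2
    printf '%s\n' "$_conf" | while IFS= read -r line; do
        set -f; set -- $line; set +f     # word-split to drop leading whitespace
        case ${1:-} in
            ''|'#'*) ;;                    # blank or comment
            "$_key="*) printf '%s\n' "${1#*=}"; break ;;
        esac
    done
}

# lsm_conf_check CONF: return 0 if the defaults are consistent, else report and return 1.
lsm_conf_check() {
    _c=$1 _rc=0
    _dbg=$(lsm_conf_get "$_c" debug)
    _maxl=$(lsm_conf_get "$_c" max_packet_loss)
    _minl=$(lsm_conf_get "$_c" min_packet_loss)
    _dev=$(lsm_conf_get "$_c" device)
    # the file's own comment: 0..8 normal, 9 verbose, 100 does not detach
    case $_dbg in [0-9]|100) ;; *) echo "debug=$_dbg is not 0..9 or 100"; _rc=1 ;; esac
    if [ "${_minl:-0}" -ge "${_maxl:-0}" ]; then
        echo "min_packet_loss=$_minl must be below max_packet_loss=$_maxl"; _rc=1
    fi
    # the file's own comment: ping-only monitoring should not pin probes to a device
    if [ -n "$_dev" ]; then
        echo "defaults sets device=$_dev; comment it out for ping-only monitoring"; _rc=1
    fi
    return $_rc
}

lsm_conf_check "$SAMPLE_CONF" || echo "lsm.conf needs attention"
```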

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users