Hi Tom, thanks for your quick reply.

On 07/06/2012 06:43 PM, Tom Eastep wrote:
> On 07/06/2012 08:52 AM, Matthias Sitte wrote:
>> Hi there,
>>
>> I'm quite puzzled with the proper configuration of Shorewall. I'm
>> running Debian Squeeze in an OpenVZ container (virtual server with
>> 3rd party company).
>
> That's interesting -- most people trying to run Shorewall in an OpenVZ
> container under Squeeze find that outgoing connections from the firewall
> don't work at all because Netfilter connection tracking is totally
> broken. Possibly there has finally been a fix for that.

I'd be happy to share more details if you tell me what you need (versions
of which packages etc.) to see why it works. It's a clean system with
nothing but Shorewall installed. The config files for Shorewall are
pretty simple.

>> Of course, Shorewall should automatically start when rebooting.
>> Making the appropriate changes to shorewall.conf and
>> /etc/default/shorewall it should all be fine -- but it ain't
>> somehow.
>>
>> Again, reboot, and I can still ping the system. Bring Shorewall down
>> and up again -- no response on a ping.
>
> How are you bringing Shorewall down and up again? Using
> /etc/init.d/shorewall or /sbin/shorewall?

I'm simply using `shorewall stop' and `shorewall start'. Just to be on
the safe side, I've checked that using `/etc/init.d/shorewall stop' and
`/etc/init.d/shorewall start' has the same outcome, i.e., `iptables -L'
shows the "correct" set of rules.

>> Why??
>>
>> Looking at the /var/log/shorewall-init.log I've noticed that it looks
>> somehow "messed up" as if two instances of Shorewall were started
>> simultaneously while booting. They seem to interfere and leave an
>> empty iptables (see shorewall-init.log.1.gz).
>
> Have you confirmed that it is empty? It looks to me as if Shorewall's
> stdout file and STARTUP_LOG files are both pointing to
> /var/log/shorewall-init.log. That is causing the duplication of messages
> that you are seeing. Given that the two seem to have different verbosity
> (and STARTUP_LOG has timestamps), the buffers of the two files get
> filled at a different rate so they get flushed to disk at different points.

Hm, I didn't realize that Shorewall might be using the same file for both
`stdout' and STARTUP_LOG. I'll check on that ...

Anyway, right after the system comes up, `iptables -L' gives me empty
lists:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Stopping/starting Shorewall as described above makes it work nicely, though.

>> However, after stopping/starting Shorewall, the iptables are filled
>> correctly and the firewall works (see shorewall-init.log.2.gz).
>>
>> So, does anyone have an idea what goes wrong here? I'd be happy if
>> you could help me out with this one or point me to some websites
>> where the problem is solved.
>
> I don't think we know exactly what the problem is at this point.

A wild guess: I could check the /etc/init.d/* scripts for other things
that might interfere with the iptables...

> -Tom
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
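The state Matthias describes after boot (all three built-in filter chains at policy ACCEPT with no rules) is a fail-open firewall, and it is worth checking for mechanically after every reboot rather than by eye. The following POSIX shell check is an added example, not code from the thread or from the Shorewall project: it reads `iptables -L` output and prints `fail-open` when every built-in chain is policy ACCEPT and no rule or user chain exists, and `rules-present` otherwise. Both sample outputs are constructed here; the first mirrors the empty listing quoted above, the second is loosely modelled on a loaded Shorewall ruleset and its chain names (such as `net2fw`) are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): classify `iptables -L` output.
# Reads the listing on stdin and prints one word:
#   fail-open     - every built-in chain is policy ACCEPT and holds no rules
#   rules-present - at least one rule, user chain, or non-ACCEPT policy exists
fw_is_fail_open() {
    awk '
        BEGIN { permissive = 1 }
        /^Chain / {
            if ($0 ~ /\(policy /) {
                # Built-in chain: extract the text between "(policy " and ")"
                policy = $0
                sub(/.*\(policy /, "", policy)
                sub(/\).*/, "", policy)
                if (policy != "ACCEPT") permissive = 0
            } else {
                # "Chain foo (N references)": a user chain only exists if
                # something (e.g. Shorewall) has loaded a ruleset
                rules++
            }
            next
        }
        /^target +prot +opt/ { next }   # column header printed under each chain
        /^[ \t]*$/ { next }             # blank separator between chains
        { rules++ }                     # anything else is a rule entry
        END { print (permissive && rules == 0) ? "fail-open" : "rules-present" }
    '
}

# Constructed sample: the empty listing seen right after boot in the thread.
sample_empty() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample: a loaded ruleset (chain names are illustrative).
sample_loaded() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
Reject     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere
EOF
}

# With --live, inspect the running host (needs root); otherwise run the samples.
if [ "${1:-}" = "--live" ]; then
    iptables -L | fw_is_fail_open
else
    printf 'empty listing:  %s\n' "$(sample_empty | fw_is_fail_open)"
    printf 'loaded listing: %s\n' "$(sample_loaded | fw_is_fail_open)"
fi
```

Note that `iptables -L` without `-t` lists only the filter table, which is enough for the fail-open question here; it says nothing about the nat or mangle tables. Run the check from a post-boot cron or init hook (or by hand with `--live`) and treat `fail-open` on a host that is supposed to be firewalled as an incident, not a cosmetic glitch.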
