(sorry, I simply pressed 'reply' on this Yahoo thing and the
reply went to your personal email when I intended it to be in the
mailing list - so here it is in the mailing list)
Hi Tom,
>> Are there persistent connection tracking (and related)
>> parameters set at install time that would make do with this
>> condition when enabling/disabling MASQ ?
> If there were, don't you think that I would have already
> implemented support for them (and told you about them)?
Right ;-)
> How do you install a new updated firewall config? Hopefully not
> with 'shorewall stop; shorewall start'.
Actually modifications are made to the config files and
'shorewall restart' is called. It's been like that for years.
The difference now is that the system is exclusively managed by a
middleware configuration database (based on Yang data
model/netconf, a replacement of SNMP) in which Shorewall is a
managed object whose config files are written from what the user
has specified in a config database. And then Shorewall is
executed using those newly-created Shorewall config files.
From the description of shorewall-init, I currently see no
advantage in using it for the current context, e.g. the connection
tracking and MASQ enable/disable. There are already interactions
at the system level (netlink msg listening) when some interfaces
are changing states, by the application that manages the
Shorewall object. And flushing all connection tables does not
seem like a good idea at the moment, because of the possibility
of terminating a remote ssh connection used to configure the
firewall. OTOH, it could be that a custom crafted 'conntrack'
command can be made to flush uniquely the interface belonging to
MASQ when enabling/disabling MASQ.
Thanks for all comments.
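As an added example (not part of this message, and not Shorewall's own code), one way to build the "custom crafted conntrack command" mentioned above: a POSIX sh/awk filter that reads `conntrack -L` output and emits one `conntrack -D` per entry that NAT actually rewrote, so sessions terminated on the firewall itself (such as the admin's ssh) are never touched. The LAN subnet, the sample entries and all addresses are constructed assumptions.

```shell
#!/bin/sh
# Selective alternative to 'conntrack -F' when MASQ is toggled. Assumed: the
# subnet behind MASQ is passed as CIDR ($1); an entry was rewritten by NAT when
# its original source is in that subnet and the reply-direction dst differs
# from that source. Sessions ending on the firewall (admin ssh, local DNS) keep
# reply dst == orig src and are skipped. Reads 'conntrack -L' lines on stdin.
# Usage: conntrack -L 2>/dev/null | masq_flush_cmds 10.0.0.0/24 | sh
masq_flush_cmds() {
  awk -v cidr="$1" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function netof(ip)    { return int(ip2n(ip) / hostspan) * hostspan }   # zero the host bits
    BEGIN { split(cidr, c, "/"); hostspan = 2 ^ (32 - c[2]); net = netof(c[1]) }
    {
      ns = nd = np = 0; osrc = odst = rdst = osport = odport = ""
      for (i = 1; i <= NF; i++) {            # 1st src=/dst= pair is original, 2nd is reply
        if      ($i ~ /^src=/)   { if (++ns == 1) osrc = substr($i, 5) }
        else if ($i ~ /^dst=/)   { if (++nd == 1) odst = substr($i, 5); else rdst = substr($i, 5) }
        else if ($i ~ /^sport=/) { if (++np == 1) osport = substr($i, 7) }
        else if ($i ~ /^dport=/) { if (np == 1) odport = substr($i, 7) }
      }
      if (osrc == "" || netof(osrc) != net || rdst == osrc) next
      cmd = "conntrack -D -p " $1 " --orig-src " osrc " --orig-dst " odst
      if (osport != "") cmd = cmd " --sport " osport " --dport " odport   # icmp has no ports
      print cmd
    }'
}

# Constructed sample of 'conntrack -L' output: a MASQed web session, the admin
# ssh from outside, a LAN ssh to the firewall, local DNS, and a MASQed DNS query.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=203.0.113.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.7 dst=203.0.113.2 sport=40022 dport=22 src=203.0.113.2 dst=192.0.2.7 sport=22 dport=40022 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=10.0.0.1 sport=40100 dport=22 src=10.0.0.1 dst=10.0.0.9 sport=22 dport=40100 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=50000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=50000 mark=0 use=1
udp      17 170 src=10.0.0.12 dst=198.51.100.53 sport=41000 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=41000 mark=0 use=1'
```

Only the two NATed entries produce delete commands; both ssh sessions and the local DNS entry are left in place.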
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users