On 07/17/2012 06:16 AM, Fred Maillou wrote:
>> How do you install a new updated firewall config? Hopefully not
>> with 'shorewall stop; shorewall start'.
>
> Actually modifications are made to the config files and
> 'shorewall restart' is called. It's been like that for years.
> The difference now is that the system is exclusively managed by a
> middleware configuration database (based on Yang data
> model/netconf, a replacement of SNMP) in which Shorewall is a
> managed object whose config files are written from what the user
> has specified in a config database. And then Shorewall is
> executed using those newly-created Shorewall config files.
>
> From the description of shorewall-init, I currently see no
> advantage in using it for the current context, e.g. the connection
> tracking and MASQ enable/disable. There are already interactions
> at the system level (netlink msg listening) when some interfaces
> are changing states, by the application that manages the
> Shorewall object. And flushing all connection tables does not
> seem like a good idea at the moment, because of the possibility
> of terminating a remote ssh connection used to configure the
> firewall. OTOH, it could be that a custom crafted 'conntrack'
> command can be made to flush uniquely the interface belonging to
> MASQ when enabling/disabling MASQ.
Hi Fred,

I don't see how MASQ can be missed when doing a 'restart'. The old Netfilter
nat table is replaced atomically by the new one. So there is never a time
when the MASQ rule isn't in place.

Which Shorewall version are you running?

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
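The point in dispute above is whether a MASQUERADE rule can be absent, even briefly, across a 'shorewall restart'. The script below is an added example, not code from this thread or from the Shorewall project: it parses the text format written by `iptables-save -t nat`, checks for a POSTROUTING MASQUERADE rule leaving via a given interface, and polls that check repeatedly so an operator can watch for gaps while a restart runs. The interface name eth0 and both nat-table dumps are constructed for offline use; on a real host the dump command would be `iptables-save -t nat` (run as root).

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): verify MASQUERADE continuity
# by sampling the nat table in iptables-save text format.

# CONSTRUCTED sample of `iptables-save -t nat` with a MASQUERADE rule via eth0.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# CONSTRUCTED sample where the MASQUERADE rule is missing entirely.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_masq IFACE: exit 0 when the nat dump on stdin contains a POSTROUTING
# rule that leaves via IFACE and jumps to MASQUERADE, exit 1 otherwise.
has_masq() {
    grep -q -- "^-A POSTROUTING .*-o $1 .*-j MASQUERADE"
}

# poll_masq IFACE COUNT DELAY DUMP_CMD...: run DUMP_CMD COUNT times, DELAY
# seconds apart, and print how many samples lacked the MASQUERADE rule.
# Real-host usage while a restart is in progress:
#   poll_masq eth0 40 0.25 iptables-save -t nat
poll_masq() {
    iface=$1; n=$2; delay=$3; shift 3
    missing=0; i=0
    while [ "$i" -lt "$n" ]; do
        if ! "$@" | has_masq "$iface"; then
            missing=$((missing + 1))
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "$missing"
}

# Offline demonstration against the constructed dumps (delay 0).
echo "gaps with rule present: $(poll_masq eth0 3 0 printf '%s\n' "$GOOD_DUMP")"
echo "gaps with rule missing: $(poll_masq eth0 3 0 printf '%s\n' "$BAD_DUMP")"
```

A non-zero gap count during a restart would contradict the atomic-replacement behaviour described above and is worth reporting together with the Shorewall version; a consistent zero confirms that the nat table swap never left the interface without its MASQUERADE rule.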
