So, after a lot of reboots, some information:

nf_nat_pptp has been loaded by a forgotten script on reboot - shame on me.
THIS module pulls in nf_nat_proto_gre and (both of them?) caused the initial problem.

nf_conntrack_pptp pulls nf_conntrack_proto_gre and seems to be loaded automatically when needed. They are needed and make no problems (as far as I can see).

However, a lot of modules are loaded by shorewall, even if not active. I removed all network-related stuff (including shorewall) and rebooted -> no relevant modules loaded, no iptables, nothing. So far so good.

Then I started shorewall. It loads everything(?), regardless of what's defined in /etc/shorewall/helpers. There was no network activity which could have loaded them automatically.

The command you mentioned will reflect what's included in /etc/shorewall/helpers, but it seems to be ignored.

Some data:

/etc/shorewall/shorewall.conf:
------------------------------
AUTOHELPERS=No
HELPERS=
LOAD_HELPERS_ONLY=Yes

fgrep loadmodule /var/lib/shorewall/firewall
--------------------------------------------
loadmodule() # $1 = module name, $2 - * arguments
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_nat_ftp
loadmodule nf_nat_irc
loadmodule nf_nat

/etc/shorewall/helpers
----------------------
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_nat_ftp
loadmodule nf_nat_irc
loadmodule nf_nat

lsmod (only some modules, which shouldn't have been loaded and appear after a "shorewall start")
------------------------------------------------------------------------------------------------
nf_conntrack_amanda 1713 0
nf_conntrack_irc 2639 0
nf_conntrack_snmp 891 0
nf_conntrack_sip 16004 0
nf_conntrack_pptp 3625 0
nf_conntrack_proto_gre 3766 1 nf_conntrack_pptp
nf_conntrack_tftp 2529 0
nf_conntrack_sane 2724 0
. . .

Some of them may be pulled in as a dependency, but not all I think.

Tarqi

-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Saturday, September 22, 2012 12:50 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] GRE blocked on Masq PPTP

On 09/21/2012 03:43 PM, Tarqi Kazan wrote:

> I tried several combinations and ended up with the loaded modules all
> the time.
> And yes, after a reboot I unloaded the modules, and everything worked.
> So something is loading the modules automatically, regardless of what I
> set in shorewall.conf and "helpers".
> The docs in shorewall.conf say to set AUTOHELPERS to NO if using
> kernel
> 3.5, which is the case.

What does 'fgrep loadmodule /var/lib/shorewall/firewall' display?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
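
The comparison done by hand in this thread (loadmodule lines in /etc/shorewall/helpers against lsmod after "shorewall start"), as an added shell example that is not part of the original messages or of Shorewall. The function name classify_helpers, the status labels and the sample data are constructed for illustration; it also uses the lsmod "Used by" column to separate modules pulled in as a dependency from those nothing accounts for.

```sh
#!/bin/sh
# Constructed sample inputs modelled on the listings in the thread (not a real capture).
HELPERS_SAMPLE='loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_irc
loadmodule nf_nat_ftp
loadmodule nf_nat'

LSMOD_SAMPLE='Module                  Size  Used by
nf_conntrack_amanda     1713  0
nf_conntrack_irc        2639  0
nf_conntrack_pptp       3625  0
nf_conntrack_proto_gre  3766  1 nf_conntrack_pptp
nf_conntrack_ftp        5000  1 nf_nat_ftp
nf_nat_ftp              1500  0
ext4                  300000  1'

# classify_helpers HELPERS_TEXT LSMOD_TEXT  (hypothetical helper name)
# Prints "<status> <module>" for every loaded conntrack/NAT module:
#   listed      named on a loadmodule line in the helpers text
#   dependency  not listed, but lsmod shows another module using it
#   unexpected  not listed and not used by any other module
classify_helpers() {
    printf '%s\n@@LSMOD@@\n%s\n' "$1" "$2" | awk '
        $0 == "@@LSMOD@@" { in_lsmod = 1; next }
        !in_lsmod {
            if ($1 == "loadmodule" && $2 != "") listed[$2] = 1
            next
        }
        $1 == "Module" { next }                     # lsmod header row
        $1 !~ /^(nf|ip)_(conntrack|nat)/ { next }   # only helper families
        {
            if ($1 in listed)   status = "listed"
            else if ($4 != "")  status = "dependency"
            else                status = "unexpected"
            print status, $1
        }'
}

# Run on the constructed samples. On a live system the inputs would be
# "$(cat /etc/shorewall/helpers)" and "$(lsmod)".
classify_helpers "$HELPERS_SAMPLE" "$LSMOD_SAMPLE"
```

Modules reported as unexpected are the ones worth tracing to whatever loaded them, since each loaded conntrack helper adds protocol-parsing code to the packet path.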
