I've installed

        shorewall-lite version
                4.5.21.4
        shorewall6-lite version
                4.5.21.4

I use these systemd files to start it

        cat /etc/systemd/system/shorewall-lite.service 
                [Unit]
                Description=shorewall-lite
                After=syslog.target network.target
                Before=shorewall-lite.target fail2ban.service
                Requires=fail2ban.service
                Wants=network.target

                [Service]
                Type=oneshot
                RemainAfterExit=yes
                StandardOutput=syslog
                ExecStart=/usr/sbin/shorewall-lite start
                ExecStop=/usr/sbin/shorewall-lite stop

                [Install]
                WantedBy=multi-user.target

        cat /etc/systemd/system/shorewall6-lite.service 
                [Unit]
                Description=shorewall6-lite
                After=syslog.target network.target
                Before=shorewall6-lite.target fail2ban.service
                Requires=fail2ban.service
                Wants=network.target

                [Service]
                Type=oneshot
                RemainAfterExit=yes
                StandardOutput=syslog
                ExecStart=/usr/sbin/shorewall6-lite start
                ExecStop=/usr/sbin/shorewall6-lite stop

                [Install]
                WantedBy=multi-user.target

Testing

        systemctl stop shorewall-lite 
        systemctl stop shorewall6-lite 

correctly drops me into my fallback, stoppedrules configurations

        iptables -L -n
                Chain INPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0      
                     ctstate RELATED,ESTABLISHED
                ACCEPT     tcp  --  xx.x.xx.xxx/29       0.0.0.0/0      
                     tcp dpt:22
                ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0       

                Chain FORWARD (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0      
                     ctstate RELATED,ESTABLISHED

                Chain OUTPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0      
                     ctstate RELATED,ESTABLISHED
                ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0       

        ip6tables -L -n
                Chain INPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all      ::/0                 ::/0           
                     ctstate RELATED,ESTABLISHED
                ACCEPT     all      fe80::/10            ::/0            
                ACCEPT     all      ::/0                 fe80::/10       
                ACCEPT     all      ::/0                 ff00::/8        
                ACCEPT     tcp      2001:aaa:aaaa:aaa::5 
                2600:cccc::cccc:cccc:cccc:1122  tcp dpt:22
                ACCEPT     tcp      2001:bbb:bbbb:bbb::/64 
                2600:cccc::cccc:cccc:cccc:1122  tcp dpt:22
                ACCEPT     all      ::/0                 ::/0            

                Chain FORWARD (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all      ::/0                 ::/0           
                     ctstate RELATED,ESTABLISHED

                Chain OUTPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all      ::/0                 ::/0           
                     ctstate RELATED,ESTABLISHED
                ACCEPT     all      ::/0                 fe80::/10       
                ACCEPT     all      ::/0                 ff00::/8        
                ACCEPT     all      ::/0                 ::/0            

then starting

        systemctl start shorewall-lite 
        systemctl start shorewall6-lite 

loads the full/populated firewall configs

        iptables -L -n | wc
            207    1323   13782
        ip6tables -L -n | wc
            266    1610   18822

and everything's working as usual

If I restart JUST the IPv4 shorewall

        systemctl restart shorewall-lite 

the v4 firewall gets properly reloaded

        iptables -L -n | wc
            207    1323   13782

but the v6 firewall is stopped, dropped back to the stoppedrules config

        ip6tables -L -n | wc
             10      35     393
        ip6tables -L -n
                Chain INPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all      ::/0                 ::/0            

                Chain FORWARD (policy DROP)
                target     prot opt source               destination     

                Chain OUTPUT (policy DROP)
                target     prot opt source               destination     
                ACCEPT     all      ::/0                 ::/0            

I can easily start it again

        systemctl start shorewall6-lite 

        ip6tables -L -n | wc
            266    1610   18822

There's obviously some incorrect/broken/missing dependency between the
two.  How do I properly config shorewall &/or the systemd unit files to
maintain the IPv4 & IPv6 shorewall instances' independence?
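An added diagnostic (not part of the original post): it parses the two unit files quoted above, embedded here as constants with only their [Unit] sections since the other sections carry no dependency keys, and lists every unit that both instances depend on or are ordered against, which is where the v4 and v6 instances are coupled through systemd rather than through Shorewall.

```python
"""Find the systemd dependency edges shared by two unit files.
Added example; the two unit texts are copied from the post above."""
import re

SHOREWALL_LITE = """\
[Unit]
Description=shorewall-lite
After=syslog.target network.target
Before=shorewall-lite.target fail2ban.service
Requires=fail2ban.service
Wants=network.target
"""

SHOREWALL6_LITE = """\
[Unit]
Description=shorewall6-lite
After=syslog.target network.target
Before=shorewall6-lite.target fail2ban.service
Requires=fail2ban.service
Wants=network.target
"""

# [Unit] dependency keys: space-separated lists that accumulate if repeated.
DEP_KEYS = ("Requires", "BindsTo", "PartOf", "Wants", "Before", "After")


def parse_unit(text):
    """Return {section: {key: [values]}} for a systemd unit file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = re.fullmatch(r"\[(\w+)\]", line)
        if match:
            current = sections.setdefault(match.group(1), {})
            continue
        if current is None:  # key before any section header: ignore
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).extend(value.split())
    return sections


def shared_deps(unit_a, unit_b):
    """Map each dependency key to the units BOTH files list under it.
    A unit shared under Requires= is the strongest coupling: systemd
    restarts every unit that Requires= a unit when that unit is
    explicitly restarted, so both instances would move together."""
    a = parse_unit(unit_a).get("Unit", {})
    b = parse_unit(unit_b).get("Unit", {})
    return {k: sorted(set(a.get(k, [])) & set(b.get(k, [])))
            for k in DEP_KEYS if set(a.get(k, [])) & set(b.get(k, []))}
```

Running it on the two files reports fail2ban.service under both Requires= and Before=, plus the shared network/syslog targets, which are the edges to review when deciding how the two units should be decoupled.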

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users