On 5/9/2014 7:01 PM, Bill Shirley wrote:
>
> On 5/5/2014 12:11 PM, Emiliano Marino wrote:
>> Hi! This is my first email to this mailing list.
>>
>> I am playing with ipsets and Shorewall, and I'm failing to create (using
>> Shorewall) an ipset with a default timeout.
>> When Shorewall compiles, it throws a warning saying that the ipset does
>> not exist (which is right), and when it starts,
>> at some stage of the init procedure, it creates the ipset.
>> I can't (or don't know how to) change the Shorewall command that creates the ipset.
>> I even tried to use the "init" script, but
>> the ipset is already created when the script is executed.
>>
>> So, does anybody have a suggestion?
>> I know that if I make a script that creates the ipset before Shorewall starts, I
>> can do it, but I prefer to do it inside
>> or with Shorewall terms.
>>
>> Sorry for my English :)
>> Thanks in advance
>
> I define my ipsets in /etc/shorewall/init:
> modprobe ip_set
> ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
> ipset -exist create fail2ban-Ip hash:ip timeout 86400
>
> This is on Fedora 19 with SELinux. SELinux will deny the 'ipset create' by
> default when run by systemctl. I created a
> policy to allow it:
> module my_shorewall_ipset 1.0;
>
> require {
> type shorewall_t;
> type kernel_t;
> class system module_request;
> }
>
> #============= shorewall_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow shorewall_t kernel_t:system module_request;

Additionally, in the just-uploaded 4.6.0-RC3, the 'init' user exit is executed prior to creation of the ipsets.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
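The following is an added example, not code from the thread or from the Shorewall project. It turns Bill's /etc/shorewall/init approach into a user exit that creates the two sets idempotently, then verifies from the kernel's own `ipset list -t` header that the default timeout was actually applied (a set created without `timeout` would keep blocked entries forever, which is the misconfiguration worth catching), and it wraps the build/load steps for the SELinux module Bill posted. Assumptions: Shorewall sources the file with `$COMMAND` set to the command being run (the `case` guard keeps a plain `sh` of the file side-effect free); the set names and timeouts are the ones from Bill's post; `checkmodule`, `semodule_package` and `semodule` come from policycoreutils; the `ipset list -t` sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Assumed to be
# installed as /etc/shorewall/init and sourced by Shorewall with $COMMAND
# set; set names/timeouts are the ones Bill posted.

# Extract the default timeout from the text of 'ipset list -t NAME'
# (-t prints only the header, not the members). Prints nothing when the set
# was created without a default timeout.
set_default_timeout() {
    printf '%s\n' "$1" | awk '/^Header:/ {
        for (i = 1; i <= NF; i++) if ($i == "timeout") print $(i + 1)
    }'
}

# Create the sets and confirm the kernel applied the requested timeout.
# '-exist' keeps a restart from failing on a set that is already there;
# 'timeout N' makes each added entry expire after N seconds unless the
# 'ipset add' overrides it.
create_sets() {
    modprobe ip_set 2>/dev/null || true      # no-op if loaded or built in
    ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
    ipset -exist create fail2ban-Ip hash:ip timeout 86400
    for spec in fail2ban-IpPort:3600 fail2ban-Ip:86400; do
        name=${spec%:*}; want=${spec#*:}
        got=$(set_default_timeout "$(ipset list -t "$name")")
        if [ "$got" != "$want" ]; then
            echo "ipset $name: expected default timeout $want, got '${got:-none}'" >&2
            return 1
        fi
    done
}

# Build and load the SELinux module from its .te source ($1) so that an
# 'ipset create' issued from the shorewall_t domain may request the module
# load. The broader alternative named in the audit2allow hint is:
#   setsebool -P domain_kernel_load_modules on
install_ipset_policy() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Constructed sample of 'ipset list -t fail2ban-Ip' output, so the parser
# can be exercised without root or the ipset tool installed.
SAMPLE_HEADER='Name: fail2ban-Ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 16592
References: 1'

# Only act when Shorewall is (re)building the firewall (assumed $COMMAND
# values); running the file by hand does nothing.
case "${COMMAND:-}" in
    start|restart) create_sets ;;
esac
```

Running `install_ipset_policy my_shorewall_ipset.te` once, with Bill's module saved under that name, is all the SELinux side needs; afterwards `shorewall restart` creates the sets and `set_default_timeout` fails the start loudly if a set ever ends up without its timeout.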
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users