On 9/24/2014 9:14 AM, PGNd wrote:
> I'm (still) trying to troubleshoot SW + interface behavior on boot/startup.
> The boot process reports failures on interface checks, which resolve
> 'automagically' after boot's completed.
>
> Looking at my system's boot log
>
> journalctl -xb | awk '/vpn/ || /shorewall/ || ((/ifup/ || /ifdown/ || /service/) && (/eth0/ || /tun1/))'
>
> Sep 24 08:02:07 fw shorewall-init[935]: Initializing "Shorewall-based firewalls": Stopping Shorewall Lite....
> Sep 24 08:02:08 fw shorewall-init[935]: done.
> Sep 24 08:02:08 fw shorewall-init[935]: Stopping Shorewall6 Lite....
> Sep 24 08:02:08 fw shorewall-init[935]: done.
>
> ... shorewall-init has done its thing,
>
> Sep 24 08:02:09 fw systemd[1]: Starting ifup managed network interface eth0...
> -- Subject: Unit ifup@eth0.service has begun with start-up
> -- Unit ifup@eth0.service has begun starting up.
> Sep 24 08:02:10 fw ifup[1682]: eth0 device: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
> Sep 24 08:02:26 fw systemd[1]: Started ifup managed network interface eth0.
> -- Subject: Unit ifup@eth0.service has finished start-up
> -- Unit ifup@eth0.service has finished starting up.
>
> ... the external interface, eth0, is up,
>
> Sep 24 08:02:58 fw systemd[1]: Starting ifup managed network interface tun1...
> -- Subject: Unit ifup@tun1.service has begun with start-up
> -- Unit ifup@tun1.service has begun starting up.
> Sep 24 08:02:58 fw ifup[3146]: tun1
> Sep 24 08:02:58 fw ifup[3213]: tun1
> Sep 24 08:02:58 fw ifup[3146]: tun1 Set 'tun1' persistent and owned by uid 499 gid 499
>
> ... the vpn tunnel interface, tun1, is up,
>
> -- Subject: Unit openvpn.service has begun with start-up
> -- Unit openvpn.service has begun starting up.
> -- Subject: Unit openvpn.service has finished start-up
> -- Unit openvpn.service has finished starting up.
>
> ... the openvpn.service is up,

Which doesn't mean that the VPN is up. It merely means that the daemon has started.

> next, shorewall-lite starts
>
> Sep 24 08:03:13 fw systemd[1]: Starting shorewall-lite...
> -- Subject: Unit shorewall-lite.service has begun with start-up
> -- Unit shorewall-lite.service has begun starting up.
> Sep 24 08:03:13 fw shorewall-lite[3450]: Starting Shorewall Lite....
>
> ... but fails to ping the 1st provider's interface, eth0,
>
> Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0

Does your 'stopped' Shorewall configuration allow outgoing ping and the related responses? Remember that Shorewall-init has stopped Shorewall.

> Sep 24 08:03:14 fw shorewall-lite[3450]: Initializing...
> Sep 24 08:03:15 fw shorewall-lite[3450]: Processing init user exit ...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Processing tcclear user exit ...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Route Filtering...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Martian Logging...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Accept Source Routing...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Proxy ARP...
> Sep 24 08:03:16 fw shorewall-lite[3450]: Adding Providers...
> Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
> Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started

Because those are WARNINGs, it means that both eth0 and tun1 are defined as 'optional'. So the configuration starts, but multi-ISP isn't configured completely.

> Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: No Default route added (all 'balance' providers are down)
> Sep 24 08:03:17 fw shorewall-lite[3450]: NOTICE: Default route restored
> Sep 24 08:03:17 fw shorewall-lite[3450]: Preparing iptables-restore input...
> Sep 24 08:03:17 fw shorewall-lite[3450]: Running /usr/sbin/iptables-restore...
> Sep 24 08:03:17 fw shorewall-lite[3450]: IPv4 Forwarding Enabled
> Sep 24 08:03:17 fw shorewall-lite[3450]: Processing start user exit ...
> Sep 24 08:03:17 fw shorewall-lite[3450]: Processing started user exit ...
> Sep 24 08:03:17 fw shorewall-lite[3450]: done.
> -- Subject: Unit shorewall-lite.target has begun with start-up
> -- Unit shorewall-lite.target has begun starting up.
>
> ... shorewall-lite never announces that it "has finished starting up."

Shorewall-lite has announced that it is finished (see the 'done.'). systemd has not announced that it has finished.

> Shorewall6-lite begins startup,
>
> Sep 24 08:03:17 fw systemd[1]: Starting shorewall6-lite...
> -- Subject: Unit shorewall6-lite.service has begun with start-up
> -- Unit shorewall6-lite.service has begun starting up.
> Sep 24 08:03:17 fw shorewall6-lite[3819]: Starting Shorewall6 Lite....
> Sep 24 08:03:17 fw shorewall6-lite[3819]: Initializing...
> Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing init user exit ...
> Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing tcclear user exit ...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up Proxy NDP...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Preparing ip6tables-restore input...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Running /usr/sbin/ip6tables-restore...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: IPv6 Forwarding Enabled
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up IPv6 Interface Forwarding...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing start user exit ...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing started user exit ...
> Sep 24 08:03:18 fw shorewall6-lite[3819]: done.
> -- Subject: Unit shorewall6-lite.target has begun with start-up
> -- Unit shorewall6-lite.target has begun starting up.
> -- Subject: Unit shorewall6-lite.target has finished start-up
> -- Unit shorewall6-lite.target has finished starting up.
>
> and finishes successfully.
>
> But, immediately AFTER boot's complete, at shell, both ping to the 'net via eth0,
>
> ping 8.8.8.8 -c1
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=61.6 ms
>
> --- 8.8.8.8 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 61.663/61.663/61.663/0.000 ms
>
> and ping to the other side of the vpn, via tun1,
>
> ping 192.168.0.10 -c1
> PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
> 64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=45.8 ms
>
> --- 192.168.0.10 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 45.833/45.833/45.833/0.000 ms
>
> work correctly, and SW status shows,
>
> shorewall-lite status
> Shorewall Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:25 PDT 2014
>
> Shorewall Lite is running
> State:Started (Wed Sep 24 08:03:17 PDT 2014) from /usr/local/etc/shorewall/IPv4/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.3.4)

Do 'shorewall status -i'. You will probably see that both provider interfaces are disabled.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
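The two WARNING lines Tom points at are the symptom worth catching at boot: the firewall came up (and `shorewall-lite status` reports "Started"), but with both multi-ISP providers not started, so the box was briefly running without the intended routing and without the provider-specific rules. The script below is an added example, not code from this thread or from the Shorewall project; it scans journal text in the format quoted above and reports providers that did not start, failed pre-start pings, and the "No Default route added" condition. The sample log lines are constructed here from the excerpt in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): detect a
# Shorewall-lite multi-ISP startup in which provider interfaces were not
# usable yet, using the journal line format quoted in the thread.

# Constructed sample, modelled on the shorewall-lite journal excerpt above.
SAMPLE_LOG=$(cat <<'EOF'
Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0
Sep 24 08:03:16 fw shorewall-lite[3450]: Adding Providers...
Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started
Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: No Default route added (all 'balance' providers are down)
Sep 24 08:03:17 fw shorewall-lite[3450]: done.
EOF
)

# Read journal text on stdin; print "<provider> <interface>" for each provider
# the firewall reported as not started because its interface was not usable.
unstarted_providers() {
    sed -n 's/.*WARNING: Interface \([^ ]*\) is not usable -- Provider \([^ ]*\) ([0-9]*) not Started.*/\2 \1/p'
}

# Read journal text on stdin; print the interface of each failed pre-start ping
# (the "BAD ping @ INTFC=..." line that precedes the provider warnings).
bad_ping_interfaces() {
    sed -n 's/.*BAD ping @ INTFC=\([^ ]*\).*/\1/p'
}

# Read journal text on stdin; succeed only if every provider started.
providers_ok() {
    [ -z "$(unstarted_providers)" ]
}

# Read journal text on stdin; succeed if the firewall reported that no default
# route was added because all 'balance' providers were down. That is the
# degraded state a boot-time health check should alert on.
no_default_route() {
    grep -q 'WARNING: No Default route added'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | unstarted_providers
printf '%s\n' "$SAMPLE_LOG" | providers_ok || echo "multi-ISP came up degraded"
```

On the live system, feed the functions the real journal for the current boot, e.g. `journalctl -b -u shorewall-lite | providers_ok`, from a check that runs after the network is up; a failure means the provider interfaces were not usable when the firewall started and, as Tom says, `shorewall status -i` is the place to confirm which ones are still disabled.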
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
