I see this in my boot log:
...
-- Unit ifup@tun1.service has begun starting up.
Sep 24 10:51:47 fw ifup[3293]: tun1
Sep 24 10:51:47 fw ifup[3360]: tun1
Sep 24 10:51:47 fw ifup[3293]: tun1 Set 'tun1' persistent and owned by uid 499 gid 499
Sep 24 10:51:59 fw systemd[1]: Started ifup managed network interface tun1.
-- Subject: Unit ifup@tun1.service has finished start-up
-- Unit ifup@tun1.service has finished starting up.
Here, the tun1 interface is supposedly 'up'.
This originates from a system config of:
cat /etc/sysconfig/network/ifcfg-tun1
BOOTPROTO='static'
STARTMODE='auto'
TUNNEL='tun'
TUNNEL_SET_GROUP='openvpn'
TUNNEL_SET_OWNER='openvpn'
TUNNEL_SET_PERSISTENT='yes'
IPV6INIT='no'
IPADDR="0.0.0.0"
Next, openvpn is brought up:
-- Subject: Unit openvpn.service has begun with start-up
-- Unit openvpn.service has begun starting up.
And then shorewall-lite starts:
Sep 24 10:52:01 fw systemd[1]: Starting shorewall-lite...
-- Subject: Unit shorewall-lite.service has begun with start-up
-- Unit shorewall-lite.service has begun starting up.
Sep 24 10:52:02 fw shorewall-lite[3597]: Starting Shorewall Lite....
Note that the eth0 ping test succeeds:
Sep 24 10:52:03 fw shorewall-lite[3597]: OK ping @ INTFC=eth0
but that the tun1 ping test is now just missing:
Sep 24 10:52:03 fw shorewall-lite[3597]: Initializing...
and only NOW are some interface settings applied:
Sep 24 10:52:04 fw sudo[3738]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip link set dev tun1 up mtu 1500
Sep 24 10:52:04 fw shorewall-lite[3597]: Processing init user exit ...
Sep 24 10:52:04 fw sudo[3754]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip addr add dev tun1 10.0.0.2/24 broadcast 10.0.0.255
Sep 24 10:52:04 fw sudo[3771]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip route add 10.200.0.0/24 via 10.0.0.1
which originate from the openvpn config/setup.
IIUC ^^^, shorewall-lite's start -- and the interface test for tun1 -- needs to wait until AFTER those openvpn configs are applied.
Currently, I thought this would do the trick:
cat /etc/systemd/system/shorewall-lite.service
[Unit]
Description=shorewall-lite
After=syslog.target network-online.target openvpn.target
Before=shorewall-lite.target
Wants=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
StandardOutput=syslog
ExecStart=/usr/sbin/shorewall-lite start
ExecStop=/usr/sbin/shorewall-lite stop
[Install]
WantedBy=multi-user.target
Where 'network-online.target' is used, per
"Cut the crap! How do I make network.target work for me?"
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
"...
Alternatively, you can change your service that needs the
network to be up, to include After=network-online.target and
Wants=network-online.target.
..."
in order to
"...
ensure that all configured network devices are up and have an
IP address assigned before boot continues."
Apparently, that's not having the intended effect wrt shorewall-lite.
Where's the right place to get shorewall-lite to 'wait' for that tun1 interface's complete config by openvpn?
_______________________________________________
Shorewall-users mailing list
shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
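One way to make shorewall-lite actually wait for the tunnel, as an added example that is not part of the original post nor of Shorewall or OpenVPN: a POSIX shell script that polls `ip` until tun1 is UP and carries an IPv4 address, plus a systemd drop-in that orders shorewall-lite after openvpn.service and runs that poll as ExecStartPre. After= only orders against the named unit's own start-up, which for a daemonising openvpn can be before the tunnel is configured, and an After= on a target that does not exist on the system is silently ignored, so the readiness check is made explicit. Assumed here: the interface is tun1 and the OpenVPN unit is openvpn.service (both as in the log above), the script is installed at the hypothetical path /usr/local/sbin/wait-for-tun1, and the drop-in directory is /etc/systemd/system/shorewall-lite.service.d. The `ip -o` output strings in the comments are constructed samples, not copied from the poster's host.

```shell
#!/bin/sh
# wait-for-tun1: added example, not code from the original post.
# Blocks until an interface is UP and has an IPv4 address, so that a unit
# ordered after it (shorewall-lite here) sees a fully configured tunnel.
set -u

# Pure text check on captured `ip -o link show dev IF` ($1) and
# `ip -o -4 addr show dev IF` ($2) output, kept separate from the polling
# loop so it can be exercised offline with constructed output, e.g.
#   '5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 ...'
#   '5: tun1    inet 10.0.0.2/24 brd 10.0.0.255 scope global tun1\ ...'
iface_ready() {
    link_out=$1
    addr_out=$2
    # Link flags are printed as <...,UP,LOWER_UP>; match UP between the
    # delimiters so LOWER_UP alone does not count as administratively up.
    printf '%s\n' "$link_out" | grep -q '[<,]UP[,>]' || return 1
    # An ifconfig'd tunnel has an "inet a.b.c.d/len" entry.
    printf '%s\n' "$addr_out" | grep -q 'inet [0-9][0-9.]*/[0-9]' || return 1
    return 0
}

# Poll up to $2 seconds (default 60) for interface $1 to become ready.
wait_for_iface() {
    iface=$1
    deadline=${2:-60}
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        link_out=$(ip -o link show dev "$iface" 2>/dev/null || true)
        addr_out=$(ip -o -4 addr show dev "$iface" 2>/dev/null || true)
        if iface_ready "$link_out" "$addr_out"; then
            echo "$iface ready after ${elapsed}s"
            return 0
        fi
        elapsed=$((elapsed + 1))
        sleep 1
    done
    echo "timed out after ${deadline}s waiting for $iface" >&2
    return 1
}

# Write a systemd drop-in for shorewall-lite.service into directory $1
# (normally /etc/systemd/system/shorewall-lite.service.d). $2 is the path
# this script is installed at (hypothetical default). Prints the file name.
write_dropin() {
    dir=$1
    script=${2:-/usr/local/sbin/wait-for-tun1}
    mkdir -p "$dir"
    cat > "$dir/wait-tun1.conf" <<EOF
[Unit]
# Order on the service unit seen in the log, not on a target that may not exist.
After=openvpn.service network-online.target
Wants=openvpn.service network-online.target

[Service]
# If tun1 never comes up this fails the unit instead of starting the firewall
# against an interface that is not configured yet.
ExecStartPre=$script tun1 60
EOF
    printf '%s\n' "$dir/wait-tun1.conf"
}

# Run as "wait-for-tun1 IFACE [SECONDS]"; with no arguments only the
# functions above are defined (handy when sourcing).
case "${1:-}" in
    "") ;;
    *)  wait_for_iface "$1" "${2:-60}" ;;
esac
```

Install the script, call write_dropin with the real drop-in directory, then `systemctl daemon-reload` before the next `systemctl start shorewall-lite`. The drop-in is additive, so the poster's own unit file stays as it is; if the check times out, `systemctl status shorewall-lite` shows the ExecStartPre failure rather than a silently missing tun1 ping test.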