> -----Original Message-----
> From: Tom Eastep [mailto:teas...@shorewall.net]
> Sent: Tuesday, 29 November 2016 17:09
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 11/29/2016 01:42 AM, shorew...@iotti.biz wrote:
> > Hi all,
> >
> > I use shorewall in a two node active/backup firewall cluster. I issue
> > shorewall stop on the inactive node to apply the rules described in
> > stoppedrules, just to protect the backup node itself.
> > Unfortunately, shorewall stop has the (for me) unwanted side effect of
> > enabling routing, i.e. put 1 in /proc/sys/net/ipv4/ip_forward.
> > This produces some problems, mainly with proxy arp. I would like to
> > ask if there is a builtin way to make shorewall disable routing, only
> > when invoked with stop (I am aware of the IP_FORWARDING setting which
> > however is not specific for stop).
> >
> > Just for completeness, my stoppedrules file lists only rules where $FW
> > is the source or the destination. So routing, in my case, should not
> > be needed. Maybe I'm using too much fantasy, but I think it would be
> > even nicer if routing would be automatically disabled in such a
> > situation.
> >
> 
> Why don't you simply place this in /etc/shorewall/stopped?
> 
>       echo 0 > /proc/sys/net/ipv4/ip_forward

Yes that's what I'm doing actually. I was only curious if there was some
setting built-in, mainly because it seems strange to me (but my point of
view can be particular) that when the firewall is being stopped, ip_forward
is actively set to 1. 

Thank you, regards
Luigi


------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
