Thanks very much Tom, see further comments below.
On Wed, Jun 21, 2017 at 4:15 PM, Tom Eastep <[email protected]> wrote:
> On 06/20/2017 11:21 PM, Norman Henderson wrote:
> > Thank you for this Tom. The "persistent" option is a good help, although
> > it has the side effect that on reload etc. Shorewall will try to
> > re-enable the provider, which is not desirable if it is flaky e.g. can
> > be enabled but won't pass traffic.
>
> That isn't intentional. I'll take a look.
>
I was basing the comment on the following from
shorewall.net/manpages/shorewall-providers.html:
Note
The generated script will attempt to reenable a disabled persistent
provider during execution of the *start*, *restart* and *reload* commands.
When persistent is not specified, only the *enable* and *reenable* commands
can reenable the provider.
>
> >
> > The change of name from lsm to foolsm has created some issues, in my
> > installation (just upgraded to 5.1.4.3) shorewall is still referring for
> > example to start_lsm rather than start_foolsm. Worked around for now
> > using start_lsm() { start_foolsm; } in lib.private.
>
> lib.private is a user-supplied library. So, yes, you needed to change it
> when lsm was renamed.
>
What I meant (and should have said) is that /var/lib/shorewall/.start
.restart .reload all contain various references to lsm and to start_lsm.
The workaround was to create lib.private containing start_lsm() {
start_foolsm; } as well as start_foolsm() { xxx }
>
> >
> > Yes, I see that I was incorrect; foolsm can in fact ping any address.
> > However, there is a statement somewhere that the source address for
> > pings is always autodiscovered. If that is true, it isn't possible to
> > ping from a determined interface except to an on-net address.
>
> Not true -- you specify the interface, and the address is then
> autodiscovered ON THAT INTERFACE.
Somehow I missed the device= keyword in foolsm.conf; there is also a
keyword sourceip= which confused me.
>
> >
> > Adding a route for a specific target address doesn't seem like a very
> > clean solution and creates other problems because the target address is
> > not only for monitoring, it is also used to establish tunnels etc. and
> > for those uses I need to be able to choose the "best" provider that is
> > up. Furthermore that implies that I need a different target address for
> > each provider, again not so good.
>
> Any monitor that you use will have those restrictions.
>
> >
> > On the other hand, I see there is a "sourceip=" option in foolsm.conf,
> > if that works then I should be OK. I am trying that but will have to
> > wait for at least one of the flaky providers to come up again (!)
> >
> > Finally: the suggested eventscript for foolsm uses argument ${4} as the
> > ${DEVICE} which is used for firewall enable / disable. I am seeing that
> > when the script gets called that argument is null. I am using the
> > ${NAME} instead for now, but any idea what might cause that?
> >
>
> Afraid not.
>
> -Tom
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
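For the eventscript question above, an added example that is not from this thread, foolsm or Shorewall: a skeleton that resolves the device defensively, preferring ${4} and falling back to ${NAME}, and logs what it is about to do before touching the firewall. It assumes the link state arrives as $1 ("up"/"down"), the device as $4, and NAME in the environment; these positions are taken from the thread, not verified against foolsm.

```shell
# Assumed calling convention (not verified against foolsm):
#   $1 = link state ("up" or "down"), $4 = device, NAME exported by foolsm.

# resolve_device ARG4 NAME -> prints the device to act on, fails if neither is set
resolve_device() {
    dev="$1"
    name="$2"
    if [ -n "$dev" ]; then
        printf '%s\n' "$dev"
    elif [ -n "$name" ]; then
        # Fallback described in the thread: use ${NAME} when ${4} is empty.
        printf '%s\n' "$name"
    else
        return 1
    fi
}

# action_for_state STATE -> prints the shorewall verb for a link state
action_for_state() {
    case "$1" in
        up)   echo enable ;;
        down) echo disable ;;
        *)    return 1 ;;
    esac
}

main() {
    DEVICE=$(resolve_device "${4:-}" "${NAME:-}") \
        || { echo "foolsm-event: no device in \$4 or \$NAME" >&2; return 2; }
    ACTION=$(action_for_state "${1:-}") \
        || { echo "foolsm-event: unknown state '${1:-}'" >&2; return 2; }
    # Record every transition so flapping providers are visible in syslog.
    logger -t foolsm-event "state=$1 name=${NAME:-} device=$DEVICE action=$ACTION"
    shorewall "$ACTION" "$DEVICE"
}

# Only act when installed under this (assumed) script name, so the functions
# can be sourced or tested without calling shorewall.
if [ "$(basename -- "$0")" = "foolsm-eventscript" ]; then
    main "$@"
fi
```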
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users