I'm asking because I'm seeing two issues with the restart command when trying 
to move from shorewall to a more recent version (eg.

According to 
the "restart" option should behave the same way. So, if RESTART=restart then a 
"true" restart is done (stop&start). It won't be a "reload".

On both of my old and new shorewall systems, RESTART=restart. 

First issue:

Here's what I see when I ping to a host in CAIB zone at from a 
host in LAN zone while running "shorewall restart".

64 bytes from icmp_seq=4 ttl=59 time=4.06 ms
64 bytes from icmp_seq=5 ttl=59 time=2.77 ms
64 bytes from icmp_seq=6 ttl=59 time=2.30 ms
>From icmp_seq=7 Time to live exceeded
64 bytes from icmp_seq=8 ttl=59 time=2.97 ms
64 bytes from icmp_seq=9 ttl=59 time=4.23 ms
64 bytes from icmp_seq=10 ttl=59 time=2.98 ms

This is the content of stoppedrules:

ACCEPT          $IF_LAN                 $IF_IBS
ACCEPT          $IF_LAN                 $IF_CAIB

The IP addr. is on a gateway out the WAN interface.

The providers file contains:
WAN     1       1       -       $IF_WAN         $ADDR_GW_WAN    track,primary
CAIB    2       2       -       $IF_CAIB        $ADDR_GW_CAIB   track,fallback=1
IBS     3       3       -       $IF_IBS         $ADDR_GW_IBS    track,fallback=1

The rtrules file contains:
-                        CAIB            11692

So I guess that if I wanted to allow all traffic from lan to caib and to ibs 
then I would also have to modify the routing table.
I think I should do this in the "stopped" file with something like this:

route add gw $ADDR_GW_CAIB

I haven't tried it though. Does it make sense?

Also, would I need to remove the route entries listed in "stopped" when 
shorewall starts again? Would I need to add something like this in the 
"started" or "start" files? Which file BTW? (I would need to do that before 
Shorewall starts handling routes)

route del

Alternatively, if I could do without running the code in "stopped" and 
"started" then I could issue a "shorewall reload".
However, I've seen the "From icmp_seq=38 Time to live exceeded" 
message even when issuing a "reload".
So it seems that in this particular case (maybe due to the providers&rtrules 
settings) a reload and a restart behave alike (only tested with as is not in production yet).

The second issue regards performance on a restart or a reload.

Both of my systems (5.0 / 5.1) have the same ruleset of about 7000 lines.
Shorewall 5.0 is running on a "weak" server whereas 5.1 is on much more 
powerful hardware.

With 5.0:

# time /etc/init.d/shorewall restart
real    0m14.793s
user    0m8.780s
sys     0m1.480s

With 5.1:

# time /etc/init.d/shorewall restart
real 0m45.981s
user 0m42.410s
sys  0m2.310s

The difference between the two is staggering.
It's probably due to the OPTIMIZE option in shorewall.conf, right?

In shorewall the default value for OPTIMIZE is 0.
In the default value is All despite the man page saying that "The 
default value is zero which disables all optimizations" (that was true for 
older versions).

So I guess I have to set OPTIMIZE=0 or None in 5.1 in order to get similar or 
better timings.

BTW, I'm wondering if the OPTIMIZE option could somehow explain the other issue 
I'm having in the ML thread "traffic issues through firewall router".
I'll do a test asap.


Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list

Reply via email to