I'm asking because I'm seeing two issues with the restart command when trying 
to move from shorewall 5.0.14.1 to a more recent version (eg. 5.1.5.1).

According to 
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.14/releasenotes.txt, 
the "restart" option should behave the same way. So, if RESTART=restart then a 
"true" restart is done (stop&start). It won't be a "reload".

On both of my old and new shorewall systems, RESTART=restart. 
ADMINISABSENTMINDED is also set to Yes.

First issue:

Here's what I see when I ping to a host in CAIB zone at 10.215.9.172 from a 
host in LAN zone while running "shorewall restart".

[...]
64 bytes from 10.215.9.172: icmp_seq=4 ttl=59 time=4.06 ms
64 bytes from 10.215.9.172: icmp_seq=5 ttl=59 time=2.77 ms
64 bytes from 10.215.9.172: icmp_seq=6 ttl=59 time=2.30 ms
>From 172.16.0.2 icmp_seq=7 Time to live exceeded
64 bytes from 10.215.9.172: icmp_seq=8 ttl=59 time=2.97 ms
64 bytes from 10.215.9.172: icmp_seq=9 ttl=59 time=4.23 ms
64 bytes from 10.215.9.172: icmp_seq=10 ttl=59 time=2.98 ms

This is the content of stoppedrules:

ACCEPT          $IF_LAN                 $IF_IBS
ACCEPT          $IF_LAN                 $IF_CAIB

The IP addr. 172.16.0.2 is on a gateway out the WAN interface.

The providers file contains:
WAN     1       1       -       $IF_WAN         $ADDR_GW_WAN    track,primary
CAIB    2       2       -       $IF_CAIB        $ADDR_GW_CAIB   track,fallback=1
IBS     3       3       -       $IF_IBS         $ADDR_GW_IBS    track,fallback=1

The rtrules file contains:
-                       10.215.0.0/17           CAIB            11692

So I guess that if I wanted to allow all traffic from lan to caib and to ibs 
then I would also have to modify the routing table.
I think I should do this in the "stopped" file with something like this:

route add 10.215.0.0/17 gw $ADDR_GW_CAIB

I haven't tried it though. Does it make sense?

Also, would I need to remove the route entries listed in "stopped" when 
shorewall starts again? Would I need to add something like this in the 
"started" or "start" files? Which file BTW? (I would need to do that before 
Shorewall starts handling routes)

route del 10.215.0.0/17

Alternatively, if I could do without running the code in "stopped" and 
"started" then I could issue a "shorewall reload".
However, I've seen the "From 172.16.0.2 icmp_seq=38 Time to live exceeded" 
message even when issuing a "reload".
So it seems that in this particular case (maybe due to the providers&rtrules 
settings) a reload and a restart behave alike (only tested with 5.0.14.1 as 
5.1.5.1 is not in production yet).

The second issue regards performance on a restart or a reload.

Both of my systems (5.0 / 5.1) have the same ruleset of about 7000 lines.
Shorewall 5.0 is running on a "weak" server whereas 5.1 is on much more 
powerful hardware.

With 5.0:

# time /etc/init.d/shorewall restart
[...]
real    0m14.793s
user    0m8.780s
sys     0m1.480s

With 5.1:

# time /etc/init.d/shorewall restart
[...]
real 0m45.981s
user 0m42.410s
sys  0m2.310s

The difference between the two is staggering.
It's probably due to the OPTIMIZE option in shorewall.conf, right?

In shorewall 5.0.14.1 the default value for OPTIMIZE is 0.
In 5.1.5.1 the default value is All despite the man page saying that "The 
default value is zero which disables all optimizations" (that was true for 
older versions).

So I guess I have to set OPTIMIZE=0 or None in 5.1 in order to get similar or 
better timings.

BTW, I'm wondering if the OPTIMIZE option could somehow explain the other issue 
I'm having in the ML thread "traffic issues through firewall router".
I'll do a test asap.

Vieri

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to