On 10/28/2017 5:16 PM, da...@justemail.net wrote:
> Hi Tom,
>
> I'm having a tough time getting this all straight.
>
> My systemd OpenVPN.service has
>
> Wants=network-online.target shorewall-lite.service
> After=syslog.target network-online.target shorewall-lite.service
>
> According to systemd docs
>
> "Wants=: This directive is similar to Requires=, but less strict.
> Systemd will attempt to start any units listed here when this unit
> is activated. If these units are not found or fail to start, the
> current unit will continue to function. This is the recommended way
> to configure most dependency relationships. Again, this implies a
> parallel activation unless modified by other directives."
>
> So REMOVE the dependency in both Wants/After on 'shorewall-lite'?

Yes.

>
> My firewall's 'interfaces' has
>
> vpn VPNIF optional,physical=tun1,routefilter=0,logmartians=0,routeback=1
>
> This is clear
>
> "- Don't make the TUN interface 'optional'."
>
> So that changes
>
> - vpn VPNIF optional,physical=tun1,routefilter=0,logmartians=0,routeback=1
> + vpn VPNIF physical=tun1,routefilter=0,logmartians=0,routeback=1
>
>
> Not sure what to do with this one,
>
> "- Don't use any option for the TUN interface in /etc/shorewall
> /interfaces that causes a change in /proc/sys/net/config/."
>
> When I look in there
>
> cd /proc/sys/net/
> ls
> bridge/ core/ ipv4/ ipv6/ netfilter/ nf_conntrack_max unix/
>
> What changes do I look for?

Delete 'routefilter=0' and 'logmartians=0'

>
> And for this one
>
> "- Don't name the TUN interface in the SOURCE column of the masq
> file."
>
> In my masq file I've got this
>
> #IFC:DEST          SRC            ADDRESS      PROTO    PORT(S)
> ...
> VPNIF:10.1.1.53    10.254.254.1   10.1.10.53   tcp,udp  53

That is fine.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users