On 7/19/19 10:16 AM, Naveen Neelakanta wrote:
> Hi All,
>
> I am seeing an issue with an ssh session getting dropped when I
> restart shorewall. I restart shorewall when there is a config change.
>
> Issue:
>
> 1) Start a connection from the box to a remote IP and send traffic.
> This will create a conntrack entry like the one below, with zone=1:
>
> ipv4 2 tcp 6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
>
> 2) When I restart shorewall, because it flushes the iptables rules, I
> believe, and since there are then no iptables rules, another
> connection-tracking entry is created with zone=0, which causes the
> connection to drop:
>
> ipv4 2 tcp 6 159 ESTABLISHED src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 [ASSURED] mark=0 *zone=0* use=2
> ipv4 2 tcp 6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
>
> I have the zone entry in the conntrack file with the lines below:
>
> IPTABLES(CT --zone 1)    eth5         -
> IPTABLES(CT --zone 1):O  0.0.0.0/0    eth5
>
> I would appreciate any steps to avoid the default zone=0 conntrack
> entry getting created, even though we have a connection entry present
> for the flow.
What version of Shorewall are you running? And what is the setting (if
any) of RESTART in shorewall.conf?

-Tom
--
Tom Eastep             \   Q: What do you get when you cross a mobster with
Shoreline,              \     an international standard?
Washington, USA          \ A: Someone who makes you an offer you can't
http://shorewall.org      \   understand
\_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users