On 4/13/20 12:36 PM, Tom Eastep wrote:
> On 4/13/20 10:42 AM, Norman Henderson wrote:
>> Hi all, 
>>
>> I am struggling with an ipset that needs to be present or else shorewall
>> does not start. It gets created outside shorewall by a script that
>> periodically downloads a list of country IPs. I cannot manage to get it
>> preserved across a "shutdown -r now", let alone, God forbid, a hard crash
>> and restart.
>>
>> I have tried SAVE_IPSETS=Yes in shorewall.conf and
>> also SAVE_IPSETS="/var/lib/shorewall/ipset-init-save" in
>> /etc/default/shorewall-init.
>>
>> In the latter case, the file is not created. There are files, presumably
>> from the SAVE_IPSETS=Yes in shorewall.conf,
>> /var/lib/shorewall/ipsets.temp and ipsets.save but they only contain the
>> dynamic blacklist ipset, not the country list ipset. In neither case
>> does that ipset get restored.
> 
> Both options should not be set simultaneously. After setting
> SAVE_IPSETS=Yes, did you recompile the firewall script before rebooting?
> 

There is another sharp edge here. If you set
SAVE_IPSETS="/var/lib/shorewall/ipset-init-save" in
/etc/default/shorewall-init but shorewall-init hasn't been started by
systemd, then when you reboot, shorewall-init won't be stopped and
/var/lib/shorewall/ipset-init-save won't be created. So, when
shorewall-init is started during boot, it won't find the file and the
ipsets won't be created/restored.

You can work around this by using:

   ipset save > /var/lib/shorewall/ipset-init-save

before rebooting after setting SAVE_IPSETS in /etc/default/shorewall-init.

-Tom

-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
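A pre-reboot check for the workaround Tom describes, added here as an example and not code from the thread or from the Shorewall project: after running `ipset save > /var/lib/shorewall/ipset-init-save`, confirm that the file actually contains the externally created set (with members) before rebooting, so the failure Norman hit (only the dynamic blacklist set being present) is caught while the machine is still up. The set name `countrylist` is a hypothetical stand-in for the country-list set; the save path is the one from the thread; the sample dump is constructed (`SW_DBL4` is Shorewall's dynamic-blacklist set name, the country entries are documentation-range addresses).

```sh
#!/bin/sh
# Added example (not from the thread): verify that the file shorewall-init
# restores ipsets from really contains the set shorewall needs, before
# rebooting. "countrylist" is a hypothetical set name; SAVE_FILE is the path
# quoted in the thread and can be overridden from the environment.

SAVE_FILE="${SAVE_FILE:-/var/lib/shorewall/ipset-init-save}"

# ipset_in_dump NAME FILE: succeed if FILE has a "create NAME ..." header line
ipset_in_dump() {
    grep -q "^create $1 " "$2"
}

# ipset_member_count NAME FILE: number of "add NAME ..." lines (0 if none;
# grep -c exits 1 on zero matches, so force success)
ipset_member_count() {
    grep -c "^add $1 " "$2" || true
}

# check_dump NAME FILE: 0 if NAME is in FILE with at least one member,
# 1 if the set header is absent, 2 if present but empty, 3 if FILE is
# missing or empty (the symptom when shorewall-init was never stopped)
check_dump() {
    name=$1; file=$2
    [ -s "$file" ] || { echo "$file missing or empty" >&2; return 3; }
    if ! ipset_in_dump "$name" "$file"; then
        echo "set $name not in $file; was it created before 'ipset save'?" >&2
        return 1
    fi
    n=$(ipset_member_count "$name" "$file")
    if [ "$n" -eq 0 ]; then
        echo "set $name is in $file but has no members" >&2
        return 2
    fi
    echo "set $name: $n members saved in $file"
    return 0
}

# save_and_check NAME: Tom's workaround (ipset save > file) followed by the
# check above. Needs root and the ipset tool; run it before rebooting.
save_and_check() {
    ipset save > "$SAVE_FILE" && check_dump "$1" "$SAVE_FILE"
}

# write_sample_dump FILE: constructed ipset-save output used by the demo.
# SW_DBL4 is the dynamic-blacklist set; the countrylist members are
# documentation-range prefixes, not real data.
write_sample_dump() {
    cat > "$1" <<'EOF'
create SW_DBL4 hash:net family inet hashsize 1024 maxelem 65536 timeout 0
create countrylist hash:net family inet hashsize 1024 maxelem 65536
add countrylist 192.0.2.0/24
add countrylist 198.51.100.0/24
EOF
}

case "${1:-}" in
    --demo)
        demo=$(mktemp)
        write_sample_dump "$demo"
        check_dump countrylist "$demo"                  # found, 2 members
        check_dump nosuchset "$demo" || echo "exit status $?"
        rm -f "$demo"
        ;;
    "") ;;                      # no arguments: only define the functions
    *)  save_and_check "$1" ;;  # e.g. ./ipset-precheck.sh countrylist
esac
```

Run it with `--demo` to see the checks against the constructed dump; on the firewall itself, run it as root with the real set name right after setting SAVE_IPSETS in /etc/default/shorewall-init and before the reboot. A non-zero exit from `check_dump` means shorewall-init would come up without the set, which is the condition that stops shorewall from starting.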