Thank you Erich, that was the step I missed: dynamic zone. It's working OK across shorewall stop/start, I will have to wait until tonight to try a reboot.
Tom, I have gone back to SAVE_IPSETS=Yes in shorewall.conf rather than using the shorewall-init feature. Is there a reason to use one rather than the other? Also, is it OK to add entries using ipset add, which seems to be a lot faster than shorewall add?

On Mon, Apr 13, 2020 at 9:21 PM Tom Eastep <teas...@shorewall.net> wrote:
> On 4/13/20 12:36 PM, Tom Eastep wrote:
> > On 4/13/20 10:42 AM, Norman Henderson wrote:
> >> Hi all,
> >>
> >> I am struggling with an ipset that needs to be present or else shorewall
> >> does not start. It gets created outside shorewall by a script that
> >> periodically downloads a list of country IPs. I cannot manage to get it
> >> preserved across a "shutdown -r now" let alone, God forbid, a hard crash
> >> and restart.
> >>
> >> I have tried SAVE_IPSETS=Yes in shorewall.conf and
> >> also SAVE_IPSETS="/var/lib/shorewall/ipset-init-save" in
> >> /etc/default/shorewall-init.
> >>
> >> In the latter case, the file is not created. There are files, presumably
> >> from the SAVE_IPSETS=Yes in shorewall.conf,
> >> /var/lib/shorewall/ipsets.temp and ipsets.save but they only contain the
> >> dynamic blacklist ipset, not the country list ipset. In neither case
> >> does that ipset get restored.
> >
> > Both options should not be set simultaneously. After setting
> > SAVE_IPSETS=Yes, did you recompile the firewall script before rebooting?
> >
>
> There is another sharp edge here. If you set
> SAVE_IPSETS="/var/lib/shorewall/ipset-init-save" in
> /etc/default/shorewall-init but shorewall-init hasn't been started by
> systemd, then when you reboot, shorewall-init won't be stopped and
> /var/lib/shorewall/ipset-init-save won't be created. So, when
> shorewall-init is started during boot, it won't find the file and the
> ipsets won't be created/restored.
>
> You can work around this by using:
>
> ipset save > /var/lib/shorewall/ipset-init-save
>
> before rebooting after setting SAVE_IPSETS in /etc/default/shorewall-init.
>
> > -Tom
>
> -Tom
> --
> Tom Eastep          \   Q: What do you get when you cross a mobster
> Shoreline,           \     with an international standard?
> Washington, USA       \ A: Someone who makes you an offer you
> http://shorewall.org   \   can't understand
>   \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
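As an added example, not from the thread or the Shorewall project: a small POSIX shell check that a saved ipset dump (such as the /var/lib/shorewall/ipset-init-save file discussed above) actually contains the sets the firewall depends on, so the gap Tom describes (file missing, or missing the country-list set) is caught before rebooting. The set names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that an "ipset save" dump contains the sets shorewall
# needs before you reboot. Set names and the dump below are constructed.

# Constructed sample of "ipset save" output, written to a temp file.
SAMPLE_SAVE=$(mktemp)
cat > "$SAMPLE_SAVE" <<'EOF'
create SW_DBL4 hash:net family inet hashsize 1024 maxelem 65536 timeout 0
add SW_DBL4 203.0.113.7 timeout 0
create countrylist hash:net family inet hashsize 1024 maxelem 65536
add countrylist 198.51.100.0/24
add countrylist 192.0.2.0/24
EOF

# ipset_has_set FILE SET -> exit 0 if a "create SET ..." line exists in FILE
ipset_has_set() {
    awk -v s="$2" '$1 == "create" && $2 == s { found = 1 } END { exit !found }' "$1"
}

# ipset_entry_count FILE SET -> prints the number of "add SET ..." lines
ipset_entry_count() {
    awk -v s="$2" '$1 == "add" && $2 == s { n++ } END { print n + 0 }' "$1"
}

# check_required_sets FILE SET... -> exit 0 only if every named set is
# present in the dump and has at least one member; reports problems on stderr
check_required_sets() {
    file=$1; shift
    rc=0
    for s in "$@"; do
        if ! ipset_has_set "$file" "$s"; then
            echo "missing set: $s" >&2; rc=1
        elif [ "$(ipset_entry_count "$file" "$s")" -eq 0 ]; then
            echo "empty set: $s" >&2; rc=1
        fi
    done
    return $rc
}

# Usage against the constructed dump; with a real system you would point
# this at /var/lib/shorewall/ipset-init-save after running "ipset save".
check_required_sets "$SAMPLE_SAVE" SW_DBL4 countrylist \
    && echo "all required sets present and populated"
```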