Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
On 11/20/2014 00:42 AM, Tom Eastep wrote:
> No -- but they are pretty obvious. Given the error message you are seeing, something you are doing requires the IP address of eth0. Some possibilities are:
>
> - You are calling find_first_interface_address() in your params file
> - You have used eth0 or %eth0 in one of your files
> - You have used detect: in a rule.
> - You have entered detect in the ADDRESS column in the masq file

Thanks Tom, and yes, that seems to be it. I have the Address column in masq as detect, probably for historical reasons from when I was setting it up in a test environment. That interface now has 17 IP addresses (recently increased from 9), 16 associated with DNAT rules. So masq would have been using them all as masqueraded addresses, which is not what I intended.

Regards - Philip

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
On 11/20/2014 3:38 AM, Philip Le Riche wrote:
> On 11/20/2014 00:42 AM, Tom Eastep wrote:
>> No -- but they are pretty obvious. Given the error message you are seeing, something you are doing requires the IP address of eth0. Some possibilities are:
>>
>> - You are calling find_first_interface_address() in your params file
>> - You have used eth0 or %eth0 in one of your files
>> - You have used detect: in a rule.
>> - You have entered detect in the ADDRESS column in the masq file
>
> Thanks Tom, and yes, that seems to be it. I have the Address column in masq as detect, probably for historical reasons from when I was setting it up in a test environment. That interface now has 17 IP addresses (recently increased from 9), 16 associated with DNAT rules. So masq would have been using them all as masqueraded addresses, which is not what I intended.

Actually, only the first IP address is used for SNAT when 'detect' is specified.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
Thanks Tom - it sounds like adding something like required,wait=5 would at least be a viable work-around.

But reading between the lines, it seems you're saying that I could in all likelihood sidestep the problem completely, just by specifying optional instead (I presume required is the default - the man page is silent on that.)

Is there a discussion somewhere of what configurations require required?

Regards - Philip

On 18/11/2014 16:47, Tom Eastep wrote:
> On 11/18/2014 1:12 AM, Philip Le Riche wrote:
>> I'm using Shorewall to protect a school network from a classroom network of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY. All was working fine, starting up successfully on boot until I did the following:
>>
>> - Installed isc-dhcp-server to serve dhcp to guest Pis
>> - Installed Apache2 and a cgi script to report DHCP leases
>> - Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules (bringing it to 16) mapping them to classroom IP addresses
>> - Installed OpenSSH for firewall maintenance
>> - Added Shorewall ACCEPT rules with destination $FW for the above.
>>
>> Now Shorewall doesn't start on boot, and neither does sshd, but both start successfully if you log in and type shorewall start and service sshd start. (Apache and dhcp-server start up ok.)
>>
>> The problem seems to be that eth0 is still not up by the time the Shorewall and sshd init scripts get run. In shorewall-init.log there are messages
>>
>>     Can't determine the IP address of eth0
>
> You have configured Shorewall so that eth0 *must* be up before Shorewall can start. If that is really necessary (which I rather doubt), then:
>
> a) Specify 'required' on the eth0 entry in /etc/shorewall/interfaces
> b) Additionally, specify 'wait=N' where N is the number of seconds that you are willing to wait for eth0 to come up.
>
> -Tom

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
On 11/19/2014 3:12 AM, Philip Le Riche wrote:
> Thanks Tom - it sounds like adding something like required,wait=5 would at least be a viable work-around.

Yes.

> But reading between the lines, it seems you're saying that I could in all likelihood sidestep the problem completely, just by specifying optional instead (I presume required is the default - the man page is silent on that.)

The default is neither required nor optional. The firewall will start even if the interface doesn't exist, provided that you haven't used a configuration construct that requires the interface to be up in order to start.

> Is there a discussion somewhere of what configurations require required?

No -- but they are pretty obvious. Given the error message you are seeing, something you are doing requires the IP address of eth0. Some possibilities are:

- You are calling find_first_interface_address() in your params file
- You have used eth0 or %eth0 in one of your files
- You have used detect: in a rule.
- You have entered detect in the ADDRESS column in the masq file

-Tom

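The checks Tom lists in the message above can be run mechanically; the following is an added example, not part of the thread and not Shorewall's own code. The function name, the output format, the file names params, rules and masq, and the position of ADDRESS as the third column of masq are assumptions of this example.

```shell
#!/bin/sh
# Added example: not from the thread and not part of Shorewall.
# scan_iface_deps DIR IFACE
#   Prints "file:line: reason" for each construct in the Shorewall config
#   directory DIR that needs IFACE's address at start-up.
#   Returns 0 if anything was found, 1 if none of the checks matched.
# Assumptions: files are named params, rules and masq, and ADDRESS is the
# third whitespace-separated column of masq.
scan_iface_deps() {
    dir=$1
    iface=$2
    out=$(
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            awk -v iface="$iface" -v name="$(basename "$f")" '
                { sub(/#.*/, "") }      # strip comments
                NF == 0 { next }        # skip blank lines
                name == "params" && /find_first_interface_address/ {
                    print name ":" FNR ": find_first_interface_address() call" }
                index($0, "%" iface) {
                    print name ":" FNR ": %" iface " variable" }
                name == "rules" && /detect:/ {
                    print name ":" FNR ": detect: in a rule" }
                name == "masq" && $3 == "detect" {
                    print name ":" FNR ": detect in ADDRESS column" }
            ' "$f"
        done
    )
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Demo on a constructed configuration (sample data, not the poster's files).
demo() {
    tmp=$(mktemp -d)
    printf '#INTERFACE SOURCE ADDRESS\neth0 192.168.2.0/24 detect\n' > "$tmp/masq"
    printf 'net eth0 - required,wait=5\n' > "$tmp/interfaces"
    scan_iface_deps "$tmp" eth0
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```

The message gives its list as "some possibilities", so an empty result does not prove that nothing else in the configuration needs the interface's address.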
[Shorewall-users] Shorewall not starting on boot - eth0 not up yet
I'm using Shorewall to protect a school network from a classroom network of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY. All was working fine, starting up successfully on boot until I did the following:

- Installed isc-dhcp-server to serve dhcp to guest Pis
- Installed Apache2 and a cgi script to report DHCP leases
- Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules (bringing it to 16) mapping them to classroom IP addresses
- Installed OpenSSH for firewall maintenance
- Added Shorewall ACCEPT rules with destination $FW for the above.

Now Shorewall doesn't start on boot, and neither does sshd, but both start successfully if you log in and type shorewall start and service sshd start. (Apache and dhcp-server start up ok.)

The problem seems to be that eth0 is still not up by the time the Shorewall and sshd init scripts get run. In shorewall-init.log there are messages

    Can't determine the IP address of eth0

and in /var/log/auth.log there are sshd messages

    Cannot bind any address.

Shorewall is running under Linux Mint 16. It may be arguable whether the Shorewall (and sshd) init scripts are at fault or whether the fault lies with networking startup, but it must be an issue other people round here have hit. Is there a recognised fix, either to delay startup of Shorewall (and sshd), or to ensure networking runs to completion before dependant init scripts are run? Googling for the sshd half of the problem only seems to come up with sticking plaster solutions.

Regards - Philip

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
Is Mint 16 using systemd?

--
Artur

On 18.11.2014 at 10:12, Philip Le Riche wrote:
> I'm using Shorewall to protect a school network from a classroom network of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY. All was working fine, starting up successfully on boot until I did the following:
>
> - Installed isc-dhcp-server to serve dhcp to guest Pis
> - Installed Apache2 and a cgi script to report DHCP leases
> - Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules (bringing it to 16) mapping them to classroom IP addresses
> - Installed OpenSSH for firewall maintenance
> - Added Shorewall ACCEPT rules with destination $FW for the above.
>
> Now Shorewall doesn't start on boot, and neither does sshd, but both start successfully if you log in and type shorewall start and service sshd start. (Apache and dhcp-server start up ok.)
>
> The problem seems to be that eth0 is still not up by the time the Shorewall and sshd init scripts get run. In shorewall-init.log there are messages
>
>     Can't determine the IP address of eth0
>
> and in /var/log/auth.log there are sshd messages
>
>     Cannot bind any address.
>
> Shorewall is running under Linux Mint 16. It may be arguable whether the Shorewall (and sshd) init scripts are at fault or whether the fault lies with networking startup, but it must be an issue other people round here have hit. Is there a recognised fix, either to delay startup of Shorewall (and sshd), or to ensure networking runs to completion before dependant init scripts are run? Googling for the sshd half of the problem only seems to come up with sticking plaster solutions.
>
> Regards - Philip

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
No, I believe it uses Upstart.

- Philip

On 18/11/2014 09:44, Artur Uszyński wrote:
> Is Mint 16 using systemd?
>
> --
> Artur
>
> On 18.11.2014 at 10:12, Philip Le Riche wrote:
>> I'm using Shorewall to protect a school network from a classroom network of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY. All was working fine, starting up successfully on boot until I did the following:
>>
>> - Installed isc-dhcp-server to serve dhcp to guest Pis
>> - Installed Apache2 and a cgi script to report DHCP leases
>> - Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules (bringing it to 16) mapping them to classroom IP addresses
>> - Installed OpenSSH for firewall maintenance
>> - Added Shorewall ACCEPT rules with destination $FW for the above.
>>
>> Now Shorewall doesn't start on boot, and neither does sshd, but both start successfully if you log in and type shorewall start and service sshd start. (Apache and dhcp-server start up ok.)
>>
>> The problem seems to be that eth0 is still not up by the time the Shorewall and sshd init scripts get run. In shorewall-init.log there are messages
>>
>>     Can't determine the IP address of eth0
>>
>> and in /var/log/auth.log there are sshd messages
>>
>>     Cannot bind any address.
>>
>> Shorewall is running under Linux Mint 16. It may be arguable whether the Shorewall (and sshd) init scripts are at fault or whether the fault lies with networking startup, but it must be an issue other people round here have hit. Is there a recognised fix, either to delay startup of Shorewall (and sshd), or to ensure networking runs to completion before dependant init scripts are run? Googling for the sshd half of the problem only seems to come up with sticking plaster solutions.
>>
>> Regards - Philip

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
At 11/18/2014 04:12 AM, Philip Le Riche wrote:
> ...
> Shorewall is running under Linux Mint 16. It may be arguable whether the Shorewall (and sshd) init scripts are at fault or whether the fault lies with networking startup, but it must be an issue other people round here have hit. Is there a recognised fix, either to delay startup of Shorewall (and sshd), or to ensure networking runs to completion before dependant init scripts are run? Googling for the sshd half of the problem only seems to come up with sticking plaster solutions.
>
> Regards - Philip

What is the setting in /etc/default/shorewall for wait_interface=?? If not set, try setting it.

Wayne

Re: [Shorewall-users] Shorewall not starting on boot - eth0 not up yet
On 11/18/2014 1:12 AM, Philip Le Riche wrote:
> I'm using Shorewall to protect a school network from a classroom network of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY. All was working fine, starting up successfully on boot until I did the following:
>
> - Installed isc-dhcp-server to serve dhcp to guest Pis
> - Installed Apache2 and a cgi script to report DHCP leases
> - Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules (bringing it to 16) mapping them to classroom IP addresses
> - Installed OpenSSH for firewall maintenance
> - Added Shorewall ACCEPT rules with destination $FW for the above.
>
> Now Shorewall doesn't start on boot, and neither does sshd, but both start successfully if you log in and type shorewall start and service sshd start. (Apache and dhcp-server start up ok.)
>
> The problem seems to be that eth0 is still not up by the time the Shorewall and sshd init scripts get run. In shorewall-init.log there are messages
>
>     Can't determine the IP address of eth0

You have configured Shorewall so that eth0 *must* be up before Shorewall can start. If that is really necessary (which I rather doubt), then:

a) Specify 'required' on the eth0 entry in /etc/shorewall/interfaces
b) Additionally, specify 'wait=N' where N is the number of seconds that you are willing to wait for eth0 to come up.

-Tom