On 5/25/13 2:37 PM, "Dash Four" <[email protected]> wrote:
> Tom Eastep wrote:
>>> I was right! It looks as though not all parts of the firewall file are
>>> executed when ifupdown-local gets started, as opposed to a direct
>>> "firewall start". Here is the diff produced before and after "shorewall
>>> reload" (I've omitted the counter differences and other such "noise"):
>>>
> Well, maybe not... I think I figured it out. I *do* have
> net.ipv4.ip_forward=0 in my /etc/sysctl.conf. Now, what I think is
> happening is that when the system brings all my devices up, "firewall"
> sets /proc/net.../ip_forward to 1, but then the sysctl.conf variable
> kicks in at the end of my system configuration/start up, reverting what
> shorewall has previously set up during the time when the network
> devices were brought up. Is that scenario feasible?

Yes.

>>> 'local' is/was a legitimate option in Beta2/3.
>>>
>>
>> Not in Beta 3. Again, 'local' is a zone type.
>>
> Do I specify this in "OPTIONS", "IN OPTIONS" or "OUT OPTIONS"?

It is a zone TYPE.

>>> May 25 17:06:12 test1 kernel: [ 85.305983] xt_CT: No such helper "ftp"
>>> May 25 17:06:12 test1 kernel: [ 85.369152] xt_CT: No such helper "ftp-0"
>>> May 25 17:06:12 test1 kernel: [ 85.426916] xt_CT: No such helper "irc"
>>> May 25 17:06:12 test1 kernel: [ 85.491393] xt_CT: No such helper "irc-0"
>>> May 25 17:06:12 test1 kernel: [ 85.550423] xt_CT: No such helper "amanda"
>>>
>>> /var/log/shorewall.log (shorewall startup log)
>>> ~~~~~~~~~~~~~~~~~~~~~~
>>> May 25 17:06:09 Processing /etc/shorewall/start ...
>>> May 25 17:06:10 Processing /etc/shorewall/started ...
>>>
>>> /var/log/shorewall-ifupdown.log (shorewall-init log)
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> [...]
>>> May 25 17:05:54 /sbin/ifup-local: Executing /var/lib//shorewall/firewall -V0 up eth0
>>>
>>> *** Note the times - it looks as though it happens at the very beginning
>>> (my guess is during shorewall compilation).
>>>
>>
>> The 'start' and 'started' scripts are run at the very end of the firewall
>> script's execution. Again, I want to look at the 'firewall' script.
>>
> I am assuming a similar thing is happening here. Although I do not have
> "net.netfilter.nf_conntrack_helper" set in my sysctl.conf (maybe I
> should explicitly disable it and set it to 0), I presume the "default"
> value if nothing specified is 1 (enabled).

Yes.

> Shorewall has two places
> where it manipulates this variable: at start where it does "echo 0 >
> /proc/sys/net/netfilter/nf_conntrack_helper", and then again, when the
> firewall is at stopped state it does the opposite - "echo 1 >
> /proc/sys/net/netfilter/nf_conntrack_helper". I notice that there isn't
> a diagnostic message displayed when this operation is done - maybe it is
> a good idea for you to add one.
>
> If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all
> of the above messages (or if the system's default value of
> "nf_conntrack_helper" is 1), then by simply adding
> "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should
> eliminate these obnoxious messages appearing, correct?

I frankly don't know -- I suggest trying it and see.

>>>>>>> 6. "shorewall update -D" does not check all files in /etc/shorewall:
>>>>>>>
>>>>>>> Compiling /etc/shorewall/interfaces...
>>>>>>> WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - consider
>>>>>>> running 'shorewall update -D' /etc/shorewall/interfaces (line 17)
>>>>>>>
>>>>>>> -bash-4.1# shorewall update -D
>>>>>>> Updating...
>>>>>>> Processing /etc/shorewall/params ...
>>>>>>> Processing /etc/shorewall/shorewall.conf...
>>>>>>> No update required to configuration file /etc/shorewall/shorewall.conf;
>>>>>>> /etc/shorewall/shorewall.conf.bak not saved
>>>>>>>
>>>>>>> "interfaces" is not changed (I had to do that manually).
>>>>>>>
>>>>>> Works for me.
>>>>>>
>>>>>> root@gateway:~# shorewall update -D
>>>>>> Updating...
>>>>>> Processing /etc/shorewall/params ...
>>>>>> Processing /etc/shorewall/shorewall.conf...
>>>>>> No update required to configuration file /etc/shorewall/shorewall.conf;
>>>>>> /etc/shorewall/shorewall.conf.bak not saved
>>>>>> Loading Modules...
>>>>>> Converting 'FORMAT' and 'COMMENT' lines to compiler directives...
>>>>>> File /etc/shorewall/interfaces updated - old file renamed /etc/shorewall/interfaces.bak
>>>>>> Running /etc/shorewall/compile...
>>>>>> Checking /etc/shorewall/zones...
>>>>>> Checking /etc/shorewall/interfaces...
>>>>>>
>>>>> Well, it doesn't work here.
>>>>>
>>>> I suspect that it is something about the file itself -- did you save a
>>>> copy?
>>>>
>>> -bash-4.1# ls -las /etc/shorewall
>>> 8 drwx------. 3 root root 4096 May 25 16:50 .
>>> [...]
>>> 8 -rw-------. 1 root root 1135 May 15 19:13 interfaces
>>>
>>> All files in /etc/shorewall have their permissions set at 600 (rw only
>>> on owner). In addition, the whole /etc/ partition has "noexec" attribute
>>> set in my fstab to prevent code being executed on that partition.
>>>
>>> -bash-4.1# cat /etc/shorewall/interfaces
>>> #
>>> # Shorewall version 4 - Interfaces File
>>> #
>>> # For information about entries in this file, type "man shorewall-interfaces"
>>> #
>>> # The manpage is also online at
>>> # http://www.shorewall.net/manpages/shorewall-interfaces.html
>>> #
>>> ###############################################################################
>>> FORMAT 2
>>> ###############################################################################
>>> #ZONE INTERFACE OPTIONS
>>> [...]
>>>
>>> So, on the face of it, nothing special apart from maybe the file
>>> permissions.
>>>
>> Please apply the attached debugging patch and post the output produced by
>> 'update -D'.
>>
> Nada! Same result as before - with or without this patch.

What output did it produce?

The patch adds diagnostic messages and warnings; it doesn't change the logic.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
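The ordering problem confirmed in the thread (a sysctl.conf applied late in boot silently reverting the ip_forward value the firewall script wrote) is easiest to catch with a post-boot check that compares what sysctl.conf requests against what the kernel currently holds. The script below is an added example, not code from the thread or from Shorewall; it parses a sysctl.conf-style file and reads the matching entry under /proc/sys, and the PROC_SYS and CONF variables are assumptions added so the check can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: report whether the
# live value under /proc/sys matches what a sysctl.conf-style file requests, so
# a sysctl.conf applied late in boot that reverts what the firewall script set
# (net.ipv4.ip_forward=0 above) is caught as DRIFT instead of going unnoticed.
# Assumptions: PROC_SYS (default /proc/sys) and CONF (default /etc/sysctl.conf).

# Print the value CONF requests for KEY; sysctl -p applies lines in order, so
# the last assignment wins. Comments (# or ;) and spaces around '=' are ignored.
conf_value() {
    awk -v k="$2" '
        { sub(/[#;].*/, "") }
        /=/ { split($0, kv, "=")
              gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
              if (kv[1] == k) v = kv[2] }
        END { if (v != "") print v }' "$1"
}

# Print the live kernel value of KEY (dots map to path components).
live_value() {
    f="${PROC_SYS:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; fi
}

# One line per key: OK, DRIFT (conf and live differ) or UNSET (not in conf).
# Returns 1 only on DRIFT, so it can gate a post-boot check.
check_key() {
    want=$(conf_value "$1" "$2")
    have=$(live_value "$2")
    if [ -z "$want" ]; then
        echo "UNSET $2 live=$have"
    elif [ "$want" = "$have" ]; then
        echo "OK $2=$have"
    else
        echo "DRIFT $2 conf=$want live=$have"
        return 1
    fi
}

# Usage: sh sysctl-drift.sh net.ipv4.ip_forward net.netfilter.nf_conntrack_helper
rc=0
for key in "$@"; do
    check_key "${CONF:-/etc/sysctl.conf}" "$key" || rc=1
done
[ $# -eq 0 ] || exit "$rc"
```

Run it once the boot sequence has finished (for example from a late init hook) so that a DRIFT line shows which setting sysctl.conf overrode after the firewall script had already written it.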
