John Morris wrote:
Tried to send in traces and such the other day, but they were just too big and got rejected. Here's a description of the problem; should be enough without the traces.

We run CentOS 5 with an LDAP directory. Shorewall/iptables hung at the last line in the following listing:

    progress_message2 "Creating action chain Drop"
    run_iptables -A Drop -p tcp --dport 113 -j reject
    progress_message " Rule \"REJECT - - tcp 113 - - \" added."
    run_iptables -A Drop -p all -j dropBcast

A trace of the /sbin/iptables process revealed the iptables process doing an LDAP query; turned out to be searching for a protocols entry (files was listed first in nsswitch.conf; I didn't get as far as to see which protocol it was looking for, or if it was doing a getent for the whole table).

CentOS's authconfig script enables ldap for protocols by default in /etc/nsswitch.conf. Removing the 'ldap' from the mapping in nsswitch.conf stopped this query and everything worked again.

It seems that this command is being executed in a certain part of the shorewall script where network access is being blocked. We don't really care, since we don't put the protocols map in our LDAP directory, but I'm posting this as an FYI, perhaps for the next person.

One more thing I found: if shorewall stops in mid-flight at this point, the iptables rules are left in a state where the LDAP server is still inaccessible. Rerunning shorewall will hang again, even if the nsswitch.conf protocols ldap mapping is removed; to get shorewall running again, either the iptables rules must be cleared, or the passwd ldap mapping must be temporarily removed.
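The failure mode above is easy to catch before the firewall is restarted: check which nsswitch.conf databases that iptables may consult while rules are being loaded are backed by a remote directory. The following audit script is an added example, not code from the thread or from Shorewall; it runs against a constructed nsswitch.conf sample modelled on the authconfig defaults described above.

```shell
#!/bin/sh
# Added audit check, not part of the original thread. Reports nsswitch.conf
# databases that iptables/Shorewall may consult while building rules
# (protocols, services, hosts, networks) whose source list names a
# network-backed NSS module (ldap, nis, nisplus). Such a lookup can hang
# when the directory server is already cut off by partially loaded rules.

# Constructed sample modelled on a CentOS 5 authconfig-generated nsswitch.conf.
SAMPLE_NSSWITCH="/tmp/nsswitch.sample.$$"
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat >"$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
protocols:  files ldap
services:   files ldap
networks:   files
ethers:     files
EOF

# network_backed_dbs FILE: print "db module" for every firewall-relevant
# database whose source list includes a network-backed module.
network_backed_dbs() {
    awk '
        BEGIN {
            n = split("protocols services hosts networks", w, " ")
            for (i = 1; i <= n; i++) relevant[w[i]] = 1
            n = split("ldap nis nisplus", r, " ")
            for (i = 1; i <= n; i++) remote[r[i]] = 1
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            db = $1; sub(/:$/, "", db)
            if (!(db in relevant)) next
            for (i = 2; i <= NF; i++) {
                src = $i; sub(/\[.*/, "", src)   # ignore [NOTFOUND=return] tokens
                if (src in remote) print db, src
            }
        }' "$1"
}

# Stand-alone run: list findings; a real deployment would run this against
# /etc/nsswitch.conf before the firewall is (re)started.
if network_backed_dbs "$SAMPLE_NSSWITCH" | grep .; then
    echo "warning: firewall-time NSS lookups may go to a remote directory"
fi
```

On the sample it reports `protocols ldap` and `services ldap`, which are exactly the mappings to drop (or to cover with a routestopped entry for the LDAP server) before relying on the firewall.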
See Shorewall FAQ 62 and either

a) Beat yourself violently about the head for ever believing that LDAP authentication on a firewall was a good idea; or

b) List your LDAP server(s) IP address(es) in /etc/shorewall/routestopped with the 'critical' option and hope for the best.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
