I'd like to follow up on this thread so that if anyone later encounters this
difficulty, they can avoid going through a) below (though I performed that
step as a result of feelings of frustration rather than those of guilt).
Implementing b) and c) helped with *some* of the cases where shorewall
encountered nss_ldap-related timeouts, but there was still a last one left.
When shutting down a CentOS system with the EPEL Shorewall RPM, the network
is shut down before Shorewall. There is still a case where Shorewall
requires a passwd getent lookup in the "determine_capabilities" function in
/usr/share/shorewall/lib.base on this line:
qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
It's quite possible that my nss_ldap configuration is wrong, since uid 0 is
in the /etc/passwd file.
Anyway, disregarding that problem, if one generates the
/etc/shorewall/capabilities file with "shorewall show -f capabilities >
/etc/shorewall/capabilities", Shorewall reads this file instead of
performing the tests itself, and everything behaves well again.
John
On Thu, Mar 6, 2008 at 1:36 PM, Tom Eastep <[EMAIL PROTECTED]> wrote:
> Tom Eastep wrote:
>
> >
> > See Shorewall FAQ 62 and either
> >
> > a) Beat yourself violently about the head for ever believing that LDAP
> > authentication on a firewall was a good idea; or
> >
> > b) List your LDAP server(s) IP address(es) in
> > /etc/shorewall/routestopped with the 'critical' option and hope for the
> > best.
> >
>
> or
>
> c) Upgrade to Shorewall 4 and migrate to Shorewall-perl which doesn't have
> this problem.
>
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
>
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
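The two mitigations discussed in this thread, b) listing the LDAP server in /etc/shorewall/routestopped with the 'critical' option and the pre-generated /etc/shorewall/capabilities file, are both configuration that is easy to get subtly wrong and only fails at shutdown. The following POSIX shell script is an added example, not code from the thread or from the Shorewall project: it checks a routestopped file for a given LDAP server address carrying the 'critical' option, and checks that a capabilities file exists and contains NAME=Value lines so that determine_capabilities is not run. The file contents, paths and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): pre-shutdown sanity checks
# for the two workarounds discussed above. All sample data below is constructed.

# routestopped_has_critical FILE IP
# Returns 0 if IP is listed in the HOST(S) column of FILE with 'critical'
# among its OPTIONS, 1 otherwise. Columns: INTERFACE HOST(S) OPTIONS.
routestopped_has_critical() {
    file=$1; ip=$2
    # drop comment lines, then scan data lines with at least three columns
    grep -v '^[[:space:]]*#' "$file" | awk -v ip="$ip" '
        NF >= 3 {
            n = split($2, hosts, ",")          # HOST(S) may be a comma list
            for (i = 1; i <= n; i++)
                if (hosts[i] == ip && $3 ~ /(^|,)critical(,|$)/)
                    found = 1
        }
        END { exit found ? 0 : 1 }'
}

# capabilities_file_ok FILE
# Returns 0 if FILE is non-empty and holds at least one NAME=Value line,
# which is the shape "shorewall show -f capabilities" writes.
capabilities_file_ok() {
    [ -s "$1" ] && grep -q '^[A-Z_][A-Z0-9_]*=' "$1"
}

# --- constructed sample configuration (hypothetical paths and addresses) ---
tmp=${TMPDIR:-/tmp}/shorewall-example.$$
mkdir -p "$tmp"
cat > "$tmp/routestopped" <<'EOF'
#INTERFACE   HOST(S)                  OPTIONS
eth0         192.0.2.10               critical
eth0         192.0.2.20,192.0.2.21    routeback,critical
eth1         198.51.100.5
EOF
printf 'OWNER_MATCH=Yes\nNAT_ENABLED=Yes\n' > "$tmp/capabilities"

# Stand-alone report: the LDAP server address is assumed to be 192.0.2.10.
ldap_server=192.0.2.10
if routestopped_has_critical "$tmp/routestopped" "$ldap_server"; then
    echo "ok: $ldap_server is in routestopped with 'critical'"
else
    echo "WARNING: $ldap_server not listed as critical in routestopped"
fi
if capabilities_file_ok "$tmp/capabilities"; then
    echo "ok: capabilities file present, determine_capabilities will be skipped"
else
    echo "WARNING: no usable capabilities file; shorewall will probe at shutdown"
fi
```

Run it against the real files by pointing the two functions at /etc/shorewall/routestopped and /etc/shorewall/capabilities instead of the constructed ones; a warning from either check means the nss_ldap timeout path described in the thread is still reachable at shutdown.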