On 9/11/10 4:31 PM, Brian J. Murrell wrote:
>
> But following along with http://www.shorewall.net/MultiISP.html#lsm I
> wonder if some of this could not be automated/integrated more directly
> with shorewall. I'm looking at /etc/shorewall/lib.private in
> particular. Apart from the "checkip" value, this looks very generatable
> by shorewall's compiler, and the "checkip" value could easily be plugged
> into a shorewall configuration file, methinks.
>
> Thots?

Not going to happen.

- I came up with the scheme in the Multi-ISP Doc primarily because the
  init script which comes with LSM doesn't work on Debian. People running
  RedHat-related distros typically have init start LSM. I know of at
  least one user that has LSM start Shorewall at boot.

- The sample generates the entire stanza for each interface, but
  'checkip' is the only parameter that can reasonably be guessed by
  Shorewall. And it's not the compiler that has to do the guessing -- in
  most cases, the compiler doesn't have a clue about the interface so
  this guessing has to be done at runtime.

- There are some parameters, 'ttl' for example, that can't be guessed
  without a lot of time-consuming probing. When I ran LSM, I had one
  interface where the default gateway was proxy arp'ed and I had to use
  ttl = 2!

- Even 'checkip' isn't totally foolproof; suppose you want to use an
  address other than the default gateway? Soon I would have the entire
  LSM configuration embedded in the Shorewall's config so that
  Shorewall's guesses could be overridden.

- If I automate the entire Shorewall interaction with LSM, then *I* get
  to do all LSM support on Shorewall systems. I'm not signing up to do
  that.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
