On 2013-05-05 13:57:10 +0000, cac...@quantum-sci.com said:

> Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
> It was like this for a couple of weeks. I found the reason was I'd
> removed 'tor' from the services file and so Shorewall failed to start.
> I've removed tor from the rules file now, and of course it works.
>
> But routestopped has only eth0, which is not connected. (wlan0 is) The
> policy file seems to have everything DENYed.
>
> So I don't understand how this could have happened?
Startup behavior with Shorewall can be a bit tricky. If you happen to run xUbuntu, you need to know that Upstart can't guarantee that a 'shorewall stop' command is issued (and locks down the firewall to routestopped) before the network is brought up.

None of that matters, as you have discovered, with an invalid Shorewall configuration. While I haven't tested this, it's likely that this also applies to running 'shorewall stop' to lock the firewall to the routestopped config.

As I recall, Shorewall checks its configuration, and will not change *anything* without a valid config. This applies for both adding and removing of rules, policies, and so on.

It appears likely you had an invalid config (as stated in your first paragraph), and had rebooted the machine. I'm willing to bet you didn't notice the message that shorewall didn't start - either because you weren't watching, or because a boot splash hid the message.

It doesn't matter what your policy, rules, or anything else is configured. As I recall, if your configuration isn't valid, shorewall won't apply any of it. The default boot state for the Linux kernel allows any network connection. It's likely it is also the state shorewall will leave you with if your configuration is not valid.

'shorewall check' is very useful; ALWAYS run it after modifying your shorewall config.

--
Troy Telford

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
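A check for the failure mode described in this thread (an invalid config leaving the kernel's default ACCEPT policies in place with no rules loaded), added here as an example and not part of the original thread. It assumes the `shorewall check`, `shorewall restart` and `iptables -S` commands exist on the host; the two chain listings are constructed samples.

```shell
#!/bin/sh
# Detect the "firewall silently not loaded" state: the built-in filter
# chains sitting at the kernel default of policy ACCEPT.

# Constructed sample of `iptables -S` output on a host where Shorewall
# never started (this is what the kernel boot default looks like).
SAMPLE_UNPROTECTED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample on a host where a DROP policy was applied.
SAMPLE_PROTECTED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N net2fw
-A INPUT -i wlan0 -j net2fw'

# check_policies LISTING
# Returns 0 if INPUT and FORWARD both have a non-ACCEPT policy,
# 1 (naming the offending chains on stderr) if any is at the default.
check_policies() {
    bad=""
    for chain in INPUT FORWARD; do
        policy=$(printf '%s\n' "$1" | awk -v c="$chain" '$1=="-P" && $2==c {print $3}')
        [ "$policy" = "ACCEPT" ] && bad="$bad $chain"
    done
    if [ -n "$bad" ]; then
        echo "WARNING: chains at default ACCEPT policy:$bad" >&2
        return 1
    fi
    return 0
}

# safe_restart: validate first, as the reply recommends, and only then
# restart; afterwards confirm the live ruleset is not the kernel default.
# Not run at load time; call it on a real host.
safe_restart() {
    shorewall check || { echo "config invalid; not restarting" >&2; return 1; }
    shorewall restart || return 1
    check_policies "$(iptables -S)"
}
```

Hook `check_policies "$(iptables -S)"` into a cron job or monitoring check so a firewall that failed to start at boot is noticed within minutes rather than weeks.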