I'm (still) trying to troubleshoot SW + interface behavior on boot/startup.  
The boot process reports failures on interface checks, which resolve 
'automagically' after boot's completed.

Looking at my system's boot log

        journalctl -xb | awk '/vpn/ || /shorewall/ || ((/ifup/ || /ifdown/ || /service/) && (/eth0/ || /tun1/))'

                Sep 24 08:02:07 fw shorewall-init[935]: Initializing "Shorewall-based firewalls": Stopping Shorewall Lite....
                Sep 24 08:02:08 fw shorewall-init[935]: done.
                Sep 24 08:02:08 fw shorewall-init[935]: Stopping Shorewall6 Lite....
                Sep 24 08:02:08 fw shorewall-init[935]: done.

... shorewall-init has done its thing,


                Sep 24 08:02:09 fw systemd[1]: Starting ifup managed network interface eth0...
                -- Subject: Unit [email protected] has begun with start-up
                -- Unit [email protected] has begun starting up.
                Sep 24 08:02:10 fw ifup[1682]: eth0      device: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
                Sep 24 08:02:26 fw systemd[1]: Started ifup managed network interface eth0.
                -- Subject: Unit [email protected] has finished start-up
                -- Unit [email protected] has finished starting up.

... the external interface, eth0, is up,

                Sep 24 08:02:58 fw systemd[1]: Starting ifup managed network interface tun1...
                -- Subject: Unit [email protected] has begun with start-up
                -- Unit [email protected] has begun starting up.
                Sep 24 08:02:58 fw ifup[3146]: tun1
                Sep 24 08:02:58 fw ifup[3213]: tun1
                Sep 24 08:02:58 fw ifup[3146]: tun1      Set 'tun1' persistent and owned by uid 499 gid 499

... the vpn tunnel interface, tun1, is up,

                -- Subject: Unit openvpn.service has begun with start-up
                -- Unit openvpn.service has begun starting up.
                -- Subject: Unit openvpn.service has finished start-up
                -- Unit openvpn.service has finished starting up.

... the openvpn.service is up,

next, shorewall-lite starts

                Sep 24 08:03:13 fw systemd[1]: Starting shorewall-lite...
                -- Subject: Unit shorewall-lite.service has begun with start-up
                -- Unit shorewall-lite.service has begun starting up.
                Sep 24 08:03:13 fw shorewall-lite[3450]: Starting Shorewall Lite....

... but fails to ping the 1st provider's interface, eth0,

                Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0
                Sep 24 08:03:14 fw shorewall-lite[3450]: Initializing...
                Sep 24 08:03:15 fw shorewall-lite[3450]: Processing init user exit ...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Processing tcclear user exit ...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Route Filtering...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Martian Logging...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Accept Source Routing...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Proxy ARP...
                Sep 24 08:03:16 fw shorewall-lite[3450]: Adding Providers...
                Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
                Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started
                Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: No Default route added (all 'balance' providers are down)
                Sep 24 08:03:17 fw shorewall-lite[3450]: NOTICE: Default route restored
                Sep 24 08:03:17 fw shorewall-lite[3450]: Preparing iptables-restore input...
                Sep 24 08:03:17 fw shorewall-lite[3450]: Running /usr/sbin/iptables-restore...
                Sep 24 08:03:17 fw shorewall-lite[3450]: IPv4 Forwarding Enabled
                Sep 24 08:03:17 fw shorewall-lite[3450]: Processing start user exit ...
                Sep 24 08:03:17 fw shorewall-lite[3450]: Processing started user exit ...
                Sep 24 08:03:17 fw shorewall-lite[3450]: done.
                -- Subject: Unit shorewall-lite.target has begun with start-up
                -- Unit shorewall-lite.target has begun starting up.

... shorewall-lite never announces that it "has finished starting up."

Shorewall6-lite begins startup,

                Sep 24 08:03:17 fw systemd[1]: Starting shorewall6-lite...
                -- Subject: Unit shorewall6-lite.service has begun with start-up
                -- Unit shorewall6-lite.service has begun starting up.
                Sep 24 08:03:17 fw shorewall6-lite[3819]: Starting Shorewall6 Lite....
                Sep 24 08:03:17 fw shorewall6-lite[3819]: Initializing...
                Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing init user exit ...
                Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing tcclear user exit ...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up Proxy NDP...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Preparing ip6tables-restore input...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Running /usr/sbin/ip6tables-restore...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: IPv6 Forwarding Enabled
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up IPv6 Interface Forwarding...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing start user exit ...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing started user exit ...
                Sep 24 08:03:18 fw shorewall6-lite[3819]: done.
                -- Subject: Unit shorewall6-lite.target has begun with start-up
                -- Unit shorewall6-lite.target has begun starting up.
                -- Subject: Unit shorewall6-lite.target has finished start-up
                -- Unit shorewall6-lite.target has finished starting up.

and finishes successfully.

But, immediately AFTER boot's complete, at shell, both ping to the 'net via 
eth0,

        ping 8.8.8.8 -c1
                PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
                64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=61.6 ms
                
                --- 8.8.8.8 ping statistics ---
                1 packets transmitted, 1 received, 0% packet loss, time 0ms
                rtt min/avg/max/mdev = 61.663/61.663/61.663/0.000 ms

and ping to the other side of the vpn, via tun1,

        ping 192.168.0.10 -c1
                PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
                64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=45.8 ms
                
                --- 192.168.0.10 ping statistics ---
                1 packets transmitted, 1 received, 0% packet loss, time 0ms
                rtt min/avg/max/mdev = 45.833/45.833/45.833/0.000 ms

work correctly, and SW status shows,

        shorewall-lite status
                Shorewall Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:25 PDT 2014

                Shorewall Lite is running
                State:Started (Wed Sep 24 08:03:17 PDT 2014) from /usr/local/etc/shorewall/IPv4/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.3.4)

        shorewall6-lite status
                Shorewall6 Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:43 PDT 2014

                Shorewall6 Lite is running
                State:Started (Wed Sep 24 08:03:18 PDT 2014) from /usr/local/etc/shorewall/IPv6/ (/var/lib/shorewall6-lite/firewall compiled by Shorewall version 4.6.3.4)

that both SW4 & SW6 are up & running.

The progress/state DURING boot, and AFTER boot are not consistent.  I do not 
understand why the interfaces are up, SW seems to fail, then ends up working 
anyway.

What do I check to find/fix the SW startup fail on interfaces DURING boot?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
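
A way to line up the boot log quoted in the post above: this is an added example, not part of the original message and not Shorewall code. It reports, for each interface shorewall-lite flagged as "not usable", when systemd logged the matching ifup unit as "Started" and how many seconds separate the two events. The function names `sample_log` and `iface_timeline` are hypothetical; the sample lines are copied from the post's log and assume all timestamps fall on the same day.

```shell
#!/bin/sh
# Constructed sample: lines copied (unwrapped) from the boot log in the post.
sample_log() {
cat <<'EOF'
Sep 24 08:02:09 fw systemd[1]: Starting ifup managed network interface eth0...
Sep 24 08:02:26 fw systemd[1]: Started ifup managed network interface eth0.
Sep 24 08:02:58 fw systemd[1]: Starting ifup managed network interface tun1...
Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0
Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started
EOF
}

# Reads journal lines on stdin; prints one line per flagged interface:
#   <iface> ifup_started=<HH:MM:SS|never> flagged=<HH:MM:SS> gap=<seconds|n/a>
iface_timeline() {
    awk '
    # Convert HH:MM:SS to seconds since midnight (same-day assumption).
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # systemd reports the ifup unit as fully started; strip the trailing dot.
    /systemd\[1\]: Started ifup managed network interface / {
        ifc = $NF; sub(/\.$/, "", ifc); started[ifc] = $3
    }
    # Shorewall provider check failed; the name follows the word "Interface".
    /WARNING: Interface .* is not usable/ {
        for (i = 1; i <= NF; i++) if ($i == "Interface") { ifc = $(i+1); break }
        if (!(ifc in flagged)) { flagged[ifc] = $3; order[++n] = ifc }
    }
    END {
        for (k = 1; k <= n; k++) {
            ifc = order[k]
            if (ifc in started)
                printf "%s ifup_started=%s flagged=%s gap=%d\n", ifc,
                       started[ifc], flagged[ifc],
                       secs(flagged[ifc]) - secs(started[ifc])
            else
                printf "%s ifup_started=never flagged=%s gap=n/a\n", ifc, flagged[ifc]
        }
    }'
}

sample_log | iface_timeline
```

On a live system the same function can be fed with `journalctl -b | iface_timeline`. An `ifup_started=never` result means the log contains no "Started" line for that interface's ifup unit before Shorewall ran its check.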