On Wed, Sep 24, 2014, at 12:21 PM, Tom Eastep wrote:
> man shorewall-interfaces and look at the 'wait' option.
modifying
/interfaces
- vpn1 VPN_IF optional,...
+ vpn1 VPN_IF optional,wait=60,...
after reboot, @ shell
shorewall-lite status -i
Interface eth0 is Enabled
Interface tun1 is Enabled
!!
checking boot logs
journalctl -xb | awk '/vpn/ || /shorewall/ || ((/ifup/ || /ifdown/ || /service/) && (/eth0/ || /tun1/))'
...
-- Unit [email protected] has finished starting up.
Sep 24 15:16:59 fw ifup[3105]: tun1
Sep 24 15:16:59 fw ifup[3172]: tun1
Sep 24 15:16:59 fw ifup[3105]: tun1 Set 'tun1' persistent and owned by uid 499 gid 499
Sep 24 15:17:11 fw systemd[1]: Started ifup managed network interface tun1.
-- Subject: Unit [email protected] has finished start-up
-- Unit [email protected] has finished starting up.
-- Subject: Unit openvpn.service has begun with start-up
-- Unit openvpn.service has begun starting up.
-- Subject: Unit openvpn.service has finished start-up
-- Unit openvpn.service has finished starting up.
Sep 24 15:17:13 fw systemd[1]: Starting shorewall-lite...
-- Subject: Unit shorewall-lite.service has begun with start-up
-- Unit shorewall-lite.service has begun starting up.
Sep 24 15:17:14 fw shorewall-lite[3409]: Starting Shorewall Lite....
Sep 24 15:17:16 fw sudo[3489]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip link set dev tun1 up mtu 1500
Sep 24 15:17:16 fw sudo[3502]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip addr add dev tun1 10.0.0.2/24 broadcast 10.0.0.255
Sep 24 15:17:16 fw sudo[3506]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip route add 10.200.0.0/24 via 10.0.0.1
Sep 24 15:17:18 fw shorewall-lite[3409]: OK ping @ INTFC=tun1 <==========================
Sep 24 15:17:19 fw shorewall-lite[3409]: OK ping @ INTFC=eth0
Sep 24 15:17:20 fw shorewall-lite[3409]: OK ping @ INTFC=tun1 <==========================
Sep 24 15:17:20 fw shorewall-lite[3409]: Initializing...
Sep 24 15:17:21 fw shorewall-lite[3409]: Processing init user exit ...
Sep 24 15:17:22 fw shorewall-lite[3409]: Processing tcclear user exit ...
Sep 24 15:17:22 fw shorewall-lite[3409]: Setting up Route Filtering...
...
interface PINGs for both eth0 & tun1 are successful.
Note that I get a DOUBLE test for tun1. Why?
The shorewall-lite's systemd unit's
After=network-online.target
Wants=network-online.target
dependency mgmt is supposed to work, providing delay until ALL interfaces are
up. Question is -- why doesn't it, in the specific case of SW?
Wondering out loud -- could this be an instance where systemd's After=/What=
dependency mgmt is not fully reliable for sequence ordering, and socket-based
activation (http://0pointer.net/blog/projects/socket-activation.html)
should be used by network, openvpn &/or SW services ?
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
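
Added example, not part of the original message: a Python check over journal lines of the shape quoted above, reporting which interfaces got their address only after systemd began starting a service, and how long that service then took to reach "Initializing...". The sample lines are constructed from the excerpt; the function names and the `year` parameter are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the journal excerpt above (wrapped lines rejoined).
SAMPLE = """\
Sep 24 15:16:59 fw ifup[3105]: tun1 Set 'tun1' persistent and owned by uid 499 gid 499
Sep 24 15:17:11 fw systemd[1]: Started ifup managed network interface tun1.
Sep 24 15:17:13 fw systemd[1]: Starting shorewall-lite...
Sep 24 15:17:16 fw sudo[3502]: root : TTY=unknown ; PWD=/usr/local/etc/openvpn ; USER=root ; COMMAND=/sbin/ip addr add dev tun1 10.0.0.2/24 broadcast 10.0.0.255
Sep 24 15:17:18 fw shorewall-lite[3409]: OK ping @ INTFC=tun1
Sep 24 15:17:20 fw shorewall-lite[3409]: Initializing...
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")
START = re.compile(r"Starting (\S+?)\.\.\.")
ADDR = re.compile(r"COMMAND=\S*ip addr add dev (\S+) ")

def events(text, year=2014):
    """Yield (time, tag, message); journal catalog lines ('-- Subject:') are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            # Syslog timestamps carry no year, so one is supplied (assumption).
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3)

def late_interfaces(text, service, year=2014):
    """Map interface -> seconds after 'Starting <service>...' that its address was added."""
    started, late = None, {}
    for when, tag, msg in events(text, year):
        s = START.search(msg)
        if tag == "systemd" and s and s.group(1) == service:
            started = when
        a = ADDR.search(msg)
        if a and started is not None:
            late.setdefault(a.group(1), (when - started).total_seconds())
    return late

def init_delay(text, service, year=2014):
    """Seconds between systemd starting the service and its own 'Initializing...' line."""
    started = None
    for when, tag, msg in events(text, year):
        s = START.search(msg)
        if tag == "systemd" and s and s.group(1) == service:
            started = when
        elif tag == service and msg.startswith("Initializing") and started:
            return (when - started).total_seconds()
    return None

if __name__ == "__main__":
    print(late_interfaces(SAMPLE, "shorewall-lite"), init_delay(SAMPLE, "shorewall-lite"))
```
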