Hi Tom,

As reported yesterday to shorewall-devel [1], upgrading from previous versions to shorewall-4.6.4 requires *two* restarts. That's not a good experience:
> # shorewall status
> Shorewall-4.6.4 Status at gentoo-x64 - Fri Oct 10 23:30:16 CEST 2014
>
> Shorewall is running
> State:Started (Fri Oct 10 15:19:14 CEST 2014) from /etc/shorewall/
> (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.3.4)
>
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/blrules...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Currently-running Configuration Saved to /var/lib/shorewall/.safe
> Usage: /var/lib/shorewall/firewall [ options ] <command>
>
> <command> is one of:
>    start
>    stop
>    clear
>    disable <interface>
>    down <interface>
>    enable <interface>
>    reset
>    refresh
>    restart
>    run <command> [ <parameter> ... ]
>    status
>    up <interface>
>    version
>
> Options are:
>
>    -v and -q        Standard Shorewall verbosity controls
>    -n               Don't update routing configuration
>    -p               Purge Conntrack Table
>    -t               Timestamp progress Messages
>    -V <verbosity>   Set verbosity explicitly
>    -R <file>        Override RESTOREFILE setting
> Restarting...
> Restarting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up log backend
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Disabled!
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> Do you want to accept the new firewall configuration? [y/n] n
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> IPv4 Forwarding Disabled!
> Processing /etc/shorewall/restored ...
> done.
> New configuration has been rejected and the old one restored
>
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/blrules...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Currently-running Configuration Saved to /var/lib/shorewall/.safe
> Restarting...
> Restarting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up log backend
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Disabled!
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> Do you want to accept the new firewall configuration? [y/n] y
> New configuration has been accepted

Same with shorewall6.

See also:
=========
[1] http://thread.gmane.org/gmane.comp.security.shorewall.devel/4115

-Thomas
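An added check, not part of this report or of Shorewall itself: it parses `shorewall status` output of the form quoted above and flags when the running firewall script was compiled by an older Shorewall than the installed one, i.e. the mismatch visible in the status block before the first restart. The sample status text is constructed from the report; the regexes assume the two version strings appear exactly as in that output.

```python
import re

# Constructed sample, modelled on the `shorewall status` output quoted in the report.
SAMPLE_STATUS = """Shorewall-4.6.4 Status at gentoo-x64 - Fri Oct 10 23:30:16 CEST 2014

Shorewall is running
State:Started (Fri Oct 10 15:19:14 CEST 2014) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 4.6.3.4)
"""

# "Shorewall-4.6.4 Status at ..." names the installed package version.
INSTALLED_RE = re.compile(r"^Shorewall-(\d+(?:\.\d+)*) Status", re.M)
# "(... compiled by Shorewall version 4.6.3.4)" names the compiler that built the running script.
COMPILED_RE = re.compile(r"compiled by Shorewall version (\d+(?:\.\d+)*)\)")


def version_tuple(text):
    """Turn '4.6.3.4' into (4, 6, 3, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_status(text):
    """Return (installed_version, compiled_version) as tuples, or None if either is absent
    (e.g. the firewall is stopped and no compiled script line is printed)."""
    installed = INSTALLED_RE.search(text)
    compiled = COMPILED_RE.search(text)
    if not installed or not compiled:
        return None
    return version_tuple(installed.group(1)), version_tuple(compiled.group(1))


def compiled_script_is_stale(text):
    """True when the running /var/lib/shorewall/firewall script predates the installed
    Shorewall, meaning a restart is still pending; None when that cannot be determined."""
    parsed = parse_status(text)
    if parsed is None:
        return None
    installed, compiled = parsed
    return compiled < installed


if __name__ == "__main__":
    # Feed it the real thing with: shorewall status | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print("stale compiled script:", compiled_script_is_stale(data))
```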
