Finally got around to checking this out. systemctl is-enabled reported enabled for shorewall but not for shorewall-init. So I enabled it for shorewall-init, and when it still didn't start on boot I reenabled both, but still with no improvement. There's no sign (that I can see) of it failing on boot - it just doesn't seem to run.
So I'm at a loss as to why shorewall still doesn't start. The only other thing I found is that the SMART data on the system disk (an SSD) is showing a high rate of ECC errors. This could be causing some disk reads to take a lot longer than others. Timing shouldn't have any effect on a well written initialisation script, though I'm aware that creating a "well written script" is easier said than done.

I'll append the output from a manual shorewall start.

Regards - Philip

PiWall ~ # shorewall start
Compiling using Shorewall 5.0.4...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Interface "schl eno1 tcpflags,nosmurfs,logmartians,sourceroute=0" Validated
Interface "pinet enp2s0 tcpflags,nosmurfs,routefilter,logmartians" Validated
Interface "inet ppp0 tcpflags,nosmurfs,logmartians,sourceroute=0,optional" Validated
Determining Hosts in Zones...
fw (firewall)
schl (ipv4)
eno1:0.0.0.0/0
pinet (ipv4)
enp2s0:0.0.0.0/0
inet (ipv4)
ppp0:0.0.0.0/0
Locating Action Files...
Compiling /etc/shorewall/policy...
Policy for pinet to schl is DROP using chain pinet-schl
Policy for pinet to inet is DROP using chain pinet-inet
Policy for schl to fw is DROP using chain schl-all
Policy for schl to pinet is DROP using chain schl-all
Policy for schl to inet is DROP using chain schl-all
Policy for inet to fw is DROP using chain inet-all
Policy for inet to schl is DROP using chain inet-all
Policy for inet to pinet is DROP using chain inet-all
Policy for fw to schl is REJECT using chain all-all
Policy for fw to pinet is REJECT using chain all-all
Policy for fw to inet is REJECT using chain all-all
Policy for schl to fw is REJECT using chain all-all
Policy for schl to pinet is REJECT using chain all-all
Policy for schl to inet is REJECT using chain all-all
Policy for pinet to fw is REJECT using chain all-all
Policy for pinet to schl is REJECT using chain all-all
Policy for pinet to inet is REJECT using chain all-all
Policy for inet to fw is REJECT using chain all-all
Policy for inet to schl is REJECT using chain all-all
Policy for inet to pinet is REJECT using chain all-all
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/providers...
Provider "raw 1 1 - ppp0 - fallback" Compiled
Provider "school 2 - - eno1 172.16.135.254 primary" Compiled
Compiling /etc/shorewall/rtrules...
Routing rule "enp2s0 - raw 11000 1" Compiled
Routing rule "lo - raw 11000 1" Compiled
Compiling /etc/shorewall/mangle...
Mangle Rule "MARK(1) enp2s0 - udp 33434:33523 - - -" 0
Mangle Rule "MARK(1) enp2s0 - 253 - - - -" 0
Mangle Rule "MARK(1) fw - udp 33434:33523 - - -" 0
Mangle Rule "MARK(1) fw - 253 - - - -" 0
Compiling /etc/shorewall/masq...
Masq record "eno1 192.168.1.0/24 172.16.135.160" 0
Masq record "ppp0 192.168.1.0/24 detect" 0
Compiling MAC Filtration -- Phase 1...
Chain eno1_iop deleted
Chain eno1_fop deleted
Chain enp2s0_iop deleted
Chain enp2s0_fop deleted
Chain ppp0_iop deleted
Chain ppp0_fop deleted
Compiling /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.Web...
Rule "PARAM - - tcp 80" 0
Rule "PARAM - - tcp 443" 0
..End Macro /usr/share/shorewall/macro.Web
Rule "Web(ACCEPT) pinet schl" 0
Rule "ACCEPT pinet schl udp ntp" 0
Rule "DNAT pinet schl:172.16.133.248 udp 53 - 192.168.1.254" 0
Rule "DNAT pinet schl:172.16.133.248 tcp 53 - 192.168.1.254" 0
..Expanding Macro /usr/share/shorewall/macro.SMBBI...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
Rule "PARAM DEST SOURCE udp 135,445" 0
Rule " PARAM DEST SOURCE udp 137:139" 0
Rule "PARAM DEST SOURCE udp 1024: 137" 0
Rule "PARAM DEST SOURCE tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMBBI
Rule "SMBBI(ACCEPT) pinet fw" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) pinet fw" 0
Rule "ACCEPT pinet inet udp 33434:33523" 0
Rule "ACCEPT pinet inet 253" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.1 - - - 172.16.135.129" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.2 - - - 172.16.135.130" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.3 - - - 172.16.135.131" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.4 - - - 172.16.135.132" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.5 - - - 172.16.135.133" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.6 - - - 172.16.135.134" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.7 - - - 172.16.135.135" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.8 - - - 172.16.135.136" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.9 - - - 172.16.135.137" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.10 - - - 172.16.135.138" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.11 - - - 172.16.135.139" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.12 - - - 172.16.135.140" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.13 - - - 172.16.135.141" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.14 - - - 172.16.135.142" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.15 - - - 172.16.135.143" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.16 - - - 172.16.135.144" 0
Rule "ACCEPT schl fw tcp ssh" 0
Rule "ACCEPT schl fw tcp http" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) schl fw" 0
..Expanding Macro /usr/share/shorewall/macro.Web...
Rule "PARAM - - tcp 80" 0
Rule "PARAM - - tcp 443" 0
..End Macro /usr/share/shorewall/macro.Web
Rule "Web(ACCEPT) fw schl" 0
Rule "ACCEPT fw schl udp domain" 0
Rule "ACCEPT fw schl tcp domain" 0
Rule "ACCEPT fw schl udp ntp" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) fw schl" 0
Rule "ACCEPT fw pinet" 0
Rule "ACCEPT fw inet udp 33434:33523" 0
Rule "ACCEPT fw inet 253" 0
Compiling /etc/shorewall/conntrack...
Conntrack rule "CT:helper:amanda:PO - - udp 10080" 0
Conntrack rule "CT:helper:amanda:PO - - udp 10080" 0
Conntrack rule "CT:helper:ftp:PO - - tcp 21" 0
Conntrack rule "CT:helper:ftp:PO - - tcp 21" 0
Conntrack rule "CT:helper:RAS:PO - - udp 1719" 0
Conntrack rule "CT:helper:RAS:PO - - udp 1719" 0
Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" 0
Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" 0
Conntrack rule "CT:helper:irc:PO - - tcp 6667" 0
Conntrack rule "CT:helper:irc:PO - - tcp 6667" 0
Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" 0
Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" 0
Conntrack rule "CT:helper:pptp:PO - - tcp 1723" 0
Conntrack rule "CT:helper:pptp:PO - - tcp 1723" 0
Conntrack rule "CT:helper:sane:PO - - tcp 6566" 0
Conntrack rule "CT:helper:sane:PO - - tcp 6566" 0
Conntrack rule "CT:helper:sip:PO - - udp 5060" 0
Conntrack rule "CT:helper:sip:PO - - udp 5060" 0
Conntrack rule "CT:helper:snmp:PO - - udp 161" 0
Conntrack rule "CT:helper:snmp:PO - - udp 161" 0
Conntrack rule "CT:helper:tftp:PO - - udp 69" 0
Conntrack rule "CT:helper:tftp:PO - - udp 69" 0
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" 0
Rule "PARAM - - icmp time-exceeded" 0
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding inline action /usr/share/shorewall/action.Invalid...
..End inline action /usr/share/shorewall/action.Invalid
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" 0
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding inline action /usr/share/shorewall/action.NotSyn...
..End inline action /usr/share/shorewall/action.NotSyn
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" 0
..End Macro /usr/share/shorewall/macro.DropDNSrep
Policy REJECT from fw to schl using chain fw-schl
Policy REJECT from fw to pinet using chain fw-pinet
Policy REJECT from fw to inet using chain fw-inet
Compiling /usr/share/shorewall/action.Drop for chain Drop...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" 0
Rule "PARAM - - icmp time-exceeded" 0
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding inline action /usr/share/shorewall/action.Invalid...
..End inline action /usr/share/shorewall/action.Invalid
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" 0
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding inline action /usr/share/shorewall/action.NotSyn...
..End inline action /usr/share/shorewall/action.NotSyn
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" 0
..End Macro /usr/share/shorewall/macro.DropDNSrep
Policy DROP from schl to fw using chain schl-fw
Policy DROP from schl to pinet using chain schl-pinet
Policy DROP from schl to inet using chain schl-inet
Policy REJECT from pinet to fw using chain pinet-fw
Policy DROP from pinet to schl using chain pinet-schl
Policy DROP from pinet to inet using chain pinet-inet
Policy DROP from inet to fw using chain inet-fw
Policy DROP from inet to schl using chain inet-schl
Policy DROP from inet to pinet using chain inet-pinet
Generating Rule Matrix...
Handling complex zones...
Entering main matrix-generation loop...
Chain eno1_in deleted
Chain eno1_fwd deleted
Chain enp2s0_in deleted
Chain enp2s0_fwd deleted
Chain ppp0_in deleted
Chain ppp0_fwd deleted
Finishing matrix...
Optimizing Ruleset...
Table raw pass 1, 2 referenced chains, level 4a...
Table raw pass 2, 2 referenced chains, level 4b...
Table raw pass 2, 0 referenced user chains, level 8...
Table raw pass 3, 2 referenced user chains, level 16...
Table raw Optimized -- Passes =
Table nat pass 1, 7 referenced chains, level 4a...
1 references to chain eno1_masq replaced
Chain eno1_masq deleted
Table nat pass 2, 6 referenced chains, level 4a...
Table nat pass 3, 6 referenced chains, level 4a...
Table nat pass 4, 6 referenced chains, level 4b...
Table nat pass 5, 1 short chains, level 4b...
Table nat pass 5, 3 referenced user chains, level 8...
Table nat pass 6, 6 referenced user chains, level 16...
Table nat Optimized -- Passes =
Table mangle pass 1, 11 referenced chains, level 4a...
Chain tcin deleted
Chain tcpost deleted
Empty chain tcfor deleted
Table mangle pass 2, 8 referenced chains, level 4a...
Table mangle pass 3, 8 referenced chains, level 4b...
Table mangle pass 4, 3 short chains, level 4b...
Table mangle pass 4, 3 referenced user chains, level 8...
Table mangle pass 5, 8 referenced user chains, level 16...
Table mangle Optimized -- Passes =
Table filter pass 1, 30 referenced chains, level 4a...
5 ACCEPT rules deleted from chain fw-pinet
Table filter pass 2, 30 referenced chains, level 4a...
1 references to chain fw-pinet replaced
Chain fw-pinet deleted
Table filter pass 3, 29 referenced chains, level 4a...
Table filter pass 4, 29 referenced chains, level 4b...
Table filter pass 5, 4 short chains, level 4b...
Table filter pass 5, 26 referenced user chains, level 8...
Chain inet-schl combined with inet-pinet
1 references to chain inet-schl replaced
Chain inet-schl deleted
Chain inet-pinet renamed to ~comb0
Table filter pass 6, 25 referenced user chains, level 8...
Table filter pass 7, 28 referenced user chains, level 16...
Table filter Optimized -- Passes =
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Configuration uses these capabilities ('*' denotes required):
ADDRTYPE AMANDA_HELPER* COMMENTS CONNMARK* CONNMARK_MATCH* CONNTRACK_MATCH CT_TARGET ENHANCED_REJECT EXMARK FTP_HELPER* FWMARK_RT_MASK GOTO_TARGET H323_HELPER* IPTABLES_S IRC_HELPER* LOG_TARGET* MANGLE_ENABLED MANGLE_FORWARD MARK MULTIPORT* NAT_ENABLED NETBIOS_NS_HELPER NEW_CONNTRACK_MATCH PPTP_HELPER* RAW_TABLE RECENT_MATCH SANE_HELPER* SIP_HELPER* SNMP_HELPER* TCPMSS_TARGET* TFTP_HELPER* WAIT_OPTION XMULTIPORT*
Starting Shorewall....
Device "ppp0" does not exist.
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up log backend
Log Backend set to nf_log_ipv4
Disabling Kernel Automatic Helper Association
Shorewall-generated routing tables and routing rules removed
Adding Providers...
WARNING: Interface ppp0 is not usable -- Provider raw (1) not Started
Provider school (2) Started
Default route 'nexthop via 172.16.135.254 dev eno1 weight 1' Added
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
IPv4 Forwarding Enabled
done.

On 25/01/2017 21:22, Philip Le Riche wrote:
> Thanks Matt and Roberto - I'll try the systemctl commands next time I go
> into school (not until next week now). And it looks like I somehow
> didn't install shorewall-init at home - not sure why.
>
> Regards - Philip
>
> On 25/01/2017 17:30, Matt Darfeuille wrote:
>> On 1/25/2017 6:06 PM, Philip Le Riche wrote:
>>> I've checked that STARTUP_ENABLED=Yes is still in my shorewall.conf, and
>>> though I'm not familiar with systemd, I've checked that
>>> shorewall.service in /lib/systemd/system is the same between home and
>>> school setups. However, at school I also seem to have a
>>> shorewall-init.service, not present at home (where Shorewall starts as
>>> it should).
>> See for shorewall-init.service:
>> http://shorewall.org/Shorewall-init.html
>> http://shorewall.org/manpages/shorewall-init.html
>>
>> -Matt
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users