On 1/24/2018 7:09 PM, Tom Eastep wrote:
> On 01/24/2018 07:52 AM, Matt Darfeuille wrote:
>> On 1/24/2018 1:32 PM, Matt Darfeuille wrote:
>>> Hi,
>>>
>>> I'm remotely connecting to a server in the dmz zone with the following
>>> configuration:
>>>
>>> /etc/network/interfaces:
>>>
>>> allow-hotplug enp1s0
>>> iface enp1s0 inet dhcp
>>>
>>> /etc/shorewall/zones:
>>>
>>> net ipv4
>>>
>>> /etc/shorewall/interfaces:
>>>
>>> net enp1s0 dhcp,optional
>>>
>>> /etc/shorewall/rules:
>>>
>>> ACCEPT net $FW:&enp1s0 tcp 22
>>>
>>>
>>> This configuration works fine and after rebooting that server I can
>>> access it remotely.
>>>
>>> But if I configure that same interface using systemd, after reboot, I
>>> can no longer access that server remotely.
>>>
>>> /etc/systemd/network/enp1s0.network:
>>>
>>> [Match]
>>> Name=enp1s0
>>>
>>> [Network]
>>> DHCP=ipv4
>>>
>>> The wait option in /etc/shorewall/interfaces doesn't seem to help.
>>> I'm not sure how to fix that and I would rather keep using systemd! :)
>>>
>>
>> After some more testing I can confirm that the same behavior is also
>> happening when /etc/network/interfaces is used.
>> Is it expected (it works fine if I use $FW:ip)?
>>
> 
> It is not expected, and I am unable to reproduce the problem on Debian
> 9.3. What is the output of 'shorewall show net-fw' after reboot?
> 

The issue is fixed:

If the dhcp interface doesn't get an IP when the firewall is being
started, here are some ways to work around that:

With the release of Shorewall 5.1.11.2 simply use the wait option in
/etc/shorewall/interfaces (wait=<TIME-TO-WAIT>).

If Shorewall 5.1.11.2 is not an option:
- When the service systemd-networkd is used to configure the dhcp
interface, also enabling 'systemd-networkd-wait-online' could help.

- When the dhcp interface is configured in /etc/network/interfaces,
adding an exit-hook script to reload shorewall when a new lease is bound
could help.
A dhclient-exit-hooks.d script could look like:

# Sourced by dhclient-script; $reason is set by dhclient for every event.
case $reason in
    BOUND)
        # A new lease was just bound: reload so rules using &enp1s0
        # are recompiled with the address the interface now has.
        /sbin/<PRODUCT> reload
        ;;
esac

A special thanks to Tom for making the wait option work with address
variables and for his help sorting this out! :)

-Matt
-- 
Matt Darfeuille
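
Added example, not code from the thread: a fuller version of the dhclient exit hook above that only reloads when the interface address the rules were compiled with (via &enp1s0) actually appears or changes, and only if the firewall is already running. It assumes the interface is enp1s0, that the product binary is /sbin/shorewall (the thread's /sbin/<PRODUCT>), and that dhclient-script has exported $reason, $interface, $old_ip_address and $new_ip_address as it does on Debian.

```shell
# Hypothetical file: /etc/dhcp/dhclient-exit-hooks.d/shorewall (sourced, not
# executed, by dhclient-script). Assumptions: interface enp1s0 and binary
# /sbin/shorewall; both can be overridden through the environment.
WATCHED_IFACE="${WATCHED_IFACE:-enp1s0}"
SHOREWALL_BIN="${SHOREWALL_BIN:-/sbin/shorewall}"

# needs_reload REASON IFACE OLD_IP NEW_IP
# Returns 0 when the address embedded in rules such as
# "ACCEPT net $FW:&enp1s0 tcp 22" has appeared or changed, i.e. the
# compiled ruleset is now stale and must be regenerated.
needs_reload() {
    # dhclient runs the hook for every interface; ignore the others.
    [ "$2" = "$WATCHED_IFACE" ] || return 1
    case "$1" in
        BOUND|REBOOT)
            # First lease after boot (or a re-used old lease): address is new.
            [ -n "$4" ]
            ;;
        RENEW|REBIND)
            # Lease renewed: reload only if the server handed out a
            # different address; same address means the rules are still right.
            [ -n "$4" ] && [ "$4" != "$3" ]
            ;;
        *)
            # PREINIT, EXPIRE, FAIL, RELEASE, ...: nothing for the firewall
            # to pick up, so leave the running ruleset alone.
            return 1
            ;;
    esac
}

# reload_firewall: reload only a firewall that is already running. Starting
# it is left to boot ordering (or the wait= option), so a DHCP event can
# never bring up a ruleset that the rest of the boot did not intend yet.
reload_firewall() {
    if "$SHOREWALL_BIN" status >/dev/null 2>&1; then
        "$SHOREWALL_BIN" reload
    fi
}

# Entry point when sourced by dhclient-script (no-op when $reason is unset).
if [ -n "${reason:-}" ] && needs_reload "$reason" "${interface:-}" \
        "${old_ip_address:-}" "${new_ip_address:-}"; then
    reload_firewall
fi
```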

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
