Hi Tom,

I am using Shorewall version 5.2.0.4 and the restart config is RESTART=restart.

Thanks
Naveen

On Fri, Jul 19, 2019 at 2:26 PM Tom Eastep <teas...@shorewall.net> wrote:

> On 7/19/19 10:16 AM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > I am seeing an issue with SSH sessions getting dropped when I
> > restart Shorewall. I would restart Shorewall when there is a
> > config change.
> >
> > Issue:
> > 1) Start a connection from the box to a remote IP and send
> > traffic. This will create a conntrack entry like the one below, with zone=1:
> >
> > ipv4     2 tcp      6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
> >
> > 2) When I restart Shorewall, because it flushes the iptables rules
> > (I believe), and since there are no iptables rules, another conntrack
> > entry will be created with zone=0, which will cause the connection to
> > drop.
> >
> > ipv4     2 tcp      6 159 ESTABLISHED src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 [ASSURED] mark=0 *zone=0* use=2
> > ipv4     2 tcp      6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
> >
> > I have the zone entry in the conntrack file with the lines below:
> > IPTABLES(CT --zone 1)      eth5               -
> > IPTABLES(CT --zone 1):O    0.0.0.0/0          eth5
> >
> > I would appreciate any steps to avoid the default zone=0
> > conntrack entry getting created, even though we have a connection
> > entry present for the flow.
> >
>
> What version of Shorewall are you running? And what is the setting (if
> any) of RESTART in shorewall.conf?
>
> - -Tom
> - --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
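One way to confirm the symptom described in the thread (the same flow tracked under two conntrack zones after a restart) is the diagnostic script below. It is an added example, not code from the thread or from the Shorewall project. It parses entries in the /proc/net/nf_conntrack format, canonicalises each entry's endpoints so that the zone=0 entry created from the reply packet (original direction 10.16.16.240:22 -> 10.24.53.11:58021) matches the zone=1 entry of the same flow despite the reversed direction, and reports every flow present in more than one zone. The sample lines are the two entries quoted above; the `--live` flag and the path it reads are this script's own assumptions.

```python
import re
import sys
from collections import defaultdict

# The two conntrack entries quoted in the thread (the asterisks around zone=
# are e-mail emphasis and are stripped before parsing).
SAMPLE = """\
ipv4     2 tcp      6 159 ESTABLISHED src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 [ASSURED] mark=0 *zone=0* use=2
ipv4     2 tcp      6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
"""

# Assumed location of the live table when nf_conntrack is loaded (needs root).
CONNTRACK_PATH = "/proc/net/nf_conntrack"

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple, zone) for one nf_conntrack
    line, or None for lines that carry no port pair (e.g. ICMP, garbage)."""
    line = line.replace("*", "")
    fields = line.split()
    if len(fields) < 6:
        return None
    proto = fields[2]
    vals = defaultdict(list)
    zone = 0  # an entry without zone= belongs to the default zone 0
    for key, val in KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            vals[key].append(val)
        elif key == "zone":
            zone = int(val)
    # First src/dst/sport/dport group is the original direction, second the reply.
    if len(vals["src"]) < 2 or len(vals["sport"]) < 2:
        return None
    orig = (vals["src"][0], vals["sport"][0], vals["dst"][0], vals["dport"][0])
    reply = (vals["src"][1], vals["sport"][1], vals["dst"][1], vals["dport"][1])
    return proto, orig, reply, zone


def flow_key(proto, orig):
    """Direction-independent identity of a flow: protocol plus the sorted pair of
    (address, port) endpoints, so a reply-created entry matches the original."""
    src, sport, dst, dport = orig
    endpoints = sorted([(src, int(sport)), (dst, int(dport))])
    return (proto, endpoints[0], endpoints[1])


def find_zone_conflicts(text):
    """Map each flow that appears in more than one conntrack zone to the sorted
    list of zones it was seen in."""
    zones = defaultdict(set)
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        proto, orig, _reply, zone = entry
        zones[flow_key(proto, orig)].add(zone)
    return {key: sorted(z) for key, z in zones.items() if len(z) > 1}


def report(conflicts):
    """Human-readable lines, one per conflicting flow."""
    lines = []
    for (proto, a, b), zone_list in sorted(conflicts.items()):
        lines.append("%s %s:%d <-> %s:%d tracked in zones %s"
                     % (proto, a[0], a[1], b[0], b[1], zone_list))
    return lines


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open(CONNTRACK_PATH) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    found = find_zone_conflicts(text)
    print("\n".join(report(found)) if found else "no flows split across zones")
```

Running it with no arguments prints one line for the SSH flow from the thread, showing it tracked in zones [0, 1]; running it with `--live` on a host after a Shorewall restart tells you whether the same duplication is happening there. An empty result after a restart is what you want to see.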