Hi Tom,

I am using Shorewall version 5.2.0.4 and the restart config is RESTART=restart.

Thanks,
Naveen

On Fri, Jul 19, 2019 at 2:26 PM Tom Eastep <teas...@shorewall.net> wrote:
> On 7/19/19 10:16 AM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > I am seeing an issue with the ssh session getting dropped when I
> > restart Shorewall. I restart Shorewall when there is a config change.
> >
> > Issue:
> > 1) Start a connection from the box to a remote IP and send traffic.
> > This will create a conntrack entry like the one below, with zone=1:
> >
> > ipv4 2 tcp 6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
> >
> > 2) When I restart Shorewall, because it flushed the iptables rules, I
> > believe, since there are no iptables rules, another conntrack entry
> > will be created with zone=0, which will cause the connection to drop.
> >
> > ipv4 2 tcp 6 159 ESTABLISHED src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 [ASSURED] mark=0 *zone=0* use=2
> > ipv4 2 tcp 6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 *zone=1* use=3
> >
> > I have the zone entry in the conntrack file with the lines below:
> >
> > IPTABLES(CT --zone 1)   eth5
> > -
> > IPTABLES(CT --zone 1):O 0.0.0.0/0   eth5
> >
> > I appreciate any steps to avoid the default zone=0 conntrack entry
> > getting created, even though we have a connection entry present for
> > the flow.
> >
>
> What version of Shorewall are you running? And what is the setting (if
> any) of RESTART in shorewall.conf?
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \      an international standard?
> Washington, USA    \   A: Someone who makes you an offer you can't
> http://shorewall.org \    understand
> \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
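The symptom described in the thread (the same ssh flow showing up once with zone=1 and again with zone=0 after a restart) is easy to confirm from `/proc/net/nf_conntrack` if the entries are normalised before comparing them, because the second entry is recorded from the reply direction. The following script is an added example, not code from the thread or from Shorewall itself: it parses conntrack lines in the format quoted above, canonicalises each flow as an unordered pair of endpoints plus protocol, and reports any flow that exists in more than one conntrack zone. The sample table is constructed from the entries in the post (plus one UDP line); the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/net/nf_conntrack format, modelled on the two
# ssh entries quoted in the thread plus one unrelated UDP flow. The asterisks
# the mail client put around "zone=" are not part of the real format.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 159 ESTABLISHED src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=10.24.53.11 dst=10.16.16.240 sport=58021 dport=22 src=10.16.16.240 dst=10.24.53.11 sport=22 dport=58021 [ASSURED] mark=0 zone=1 use=3
ipv4     2 udp      17 29 src=10.24.53.11 dst=10.24.53.1 sport=40000 dport=53 src=10.24.53.1 dst=10.24.53.11 sport=53 dport=40000 mark=0 zone=1 use=1
"""

_KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Return a dict with proto, original-direction 4-tuple and zone, or None.

    Only the first src/dst/sport/dport group (the original direction) is kept;
    the second group is the reply direction and is redundant for our purpose.
    A missing zone= field means the kernel's default zone 0.
    """
    fields = line.split()
    if len(fields) < 4:
        return None
    entry = {"proto": fields[2], "zone": 0}
    for key, value in _KEY_VALUE.findall(line):
        if key in ("src", "dst", "sport", "dport") and key not in entry:
            entry[key] = value
        elif key == "zone":
            entry["zone"] = int(value)
    if not all(k in entry for k in ("src", "dst", "sport", "dport")):
        return None
    return entry


def flow_key(entry):
    """Direction-independent identity of a flow: protocol plus sorted endpoints.

    Sorting the two (address, port) endpoints makes the zone=0 entry, which
    conntrack recorded from the server side, match the original zone=1 entry.
    """
    a = (entry["src"], entry["sport"])
    b = (entry["dst"], entry["dport"])
    return (entry["proto"],) + tuple(sorted((a, b)))


def find_cross_zone_flows(table_text):
    """Map each flow seen in more than one zone to the sorted list of zones."""
    zones_by_flow = defaultdict(set)
    for line in table_text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is not None:
            zones_by_flow[flow_key(entry)].add(entry["zone"])
    return {key: sorted(zones) for key, zones in zones_by_flow.items()
            if len(zones) > 1}


def report(table_text):
    """Human-readable summary, one line per duplicated flow."""
    lines = []
    for (proto, end_a, end_b), zones in sorted(find_cross_zone_flows(table_text).items()):
        lines.append("%s %s:%s <-> %s:%s seen in zones %s"
                     % (proto, end_a[0], end_a[1], end_b[0], end_b[1], zones))
    return lines


if __name__ == "__main__":
    # On a live box: python3 this_script.py < /proc/net/nf_conntrack
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    for line in report(data) or ["no flow present in more than one zone"]:
        print(line)
```

Running it against the constructed sample flags only the ssh flow, in zones 0 and 1; the UDP flow, present in a single zone, is not reported. Run before and after a `shorewall restart` on the affected host, the difference in output shows whether the restart created the zone 0 duplicate that the thread describes.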