On 10/27/19 2:57 PM, Nigel Aves wrote:
> As a note, I'm a photographer who likes to run their own server for web
> sites / email server, but I am no sys-admin person. I have though been
> using Shorewall for a number of years now.
>
> I've been building a new server to replace my aging server. Centos 7 /
> VirtualMin install for software / admin. BUT I have had to use Kernel
> 4.x so that the Ryzen processor was recognized correctly.
>
> I copied all the shorewall files across, checked configuration and
> shorewall started up OK. But I could never get shorewall to start at
> boot. Tried all hints I could find on internet to no avail.
>
> Loaded Shorewall-init, set up the conf file. But now every time I tried
> to start it would fail with an error about the ipset "f2b" (- from
> fail2ban).

When you say 'start it', do you mean Shorewall or Shorewall-init? The
shorewall-init 'start' command basically loads the ipsets then issues a
'stop' command for each product listed in the PRODUCTS option in the
shorewall-init configuration file.

> I took all references out of the conf files for Shorewall,
> did a "shorewall compile". This seems to have solved the error messages
> I was getting.
>
> Questions.
>
> 1/ When using shorewall-init does shorewall itself have to be running,
> or is the compiled shorewall rules loaded directly into iptables?

If you are relying on Shorewall-init to load the ipset during boot, then:

a) shorewall-init must be enabled in your init system (systemd or Sys5
   init).
b) The shorewall-init config file must have the SAVE_IPSETS option set
   to the name of a file where the ipsets are to be saved.
c) The PRODUCTS option must at least include 'shorewall'.
d) The ipset must exist each time that Shorewall-init is stopped.

>
> 2/ When using fail2ban should I still be trying to push the banned ip's
> into shorewall, or should I change the settings to push directly into
> iptables?

You should have them saved in the ipset.

>
> 3/ Anything I might have missed ( )?
>

What version of Shorewall are you running?

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
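
The boot-time conditions listed in the reply above, turned into a checking script. This is an added example, not part of the original message or of Shorewall itself; the config path `/etc/sysconfig/shorewall-init`, the use of systemd for the enablement check, and the function names `conf_value`, `check_conf` and `check_runtime` are assumptions.

```shell
#!/bin/sh
# Added example (not Shorewall code). Assumed CentOS config path:
# /etc/sysconfig/shorewall-init

# Print the last uncommented OPTION=value from a shell-style config file,
# with any trailing comment, trailing blanks and surrounding quotes removed.
conf_value() {    # $1 = file, $2 = option name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Conditions readable from the config file; returns the number of failures.
check_conf() {    # $1 = shorewall-init config file
    cc_fails=0
    cc_products=$(conf_value "$1" PRODUCTS)
    cc_save=$(conf_value "$1" SAVE_IPSETS)
    case " $cc_products " in
        *" shorewall "*) echo "ok:   PRODUCTS includes shorewall" ;;
        *) echo "FAIL: PRODUCTS='$cc_products' lacks shorewall"; cc_fails=$((cc_fails + 1)) ;;
    esac
    if [ -n "$cc_save" ]; then
        echo "ok:   SAVE_IPSETS=$cc_save"
    else
        echo "FAIL: SAVE_IPSETS is empty, ipsets are not saved"; cc_fails=$((cc_fails + 1))
    fi
    return "$cc_fails"
}

# Conditions that need the live system (run as root); returns the failure count.
check_runtime() { # $1 = ipset name, e.g. f2b
    cr_fails=0
    systemctl is-enabled --quiet shorewall-init 2>/dev/null ||
        { echo "FAIL: shorewall-init is not enabled in systemd"; cr_fails=$((cr_fails + 1)); }
    ipset list "$1" >/dev/null 2>&1 ||
        { echo "FAIL: ipset '$1' does not exist right now"; cr_fails=$((cr_fails + 1)); }
    return "$cr_fails"
}

# Usage: script [config-file [ipset-name]]. With no arguments it runs on a
# constructed sample config so it can be tried offline.
if [ -n "${1:-}" ]; then
    check_conf "$1" || echo "$? config check(s) failed"
    check_runtime "${2:-f2b}" || echo "$? runtime check(s) failed"
else
    demo=$(mktemp)
    printf '%s\n' 'PRODUCTS="shorewall"  # constructed sample' 'SAVE_IPSETS=""' > "$demo"
    check_conf "$demo" || echo "$? config check(s) failed"
    rm -f "$demo"
fi
```

Run `check_runtime` just before stopping Shorewall-init or rebooting, since the last condition in the reply is about the ipset existing at stop time.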