On 3/16/20 12:57 PM, PGNet Dev wrote:
> i'm running distro-pkg'd shorewall 5.2.3.7, on opensuse leap15.1.
> it's deployed on my boxes as shorewall-lite + shorewall-init.
> once up, it runs fine.
>
> on upgrade by package manager, "Something(tm)" in the install process causes
> the fw to immediately start blocking traffic.
> if the upgrade's in the middle of a larger set of upgrades, it causes all
> subsequent package updates to fail -- due to loss of network connectivity.
> a restart of shorewall immediately fixes the problem ... and allows all
> traffic -- upgrades, access, etc -- to continue without problem.
> i reported this at distro
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1166114
>
> where dev was unable to reproduce.
> eventually figured out one significant difference -- I run shorewall-init,
> the dev does not.
> atm, here
>
> cat /etc/sysconfig/shorewall-init
> PRODUCTS="shorewall-lite shorewall6-lite"
> IFUPDOWN=0
> LOGFILE=/var/log/shorewall/shorewall-ops.log
> OPTIONS=""
>
> i'm not clear which thread to pull at in troubleshooting ...
> is it possible/likely that my use of shorewall-init is causal here?
It is possible, if the update process is restarting shorewall-init after
it is restarting shorewall. Remember that
shorewall-init start
is equivalent to
shorewall-lite stop; shorewall6-lite stop
with your /etc/sysconfig/shorewall-init file. You may be able to
determine what is going on by looking at your shorewall logs and
comparing the timestamps.
Ideally, update/upgrade should do nothing with shorewall-init other than
install the new packages.
> since, in the -init config, i disable IFUPDOWN, and manage my IPSETs
> externally, with own scripts, i'm wondering if -init's necessary/useful at
> all ... &/or if there's something fixable if i do leave it in place ?
With your configuration, shorewall-init is ensuring that only
connections allowed by your 'stopped' configurations are being allowed
between the time that your external interface(s) comes up and the time
that shorewall-lite and shorewall6-lite are started.
Without knowing more about the OpenSuSE update/upgrade process, I don't
know if this is fixable or not.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
