Thanks again. I discovered a source that I had not thought about before: gateways defined along with static IPs in the netplan configuration; I removed those. The other source is dhcp. I removed "routers" from the "request" list in dhclient.conf and to be sure added a script under /etc/dhcp/dhclient-exit-hooks.d containing:

    ip route delete default via $new_routers

(that was inspired by https://unix.stackexchange.com/questions/182967/can-i-prevent-a-default-route-being-added-when-bringing-up-an-interface )

Neither of those has been changed so it's strange. However I may simply not have identified that there was a problem before that one link went flaky. I guess it will be clear later today or in a few days whether this is the complete solution.

Best,
Norman

On Tue, Jul 27, 2021 at 7:51 AM Tuomo Soini <[email protected]> wrote:

> On Mon, 26 Jul 2021 19:38:42 +0100
> Norman and Audrey Henderson <[email protected]> wrote:
>
> > The interfaces of course require a gateway since they are not
> > point-to-point.
>
> You missed the point. Interface scripts must not add gateway when you
> do multi-isp. If you down/up interface and scripting adds gateway, then
> running shorewall reload actually needs to remove gateway from main
> routing table. So you should not configure gateway when using multi-isp.
>
> So rule #1 - do not configure gateway.
>
> > Today I disabled foolsm so I am sure those scripts are not doing
> > anything. I cannot guess what other system component could be
> > reacting to a change in interface status and creating a default route
> > in table main - unless there is some misconfiguration in shorewall,
> > but I don't see any evidence of that.
>
> foolsm logs all its actions - if you suspect foolsm changing your
> interface status you can see it in syslog.
>
> > I have off.d and routable.d scripts in networkd-dispatcher, which end
> > with shorewall reload. So as far as I am aware, any changes to
> > interfaces would be caught by those scripts and shorewall reload will
> > be run after the interface changes state.
> >
> > Today I noted on the firewall running shorewall that (1) periodically
> > a default route for the flaky interface, I believe actually totally
> > down all day, would appear in table main (2) as a result the firewall
> > could not ping out (unless specifying another interface) and no-one
> > else on the network had outside access either (3) shorewall reload
> > removes the offending default route and then everything works again.
>
> If you have gateway configured in interface scripting and you down/up
> interface gateway gets added to main routing table. With multi-isp you
> must not set gateway from interface script, correct place to configure
> is in /etc/shorewall/providers
>
> --
> Tuomo Soini <[email protected]>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
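Added example, not part of either message above and not Shorewall's own code: a small check for the symptom discussed in this thread, a default route showing up in table main on a multi-ISP firewall. The function name, the sample routes and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report default routes present in routing table "main".
# In the thread above, gateways are meant to be configured in
# /etc/shorewall/providers, so a default route in table main is the symptom
# to look for after an interface goes down/up or a DHCP lease renews.

# Reads `ip route show table main` style output on stdin.
# Prints one line per default route as "gateway device proto"
# ("-" where a field is absent). Returns 1 if any default route was found,
# 0 if table main has none.
find_main_defaults() {
    awk '
        $1 == "default" {
            gw = "-"; dev = "-"; proto = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "via")   gw = $(i + 1)
                if ($i == "dev")   dev = $(i + 1)
                # proto, when shown, hints at what installed the route
                # (for example dhcp or static)
                if ($i == "proto") proto = $(i + 1)
            }
            print gw, dev, proto
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of table main (documentation address ranges).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth1 proto dhcp src 192.0.2.10 metric 100
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth2 proto kernel scope link src 198.51.100.10'

# Demo on the sample. On the firewall itself, feed it live data instead:
#   ip route show table main | find_main_defaults
printf '%s\n' "$SAMPLE_ROUTES" | find_main_defaults \
    || echo "default route present in table main"
```

Run from cron or from the networkd-dispatcher routable.d hook, a non-zero return gives a log line at the moment the route appears, which narrows down which component added it.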
