On 08/19/2015 07:50 AM, Victor Julien wrote:
> On 08/18/2015 02:12 PM, Dick Hollenbeck wrote:
>> This is still a problem as of 18-August-2015:
>>
>> http://vuurmuur-users.narkive.com/1W0jUSnb/existing-ssh-session-being-killed-during-rule-application
>>
>> I loaded nf_conntrack_ipv4 ahead of time, even logged out and back in, then
>> did the vuurmuur startup and it killed my ssh connection.
>>
>> This makes the vuurmuur package unusable. If there is no remedy soon we'll
>> have to remove this package from our embedded distro.
>>
>> # vuurmuur -V
>> Vuurmuur 0.8rc1 (using libvuurmuur 0.8rc1)
>>
>> Again, it's such a disagreeable behaviour that it makes the package unusable.
>>
>
> I wonder what a good solution would be. For example, when you log in
> over SSH you can get an env var:
>
> SSH_CONNECTION=192.168.1.3 34790 192.168.1.1 22
>
> If you're willing to trust this env var, you could have the init script
> do a work around. E.g. add a rule for that tuple, or maybe add the
> conntrack entry manually using the conntrack tool.
>
> However, this won't work in all cases. For example sudo strips this env
> var away.
>
> I guess another way would be to have the interface define a 'management'
> ip (or port) that operates outside of the conntrack rules (in the raw
> table perhaps).
>
> Suggestions and/or patches are welcome.
After a reboot, starting with no iptables rules and no modules loaded, if I do the following:

# vuurmuur -k -v

I then see this. The last line is where it hangs:

Keeping rulesfiles...
verbose output
Info: This is Vuurmuur 0.8rc1 (using libvuurmuur 0.8rc1)
Info: Copyright (C) 2002-2008 by Victor Julien
Info: Loading services...
Info: Loading services succesfull.
Info: Loading interfaces...
Info: Loading interfaces succesfull.
Info: Loading zones...
Info: Loading zones succesfull.
Info: Loading rulesfile...
Info: 5 rules loaded.
Info: Loading rulesfile succesfull.
Info: Analyzing the rules...
Info: Creating the rules... (rules to create: 5)
Info: NEWQUEUE target not setup. QUEUE-target not supported by system.
Info: connection tracking for QUEUE not setup. QUEUE-target and/or mark-match not supported by system.
Warning: snat rules not created: SNAT-target not supported by this system.
Info: Creating rules finished.

Vuurmuur-users mailing list
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
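The workaround Victor sketches above (trust SSH_CONNECTION, then add a rule for that tuple or seed a conntrack entry before the firewall reloads) as an added example script; it is not vuurmuur's own code nor anything posted in this thread. It assumes iptables and conntrack-tools are installed, that the allow rule belongs in the filter table's INPUT chain, and that it is run as root with SSH_CONNECTION still in the environment (sudo strips it, as noted above).

```shell
#!/bin/sh
# Added example, not part of vuurmuur: protect the current admin SSH session
# across a firewall (re)load by deriving a narrow rule from SSH_CONNECTION.
# Assumptions: iptables + conntrack-tools on PATH; rule goes in filter/INPUT.
# Run as root from the login shell; sudo drops SSH_CONNECTION unless preserved.

# Validate "client_ip client_port server_ip server_port"; echo it back if sane.
parse_ssh_connection() {
    set -- $1
    [ $# -eq 4 ] || return 1
    for ip in "$1" "$3"; do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
    for port in "$2" "$4"; do
        case "$port" in ''|*[!0-9]*) return 1;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
    echo "$1 $2 $3 $4"
}

# Accept only this exact 4-tuple, first in INPUT: far narrower than opening port 22.
build_allow_rule() {
    tuple=$(parse_ssh_connection "$1") || return 1
    set -- $tuple
    echo "iptables -I INPUT 1 -p tcp -s $1 --sport $2 -d $3 --dport $4 -j ACCEPT"
}

# Seed the tracking entry so a generic ESTABLISHED,RELATED rule also matches
# the session once nf_conntrack is loaded (conntrack -I creates an entry).
build_conntrack_entry() {
    tuple=$(parse_ssh_connection "$1") || return 1
    set -- $tuple
    echo "conntrack -I -p tcp -s $1 -d $3 --sport $2 --dport $4 --state ESTABLISHED --timeout 3600"
}

main() {
    [ -n "${SSH_CONNECTION:-}" ] || { echo "SSH_CONNECTION not set (sudo?)" >&2; exit 1; }
    for cmd in "$(build_allow_rule "$SSH_CONNECTION")" \
               "$(build_conntrack_entry "$SSH_CONNECTION")"; do
        [ -n "$cmd" ] || { echo "malformed SSH_CONNECTION" >&2; exit 1; }
        echo "$cmd"                      # always show what would be run
        if [ "$1" = apply ]; then $cmd; fi
    done
}
# "dry-run" prints the commands; "apply" executes them before loading vuurmuur.
case "${1:-}" in apply|dry-run) main "$1";; esac
```

Run it with `dry-run` first to inspect the two commands, then `apply` immediately before the vuurmuur start; the allow rule should be removed once the normal rule set is confirmed to keep the session alive.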
