Hello all,

I've implemented an automatic bandwidth monitoring and topup system for a VPN I've built, and need to restart Shorewall every time my script writes /etc/shorewall/rules. The only problem is that it seems to cut access (drops ping packets, and presumably everything else) for about 20-30 seconds while it's restarting. As I'm intending this to scale to 50+ users, regular downtime is not something I'm really keen on having.

Hence, I'm asking if there's a way of restarting Shorewall, but leaving whatever is cutting access (interface aliases? I have 16 addresses on eth0) until a proper restart?

All that changes is a few ACCEPT rules in 'rules'. I'm trying to avoid doing two separate commands every time a user is cut off/resumed - I have been thinking about updating Shorewall's rules as normal with the script, and using direct "iptables -j ACCEPT ..." style commands to do the instant update, but this is far from a glamorous solution, especially if states are uncertain.

Am I simply doing far more than Shorewall was ever intended to do? If I am, could someone recommend a package that can do the 'neat tricks' I need? Or... am I just going to have to bite the bullet and write iptables.up and user-block.pl scripts myself?

Please find attached my Shorewall configuration.

Any suggestions would be greatly appreciated.

Thank you very much,

Jan Mulders
Jan Mulders wrote:
> Hello all,
>
> I've implemented an automatic bandwidth monitoring and topup system for a
> VPN I've built, and need to restart Shorewall every time my script writes
> /etc/shorewall/rules. The only problem is that it seems to cut access (drops
> ping packets, and presumably everything else) for about 20-30 seconds while
> it's restarting. As I'm intending this to scale to 50+ users, regular
> downtime is not something I'm really keen on having.
>
> Hence, I'm asking if there's a way of restarting Shorewall, but leaving
> whatever is cutting access (interface aliases? I have 16 addresses on eth0)
> until a proper restart?

What is the setting of RETAIN_ALIASES= in shorewall.conf? If it is set to "no" try "yes".

> All that changes is a few ACCEPT rules in 'rules'. I'm trying to avoid doing
> two separate commands every time a user is cut off/resumed - I have been
> thinking about updating Shorewall's rules as normal with the script, and
> using direct "iptables -j ACCEPT ..." style commands to do the instant
> update, but this is far from a glamorous solution, especially if states are
> uncertain.
>
> Am I simply doing far more than Shorewall was ever intended to do? If I am,
> could someone recommend a package that can do the 'neat tricks' I need? Or...
> am I just going to have to bite the bullet and write iptables.up and
> user-block.pl scripts myself?

dynamic zones maybe?

> [...]
>
> Jan Mulders

Jerry
Jan Mulders wrote:
> Hello all,
>
> I've implemented an automatic bandwidth monitoring and topup system
> for a VPN I've built, and need to restart Shorewall every time my
> script writes /etc/shorewall/rules. The only problem is that it seems
> to cut access (drops ping packets, and presumably everything else) for
> about 20-30 seconds while it's restarting. As I'm intending this to
> scale to 50+ users, regular downtime is not something I'm really keen
> on having.
>
> [...]
>
> Jan Mulders

Without worrying about the restarts, can you not make your script only restart Shorewall after x changes?

-- 
Ray Booysen
rj_booysen@rjb.za.net
The problem is I really need to block the user as soon as possible after a user hits their limit - as my VPN is fast (100mbps symmetrical), users can stack up a lot of transfer very quickly.

On another note, thank you very much Jerry for your suggestion - Shorewall was not set to retain aliases, and I've just tested it while running an FTP download and a UDP game, and it seems like only ICMP is affected during restart now. I guess this means I don't have to angst about Shorewall interfering during restarts any more :-)

Dynamic zones is adding/removing a physical or virtual interface to a zone dynamically, correct? Can I do this for -subsets- of interfaces (i.e., a single IP address on my local network), as hinted at by the manpage? Would the gurus here consider that a better solution than commenting out ACCEPT rules for hosts, or is it simply a case of convenience?

In terms of expanding on my configuration, do you know if it's possible to rate-limit a user (down to, say, 5k/sec) from a Perl script using Shorewall as the medium? Which would suit me better under this condition - editing 'rules' or dynamic zones?

Thanks a lot for your help,

Jan

On 01/02/06, Ray Booysen <rj_booysen@rjb.za.net> wrote:
> Jan Mulders wrote:
> > [...]
> Without worrying about the restarts, can you not make your script only
> restart Shorewall after x changes?
>
> --
> Ray Booysen
> rj_booysen@rjb.za.net
In my simple environment, I use bridging and a 2 node device(s). Try putting 2 completely separate but identical Shorewall servers in series with each other. Hardware is cheap. Make changes in A, restart. Make same changes in B, restart. No downtime. Make sure they are both doing a pass-through mode in the routestopped file. Restart 1 at a time and you are protected from everything on the unsafe side. This method will not work in a complex environment but works great for me.

Regards
Jim Sanders

Subject: Re: [Shorewall-users] Restarting Shorewall without downtime?
Date: Wed, 1 Feb 2006 10:36 EST
From: Ray Booysen <rj_booysen@rjb.za.net>
To: shorewall-users@lists.sourceforge.net

Jan Mulders wrote:
> [...]
>
> Jan Mulders

Without worrying about the restarts, can you not make your script only restart Shorewall after x changes?

-- 
Ray Booysen
rj_booysen@rjb.za.net
Jan Mulders wrote:
> ...
> I guess this means I don't have to angst about Shorewall interfering during
> restarts any more :-)
>
> Dynamic zones is adding/removing a physical or virtual interface to a zone
> dynamically, correct? Can I do this for -subsets- of interfaces (i.e., a
> single IP address on my local network), as hinted at by the manpage?

You can add anything that you can normally put in a zone. Interfaces, subnets, or individual hosts.

> Would the gurus here consider that a better solution than commenting out
> ACCEPT rules for hosts, or is it simply a case of convenience?

Absolutely. Although Tom has been trying to drop dynamic zones for a long time now, they are unlikely to go away until ipsets has stabilised in kernel.org distributions, and then there will be a direct replacement for them anyway.

> In terms of expanding on my configuration, do you know if it's possible to
> rate-limit a user (down to, say, 5k/sec) from a Perl script using Shorewall
> as the medium? Which would suit me better under this condition - editing
> 'rules' or dynamic zones?

If your users have fixed addresses, then I expect switching them from the "full access" zone to the "cut-down" zone would mean you were able to rate-limit them effectively.

Paul
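Paul's suggestion, moving a fixed-address user between a full-access zone and a cut-down zone with "shorewall add" / "shorewall delete" rather than rewriting 'rules' and restarting, is sketched below as an added example. It is not code from the thread, from Jan's Perl script, or from the Shorewall project, and everything it names is an assumption: per-user byte counters in an iptables chain called "quota" (read with "iptables -L quota -v -n -x"), a VPN interface "tun0", a full-access zone "vpn", a cut-down zone "capped" declared in /etc/shorewall/zones, DYNAMIC_ZONES=Yes in shorewall.conf, and 500 MiB quotas. The counter output is constructed sample data. Dynamic zone membership lives only in the running firewall, not in the config files, so a real "shorewall restart" forgets it; the script therefore keeps its own record of capped users (the "capped" set) so a caller can re-apply it after a restart. The zone declaration syntax for dynamic membership differs between Shorewall versions, so check shorewall(8) for the version in use before relying on the exact commands.

```python
"""Quota enforcement via Shorewall dynamic zones (added example, not from the thread).

Assumed layout (none of this is stated in the thread):
  - An iptables chain 'quota' holds one counting rule per VPN address in each
    direction; 'iptables -L quota -v -n -x' is the data source.
  - Users normally sit in zone 'vpn' and are moved to a restricted zone
    'capped' when over quota (both zones declared in /etc/shorewall/zones,
    DYNAMIC_ZONES=Yes in shorewall.conf).  The VPN interface is 'tun0'.
"""
import re
import shutil
import subprocess

VPN_IFACE = "tun0"       # assumed interface name
FULL_ZONE = "vpn"        # assumed full-access zone
CAPPED_ZONE = "capped"   # assumed cut-down zone

# Constructed sample of 'iptables -L quota -v -n -x' (not real output).
SAMPLE_COUNTERS = """\
Chain quota (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  412001  501283712 RETURN     all  --  *      *       10.8.0.5             0.0.0.0/0
   90112   80331776 RETURN     all  --  *      *       0.0.0.0/0            10.8.0.5
   30012   12582912 RETURN     all  --  *      *       10.8.0.6             0.0.0.0/0
    5000    2097152 RETURN     all  --  *      *       0.0.0.0/0            10.8.0.6
"""
QUOTAS = {"10.8.0.5": 500 * 1024 * 1024, "10.8.0.6": 500 * 1024 * 1024}

# Columns of '-v -n -x' output: pkts bytes target prot opt in out source destination
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def parse_counters(output):
    """Map each VPN address to the bytes counted against it in both directions."""
    usage = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:          # chain header and column header lines
            continue
        _pkts, nbytes, src, dst = m.groups()
        host = src if src != "0.0.0.0/0" else dst
        usage[host] = usage.get(host, 0) + int(nbytes)
    return usage


def plan_zone_moves(usage, quotas, capped):
    """Return [(action, host)] where action is 'cap' or 'restore'.

    'capped' is the script's own record of who is currently in the cut-down
    zone; a topup that resets the counters brings a user back below the limit.
    """
    moves = []
    for host, limit in quotas.items():
        used = usage.get(host, 0)
        if used >= limit and host not in capped:
            moves.append(("cap", host))
        elif used < limit and host in capped:
            moves.append(("restore", host))
    return moves


def shorewall_commands(moves):
    """Translate moves into 'shorewall delete/add <iface>:<host> <zone>' argv lists."""
    cmds = []
    for action, host in moves:
        target = f"{VPN_IFACE}:{host}"
        src, dst = (FULL_ZONE, CAPPED_ZONE) if action == "cap" else (CAPPED_ZONE, FULL_ZONE)
        cmds.append(["shorewall", "delete", target, src])
        cmds.append(["shorewall", "add", target, dst])
    return cmds


def apply_moves(moves, capped, dry_run=None):
    """Run the zone changes and update the capped set; dry-run if shorewall is absent."""
    if dry_run is None:
        dry_run = shutil.which("shorewall") is None
    cmds = shorewall_commands(moves)
    for cmd in cmds:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    for action, host in moves:
        (capped.add if action == "cap" else capped.discard)(host)
    return cmds


if __name__ == "__main__":
    state = set()
    apply_moves(plan_zone_moves(parse_counters(SAMPLE_COUNTERS), QUOTAS, state), state)
```

Run from cron or a loop, this replaces "edit rules, restart" with two zone commands per user, and the counters in the quota chain keep running across the change because nothing is flushed. The "capped" set is what to persist (a small file) so that after a genuine restart the script can replay the moves.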