Hi,

I have a machine with iptables managed by shorewall with around fifty GRE interfaces that route VOIP traffic. Currently each interface is listed in routestopped and interfaces and shorewall takes a good six minutes to restart.

I'm wondering:

1) All of the gre interfaces are in the same zone, so I'm thinking about replacing all of the gre interface configurations with a single line "cust gre+ -". I believe that this would make shorewall start faster, but would it change the firewall's behavior in any other way?

2) Is there a way to wildcard routestopped? Ideally, I could specify "gre+" to leave all gre interfaces open, but leaving the firewall completely open during a restart or in the event of a failure to start would be ok as well.

Thanks
-Brian

On Sun, April 16, 2006 13:19, Brian Camp wrote:
> 1) All of the gre interfaces are in the same zone, so I'm thinking
> about replacing all of the gre interface configurations with a single
> line "cust gre+ -". I believe that this would make shorewall start
> faster, but would it change the firewall's behavior in any other way?

Shouldn't -- provided that you specify 'routeback' as an option in the "cust gre+" line.

>
> 2) Is there a way to wildcard routestopped? Ideally, I could specify
> "gre+" to leave all gre interfaces open, but leaving the firewall
> completely open during a restart or in the event of a failure to
> start would be ok as well.

Just use 'gre+' in the routestopped file.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

On Sunday 16 April 2006 16:25, Tom Eastep wrote:
> > failure to
> > start would be ok as well.
>
> Just use 'gre+' in the routestopped file.
>

And be sure to specify 'routeback' there as well.

-Tom
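
A pre-merge check for the change discussed in this thread, added here as an example and not written by anyone in the thread: it confirms that every gre* entry in an interfaces file shares one zone before printing the single 'gre+' line with 'routeback'. Comparing the broadcast and options columns as well goes beyond what the thread asks for. The function names are hypothetical, the sample data is constructed, and the four-column ZONE INTERFACE BROADCAST OPTIONS layout is assumed.

```shell
#!/bin/sh
# Constructed sample in the assumed layout: ZONE INTERFACE BROADCAST OPTIONS
sample_interfaces() {
    cat <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
cust    gre1        -
cust    gre2        -           routeback
cust    gre3        -
EOF
}

# Read an interfaces file on stdin. If every entry whose interface name starts
# with "gre" has the same zone, broadcast and options (ignoring routeback, which
# the merged line adds), print the wildcard line and return 0. Otherwise print
# one MISMATCH line per differing entry and return 1.
check_gre_collapse() {
    awk '
    function norm(o,   a, n, i, j, t, r) {  # sort options; drop "-" and routeback
        n = split(o, a, ",")
        for (i = 2; i <= n; i++)
            for (j = i; j > 1 && a[j-1] > a[j]; j--) { t = a[j]; a[j] = a[j-1]; a[j-1] = t }
        r = ""
        for (i = 1; i <= n; i++)
            if (a[i] != "" && a[i] != "-" && a[i] != "routeback")
                r = (r == "" ? "" : r ",") a[i]
        return r
    }
    NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
    $2 ~ /^gre/ {
        seen++
        bc = ($3 == "" ? "-" : $3)
        key = $1 " " bc " " norm($4)
        if (seen == 1) { first = key; zone = $1; bcast = bc; opts = norm($4) }
        else if (key != first) { print "MISMATCH " $2 ": " key " != " first; bad = 1 }
    }
    END {
        if (!seen) { print "no gre interfaces found"; exit 1 }
        if (bad) exit 1
        print zone " gre+ " bcast " " (opts == "" ? "routeback" : opts ",routeback")
    }'
}
```

Run it as `check_gre_collapse < /etc/shorewall/interfaces`; a MISMATCH line means some interface whose name begins with "gre" would be treated differently once the wildcard entry replaces the individual ones.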