Hi,

I've to restart shorewall when my dynamic IP was changed from my ISP.
Of course I can with a shell script do it automatically, but the
question is still there.. why ?

mess-mate
--
"I understand this is your first dead client," Sabian was saying. The
absurdity of the statement made me want to laugh but they don't call me
Deadpan Allie and lie.
-- Pat Cadigan, "Mindplayers"

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
mess-mate wrote:
> Hi,
> I've to restart shorewall when my dynamic IP was changed from my ISP.
> Of course I can with a shell script do it automatically, but the
> question is still there.. why ?
>

You initiated a very long email thread with the title:

    ETH0_IP=`find_first_interface_address ppp0`

in which you said that you have the following in /etc/shorewall/rules:

    DNAT loc dmz:192.168.20.1 tcp 80 - $ETH0_IP

When the IP address of ppp0 changes, the DNAT rule no longer works.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Hi,
| > I've to restart shorewall when my dynamic IP was changed from my ISP.
| > Of course I can with a shell script do it automatically, but the
| > question is still there.. why ?
| >
|
| You initiated a very long email thread with the title:
|
|     ETH0_IP=`find_first_interface_address ppp0`
|
| in which you said that you have the following in /etc/shorewall/rules:
|
|     DNAT loc dmz:192.168.20.1 tcp 80 - $ETH0_IP
|
| When the IP address of ppp0 changes, the DNAT rule no longer works.
|
| -Tom

Ahh yes of course.
I've to write a shell script detecting an IP change and restarting shorewall.
Thanks.

mess-mate
--
Q: How many surrealists does it take to change a light bulb?
A: Two, one to hold the giraffe, and the other to fill the bathtub with
   brightly colored machine tools.
[Surrealist jokes just aren't my cup of fur. Ed.]
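The change-detection script mess-mate says he will write, as an added example that is not from the thread: it records the last address of ppp0 in a state file and runs "shorewall restart" only when the address actually differs, because $ETH0_IP is expanded when Shorewall builds the ruleset and the DNAT rule keeps the stale address until the next restart. The interface name, the state-file path and the use of "ip" instead of Shorewall's find_first_interface_address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): restart Shorewall only when the
# dynamic address of the PPP interface has changed.
# Assumptions: the interface is ppp0 and the state file lives in /var/run.
IFACE="${IFACE:-ppp0}"
STATEFILE="${STATEFILE:-/var/run/shorewall-dynip.state}"

# Print the first IPv4 address of an interface, without prefix length
# (empty when the interface is down or has no address).
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Return 0 (changed) when NEWIP differs from the address recorded in
# STATEFILE, and record NEWIP; return 1 when unchanged or NEWIP is empty,
# so a transient link-down does not trigger a restart.
ip_changed() {
    statefile="$1"
    newip="$2"
    [ -n "$newip" ] || return 1
    oldip=""
    [ -r "$statefile" ] && oldip=$(cat "$statefile")
    [ "$oldip" != "$newip" ] || return 1
    printf '%s\n' "$newip" > "$statefile"
    return 0
}

# Restart Shorewall so the rules that expanded $ETH0_IP are regenerated
# with the current ppp0 address.
restart_on_change() {
    if ip_changed "$STATEFILE" "$(current_ip "$IFACE")"; then
        logger -t shorewall-dynip \
            "address of $IFACE is now $(cat "$STATEFILE"); restarting shorewall"
        /sbin/shorewall restart
    fi
}

# Run with --check from cron every minute, or from a ppp ip-up hook
# (assumed locations; adapt to the distribution).
if [ "${1:-}" = "--check" ]; then
    restart_on_change
fi
```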
Frank Wittig
2007-Aug-22 14:44 UTC
Re: have to restart shorewall after a dynamic IP change
Unless your ppp0 device has more than one IP, why not simply configure
shorewall in a way the resulting rules are independent from your dynamic
external IP?

mess-mate wrote:
> I've to write a shell script detecting an IP change and restarting
> shorewall.
On Wed, 2007-08-22 at 16:44 +0200, Frank Wittig wrote:
> Unless your ppp0 device has more than one IP, why not simply configure
> shorewall in a way the resulting rules are independent from your dynamic
> external IP?

Mess-mate wants to be able to access his web server (in a DMZ) using its
(dynamic) DNS name as described in Shorewall FAQ 2b.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2007-Aug-22 16:47 UTC
Re: have to restart shorewall after a dynamic IP change
On Wed, Aug 22, 2007 at 07:52:21AM -0700, Tom Eastep wrote:
> On Wed, 2007-08-22 at 16:44 +0200, Frank Wittig wrote:
> > Unless your ppp0 device has more than one IP, why not simply configure
> > shorewall in a way the resulting rules are independent from your dynamic
> > external IP?
>
> Mess-mate wants to be able to access his web server (in a DMZ) using
> its (dynamic) DNS name as described in Shorewall FAQ 2b.

This seems like a problem that would benefit from using an ipset,
controlled by the dhcp client (or whatever provides the dynamic
address). It is not immediately obvious to me how to arrange that,
though.
On Wed, 2007-08-22 at 17:47 +0100, Andrew Suffield wrote:
> On Wed, Aug 22, 2007 at 07:52:21AM -0700, Tom Eastep wrote:
> > On Wed, 2007-08-22 at 16:44 +0200, Frank Wittig wrote:
> > > Unless your ppp0 device has more than one IP, why not simply configure
> > > shorewall in a way the resulting rules are independent from your dynamic
> > > external IP?
> >
> > Mess-mate wants to be able to access his web server (in a DMZ) using
> > its (dynamic) DNS name as described in Shorewall FAQ 2b.
>
> This seems like a problem that would benefit from using an ipset,
> controlled by the dhcp client (or whatever provides the dynamic
> address). It is not immediately obvious to me how to arrange that,
> though.

Currently, Shorewall doesn't correctly handle an ipset as the ORIGINAL DEST:

/etc/shorewall/rules:

    DNAT net dmz:192.168.1.5 tcp 80 - +setname

The generated rules (both compilers generate similar rules):

    -A net_dnat -p 6 --dport 80 -m set --set setname dst -j DNAT --to-destination 192.168.1.5
    -A net2dmz -p 6 --dport 80 -d 192.168.1.5 -m conntrack --ctorigdst +setname -j ACCEPT

The second rule is bogus.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key