Greetings shorewall users,

I'm running into a problem and hoping someone might have a simple idea how to fix it. I have shorewall configured on a linux fw with 2 port DNAT rules to an internal server for openvpn from external clients. Everything works fine there. I have a problem when the fw is rebooted however. When it comes back up, interfaces are brought up before shorewall is started and the external openvpn clients are trying to reconnect. When shorewall starts, it blocks (in the external 2fw chain) the openvpn ports which are configured to be DNATed.

I've pinned it down to the fact that when the interfaces first come up, the external clients attempt to connect to the non-DNATed (yet) ports which creates a connection tracking entry for the clients->fw. When shorewall starts, it sees future packets as part of that connection and drops them as destined for the fw. Packets from new tuples are DNATed correctly.

So my question is, what's the best way around this? Right now, I have to manually stop the clients for long enough that their connection tracking entries go away, then restart them. Should I start shorewall twice: once when lo comes up then restart it when my other interfaces have been configured? Has anyone else had to solve this?

Thanks in advance,

-- 
Brad Barden <brad@mifflinet.net>

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
On Sat, 26 Dec 2009 10:43:03 -0600 Brad <brad+shorewall-users@mifflinet.net> wrote:

> So my question is, what's the best way around this? Right now, I have
> to manually stop the clients for long enough that their connection
> tracking entries go away, then restart them. Should I start shorewall
> twice: once when lo comes up then restart it when my other interfaces
> have been configured? Has anyone else had to solve this?

The easiest solution is to install the conntrack utility program and arrange for /etc/init.d/shorewall to use the "-p" option to the start command.

The other choice is to rearrange the order of startup so that Shorewall starts after networking. That usually requires some modification to the Shorewall configuration.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
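The stale entries Brad describes are visible in the conntrack table: a flow to the DNAT port whose reply tuple still points at the firewall's own address rather than the internal server was tracked before the DNAT rule existed and will keep bypassing it. The following is an added example (not part of this thread or of Shorewall) that spots such entries in `conntrack -L` output; the sample output, the addresses (198.51.100.1 as the firewall, 192.168.1.10 as the OpenVPN server) and port 1194 are all constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (not captured from a real host).
# Line 1: tracked before DNAT existed, reply src is the firewall itself (stale).
# Line 2: correctly DNATed, reply src is the internal OpenVPN server.
# Line 3: unrelated SSH flow to the firewall, must not be reported.
SAMPLE='udp      17 29 src=203.0.113.5 dst=198.51.100.1 sport=1194 dport=1194 [UNREPLIED] src=198.51.100.1 dst=203.0.113.5 sport=1194 dport=1194 mark=0 use=1
udp      17 170 src=203.0.113.7 dst=198.51.100.1 sport=1194 dport=1194 src=192.168.1.10 dst=203.0.113.7 sport=1194 dport=1194 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=40000 dport=22 src=198.51.100.1 dst=203.0.113.9 sport=22 dport=40000 [ASSURED] mark=0 use=1'

# stale_dnat_entries PORT INTERNAL_IP
# Reads conntrack -L lines on stdin and prints the client address of every
# flow whose original dport is PORT but whose reply tuple was NOT rewritten
# to INTERNAL_IP, i.e. an entry created before the DNAT rule was loaded.
stale_dnat_entries() {
    awk -v port="$1" -v internal="$2" '
    {
        n = 0; m = 0
        # Each line carries two tuples: original (src/dst as sent by the
        # client) followed by reply (src/dst as the firewall answers).
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   { sub(/^src=/, "", $i);   src[++n]   = $i }
            if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); dport[++m] = $i }
        }
        if (n == 2 && dport[1] == port && src[2] != internal) print src[1]
    }'
}

# Convenience wrapper over the constructed sample: number of stale entries.
count_stale() {
    printf '%s\n' "$SAMPLE" | stale_dnat_entries "$1" "$2" | wc -l | tr -d ' '
}

# On a live firewall: conntrack -L | stale_dnat_entries 1194 192.168.1.10
# Tom's fix (shorewall's -p option) purges the whole table at start; the
# assumed narrower alternative is: conntrack -D -p udp --orig-port-dst 1194
```

Running `count_stale 1194 192.168.1.10` against the sample reports exactly one stale client, 203.0.113.5, while the correctly DNATed client and the SSH flow are left alone.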
On Sat Dec 26, 2009 at 11:12:49AM -0800, Tom Eastep wrote:

> The easiest solution is to install the conntrack utility program and
> arrange for /etc/init.d/shorewall to use the "-p" option to the start
> command.

Perfect, -p is exactly what I was looking for. Thanks!

-- 
Brad Barden <brad@mifflinet.net>