Jens wrote:
> It seems that the standard setup as per my debian system has
> the following : IP_FORWARDING=keep
> To make my system work I had to change this to IP_FORWARDING=on.
>
> I have a pretty basic/stock debian (unstable) box sitting here for shorewall.
> As far as I remember, nothing on this box as relating to ip_forwarding was
> changed.
>
> I don't know if this is a debian problem, an operator problem or something
> that would warrant an FAQ entry or maybe even a change in the default
> shorewall.conf file. I thought I would just point it out and hopefully save
> someone else some time.
This is the Debian default -- The default as I release it is
IP_FORWARDING=On.
In the QuickStart Guides, you will find:
-------------------------------------------------------------------------------
If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:
* NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)
* IP_FORWARDING=On
-------------------------------------------------------------------------------
I really don't know where to repeat this information in the
documentation. Seems wrong to include a section in the Upgrade article
saying:
"If you ignore the above instructions and/or do something else, then
here are a list of things that might bite you"
I'll think about what I can do in the near term...
My long-term approach to this problem in 2.1 is to add a
STARTUP_DISABLED variable to shorewall.conf. This will replace the
/etc/shorewall/startup_disabled file and the /etc/default/shorewall
entry on Debian. That way, I can add (and the Debian maintainer can
supplement) text near STARTUP_DISABLED that tells people what to look
out for if they decide to install a new shorewall.conf file into an old
configuration.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
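
An added example, not part of the original message or of Shorewall itself: a shell check that reads a shorewall.conf and reports whether the box will forward packets after Shorewall starts, treating Keep as "leave the kernel's current value unchanged". The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Shorewall code): audit IP_FORWARDING in a shorewall.conf.

# Print the effective IP_FORWARDING value: lowercased, quotes stripped.
# shorewall.conf is read as shell assignments, so the last one wins;
# commented-out lines are ignored.
ip_forwarding_setting() {
    sed -n 's/^[[:space:]]*IP_FORWARDING=\([^#[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]'
}

# Args: <conf file> <current kernel ip_forward value, 0 or 1>
# Prints: forwarding | not-forwarding | unknown
forwarding_after_start() {
    setting=$(ip_forwarding_setting "$1")
    case "$setting" in
        on)   echo forwarding ;;
        off)  echo not-forwarding ;;
        keep) # Keep: the kernel value is left as it was before startup
              if [ "$2" = 1 ]; then echo forwarding
              else echo not-forwarding; fi ;;
        *)    echo unknown ;;   # unset or unrecognised: check by hand
    esac
}

# Constructed sample reproducing the setting reported in the thread.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample shorewall.conf' \
    '#IP_FORWARDING=On' \
    'IP_FORWARDING=Keep' > "$sample"
echo "Keep, kernel ip_forward=0: $(forwarding_after_start "$sample" 0)"
echo "Keep, kernel ip_forward=1: $(forwarding_after_start "$sample" 1)"
rm -f "$sample"

# On a live host, pass the real file as the first argument, e.g.
#   sh check.sh /etc/shorewall/shorewall.conf
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    forwarding_after_start "$1" "$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

A result of not-forwarding on a box that is meant to route between zones matches the symptom described in the thread.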