Firewall users,

My apologies as I'm not on this list, so please respond directly as well as to the list. I did try to search the archives and didn't find any hits, although the search did not like searching for terms with underscores in them (both clear_firewall and ip_forward).

I was trying to understand why, when running shorewall stop, even though it echoes

    IP Forwarding Disabled!

it really wasn't.

I'm running 2.0.1 under Mandrake 10.

I traced it down to the following line in the clear_firewall function in /usr/share/shorewall/firewall:

    echo 1 > /proc/sys/net/ipv4/ip_forward

which turns forwarding back on regardless of the setting of IP_FORWARDING in the shorewall.conf

To make sure it wasn't something changed on my system, I looked at the RPMs linked from the sourceforge site, and I see the same line in the RPMs for 2.0.1, 2.0.8 and 2.1.6

I'm running this on my laptop, with multiple interfaces, and really desire shorewall to respect the "IP_FORWARDING=Keep" configured in shorewall.conf.

Thanks for any help,
Mitch

--
Mitch Silverstein                     Cell: 717-877-2115
mitch.silverstein@perfectorder.com    Office: 717-796-1936
Perfect Order, Inc.                   Fax: 717-796-9759
http://www.perfectorder.com
Mitch Silverstein wrote:
| Firewall users,
| My apologies as I'm not on this list, so please respond directly as
| well as to the list. I did try to search the archives and didn't find
| any hits, although the search did not like searching for terms with
| underscores in them (both clear_firewall and ip_forward).
|
| I was trying to understand why, when running shorewall stop, even though
| it echoes
| IP Forwarding Disabled!
| it really wasn't.
| I'm running 2.0.1 under Mandrake 10.
| I traced it down to the following line in the clear_firewall function in
| /usr/share/shorewall/firewall:
| echo 1 > /proc/sys/net/ipv4/ip_forward
| which turns forwarding back on regardless of the setting of
| IP_FORWARDING in the shorewall.conf

But 'clear_firewall()' is only called on "shorewall clear" -- you are
complaining about "shorewall stop" which *does* follow the setting of
IP_FORWARDING.

As documented, "shorewall clear" makes your system "wide open" and that
includes turning on forwarding.

If you don't like that behavior, you can always comment out the
offending command; that's one of the advantages of open source software.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| Mitch Silverstein wrote:
| | Firewall users,
| | My apologies as I'm not on this list, so please respond directly as
| | well as to the list. I did try to search the archives and didn't find
| | any hits, although the search did not like searching for terms with
| | underscores in them (both clear_firewall and ip_forward).
| |
| | I was trying to understand why, when running shorewall stop, even though
| | it echoes
| | IP Forwarding Disabled!
| | it really wasn't.
| | I'm running 2.0.1 under Mandrake 10.
| | I traced it down to the following line in the clear_firewall function in
| | /usr/share/shorewall/firewall:
| | echo 1 > /proc/sys/net/ipv4/ip_forward
| | which turns forwarding back on regardless of the setting of
| | IP_FORWARDING in the shorewall.conf
|
| But 'clear_firewall()' is only called on "shorewall clear" -- you are
| complaining about "shorewall stop" which *does* follow the setting of
| IP_FORWARDING.
|
| As documented, "shorewall clear" makes your system "wide open" and that
| includes turning on forwarding.
|
| If you don't like that behavior, you can always comment out the
| offending command; that's one of the advantages of open source software.

Or you can turn forwarding off in your /etc/shorewall/clear file.

-Tom
Tom Eastep wrote:
| Tom Eastep wrote:
| | Mitch Silverstein wrote:
| | | Firewall users,
| | | My apologies as I'm not on this list, so please respond directly as
| | | well as to the list. I did try to search the archives and didn't find
| | | any hits, although the search did not like searching for terms with
| | | underscores in them (both clear_firewall and ip_forward).
| | |
| | | I was trying to understand why, when running shorewall stop, even though
| | | it echoes
| | | IP Forwarding Disabled!
| | | it really wasn't.
| | | I'm running 2.0.1 under Mandrake 10.
| | | I traced it down to the following line in the clear_firewall function in
| | | /usr/share/shorewall/firewall:
| | | echo 1 > /proc/sys/net/ipv4/ip_forward
| | | which turns forwarding back on regardless of the setting of
| | | IP_FORWARDING in the shorewall.conf
| |
| | But 'clear_firewall()' is only called on "shorewall clear" -- you are
| | complaining about "shorewall stop" which *does* follow the setting of
| | IP_FORWARDING.
| |
| | As documented, "shorewall clear" makes your system "wide open" and that
| | includes turning on forwarding.
| |
| | If you don't like that behavior, you can always comment out the
| | offending command; that's one of the advantages of open source software.
|
| Or you can turn forwarding off in your /etc/shorewall/clear file.
|

And before someone asks, no the standard Shorewall distribution does not
include /etc/shorewall/clear -- you have to create the file.

-Tom
Calling "/etc/init.d/shorewall stop" invokes "/sbin/shorewall clear"
which calls "/usr/share/shorewall/firewall clear"

Initially, clear does set /proc/sys/net/ipv4/ip_forward according to
IP_FORWARDING, but then the clear_firewall() call always sets it to 1

Yes, I understand I can override by duplicating the setup_forwarding() code in my own /etc/shorewall/clear, or by commenting out the line from /usr/share/shorewall/firewall

I guess I was trying to understand why stopping the firewall always turns on ip_forward. My concern is especially in the case where IP_FORWARDING is set to Off and the script echoes "IP Forwarding Disabled!" but in the end, Forwarding is silently re-enabled.

Before I commented that line out, I wanted to know if others had encountered this, what the rationale was, and whether commenting it out in clear_firewall would have other negative effects.

Thanks for your time and effort, on this issue and on shorewall development in general,
Mitch

Tom Eastep wrote:
> Tom Eastep wrote:
> | Mitch Silverstein wrote:
> | | Firewall users,
> | | My apologies as I'm not on this list, so please respond directly as
> | | well as to the list. I did try to search the archives and didn't find
> | | any hits, although the search did not like searching for terms with
> | | underscores in them (both clear_firewall and ip_forward).
> | |
> | | I was trying to understand why, when running shorewall stop, even though
> | | it echoes
> | | IP Forwarding Disabled!
> | | it really wasn't.
> | | I'm running 2.0.1 under Mandrake 10.
> | | I traced it down to the following line in the clear_firewall function in
> | | /usr/share/shorewall/firewall:
> | | echo 1 > /proc/sys/net/ipv4/ip_forward
> | | which turns forwarding back on regardless of the setting of
> | | IP_FORWARDING in the shorewall.conf
> |
> | But 'clear_firewall()' is only called on "shorewall clear" -- you are
> | complaining about "shorewall stop" which *does* follow the setting of
> | IP_FORWARDING.
> |
> | As documented, "shorewall clear" makes your system "wide open" and that
> | includes turning on forwarding.
> |
> | If you don't like that behavior, you can always comment out the
> | offending command; that's one of the advantages of open source software.
>
> Or you can turn forwarding off in your /etc/shorewall/clear file.
>
> -Tom
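The two things this exchange calls for, an /etc/shorewall/clear extension that re-applies IP_FORWARDING after clear_firewall() has forced it to 1, and a post-stop check that does not trust the "IP Forwarding Disabled!" message, as an added shell example that is not Shorewall's own code and not taken from the thread. It reads IP_FORWARDING from a shorewall.conf-style KEY=VALUE file and maps On/Off/Keep to what /proc/sys/net/ipv4/ip_forward should hold; both file paths are parameters so the constructed demo runs offline, and treating an unset IP_FORWARDING as On is an assumption about the default.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: decide what ip_forward should hold
# for an IP_FORWARDING setting and verify the kernel agrees. Paths are
# parameters (real host: /etc/shorewall/shorewall.conf, /proc/sys/net/ipv4/ip_forward).

# Print the IP_FORWARDING value from a shorewall.conf-style file (last
# assignment wins, comments and quotes stripped); prints nothing if unset.
read_ip_forwarding() {
    sed -n 's/^[[:space:]]*IP_FORWARDING=\([^#]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d '"[:space:]'
}

# Map a setting to what ip_forward should hold: 1, 0, or "keep" (do not
# touch it). Unset is treated as On here, an assumption about the default.
desired_ip_forward() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|'') echo 1 ;;
        off)   echo 0 ;;
        keep)  echo keep ;;
        *)     echo "invalid IP_FORWARDING setting: $1" >&2; return 1 ;;
    esac
}

# What an /etc/shorewall/clear extension would do: re-apply the configured
# setting to control file $2 after clear_firewall() has forced it to 1.
apply_ip_forwarding() {
    want=$(desired_ip_forward "$(read_ip_forwarding "$1")") || return 1
    [ "$want" = keep ] || echo "$want" > "$2"
    cat "$2"
}

# Post-stop check: fail when the kernel state contradicts the setting,
# rather than trusting the "IP Forwarding Disabled!" message.
check_ip_forwarding() {
    want=$(desired_ip_forward "$(read_ip_forwarding "$1")") || return 1
    [ "$want" = keep ] && return 0
    have=$(tr -d '[:space:]' < "$2")
    [ "$have" = "$want" ] && return 0
    echo "IP_FORWARDING expects ip_forward=$want but it is $have" >&2
    return 1
}

# Constructed demo: forwarding configured Off, but the control file has
# just been set back to 1 the way clear_firewall() did in this thread.
demo_conf=$(mktemp) && demo_fwd=$(mktemp)
printf 'STARTUP_ENABLED=Yes\nIP_FORWARDING=Off\n' > "$demo_conf"
echo 1 > "$demo_fwd"
check_ip_forwarding "$demo_conf" "$demo_fwd" || echo "mismatch, re-applying"
apply_ip_forwarding "$demo_conf" "$demo_fwd"    # prints 0
rm -f "$demo_conf" "$demo_fwd"
```

On a real host, run check_ip_forwarding against the live paths right after "shorewall stop" to see whether forwarding really ended up where shorewall.conf says it should.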
Mitch Silverstein wrote:
| Calling "/etc/init.d/shorewall stop" invokes "/sbin/shorewall clear"
| which calls "/usr/share/shorewall/firewall clear"
| Initially, clear does set /proc/sys/net/ipv4/ip_forward according to
| IP_FORWARDING, but then the clear_firewall() call always sets it to 1
|

Where did you get your Shorewall distribution and which version is it? No
code that I currently distribute does that. All of the code that I
distribute invokes "/sbin/shorewall stop" from "/etc/init.d/shorewall stop"

-Tom
Tom Eastep wrote:
| Mitch Silverstein wrote:
| | Calling "/etc/init.d/shorewall stop" invokes "/sbin/shorewall clear"
| | which calls "/usr/share/shorewall/firewall clear"
| | Initially, clear does set /proc/sys/net/ipv4/ip_forward according to
| | IP_FORWARDING, but then the clear_firewall() call always sets it to 1
| |
|
| Where did you get your Shorewall distribution and which version is it?
| No code that I currently distribute does that. All of the code that I
| distribute invokes "/sbin/shorewall stop" from "/etc/init.d/shorewall stop"
|

Sorry -- I should have looked again at your original post. It seems that
Mandrake are doing this to you...

-Tom
Got it, thanks!

I changed the stop call in /etc/init.d/shorewall to call stop instead of clear (imagine that :) )

There actually was another cmd called "rstopped" in their /etc/init.d/shorewall that called "/sbin/shorewall stop"
Not clear what any of that is about.

Thanks for the help,
Mitch

Tom Eastep wrote:
> Tom Eastep wrote:
> | Mitch Silverstein wrote:
> | | Calling "/etc/init.d/shorewall stop" invokes "/sbin/shorewall clear"
> | | which calls "/usr/share/shorewall/firewall clear"
> | | Initially, clear does set /proc/sys/net/ipv4/ip_forward according to
> | | IP_FORWARDING, but then the clear_firewall() call always sets it to 1
> | |
> |
> | Where did you get your Shorewall distribution and which version is it?
> | No code that I currently distribute does that. All of the code that I
> | distribute invokes "/sbin/shorewall stop" from "/etc/init.d/shorewall stop"
> |
>
> Sorry -- I should have looked again at your original post. It seems that
> Mandrake are doing this to you...
>
> -Tom