Hija,

after loading my original firewall with too many services I decided to move the firewall to another machine. Since I converted all machines in my lab to diskless workstations (ether-)booting over NFS from a server with mirrored disks, I also wanted the firewall setup to be as minimal as possible with root mounted on read-only NFS (it's rw at the moment until all problems were shaken out).

Now for the real problem: shorewall does what every sensible firewall does, closing all ports and then reopening them according to the ruleset; the problem here is that once it goes for the first step it cannot access data on the net anymore, which it must do. Any ideas how to work around that problem?

Would it be sensible to copy the generated sequence of commands and the necessary tools temporarily to /tmp (which is mounted in RAM) and launch from there? Or is there a way to fire the complete configuration at once (thus not requiring any "disk" accesses)?

BTW: Thanks for the cool product. I stumbled over it some time ago and certainly appreciate the love it has been given.

-- 
Servus,
      Daniel
On Saturday 14 September 2002 13:00, Daniel Egger wrote:
> Hija,
>
> after loading my original firewall with too many services I decided to
> move the firewall to another machine. Since I converted all machines in
> my lab to diskless workstations (ether-)booting over NFS from a server
> with mirrored disks I also wanted the firewall setup to be as minimal
> as possible with root mounted on read-only NFS (it's rw at the moment
> until all problems were shaken out).
>
> Now for the real problem: shorewall does what every sensible firewall
> does, closing all ports and then reopening them according to the
> ruleset; the problem here is that once it goes for the first step it cannot
> access data on the net anymore, which it must do. Any ideas how to work
> around that problem?
>
> Would it be sensible to copy the generated sequence of commands and
> the necessary tools temporarily to /tmp (which is mounted in RAM) and
> launch from there? Or is there a way to fire the complete configuration
> at once (thus not requiring any "disk" accesses)?

If I were you, I'd mount both /etc/shorewall and /var/lib/shorewall as tmpfs and copy the content from the NFS server to those directories at boot. Maybe you should include the copy process into your shorewall start sequence so changes can always be made on the NFS server.

Simon

> BTW: Thanks for the cool product. I stumbled over it some time ago
> and certainly appreciate the love it has been given.
On Sat, 2002-09-14 at 13:27, Simon Matter wrote:
> If I were you, I'd mount both /etc/shorewall and /var/lib/shorewall as tmpfs
> and copy the content from the NFS server to those directories at boot. Maybe
> you should include the copy process into your shorewall start sequence so
> changes can always be made on the NFS server.

Sounds like a sensible idea. I suspect I also need the tools to manipulate the filter tables in RAM, though. I will try how that works; hopefully nothing else is blocking....

Unfortunately I don't have much of a debugging possibility since syslog is redirected to a different server, too.

-- 
Servus,
      Daniel
Daniel Egger wrote:
> On Sat, 2002-09-14 at 13:27, Simon Matter wrote:
>
>> If I were you, I'd mount both /etc/shorewall and /var/lib/shorewall as tmpfs
>> and copy the content from the NFS server to those directories at boot. Maybe
>> you should include the copy process into your shorewall start sequence so
>> changes can always be made on the NFS server.
>
> Sounds like a sensible idea. I suspect I also need the tools to
> manipulate the filter tables in RAM, though.

Nod -- with iptables and all of its extension libraries residing on the NFS server, it would be very difficult to come up with a [re]start strategy in Shorewall that would work.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
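An added example, not from anyone in this thread, of the boot-time staging Simon suggests together with the pre-flight check Tom's objection calls for: it shadows the Shorewall directories with RAM copies, then refuses to proceed while anything iptables will load at runtime (the binary, its extension-library directory, its shared libraries) still lives on NFS. All paths, the tmpfs size and the /usr/lib/iptables location are assumptions for a 2002-era distribution.

```shell
#!/bin/sh
# Example script (not part of Shorewall): stage Shorewall's data into RAM and
# only let the firewall start once everything it touches is off the NFS root.
# Assumed paths; adjust to your distribution.
RAM_ROOT="/ramfw"                     # one tmpfs holding all staged copies
CONF_DIRS="/etc/shorewall /var/lib/shorewall /usr/lib/iptables"
IPTABLES="/sbin/iptables"

# Copy the contents of SRC dir into DST dir, keeping modes and symlinks.
sync_dir() {
    mkdir -p "$2" && cp -a "$1"/. "$2"/
}

# True if PATH sits on a RAM-backed filesystem (GNU stat).
is_in_ram() {
    fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 1
    case "$fstype" in tmpfs|ramfs) return 0 ;; *) return 1 ;; esac
}

# Mount the tmpfs once, then shadow each NFS directory with its RAM copy.
# The copy is taken before the bind mount, so the NFS original stays intact
# and can still be edited on the server for the next boot.
stage_dirs() {
    grep -q " $RAM_ROOT tmpfs " /proc/mounts ||
        mount -t tmpfs -o size=16m,mode=0755 tmpfs "$RAM_ROOT" || return 1
    for d in $CONF_DIRS; do
        sync_dir "$d" "$RAM_ROOT$d" || return 1
        mount --bind "$RAM_ROOT$d" "$d" || return 1
    done
}

# Every file iptables loads at runtime must be in RAM; the first DROP policy
# otherwise cuts the NFS link the next iptables invocation depends on.
check_all_in_ram() {
    rc=0
    for f in $CONF_DIRS "$IPTABLES" $(ldd "$IPTABLES" | awk '/=> \//{print $3}'); do
        is_in_ram "$f" || { echo "still on NFS: $f" >&2; rc=1; }
    done
    return $rc
}

# Boot-time use (needs root): stage, verify, and only then run shorewall.
# stage_dirs && check_all_in_ram && shorewall start
```

On a plain NFS root the check will still list /sbin/iptables and libc, which is exactly the gap Tom describes; fixing that means a RAM-resident root rather than two tmpfs directories.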
On Saturday 14 September 2002 18:16, Tom Eastep wrote:
> Daniel Egger wrote:
> > On Sat, 2002-09-14 at 13:27, Simon Matter wrote:
> >> If I were you, I'd mount both /etc/shorewall and /var/lib/shorewall as
> >> tmpfs and copy the content from the NFS server to those directories at
> >> boot. Maybe you should include the copy process into your shorewall
> >> start sequence so changes can always be made on the NFS server.
> >
> > Sounds like a sensible idea. I suspect I also need the tools to
> > manipulate the filter tables in RAM, though.
>
> Nod -- with iptables and all of its extension libraries residing on the
> NFS server, it would be very difficult to come up with a [re]start
> strategy in Shorewall that would work.

Okay, so he really needs more RAM to put all those things into tmpfs :) Maybe it's even better then to make it tmpfs only and boot the image via tftp. Like those floppy based firewalls but using tftp instead.

Simon

> -Tom
I just recently built an embedded firewall... So I have a file listing that has everything you need to run a firewall system from ramdisk. You could possibly work off of this: http://pfnguyen.best.vwh.net/firewall/file_list.html

I modified the network start scripts somewhat, but you should be able to copy a RedHat network-start-script setup verbatim. All of the files take about 20MB altogether, so you could get by with a 32MB ramdisk. I put mine on a 128MB ramdisk, since I'm too lazy to send logs to another machine; I just log locally, and 100MB of working space is plenty.

> Okay, so he really needs more RAM to put all those things
> into tmpfs :) Maybe
> it's even better then to make it tmpfs only and boot the
> image via tftp. Like
> those floppy based firewalls but using tftp instead.