Roberto C. Sánchez
2007-Oct-21 15:49 UTC
Bug#413548: Re: NAT (masquerade) rules lost after reboot
I'm reviewing some Debian bug reports against shorewall.

Would someone please look at #413548 [0]?

Basically, the submitter loses NAT rules on reboot. Lorenzo had requested the shorewall-init.log, which the user provided. I mailed him a few months ago asking for the shorewall dump output, but he never replied. If someone could look at the information that is there and provide some insight/suggestions, I would appreciate it.

Regards,

-Roberto

[0] http://bugs.debian.org/413548

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep
2007-Oct-21 16:09 UTC
Re: Bug#413548: Re: NAT (masquerade) rules lost after reboot
Roberto C. Sánchez wrote:
> I'm reviewing some Debian bug reports against shorewall.
>
> Would someone please look at #413548 [0]?
>
> Basically, the submitter loses NAT rules on reboot. Lorenzo had
> requested the shorewall-init.log, which the user provided. I mailed
> him a few months ago asking for the shorewall dump output, but he never
> replied. If someone could look at the information that is there and
> provide some insight/suggestions, I would appreciate it.

Roberto,

I don't believe that any progress can be made on this report without a dump taken after the initial "shorewall start" during reboot. It would also be helpful if VERBOSITY were set to 2 so that the shorewall-init.log output would be more meaningful.

Additionally, a dump after the subsequent stop/start sequence would be useful for comparison.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tuomo Soini
2007-Oct-22 06:11 UTC
Re: Bug#413548: Re: NAT (masquerade) rules lost after reboot
Roberto C. Sánchez wrote:
> I'm reviewing some Debian bug reports against shorewall.

I think this could be good evidence why -f in /etc/default/shorewall by default is such a bad idea. I guess he has saved shorewall state in his machine. /sbin/shorewall forget might fix it.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
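
Added example, not part of any message in this thread and not Shorewall's or Debian's own code: a shell check for the condition suggested above, where -f is set in the defaults file and a saved ruleset older than the current configuration exists. It assumes -f makes "start" restore the saved state, as the thread implies; the paths in the usage comment are assumptions, so pass the ones your system uses.

```shell
#!/bin/sh
# Usage (paths are assumptions; adjust to the local installation):
#   sh check.sh /etc/default/shorewall /var/lib/shorewall/restore /etc/shorewall

# True when a non-comment part of the defaults file carries a stand-alone -f.
has_fast_option() {
    sed 's/#.*//' "$1" 2>/dev/null |
        grep -Eq "(^|[[:space:]\"'=])-f([[:space:]\"']|\$)"
}

# List configuration files modified after the saved ruleset was written.
newer_than_saved() {   # $1 = saved ruleset, $2 = configuration directory
    find "$2" -type f -newer "$1" 2>/dev/null
}

# Print one status word:
#   fast-off        -f is not set, start always compiles the current config
#   no-saved-state  -f is set but there is nothing saved to restore
#   stale-risk      -f is set and the saved ruleset predates a config change
#   current         -f is set and the saved ruleset is newer than the config
check_fast_start() {   # $1 defaults file, $2 saved ruleset, $3 config dir
    if ! has_fast_option "$1"; then
        echo "fast-off"
    elif [ ! -f "$2" ]; then
        echo "no-saved-state"
    else
        changed=$(newer_than_saved "$2" "$3")
        if [ -n "$changed" ]; then
            # Name the files that changed after the save, on stderr.
            printf 'changed since save: %s\n' $changed >&2
            echo "stale-risk"
        else
            echo "current"
        fi
    fi
}

if [ "$#" -eq 3 ]; then
    check_fast_start "$@"
fi
```

A "stale-risk" result means a boot-time start with -f would bring back rules that no longer match the configuration files, which is consistent with rules such as masquerading being absent until a full stop/start.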
Roberto C. Sánchez
2007-Oct-22 08:44 UTC
Re: Bug#413548: Re: NAT (masquerade) rules lost after reboot
On Mon, Oct 22, 2007 at 09:11:11AM +0300, Tuomo Soini wrote:
> Roberto C. Sánchez wrote:
> > I'm reviewing some Debian bug reports against shorewall.
>
> I think this could be good evidence why -f in /etc/default/shorewall by
> default is such a bad idea. I guess he has saved shorewall state in his
> machine. /sbin/shorewall forget might fix it.
>

Yes, Tom and I discussed this on IRC yesterday and I have removed the -f option from the Debian defaults file.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep
2007-Oct-22 14:06 UTC
Re: Bug#413548: Re: NAT (masquerade) rules lost after reboot
Tuomo Soini wrote:
> Roberto C. Sánchez wrote:
>> I'm reviewing some Debian bug reports against shorewall.
>
> I think this could be good evidence why -f in /etc/default/shorewall by
> default is such a bad idea. I guess he has saved shorewall state in his
> machine. /sbin/shorewall forget might fix it.
>

I thought about that as a possible cause in this case but note that the OP is using /etc/init.d/shorewall stop followed by /etc/init.d/shorewall start. If this was a stale saved configuration, it should have been restored again by the 'start'.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tuomo Soini
2007-Oct-22 18:18 UTC
Re: Bug#413548: Re: NAT (masquerade) rules lost after reboot
Tom Eastep wrote:
>
> I thought about that as a possible cause in this case but note that the OP
> is using /etc/init.d/shorewall stop followed by /etc/init.d/shorewall start.
> If this was a stale saved configuration, it should have been restored again
> by the 'start'.
>

People often give false information when they do bug reports. It's quite possible he had /sbin/shorewall stop && /sbin/shorewall start if he didn't actually copy-paste lines from rc.local...

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>