Nicolas Fertig
2003-Sep-25 12:58 UTC
[Shorewall-users] shorewall restart take time and break connections
Hello all,

The setup:

eth0 => Internet (Public IP Address 212.231.191.112/28)
eth1.0001 to eth1.0020 => VLAN (private address, masquerading)
eth2 => DMZ (Public IP Address 195.88.72.0/27, web server and VPN IPsec routers)

The problem:

When I add/remove a VLAN (files zone, interfaces, policy, masq, tcrules, tcstart are modified), I need to restart the shorewall (shorewall restart); this takes approx. 40s! (P3 900Mhz 500Mb/Ram) In this time, all connections between the net <=> DMZ are dropped.

The question:

Is there a way to not break connections between DMZ and Internet when I restart the firewall?

Many thanks,
Nicolas
Tom Eastep
2003-Sep-25 13:15 UTC
[Shorewall-users] shorewall restart take time and break connections
On Thu, 2003-09-25 at 12:58, Nicolas Fertig wrote:

> Hello all,
>
> The setup:
>
> eth0 => Internet (Public IP Address 212.231.191.112/28)
> eth1.0001 to eth1.0020 => VLAN (private address, masquerading)
> eth2 => DMZ (Public IP Address 195.88.72.0/27, web server and VPN IPsec
> routers)
>
> The problem:
>
> When I add/remove a VLAN (files zone, interfaces, policy, masq, tcrules,
> tcstart are modified), I need to restart the shorewall (shorewall restart);
> this takes approx. 40s! (P3 900Mhz 500Mb/Ram)

You should consider using one of the lightweight shells such as ash (see the SHOREWALL_SHELL variable in /etc/shorewall/shorewall.conf). This will reduce the restart time dramatically.

> In this time, all connections between the net <=> DMZ are dropped.

All current connections at the time of the restart remain enabled during the restart. New connections are disabled.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net