Hi,

I have a dynamic network (ospf) connecting different locations over frame relay (wan). Each location frame relay access device is actually a linux box running shorewall, zebra with a sangoma card.

As a backup I have added to some locations a DSL line which serves as a gateway to the Internet but also over which I have created VPNs to connect those locations using OpenVPN as a backup.

Everything works fine thanks to the excellent work of the community. Now because this network is dynamic, the routes can be asymmetric. The response to a packet leaving one location might not come back the same way. I had therefore to disable checking not syn packets in shorewall.conf.

My question is, I would like to keep that check for my Internet interface (net -> fw) but disable it for the rest of my zones.

How can I do that in shorewall? I am running an older version, 1.3.14-1.

As all those routers are not local to me I fear upgrading them remotely if I needed to.

BTW, what's the best way to upgrade shorewall? As the syntax is sometimes changing, it is possible that a new script will fail while loading older rules files, which would be bad news. Happened to me before :-)

Especially when the check argument is not supposed to guarantee correctness. One thing that would be helpful is for shorewall to save the iptables layout and execute itself and, if it fails, to restore the iptables layout saved. I understand that shorewall does a lot more, like autoloading some modules, but it could save a shell script of all commands that it did the last time it succeeded and go back to it when it fails. Or it could be just a file that we create that is executed if shorewall fails without the try command. Kind of what I do right now but with the at command, as shorewall return codes are not consistent in the version I use. The problem is sometimes I forget. Just an idea, not a criticism. I love shorewall. Certainly the best firewall script I know.

On another subject. The biggest problem I have with shorewall is during reboot. Not all my interfaces come up every time before shorewall is run: delayed DHCP, PPP interfaces failing, VPN failing, etc ... However if those interfaces are not up shorewall will fail. Is there an option where I could specify that the interfaces might not be up when shorewall is executed?

Thanks

Pascal
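The save-then-roll-back idea in the post above, written out as a small POSIX shell wrapper. This is an added example and not Shorewall's own code or anything Pascal posted: it assumes the standard iptables-save/iptables-restore tools, an assumed path for the saved ruleset, and a reachability probe to a management host (MGMT_HOST) as the post-reload check, since the real risk on a remote router is losing the management path. The hook names passed to reload_with_rollback are ordinary shell functions, so the control flow can be exercised without touching a live firewall. The timer backstop covers the two failure modes mentioned in the post: a reload whose exit code cannot be trusted, and the admin forgetting to confirm.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): reload the firewall and, if the
# reload fails or a post-reload check fails, restore the ruleset that was in
# place before. Hooks are passed as shell function names.

# Assumed location for the last known-good ruleset.
LAST_GOOD=${LAST_GOOD:-/var/lib/shorewall/last-good.rules}

# Real hooks for a router (assumed tool invocations; not exercised here).
real_save()    { iptables-save > "$LAST_GOOD"; }
real_reload()  { shorewall restart; }
real_restore() { iptables-restore < "$LAST_GOOD"; }
# Probe the management host: if it is unreachable after the reload, the new
# ruleset has most likely cut off the admin's own path to the box.
real_check()   { ping -c 1 -W 3 "${MGMT_HOST:?set MGMT_HOST}" >/dev/null 2>&1; }

# reload_with_rollback SAVE RELOAD RESTORE CHECK
#   Each argument is the name of a shell function.
#   Returns 0 when the new ruleset is in place and passed the check,
#           1 when it was rolled back to the saved ruleset,
#           2 when the save or the rollback itself failed.
reload_with_rollback() {
    save=$1; reload=$2; restore=$3; check=$4
    "$save" || { echo "could not save current ruleset, not reloading" >&2; return 2; }
    if "$reload" && "$check"; then
        return 0
    fi
    echo "reload or post-reload check failed; restoring previous ruleset" >&2
    if "$restore"; then
        return 1
    fi
    echo "rollback failed too; ruleset state is unknown" >&2
    return 2
}

# Backstop for an untrustworthy exit code or a forgotten confirmation:
# arm_rollback_timer SECONDS RESTORE_FN starts a background timer that runs
# RESTORE_FN unless disarm_rollback_timer PID is called first. Output goes
# to stderr so the caller can capture the pid with $(...).
arm_rollback_timer() {
    ( sleep "$1"; "$2" ) >&2 &
    echo $!
}
disarm_rollback_timer() { kill "$1" 2>/dev/null; }

# Usage on a router (not executed here):
#   pid=$(arm_rollback_timer 120 real_restore)
#   if reload_with_rollback real_save real_reload real_restore real_check; then
#       disarm_rollback_timer "$pid"      # new ruleset confirmed good
#   fi
```

The timer is deliberately independent of the reload's return code: it only stops firing when the admin (or the script, after a successful check) explicitly disarms it, which is the same role the at job plays in the post, minus the need to remember.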
On Wed, 17 Dec 2003, Pascal DeMilly wrote:

> My question is, I would like to keep that check for my Internet
> interface (net -> fw) but disable it for the rest of my zones.
>
> How can I do that in shorewall. I am running an older version 1.3.14-1.

You can't.

> As all those routers are not local to me I fear upgrading them remotely
> if I needed to.
>
> BTW, what the best way to upgrade shorewall? As the syntax is sometimes
> changing, it is possible that a new script will fail while loading older
> rules files, which would be bad news. Happened to me before :-)

Any time that there is that kind of incompatibility, it is documented in the "Migration Considerations" in the Release Notes. And it is my policy to only make that sort of change in Major releases (1.2, 1.3, 1.4, ...).

> Especially when the check argument is not supposed to guarantee
> correctness. One thing that would be helpful is for shorewall to save
> the iptables layout and execute itself and if fail to restore the
> iptables layout saved. I understand that shorewall does a lot more like
> autoloading some modules, but it could save a shell script of all
> commands that it did last it succeeded and go back to it when it fails.
> Or it could be just a file that we create that is executed if shorewall
> fails without the try command. Kind of what I do right now but with the
> at command as shorewall return codes are not consistent in the version I
> use. The problem is sometimes I forget. Just an idea, not a criticism. I
> love shorewall. Certainly the best firewall script I know.

If I ever rewrite Shorewall, that will be one of the features that I will try to incorporate.

> On another subject. The biggest problem I have with shorewall is during
> reboot. Not all my interfaces come up every time before shorewall is
> run. delayed DHCP, PPP interfaces failing, VPN failing, etc ... However
> if those interfaces are not up shorewall will fail. Is there an option
> where I could specify that the interfaces might not be up when shorewall
> is executed?

Shorewall can be configured to start correctly without *any* interfaces started. You just have to review each of your configuration settings against the documentation and look out for places where the documentation stresses that a particular setting requires an associated interface to be up before Shorewall starts.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net