hi,

there are a few files in /var/lib/shorewall to save information about a running shorewall. it would be nice to have an additional file which stores the dynamically added hosts for vpn connections, because all tunnels go down when restarting shorewall, since all dynamic hosts are deleted.

is it possible to add this feature in the future, or can i do it in another way?

thx
claus
On Monday 12 January 2004 11:37 pm, Claus Rosenberger wrote:
> hi,
>
> there are a few files in /var/lib/shorewall to save information about a
> running shorewall. it would be nice to have an additional file which stores
> the dynamically added hosts for vpn connections, because all tunnels go down
> when restarting shorewall, since all dynamic hosts are deleted.
>
> is it possible to add this feature in the future, or can i do it in another
> way?
>

It's already there -- there is a 'zones' file which keeps track of the contents of dynamic zones. Seems to be broken however -- I'll take a look.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tuesday 13 January 2004 07:29 am, Tom Eastep wrote:
> On Monday 12 January 2004 11:37 pm, Claus Rosenberger wrote:
> > hi,
> >
> > there are a few files in /var/lib/shorewall to save information about a
> > running shorewall. it would be nice to have an additional file which
> > stores the dynamically added hosts for vpn connections, because all
> > tunnels go down when restarting shorewall, since all dynamic hosts are
> > deleted.

Note that NONE of the information in those files is kept over a restart; most of it is there so that Shorewall can "undo" at "stop" (or the first phase of "restart") what it did at the last "start".

> >
> > is it possible to add this feature in the future, or can i do it in
> > another way?
>
> It's already there -- there is a 'zones' file which keeps track of the
> contents of dynamic zones. Seems to be broken however -- I'll take a look.
>

My mistake -- the 'zone' state file is only used to catch the case where you try to add the same host to a zone more than once.

This is consistent with the notion that Shorewall doesn't retain any state information over a restart. I really want to avoid maintaining such persistent state because it can lead to cases where stale state causes your firewall to be mis-configured without you knowing it.

If you were to maintain a small file of connected hosts yourself, you could then run through the file at "shorewall [re]start" time issuing "shorewall add" commands -- use the /etc/shorewall/start file for this purpose.

-Tom
> On Tuesday 13 January 2004 07:29 am, Tom Eastep wrote:
>> On Monday 12 January 2004 11:37 pm, Claus Rosenberger wrote:
>> > hi,
>> >
>> > there are a few files in /var/lib/shorewall to save information about
>> > a running shorewall. it would be nice to have an additional file which
>> > stores the dynamically added hosts for vpn connections, because all
>> > tunnels go down when restarting shorewall, since all dynamic hosts are
>> > deleted.
>
> Note that NONE of the information in those files is kept over a restart;
> most of it is there so that Shorewall can "undo" at "stop" (or the first
> phase of "restart") what it did at the last "start".
>
>> >
>> > is it possible to add this feature in the future, or can i do it in
>> > another way?
>>
>> It's already there -- there is a 'zones' file which keeps track of the
>> contents of dynamic zones. Seems to be broken however -- I'll take a
>> look.
>>
>
> My mistake -- the 'zone' state file is only used to catch the case where
> you try to add the same host to a zone more than once.
>
> This is consistent with the notion that Shorewall doesn't retain any state
> information over a restart. I really want to avoid maintaining such
> persistent state because it can lead to cases where stale state causes
> your firewall to be mis-configured without you knowing it.

you're right. sometimes it can be dangerous. i will see if i can check out the opened tunnels while restarting the firewall and add these hosts in my start script. the "ipsec eroute" command should give me the information i need.

thx

> If you were to maintain a small file of connected hosts yourself, you
> could then run through the file at "shorewall [re]start" time issuing
> "shorewall add" commands -- use the /etc/shorewall/start file for this
> purpose.
>
> -Tom
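As an added example (not code from this thread or from the Shorewall project), here is a /etc/shorewall/start hook along the lines Tom suggests: it walks a small file the administrator maintains and re-issues one "shorewall add" per entry at "shorewall [re]start" time. The file path /etc/shorewall/dynamic-hosts, its one-entry-per-line format (`interface[:host] zone`, in the argument order assumed for "shorewall add"), and the DYNHOSTS_FILE, SHOREWALL and DYNHOSTS_RUN variables are assumptions of this example. Entries are validated before they are turned into commands, so a stray line in the persisted file cannot become a stray shell command; Tom's warning about stale state still applies, because the hook only re-adds whatever the file says, and the file must be rewritten whenever tunnels come and go.

```shell
#!/bin/sh
# Added example: re-add dynamic zone members at "shorewall [re]start" from a
# file the administrator maintains (Tom's suggestion above). Not Shorewall code.
#
# Assumed file format (hypothetical), one entry per line; lines beginning
# with '#' and blank lines are ignored:
#     <interface>[:<host>] <zone>
# e.g.  eth1:10.8.0.5 vpn
# which is re-issued as the command "shorewall add eth1:10.8.0.5 vpn".

DYNHOSTS_FILE="${DYNHOSTS_FILE:-/etc/shorewall/dynamic-hosts}"   # assumed path
SHOREWALL="${SHOREWALL:-shorewall}"                              # command to run

# Print, one per line, the commands that would be issued for the entries in
# the file given as $1, without running them. Malformed entries are reported
# on stderr and skipped.
dynhosts_commands() {
    file="$1"
    [ -r "$file" ] || { echo "dynhosts: cannot read $file" >&2; return 1; }
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r ifhost zone extra; do
        # exactly two fields, restricted to characters that can appear in an
        # interface name, an address or CIDR block, and a zone name
        case "$ifhost" in *[!A-Za-z0-9_.:/-]*|'') ifhost='' ;; esac
        case "$zone"   in *[!A-Za-z0-9_]*|'')    zone=''   ;; esac
        if [ -z "$ifhost" ] || [ -z "$zone" ] || [ -n "$extra" ]; then
            echo "dynhosts: skipping malformed entry in $file" >&2
            continue
        fi
        printf '%s add %s %s\n' "$SHOREWALL" "$ifhost" "$zone"
    done
}

# Issue the commands. A failure is reported but does not abort the rest of
# the list, so one stale entry does not stop the others from being re-added.
dynhosts_restore() {
    dynhosts_commands "$1" | while read -r cmd; do
        $cmd || echo "dynhosts: failed: $cmd" >&2
    done
}

# When used as /etc/shorewall/start, set DYNHOSTS_RUN=1 to perform the
# restore; it is off by default so the file can also be sourced for testing.
if [ "${DYNHOSTS_RUN:-0}" = 1 ]; then
    dynhosts_restore "$DYNHOSTS_FILE"
fi
```

Running `dynhosts_commands /etc/shorewall/dynamic-hosts` by hand before trusting the file shows exactly which "shorewall add" commands the hook would issue, which is the cheapest way to notice a stale entry before it silently becomes part of the running firewall.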