The version of Shorewall currently in CVS (Shorewall2/ project) has been integrated with iptables-save/iptables-restore. This provides the means to start and restart Shorewall very quickly (mine restarts in under a second) in the case where you are not changing your configuration. The release notes are attached.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> WARNING: iptables 1.2.9 is broken with respect to iptables-save;
> you must patch iptables 1.2.9 with the iptables patch available from
> the Shorewall errata page.

FYI, I have reported this bug to the Netfilter team.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> WARNING: iptables 1.2.9 is broken with respect to iptables-save;
>> you must patch iptables 1.2.9 with the iptables patch available from
>> the Shorewall errata page.
>
> FYI, I have reported this bug to the Netfilter team.

I apologize for talking to myself -- been up a long time today.

The iptables-save bug only shows itself if your kernel has connection tracking match support. You can determine if your kernel has this support enabled by using "shorewall check"; the support is enabled if you see the <<<<<< line below with "Available".

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available <<<<<<<<<<<<<<<<<<<<<<<<<<<<

-Tom
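The fast restart described in the first message relies on an iptables-save dump restoring to exactly the ruleset it was taken from, and the warning above concerns that dump on kernels with connection tracking match support. The script below is an added example (not code from the thread or from Shorewall) that checks both things: it normalises two dumps so that only real rule differences remain, reports whether a dump uses the conntrack match, and, when invoked with --live (root and iptables required), pushes the running ruleset through iptables-restore and compares the before and after dumps. The sample dumps are constructed; the thread does not say how the 1.2.9 breakage manifests, and sample C is only a generic mismatch, not a claim about that bug.

```sh
#!/bin/sh
# Added example, not part of the thread or of Shorewall: check that an
# iptables-save dump restores to an identical ruleset (the property a
# save/restore-based fast restart depends on) and report whether the
# ruleset uses connection-tracking match, the case the warning concerns.
# Sample dumps below are constructed; the live check needs root and iptables.

# Strip what legitimately differs between two dumps of the same ruleset:
# the timestamped comment lines and the [packets:bytes] counters on chain
# policy lines (and on rules, when the dump was taken with -c).
normalize_dump() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]/\1 [0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# Exit 0 when the dump on stdin contains a rule using the conntrack match
# ("-m conntrack", or the older "-m state" name). This is the feature that
# "shorewall check" reports as "Connection Tracking Match".
uses_conntrack_match() {
    grep -Eq -e '-m (conntrack|state) '
}

# Exit 0 when two dumps describe the same ruleset after normalisation.
dumps_equivalent() {
    a=$(printf '%s\n' "$1" | normalize_dump)
    b=$(printf '%s\n' "$2" | normalize_dump)
    [ "$a" = "$b" ]
}

# Live check: dump the running ruleset, feed it back through
# iptables-restore (this re-applies the ruleset, as a restart does),
# dump again and compare. Only runs when the script is invoked with --live.
live_roundtrip_check() {
    before=$(iptables-save) || return 2
    printf '%s\n' "$before" | iptables-restore || return 2
    after=$(iptables-save) || return 2
    if dumps_equivalent "$before" "$after"; then
        echo "iptables-save/iptables-restore round-trip: OK"
        return 0
    fi
    echo "iptables-save/iptables-restore round-trip: MISMATCH"
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$before" | normalize_dump > "$tmp/before"
    printf '%s\n' "$after"  | normalize_dump > "$tmp/after"
    diff "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
    return 1
}

# Constructed sample: a small filter table with one state-match rule.
SAMPLE_A='# Generated by iptables-save v1.2.9 on Sat Jan 10 10:00:00 2004
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:7000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 10 10:00:00 2004'

# Same ruleset dumped later: counters and timestamps moved, rules did not.
SAMPLE_B='# Generated by iptables-save v1.2.9 on Sat Jan 10 10:05:00 2004
*filter
:INPUT DROP [40:3100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [210:15400]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 10 10:05:00 2004'

# A dump in which the state rule is missing: a constructed mismatch, not a
# claim about what the iptables 1.2.9 bug actually produces.
SAMPLE_C='# Generated by iptables-save v1.2.9 on Sat Jan 10 10:05:00 2004
*filter
:INPUT DROP [40:3100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [210:15400]
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sat Jan 10 10:05:00 2004'

if [ "$1" = "--live" ]; then
    live_roundtrip_check
else
    if dumps_equivalent "$SAMPLE_A" "$SAMPLE_B"; then
        echo "A vs B: same ruleset (only counters and timestamps differ)"
    fi
    if ! dumps_equivalent "$SAMPLE_A" "$SAMPLE_C"; then
        echo "A vs C: ruleset changed"
    fi
    if printf '%s\n' "$SAMPLE_A" | uses_conntrack_match; then
        echo "sample A uses connection tracking match"
    fi
fi
```

Run it without arguments to see the offline comparison on the constructed dumps; run it as root with --live on a box whose ruleset you are prepared to re-apply to test the real iptables-save/iptables-restore pair. A MISMATCH means the dump did not survive a restore unchanged, which is exactly the situation in which a save/restore-based restart must not be trusted.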