We have been using Shorewall for years and are extremely grateful for the work that has been put into the system. It has never disappointed us once.

For the first time this week, we have run into an issue. I am almost absolutely sure it has something to do with the configuration of the servers where it has been deployed. I am hoping someone on the list can assist.

Some of our servers have a hardware firewall sitting between them and their Internet connection. The servers have multiple NICs, with eth0 (172.16.x.x) being mapped by the hardware firewall to a public IP address. The second NIC (10.10.x.x) is used to connect to a back network for performing backups. We would like to use Shorewall to ensure that access on the second NIC can only be made by our monitoring system and the backup server, also on the 10.10.x.x network.

When we start Shorewall, it takes in excess of 4 minutes to start. This occurs only on servers with this configuration, regardless of CPU and memory. None of the rule entries are using hostnames that would cause DNS lookups.

The only other differentiating factor is that these systems authenticate via LDAP (through PAM).

Any thoughts? Thanks in advance for the help. My apologies if we missed something in the documentation or something just didn't *click*.

Cheers,
Matthew
I am still playing with this and trying to discover the issue(s). One thing I noticed is that the slowdown seems to occur with the default Drop and Reject rulesets. It specifically starts when "Processing /usr/share/shorewall/action.Reject..." is printed.

If there is additional information I should/could be including, I am happy to do so. I just don't want to send a bunch of attachments when not everyone has broadband.

Thanks in advance.

Cheers,
Matthew

On Apr 28, 2005, at 9:43 AM, Matthew E. Porter wrote:

> We have been using Shorewall for years and are extremely grateful for
> the work that has been put into the system. It has never disappointed
> us once.
>
> For the first time this week, we have run into an issue. I am almost
> absolutely sure it has something to do with the configuration of the
> servers where it has been deployed. I am hoping someone on the list
> can assist.
>
> Some of our servers have a hardware firewall sitting between them and
> their Internet connection. The servers have multiple NICs, with eth0
> (172.16.x.x) being mapped by the hardware firewall to a public IP
> address. The second NIC (10.10.x.x) is used to connect to a back
> network for performing backups. We would like to use Shorewall to
> ensure that access on the second NIC can only be made by our
> monitoring system and the backup server, also on the 10.10.x.x
> network.
>
> When we start Shorewall, it takes in excess of 4 minutes to start.
> This occurs only on servers with this configuration, regardless of CPU
> and memory. None of the rule entries are using hostnames that would
> cause DNS lookups.
>
> The only other differentiating factor is that these systems
> authenticate via LDAP (through PAM).
>
> Any thoughts? Thanks in advance for the help. My apologies if we
> missed something in the documentation or something just didn't
> *click*.
>
> Cheers,
> Matthew
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
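The useful datum in the post above is which startup step the four minutes disappear into. The following is an added example, not code from the thread or from the Shorewall project: it takes `shorewall start` output that has been prefixed with a wall-clock timestamp (for instance via `shorewall start 2>&1 | while read -r l; do echo "$(date +%T) $l"; done`) and reports the step(s) that stalled. The sample log is constructed; only the `action.Reject` line is quoted from the thread, and the other step messages and times are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of timestamped `shorewall start` output (assumed format:
# "HH:MM:SS <message>"). Only the action.Reject message is from the thread.
SAMPLE_LOG = """\
09:43:01 Processing /etc/shorewall/params ...
09:43:01 Processing /etc/shorewall/shorewall.conf...
09:43:02 Loading Modules...
09:43:02 Initializing...
09:43:02 Processing /usr/share/shorewall/action.Drop...
09:43:05 Processing /usr/share/shorewall/action.Reject...
09:47:21 Processing /etc/shorewall/rules...
09:47:22 Activating Rules...
09:47:22 Shorewall Started
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_steps(text):
    """Return [(step_message, seconds_until_next_line)].

    Each line is attributed the time that elapses before the *next* line
    appears, so a stall shows up against the message that was printed just
    before the hang. Lines without a leading timestamp are ignored.
    """
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%H:%M:%S")
        entries.append((stamp, match.group(2).strip()))

    steps = []
    for (t0, msg), (t1, _) in zip(entries, entries[1:]):
        delta = t1 - t0
        if delta < timedelta(0):  # log crossed midnight
            delta += timedelta(days=1)
        steps.append((msg, delta.total_seconds()))
    return steps


def slow_steps(text, threshold=30.0):
    """Steps that took at least `threshold` seconds before the next line."""
    return [(msg, secs) for msg, secs in parse_steps(text) if secs >= threshold]


def total_seconds(text):
    """Wall-clock time from the first to the last timestamped line."""
    return sum(secs for _, secs in parse_steps(text))


if __name__ == "__main__":
    print("total startup: %.0fs" % total_seconds(SAMPLE_LOG))
    for msg, secs in slow_steps(SAMPLE_LOG):
        print("%6.0fs  %s" % (secs, msg))
```

Once the stalled step is known, the natural next check is to rerun the start under `strace -f -tt` and look at which system call the script sits in for those seconds; a step that blocks for minutes on a host that is otherwise idle usually points at something waiting on a network timeout rather than at rule compilation itself.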
Matthew E. Porter wrote:

> I am still playing with this and trying to discover the issue(s). One
> thing I noticed is that the slowdown seems to occur with the default
> Drop and Reject rulesets. It specifically starts when "Processing
> /usr/share/shorewall/action.Reject..."
>

Have you checked the list archives? This problem sounds very familiar...

-Tom
-- 
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Matthew E. Porter wrote:

> My guess is the PAM LDAP Authentication has something to do with it.

You are not running 2.2.3 so adding the LDAP server to /etc/shorewall/stopped won't help. I can't understand how LDAP would be invoked but I think that's what happened in the previous case in the archives that I referred to.

-Tom
-- 
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Matthew E. Porter wrote:
>> My guess is the PAM LDAP Authentication has something to do with it.
>
> You are not running 2.2.3 so adding the LDAP server to
> /etc/shorewall/stopped won't help. I can't understand how LDAP would be
> invoked but I think that's what happened in the previous case in the
> archives that I referred to.
>

http://lists.shorewall.net/pipermail/shorewall-users/2004-November/015225.html

-Tom
-- 
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key