Hi!

On our shorewall we do have multiple local zones (wtal0 and call0). I need to forward traffic between these zones in any case; even when shorewall is restarted. Is there a way to accept traffic from call0 to wtal0 during restart? Maybe in tweaking /sbin/shorewall?

Thanks,
Christian

--
you don't need eyes to see you need visions.

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Christian Lox wrote:
> Is there a way to accept traffic from call0 to wtal0 during restart?

/etc/shorewall/routestopped.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Christian Lox wrote:
>
>> Is there a way to accept traffic from call0 to wtal0 during restart?
>
> /etc/shorewall/routestopped.

This was my first thought too. But after testing and reading the docs again I found that routestopped declares hosts that are accessible from the *firewall*. But I need to forward traffic from 192.168.10.67 (which is in zone call0 = 192.168.10.64/26) to 192.168.10.23 (which is in zone wtal0 = 192.168.10.0/27). ip_forwarding is on, also when shorewall is stopped.

My wild guess is that I need some iptables command somewhere in /sbin/shorewall that forwards this traffic even in state 'stopped' or 'restarting'.

Christian

--
you don't need eyes to see you need visions.
Christian Lox wrote:
> Tom Eastep wrote:
>> /etc/shorewall/routestopped.
>
> This was my first thought too.
> But after testing and reading the docs again I found that routestopped
> declares hosts that are accessible from the *firewall*.

It allows traffic BETWEEN the hosts as well. What "test" did you try?

> My wild guess is that I need some iptables command somewhere in
> /sbin/shorewall that forwards this traffic even in state 'stopped' or
> 'restarting'.

There is no possible change to /sbin/shorewall that could have any effect on this. /sbin/shorewall is a stupid frontend for /usr/share/shorewall/firewall which does the real work.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Christian Lox wrote:
>> Tom Eastep wrote:
>>> /etc/shorewall/routestopped.
>>
>> This was my first thought too.
>> But after testing and reading the docs again I found that routestopped
>> declares hosts that are accessible from the *firewall*.
>
> It allows traffic BETWEEN the hosts as well. What "test" did you try?

Well, I opened 192.168.10.23 in a web browser, issued 'shorewall stop' and I can't reach the webserver anymore.
Christian Lox wrote:
> Tom Eastep wrote:
>> Christian Lox wrote:
>>> Tom Eastep wrote:
>>>> /etc/shorewall/routestopped.
>>>
>>> This was my first thought too.
>>> But after testing and reading the docs again I found that routestopped
>>> declares hosts that are accessible from the *firewall*.
>>
>> It allows traffic BETWEEN the hosts as well. What "test" did you try?
>
> Well, I opened 192.168.10.23 in a web browser, issued 'shorewall stop'
> and I can't reach the webserver anymore.

I give up...........

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Christian Lox wrote:
> Tom Eastep wrote:
>> Christian Lox wrote:
>>> Tom Eastep wrote:
>>>> /etc/shorewall/routestopped.
>>>
>>> This was my first thought too.
>>> But after testing and reading the docs again I found that routestopped
>>> declares hosts that are accessible from the *firewall*.
>>
>> It allows traffic BETWEEN the hosts as well. What "test" did you try?
>
> Well, I opened 192.168.10.23 in a web browser, issued 'shorewall stop'
> and I can't reach the webserver anymore.

Let me try one more time.

- I asked you what test of /etc/shorewall/routestopped that you had tried. I (apparently unrealistically) assumed that you would show me your /etc/shorewall/routestopped file and describe which two hosts that you had tried to communicate between with the firewall stopped.

- Instead, you describe a test in which you establish a connection, then stop the firewall and complain that the connection no longer works (I guess that's what you tested). You don't mention whether either the source or the destination is listed in /etc/shorewall/routestopped and if so, which options their entries specify. So I have no way to respond to your post other than to tell you how this part of Shorewall works.

- Keeping existing connections alive after "shorewall stop" is controlled by the ADMINISABSENTMINDED option in shorewall.conf. If you set that option to Yes then connections will be kept alive. The 'source' and 'dest' options in /etc/shorewall/routestopped are most useful when you use this setting.

- During "shorewall start" and "shorewall restart", existing connections are always kept alive (ESTABLISHED,RELATED allowed) independent of the setting of ADMINISABSENTMINDED.

- ADMINISABSENTMINDED=Yes also enables all outgoing traffic from the firewall itself when Shorewall is stopped.

Hopefully this information will allow you to configure your firewall to allow the traffic you want when Shorewall is stopped.

If you have problems, please give us *complete* details about what isn't working.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
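A routestopped and shorewall.conf layout that follows the explanation above, added here as an illustration and not taken from the thread or from the Shorewall project: the two address ranges are the ones Christian gave, the interface names eth1 and eth2 are assumed, and since the thread does not say whether both zones sit behind one interface, the single-interface variant is shown commented out.

```text
# /etc/shorewall/routestopped   (added example; eth1/eth2 are assumed names)
#
# Hosts listed here may talk to the firewall AND to each other while
# Shorewall is stopped or restarting. Both zones' ranges from the thread
# are listed so 192.168.10.67 (call0) can reach 192.168.10.23 (wtal0).
# "-" leaves the OPTIONS column empty (no source/dest restriction).
#
#INTERFACE   HOST(S)                             OPTIONS
eth1         192.168.10.64/26                    -
eth2         192.168.10.0/27                     -
#
# If both ranges are behind ONE interface, the traffic must be routed back
# out the interface it arrived on, so use one entry with routeback instead:
#eth1        192.168.10.64/26,192.168.10.0/27    routeback

# /etc/shorewall/shorewall.conf   (relevant line only)
#
# Keeps already-established connections alive across "shorewall stop";
# as noted above, it also allows all outgoing traffic from the firewall
# itself while Shorewall is stopped.
ADMINISABSENTMINDED=Yes
```

Verify from a listed host with the firewall actually in the stopped state ("shorewall stop"), and include this file when reporting results, as Tom asked.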