Hi, I've noticed that if I have NIS enabled then shorewall will fail to start correctly, as there is a brief time during startup (and restart) that the network is wholly disconnected, causing NIS to object during RPC. The problem appears to be that during initialization and building of the chains the default is to allow existing connections and internal traffic to/from loopback, effectively killing all new traffic at that point.

I'm not sure if this is the intention, but certainly having a network that is briefly open is not ideal either. However, I would have thought that at least traffic to/from the routestopped interfaces should be allowed at this point, but it doesn't appear to be...

Dave Hawkes

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Dave Hawkes wrote:

> I've noticed that if I have NIS enabled then shorewall will fail to
> start correctly as there is a brief time during startup (and restart)
> that the network is wholly disconnected causing NIS to object during
> RPC. The problem appears to be that during initialization and building
> of the chains the default is to allow existing connections and internal
> traffic to/from loopback, effectively killing all new traffic at that
> point.

LDAP users also experience a long delay :-(

> I'm not sure if this is the intention, but certainly having a network
> that is briefly open is not ideal either. However I would have thought
> that at least traffic to/from the routestopped interfaces should be
> allowed at this point, but it doesn't appear to be...

The 2.5 development series adds a 'critical' option to the routestopped file that behaves like you want. As you have noted though, if there are any 'critical' hosts defined then there is a brief interval when the firewall is "wide open".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
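An added illustration of the kind of routestopped entry Tom is describing; it is not from the thread or from the Shorewall distribution. The three-column layout (INTERFACE, HOST(S), OPTIONS), the interface name and the addresses are assumptions; the only thing taken from the thread is the 'critical' option itself.

```text
# /etc/shorewall/routestopped (assumed layout; example only, not shipped config)
#
# Hosts marked 'critical' stay reachable for the whole of start/restart,
# so an NIS or LDAP client can keep talking to its server while the
# chains are being built. Everything else in this file is only reachable
# once the 'stopped' rules are actually in place.
#
#INTERFACE   HOST(S)          OPTIONS
# assumed: the NIS/LDAP server this box binds to
eth1         192.168.1.10     critical
# assumed: ordinary LAN hosts, no 'critical' needed
eth1         192.168.1.0/24
```

The caveat Tom gives applies to every host on a 'critical' line: while those rules are being installed, the firewall passes all traffic for a short interval, so keep the list to the one or two servers the box genuinely cannot start without, rather than a whole subnet. A quick check after `shorewall restart` is to confirm the NIS client is still bound (for example with `ypwhich`) and that no RPC timeouts appear in the logs.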
Tom Eastep wrote:

> The 2.5 development series adds a 'critical' option to the routestopped
> file that behaves like you want. As you have noted though, if there are
> any 'critical' hosts defined then there is a brief interval when the
> firewall is "wide open".

Thanks for the info Tom, I'll give it a try in the next week and see if it fixes the NIS issue.

Dave Hawkes
Dave Hawkes wrote:

> Tom Eastep wrote:
>
> Thanks for the info Tom, I'll give it a try in the next week and see if
> it fixes the NIS issue.

Please inform us of the results. Be sure to read the release notes carefully as there are a number of migration issues when going to 2.5.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key