Hi.

I've read the FAQ entry about speeding up shorewall (re)start and I must say that, although shorewall is an excellent piece of software, it has one serious drawback: the long time blocking new connections while entering new rules and during restart.

I have a router with four interfaces, a couple of zones and rules. My configuration results in 'shorewall show; shorewall show nat' giving 1200 lines (I suppose it will be about 950 rules). On a PIII 450 MHz, generating all of these rules takes over 20 seconds. I suppose that during this time shorewall doesn't forward new connections. I suppose too that running a script containing 950 iptables lines wouldn't take so long.

My question is: is there a reason for which shorewall doesn't have a 'compile' option, which would generate a complete shell script containing all 'iptables' commands needed to restart the firewall? If there is one, how to efficiently enter new rules without blocking new connections? Now I'm entering them manually into the appropriate chains, but with not very simple configurations, maintaining coherence between the running configuration and the one saved in /etc/shorewall/ is not very comfortable.

Regards,
R.
On Friday 06 January 2006 08:23, siaco@autograf.pl wrote:
> Hi.
>
> I've read the FAQ entry about speeding up shorewall (re)start and I must
> say that, although shorewall is an excellent piece of software, it has one
> serious drawback: the long time blocking new connections while entering
> new rules and during restart.
>
> I have a router with four interfaces, a couple of zones and rules. My
> configuration results in 'shorewall show; shorewall show nat' giving
> 1200 lines (I suppose it will be about 950 rules). On a PIII 450 MHz,
> generating all of these rules takes over 20 seconds. I suppose that during
> this time shorewall doesn't forward new connections. I suppose too that
> running a script containing 950 iptables lines wouldn't take so long.
>
> My question is: is there a reason for which shorewall doesn't have a
> 'compile' option, which would generate a complete shell script containing
> all 'iptables' commands needed to restart the firewall? If there is one,
> how to efficiently enter new rules without blocking new connections? Now
> I'm entering them manually into the appropriate chains, but with not very simple
> configurations, maintaining coherence between the running configuration and the one saved in
> /etc/shorewall/ is not very comfortable.

Everyone agrees that this would be a good addition to Shorewall but to this point, no one has had the time, talent and energy required to implement it.

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                \ http://shorewall.net
Washington USA            \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
On Friday 06 January 2006 13:16, Tom Eastep wrote:
>
> Everyone agrees that this would be a good addition to Shorewall but to this
> point, no one has had the time, talent and energy required to implement it.
>

Follow up: This feature will be in Shorewall 3.2. Alpha quality code is available in the current development release (3.1.0). Experienced Shorewall users are encouraged to test this code (but not on production systems -- it most certainly has bugs).

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                \ http://shorewall.net
Washington USA            \ teastep@shorewall.net
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key