Philipp Rusch wrote:
> Here is the .restart script as attachment.
> Thank you again for your time, Tom.
>

Philipp,

This appears to be a bash problem:

test:~ # /home/teastep/.restart start
Starting Shorewall....
Segmentation fault
test:~ # less /home/teastep/.restart start
test:~ # ll /bin/sh
lrwxrwxrwx 1 root root 4 Apr 14 08:26 /bin/sh -> bash
test:~ # which ash
/bin/ash
test:~ # ash /home/teastep/.restart start
Starting Shorewall....

I killed the script after a couple of minutes but it was running
normally. The Segmentation fault with bash occurred almost immediately.

test:~ # bash /home/teastep/.restart start
Starting Shorewall....
Segmentation fault
test:~ #

So setting SHOREWALL_SHELL=/bin/ash may help.

Have you tried my suggestion of configuring a single IPSEC zone?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Philipp Rusch wrote:
>> Here is the .restart script as attachment.
>> Thank you again for your time, Tom.
>>
>
> Philipp,
>
> This appears to be a bash problem:
>
> test:~ # /home/teastep/.restart start
> Starting Shorewall....
> Segmentation fault
> test:~ # less /home/teastep/.restart start
> test:~ # ll /bin/sh
> lrwxrwxrwx 1 root root 4 Apr 14 08:26 /bin/sh -> bash
> test:~ # which ash
> /bin/ash
> test:~ # ash /home/teastep/.restart start
> Starting Shorewall....
>
> I killed the script after a couple of minutes but it was running
> normally. The Segmentation fault with bash occurred almost immediately.
>
> test:~ # bash /home/teastep/.restart start
> Starting Shorewall....
> Segmentation fault
> test:~ #
>

BTW -- the above tests were conducted on an OpenSuSE 10.2 system running
on X86_64 hardware. I got similar results with bash on a Ubuntu Feisty
Fawn system; on that system, dash ran the script without suffering a fault.

-Tom

Tom Eastep wrote:
>
>
> BTW -- the above tests were conducted on an OpenSuSE 10.2 system running
> on X86_64 hardware. I got similar results with bash on a Ubuntu Feisty
> Fawn system; on that system, dash ran the script without suffering a fault.
>

Ubuntu was running on 32-bit hardware -- so the problem isn't 64-bit
specific.

-Tom
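
The shell-by-shell comparison run by hand in the messages above can be scripted. This is an added example, not part of the thread or of Shorewall; the function names, the shell list and the 5-second limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run one script under several shells
# and report how each run ended. Function names, the shell list and the
# LIMIT default are assumptions made for this illustration.

# Translate an exit status into a label. A status above 128 means the
# process was killed by signal (status - 128); SIGSEGV is 11, hence 139.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;   # timeout(1) stopped a script that kept running
        139) echo "SIGSEGV" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "exit-$1"
             fi ;;
    esac
}

# run_under SHELL SCRIPT [ARGS...]: run SCRIPT with SHELL, at most LIMIT seconds.
run_under() {
    interp=$1; shift
    command -v "$interp" >/dev/null 2>&1 || { echo "missing"; return 0; }
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "${LIMIT:-5}" "$interp" "$@" >/dev/null 2>&1 || status=$?
    else
        "$interp" "$@" >/dev/null 2>&1 || status=$?
    fi
    classify_status "$status"
}

# compare_shells SCRIPT [ARGS...]: one result line per candidate shell.
compare_shells() {
    for candidate in ${SHELLS:-bash ash dash}; do
        printf '%s: %s\n' "$candidate" "$(run_under "$candidate" "$@")"
    done
}

# Usage: compare_shells /path/to/script start
```

A `timeout` result corresponds to the ash run in the thread, where the script kept running until it was killed; `SIGSEGV` corresponds to the bash runs.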

Tom Eastep wrote:
> -SNIP-
> Have you tried my suggestion of configuring a single IPSEC zone?
>
> -Tom
>

Yes, I followed your suggestion and made only one zone for all the
172.30.0.0/16 tunnels.
This works wonderful now and reduces restart times a lot.
BTW, our firewall is running SuSE 10.1 x86_64.
So for now there is only one small thing left, that's the strange
behaviour about that MTU size with 1350 bytes, which still is a myth to me.
Is it possible that my (rather small) routers can not find out about
MTU, because I am blocking the type of ICMP packets they need for
discovering?

Regards,
--
Kind regards,
Philipp Rusch

Philipp Rusch wrote:
> Tom Eastep wrote:
>> -SNIP-
>> Have you tried my suggestion of configuring a single IPSEC zone?
>>
>> -Tom
>>
> Yes, I followed your suggestion and made only one zone for all the
> 172.30.0.0/16 tunnels.
> This works wonderful now and reduces restart times a lot.
> BTW, our firewall is running SuSE 10.1 x86_64.
> So for now there is only one small thing left, that's the strange
> behaviour about that
> MTU size with 1350 bytes, which still is a myth to me.
> Is it possible that my (rather small) routers can not find out about
> MTU, because I am
> blocking the type of ICMP packets they need for discovering?
>

Specifying the mtu for ipsec zones is usually necessary in any
configuration. It doesn't need to be *your* routers that are
misconfigured -- it can be any router carrying traffic that is
encrypted/decrypted by your firewall.

-Tom