From my look at the restore script created by shorewall 4.0.12 and
shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.

It would seem in define_firewall() that "echo 1 > /proc/sys/net/ipv4/ip_forward"
is done if $COMMAND is anything other than restore however.

Is there something about the restore case that should not enable
ip_forward if shorewall.conf has IP_FORWARDING=On?

Cheers,
b.

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
On Thu, 2009-02-05 at 08:09 -0500, Brian J. Murrell wrote:
> From my look at the restore script created by shorewall 4.0.12 and
> shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
> enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
>
> It would seem in define_firewall() that "echo 1 >
> /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything other
> than restore however.
>
> Is there something about the restore case that should not enable
> ip_forward if shorewall.conf has IP_FORWARDING=On?

In fact, perhaps I am misunderstanding the point of "shorewall restore".
It would seem there are a number of things that [ $COMMAND = restore ]
does not do that are done otherwise. Things like:

echo 1 > /proc/sys/net/ipv4/ip_forward
run_{refreshed|start}_exit
run_started_exit

And in fact this is explaining why I am finding my actions
in /etc/shorewall/start are not always being run.

I guess I was under the impression that "shorewall restore" was suitable
to run from an initscript to quickly bring a previously saved instance
of shorewall up -- i.e. without having to do all the rule
building/compilation and whatnot. I'm pretty sure I even remember
seeing it used that way in a provided initscript (from a linux distro
probably).

It would seem this is not the case however. Did it used to be at one
time and I'm just not keeping up with the times?

b.
~sigh~ Third message in a row. Every time I think I've said everything
I need/want to say...

Some more digging and it seems that maybe (or maybe not) my memory on
shorewall[-lite] restore in the start action of an initscript is faulty.

In any case, even "shorewall-lite start -f" ends up being a glorified
"shorewall-lite restore" with all of the problems I listed previously.

I should add here, that I don't have "make" installed on my
shorewall-lite system so start_command() is not taking the "make -qf
${CONFDIR}/Makefile; do_it()" route but rather the "shorewall-lite
restore-ipsets; shorewall-lite restore" path.

Now I think I am done until somebody wants to comment on "shorewall-lite
restore" and its applicability in starting shorewall on a system "from
fresh" (i.e. boot).

Cheers,
b.
Brian J. Murrell wrote:
> From my look at the restore script created by shorewall 4.0.12 and
> shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
> enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
>
> It would seem in define_firewall() that "echo 1 >
> /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything other
> than restore however.
>
> Is there something about the restore case that should not enable
> ip_forward if shorewall.conf has IP_FORWARDING=On?

That was fixed in Shorewall 4.0.13 (actually, it was fixed 4.0.12.2).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Brian J. Murrell wrote:
> On Thu, 2009-02-05 at 08:09 -0500, Brian J. Murrell wrote:
>> From my look at the restore script created by shorewall 4.0.12 and
>> shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
>> enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
>>
>> It would seem in define_firewall() that "echo 1 >
>> /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything other
>> than restore however.
>>
>> Is there something about the restore case that should not enable
>> ip_forward if shorewall.conf has IP_FORWARDING=On?
>
> In fact, perhaps I am misunderstanding the point of "shorewall restore".
> It would seem there are a number of things that [ $COMMAND = restore ]
> does not do that are done otherwise. Things like:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

Again -- that bug is unique to the version of Shorewall-perl that you are
running.

> run_{refreshed|start}_exit
> run_started_exit
>
> And in fact this is explaining why I am finding my actions
> in /etc/shorewall/start are not always being run.

You are correct. Those user exits are not executed when the command is
'restore'. The scripts are intended to allow modification of the Netfilter
ruleset after Shorewall has completed its configuration. Such changes would
have already been applied in the case of restore. So they are not executed
for 'restore'.

> I guess I was under the impression that "shorewall restore" was suitable
> to run from an initscript to quickly bring a previously saved instance
> of shorewall up -- i.e. without having to do all the rule
> building/compilation and whatnot. I'm pretty sure I even remember
> seeing it used that way in a provided initscript (from a linux distro
> probably).
>
> It would seem this is not the case however. Did it used to be at one
> time and I'm just not keeping up with the times?

The default used to be to use the "-f" option which ends up doing a
'restore' if the compiled script hadn't been replaced since the last
'save'. With Shorewall-perl, there is no noticeable difference in the
speed of 'start' and 'restore' so we've changed the init script to simply
do a 'start'.

-Tom
On Thu, 2009-02-05 at 07:29 -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > From my look at the restore script created by shorewall 4.0.12 and
> > shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
> > enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
> >
> > It would seem in define_firewall() that "echo 1 >
> > /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything other
> > than restore however.
> >
> > Is there something about the restore case that should not enable
> > ip_forward if shorewall.conf has IP_FORWARDING=On?
>
> That was fixed in Shorewall 4.0.13 (actually, it was fixed 4.0.12.2).

Lol. OK. I will update/upgrade. Given my understanding of
shorewall[-lite] I'm assuming I just need to upgrade the shorewall
machine, not the shorewall-lite machine?

b.
Brian J. Murrell wrote:
> ~sigh~ Third message in a row. Every time I think I've said everything
> I need/want to say...
>
> Some more digging and it seems that maybe (or maybe not) my memory on
> shorewall[-lite] restore in the start action of an initscript is faulty.
>
> In any case, even "shorewall-lite start -f" ends up being a glorified
> "shorewall-lite restore" with all of the problems I listed previously.
>
> I should add here, that I don't have "make" installed on my
> shorewall-lite system so start_command() is not taking the "make -qf
> ${CONFDIR}/Makefile; do_it()" route but rather the "shorewall-lite
> restore-ipsets; shorewall-lite restore" path.
>
> Now I think I am done until somebody wants to comment on "shorewall-lite
> restore" and its applicability in starting shorewall on a system "from
> fresh" (i.e. boot).

I can add an option to shorewall.conf that causes the started script to
run during restore. There is no place to run the 'start' script during
restore because iptables-restore creates the 'shorewall' chain whose
presence indicates that Shorewall is in the running state.

Alternatively, I can create a 'restored' script. Probably safer...

-Tom
Brian J. Murrell wrote:
> On Thu, 2009-02-05 at 07:29 -0800, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> From my look at the restore script created by shorewall 4.0.12 and
>>> shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
>>> enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
>>>
>>> It would seem in define_firewall() that "echo 1 >
>>> /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything other
>>> than restore however.
>>>
>>> Is there something about the restore case that should not enable
>>> ip_forward if shorewall.conf has IP_FORWARDING=On?
>> That was fixed in Shorewall 4.0.13 (actually, it was fixed 4.0.12.2).
>
> Lol. OK. I will update/upgrade. Given my understanding of
> shorewall[-lite] I'm assuming I just need to upgrade the shorewall
> machine, not the shorewall-lite machine?

Yes.

-Tom
On Thu, 2009-02-05 at 07:41 -0800, Tom Eastep wrote:
> Yes.

Sweet. This is exactly the fix I needed. Now things that didn't work
before work. All except of course executing my "start" script on
restore. But more on that in reply to your other message.

b.
On Thu, 2009-02-05 at 07:41 -0800, Tom Eastep wrote:
>
> I can add an option to shorewall.conf that causes the started script to
> run during restore. There is no place to run the 'start' script during
> restore because iptables-restore creates the 'shorewall' chain whose
> presence indicates that Shorewall is in the running state.

Hrm. I think my choice of start/started was mostly arbitrary. I think
I could use started just as readily as I use start. In fact one use of
it is just laziness to create an initscript for my customized ip6tables
rules which will go away when I get around to shorewall6. The launching
of that script could very easily be in started instead of start. Or
better yet, in init, nice and early.

The only other thing I do in start is:

num_tcfor_rules=$(($($IPTABLES -t mangle -L tcfor -n | wc -l) - 2))
$IPTABLES -t mangle -I tcfor $num_tcfor_rules -m helper --helper sip -j MARK --set-mark 0x1

To get SIP connections prioritized and:

# ospf is exempt from mac blocking
$IPTABLES -I br-lan_mac -p 89 -j RETURN

Because *everyone* should participate in OSPF regardless of whether they
are allowed to use the gateway or not. IIRC, if you don't do this, it
confuses the overall OSPF fabric. Or maybe it was just a quagga
bug. :-)

> Alternatively, I can create a 'restored' script. Probably safer...

restored to be executed in place of started? Sure.

b.
Brian J. Murrell wrote:
>
> The only other thing I do in start is:
>
> num_tcfor_rules=$(($($IPTABLES -t mangle -L tcfor -n | wc -l) - 2))
> $IPTABLES -t mangle -I tcfor $num_tcfor_rules -m helper --helper sip -j MARK --set-mark 0x1
>
> To get SIP connections prioritized and:
>
> # ospf is exempt from mac blocking
> $IPTABLES -I br-lan_mac -p 89 -j RETURN
>
> Because *everyone* should participate in OSPF regardless of whether they
> are allowed to use the gateway or not. IIRC, if you don't do this, it
> confuses the overall OSPF fabric. Or maybe it was just a quagga
> bug. :-)

And none of those things (except your ipv6 stuff) needs to be done on
'restore'.

>
>> Alternatively, I can create a 'restored' script. Probably safer...
>
> restored to be executed in place of started? Sure.
>

That is the approach I'm taking.

-Tom
On Thu, 2009-02-05 at 08:38 -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
> >
> > The only other thing I do in start is:
> >
> > num_tcfor_rules=$(($($IPTABLES -t mangle -L tcfor -n | wc -l) - 2))
> > $IPTABLES -t mangle -I tcfor $num_tcfor_rules -m helper --helper sip -j MARK --set-mark 0x1
> >
> > To get SIP connections prioritized and:
> >
> > # ospf is exempt from mac blocking
> > $IPTABLES -I br-lan_mac -p 89 -j RETURN
> >
> > Because *everyone* should participate in OSPF regardless of whether they
> > are allowed to use the gateway or not. IIRC, if you don't do this, it
> > confuses the overall OSPF fabric. Or maybe it was just a quagga
> > bug. :-)
>
> And none of those things (except your ipv6 stuff) needs to be done on
> 'restore'.

Hrm. It's totally possible that I am missing some of the picture here,
but given that a "shorewall-lite start -f" (which could be done from a
fresh reboot) is essentially a "shorewall-lite restore", why do none of
those other actions need doing on a restore?

b.
Brian J. Murrell wrote:
> On Thu, 2009-02-05 at 08:38 -0800, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>
>>> The only other thing I do in start is:
>>>
>>> num_tcfor_rules=$(($($IPTABLES -t mangle -L tcfor -n | wc -l) - 2))
>>> $IPTABLES -t mangle -I tcfor $num_tcfor_rules -m helper --helper sip -j MARK --set-mark 0x1
>>>
>>> To get SIP connections prioritized and:
>>>
>>> # ospf is exempt from mac blocking
>>> $IPTABLES -I br-lan_mac -p 89 -j RETURN
>>>
>>> Because *everyone* should participate in OSPF regardless of whether they
>>> are allowed to use the gateway or not. IIRC, if you don't do this, it
>>> confuses the overall OSPF fabric. Or maybe it was just a quagga
>>> bug. :-)
>> And none of those things (except your ipv6 stuff) needs to be done on
>> 'restore'.
>
> Hrm. It's totally possible that I am missing some of the picture here,
> but given that a "shorewall-lite start -f" (which could be done from a
> fresh reboot) is essentially a "shorewall-lite restore", why do none of
> those other actions need doing on a restore?

Because they were done at the 'start' preceding the 'save'; 'save' saved
them in ${VARDIR}/restore-iptables which is what gets passed to
iptables-restore during 'restore'.

-Tom
On Thu, 2009-02-05 at 08:53 -0800, Tom Eastep wrote:
>
> Because they were done at the 'start' preceding the 'save'; 'save' saved
> them in ${VARDIR}/restore-iptables which is what gets passed to
> iptables-restore during 'restore'.

/me smacks forehead

Of course!

So, given that I've moved the ip6tables script to init, I think I am all
set. A reboot of the firewall sure seems to put everything back where it
should be.

The restored script would still be a good addition however.

Cheers,
b.
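The thread settles on two facts worth verifying after every reboot or 'restore' rather than trusting: rules that a start exit inserted before the 'save' (the SIP helper MARK in tcfor, the OSPF exemption in br-lan_mac) come back only through the saved iptables-restore input, and the 'shorewall' chain is what marks the running state, with ip_forward handled separately by the generated script. The script below is an added example, not Shorewall's own code and not anything posted in the thread: a post-restore sanity check that works over an iptables-save style dump passed in as text, so it can be exercised against a constructed dump without touching the kernel. The function names, the sample dump (including the MAC address) and the temporary ip_forward file are hypothetical; on a live firewall you would feed it the output of iptables-save and the real /proc path.

```shell
#!/bin/sh
# Added example (not Shorewall code): sanity checks for after 'shorewall restore'.
# The dump below is constructed to look like ${VARDIR}/restore-iptables; it is
# not a capture from any real system.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:tcfor - [0:0]
-A PREROUTING -j tcfor
-A tcfor -m helper --helper sip -j MARK --set-mark 0x1
-A tcfor -j RETURN
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:shorewall - [0:0]
:br-lan_mac - [0:0]
-A br-lan_mac -p 89 -j RETURN
-A br-lan_mac -m mac --mac-source 00:11:22:33:44:55 -j RETURN
-A br-lan_mac -j DROP
COMMIT'

# Print the lines of one table: everything between "*<table>" and its COMMIT.
table_section() {   # $1 = dump text, $2 = table name
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { on = 1; next }
                                          $0 == "COMMIT" { on = 0 }
                                          on'
}

# Succeed if the chain is declared (":name ...") in that table.
chain_exists() {    # $1 = dump, $2 = table, $3 = chain
    table_section "$1" "$2" | grep -q "^:$3 "
}

# Number of -A rules in a chain; prints 0 (and still succeeds) when empty.
rule_count() {      # $1 = dump, $2 = table, $3 = chain
    table_section "$1" "$2" | grep -c "^-A $3 " || true
}

# Succeed if some rule of the chain contains the given fixed string.
rule_present() {    # $1 = dump, $2 = table, $3 = chain, $4 = fixed string
    table_section "$1" "$2" | grep "^-A $3 " | grep -qF -- "$4"
}

# Succeed if the sysctl-style file holds "1"; defaults to the live /proc path.
ip_forward_enabled() {  # $1 = path (optional)
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Run every check, print one line per check, return the number of failures.
check_restore() {   # $1 = dump, $2 = ip_forward file
    fails=0
    chain_exists "$1" filter shorewall \
        && echo "ok   'shorewall' chain present (running state)" \
        || { echo "FAIL 'shorewall' chain missing"; fails=$((fails + 1)); }
    rule_present "$1" mangle tcfor '-m helper --helper sip -j MARK' \
        && echo "ok   SIP helper MARK rule survived restore" \
        || { echo "FAIL SIP helper MARK rule missing from tcfor"; fails=$((fails + 1)); }
    rule_present "$1" filter br-lan_mac '-p 89 -j RETURN' \
        && echo "ok   OSPF exemption survived restore" \
        || { echo "FAIL OSPF exemption missing from br-lan_mac"; fails=$((fails + 1)); }
    ip_forward_enabled "$2" \
        && echo "ok   ip_forward = 1" \
        || { echo "FAIL ip_forward is not 1"; fails=$((fails + 1)); }
    return "$fails"
}

# Stand-alone demo against the constructed dump and a temporary ip_forward file.
demo_forward=$(mktemp)
printf '1\n' > "$demo_forward"
check_restore "$SAMPLE_DUMP" "$demo_forward"
echo "failures: $?"
rm -f "$demo_forward"
```

On a real box the call becomes check_restore "$(iptables-save)" /proc/sys/net/ipv4/ip_forward, and the two rule_present checks are the place to list whatever else your own start exit adds; a non-zero return from a cron job or the init script's post-start hook is then the signal that a 'save' is stale relative to the start exit.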