I'm running shorewall on two CentOS servers in different countries,
both running shorewall 4.5.4 under CentOS-6.4.

I noticed today that one of the servers has ip_forward set
[tim@alfred ~]$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
while the other has it unset.

Both have
IP_FORWARDING=On
in /etc/shorewall/shorewall.conf .

Does this setting over-ride the sysctl setting?
Or do they have different effects?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
School of Mathematics, Trinity College, Dublin 2, Ireland

Yes the setting in shorewall.conf will override the setting in sysctl.conf.

You can set
IP_FORWARDING=KEEP
so that it will keep whatever the setting is for ip_forwarding.

On Thu, Aug 1, 2013 at 3:24 PM, Timothy Murphy <gayleard@alice.it> wrote:
> I'm running shorewall on two CentOS servers in different countries,
> both running shorewall 4.5.4 under CentOS-6.4.
>
> I noticed today that one of the servers has ip_forward set
> [tim@alfred ~]$ sudo sysctl net.ipv4.ip_forward
> net.ipv4.ip_forward = 1
> while the other has it unset.
>
> Both have
> IP_FORWARDING=On
> in /etc/shorewall/shorewall.conf .
>
> Does this setting over-ride the sysctl setting?
> Or do they have different effects?

However if you rerun sysctl -p (assuming net.ipv4.ip_forward=1 is defined) that will then override the setting yet again.

On Thu, Aug 1, 2013 at 4:02 PM, johnny bowen <jbowen7@gmail.com> wrote:
> Yes the setting in shorewall.conf will override the setting in sysctl.conf.
>
> You can set
> IP_FORWARDING=KEEP
> so that it will keep whatever the setting is for ip_forwarding.
>
> On Thu, Aug 1, 2013 at 3:24 PM, Timothy Murphy <gayleard@alice.it> wrote:
>> I'm running shorewall on two CentOS servers in different countries,
>> both running shorewall 4.5.4 under CentOS-6.4.
>>
>> I noticed today that one of the servers has ip_forward set
>> [tim@alfred ~]$ sudo sysctl net.ipv4.ip_forward
>> net.ipv4.ip_forward = 1
>> while the other has it unset.
>>
>> Both have
>> IP_FORWARDING=On
>> in /etc/shorewall/shorewall.conf .
>>
>> Does this setting over-ride the sysctl setting?
>> Or do they have different effects?

On Thursday, August 01, 2013 04:02:29 PM johnny bowen wrote:

> > IP_FORWARDING=On
> >
> > in /etc/shorewall/shorewall.conf .
> >
> > Does this setting over-ride the sysctl setting?
> > Or do they have different effects?

> Yes the setting in shorewall.conf will override the setting in sysctl.conf.

> You can set
> IP_FORWARDING=KEEP
> so that it will keep whatever the setting is for ip_forwarding.

Thanks for the response.
But what exactly do you mean by "the setting for ip_forwarding"?
Do you mean the sysctl.conf setting?

And as a matter of interest,
why would the IP_FORWARDING setting change?

As it happened, it seemed as though IP forwarding was _not_ working
on my CentOS server with IP_FORWARDING=On,
even after re-starting shorewall (and powering the router on and off).
That was with net.ipv4.ip_forward = 0.
But after changing this with
sudo sysctl -w net.ipv4.ip_forward=1
the problem seemed to go away.

Is that plausible?

--
Timothy Murphy

IP Forwarding is used when you need to send packets from one interface to another. So if you're using Shorewall there's a good chance you're doing this if you're using it as a firewall for a LAN. By default it's turned off on most distributions.

ip_forwarding is the kernel parameter that allows IP Forwarding. Its current value can be found in /proc:
# cat /proc/sys/net/ipv4/ip_forward
0 is off; 1 is on

There are several ways to turn it on:

1) # echo 1 > /proc/sys/net/ipv4/ip_forward

2) # sysctl -w net.ipv4.ip_forward=1

3) # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p

4) add IP_FORWARDING=On to shorewall.conf and run shorewall restart

Note that ONLY the 3rd and 4th options I gave will persist after reboot. (So use one of those)

So you said that IP Forwarding was not working when you set IP_FORWARDING=On, well perhaps you didn't restart Shorewall. Test it by:

# echo 0 > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
# sed -i 's/^IP_FORWARDING=.*/IP_FORWARDING=On/' /etc/shorewall/shorewall.conf
# shorewall check && shorewall restart
# cat /proc/sys/net/ipv4/ip_forward

The result should be 1

On Fri, Aug 2, 2013 at 6:01 AM, Timothy Murphy <gayleard@alice.it> wrote:
> On Thursday, August 01, 2013 04:02:29 PM johnny bowen wrote:
>
> > > IP_FORWARDING=On
> > >
> > > in /etc/shorewall/shorewall.conf .
> > >
> > > Does this setting over-ride the sysctl setting?
> > > Or do they have different effects?
>
> > Yes the setting in shorewall.conf will override the setting in sysctl.conf.
>
> > You can set
> > IP_FORWARDING=KEEP
> > so that it will keep whatever the setting is for ip_forwarding.
>
> Thanks for the response.
> But what exactly do you mean by "the setting for ip_forwarding"?
> Do you mean the sysctl.conf setting?
>
> And as a matter of interest,
> why would the IP_FORWARDING setting change?
>
> As it happened, it seemed as though IP forwarding was _not_ working
> on my CentOS server with IP_FORWARDING=On,
> even after re-starting shorewall (and powering the router on and off).
> That was with net.ipv4.ip_forward = 0.
> But after changing this with
> sudo sysctl -w net.ipv4.ip_forward=1
> the problem seemed to go away.
>
> Is that plausible?

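Added example, not part of any poster's message: a small shell check that compares the three sources discussed in this thread (IP_FORWARDING in shorewall.conf, the net.ipv4.ip_forward line in sysctl.conf, and the observed runtime value). The function names and sample files are constructed for illustration; On, Off and Keep are the values shorewall.conf documents for IP_FORWARDING.

```shell
#!/bin/sh
# Added example (not from the thread): compare what each source says about
# IPv4 forwarding. File paths are arguments so copies can be inspected.

# Last IP_FORWARDING value in a shorewall.conf-style file, lower-cased.
shorewall_setting() {
    awk -F= '/^[ \t]*IP_FORWARDING=/ { v = $2 }
        END { sub(/#.*/, "", v); gsub(/[" \t]/, "", v); print tolower(v) }' "$1"
}

# Last net.ipv4.ip_forward value in a sysctl.conf-style file (empty if absent).
sysctl_conf_setting() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { v = $2 }
        END { gsub(/[ \t]/, "", v); print v }' "$1"
}

# Value ip_forward should hold after "shorewall restart".
# $1 = shorewall.conf, $2 = value before the restart (used for Keep).
expected_after_restart() {
    case "$(shorewall_setting "$1")" in
        on)   echo 1 ;;
        off)  echo 0 ;;
        keep) echo "$2" ;;
        *)    echo unknown ;;
    esac
}

# $1 = shorewall.conf, $2 = sysctl.conf, $3 = observed runtime value.
forwarding_verdict() {
    want=$(expected_after_restart "$1" "$3")
    boot=$(sysctl_conf_setting "$2")
    if [ "$want" != "$3" ]; then
        echo "runtime-mismatch"   # restart did not apply, or something changed it later
    elif [ -n "$boot" ] && [ "$boot" != "$want" ]; then
        echo "sysctl-conflict"    # a later "sysctl -p" would flip the value
    else
        echo "consistent"
    fi
}

# Constructed sample files mirroring the situation described in the thread.
SAMPLE_DIR=$(mktemp -d)
printf 'STARTUP_ENABLED=Yes\nIP_FORWARDING=On\n' > "$SAMPLE_DIR/shorewall.conf"
printf 'net.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.conf"

forwarding_verdict "$SAMPLE_DIR/shorewall.conf" "$SAMPLE_DIR/sysctl.conf" 0
forwarding_verdict "$SAMPLE_DIR/shorewall.conf" "$SAMPLE_DIR/sysctl.conf" 1
```

On a live host, pass /etc/shorewall/shorewall.conf, /etc/sysctl.conf and the output of `cat /proc/sys/net/ipv4/ip_forward` as the three arguments.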
On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote:

> IP Forwarding is used when you need to send packets from one interface to
> another. So if you're using Shorewall there's a good chance you're doing
> this if you're using it as a firewall for a LAN. By default it's turned off
> on most distributions.
>
> ip_forwarding is the kernel parameter that allows IP Forwarding. Its
> current value can be found in /proc:
> # cat /proc/sys/net/ipv4/ip_forward
> 0 is off; 1 is on
>
> There are several ways to turn it on:
>
> 1) # echo 1 > /proc/sys/net/ipv4/ip_forward
>
> 2) # sysctl -w net.ipv4.ip_forward=1
>
> 3) # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
>
> 4) add IP_FORWARDING=On to shorewall.conf and run shorewall restart

You seem to be saying that setting IP_FORWARDING = On in shorewall.conf
and re-starting shorewall should change the setting of net.ipv4.ip_forward .
This did not happen in my case.
I have "IP_FORWARDING=On" in shorewall.conf
and I re-started shorewall (several times) on my CentOS-6.4 server,
but "sudo sysctl net.ipv4.ip_forward" reported "net.ipv4.ip_forward = 0".

--
Timothy Murphy

> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote:
>> IP Forwarding is used when you need to send packets from one interface to
>> another. So if you're using Shorewall there's a good chance you're doing
>> this if you're using it as a firewall for a LAN. By default it's turned off
>> on most distributions.
>>
>> ip_forwarding is the kernel parameter that allows IP Forwarding. Its
>> current value can be found in /proc:
>> # cat /proc/sys/net/ipv4/ip_forward
>> 0 is off; 1 is on
>>
>> There are several ways to turn it on:
>>
>> 1) # echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> 2) # sysctl -w net.ipv4.ip_forward=1
>>
>> 3) # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
>>
>> 4) add IP_FORWARDING=On to shorewall.conf and run shorewall restart
>
> You seem to be saying that setting IP_FORWARDING = On in shorewall.conf
> and re-starting shorewall should change the setting of net.ipv4.ip_forward .
> This did not happen in my case.
> I have "IP_FORWARDING=On" in shorewall.conf
> and I re-started shorewall (several times) on my CentOS-6.4 server,
> but "sudo sysctl net.ipv4.ip_forward" reported "net.ipv4.ip_forward = 0".

Hi,

Do you have something else installed which could change forwarding
(NetworkManager or something)?
Could it be a problem with SELinux?

Regards,
Simon

On 08/04/2013 11:43 PM, Simon Matter wrote:
>> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote:
>>> IP Forwarding is used when you need to send packets from one interface to
>>> another. So if you're using Shorewall there's a good chance you're doing
>>> this if you're using it as a firewall for a LAN. By default it's turned off
>>> on most distributions.
>>>
>>> ip_forwarding is the kernel parameter that allows IP Forwarding. Its
>>> current value can be found in /proc:
>>> # cat /proc/sys/net/ipv4/ip_forward
>>> 0 is off; 1 is on
>>>
>>> There are several ways to turn it on:
>>>
>>> 1) # echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> 2) # sysctl -w net.ipv4.ip_forward=1
>>>
>>> 3) # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
>>>
>>> 4) add IP_FORWARDING=On to shorewall.conf and run shorewall restart
>> You seem to be saying that setting IP_FORWARDING = On in shorewall.conf
>> and re-starting shorewall should change the setting of net.ipv4.ip_forward .
>> This did not happen in my case.
>> I have "IP_FORWARDING=On" in shorewall.conf
>> and I re-started shorewall (several times) on my CentOS-6.4 server,
>> but "sudo sysctl net.ipv4.ip_forward" reported "net.ipv4.ip_forward = 0".
> Hi,
>
> Do you have something else installed which could change forwarding
> (NetworkManager or something)?
> Could it be a problem with SELinux?

If it were an SELinux problem, I would expect an error message during restart.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________