hi, while stopping shorewall 4.5.21.2 on a debian7 box with the ADMINISABSENTMINDED set to no in shorewall.conf, the connections on vlan tagged interfaces that were active before the shorewall stop command was executed are not terminated as it is for the firewall and other interfaces!

when the firewall is stopped as expected new connections on vlan tagged interface are refused but even though ADMINISABSENTMINDED=No, active connections are not dealt with accordingly!

As vlan tagged interface could be treated as regular interface is it safe to assume that shorewall should also be able to stop all active connections?

On 10/27/2013 10:15 AM, matt darfeuille wrote:
> hi, while stopping shorewall 4.5.21.2 on a debian7 box with the
> ADMINISABSENTMINDED set to no in shorewall.conf, the connections on
> vlan tagged interfaces that were active before the shorewall stop
> command was executed are not terminated as it is for the firewall and
> other interfaces!
>
> when the firewall is stopped as expected new connections on vlan
> tagged interface are refused but even though ADMINISABSENTMINDED=No,
> active connections are not dealt with accordingly!
>
> As vlan tagged interface could be treated as regular interface is it
> safe to assume that shorewall should also be able to stop all active
> connections?

Yes.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hi, thank you for confirming it!

Unfortunately it is not working as it should be!

For setting up the interfaces I tried those two links:
http://www.mysidenotes.com/2007/08/17/vlan-configuration-on-ubuntu-debian/
https://wiki.debian.org/NetworkConfiguration#Howto_use_vlan_.28dot1q.2C_802.1q.2C_trunk.29_.28Etch.2C_Lenny.29

Regardless of which ways are used shorewall is still unable to stop active connections!

The shorewall configuration is as follows: one zone per tagged interface, interfaces file: zone vlan tagged interface option, policy file: everything is blocked, rules file: ACCEPT zone:mac address zone protocol ports, all is masqueraded, the maclist option is used in interfaces file thus in maclist file: ACCEPT vlan tagged interface mac and ip address.

I'm not sure what to do next to have the shorewall stop command behaving accordingly to the ADMINISABSENTMINDED=No!?

-Matt

On 27 Oct 2013 at 10:52, Tom Eastep wrote:
> On 10/27/2013 10:15 AM, matt darfeuille wrote:
> > hi, while stopping shorewall 4.5.21.2 on a debian7 box with the
> > ADMINISABSENTMINDED set to no in shorewall.conf, the connections on
> > vlan tagged interfaces that were active before the shorewall stop
> > command was executed are not terminated as it is for the firewall and
> > other interfaces!
> >
> > when the firewall is stopped as expected new connections on vlan
> > tagged interface are refused but even though ADMINISABSENTMINDED=No,
> > active connections are not dealt with accordingly!
> >
> > As vlan tagged interface could be treated as regular interface is it
> > safe to assume that shorewall should also be able to stop all active
> > connections?
>
> Yes.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

On 10/27/2013 10:52 AM, Tom Eastep wrote:
> On 10/27/2013 10:15 AM, matt darfeuille wrote:
>> hi, while stopping shorewall 4.5.21.2 on a debian7 box with the
>> ADMINISABSENTMINDED set to no in shorewall.conf, the connections on
>> vlan tagged interfaces that were active before the shorewall stop
>> command was executed are not terminated as it is for the firewall and
>> other interfaces!
>>
>> when the firewall is stopped as expected new connections on vlan
>> tagged interface are refused but even though ADMINISABSENTMINDED=No,
>> active connections are not dealt with accordingly!
>>
>> As vlan tagged interface could be treated as regular interface is it
>> safe to assume that shorewall should also be able to stop all active
>> connections?

How are you stopping Shorewall?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

I am stopping shorewall with the following command: "shorewall stop" and I am also aware of the /etc/init.d/shorewall behavior, and SAFESTOP=1 in /etc/default/shorewall!

I never stop shorewall using the init script though but I do stop it with /sbin/shorewall stop!

-Matt

On 28 Oct 2013 at 8:44, Tom Eastep wrote:
> On 10/27/2013 10:52 AM, Tom Eastep wrote:
> > On 10/27/2013 10:15 AM, matt darfeuille wrote:
> >> hi, while stopping shorewall 4.5.21.2 on a debian7 box with the
> >> ADMINISABSENTMINDED set to no in shorewall.conf, the connections on
> >> vlan tagged interfaces that were active before the shorewall stop
> >> command was executed are not terminated as it is for the firewall and
> >> other interfaces!
> >>
> >> when the firewall is stopped as expected new connections on vlan
> >> tagged interface are refused but even though ADMINISABSENTMINDED=No,
> >> active connections are not dealt with accordingly!
> >>
> >> As vlan tagged interface could be treated as regular interface is it
> >> safe to assume that shorewall should also be able to stop all active
> >> connections?
>
> How are you stopping Shorewall?
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________