jen142@promessage.com
2013-Dec-28 18:45 UTC
Stopping shorewall-lite also stops shorewall6-lite. How to fix the dependency?
I've installed

  shorewall-lite  version 4.5.21.4
  shorewall6-lite version 4.5.21.4

I use these systemd files to start it

  cat /etc/systemd/system/shorewall-lite.service

    [Unit]
    Description=shorewall-lite
    After=syslog.target network.target
    Before=shorewall-lite.target fail2ban.service
    Requires=fail2ban.service
    Wants=network.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    StandardOutput=syslog
    ExecStart=/usr/sbin/shorewall-lite start
    ExecStop=/usr/sbin/shorewall-lite stop

    [Install]
    WantedBy=multi-user.target

  cat /etc/systemd/system/shorewall6-lite.service

    [Unit]
    Description=shorewall6-lite
    After=syslog.target network.target
    Before=shorewall6-lite.target fail2ban.service
    Requires=fail2ban.service
    Wants=network.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    StandardOutput=syslog
    ExecStart=/usr/sbin/shorewall6-lite start
    ExecStop=/usr/sbin/shorewall6-lite stop

    [Install]
    WantedBy=multi-user.target

Testing

  systemctl stop shorewall-lite
  systemctl stop shorewall6-lite

correctly drops me into my fallback, stoppedrules configurations

  iptables -L -n

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    ACCEPT     tcp  --  xx.x.xx.xxx/29       0.0.0.0/0            tcp dpt:22
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

  ip6tables -L -n

    Chain INPUT (policy DROP)
    target     prot opt source                  destination
    ACCEPT     all      ::/0                    ::/0                             ctstate RELATED,ESTABLISHED
    ACCEPT     all      fe80::/10               ::/0
    ACCEPT     all      ::/0                    fe80::/10
    ACCEPT     all      ::/0                    ff00::/8
    ACCEPT     tcp      2001:aaa:aaaa:aaa::5    2600:cccc::cccc:cccc:cccc:1122   tcp dpt:22
    ACCEPT     tcp      2001:bbb:bbbb:bbb::/64  2600:cccc::cccc:cccc:cccc:1122   tcp dpt:22
    ACCEPT     all      ::/0                    ::/0

    Chain FORWARD (policy DROP)
    target     prot opt source                  destination
    ACCEPT     all      ::/0                    ::/0                             ctstate RELATED,ESTABLISHED

    Chain OUTPUT (policy DROP)
    target     prot opt source                  destination
    ACCEPT     all      ::/0                    ::/0                             ctstate RELATED,ESTABLISHED
    ACCEPT     all      ::/0                    fe80::/10
    ACCEPT     all      ::/0                    ff00::/8
    ACCEPT     all      ::/0                    ::/0

then starting

  systemctl start shorewall-lite
  systemctl start shorewall6-lite

loads the full/populated firewall configs

  iptables -L -n | wc
      207    1323   13782
  ip6tables -L -n | wc
      266    1610   18822

and everything's working as usual.

If I restart JUST the IPv4 shorewall

  systemctl restart shorewall-lite

the v4 firewall gets properly reloaded

  iptables -L -n | wc
      207    1323   13782

but the v6 firewall is stopped, dropped back to the stoppedrules config

  ip6tables -L -n | wc
       10      35     393

  ip6tables -L -n

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all      ::/0                 ::/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all      ::/0                 ::/0

I can easily start it again

  systemctl start shorewall6-lite
  ip6tables -L -n | wc
      266    1610   18822

There's obviously some incorrect/broken/missing dependency between the two. How do I properly config shorewall &/or the systemd unit files to maintain the IPv4 & IPv6 shorewall instances' independence?
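The post does not say which dependency edge makes shorewall6-lite fall back to its stoppedrules set when only shorewall-lite is restarted. The script below is an added example, not part of the original post and not shorewall's or systemd's own tooling: it parses the two unit files exactly as the post shows them and makes the stop/restart-propagation edges explicit, using the semantics documented in systemd.unit(5) (a unit listed in Requires=, BindsTo= or PartOf= propagates its explicit stop or restart to this unit; Wants= does not). The parser and the function names (`parse_unit`, `stop_sources`, `shared_stop_sources`, `before_and_requires`, `analyze`) are hypothetical helper code written for this example.

```python
"""Added example: inspect systemd unit files for stop/restart propagation.

The two unit files are copied from the mailing-list post; the parser and
analysis functions are hypothetical helper code, not systemd or shorewall
tooling.
"""

# Constructed input: the units exactly as the post shows them.
UNIT_FILES = {
    "shorewall-lite.service": """\
[Unit]
Description=shorewall-lite
After=syslog.target network.target
Before=shorewall-lite.target fail2ban.service
Requires=fail2ban.service
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
StandardOutput=syslog
ExecStart=/usr/sbin/shorewall-lite start
ExecStop=/usr/sbin/shorewall-lite stop

[Install]
WantedBy=multi-user.target
""",
    "shorewall6-lite.service": """\
[Unit]
Description=shorewall6-lite
After=syslog.target network.target
Before=shorewall6-lite.target fail2ban.service
Requires=fail2ban.service
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
StandardOutput=syslog
ExecStart=/usr/sbin/shorewall6-lite start
ExecStop=/usr/sbin/shorewall6-lite stop

[Install]
WantedBy=multi-user.target
""",
}

# Per systemd.unit(5): an explicit stop/restart of a unit named under these
# keys is propagated to the unit that names it.  Wants= does not do this.
STOP_PROPAGATING = ("Requires", "BindsTo", "PartOf")


def parse_unit(text):
    """Parse unit-file text into {section: {key: [values...]}}.

    Keys may repeat and values are space-separated lists, which is why a
    plain INI parser (configparser) is not used here.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current].setdefault(key, []).extend(value.split())
    return sections


def stop_sources(units):
    """Map unit -> set of units whose explicit stop/restart propagates to it."""
    out = {}
    for name, sections in units.items():
        unit = sections.get("Unit", {})
        out[name] = {d for key in STOP_PROPAGATING for d in unit.get(key, [])}
    return out


def shared_stop_sources(units):
    """Units that would take down more than one of the given units if stopped."""
    counts = {}
    for deps in stop_sources(units).values():
        for dep in deps:
            counts[dep] = counts.get(dep, 0) + 1
    return {dep for dep, n in counts.items() if n > 1}


def before_and_requires(units):
    """Units that a unit both Requires= (pulls in at start) and is ordered Before=.

    Before= also reverses the order on shutdown: the listed unit stops first.
    """
    out = {}
    for name, sections in units.items():
        unit = sections.get("Unit", {})
        both = set(unit.get("Requires", [])) & set(unit.get("Before", []))
        if both:
            out[name] = both
    return out


def analyze(unit_files=UNIT_FILES):
    """Run all three checks over a {filename: text} mapping."""
    units = {name: parse_unit(text) for name, text in unit_files.items()}
    return {
        "stop_sources": stop_sources(units),
        "shared": shared_stop_sources(units),
        "before_and_requires": before_and_requires(units),
    }


if __name__ == "__main__":
    for check, result in analyze().items():
        print(f"{check}: {result}")
```

On a live host the same edges can be read back from the running manager with `systemctl show -p Requires,RequiredBy,Before,After shorewall6-lite.service` and `systemctl list-dependencies --reverse shorewall6-lite.service`, which also include dependencies added by drop-ins or by other packages' units that a file-level parse cannot see; any unit that appears as a shared stop source for both firewall units is worth checking before concluding that the unit files alone are to blame.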