[Shorewall-newbies] startup script

Tom Eastep teastep at shorewall.net
Mon Dec 15 09:01:00 PST 2003


On Monday 15 December 2003 07:57 am, Oliver Lange wrote:

>    If you specify "routefilter" for an interface, that interface must be up
> prior to starting the firewall.

Translation: You must start your ADSL connection BEFORE you start Shorewall.

>
> Indeed my 'interfaces' configuration contains this:
>
> #ZONE	INTERFACE	BROADCAST	OPTIONS
> net	ppp0		-		routefilter,norfc1918
>
> I followed the documentation, downloaded the example two-interfaces config
> files tarball, copied them over the default configs in /etc/shorewall,
> followed the quickstart guide for a two-interfaces environment, read
> everything carefully and followed everything carefully.
>
> Now when i put 'adsl-start' into the /etc/shorewall/start script, i can see
> the following message appearing on the local tty during boot:
>
>    Warning: Cannot set route filtering on ppp0

The /etc/shorewall/start script runs AFTER Shorewall has completed startup so 
your ppp0 interface is being brought up too late.

You shouldn't be using Shorewall extension scripts to start your ADSL 
connection anyway because a "shorewall restart" will attempt to start your 
ADSL connection again.

>
> Don't misunderstand me, the firewall doesn't fail, it starts up well and it
> also seems to be running fine (so far), even if i don't forward ports yet.
>
> I simply don't understand it, especially the meaning of the 'routefilter'
> parameter. Yes, i've read the parameter description, but still don't
> understand it. I'm familiar with 'Miami' on the Amiga, SuSEfirewall2 on
> SuSE Linux, ZoneAlarm and OutpostFirewall on Windows, and now I've
> installed a fresh new router using shorewall on a gentoo-Linux box.
>
> Each of these firewalls didn't enforce me to learn much about routing &
> firewalling.

We apologize for asking you to learn something and hope that the experience 
isn't too painful.

> Shorewall is no doubt one of the easiest & coolest Linux 
> firewalls i've ever seen, but I just ask myself what I can do to avoid that
> boot warning. I wonder whatever for the 'routefilter' parameter is used,
> and if i need it at all.

It is recommended that Shorewall users use route filtering because it guards 
against source address spoofing.

The bottom line here is that you should fix your system startup sequence so 
that your ADSL connection comes up before Shorewall starts.

Failing in that:

a) Be sure you are running Shorewall 1.4.8 or later (e.g., 1.4.9 Beta 1).
b) Remove 'routefilter' from the 'ppp0' line in /etc/shorewall/interfaces.
c) Set ROUTE_FILTER=Yes in /etc/shorewall/shorewall.conf

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
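A pre-start check in POSIX sh, added here as an illustration and not part of the original thread or of Shorewall itself: it parses an interfaces file in the format quoted above, lists the interfaces carrying the routefilter option, and reports any that are not present yet, which is the condition behind the "Cannot set route filtering" warning discussed in the thread. The interfaces content and the present-interface list are constructed sample inputs; on a live box the list would come from ls /sys/class/net.

```shell
#!/bin/sh
# Constructed sample in /etc/shorewall/interfaces format (not the poster's file).
SAMPLE_INTERFACES='#ZONE	INTERFACE	BROADCAST	OPTIONS
net	ppp0		-		routefilter,norfc1918
loc	eth1		detect		dhcp
'

# Print the INTERFACE column of every non-comment line whose OPTIONS
# column (4th field, comma separated) contains "routefilter".
routefilter_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "routefilter") { print $2; break }
        }'
}

# Print every routefilter interface that is absent from the list of present
# interfaces. $1 = interfaces file content, $2 = newline-separated list of
# interfaces that exist right now. Returns 1 if any are missing, so a boot
# script can refuse to start the firewall until the link (e.g. ppp0) is up.
missing_routefilter_ifaces() {
    rc=0
    for dev in $(routefilter_ifaces "$1"); do
        if ! printf '%s\n' "$2" | grep -qx "$dev"; then
            echo "$dev"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample; eth1 is up, ppp0 is not.
if [ "${0##*/}" != "sh" ]; then
    PRESENT='lo
eth1'
    if ! missing_routefilter_ifaces "$SAMPLE_INTERFACES" "$PRESENT" >/dev/null; then
        echo "routefilter interface(s) not up yet; bring the link up before starting shorewall" >&2
    fi
fi
```

On a real system replace PRESENT with `$(ls /sys/class/net)` and run the check before `shorewall start`.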
