[Shorewall-users] STDERR messages (fwd)

Tom Eastep teastep@shorewall.net
Fri, 5 Apr 2002 16:00:02 -0800 (Pacific Standard Time)


On Fri, 5 Apr 2002, Gar Nelson wrote:

> I guess I'm guilty of trimming my messages too much. <s>
>
> Another guy brought up that he was getting STDERR messages all over his
> terminal screen when running shorewall. I'm guessing that he is also
> using his box as a workstation? I can see how that would be a bit
> disrupting.
>

Two things about the initial report:

a) The fellow was trying to create a "Linux from Scratch" router.
b) His complaint was that if his Shorewall configuration was wrong then
the STDERR messages messed up his display.

The obvious solution to that problem was "fix your Shorewall
configuration" or modify the way you are starting it to redirect standard
error.

> In my case, the shorewall system is dedicated, but it normally doesn't
> have a screen attached to it. (kvm switch shared with a bunch of other
> servers). 99.9% of the time, no one will see the shorewall screen here.
> The error messages don't bother me in a using the machine sense, but
> maybe there is something there I should see.
>
> So the question is, redirecting that STDERR to a file, and still
> starting up shorewall automatically at boot.

Again, I think this is a tempest in a teapot -- if you don't like
Shorewall's STDERR messages then fix your Shorewall configuration so that
the messages no longer occur.

>
> /etc/init.d/shorewall start > /var/log/shorewall.log 2>&1  will work if
> you disable the regular sysVinit call via symbolic link in /etc/rc3.d or
> /etc/rc5.d and instead place the call in /etc/rc.d/rc.local  That
> accomplishes the mission, getting shorewall to start automatically, with
> STDERR redirected, but it also starts shorewall last.
>
> One of the benefits of Tom's shorewall is that you can start it before
> the network comes up, however, using rc.local removes that possibility.
>
> If you're using the symbolic link in /etc/rc3.d or /etc/rc5.d, then
> sysVinit supplies the "start". So how do you supply the rest of the
> tail? "> /var/log/shorewall.log 2>&1" Is it possible?

Again -- fix your Shorewall configuration so that there are no error
messages.

Remember that Shorewall isn't something that runs continuously in your
system -- it's a tool for configuring NetFilter and once NetFilter is
configured, Shorewall's job is done (until you want to change or stop your
configuration).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net