[Shorewall-users] Suggestion re loading kernel modules

Tom Eastep teastep at shorewall.net
Mon Dec 8 07:22:09 PST 2003


On Sun, 2003-12-07 at 23:55, ahg1 at swiftdsl.com.au wrote:
> Is it feasible (for Shorewall) to figure out which netfilter
> modules should be loaded?

I doubt it -- just because a user doesn't have any rules that explicitly
deal with FTP doesn't mean that the user doesn't want the ftp connection
tracking helper loaded -- doesn't mean that they do either.

Given that Shorewall has to do its work without the benefit of
'modprobe' (because of Leaf/Bering), I think that the current
/etc/shorewall/modules file works OK. It may end up loading more modules
than a user needs but users that are concerned about that can always
comment out the entries for those modules that they don't need.

One possible improvement would be for Shorewall to detect when
'modprobe' is present and use it instead of 'insmod'. That would largely
eliminate the need for MODULE_SUFFIX and MODULESDIR.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
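
The improvement proposed in the message above, as an added example (not Shorewall's code and not part of the original post): prefer `modprobe` when it is on the PATH, otherwise fall back to `insmod` using MODULESDIR and MODULE_SUFFIX. The function names, the list format (one module name per line, `#` comments) and the default suffix list are assumptions; the functions only print the commands they would run.

```shell
# Added example, not Shorewall code. MODULESDIR and MODULE_SUFFIX are the
# settings named in the message; the function names are hypothetical.

# Print the command that would load module $1, without running it.
module_load_cmd() {
    mod=$1
    if command -v modprobe >/dev/null 2>&1; then
        # modprobe resolves the path, suffix and dependencies itself,
        # so neither MODULESDIR nor MODULE_SUFFIX is consulted.
        echo "modprobe $mod"
        return 0
    fi
    # insmod fallback (e.g. no modprobe on the system): locate the file.
    # The default suffix list here is an assumption for this example.
    for suffix in ${MODULE_SUFFIX:-o gz ko o.gz}; do
        f="$MODULESDIR/$mod.$suffix"
        if [ -f "$f" ]; then
            echo "insmod $f"
            return 0
        fi
    done
    echo "module $mod not found under $MODULESDIR" >&2
    return 1
}

# Read a module list on stdin and print one load command per active entry.
# Commented-out entries are skipped, so only modules the administrator
# left enabled are loaded.
plan_modules() {
    rc=0
    while read -r name rest; do
        name=${name%%#*}            # drop a comment starting in this field
        [ -n "$name" ] || continue  # blank line or commented-out entry
        module_load_cmd "$name" || rc=1
    done
    return $rc
}
```
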



