[Shorewall-users] newnotsys

Pascal DeMilly list.shorewall at newgenesys.com
Wed Dec 17 18:19:26 PST 2003


I have a dynamic network (ospf) connecting different locations over
frame relay (wan). Each location frame relay access device is actually a
linux box running shorewall,zebra with a sangoma card.

As a backup I have added to some locations a DSL line which serves as a
gateway to the Internet but also over which I have created VPNs to
connect those locations using OpenVPN as a backup.

Everything works fine thanks to the excellent work of the community. Now
because this network is dynamic, the routes can be asymmetric. The
response to a packet leaving one location might not come back the same
way. I therefore had to disable the check for non-SYN packets in

My question is, I would like to keep that check for my Internet
interface (net -> fw) but disable it for the rest of my zones.

How can I do that in shorewall? I am running an older version, 1.3.14-1.

As all those routers are not local to me, I fear upgrading them remotely
if I needed to.

BTW, what is the best way to upgrade shorewall? As the syntax is sometimes
changing, it is possible that a new script will fail while loading older
rules files, which would be bad news. Happened to me before :-)

Especially when the check argument is not supposed to guarantee
correctness. One thing that would be helpful is for shorewall to save
the iptables layout, execute itself, and if it fails, restore the
iptables layout it saved. I understand that shorewall does a lot more, like
autoloading some modules, but it could save a shell script of all the
commands it ran the last time it succeeded and go back to it when it fails.
Or it could be just a file that we create that is executed if shorewall
fails without the try command. Kind of what I do right now, but with the
at command, as shorewall return codes are not consistent in the version I
use. The problem is sometimes I forget. Just an idea, not a criticism. I
love shorewall. Certainly the best firewall script I know.

On another subject. The biggest problem I have with shorewall is during
reboot. Not all my interfaces come up every time before shorewall is
run: delayed DHCP, PPP interfaces failing, VPN failing, etc. However,
if those interfaces are not up, shorewall will fail. Is there an option
where I could specify that the interfaces might not be up when shorewall
is executed?
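The save-then-rollback idea sketched in the post (snapshot the running ruleset, try the reload, put the snapshot back if the reload fails) as an added example; this is not code from the post or from Shorewall itself. It assumes `iptables-save` and `iptables-restore` are the snapshot tools and `shorewall restart` is the reload; all three command names are held in variables (SAVE_CMD, RESTORE_CMD, RELOAD_CMD, names chosen for this example) so the control flow can be exercised without root or a real firewall.

```shell
#!/bin/sh
# Added example: reload a firewall ruleset with automatic rollback.
# Not part of the original post or of Shorewall. The three commands
# below are assumptions; override them to suit the box (or to test).
SAVE_CMD=${SAVE_CMD:-iptables-save}
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}
RELOAD_CMD=${RELOAD_CMD:-"shorewall restart"}

# safe_reload SNAPSHOT_FILE
# Snapshots the live ruleset into SNAPSHOT_FILE, runs the reload, and
# restores the snapshot if the reload reports failure. Exit status:
#   0  reload succeeded, snapshot left in place for reference
#   1  reload failed, previous ruleset restored
#   2  reload failed AND restore failed (box may be without rules)
#   3  could not take the snapshot; nothing was changed
safe_reload() {
  snap=$1
  # Refuse to touch the firewall if we cannot record the current state.
  $SAVE_CMD > "$snap" || return 3
  # The reload's exit status is the only success signal used here.
  if $RELOAD_CMD; then
    return 0
  fi
  # Reload failed: push the saved ruleset back.
  if $RESTORE_CMD < "$snap"; then
    return 1
  fi
  return 2
}

# Usage on a real router (run as root):
#   safe_reload /var/tmp/iptables.before-reload
#   echo "result: $?"
```

The exit status of the reload is the only signal this wrapper trusts, which is exactly the weakness the post describes for the version it runs; on a remote box the natural complement is the poster's `at` trick, a scheduled restore that is cancelled only once the operator can still log in. Status 2 is the case worth alerting on, since the box may then be running with no rules at all.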
