[Shorewall-users] OOPS! subject should read: NEWNOTSYN

Pascal DeMilly list.shorewall at newgenesys.com
Wed Dec 17 18:33:15 PST 2003


On Wed, 2003-12-17 at 18:19, Pascal DeMilly wrote:
> Hi,
> 
> I have a dynamic network (ospf) connecting different locations over
> frame relay (wan). Each location's frame relay access device is actually a
> linux box running shorewall and zebra with a sangoma card.
> 
> As a backup I have added to some locations a DSL line, which serves as a
> gateway to the Internet and over which I have also created VPNs with
> OpenVPN to connect those locations as a backup.
> 
> Everything works fine thanks to the excellent work of the community. Now,
> because this network is dynamic, the routes can be asymmetric. The
> response to a packet leaving one location might not come back the same
> way. I therefore had to disable the not-SYN packet check in
> shorewall.conf.
> 
> My question is, I would like to keep that check for my Internet
> interface (net -> fw) but disable it for the rest of my zones.
> 
> How can I do that in shorewall? I am running an older version, 1.3.14-1.
> 
> As all those routers are not local to me, I fear upgrading them remotely
> if I needed to.
> 
> BTW, what is the best way to upgrade shorewall? As the syntax sometimes
> changes, it is possible that a new script will fail while loading older
> rules files, which would be bad news. It happened to me before :-)
> 
> Especially when the check argument is not supposed to guarantee
> correctness. One thing that would be helpful is for shorewall to save
> the iptables layout and execute itself and, if it fails, restore the
> saved iptables layout. I understand that shorewall does a lot more, like
> autoloading some modules, but it could save a shell script of all the
> commands it ran the last time it succeeded and go back to it when it fails.
> Or it could be just a file that we create that is executed if shorewall
> fails without the try command. That is kind of what I do right now, but
> with the at command, as shorewall return codes are not consistent in the
> version I use. The problem is sometimes I forget. Just an idea, not a
> criticism. I love shorewall. Certainly the best firewall script I know.
> 
> 
> On another subject. The biggest problem I have with shorewall is during
> reboot. Not all my interfaces come up every time before shorewall is
> run: delayed DHCP, PPP interfaces failing, VPN failing, etc. However,
> if those interfaces are not up shorewall will fail. Is there an option
> where I could specify that the interfaces might not be up when shorewall
> is executed?
> 
> Thanks
> 
> Pascal
> 
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
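The rollback scheme described in the quoted message (snapshot the ruleset, run the reload, put the snapshot back if the reload fails, and use at as a safety net for a router you can only reach remotely) can be scripted outside of Shorewall. The script below is an added example for this archive page; it is not Shorewall code and not the poster's own script. It assumes iptables-save/iptables-restore and at(1) are installed on the router and that the command being guarded is `shorewall restart`; the snapshot and job-file paths are arbitrary choices.

```shell
#!/bin/sh
# safe_reload.sh - reload the firewall with a snapshot, automatic rollback
# and an at(1) dead-man switch for remotely administered routers.
#
# Added example; not Shorewall code and not the poster's script.
# Assumptions (not from the page): iptables-save/iptables-restore and at(1)
# exist on the router, and the reload being guarded is "shorewall restart".

SNAPSHOT=${SNAPSHOT:-/var/lib/safe_reload/last-good.rules}
JOBFILE=${JOBFILE:-/var/lib/safe_reload/pending-job}
DEADMAN_MIN=${DEADMAN_MIN:-5}

# take_snapshot SAVE_CMD FILE : write the current ruleset to FILE.
take_snapshot() {
    $1 > "$2"
}

# apply_or_restore APPLY_CMD RESTORE_CMD FILE
# Run APPLY_CMD; if it fails, feed FILE to RESTORE_CMD.
# Returns 0 on success, 1 if apply failed and the snapshot was restored,
# 3 if the restore itself failed (the box is then in an unknown state).
apply_or_restore() {
    if $1; then
        return 0
    fi
    $2 < "$3" || return 3
    return 1
}

# parse_job_id : extract N from at(1)'s "job N at <date>" line on stdin.
parse_job_id() {
    sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# arm_deadman FILE MINUTES : schedule a restore of FILE; print the job id.
# at(1) reports the queued job on stderr, hence the 2>&1.
arm_deadman() {
    echo "iptables-restore < '$1'" | at now + "$2" minutes 2>&1 | parse_job_id
}

disarm_deadman() {
    atrm "$1"
}

case ${1-} in
apply)
    mkdir -p "$(dirname "$SNAPSHOT")"
    take_snapshot iptables-save "$SNAPSHOT" || exit 2
    job=$(arm_deadman "$SNAPSHOT" "$DEADMAN_MIN")
    [ -n "$job" ] || { echo "could not schedule rollback job" >&2; exit 2; }
    echo "$job" > "$JOBFILE"
    apply_or_restore "shorewall restart" iptables-restore "$SNAPSHOT"
    rc=$?
    case $rc in
    0) echo "reloaded; run '$0 confirm' within $DEADMAN_MIN min or the old ruleset comes back" ;;
    1) echo "reload failed; previous ruleset restored" >&2
       disarm_deadman "$job"; rm -f "$JOBFILE"; exit 1 ;;
    *) echo "reload and restore both failed; leaving at job $job armed" >&2; exit "$rc" ;;
    esac
    ;;
confirm)
    disarm_deadman "$(cat "$JOBFILE")" && rm -f "$JOBFILE" && echo "confirmed"
    ;;
"")
    ;;  # no arguments: define functions only (so the file can be sourced)
*)
    echo "usage: $0 apply|confirm" >&2; exit 64
    ;;
esac
```

Run `safe_reload.sh apply`, check that the box still answers from the network you care about, then `safe_reload.sh confirm` before the timer expires. The at job, not Shorewall's exit status, is the real safety net here: as the quoted message notes, the return codes of the 1.3.x scripts are not consistent, and a ruleset that loads cleanly can still lock out the session you are typing into. Two caveats: iptables-restore only puts back the tables, not the module loading or other system settings Shorewall performs, so the snapshot should be taken from a state that Shorewall itself brought up; and the snapshot file must be on local disk, since the restore must work while the network is broken.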