[Shorewall-users] newnotsys

Tom Eastep teastep at shorewall.net
Wed Dec 17 20:48:25 PST 2003

On Wed, 17 Dec 2003, Pascal DeMilly wrote:

> My question is, I would like to keep that check for my Internet
> interface (net -> fw) but disable it for the rest of my zones.
> How can I do that in shorewall? I am running an older version, 1.3.14-1.

You can't.

> As all those routers are not local to me I fear upgrading them remotely
> if I needed to.
> BTW, what's the best way to upgrade shorewall? As the syntax is sometimes
> changing, it is possible that a new script will fail while loading older
> rules files, which would be bad news. Happened to me before :-)

Any time that there is that kind of incompatibility, it is documented in
the "Migration Considerations" in the Release Notes. And it is my policy
to only make that sort of change in Major releases (1.2, 1.3, 1.4, ...).

> Especially when the check argument is not supposed to guarantee
> correctness. One thing that would be helpful is for shorewall to save
> the iptables layout and execute itself and, if it fails, restore the
> iptables layout saved. I understand that shorewall does a lot more like
> autoloading some modules, but it could save a shell script of all
> commands that it did last it succeeded and go back to it when it fails.
> Or it could be just a file that we create that is executed if shorewall
> fails without the try command. Kind of what I do right now but with the
> at command as shorewall return codes are not consistent in the version I
> use. The problem is sometimes I forget. Just an idea, not a criticism. I
> love shorewall. Certainly the best firewall script I know.

If I ever rewrite Shorewall, that will be one of the features that I will
try to incorporate.

> On another subject. The biggest problem I have with shorewall is during
> reboot. Not all my interfaces come up every time before shorewall is
> run: delayed DHCP, PPP interfaces failing, VPN failing, etc. However,
> if those interfaces are not up shorewall will fail. Is there an option
> where I could specify that the interfaces might not be up when shorewall
> is executed?

Shorewall can be configured to start correctly without *any* interfaces
started. You just have to review each of your configuration settings
against the documentation and look out for places where the documentation
stresses that a particular setting requires an associated interface to be
up before Shorewall starts.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
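The "save the rule set, try the new one, put the old one back on failure" idea raised in the quoted message, together with the `at`-based timed rollback the poster says he uses by hand, written out as a standalone shell wrapper. This is an added example and is not Shorewall code or anything Tom describes; it is the generic pattern a remote firewall admin keeps around for any rule loader. Assumptions (all hypothetical): `iptables-save` and `iptables-restore` are on PATH, the reload is done by `shorewall restart`, and the snapshot lives under /var/lib/shorewall. Every external command is read from a variable so the control flow can be exercised without root or a live iptables.

```shell
#!/bin/sh
# Added example, not part of Shorewall: snapshot the live rules, run the
# reload, and restore the snapshot when the reload exits non-zero.  A timed
# rollback via at(1) covers the case where the reload "succeeds" but locks
# you out anyway: arm it before the change, disarm it once you can still
# log in.  Command names are variables so the logic can be tested offline.

: "${IPTABLES_SAVE:=iptables-save}"        # assumed on PATH
: "${IPTABLES_RESTORE:=iptables-restore}"  # assumed on PATH
: "${RELOAD_CMD:=shorewall restart}"       # hypothetical reload command
: "${AT_CMD:=at}"
: "${ATRM_CMD:=atrm}"
: "${STATE_FILE:=/var/lib/shorewall/last-good.rules}"  # hypothetical path

# Snapshot the live rule set to $1.  iptables-save writes a COMMIT line per
# table, so a snapshot without one is empty or truncated and must not be
# trusted as a rollback target.
save_rules() {
    "$IPTABLES_SAVE" > "$1" || return 1
    grep -q '^COMMIT' "$1"
}

# Load a snapshot written by save_rules (atomic per table in iptables-restore).
restore_rules() {
    "$IPTABLES_RESTORE" < "$1"
}

# Dead man's switch: queue an unattended restore of $1 in $2 minutes.
# Prints the at job id (from at's "job N at <time>" banner) for disarm_rollback.
arm_rollback() {
    snap=$1
    minutes=$2
    printf '%s < %s\n' "$IPTABLES_RESTORE" "$snap" \
        | "$AT_CMD" now + "$minutes" minutes 2>&1 \
        | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# Cancel the queued rollback once the new rules are confirmed working.
disarm_rollback() {
    "$ATRM_CMD" "$1"
}

# Reload the firewall with a safety net.  Exit status:
#   0  reload succeeded
#   1  reload failed, previous rules restored
#   2  could not take a usable snapshot, reload not attempted
#   3  reload failed AND restore failed: rules are in an unknown state
safe_reload() {
    snap=${1:-$STATE_FILE}
    save_rules "$snap" || return 2
    if $RELOAD_CMD; then
        return 0
    fi
    restore_rules "$snap" || return 3
    return 1
}

# Typical remote use (comment only, so sourcing this file has no side effects):
#   job=$(arm_rollback "$STATE_FILE" 5)   # auto-restore in 5 minutes
#   safe_reload "$STATE_FILE" && disarm_rollback "$job"
```

Note that the snapshot is taken immediately before the reload, so it records whatever Shorewall had already applied, not a hand-maintained "known good" file; if a previous reload left the box half-configured, that is what you will roll back to. Keep a separately verified copy if you want a stronger guarantee, and always check you can still open a fresh connection before disarming the timer.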
