[Shorewall-users] Shorewall don't like xMule ...?

Tom Eastep teastep at shorewall.net
Wed Jul 9 07:59:51 PDT 2003

On Wed, 9 Jul 2003 figti at netcourrier.com wrote:

> I've the xMule p2p program running on my firewall, which is also a
> gateway for my private network. I've set Shorewall according to the
> "Two-interface QuickStart Guide" (policy, rules, masq, interfaces,
> shorewall.conf files attached)

"P2P" and security are often mutually exclusive.

> I noticed that Shorewall causes xMule to behave weirdly: after 15-20
> minutes, xMule drains 100% CPU and thus "hangs". I found out that
> shutting down Shorewall gets things back to normal (xMule gets back to
> 5-10% CPU...). Restarting Shorewall causes xMule to get back to 100% CPU
> within 10-15 minutes :( From my point of view, it is quite the same as a
> "funnel phenomenon", with xMule having large amounts of
> incoming/outgoing connections, and Shorewall struggling under that
> heavy load.

Well, since once you start Shorewall there is NOT ONE INSTRUCTION OF
SHOREWALL CODE RUNNING, the notion that "Shorewall's struggling" is

If *netfilter* has run out of entries in its connection tracking table,
you will see messages to that effect in your system log. You are probably
also seeing Shorewall messages if you would bother to look.

> Besides, I noticed that adding "fw net ACCEPT" in /etc/shorewall/policy
> causes xMule to run smoothly for hours (but this way my gateway is not
> protected any more...)

Well, that policy is included in the sample policy file but is commented
out. Uncommenting it is perfectly acceptable if you want to be able to run
arbitrary network clients on your firewall. Your gateway is still quite
secure with that policy.

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
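One way to check the point Tom makes about connection tracking, as an added example that is not part of this thread or of Shorewall itself: scan the system log for the kernel's "table full, dropping packet" message (logged as `ip_conntrack` on 2.4-era kernels, `nf_conntrack` on later ones) and for Shorewall's own `Shorewall:<chain>:<disposition>:` log prefix, then compare the live conntrack count against its maximum from /proc. The sample log lines below are constructed; the /proc paths are the standard kernel ones.

```python
import os
import re
from typing import Iterable, Optional, Tuple

# Kernel message emitted when the connection tracking table is exhausted.
TABLE_FULL_RE = re.compile(r"(?:ip_conntrack|nf_conntrack): table full, dropping packet")
# Shorewall's logged DROP/REJECT lines carry a "Shorewall:<chain>:<disposition>:" prefix.
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")

# Constructed sample syslog lines (not from the original post).
SAMPLE_SYSLOG = [
    "Jul  9 07:41:12 gw kernel: ip_conntrack: table full, dropping packet.",
    "Jul  9 07:41:13 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4662 DPT=4662",
    "Jul  9 07:41:15 gw kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.7 PROTO=UDP SPT=4672 DPT=4672",
    "Jul  9 07:41:16 gw sshd[123]: Accepted publickey for admin from 192.0.2.50",
]


def scan_syslog(lines: Iterable[str]) -> dict:
    """Count conntrack-exhaustion messages and Shorewall log lines per chain/disposition."""
    summary = {"table_full": 0, "shorewall": {}}
    for line in lines:
        if TABLE_FULL_RE.search(line):
            summary["table_full"] += 1
        m = SHOREWALL_RE.search(line)
        if m:
            key = f"{m.group('chain')}:{m.group('disp')}"
            summary["shorewall"][key] = summary["shorewall"].get(key, 0) + 1
    return summary


def conntrack_usage(proc_root: str = "/proc") -> Tuple[Optional[int], Optional[int]]:
    """Return (current entries, table maximum), trying the modern then the legacy
    /proc paths; (None, None) when neither is readable (no conntrack, or not Linux)."""
    candidates = [
        ("sys/net/netfilter/nf_conntrack_count", "sys/net/netfilter/nf_conntrack_max"),
        ("sys/net/ipv4/netfilter/ip_conntrack_count", "sys/net/ipv4/netfilter/ip_conntrack_max"),
    ]
    for count_rel, max_rel in candidates:
        try:
            with open(os.path.join(proc_root, count_rel)) as fc, \
                    open(os.path.join(proc_root, max_rel)) as fm:
                return int(fc.read().strip()), int(fm.read().strip())
        except OSError:
            continue  # path absent on this kernel; try the next naming scheme
    return None, None


if __name__ == "__main__":
    print(scan_syslog(SAMPLE_SYSLOG))
    count, limit = conntrack_usage()
    if count is not None:
        print(f"conntrack: {count}/{limit} entries in use ({100 * count // limit}%)")
```

If `table_full` is non-zero, the firewall host is dropping packets for lack of conntrack entries, which is the netfilter-side symptom Tom describes, as opposed to anything in Shorewall itself running.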
