Bug 228277 - Should shorewall start before the network interfaces are brought up?
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: shorewall
Version: 6
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Robert Marcano
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-02-12 09:17 EST by Jonathan Underwood
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-05-15 09:30:18 EDT
Description Jonathan Underwood 2007-02-12 09:17:57 EST
Description of problem:
Currently, shorewall is started as service number S25, after network (S10). The
normal iptables script from core is run before the network is brought up (S08).
Shouldn't shorewall also start before the network - presumably there is a window
of opportunity at boot when an un-firewalled network is active (though
admittedly there probably aren't any listening daemons running at that point).

Version-Release number of selected component (if applicable):
3.2.8

How reproducible:
Every time

Steps to Reproduce:
1. Install shorewall
2. /sbin/chkconfig shorewall on
3. ls /etc/rc5.d

Actual results:
S25shorewall

Expected results:
S08shorewall?

Additional info:
Comment 1 Robert Marcano 2007-05-15 09:30:18 EDT
Shorewall sometimes needs the interfaces to be already up to do its work,
quoting http://www.shorewall.net/2.0/ErrorMessages.html

"ERROR: Unable to determine the routes through interface <interface>

    You have specified <interface> in the SUBNET column of /etc/shorewall/masq
which means that Shorewall is supposed to determine the network(s) routed
through that interface. To do that, Shorewall issues the command ip addr ls dev
<interface> and that command failed. This usually means that you are trying to
start Shorewall before the <interface> is brought up"

The method I use to solve this is to use system-config-security-level to set up
the bare-bones firewall rules before shorewall starts.
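
Added example (not part of the bug report or of the shorewall package): a shell check that reads start priorities from a SysV runlevel directory such as /etc/rc5.d and reports whether a firewall script starts before `network`, which is the ordering discussed in this report. The function names are hypothetical, and the sample directory is constructed from the S08, S10 and S25 values quoted above.

```shell
#!/bin/sh
# Print the start priority (the NN in SNN<service>) of a service in a
# runlevel directory; return 1 if the service has no start link there.
start_prio() {
    dir=$1 svc=$2
    for link in "$dir"/S[0-9][0-9]"$svc"; do
        # An unmatched glob stays literal; -L also accepts dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        prio=${name#S}
        prio=${prio%"$svc"}
        echo "${prio#0}"        # drop one leading zero: "08" -> "8"
        return 0
    done
    return 1
}

# Compare a firewall service against the network service (default: network).
# Returns 0 if the firewall starts first, 1 if it does not, 2 if a link is missing.
check_order() {
    dir=$1 fw=$2 net=${3:-network}
    fw_prio=$(start_prio "$dir" "$fw") || { echo "$fw: no start link in $dir"; return 2; }
    net_prio=$(start_prio "$dir" "$net") || { echo "$net: no start link in $dir"; return 2; }
    if [ "$fw_prio" -lt "$net_prio" ]; then
        echo "$fw (priority $fw_prio) starts before $net (priority $net_prio)"
        return 0
    fi
    echo "$fw (priority $fw_prio) does not start before $net (priority $net_prio)"
    return 1
}

# Constructed sample directory using the priorities named in the report.
demo=$(mktemp -d)
touch "$demo/S08iptables" "$demo/S10network" "$demo/S25shorewall"
check_order "$demo" iptables
check_order "$demo" shorewall || :
rm -rf "$demo"
```

On a real system, pass the runlevel directory directly, for example `check_order /etc/rc5.d shorewall`.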
