Description of problem:
Currently, shorewall is started as service number S25, after network (S10). The normal iptables script from core is run before the network is brought up (S08). Shouldn't shorewall also start before the network? Presumably there is a window of opportunity at boot when an un-firewalled network is active (though admittedly there probably aren't any listening daemons running at that point).

Version-Release number of selected component (if applicable):
3.2.8

How reproducible:
Every time

Steps to Reproduce:
1. Install shorewall
2. /sbin/chkconfig shorewall on
3. ls /etc/rc5.d

Actual results:
S25shorewall

Expected results:
S08shorewall?

Additional info:
Shorewall sometimes needs the interfaces to already be up to do its work, quoting http://www.shorewall.net/2.0/ErrorMessages.html:

"ERROR: Unable to determine the routes through interface <interface>
You have specified <interface> in the SUBNET column of /etc/shorewall/masq which means that Shorewall is supposed to determine the network(s) routed through that interface. To do that, Shorewall issues the command ip addr ls dev <interface> and that command failed. This usually means that you are trying to start Shorewall before the <interface> is brought up"

The method I use to solve this is to use system-config-security-level to set up the bare bones firewall rules before shorewall starts.
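The ordering the report describes can be checked mechanically from the S??name symlinks in an rc directory. The following script is an added example, not part of the bug report or of shorewall; the function names and the default directory /etc/rc5.d are assumptions taken from the reproduction steps above.

```sh
#!/bin/sh
# Added example: report whether shorewall is ordered before or after the
# network script in a SysV rc directory (default /etc/rc5.d, as in the report).
# A shorewall start priority numerically above network's means the interfaces
# come up before the shorewall ruleset is loaded.

# Print the two-digit start priority of a service from its S??name symlink,
# or return 1 if the service is not enabled in that runlevel.
start_prio() {
    dir=$1; svc=$2
    for f in "$dir"/S[0-9][0-9]"$svc"; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        base=${f##*/}                    # S25shorewall
        prio=${base#S}                   # 25shorewall
        echo "${prio%"$svc"}"            # 25
        return 0
    done
    return 1
}

# Compare shorewall against network in the given rc directory.
# Prints "before" (desired ordering), "after" (the ordering reported here)
# or "missing" when either service is not enabled in that runlevel.
shorewall_vs_network() {
    dir=${1:-/etc/rc5.d}
    sw=$(start_prio "$dir" shorewall) || { echo missing; return 1; }
    net=$(start_prio "$dir" network) || { echo missing; return 1; }
    if [ "$sw" -lt "$net" ]; then echo before; else echo after; fi
}

# Stand-alone usage: pass an rc directory, e.g. ./check.sh /etc/rc5.d
if [ -n "${1:-}" ]; then
    shorewall_vs_network "$1"
fi
```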