Red Hat Bugzilla – Bug 228277
Should shorewall start before the network interfaces are brought up?
Last modified: 2007-11-30 17:11:57 EST
Description of problem:
Currently, shorewall is started as service number S25, after network (S10). The
normal iptables script from core is run before the network is brought up (S08).
Shouldn't shorewall also start before the network - presumably there is a window
of opportunity at boot when an un-firewalled network is active (though
admittedly there probably aren't any listening daemons running at that point).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. /sbin/chkconfig shorewall on
Shorewall sometimes needs the interfaces to be already up to do its work:
"ERROR: Unable to determine the routes through interface <interface>
You have specified <interface> in the SUBNET column of /etc/shorewall/masq
which means that Shorewall is supposed to determine the network(s) routed
through that interface. To do that, Shorewall issues the command ip addr ls dev
<interface> and that command failed. This usually means that you are trying to
start Shorewall before the <interface> is brought up"
The method I use to solve this is to use the system-config-security-level to set up
the bare-bones firewall rules before shorewall starts.
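A check for the start ordering the report describes, written here as an added example and not part of the bug report or of Shorewall itself: it reads SysV rc-directory S-links (a constructed sample with S08iptables, S10network and S25shorewall, as in the report) and flags any firewall service ordered after network.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Shorewall.
# Checks SysV start order: does a firewall service's S-link carry a
# lower priority than network's, so it runs before interfaces come up?

# Print the two-digit start priority of a service in an rc directory,
# e.g. "25" for S25shorewall.  Returns 1 if the service has no S-link.
start_prio() {
    rcdir=$1; svc=$2
    for link in "$rcdir"/S[0-9][0-9]"$svc"; do
        [ -e "$link" ] || continue
        base=${link##*/}
        printf '%s\n' "$base" | cut -c2-3
        return 0
    done
    return 1
}

# Succeeds (exit 0) when $svc is ordered strictly before network.
# Exit 2 means one of the two services has no S-link at all.
starts_before_network() {
    rcdir=$1; svc=$2
    p=$(start_prio "$rcdir" "$svc") || return 2
    n=$(start_prio "$rcdir" network) || return 2
    [ "$p" -lt "$n" ]
}

# Constructed sample rc directory mirroring the layout in the report:
# iptables at S08, network at S10, shorewall at S25.
make_demo_rc() {
    d=$(mktemp -d)
    touch "$d/S08iptables" "$d/S10network" "$d/S25shorewall"
    printf '%s\n' "$d"
}

# Report, for each firewall service, whether it precedes network.
report() {
    rcdir=$1
    for svc in iptables shorewall; do
        if starts_before_network "$rcdir" "$svc"; then
            echo "$svc: starts before network (S$(start_prio "$rcdir" "$svc") < S$(start_prio "$rcdir" network))"
        else
            echo "$svc: starts AFTER network, unfiltered window at boot (S$(start_prio "$rcdir" "$svc"))"
        fi
    done
}

report "$(make_demo_rc)"
```

Reordering shorewall to an earlier priority would satisfy this check, but, as the comment above notes, Shorewall's masq SUBNET detection then fails because the interface is not yet up when it runs.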