s***@iotti.biz
2016-11-29 09:42:47 UTC
Hi all,
I use shorewall in a two node active/backup firewall cluster. I issue
shorewall stop on the inactive node to apply the rules described in
stoppedrules, just to protect the backup node itself. Unfortunately,
shorewall stop has the (for me) unwanted side effect of enabling routing,
i.e. putting 1 in /proc/sys/net/ipv4/ip_forward. This produces some problems,
mainly with proxy arp.
I would like to ask if there is a builtin way to make shorewall disable
routing, only when invoked with stop (I am aware of the IP_FORWARDING
setting which however is not specific for stop).
Just for completeness, my stoppedrules file lists only rules where $FW is
the source or the destination. So routing, in my case, should not be needed.
Maybe I'm using too much fantasy, but I think it would be even nicer if
routing would be automatically disabled in such a situation.
Thank you
Luigi