From: Andrew S. <asu...@su...> - 2006-11-18 14:00:06
On Wed, Nov 15, 2006 at 04:17:24AM +0000, Andrew Suffield wrote:
> On Tue, Nov 14, 2006 at 06:11:48PM -0800, Tom Eastep wrote:
> > Andrew Suffield wrote:
> > >
> > > So it seems like there's two ways to tackle this problem. The first is
> > > to dramatically reduce the number of iptables rules used by the
> > > firewall by restructuring it differently - I'm not sure if this is
> > > possible, so I'm attaching the relevant parts of one of them in case
> > > anybody has any ideas (the other is much the same, only bigger)
> >
> > I've attached an updated configuration which is similar. It requires
> > that you manually configure the broadcast addresses in the interfaces
> > file (I've just put "-") but it compiles on my not-so-new laptop in 10
> > seconds.
>
> I'll have to play with it next time I'm at that site, and
> see if this works as I expect.

It appears to work - but takes a little over 3 minutes to compile on the
server I normally use for this (1 minute user, 2 minutes system).
Admittedly that server's only got a C3 processor (poor cooling in that
cupboard), but that's still a long way from 10 seconds. I could use a
faster server instead, but I have to wonder if I'm missing something.

Still, it got the network downtime to a little under 1 minute (all the
firewalls are C3s too), which is at least tolerable - people don't call
me and complain when I do it any more.

> It also gives me another idea... maybe I can use ipsets to trim the
> number of duplicate rules, so the config isn't quite so eye-watering.

This was a promising idea but ran into a couple of problems. My first
effort got me this:

Validating hosts file...
   ERROR: BRIDGING=Yes is needed for this zone definition: bario eth0.102:+barionets

I'm not really sure why that happened, but I guess shorewall thinks this
is a bridge port rather than an ipset? I backed off from using a zone,
and did all the work in the rules file, which avoided the problem.
However, I then discovered this:

asuffield@rukia:~/shorewall/sado$ grep home firewall
progress_message2 "Processing /home/asuffield/shorewall/sado/stop ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/stopped ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/params ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/init ..."
ipset -R < /home/asuffield/shorewall/sado/ipsets
progress_message2 "Processing /home/asuffield/shorewall/sado/continue ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/initdone ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/start ..."
progress_message2 "Processing /home/asuffield/shorewall/sado/started ..."

That would work fine if I was using shorewall directly, but I don't
think it'll work very well with shorewall-lite. Presumably the contents
of the ipsets file should be copied into the firewall script instead.
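The fix suggested at the end of the message, as an added example that is not code from this thread or from Shorewall itself: post-process the compiled firewall script so that each `ipset -R < /path/ipsets` line is replaced by the file's contents in a heredoc, leaving nothing on the shorewall-lite host that depends on the compiling host's directory layout. The heredoc terminator name, the demo paths and the set contents (assumed to be in the `ipset -S` format that `ipset -R` consumes) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself:
# turn `ipset -R < /path/to/ipsets` in a compiled firewall script into an
# inline heredoc, so a shorewall-lite host needs no copy of that file.
# All paths and set contents below are constructed for the demo.
set -eu

# Copy SCRIPT to stdout, replacing each `ipset -R < FILE` line with
# `ipset -R <<'EOF_IPSETS'`, the contents of FILE, and the terminator.
inline_ipsets() {
    script="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "ipset -R < "*)
                src="${line#ipset -R < }"
                [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
                echo "ipset -R <<'EOF_IPSETS'"
                cat "$src"
                echo "EOF_IPSETS"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$script"
}

# Build a throwaway compile directory with a constructed ipsets file
# (ipset -S/-R format) and a minimal firewall script, then inline it.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-N barionets iphash' '-A barionets 10.1.2.3' \
        '-A barionets 10.1.2.4' 'COMMIT' > "$dir/ipsets"
    printf '%s\n' 'progress_message2 "Processing init ..."' \
        "ipset -R < $dir/ipsets" \
        'progress_message2 "Processing start ..."' > "$dir/firewall"
    inline_ipsets "$dir/firewall"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the rewritten script; on a real compile directory, redirect `inline_ipsets firewall` to the file you ship to the lite host.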