From: Andrew S. <and...@i2...> - 2011-07-31 16:53:06
Well, thanks for identifying the problem at least! - I'll do some digging on the web and see if anything presents itself, but otherwise hopefully someone on the list will have a clue.

Do you have any particular suggestions for a workaround? All I really need is to make sure I can get the tunnel params configured before shorewall6 launches... I first tried to do this by creating a script to run from init.d with chkconfig before shorewall6 launches, but it seems to have the same problem there and moving it to rc.local didn't cure it - initially I thought it was a chkconfig load ordering problem. So I guess now the problem is how to launch it at all without doing it interactively from a su prompt?

Not that it matters at this point, but there's nothing at all in the params file other than the comments lines, I didn't edit it, and I'm running the latest 4.4.21-1 build. (Just for completeness' sake.)

________________________________________
From: Tom Eastep [te...@sh...]
Sent: Sunday, July 31, 2011 9:03 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Sun, 2011-07-31 at 06:48 -0700, Tom Eastep wrote:
> On Sun, 2011-07-31 at 06:35 -0700, Tom Eastep wrote:
> > On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:
> >
> > > I am setting up a shorewall6-only config to firewall my HE tunnel. The system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem here.)
> > >
> > > Shorewall6 runs just fine when I "su" and then launch it manually with "shorewall6 start" - no problems, everything behaves exactly as intended, and all the firewall behavior is exactly as I want it to be. So with all that initial config taken care of (much experimentation required) I moved on to trying to get it to start at boot automatically.
> > >
> > > However, when I try to launch it instead by putting shorewall6 start into /etc/rc.d/rc.local, it fails, and the log only shows me this:
> > >
> > > [root@ipv6tunl log]# more shorewall6-init.log
> > > Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> > > Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed
> > >
> > > And that's it - nothing else in the log. I tried changing the start line to do tracing to /tmp/trace, but the trace came up empty, so at the moment I am clueless as to why it won't start properly at boot time.
> > >
> > > FYI, the reason I'm starting it this way rather than by chkconfig is so that I can force a few ip commands to complete first to configure the HE 6in4 tunnel first before starting the firewall that relies on the tunnel being running.
> > >
> > > Totally open to suggestions, or what more troubleshooting/logging I can provide - NOT a Linux expert, but learning fast.
> >
> > What are the contents of /etc/shorewall6/params?
> >
>
> Also, which version of Shorewall6 are you running?

I've reproduced the problem. It is an SELinux issue whereby a script in /etc/init.d is not permitted to execute /usr/share/shorewall/getparams.

You can reproduce the failure by simply typing:

    /etc/init.d/shorewall6 start

Hopefully someone with more SELinux foo than I have (which is none) can give you advice.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
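
An added example, not part of the original thread or of Shorewall itself: one way to confirm from the audit log that SELinux denied execution of getparams, and to tie the denial to the failed exec call. The log lines and SELinux type names below are constructed placeholders; on a real system the records are in /var/log/audit/audit.log.

```python
import re

# Constructed sample in audit.log format; the SELinux type names are placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312094290.101:41): avc:  denied  { execute } for  pid=1502 comm="shorewall6" name="getparams" dev=dm-0 ino=131339 scontext=system_u:system_r:example_init_t:s0 tcontext=system_u:object_r:example_usr_t:s0 tclass=file
type=SYSCALL msg=audit(1312094290.101:41): arch=c000003e syscall=59 success=no exit=-13 comm="shorewall6" exe="/bin/bash"
type=AVC msg=audit(1312094290.350:42): avc:  denied  { read } for  pid=1510 comm="httpd" name="index.html" dev=dm-0 ino=4411 scontext=system_u:system_r:example_web_t:s0 tcontext=system_u:object_r:example_home_t:s0 tclass=file
type=AVC msg=audit(1312094291.002:43): avc:  granted  { execute } for  pid=1600 comm="bash" name="getparams" dev=dm-0 ino=131339 scontext=system_u:system_r:example_user_t:s0 tcontext=system_u:object_r:example_usr_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<event>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(\d+)\):.*\bexit=(-?\d+)")

def parse_avc(line):
    """Return one AVC record as a dict, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec.update(event=m.group("event"), result=m.group("result"),
               perms=m.group("perms").split())
    return rec

def exec_denials(log_text, target_name):
    """Denied execute attempts on a file whose name is target_name."""
    wanted = {"execute", "execute_no_trans"}
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and rec.get("tclass") == "file"
                and rec.get("name") == target_name and wanted & set(rec["perms"])):
            hits.append(rec)
    return hits

def syscall_exit(log_text, event):
    """Exit code of the SYSCALL record sharing an AVC's event serial, if logged."""
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m and m.group(1) == event:
            return int(m.group(2))
    return None

if __name__ == "__main__":
    for d in exec_denials(SAMPLE_AUDIT_LOG, "getparams"):
        print(d["comm"], d["scontext"], "->", d["tcontext"],
              "exit", syscall_exit(SAMPLE_AUDIT_LOG, d["event"]))
```

An exit value of -13 is EACCES; the scontext and tcontext fields of the matching record name the source domain and the file label involved in the denial.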