Re: [Shorewall-users] Newb setup problem:

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Well, thanks for identifying the problem at least! - I'll do some digging on the web and see if anything presents itself, but otherwise hopefully someone on the list will have a clue. Do you have any particular suggestions for a workaround?

All I really need is to make sure I can get the tunnel params configured before shorewall6 launches... I first tried to do this by creating a script to run from init.d with chkconfig before shorewall6 launches, but it seems to have the same problem there and moving it to rc.local didn't cure it - initially I thought it was a chkconfig load ordering problem.  So I guess now the problem is how to launch it at all without doing it interactively from a su prompt?

Not that it matters at this point, but there's nothing at all in the params file other than the comments lines, I didn't edit it, and I'm running the latest 4.4.21-1 build. (Just for completeness' sake.)

________________________________________
From: Tom Eastep [te...@sh...]
Sent: Sunday, July 31, 2011 9:03 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Sun, 2011-07-31 at 06:48 -0700, Tom Eastep wrote:
> On Sun, 2011-07-31 at 06:35 -0700, Tom Eastep wrote:
> > On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:
> >
> > > I am setting up a shorewall6-only config to firewall my HE tunnel.  The system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem here.)
> > >
> > > Shorewall6 runs just fine when I "su" and then launch it manually with "shorewall6 start" - no problems, everything behaves exactly as intended, and all the firewall behavior is exactly as I want it to be.  So with all that initial config taken care of (much experimentation required) I moved on to trying to get it to start at boot automatically.
> > >
> > > However, when I try to launch it instead by putting shorewall6 start into /etc/rc.d/rc.local, it fails, and the log only shows me this:
> > >
> > > [root@ipv6tunl log]# more shorewall6-init.log
> > > Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> > > Jul 30 23:38:10    ERROR: Processing of /etc/shorewall6/params failed
> > >
> > > And that's it - nothing else in the log.  I tried changing the start line to do tracing to /tmp/trace, but the trace came up empty, so at the moment I am clueless as to why it won't start properly at boot time.
> > >
> > > FYI, the reason I'm starting it this way rather than by chkconfig is so that I can force a few ip commands to complete first to configure the HE 6in4 tunnel first before starting the firewall that relies on the tunnel being running.
> > >
> > > Totally open to suggestions, or what more troubleshooting/logging I can provide - NOT a Linux expert, but learning fast.
> >
> > What are the contents of /etc/shorewall6/params?
> >
>
> Also, which version of Shorewall6 are you running?

I've reproduced the problem. It is an SELinux issue whereby a script
in /etc/init.d is not permitted to
execute /usr/share/shorewall/getparams. You can reproduce the failure by
simply typing:

        /etc/init.d/shorewall6 start

Hopefully someone with more SELinux foo than I have (which is none) can
give you advice.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________