University Crest

[wlug] Debian, Shorewall and dial-up

wlug archive index About the wlug list Mailing lists home
To The University of Waikato HomepageWaikato Home > Waikato Mailing Lists > wlug Info > wlug archives
Glenn Ramsey glenn@c...
Tue May 3 10:25:30 NZST 2005

Recently I changed the NAT/firewall setup scripts on my Debian box to
Shorewall from ipmasp, because I couldn't figure out how to configure
DNAT using ipmasq.

There is problem with the Shorewall setup that I cannot find any
references to, neither in the docs nor googling.

This box does NAT/firewall for my small office LAN through a dial-up

On boot as Shorewall tries to start I get messages saying:
"modprobe: modprobe: can't locate module ppp0", until the script times 
out after 180s. After that, however it seems to work fine. The issue is 
that this extends the startup time by 3 minutes.

I think this is because, following the "two interface setup" in the
docs, I have set wait_interface="ppp0" in /etc/default/shorewall and
this causes /usr/share/shorewall/wait4ifup to be executed. Since it's a
dialup connection it can't find ppp0 at boot time, hence the problem.
Removing the wait_interface causes the startup of Shorewall to fail.

Seems like this would be a common issue and since I can't find any
references to it this makes me think I have missed something fundamental
in the setup.

Apart from this issue the rest of the setup works fine.

Ipmasq handles this situation by setting up LAN stuff at boot and then
having a /etc/ppp/ip-up script to setup the external interface stuff.

What is the right way to resolve this issue?

The solution I'm after is the "standard, out of the box" one. This is
because if I put in customised stuff I will inevitably forget about it
and then wonder why it's broken next time I uprade something[2].

For now I have disabled shorewall at startup and added a script that 
contains only "/sbin/shorewall restart" to /etc/ppp/ip-up.d. This works 
but also involves customisation beyond what is described in the docs and 
is additional to the configuration provided by the package. Ie if I 
remove the shorewall package my script will not be deleted.

I could just set the timeout in wait4ifup to be a smaller value,
like 1sec, which would solve the problem but that seems like a hack that 
I shouldn't need, but it's more likely to be removed if I remove/purge 
the package.


[1] in case you were wondering, DSL is not available where I live.

[2] and it's frustrating enough dealing with the stuff that breaks all
by itself when you upgrade something

Glenn Ramsey <glenn@c...> 07 8627077

More information about the wlug mailing list
NOTICE: This is an archive of a public mailing list. The University of Waikato is not responsible for its contents.

The University of Waikato - Te Whare Wananga o Waikato