 
08-17-2012, 07:35 PM
Nate Bargmann

Long delay when shorewall/shorewall6 starts/stops

This has bugged me on and off most of this year since for some reason
that I can't find, the shorewall/shorewall6 startup scripts have a pause
of about a minute before the system start/shutdown can continue. Right
now this affects both my desktop and laptop running Sid.

My desktop's network connection is a wired Ethernet that is managed by
the ifup/ifdown scripts. My laptop's wireless and wired interfaces
are managed by WiCD.

Right now in /etc/default/shorewall|shorewall6 is the variable
'wait_interface' that is undefined. A bit of testing shows the delay in
the scripts is not related to this variable. After this I am stumped as
the delay is deeper in Shorewall itself. This has gotten annoying
enough that I'm seriously considering a firewall alternative. I like
Shorewall as it is relatively easy to configure for new servers and
such.

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120817193557.GA17178@n0nb.us
 
08-19-2012, 04:09 PM
Camaleón

Long delay when shorewall/shorewall6 starts/stops

On Fri, 17 Aug 2012 14:35:57 -0500, Nate Bargmann wrote:

> This has bugged me on and off most of this year since for some reason
> that I can't find, the shorewall/shorewall6 startup scripts have a pause
> of about a minute before the system start/shutdown can continue. Right
> now this affects both my desktop and laptop running Sid.

(...)

Google has found this, but I'm not sure that's the cause of your delay
because it looks like a corner case:

***
http://www.shorewall.net/3.0/FAQ.htm#faq62

(FAQ 62) I have unexplained 30-second pauses during "shorewall [re]
start". What causes that?

Answer: This usually happens when the firewall uses LDAP Authentication.
The solution is to list your LDAP server(s) as critical in /etc/shorewall/
routestopped.
***

In the FAQ, there are also some tips for speeding up the service:

http://www.shorewall.net/3.0/FAQ.htm#faq34

Greetings,

--
Camaleón


Archive: http://lists.debian.org/k0r339$da2$5@ger.gmane.org
 
08-21-2012, 07:55 PM
Bob Proulx

Long delay when shorewall/shorewall6 starts/stops

Nate Bargmann wrote:
> This has bugged me on and off most of this year since for some reason
> that I can't find, the shorewall/shorewall6 startup scripts have a pause
> of about a minute before the system start/shutdown can continue. Right
> now this affects both my desktop and laptop running Sid.

I use shorewall on many systems and I do not experience any long
delays at startup or shutdown. Therefore this problem seems specific
to the configuration of your system.

> My desktop's network connection is a wired Ethernet that is managed by
> the ifup/ifdown scripts. My laptop's wireless and wired interfaces
> are managed by WiCD.

Same here.

I assume you have something like this in your /etc/network/interfaces:

allow-hotplug eth0
iface eth0 inet dhcp

If you change that to this does it improve things?

auto eth0
iface eth0 inet dhcp

I have noticed that when used with nis/yp the above avoids an nis
startup delay.

Bob
 
08-21-2012, 09:19 PM
Nate Bargmann

Long delay when shorewall/shorewall6 starts/stops

* On 2012 21 Aug 14:56 -0500, Bob Proulx wrote:
> Nate Bargmann wrote:
> > This has bugged me on and off most of this year since for some reason
> > that I can't find, the shorewall/shorewall6 startup scripts have a pause
> > of about a minute before the system start/shutdown can continue. Right
> > now this affects both my desktop and laptop running Sid.
>
> I use shorewall on many systems and I do not experience any long
> delays at startup or shutdown. Therefore this problem seems specific
> to the configuration of your system.

Of course. ;-)

> > My desktop's network connection is a wired Ethernet that is managed by
> > the ifup/ifdown scripts. My laptop's wireless and wired interfaces
> > are managed by WiCD.
>
> Same here.
>
> I assume you have something like this in your /etc/network/interfaces:
>
> allow-hotplug eth0
> iface eth0 inet dhcp

My laptop has exactly this stanza along with the lo stanza below in the
desktop's interfaces file. As WiCD is used, I wonder if the eth0 stanza
is necessary at all?

> If you change that to this does it improve things?
>
> auto eth0
> iface eth0 inet dhcp

This stanza is how my desktop is configured along with lo:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

WiCD is not used on the desktop as its only connection is the wired
Ethernet. The laptop can use either wired or wireless, both managed
via WiCD.

> I have noticed that when used with nis/yp the above avoids an nis
> startup delay.

So far as I know, I do not use nis/yp.

I suppose the next step is figuring out how to enable debugging in
Shorewall. Sigh...

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20120821211929.GF4826@n0nb.us
 
08-21-2012, 09:22 PM
Nate Bargmann

Long delay when shorewall/shorewall6 starts/stops

* On 2012 21 Aug 15:32 -0500, peasthope@shaw.ca wrote:
> From: Nate Bargmann <n0nb@n0nb.us>
> Date: Fri, 17 Aug 2012 14:35:57 -0500
> > Right now this affects both my desktop and laptop running Sid.
>
> Is the desktop the fw zone? Another machine?

Each machine is defined for its own fw zone. I do not have a DMZ. The
machines do sit behind an OpenWRT router with its firewall enabled.

> > ... the shorewall/shorewall6 startup scripts have a pause
> > of about a minute before the system start/shutdown can continue.
>
> By any chance, does fw have another connection which can be closed
> when Shorewall is setting up? A VPN tunnel for example.

Not to my knowledge. I do my remote access using SSH and have nothing
persistent.

Both machines do have IPV6 enabled and I am also using shorewall6 on
both.

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20120821212215.GG4826@n0nb.us
 
08-21-2012, 09:29 PM

Long delay when shorewall/shorewall6 starts/stops

From: Nate Bargmann <n0nb@n0nb.us>
Date: Fri, 17 Aug 2012 14:35:57 -0500
> Right now this affects both my desktop and laptop running Sid.

Is the desktop the fw zone? Another machine?

> ... the shorewall/shorewall6 startup scripts have a pause
> of about a minute before the system start/shutdown can continue.

By any chance, does fw have another connection which can be closed
when Shorewall is setting up? A VPN tunnel for example.

Regards, ... Peter E.



--
123456789 123456789 123456789 123456789 123456789 123456789 123456789 12
Telephone +13606390202. Bcc: peter at easthope.ca http://carnot.yi.org/
"http://members.shaw.ca/peasthope/index.html#Itinerary "


Archive: http://lists.debian.org/171057621.55134.29217@cantor.invalid
 
08-21-2012, 09:40 PM
Nate Bargmann

Long delay when shorewall/shorewall6 starts/stops

Camaleón, I accidentally deleted your reply.

Perhaps the only difference I can see with the FAQ you quoted is that
it's for the much older version 3.0. That has not been in
Unstable/Testing for some time. Currently, the Shorewall packages are
at 4.5.5-1. I'll double check for any LDAP stuff, though.

Thanks!

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20120821214045.GA20399@n0nb.us
 
08-21-2012, 11:12 PM
Bob Proulx

Long delay when shorewall/shorewall6 starts/stops

Nate Bargmann wrote:
> Bob Proulx wrote:
> > I assume you have something like this in your /etc/network/interfaces:
> >
> > allow-hotplug eth0
> > iface eth0 inet dhcp
>
> My laptop has exactly this stanza along with the lo stanza below in the
> desktop's interfaces file. As WiCD is used, I wonder if the eth0 stanza
> is necessary at all?

If specified then wicd will leave it as specified for ifupdown. If
not specified then wicd (or network-manager) will try to handle it.
So the answer of configuration is a decision for you. Do you want
ifupdown to manage it? Then you must specify it. Do you want wicd to
manage it? Then you must not specify it.

Note that udev will cache the ethernet address and if you change
network devices then udev will assign a different device name and then
wicd (or nm) will inherit it. This happens when moving disks from one
machine to another machine with a different ethernet address in the
hardware. Typical for me and many but unusual for many too. This is
the /etc/udev/rules.d/70-persistent-net.rules file.

> > If you change that to this does it improve things?
> >
> > auto eth0
> > iface eth0 inet dhcp
>
> This stanza is how my desktop is configured along with lo:

Using 'auto' is the old way. It sets up for a synchronous
configuration at boot time. Using 'allow-hotplug' is the new way. It
sets up for an event driven configuration to handle hotplug devices
such as usb devices, pcmcia, and so forth. Both work for the most
part. But there are corner cases in each.

> > I have noticed that when used with nis/yp the above avoids an nis
> > startup delay.
>
> So far as I know, I do not use nis/yp.

I wasn't suggesting that you were using nis. I was simply pointing
that out as a data point where using 'auto' avoids a delay but
'allow-hotplug' has a problem. It was an example only.

> I suppose the next step is figuring out how to enable debugging in
> Shorewall. Sigh...

Start at the /etc/init.d/shorewall level and look there first. It is
likely not an issue with the upstream /sbin/shorewall but with the
startup script process. I would start debugging like this:

sh -x /etc/init.d/shorewall restart

Look at the shell trace output and see where the delay is occurring.

Bob
 
08-22-2012, 12:43 AM

Long delay when shorewall/shorewall6 starts/stops

From: Nate Bargmann <n0nb@n0nb.us>
Date: Tue, 21 Aug 2012 16:22:15 -0500
> Each machine is defined for its own fw zone. I do not have a DMZ. The
> machines do sit behind an OpenWRT router with its firewall enabled.

Once everything is working, does "shorewall restart" give
the delay?

The router issues an address to each machine by DHCP?
One test is to temporarily connect the desktop machine directly
to the cable modem without the router. Another test is
to set a static address for the desktop machine.

Try various configurations until a clue surfaces.

Regards, ... Peter E.

--
123456789 123456789 123456789 123456789 123456789 123456789 123456789 12
Telephone +13606390202. Bcc: peter at easthope.ca http://carnot.yi.org/
"http://members.shaw.ca/peasthope/index.html#Itinerary "


Archive: http://lists.debian.org/171057621.68321.29220@cantor.invalid
 
08-22-2012, 02:38 AM
Nate Bargmann

Long delay when shorewall/shorewall6 starts/stops

* On 2012 21 Aug 18:46 -0500, peasthope@shaw.ca wrote:
> From: Nate Bargmann <n0nb@n0nb.us>
> Date: Tue, 21 Aug 2012 16:22:15 -0500
> > Each machine is defined for its own fw zone. I do not have a DMZ. The
> > machines do sit behind an OpenWRT router with its firewall enabled.
>
> Once everything is working, does "shorewall restart" give
> the delay?

No, it does not. I see in the /var/log/shorewall-init.log file that on each
machine a 1 minute delay occurs:

Aug 19 18:07:03 Creating iptables-restore input...
Aug 19 18:07:03 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 19 18:08:03 Starting Shorewall....
Aug 19 18:08:03 Initializing...
Aug 19 18:08:03 Processing /etc/shorewall/init ...
Aug 19 18:08:03 Processing /etc/shorewall/tcclear ...


But running manually there is no such delay:

Aug 21 17:29:07 Creating iptables-restore input...
Aug 21 17:29:07 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 21 17:29:07 Starting Shorewall....
Aug 21 17:29:07 Initializing...
Aug 21 17:29:07 Processing /etc/shorewall/init ...
Aug 21 17:29:07 Processing /etc/shorewall/tcclear ...


> The router issues an address to each machine by DHCP?

Yes, but I see this on the laptop no matter where I am, my network or
not, as I recall.

> One test is to temporarily connect the desktop machine directly
> to the cable modem without the router. Another test is
> to set a static address for the desktop machine.
>
> Try various configurations until a clue surfaces.

Thanks for the ideas. I'll also try Bob's suggestion as well.

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20120822023803.GK4826@n0nb.us
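
The comparison made in the last post, between the boot-time and manual excerpts of /var/log/shorewall-init.log, can be automated by scanning for jumps between consecutive timestamps. This is an added example, not part of any post in the thread; the function name, the 5-second threshold and the default year are assumptions, and the sample lines are copied from the excerpts quoted above.

```python
from datetime import datetime

# Lines copied from the two /var/log/shorewall-init.log excerpts in the thread.
BOOT_LOG = """\
Aug 19 18:07:03 Creating iptables-restore input...
Aug 19 18:07:03 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 19 18:08:03 Starting Shorewall....
Aug 19 18:08:03 Initializing...
Aug 19 18:08:03 Processing /etc/shorewall/init ...
Aug 19 18:08:03 Processing /etc/shorewall/tcclear ...
"""
MANUAL_LOG = """\
Aug 21 17:29:07 Creating iptables-restore input...
Aug 21 17:29:07 Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 21 17:29:07 Starting Shorewall....
Aug 21 17:29:07 Initializing...
Aug 21 17:29:07 Processing /etc/shorewall/init ...
Aug 21 17:29:07 Processing /etc/shorewall/tcclear ...
"""


def find_gaps(text, threshold=5, year=2012):
    """Return (seconds, step_before, step_after) for every stall >= threshold."""
    # The log carries no year, so one is assumed (hypothetical default);
    # all lines are expected to fall within that single calendar year.
    gaps, prev = [], None
    for line in text.splitlines():
        parts = line.split(None, 3)  # month, day, HH:MM:SS, message
        if len(parts) < 4:
            continue  # blank or truncated line
        try:
            when = datetime.strptime(f"{year} " + " ".join(parts[:3]),
                                     "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # no leading timestamp, e.g. wrapped output
        message = parts[3].rstrip()
        if prev is not None:
            seconds = int((when - prev[0]).total_seconds())
            if seconds >= threshold:
                gaps.append((seconds, prev[1], message))
        prev = (when, message)
    return gaps


if __name__ == "__main__":
    for name, log in (("boot", BOOT_LOG), ("manual", MANUAL_LOG)):
        for seconds, before, after in find_gaps(log):
            print(f"{name}: {seconds}s between {before!r} and {after!r}")
```

On the boot-time excerpt this reports one 60-second stall, between the "compiled to /var/lib/shorewall/.start" line and "Starting Shorewall....", and nothing for the manual run.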
 
