shorewall starts before the ppp interfaces
Hello,
I'm the maintainer of shorewall, an iptables based firewall.
I recently fixed the bug #172607, shorewall was started in runlevel 2,
3, 4, 5 at level 90 leaving the machine unprotected for a variable time.
Now shorewall starts in rcS.d/40 just after the configuration of the
network interfaces. This change, unluckily, introduced a new problem.
Shorewall has a feature that allows it to auto-determine the IP address of
an interface. This feature works perfectly except during the startup
procedure with a ppp interface.
A ppp interface can be configured through:
1) /etc/init.d/ppp (runlevel 2,3,4,5 (14))
2) /etc/init.d/networking (runlevel 1 (40))
Of course solution #1 doesn't work because shorewall is started before
the configuration of the interface. Solution #2 should be ok but it
isn't. The problem is the following: if the interface is configured with
dhcp, the startup procedure won't proceed until the interface is
configured, but this does not happen if your interface uses the ppp method,
because the ppp method is non-blocking.
For example if you stop your dhcp server before eth0 is ready, the
networking script will wait until the server is back again, or the
timeout exceeds. With the ppp method the script suddenly terminates
because pppd goes in background. The ppp method usually requires several
seconds to setup an interface, so when the startup procedure runs
shorewall, shorewall fails because it's not able to determine the ppp
interface address because the interface is not yet configured.
I looked at the pppd documentation, the nodetach option does the
opposite, pppd never goes in background. What I'm looking for is a
method to tell ifup to wait until the ppp interface is configured and
has its own address.
Any ideas?
-- lorenzo
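
The race described in the message above can be closed by polling with a bound before the firewall's address auto-detection runs. The sketch below is an added example, not part of the original post and not shorewall or ifupdown code; the function names are hypothetical and it assumes the iproute2 `ip` tool is available at that point in the boot sequence.

```shell
#!/bin/sh
# Added example: block until an interface has an IPv4 address, with a bound.
# Function names are hypothetical; nothing here is shorewall or ifupdown code.

# Print the first IPv4 address of interface $1, or nothing if it has none yet.
# Works for both "inet A.B.C.D/NN ..." and the ppp form "inet A.B.C.D peer ...".
get_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ split($4, a, "/"); print a[1]; exit }'
}

# wait_for_addr IFACE [TRIES] [INTERVAL_SECONDS]
# Polls up to TRIES times, sleeping INTERVAL between polls.
# Prints the address and returns 0 as soon as it appears.
# Returns 1 if it never appears, so the calling init script can log the
# failure and handle it explicitly instead of continuing silently.
wait_for_addr() {
    iface=$1
    tries=${2:-30}
    interval=${3:-1}
    while [ "$tries" -gt 0 ]; do
        addr=$(get_addr "$iface")
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# Typical call from a boot script (constructed usage, interface name assumed):
#   if addr=$(wait_for_addr ppp0 30 1); then
#       echo "ppp0 is up with $addr"
#   else
#       echo "ppp0 has no address after 30s" >&2
#   fi
```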