Great - thanks Tom! Removing routefilter from the 2 outbound interfaces
did the trick. I can now do both traceroute and http from the Pi, and
the -i option fixed traceroute on the firewall itself. I would have
given up long before stumbling across routefilter.

I haven't seen the dhcpd startup problem again so I assume that's gone
away. However, the mobile dongle startup seems to be getting more
unreliable, but that seems to be a USB problem, not a shorewall one, assuming
the kernel USB and networking stacks are completely disjoint.
(/var/log/messages shows it sometimes recognising the mass storage
device and/or the CDROM on the dongle but not the GSM modem, or
detecting it as a serial device but not doing anything with it).

Thanks again for excellent support.

Best regards - Philip

On 11/01/2017 19:46, Tom Eastep wrote:
> On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> > Hi Tom -
>
> > Several other problems which may or may not be related: 1.
> > traceroute getting send: operation not permitted when run from the
> > firewall itself.
>
> As pointed out in http://www.shorewall.org/MultiISP.html, packet
> marking is unreliable when applied to connections originating from the
> firewall. Try using the '-i' option of traceroute from the firewall.
>
> > 2. Mobile data dongle not starting with shorewall running -
> > possibly the same problem as 1.
>
> No clue -- are there any 'Shorewall' messages logged when this occurs?
>
> > 3. dhcpd not starting reliably - possibly a startup sequence
> > problem - it's worked the last twice and I didn't record the
> > message but was something about no available NICs to serve on.
>
> Sounds like a startup sequencing issue. Can't tell without seeing the
> messages.
>
> -Tom


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
