
Re: [cobalt-security] Basic IPTables rules for RaQ550



From: Eric Frisch <ericf@xxxxxxxxxxx>
Date: 17 Mar 2003 09:43:40 -0500

On Mon, 2003-03-17 at 09:04, Michelle A. Hoyle wrote:
> The only question I have now (and possibly more suited for Cobalt
> Users, but this is where we started) is that I'm getting a notice
> hourly from the cron daemon complaining that the log_traffic script
> can't find the tables it uses for its accounting.  I had a look at
> the script and I know that's because the gShield script is
> overwriting those rules.  How did you cope with this or did you just
> remove the hourly cronjob?


I haven't looked at this or noticed it because I am running gShield on a
somewhat kludged system.  My machine is really a Raq4r with a 2.4 kernel
stuffed into it.  I had to do this because of some stability/DOS-related
issues; the machine with the 2.2 kernel was constantly hanging.  I have
another Raq4r running in test with a 550 software load on it and may go
that way for all the systems because the entire software base is much
newer.


I ran into another question: I did get the firewall all configured *BUT* it only works for the main site IP/name. If I try to access any of the virtual hosts, they're blocked. I had a look at the [scanty] documentation and saw info about NATs and suchlike, but nothing specifically about passing through virtual IPs. With my RaQ4 ipchains configuration, this was never an issue. I saw something in the configuration directory called "routables." There are files in there to fill in IPs for something. Is it required to fill in the entire range of virtual host IPs in there plus permit the various services in the routables.conf as well? How did you handle that?


Without analyzing what log_traffic really does, it is hard to tell what
impact there is to disabling the cron job.

<SNIP>

Maybe the original rules could be added in at the end using the
separate file that gShield reads as its final task.  I assume the
original rules would probably show up in one of the rc files.


Actually, that was a good idea. gShield 2.8 allows you to specify a "first" and "last" script to be sourced. I just did an ln -s /etc/iptables.conf gshield.last and that's apparently taken care of that problem handily.

Thanks for your help,

Michelle
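
The "last" hook approach from the thread, as an added example that is not from the original messages and not gShield's or Cobalt's own code. It is the kind of script one would point gShield's final hook at instead of symlinking /etc/iptables.conf: it rebuilds a pair of traffic-accounting chains after gShield has flushed the tables, and it includes the check the hourly cron job effectively performs (are the accounting chains still there?). The chain names acct_in/acct_out, the IPT path and the address list are assumptions for illustration; the address list stands in for the primary and virtual-host IPs that log_traffic would account for. Counting rules without a target only increment counters, a user chain with no matching rule simply returns, and the jump is inserted at position 1 so that packets gShield later drops are still counted:

```shell
#!/bin/sh
# Added example (not from the thread, gShield or Cobalt): a gShield-style
# "last" hook that re-creates iptables accounting chains after gShield has
# rebuilt the ruleset, plus a check for the chains the cron job looks for.
# Assumptions (hypothetical): chain names, the IPT path and the address list.

IPT=${IPT:-/sbin/iptables}
ACCT_CHAINS="acct_in acct_out"
# Constructed list of the box's primary and virtual-host addresses.
VHOST_IPS="192.0.2.10 192.0.2.11 192.0.2.12"

# chain_exists DUMP CHAIN: succeeds if an iptables-save dump declares CHAIN
# (user chains appear as ":name - [pkts:bytes]").
chain_exists() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# missing_chains DUMP: prints the accounting chains absent from the dump,
# which is exactly what the hourly log_traffic job would complain about.
missing_chains() {
    _out=""
    for c in $ACCT_CHAINS; do
        chain_exists "$1" "$c" || _out="$_out $c"
    done
    printf '%s' "${_out# }"
}

# accounting_rules: prints the iptables commands, one per line, that rebuild
# the accounting chains idempotently and hook them in ahead of gShield's rules.
accounting_rules() {
    # Create each chain, or flush it if gShield left an old copy behind.
    for c in $ACCT_CHAINS; do
        echo "$IPT -N $c 2>/dev/null || $IPT -F $c"
    done
    # One counting rule per address; no target means "count and continue".
    for ip in $VHOST_IPS; do
        echo "$IPT -A acct_in -d $ip"
        echo "$IPT -A acct_out -s $ip"
    done
    # Remove any stale jump, then insert at position 1 so drops are counted too.
    for hook in "INPUT -j acct_in" "OUTPUT -j acct_out"; do
        echo "$IPT -D $hook 2>/dev/null; $IPT -I $hook"
    done
}

# apply_accounting: execute the generated commands (needs root and iptables).
apply_accounting() {
    accounting_rules | while read -r cmd; do eval "$cmd"; done
}

# Invoked as a script: "apply" installs the rules, "check" reports missing
# chains, anything else just prints the commands. When sourced from gShield's
# last hook, call apply_accounting directly instead.
case "${1:-}" in
    apply) apply_accounting ;;
    check) m=$(missing_chains "$(iptables-save)")
           [ -z "$m" ] && echo "accounting chains present" || echo "missing: $m" ;;
    "") : ;;
    *) accounting_rules ;;
esac
```

Per-address byte counts then come from `iptables -L acct_in -vnx` and `iptables -L acct_out -vnx`; because the jump is re-inserted at position 1 every time the hook runs, the counters survive a gShield reload instead of vanishing with the flushed table.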