On 01/10/2017 12:50 PM, Philip Le Riche wrote:
> I'm afraid I'm still struggling with this, though I made a minor
> breakthrough when I realised I hadn't added a masq rule for the
> raw interface, and the ppp0 not usable problem has gone away. (It
> seems I have to connect it with shorewall clear then start
> shorewall.) Anyway, my home test setup now seems to be working like
> the school firewall.
>
> (To recap, Raspberry Pis on zone pinet are accessed by PCs in zone
> schl using ssh and vnc, and access the Internet via schl and the
> school gateway. Traceroute traffic (only) from Pis and the firewall
> is to be routed to a 3rd zone containing a mobile data dongle to
> give unfiltered Internet access.)
>
> Traceroute is now routed correctly from the Pis, but on the
> firewall traceroute reports Send: Operation not permitted. (I have
> the same rules with pinet and $FW as source to allow traceroute.)
> Also, web access from both the Pis and the firewall is now broken.
> However a PC on schl can still access a Pi.
>
> My providers file is now:
>
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
> raw     1       1     -          ppp0       -
> school  2       -     -          eno1       192.168.1.1  primary
>
> If I add option fallback to provider raw, that fixes web from both
> the Pis and the firewall but breaks traceroute. (I didn't think it
> was a good idea but tried it anyway.)
>
> I've read providers(5) and Multiple Internet Connections several
> times and spent a good few hours trying to get it to work but there
> seems to be something that I still haven't correctly understood.
> Any help would be greatly appreciated.
>
> For reference, my other relevant shorewall files are:
>
> mangle:
>
> #ACTION  SOURCE           DEST  PROTO  PORT(S)      SOURCE   USER  TEST
> #                                                   PORT(S)
> MARK(1)  enx00e04c534458  -     udp    33434:33523  -        -     -
> MARK(1)  enx00e04c534458  -     253    -            -        -     -
> MARK(1)  $FW              -     udp    33434:33523  -        -     -
> MARK(1)  $FW              -     253    -            -        -     -
>
> rtrules:
>
> #SOURCE          DEST  PROVIDER  PRIORITY  MARK
> enx00e04c534458  -     raw       11000     1
> lo               -     raw       11000     1
>
> zones:
>
> fw     firewall
> schl   ipv4
> pinet  ipv4
> inet   ipv4
>
> interfaces:
>
> schl   eno1             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> pinet  enx00e04c534458  tcpflags,nosmurfs,routefilter,logmartians
> inet   ppp0             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

Philip,

Please:

a) Set fallback on the raw provider.
b) Shorewall reload
c) Try a traceroute from a Pi
d) 'shorewall dump > dump'
e) Send me the 'dump' file.

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
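The thread hinges on how the providers, mangle and rtrules files refer to each other by provider name and fwmark. The script below is an added example, not Shorewall's own code: it cross-checks the three files as quoted above (embedded here as constructed sample text) and flags marks or provider names that do not line up, plus any provider carrying none of primary, fallback or balance, which is the setting Tom's step (a) changes. The `check()` function and its message wording are this example's own.

```python
import re

# Constructed sample data: the three Shorewall files as quoted in the thread.
PROVIDERS = """\
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       -
school  2       -     -          eno1       192.168.1.1  primary
"""
MANGLE = """\
#ACTION  SOURCE           DEST  PROTO  PORT(S)      SOURCE  USER  TEST
MARK(1)  enx00e04c534458  -     udp    33434:33523  -       -     -
MARK(1)  enx00e04c534458  -     253    -            -       -     -
MARK(1)  $FW              -     udp    33434:33523  -       -     -
MARK(1)  $FW              -     253    -            -       -     -
"""
RTRULES = """\
#SOURCE          DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458  -     raw       11000     1
lo               -     raw       11000     1
"""

def rows(text):
    """Split a Shorewall file into whitespace-separated columns, skipping comments."""
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def check(providers=PROVIDERS, mangle=MANGLE, rtrules=RTRULES):
    """Return a list of findings; an empty list means the three files agree."""
    provs = {}
    for r in rows(providers):
        opts = set(r[6].split(",")) if len(r) > 6 else set()
        provs[r[0]] = {"mark": r[2], "opts": opts}
    owned = {p["mark"] for p in provs.values() if p["mark"] != "-"}
    out = []
    for r in rows(mangle):  # every MARK(n) action must name a provider's mark
        m = re.fullmatch(r"MARK\((\d+)\)", r[0])
        if m and m.group(1) not in owned:
            out.append(f"mangle: MARK({m.group(1)}) matches no provider mark")
    for r in rows(rtrules):  # provider column must exist; MARK column must agree
        if r[2] not in provs:
            out.append(f"rtrules: unknown provider {r[2]}")
        elif len(r) > 4 and r[4] != "-" and provs[r[2]]["mark"] != r[4]:
            out.append(f"rtrules: mark {r[4]} does not match provider {r[2]}")
    for name, p in provs.items():  # providers reachable only via marks/rtrules
        if not p["opts"] & {"primary", "fallback", "balance"}:
            out.append(f"providers: {name} has no primary/fallback/balance option")
    return out

if __name__ == "__main__":
    for finding in check():
        print(finding)
```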