Hi Tom,
That helped. I made the optional interface configuration the default.
#ZONE INTERFACE OPTIONS
inet eth5 detect tcpflags,nosmurfs,logmartians,optional
lan  eth4 detect tcpflags,nosmurfs,logmartians,optional
lan  eth0 detect tcpflags,nosmurfs,logmartians,optional
inet eth3 detect tcpflags,nosmurfs,logmartians,optional
cat /etc/shorewall/snat
MASQUERADE 0.0.0.0/0 eth3:0.0.0.0/0
MASQUERADE 0.0.0.0/0 eth5:0.0.0.0/0
I believe adding optional will only disable handling the routing error that
I was seeing. Is there any other downside to adding the optional keyword in
the interface configuration? I also wanted to know: if the interface gets an
IP address, do I have to restart Shorewall?
Any pointer or link to understand Shorewall's design and how it works would
help.
Thanks,
Naveen
On Tue, Jul 24, 2018 at 9:54 AM, Tom Eastep <teas...@shorewall.net> wrote:
> On 07/23/2018 04:38 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > I have upgraded to the latest version of Shorewall, but I am running
> > into an error which I did not see with the old version.
> >
> > #shorewall version
> > 5.2.0.4
> >
> > #shorewall restart
> >
> > Optimizing Ruleset...
> > Creating iptables-restore input...
> > Shorewall configuration compiled to /var/lib/shorewall/.restart
> > Stopping Shorewall....
> >    ERROR: Unable to determine the routes through interface "eth5":
> > Firewall state not changed
> > /usr/share/shorewall/lib.common: line 93: 15598 Terminated              $SHOREWALL_SHELL $script $options $@
> >
> > Interface eth5 is configured for DHCP, but it does not have an IP.
> >
> > eth5      Link encap:Ethernet  HWaddr 00:50:56:a6:72:24
> >           BROADCAST MULTICAST  MTU:1500  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >
> > #cat /etc/shorewall/conntrack
> > #
> > # Shorewall version 4 - conntrack File
> > #
> > # For information about entries in this file, type man shorewall-conntrack
> > #
> > ##############################################################################################################
> > ?FORMAT 3
> > #ACTION                    SOURCE          DESTINATION  PROTO  DEST     SOURCE   USER/  SWITCH
> > #                                                              PORT(S)  PORT(S)  GROUP
> > IPTABLES(CT --zone 0)      eth4            -
> > IPTABLES(CT --zone 0):PO   (0.0.0.0/0)     eth4
> > IPTABLES(CT --zone 0)      eth0            -
> > IPTABLES(CT --zone 0):PO   (0.0.0.0/0)     eth0
> > IPTABLES(CT --zone 1)      eth3            -
> > IPTABLES(CT --zone 1):PO   (0.0.0.0/0)     eth3
> > IPTABLES(CT --zone 2)      eth5            -
> > IPTABLES(CT --zone 2):PO   (0.0.0.0/0)     eth5
> >
> >
> > # cat /etc/shorewall/interfaces
> > #ZONE INTERFACE OPTIONS
> > lan eth4 detect tcpflags,nosmurfs,logmartians
> > lan eth0 detect tcpflags,nosmurfs,logmartians
> > inet eth3 detect tcpflags,nosmurfs,logmartians
> > inet eth5 detect tcpflags,nosmurfs,logmartians
> >
> >
> > Trying to understand why the error is seen with the latest Shorewall, and
> > whether any configuration can help me clear the error.
> >
>
> Because you didn't do what I suggested. You want:
>
> IPTABLES(CT --zone 0) eth4
> IPTABLES(CT --zone 0):O 0.0.0.0/0 eth4
> IPTABLES(CT --zone 0) eth0
> IPTABLES(CT --zone 0):O 0.0.0.0/0 eth0
> IPTABLES(CT --zone 0) eth3
> IPTABLES(CT --zone 0):O 0.0.0.0/0 eth5
> IPTABLES(CT --zone 0) eth0
> IPTABLES(CT --zone 0):O 0.0.0.0/0 eth5
>
>
> -Tom
> --
> Tom Eastep            \   Q: What do you get when you cross a mobster with
> Shoreline,             \      an international standard?
> Washington, USA         \  A: Someone who makes you an offer you can't
> http://shorewall.org     \    understand
>                           \_______________________________________________
>
>
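The error quoted above appears when Shorewall is restarted while an interface listed in /etc/shorewall/interfaces has no address and is not marked optional. The script below is an added example, not code from this thread or from the Shorewall project: it is a pre-flight check that lists exactly those interfaces before you run "shorewall restart". It assumes the four-column ZONE INTERFACE BROADCAST OPTIONS layout of the interfaces file shown in the thread and the line format of "ip -4 -o addr show"; the two interfaces files and the ip output embedded in it are constructed copies of the thread's configuration so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Shorewall project.
# Pre-flight check for "shorewall restart": list every entry in the
# interfaces file that has no IPv4 address and is NOT marked "optional".
# Those are the interfaces for which Shorewall reports
#   ERROR: Unable to determine the routes through interface "..."
#
# Assumptions: the four-column ZONE INTERFACE BROADCAST OPTIONS layout used
# in the thread, and the line format of "ip -4 -o addr show". All inputs
# below are constructed so the script runs offline.

# Constructed copy of the interfaces file as first posted (no "optional").
INTERFACES_BEFORE='#ZONE INTERFACE OPTIONS
lan  eth4 detect tcpflags,nosmurfs,logmartians
lan  eth0 detect tcpflags,nosmurfs,logmartians
inet eth3 detect tcpflags,nosmurfs,logmartians
inet eth5 detect tcpflags,nosmurfs,logmartians'

# Constructed copy after adding "optional" to the DHCP interface eth5.
INTERFACES_AFTER='#ZONE INTERFACE OPTIONS
lan  eth4 detect tcpflags,nosmurfs,logmartians
lan  eth0 detect tcpflags,nosmurfs,logmartians
inet eth3 detect tcpflags,nosmurfs,logmartians
inet eth5 detect tcpflags,nosmurfs,logmartians,optional'

# Constructed "ip -4 -o addr show" output using RFC 5737 test addresses.
# eth5 is up for DHCP but holds no lease, so it has no line here.
IP_ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth4    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth4\       valid_lft forever preferred_lft forever
4: eth3    inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic eth3\       valid_lft 3000sec preferred_lft 3000sec'

# has_ipv4 IFACE IP_OUTPUT: succeed if IFACE has at least one IPv4 address.
# In "ip -4 -o addr show" output, field 2 is the device and field 3 is "inet".
has_ipv4() {
    printf '%s\n' "$2" |
        awk -v dev="$1" '$2 == dev && $3 == "inet" { found = 1 } END { exit (found ? 0 : 1) }'
}

# list_unready CONF IP_OUTPUT: print "ZONE IFACE" for every non-optional
# interface that currently has no IPv4 address (prints nothing if all are ready).
list_unready() {
    # Strip comments, then emit "zone iface options" ("-" when no options column).
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk 'NF >= 3 { print $1, $2, $NF } NF == 2 { print $1, $2, "-" }' |
        while read -r zone iface opts; do
            # Shorewall accepts a missing address on an "optional" interface.
            case ",$opts," in
                *,optional,*) continue ;;
            esac
            has_ipv4 "$iface" "$2" || printf '%s %s\n' "$zone" "$iface"
        done
}

# check_interfaces CONF IP_OUTPUT: return 0 when a restart would not trip over
# a missing address, 1 (with a report on stderr) otherwise.
check_interfaces() {
    unready=$(list_unready "$1" "$2")
    [ -z "$unready" ] && return 0
    printf 'non-optional interfaces without an IPv4 address:\n%s\n' "$unready" >&2
    return 1
}

# Stand-alone run against the constructed inputs.
if check_interfaces "$INTERFACES_BEFORE" "$IP_ADDR_OUT"; then
    echo "before: no restart blocker"
else
    echo "before: fix the interfaces above (or mark them optional) before restarting"
fi
if check_interfaces "$INTERFACES_AFTER" "$IP_ADDR_OUT"; then
    echo "after: safe to restart"
fi
```

On a real firewall, feed the check with "$(cat /etc/shorewall/interfaces)" and "$(ip -4 -o addr show)" instead of the constructed variables. The script only tells you which interfaces would trip the error; whether marking them optional is the right fix for a given deployment is a separate decision, and for interfaces that acquire an address after startup see the enable and disable commands in shorewall(8).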
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users