Naveen,

You don't need 'optional' with the rules that I sent you.

-Tom

On 07/25/2018 11:42 AM, Naveen Neelakanta wrote:
> Hi Tom,
>
> That helped, I made the optional interface configuration the default.
>
> #ZONE   INTERFACE   OPTIONS
> inet    eth5        detect   tcpflags,nosmurfs,logmartians,optional
> lan     eth4        detect   tcpflags,nosmurfs,logmartians,optional
> lan     eth0        detect   tcpflags,nosmurfs,logmartians,optional
> inet    eth3        detect   tcpflags,nosmurfs,logmartians,optional
>
> cat /etc/shorewall/snat
> MASQUERADE   0.0.0.0/0   eth3:0.0.0.0/0
> MASQUERADE   0.0.0.0/0   eth5:0.0.0.0/0
>
> I believe adding optional will only disable handling of the routing error
> that I was seeing; is there any other downside to adding the optional
> keyword in the interface configuration? I just wanted to know whether, if
> the interface gets an IP address, I have to restart Shorewall.
>
> Any pointer or link to understand Shorewall's design and how it works will
> help.
>
> Thanks,
> Naveen
>
> On Tue, Jul 24, 2018 at 9:54 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
> On 07/23/2018 04:38 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > I have upgraded to the latest version of Shorewall, but I am running
> > into an error which I did not see with the old version.
> >
> > #shorewall version
> > 5.2.0.4
> >
> > #shorewall restart
> >
> > Optimizing Ruleset...
> > Creating iptables-restore input...
> > Shorewall configuration compiled to /var/lib/shorewall/.restart
> > Stopping Shorewall....
> >    ERROR: Unable to determine the routes through interface "eth5":
> >    Firewall state not changed
> > /usr/share/shorewall/lib.common: line 93: 15598 Terminated
> >    $SHOREWALL_SHELL $script $options $@
> >
> > Interface eth5 is configured for DHCP, but it does not have an IP.
> >
> > eth5   Link encap:Ethernet  HWaddr 00:50:56:a6:72:24
> >        BROADCAST MULTICAST  MTU:1500  Metric:1
> >        RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >        TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >        collisions:0 txqueuelen:1000
> >        RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >
> > #cat /etc/shorewall/conntrack
> > #
> > # Shorewall version 4 - conntrack File
> > #
> > # For information about entries in this file, type man shorewall-conntrack
> > #
> > ##############################################################################
> > ?FORMAT 3
> > #ACTION                     SOURCE        DESTINATION   PROTO   DEST      SOURCE    USER/   SWITCH
> > #                                                               PORT(S)   PORT(S)   GROUP
> > IPTABLES(CT --zone 0)       eth4          -
> > IPTABLES(CT --zone 0):PO    (0.0.0.0/0)   eth4
> > IPTABLES(CT --zone 0)       eth0          -
> > IPTABLES(CT --zone 0):PO    (0.0.0.0/0)   eth0
> > IPTABLES(CT --zone 1)       eth3          -
> > IPTABLES(CT --zone 1):PO    (0.0.0.0/0)   eth3
> > IPTABLES(CT --zone 2)       eth5          -
> > IPTABLES(CT --zone 2):PO    (0.0.0.0/0)   eth5
> >
> > # cat /etc/shorewall/interfaces
> > #ZONE   INTERFACE   OPTIONS
> > lan     eth4        detect   tcpflags,nosmurfs,logmartians
> > lan     eth0        detect   tcpflags,nosmurfs,logmartians
> > inet    eth3        detect   tcpflags,nosmurfs,logmartians
> > inet    eth5        detect   tcpflags,nosmurfs,logmartians
> >
> > Trying to understand why the error is seen with the latest Shorewall and any
> > configuration that can help me clear the error.
> >
>
> Because you didn't do what I suggested. You want:
>
> IPTABLES(CT --zone 0)      eth4
> IPTABLES(CT --zone 0):O    0.0.0.0/0   eth4
> IPTABLES(CT --zone 0)      eth0
> IPTABLES(CT --zone 0):O    0.0.0.0/0   eth0
> IPTABLES(CT --zone 0)      eth3
> IPTABLES(CT --zone 0):O    0.0.0.0/0   eth5
> IPTABLES(CT --zone 0)      eth0
> IPTABLES(CT --zone 0):O    0.0.0.0/0   eth5
>
> -Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
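The failure in this thread is a restart that aborts because an interface listed in /etc/shorewall/interfaces has no address yet (DHCP not finished) and is not marked 'optional', the option Shorewall documents as letting start/restart proceed when an interface is not up. The following pre-flight check is an added example, not part of the thread and not Shorewall's own code: it reads an interfaces file in the ZONE INTERFACE BROADCAST OPTIONS layout shown above, compares it against the address list, and reports every interface that is both address-less and non-optional, so an operator can see the problem before running `shorewall restart`. The interfaces text and the address list are constructed sample data; on a real host the assumed inputs would be `cat /etc/shorewall/interfaces` and `ip -4 -o addr show`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a Shorewall
# 'interfaces' file. Reports every interface that currently has no IPv4
# address and is NOT marked 'optional', since such an interface makes
# "shorewall restart" fail with "Unable to determine the routes through
# interface ...". Runs offline on the constructed samples below.

# Constructed sample of /etc/shorewall/interfaces: the four interfaces
# from the thread, with 'optional' set only on eth3.
INTERFACES_SAMPLE='#ZONE   INTERFACE   OPTIONS
lan     eth4        detect   tcpflags,nosmurfs,logmartians
lan     eth0        detect   tcpflags,nosmurfs,logmartians
inet    eth3        detect   tcpflags,nosmurfs,logmartians,optional
inet    eth5        detect   tcpflags,nosmurfs,logmartians'

# Constructed stand-in for the output of "ip -4 -o addr show": one line per
# interface that holds an IPv4 address. eth5 is absent (DHCP not done) and
# the addresses are documentation ranges, not real ones.
ADDR_SAMPLE='2: eth4    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth4
3: eth0    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth0'

# has_ipv4 IFACE ADDR_TEXT -> exit 0 if IFACE owns an inet address line.
has_ipv4() {
    printf '%s\n' "$2" |
        awk -v ifc="$1" '$2 == ifc && $3 == "inet" { found = 1 } END { exit !found }'
}

# risky_interfaces INTERFACES_TEXT ADDR_TEXT -> prints, one per line, the
# interfaces that have no IPv4 address and also lack the 'optional' option.
# Comment lines, blank lines and ?DIRECTIVE lines are skipped.
risky_interfaces() {
    printf '%s\n' "$1" | while read -r zone iface bcast options; do
        case "$zone" in ''|'#'*|'?'*) continue ;; esac
        if ! has_ipv4 "$iface" "$2"; then
            case ",$options," in
                *,optional,*) ;;               # tolerated: restart will proceed
                *) printf '%s\n' "$iface" ;;   # this one would abort the restart
            esac
        fi
    done
}

# Report on the constructed sample when the script is run directly.
risky_interfaces "$INTERFACES_SAMPLE" "$ADDR_SAMPLE"
```

On the sample the check names only eth5: eth4 and eth0 hold addresses, and eth3 is address-less but optional. The check is deliberately read-only; it does not alter the firewall, it only tells the operator which interface would trip the error so they can decide between waiting for the lease and adding 'optional'.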
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users