From: <pea...@sh...> - 2010-12-27 19:19:51
From: Tom Eastep <te...@sh....>
Date: Mon, 27 Dec 2010 09:49:29 -0800

> My sincere apologies.

No offense but I was puzzled.

> I missed the LOC+.

That's Loc+ for all interfaces in the loc zone. Pascal style spelling. I described this interface naming scheme a month or two back in response to interest from another list participant. Not sure whether this problem is strictly since that change. Perhaps it won't work after all.

OK, this in the interfaces manual is pertinent.

"routeback ... This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard."

routeback added.

joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
net     MainBoard       detect  dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     Loc+            detect  tcpflags,nosmurfs,routeback
vpn     tun0

After 'shorewall restart' the addresses still don't show.

joule:/etc/shorewall# shorewall show zones
Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 03:17:16 PST 2010

fw (firewall)
net (ipv4)
  MainBoard:0.0.0.0/0
loc (ipv4)
  Loc+:0.0.0.0/0
vpn (ipv4)
  tun0:0.0.0.0/0

Naming the interfaces explicitly is no improvement.

joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
net     MainBoard         detect  dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     LocPCI1           detect  tcpflags,nosmurfs,routeback
loc     LocACS29H901847   detect  tcpflags,nosmurfs,routeback
vpn     tun0

joule:/etc/shorewall# shorewall restart
...
joule:/etc/shorewall# shorewall show zones
Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 04:05:01 PST 2010

fw (firewall)
net (ipv4)
  MainBoard:0.0.0.0/0
loc (ipv4)
  LocACS29H901847:0.0.0.0/0
  LocPCI1:0.0.0.0/0
vpn (ipv4)
  tun0:0.0.0.0/0

My interface names are unconventional for Linux but apparently acceptable to udev and ifconfig. Shorewall does not recognize them? If all else fails I can try reverting to the good old ethn interface names.

Thanks, ... Peter E.

--
Telephone 1 360 450 2132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .