From: Tom E. <te...@sh...> - 2010-12-27 19:37:53

On 12/27/10 10:13 AM, pea...@sh... wrote:
> From: Tom Eastep <te...@sh....>
> Date: Mon, 27 Dec 2010 09:49:29 -0800
>> My sincere apologies.
>
> No offense but I was puzzled.
>
>> I missed the LOC+.
>
> That's Loc+ for all interfaces in the loc zone. Pascal style spelling.
> I described this interface naming scheme a month or two back in response
> to interest from another list participant. Not sure whether this problem
> is strictly since that change. Perhaps it won't work after all.
>
> OK, this in the interfaces manual is pertinent.
> "routeback ... This option is also required when you have used a
> wildcard in the INTERFACE column if you want to allow traffic
> between the interfaces that match the wildcard."
>
> routeback added.
>
> joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
> net   MainBoard   detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
> loc   Loc+        detect   tcpflags,nosmurfs,routeback
> vpn   tun0
>
> After 'shorewall restart' the addresses still don't show.
> joule:/etc/shorewall# shorewall show zones
> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 03:17:16 PST 2010
>
> fw (firewall)
> net (ipv4)
>    MainBoard:0.0.0.0/0
> loc (ipv4)
>    Loc+:0.0.0.0/0
> vpn (ipv4)
>    tun0:0.0.0.0/0
>
> I didn't expect that to change.
> Naming the interfaces explicitly is no improvement.
>
> joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
> net   MainBoard         detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
> loc   LocPCI1           detect   tcpflags,nosmurfs,routeback
> loc   LocACS29H901847   detect   tcpflags,nosmurfs,routeback
> vpn   tun0
>
> joule:/etc/shorewall# shorewall restart
> ...
> joule:/etc/shorewall# shorewall show zones
> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 04:05:01 PST 2010
>
> fw (firewall)
> net (ipv4)
>    MainBoard:0.0.0.0/0
> loc (ipv4)
>    LocACS29H901847:0.0.0.0/0
>    LocPCI1:0.0.0.0/0
> vpn (ipv4)
>    tun0:0.0.0.0/0
>
> My interface names are unconventional for Linux but apparently
> acceptable to udev and ifconfig. Shorewall does not recognize
> them? If all else fails I can try reverting to the good old
> ethN interface names.

I suspect that we are trying to solve multiple problems at once here.
Your original post complained that FTP didn't work and indicated that
you were getting REJECTs out of the FORWARD chain. Are you still seeing
those messages?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
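The manual rule quoted in the thread (a wildcard INTERFACE entry such as Loc+ needs routeback if the interfaces matching the wildcard are to talk to each other) is easy to forget and easy to check mechanically. The script below is an added example written for this page; it is not part of Shorewall and not something either poster ran. It assumes the four-column interfaces layout shown in the thread (ZONE INTERFACE BROADCAST OPTIONS, comments starting with #); the newer FORMAT 2 layout is not handled. The sample file is constructed from the thread's entries with routeback removed from the Loc+ line so that the failing case is visible.

```sh
#!/bin/sh
# Added example, not Shorewall project code: lint a Shorewall 4.4-style
# /etc/shorewall/interfaces file for wildcard interface entries (name
# ending in "+") whose OPTIONS column does not contain "routeback".
#
# Usage: check_wildcard_routeback /etc/shorewall/interfaces
# Prints "ZONE INTERFACE" for each offending entry.
# Returns 0 if every wildcard entry has routeback, 1 otherwise.
check_wildcard_routeback() {
    awk '
        # Skip comments and blank lines, like the egrep -v in the thread.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            zone = $1
            iface = $2
            # Assumed layout: ZONE INTERFACE BROADCAST OPTIONS, so the
            # option list (if any) is the 4th field.
            opts = (NF >= 4) ? $4 : ""
            # Only wildcard entries (trailing "+") need routeback for
            # traffic between the interfaces the wildcard matches.
            if (substr(iface, length(iface)) != "+") next
            n = split(opts, o, ",")
            has = 0
            for (i = 1; i <= n; i++) if (o[i] == "routeback") has = 1
            if (!has) { print zone, iface; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample (hypothetical): the thread's interfaces file with
# routeback missing from the wildcard Loc+ entry.
write_sample_missing() {
    cat > "$1" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     MainBoard   detect      dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     Loc+        detect      tcpflags,nosmurfs
vpn     tun0
EOF
}

# Constructed sample: the same file after "routeback added", as in the thread.
write_sample_fixed() {
    cat > "$1" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     MainBoard   detect      dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     Loc+        detect      tcpflags,nosmurfs,routeback
vpn     tun0
EOF
}

# When run directly with a path argument, lint that file.
if [ $# -gt 0 ]; then
    check_wildcard_routeback "$1"
fi
```

Run it as `sh lint.sh /etc/shorewall/interfaces` before `shorewall restart`; a non-zero exit with a printed `loc Loc+` means the wildcard entry will not pass traffic between the matching interfaces. Note that the check deliberately ignores zones with several explicit, non-wildcard interfaces (the LocPCI1/LocACS29H901847 variant in the thread), because routeback concerns traffic re-emitted through the same interfaces entry, which is the wildcard case.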