From: Tom E. <te...@sh...> - 2017-07-05 14:41:26
On 07/05/2017 12:30 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Tom Eastep <te...@sh...>
>>
>> root@debianvm:/etc/shorewall# shorewall start
>
> [...]
>> Compiling /etc/shorewall/providers...
>> ERROR: Providers interfaces may not specify 'routefilter' when
>> USE_DEFAULT_RT=Yes /etc/shorewall/providers (line 10)
>
> Do you mean that it's fixed in 5.1.5, or that you cannot reproduce the issue I reported?

I couldn't reproduce it.

>
> I redid the same, but this time in "interfaces" I not only have routefilter but also rpfilter (for the sake of testing -- not that I need both options). Now I'm getting a different error with "shorewall check", but "shorewall start" still doesn't complain and exits successfully.
>
> If I run the following:
>
> shorewall stop > swtest 2>&1 3>&1
> shorewall status >> swtest 2>&1 3>&1
> shorewall check >> swtest 2>&1 3>&1
> echo ">>> shorewall start:" >> swtest 2>&1 3>&1
> shorewall start >> swtest 2>&1 3>&1
> echo ">>> interfaces:" >> swtest 2>&1 3>&1
> cat interfaces >> swtest
> echo ">>> providers:" >> swtest 2>&1 3>&1
> cat providers >> swtest
>
> I get this:
>
> Stopping Shorewall....
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> done.
> Shorewall-5.1.4.4 Status at inf-fw2 - Wed Jul 5 08:59:27 CEST 2017
>
> Shorewall is stopped
> State:Stopped Wed Jul 5 08:59:27 CEST 2017 (/var/lib/shorewall/firewall compiled Wed Jul 5 08:53:34 CEST 2017 by Shorewall version 5.1.4.4)
>
> Checking using Shorewall 5.1.4.4...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> ERROR: The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive /etc/shorewall/interfaces (line 2)
>>>> shorewall start:
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up ARP filtering...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up log backend
> Setting up Proxy ARP...
> Adding Providers...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore ...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
>>>> interfaces:
> #ZONE INTERFACE OPTIONS
> net4 $IF_ISP4 optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter,routefilter
> net3 $IF_ISP3 optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter,routefilter
> net2 $IF_ISP2 optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter,routefilter
> net1 $IF_ISP1 optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter,routefilter
> dmz $IF_DMZ routeback
> loc $IF_LAN routeback
>>>> providers:
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONSCOPY
> ISP1 1 1 - $IF_ISP1 $IF_ISP1_GW track,balance=3,persistent
> ISP2 2 2 - $IF_ISP2 $IF_ISP2_GW track,balance=2,persistent
> ISP3 3 3 - $IF_ISP3 $IF_ISP3_GW track,balance=1,persistent
> ISP4 4 4 - $IF_ISP4 $IF_ISP4_GW track,balance=1,persistent
>

There seems to be a problem with AUTOMAKE=Yes -- the 'start' command is using your previously-compiled script. You can work around this by setting AUTOMAKE=No, and we'll look at it after we get your other problem addressed.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________