
Re: [Shorewall-users] Couple of brouter questions

From: Maple Thorpe <maplethorpe_at_nospam>
Date: Sat Oct 16 2010 - 13:28:16 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Fri, 2010-10-15 at 15:34 -0700, Tom Eastep wrote:
> On 10/15/10 12:50 PM, Maple Thorpe wrote:
> > I've followed the brouter example and now need some clarification
> > regarding the 'params' file. In the example, 'NET' is set using
> > NET=pub:!$SERVERS.
>
> I assume that you are referring to the obsolete document
> http://www.shorewall.net/3.0/NewBridge.html? The "3.0" in that URL is
> significant; it means that the document is relevant to Shorewall 3.x and
> has been deprecated since Shorewall-perl was introduced in Shorewall
> 4.4.0. The current document is
> http://www.shorewall.net/bridge-Shorewall-perl.html.
> >
> > In my Shorewall (4.4.11.1) configuration, Shorewall complains during
> > startup with message: shorewall[15246]: ERROR: Unknown Interface (!
> > 10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254) : /etc/shorewall/rules (line 19)
> >
> > =================
> > shorewall/params
> > =================
> > SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
> > WR0=pub:$SERVERS #Use in place of 'wr0' in rule DEST
> > NET=pub:!$SERVERS #Use in place of 'net' in rule DEST

Params configuration is the same. No longer sure how params' '$NET' is used
in the rules file if 'pub' is OK. I'll just remove the references for now.
>
> > The error message is consistent, whenever the compilation process
> > encounters a rule similar to $NET:a.b.c.d in the rules file.
>
> That's because it's an invalid rule. Do the expansion yourself and look
> at it!
>
> What you want is pub:a.b.c.d.
>
> >
> > Also, the mDNS macro now complains on startup.
>
> And the complaint is?

shorewall[16431]: Compiling /etc/shorewall/rules...
shorewall[16431]: ERROR: Unknown destination zone
(224.0.0.251) : /etc/shorewall/macro.mDNS (line 11)
ERROR:Shorewall restart failed

===============
shorewall/rules
(line 11)
===============
mDNS(ACCEPT):info $FW loc

================
mDNS macro
================
#
# Shorewall version 4 - Multicast DNS Macro
#
# /usr/share/shorewall/macro.mDNS
#
# This macro handles multicast DNS traffic.
#
###############################################################################
#ACTION SOURCE  DEST                PROTO   DEST     SOURCE   RATE    USER/
#                                           PORT(S)  PORT(S)  LIMIT   GROUP
PARAM   -       224.0.0.251         udp     5353
PARAM   -       224.0.0.251         2
PARAM   DEST    SOURCE:224.0.0.251  udp     5353
PARAM   DEST    SOURCE:224.0.0.251  2

> >
> > What do I need to change for the desired macro expansion
>
> I really recommend that you switch to using the current bridge/router HOWTO.
>
> > and what do I need to change to stop "martian source" complaints on the bridge device for
> > the servers in the 'WR0 zone'?
>
> That's not a Shorewall configuration issue; it is a routing issue which
> indicates that there is no route to those hosts through the interface.
>
Yeah, I realized the servers' private IPs used in the $SERVER var were the
cause of the martians.
> -Tom

One more question: if I am understanding the examples correctly, is it correct to conclude that, in order to have a brouter+OpenVPN configuration, there must be two different bridges, one bridge for the brouter and a second one for OpenVPN?

Thanks

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
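Tom's advice in the thread is to do the variable expansion by hand and look at the result. The script below is an added illustration, not code from the thread or from Shorewall: it applies the same shell expansion Shorewall uses when it reads the params file, shows what a DEST column like $NET:a.b.c.d turns into, and flags the malformation behind the "Unknown Interface" error (a third colon-separated field makes the compiler read the second field as an interface name, which a host list starting with "!" or containing "," can never be). The variable values are the ones posted above; the helper names and the sample address 10.0.2.7 are assumptions of this example, and the colon counting is IPv4-only.

```sh
#!/bin/sh
# Added example: reproduce Shorewall's shell expansion of a rules column so
# the result can be inspected before the compiler rejects it. Not part of
# the thread or of Shorewall itself; helper names are this example's own.

# Constructed copy of the poster's params settings (normally these come from
# /etc/shorewall/params, which Shorewall processes as shell code).
SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
WR0="pub:$SERVERS"
NET="pub:!$SERVERS"

# expand_dest TEXT: substitute $VARS exactly as the shell does when the rules
# file is read, and print the resulting column. The text is evaluated by the
# shell, so only feed it lines from your own configuration.
expand_dest() {
    eval "printf '%s\n' \"$1\""
}

# dest_has_nested_hostlist DEST: true when the expanded column has three or
# more colon-separated fields and the second field is a host list ("!" prefix
# or a comma list) rather than an interface name. That is the shape produced
# by writing $NET:a.b.c.d with NET=pub:!$SERVERS, and it is what the compiler
# reports as "Unknown Interface (!10.0.2.5,...)". IPv4 addresses only.
dest_has_nested_hostlist() {
    fields=$(printf '%s\n' "$1" | awk -F: '{ print NF; exit }')
    second=$(printf '%s\n' "$1" | cut -d: -f2)
    [ "$fields" -ge 3 ] && { case $second in !*|*,*) return 0 ;; esac; }
    return 1
}

# fixed_dest VAR ADDRESS: build the column Tom recommends instead, i.e. the
# bare zone taken from the variable followed by the single address
# (pub:a.b.c.d), dropping the variable's own host list.
fixed_dest() {
    zone=$(expand_dest "$1" | cut -d: -f1)
    printf '%s:%s\n' "$zone" "$2"
}

# Stand-alone demonstration: the failing form and the corrected one.
expand_dest '$NET:10.0.2.7'
if dest_has_nested_hostlist "$(expand_dest '$NET:10.0.2.7')"; then
    echo 'invalid DEST: host list followed by another address'
fi
fixed_dest '$NET' 10.0.2.7
```

Run it against a copy of your own params values; a plain `pub:10.0.2.7` or the expansion of `$WR0` passes the check, while `$NET:10.0.2.7` is flagged, which matches the compiler's behaviour described in the thread.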