Tristan DEFERT
2007-Jul-13 13:19 UTC
new bridging / hosts definition file vs ip exclusion list
Hi list users,

I have been using the new bridging method for a few days and I cannot set up /etc/shorewall/hosts as written in the doc.

That means I no longer identify my bridge zones by interface like this:

wan $bridge_interface:$wan_interface
dmz $bridge_interface:$dmz_interface

But I now use:

dmz $bridge_interface:$dmz_subnet,!$router_ip

but this syntax does not work for me. Instead of EXCLUDING one or more hosts from my dmz zone (doesn't work) I must use this kind of syntax:

dmz $bridge_interface:$dmz_addresses_pool

where $dmz_addresses_pool covers my whole subnet class except the router: so I do not exclude anything, but I define a shrunk pool within my subnet.

Did anyone succeed with such a setup where !exclusion is used within shorewall/hosts?

What could affect this behaviour? What is lacking (if anything) in iptables? I do not use such an exclusion anywhere else in shorewall.

Any feedback welcome!

Tristan

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
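The workaround described in this post (replacing the "!" exclusion with a pool of addresses that covers the subnet except the router) can be computed rather than written by hand, and checked host-for-host so that the router really is outside the zone. The following is an added example, not code from the thread or from Shorewall: it uses Python's ipaddress module to compute the minimal set of CIDR blocks equal to a subnet minus the excluded hosts, brute-force verifies the result against the subnet, and renders a hosts-file line in the comma-separated address-list form the post uses. The subnet 192.168.1.0/24, router 192.168.1.1, zone name dmz and bridge br0 are constructed values, and the function names are mine.

```python
import ipaddress


def shrunk_pool(subnet, excluded):
    """Return the minimal, sorted list of CIDR blocks that cover `subnet`
    minus every address or prefix in `excluded` (all given as strings).
    A bare address such as "192.168.1.1" is treated as a /32."""
    pools = [ipaddress.ip_network(subnet)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        remaining = []
        for block in pools:
            if ex_net.subnet_of(block):
                # Split this block into the sub-blocks that do not contain
                # ex_net (yields nothing when ex_net == block).
                remaining.extend(block.address_exclude(ex_net))
            elif block.subnet_of(ex_net):
                # The whole block lies inside the exclusion: drop it.
                continue
            else:
                remaining.append(block)
        pools = remaining
    return sorted(pools)


def pool_matches(subnet, excluded, pools):
    """Brute-force check of a pool: every address of `subnet` is covered by
    exactly one block iff it is not excluded, and no block reaches outside
    the subnet. This is the audit you want before trusting a hand-written
    pool as a zone boundary."""
    net = ipaddress.ip_network(subnet)
    ex_nets = [ipaddress.ip_network(e) for e in excluded]
    if not all(block.subnet_of(net) for block in pools):
        return False
    for addr in net:  # iterates every address of the subnet
        hits = sum(addr in block for block in pools)
        wanted = 0 if any(addr in ex for ex in ex_nets) else 1
        if hits != wanted:
            return False
    return True


def hosts_line(zone, bridge, pools):
    """Render ZONE<TAB>BRIDGE:block,block,... , the comma-separated
    address-list form used for the dmz zone in the post."""
    return f"{zone}\t{bridge}:{','.join(str(block) for block in pools)}"


if __name__ == "__main__":
    # Constructed values, not taken from the thread.
    dmz_subnet, router_ip = "192.168.1.0/24", "192.168.1.1"
    pool = shrunk_pool(dmz_subnet, [router_ip])
    assert pool_matches(dmz_subnet, [router_ip], pool)
    print(hosts_line("dmz", "br0", pool))
```

Excluding a single /32 from a /24 produces eight blocks (a /25 down to a /32), which is why the enumerated pool is tedious to maintain by hand; the brute-force check is what makes the enumerated form auditable.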
Tom Eastep
2007-Jul-13 13:32 UTC
Re: new bridging / hosts definition file vs ip exclusion list
Tristan DEFERT wrote:
> But I now use:
> dmz $bridge_interface:$dmz_subnet,!$router_ip
>
> but this syntax does not work for me.
> Instead of EXCLUDING one or more hosts from my dmz zone (doesn't work)
> I must use this kind of syntax:
> dmz $bridge_interface:$dmz_addresses_pool
>
> Did anyone succeed with such a setup where !exclusion is used within
> shorewall/hosts?

Which Shorewall version are you running?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tristan DEFERT
2007-Jul-13 13:34 UTC
Re: new bridging / hosts definition file vs ip exclusion list
My running kernel is 2.6.18-4-k7 and my shorewall shell is /bin/ash. This is a stock kernel and all required iptables modules are present.

On Friday 13 July 2007 at 15:19 +0200, Tristan DEFERT wrote:
> Did anyone succeed with such a setup where !exclusion is used within
> shorewall/hosts?
>
> What could affect this behaviour? What is lacking (if anything) in iptables?
> I do not use such an exclusion anywhere else in shorewall.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tristan DEFERT
2007-Jul-13 13:36 UTC
Re: new bridging / hosts definition file vs ip exclusion list
On Friday 13 July 2007 at 06:32 -0700, Tom Eastep wrote:
> Tristan DEFERT wrote:
> > But I now use:
> > dmz $bridge_interface:$dmz_subnet,!$router_ip
> >
> > but this syntax does not work for me.
>
> Which Shorewall version are you running?

3.2.6 from debian etch

> -Tom

--
Tristan DEFERT
Société Alpha Mosa
__________________________________________________________________
Tel. (33) 03 26 48 17 56    Web: http://www.alphamosa.fr
Fax (33) 03 26 48 10 87     Email: tristan.d@alphamosa.fr
Tom Eastep
2007-Jul-13 14:14 UTC
Re: new bridging / hosts definition file vs ip exclusion list
Tristan DEFERT wrote:
> > Which Shorewall version are you running?
> 3.2.6 from debian etch

From http://www.shorewall.net/NewBridge.html

    Caution

    This article applies to Shorewall 3.3.3 and later. If you are running a version of Shorewall earlier than Shorewall 3.3.3 then please see the documentation for that release.

Additionally, the feature was broken at some point and not corrected until Shorewall 3.4.4.

-Tom
Tom Eastep
2007-Jul-13 14:26 UTC
Re: new bridging / hosts definition file vs ip exclusion list
Tom Eastep wrote:
> Tristan DEFERT wrote:
> > > Which Shorewall version are you running?
> > 3.2.6 from debian etch
>
> From http://www.shorewall.net/NewBridge.html
>
>     Caution
>
>     This article applies to Shorewall 3.3.3 and later. If you are running a version of Shorewall earlier than Shorewall 3.3.3 then please see the documentation for that release.
>
> Additionally, the feature was broken at some point and not corrected until Shorewall 3.4.4.

Please disregard that last part -- I was thinking of Shorewall-perl, where this feature was broken for a long time.

-Tom