Shorewall users - Oct 2008 - WARNING: default route ignored on interface

I''m running Shorewall-perl 4.0.13 on a firewall that is managing three
static IP addresses on its external interface to the Internet.

In order to make outbound traffic from the firewall itself use a specific
external IP address, I added the following line to my "masq" file:

	ext0		ext0		171.66.155.245

(where the firewall''s external NIC is labelled "ext0", and
171.66.155.245
is the address assigned to one of the alias interfaces, ext0:1).

This works as intended.  And everything else about this firewall appears
to be working OK as well.

However, when I added the above line, I started seeing a warning message
that I hadn''t seen before:

	WARNING: default route ignored on interface ext0

I read the explanation for this warning offered on the "error
messages"
page -- namely, that the interface named in the SUBNET (should that be
SOURCE, by the way?) column of the "masq" file has the default route
--
and this is true as far as it goes, but it''s not clear to me what (if
anything) I should be doing instead.

For what it might be worth, I tried changing the line in question to:

	ext0		ext0:171.66.155.245	171.66.155.245

and the warning went away -- but outbound connections from the firewall
started being assigned a different external address (namely, the address
associated with the primary interface, ext0), so I changed it back.

I also tried using "fw" as the source -- and probably not
surprisingly,
that didn''t work at all, since "fw" isn''t an
interface.

So . . . .

Should I be saying something different in order to get the behaviour I
want in this case, but without also getting a warning?

Or is this warning message spurious, and I should just ignore it, and
maybe you''ll want to change the compiler so the warning won''t
be issued
in situations like this?

Or is there some other explanation?

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===     richw@richw.org
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Rich Wales wrote:
> I read the explanation for this warning offered on the "error
> messages" page
Which hasn''t been maintained for years.
> 
> Should I be saying something different in order to get the behaviour I
> want in this case, but without also getting a warning?
You should enter

	eth0		171.66.155.245/n	171.66.155.245

	Where n = VLSM mask appropriate for your external subnet.

Or

	eth0		<addr1>,<addr2>		171.66.155.245

	where <addr1> and <addr2> are the other two IP addresses configured
on
eth0.

When you specify an interface name in the SOURCE column as you did, the
compiled script examines the output of "ip route ls dev eth0". It
probably looks something like this:

	171.66.155.0/24  proto kernel  scope link  src 171.66.155.245
	default via 171.66.155.254  proto static

The script examines the first route and generates:

eth0		171.66.155.245/24	171.66.155.245

It then sees the second route which is equavalent to

	0.0.0.0/0 via 171.66.155.254  proto static

It realizes that you probably DON''T want this rule:

eth0		0.0.0.0/0	171.66.155.245

and issues the warning that you are seeing.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/