I've followed the brouter example and now need some clarification regarding the 'params' file. In the example, 'NET' is set using NET=pub:!$SERVERS.

In my Shorewall (4.4.11.1) configuration, Shorewall complains during startup with message:

shorewall[15246]: ERROR: Unknown Interface (! 10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254) : /etc/shorewall/rules (line 19)

================
shorewall/params
================
SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
WR0=pub:$SERVERS    #Use in place of 'wr0' in rule DEST
NET=pub:!$SERVERS   #Use in place of 'net' in rule DEST

================
shorewall/rules (line 19)
================
ACCEPT:info   $FW   $NET:12.x.y.z   tcp   8000

================
shorewall/zones
================
fw        firewall
pub       ipv4
net:pub   bport4
wr0:pub   bport4
loc       ipv4

===================
shorewall/interfaces
===================
pub   br0        detect   bridge
net   br0:eth2
wr0   br0:eth1
loc   eth0       detect   tcpflags,dhcp

The error message is consistent, whenever the compilation process encounters a rule similar to $NET:a.b.c.d in the rules file.

Also, the mDNS macro now complains on startup.

What do I need to change for the desired macro expansion, and what do I need to change to stop "martian source" complaints on the bridge device for the servers in the 'WR0 zone'?

Thanks

------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev
On 10/15/10 12:50 PM, Maple Thorpe wrote:
> I've followed the brouter example and now need some clarification
> regarding the 'params' file. In the example, 'NET' is set using
> NET=pub:!$SERVERS.

I assume that you are referring to the obsolete document http://www.shorewall.net/3.0/NewBridge.html? The "3.0" in that URL is significant; it means that the document is relevant to Shorewall 3.x and has been deprecated since Shorewall-perl was introduced in Shorewall 4.4.0. The current document is http://www.shorewall.net/bridge-Shorewall-perl.html.

> In my Shorewall (4.4.11.1) configuration, Shorewall complains during
> startup with message: shorewall[15246]: ERROR: Unknown Interface (!
> 10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254) : /etc/shorewall/rules (line 19)
>
> ================
> shorewall/params
> ================
> SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
> WR0=pub:$SERVERS    #Use in place of 'wr0' in rule DEST
> NET=pub:!$SERVERS   #Use in place of 'net' in rule DEST

> The error message is consistent, whenever the compilation process
> encounters a rule similar to $NET:a.b.c.d in the rules file.

That's because it's an invalid rule. Do the expansion yourself and look at it!

What you want is pub:a.b.c.d.

> Also, the mDNS macro now complains on startup.

And the complaint is?

> What do I need to change for the desired macro expansion

I really recommend that you switch to using the current bridge/router HOWTO.

> and what do I need to change to stop "martian source" complaints on
> the bridge device for the servers in the 'WR0 zone'?

That's not a Shorewall configuration issue; it is a routing issue which indicates that there is no route to those hosts through the interface.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
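Tom's advice is to do the expansion by hand and look at the result. The shell script below, added here as an illustration and not code from the thread or from Shorewall, does exactly that with the params values posted above: it substitutes the variable the way the shell does when Shorewall sources /etc/shorewall/params, splits the resulting DEST column on colons, and flags the three-field form whose middle field is an address list rather than an interface name, which is the shape behind the "Unknown Interface" message. The check_dest function is a simplified stand-in for the compiler's own parsing (an assumption, not Shorewall's code), and 12.x.y.z is kept as the poster's redacted address.

```shell
#!/bin/sh
# Added example, not part of Shorewall: do the params expansion by hand and
# inspect what the DEST column of the rule really contains.
#
# Shorewall sources /etc/shorewall/params as a shell file, so plain shell
# assignment reproduces the substitution exactly. Values are copied from the
# thread; 12.x.y.z is the poster's redacted public address.

load_params() {
    SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
    WR0="pub:$SERVERS"     # meant to stand in for zone 'wr0' in DEST
    NET="pub:!$SERVERS"    # meant to stand in for zone 'net' in DEST
}

# expand_dest VALUE ADDRESS: what "$VAR:ADDRESS" in the rules file becomes
# once the variable has been substituted.
expand_dest() {
    printf '%s:%s\n' "$1" "$2"
}

# dest_zone DEST: the zone name is everything before the first colon.
dest_zone() {
    printf '%s\n' "${1%%:*}"
}

# check_dest DEST: parse a DEST column as zone[:interface][:address-list].
# With three colon-separated fields the middle one has to be an interface
# name; an address list there is what produces "Unknown Interface" in the
# thread. This is a simplified model of that check (an assumption, not the
# compiler's parser). Returns 0 when the column parses, 1 otherwise.
check_dest() {
    dest=$1
    oldifs=$IFS
    IFS=:
    set -f                 # no globbing while splitting on ':'
    set -- $dest
    set +f
    IFS=$oldifs
    case $# in
    1|2)
        printf 'OK: zone=%s hosts=%s\n' "$1" "${2:-<any>}"
        return 0 ;;
    3)
        case $2 in
        ''|*[!A-Za-z0-9_.+-]*)
            printf 'ERROR: Unknown Interface (%s) in DEST "%s"\n' "$2" "$dest"
            return 1 ;;
        esac
        printf 'OK: zone=%s interface=%s hosts=%s\n' "$1" "$2" "$3"
        return 0 ;;
    *)
        printf 'ERROR: too many fields in DEST "%s"\n' "$dest"
        return 1 ;;
    esac
}

load_params

# The rule from the thread: ACCEPT:info $FW $NET:12.x.y.z tcp 8000
bad=$(expand_dest "$NET" 12.x.y.z)
printf 'expanded DEST: %s\n' "$bad"
check_dest "$bad" || true        # reproduces the "Unknown Interface" shape

# What Tom says is wanted: the zone name plus the single address.
good=$(expand_dest pub 12.x.y.z)
printf 'expanded DEST: %s\n' "$good"
check_dest "$good"

# $NET on its own (zone plus an exclusion list) still splits into two fields.
check_dest "$NET"
```

Run it and compare the two "expanded DEST" lines: the first is what $NET:12.x.y.z turns into, the second is the pub:a.b.c.d form Tom recommends. $NET by itself passes the two-field check, so the variable is only usable where no further :address is appended to it.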
On Fri, 2010-10-15 at 15:34 -0700, Tom Eastep wrote:
> On 10/15/10 12:50 PM, Maple Thorpe wrote:
> > I've followed the brouter example and now need some clarification
> > regarding the 'params' file. In the example, 'NET' is set using
> > NET=pub:!$SERVERS.
>
> I assume that you are referring to the obsolete document
> http://www.shorewall.net/3.0/NewBridge.html? The "3.0" in that URL is
> significant; it means that the document is relevant to Shorewall 3.x and
> has been deprecated since Shorewall-perl was introduced in Shorewall
> 4.4.0. The current document is
> http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> > In my Shorewall (4.4.11.1) configuration, Shorewall complains during
> > startup with message: shorewall[15246]: ERROR: Unknown Interface (!
> > 10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254) : /etc/shorewall/rules (line 19)
> >
> > ================
> > shorewall/params
> > ================
> > SERVERS=10.0.2.5,10.0.2.26,10.0.2.51,10.0.2.52,10.0.2.53,10.0.2.54,10.0.2.55,10.0.2.252,10.0.2.253,10.0.2.254
> > WR0=pub:$SERVERS    #Use in place of 'wr0' in rule DEST
> > NET=pub:!$SERVERS   #Use in place of 'net' in rule DEST

Params configuration is the same. No longer sure how params' '$NET' is used in the rules file if 'pub' is OK. I'll just remove references for now.

> > The error message is consistent, whenever the compilation process
> > encounters a rule similar to $NET:a.b.c.d in the rules file.
>
> That's because it's an invalid rule. Do the expansion yourself and look
> at it!
>
> What you want is pub:a.b.c.d.
>
> > Also, the mDNS macro now complains on startup.
>
> And the complaint is?

shorewall[16431]: Compiling /etc/shorewall/rules...
shorewall[16431]: ERROR: Unknown destination zone (224.0.0.251) : /etc/shorewall/macro.mDNS (line 11)
ERROR: Shorewall restart failed

==============
shorewall/rules (line 11)
==============
mDNS(ACCEPT):info   $FW   loc

===============
mDNS macro
===============
#
# Shorewall version 4 - Multicast DNS Macro
#
# /usr/share/shorewall/macro.mDNS
#
# This macro handles multicast DNS traffic.
#
###############################################################################
#ACTION SOURCE  DEST                PROTO   DEST     SOURCE   RATE    USER/
#                                           PORT(S)  PORT(S)  LIMIT   GROUP
PARAM   -       224.0.0.251         udp     5353
PARAM   -       224.0.0.251         2
PARAM   DEST    SOURCE:224.0.0.251  udp     5353
PARAM   DEST    SOURCE:224.0.0.251  2

> > What do I need to change for the desired macro expansion
>
> I really recommend that you switch to using the current bridge/router HOWTO.
>
> > and what do I need to change to stop "martian source" complaints on
> > the bridge device for the servers in the 'WR0 zone'?
>
> That's not a Shorewall configuration issue; it is a routing issue which
> indicates that there is no route to those hosts through the interface.

Yeah, I realized the servers' private IPs used in the $SERVER var were the cause of the martians.

> -Tom

One more question, if I am understanding the examples correctly: is it correct to conclude that, in order to have a brouter+OpenVPN configuration, there must be two different bridges, one bridge for the brouter and the second for OpenVPN?

Thanks
On 10/16/10 6:28 AM, Maple Thorpe wrote:
> shorewall[16431]: Compiling /etc/shorewall/rules...
> shorewall[16431]: ERROR: Unknown destination zone (224.0.0.251) : /etc/shorewall/macro.mDNS (line 11)
> ERROR: Shorewall restart failed
>
> ===============
> shorewall/rules (line 11)
> ===============
> mDNS(ACCEPT):info   $FW   loc

How is 'loc' defined? I'm unable to reproduce this problem. When 'loc' is undefined, I get 'Unknown destination zone (loc)'.

> One more question, if I am understanding the examples correctly: is
> it correct to conclude that, in order to have a brouter+OpenVPN
> configuration, there must be two different bridges, one bridge for
> the brouter and the second for OpenVPN?

Depends on whether you want the OpenVPN clients to use addresses in a different network. If so, I would configure a second bridge.

-Tom
On Sat, 2010-10-16 at 07:52 -0700, Tom Eastep wrote:
> On 10/16/10 6:28 AM, Maple Thorpe wrote:
>
> > shorewall[16431]: Compiling /etc/shorewall/rules...
> > shorewall[16431]: ERROR: Unknown destination zone (224.0.0.251) : /etc/shorewall/macro.mDNS (line 11)
> > ERROR: Shorewall restart failed
> >
> > ===============
> > shorewall/rules (line 11)
> > ===============
> > mDNS(ACCEPT):info   $FW   loc
>
> How is 'loc' defined? I'm unable to reproduce this problem. When 'loc'
> is undefined, I get 'Unknown destination zone (loc)'.

======================
shorewall zones
======================
#ZONE      TYPE       OPTIONS    IN         OUT
#                                OPTIONS    OPTIONS
fw         firewall
pub        ipv4
net:pub    bport4
vpn:pub    bport4
wr0        ipv4
loc        ipv4

'loc' remained as 'ipv4' although changes were made to other zones (e.g. net, vpn, wr0).

> > One more question, if I am understanding the examples correctly: is
> > it correct to conclude that, in order to have a brouter+OpenVPN
> > configuration, there must be two different bridges, one bridge for
> > the brouter and the second for OpenVPN?
>
> Depends on whether you want the OpenVPN clients to use addresses in a
> different network. If so, I would configure a second bridge.
>
> -Tom
On 10/16/10 8:39 AM, Maple Thorpe wrote:
> On Sat, 2010-10-16 at 07:52 -0700, Tom Eastep wrote:
>> On 10/16/10 6:28 AM, Maple Thorpe wrote:
>>
>>> shorewall[16431]: Compiling /etc/shorewall/rules...
>>> shorewall[16431]: ERROR: Unknown destination zone (224.0.0.251) : /etc/shorewall/macro.mDNS (line 11)
>>> ERROR: Shorewall restart failed
>>>
>>> ===============
>>> shorewall/rules (line 11)
>>> ===============
>>> mDNS(ACCEPT):info   $FW   loc
>>
>> How is 'loc' defined? I'm unable to reproduce this problem. When 'loc'
>> is undefined, I get 'Unknown destination zone (loc)'.
>
> ======================
> shorewall zones
> ======================
> #ZONE      TYPE       OPTIONS    IN         OUT
> #                                OPTIONS    OPTIONS
> fw         firewall
> pub        ipv4
> net:pub    bport4
> vpn:pub    bport4
> wr0        ipv4
> loc        ipv4
>
> 'loc' remained as 'ipv4' although changes were made to other zones (e.g.
> net, vpn, wr0).

I'm still unable to reproduce this. Please:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -zxf shorewall.tgz /etc/shorewall
c) Send the shorewall.tgz file to me personally.

Thanks,
-Tom