I recently added a new subnet to my existing network that is behind a firewall running Shorewall 4.4.16.1. I am attempting to allow traffic to route between the two subnets. The subnets are defined as per what is seen in ifconfig here:

[root@fw10g shorewall]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1B:21:84:AF:04
          inet addr:129.116.190.250  Bcast:129.116.190.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe84:af04/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:893909525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1079210487 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:740527359996 (689.6 GiB)  TX bytes:1270877098736 (1.1 TiB)

eth0:0    Link encap:Ethernet  HWaddr 00:1B:21:84:AF:04
          inet addr:129.116.65.225  Bcast:129.116.65.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

When looking at the current documentation from

http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

it states that you can modify the /etc/shorewall/interfaces file to include the following (modified from the docs to use my two subnets):

loc eth0 129.116.190.255,129.116.65.255 routeback

However, when I attempt to compile Shorewall with this configuration I get this message:

Compiling /etc/shorewall/interfaces...
WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available : /etc/shorewall/interfaces (line 11)

In a Google search I found that you can supposedly modify the line above and replace "routeback" with either "-" or "detect", but neither of those work. Does anyone know how current versions of Shorewall handle aliased interfaces?

Thanks.

Steve Williams

-- 
Stephen Williams
Manager of Computer Services
Center for Space Research
University of Texas at Austin
3925 W. Braker Ln., Suite 200
Austin, TX 78759-5321
512.471.7235  512.471.3570 (fax)
williams@csr.utexas.edu

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Steve Williams wrote:
> I recently added a new subnet to my existing network that is behind a firewall running Shorewall 4.4.16.1. I am attempting to allow traffic to route between the two subnets. The subnets are defined as per what is seen in ifconfig here:
>
> [root@fw10g shorewall]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:1B:21:84:AF:04
>           inet addr:129.116.190.250  Bcast:129.116.190.255  Mask:255.255.255.0
>           inet6 addr: fe80::21b:21ff:fe84:af04/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:893909525 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1079210487 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:740527359996 (689.6 GiB)  TX bytes:1270877098736 (1.1 TiB)
>
> eth0:0    Link encap:Ethernet  HWaddr 00:1B:21:84:AF:04
>           inet addr:129.116.65.225  Bcast:129.116.65.255  Mask:255.255.255.224
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> When looking at the current documentation from
>
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
>
> it states that you can modify the /etc/shorewall/interfaces file to include the following (modified from the docs to use my two subnets):
>
> loc eth0 129.116.190.255,129.116.65.255 routeback
>
> However, when I attempt to compile Shorewall with this configuration I get this message:
>
> Compiling /etc/shorewall/interfaces...
> WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available : /etc/shorewall/interfaces (line 11)
>
> In a Google search I found that you can supposedly modify the line above and replace "routeback" with either "-" or "detect", but neither of those work. Does anyone know how current versions of Shorewall handle aliased interfaces?

This should work:

loc eth0 - routeback

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> This should work:
>
> loc eth0 - routeback
>

That, of course, assumes that the hosts in the two networks know that they must route traffic to the other network via the Shorewall box.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
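The exchange above turns on which column of /etc/shorewall/interfaces the two subnets were put in: the original line filled the BROADCAST column with addresses (which triggers the compile warning), while the working line leaves that column as "-" and puts routeback in OPTIONS. The checker below is an added example, not Shorewall's own code; it assumes the classic four-column ZONE INTERFACE BROADCAST OPTIONS layout of Shorewall 4.4, parses a file in that layout, flags any entry that still carries addresses in the BROADCAST column, and reports whether a given interface has the routeback option. The two sample files are constructed here from the addresses quoted in the thread; the net/eth1 line is an assumed extra interface for illustration.

```python
"""Lint Shorewall 4.4-style /etc/shorewall/interfaces entries.

Added example, not Shorewall's own code. It assumes the classic
four-column layout ZONE INTERFACE BROADCAST OPTIONS and flags the
legacy BROADCAST column usage that triggers the warning in the thread.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class InterfaceEntry:
    zone: str
    interface: str
    broadcast: str        # "-", "detect", or a legacy address list
    options: List[str]    # e.g. ["routeback"] or ["tcpflags", "nosmurfs"]
    line_no: int


def parse_interfaces(text: str) -> List[InterfaceEntry]:
    """Parse whitespace-separated columns, skipping blank and comment lines."""
    entries: List[InterfaceEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments, including "#ZONE ..." headers
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"line {line_no}: need at least ZONE and INTERFACE")
        broadcast = cols[2] if len(cols) > 2 else "-"
        raw_opts = cols[3] if len(cols) > 3 else "-"
        options = [] if raw_opts == "-" else raw_opts.split(",")
        entries.append(InterfaceEntry(cols[0], cols[1], broadcast, options, line_no))
    return entries


def lint(entries: List[InterfaceEntry]) -> List[str]:
    """One finding per entry whose BROADCAST column still holds addresses."""
    findings = []
    for e in entries:
        if e.broadcast not in ("-", "detect"):
            findings.append(
                f"line {e.line_no}: BROADCAST column '{e.broadcast}' on {e.interface} "
                f"is no longer used in rule generation; replace it with '-'"
            )
    return findings


def has_option(entries: List[InterfaceEntry], interface: str, option: str) -> bool:
    """True if any entry for `interface` carries `option` in its OPTIONS column."""
    return any(option in e.options for e in entries if e.interface == interface)


# Constructed sample files. The loc/eth0 addresses are the ones quoted in
# the thread; the net/eth1 line is an assumed second interface.
LEGACY_CONF = """\
#ZONE   INTERFACE   BROADCAST                        OPTIONS
net     eth1        detect                           tcpflags,nosmurfs
loc     eth0        129.116.190.255,129.116.65.255   routeback
"""

FIXED_CONF = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      tcpflags,nosmurfs
loc     eth0        -           routeback
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("fixed", FIXED_CONF)):
        entries = parse_interfaces(conf)
        print(f"{name}: {lint(entries) or 'no findings'}; "
              f"eth0 routeback={has_option(entries, 'eth0', 'routeback')}")
```

Run it against a copy of the real file with `parse_interfaces(open('/etc/shorewall/interfaces').read())`; the legacy sample produces one finding on its line 3, the fixed sample none, and both report routeback set on eth0.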