Charles Holbrook
2003-Feb-20 16:13 UTC
[Shorewall-users] Shorewall and keepalived yet again.
You would think that after a couple of weeks of me fighting with this I would have figured it out, but you would be wrong.

I have been able to get rules to work that allow keepalived to run on the same box; however, those rules seem pretty much useless.

EXAMPLE:
                                              PROTOCOL
ACCEPT   net1:192.168.10.3   net1:224.0.0.18  all

Having all for a protocol is not what I am looking for. I have tried setting it as tcp, udp, and icmp. With those settings the rule blocks all traffic. Is there a way to make Shorewall accept the protocol VRRP (0x70)? As far as I can tell this is just about the only thing that is stopping me from actually getting this working correctly. I tried entering in 70 and 0x70 for the protocol as well as VRRP and none of these worked. Shorewall got grumpy on a reload and didn't like those protocols. I have my policies set up correctly, my routestopped is right, my config file is ok, but I am at a loss for the rule to allow keepalived to work.

HEEELLLPP!!! I am at my wits' end.

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
Charles Holbrook
2003-Feb-20 16:22 UTC
[Shorewall-users] Shorewall and keepalived yet again.
Um, I added vrrp into /etc/protocols and this fixed my problem. I feel like I am running around in circles and wasting people's time. If anyone else out there has a config that worked for them, can you please email it to me.

At 06:10 PM 2/20/2003 -0600, you wrote:
> You would think that after a couple of weeks of me fighting with this I
> would have figured it out, but you would be wrong.
>
> I have been able to get rules to work that allow keepalived to run on the
> same box; however, those rules seem pretty much useless.
> EXAMPLE:
>                                               PROTOCOL
> ACCEPT   net1:192.168.10.3   net1:224.0.0.18  all
>
> Having all for a protocol is not what I am looking for. I have tried
> setting it as tcp, udp, and icmp. With those settings the rule blocks all
> traffic. Is there a way to make Shorewall accept the protocol VRRP
> (0x70)? As far as I can tell this is just about the only thing that is
> stopping me from actually getting this working correctly. I tried
> entering in 70 and 0x70 for the protocol as well as VRRP and none of these
> worked. Shorewall got grumpy on a reload and didn't like those
> protocols. I have my policies set up correctly, my routestopped is right,
> my config file is ok, but I am at a loss for the rule to allow keepalived
> to work.
>
> HEEELLLPP!!! I am at my wits' end.
>
> Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
> immane mittam.

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
Charles Holbrook wrote:
> You would think that after a couple of weeks of me fighting with this I
> would have figured it out, but you would be wrong.
>
> I have been able to get rules to work that allow keepalived to run on
> the same box; however, those rules seem pretty much useless.
> EXAMPLE:
>                                               PROTOCOL
> ACCEPT   net1:192.168.10.3   net1:224.0.0.18  all
>
> Having all for a protocol is not what I am looking for. I have tried
> setting it as tcp, udp, and icmp. With those settings the rule blocks
> all traffic. Is there a way to make Shorewall accept the protocol VRRP
> (0x70)? As far as I can tell this is just about the only thing that is
> stopping me from actually getting this working correctly. I tried
> entering in 70 and 0x70 for the protocol as well as VRRP and none of
> these worked. Shorewall got grumpy on a reload and didn't like those
> protocols. I have my policies set up correctly, my routestopped is
> right, my config file is ok, but I am at a loss for the rule to allow
> keepalived to work.
>
> HEEELLLPP!!! I am at my wits' end.
>

/etc/protocols is your friend:

[root@gateway ipv4]# grep -i vrrp /etc/protocols
vrrp    112     VRRP            # Virtual Router Redundancy Protocol
[root@gateway ipv4]# shorewall try /etc/test
...
   Processing ./rules...
   Rule "ACCEPT net:192.168.10.3 net:224.0.0.18 vrrp" added.
...

I took the liberty of changing net1 to net...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
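The exchange above turns on how a protocol name in a Shorewall rule gets resolved: iptables accepts a name it can find in /etc/protocols or a decimal protocol number, so "vrrp" fails while the entry is missing, "0x70" is not parsed as a number at all, and "70" is a valid but different protocol (VRRP's IANA number is 112, which is 0x70 in hex). The script below is an added example, not code from the thread or from Shorewall; it reimplements that lookup against a constructed scratch copy of /etc/protocols (PROTO_FILE is an assumed variable, defaulting to a temp file so the real system file is never touched), shows each of the three attempts from the question, and then applies the fix idempotently the way Charles did by hand.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Resolves a protocol
# spec the way iptables does (name/alias from /etc/protocols, or a decimal
# number 0..255) and adds a missing entry without duplicating it.
# PROTO_FILE (assumed name) defaults to a scratch file so nothing here
# edits the real /etc/protocols.

PROTO_FILE=${PROTO_FILE:-$(mktemp)}

# Constructed excerpt of /etc/protocols, deliberately lacking vrrp, which
# is the state the question starts from.
cat > "$PROTO_FILE" <<'EOF'
# constructed sample, not a real /etc/protocols
icmp    1    ICMP    # internet control message protocol
tcp     6    TCP     # transmission control protocol
udp     17   UDP     # user datagram protocol
EOF

# resolve_proto SPEC: print the decimal protocol number for SPEC, or
# return 1. A name or alias is looked up case-insensitively; a purely
# numeric spec is accepted if it is 0..255. Hex such as 0x70 contains a
# non-digit, is looked up as a name, and is rejected, matching iptables.
resolve_proto() {
  spec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case $spec in
    '') return 1 ;;
    *[!0-9]*)
      awk -v n="$spec" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == n || tolower($3) == n { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$PROTO_FILE"
      ;;
    *)
      [ "$spec" -le 255 ] || return 1
      printf '%s\n' "$spec"
      ;;
  esac
}

# hex_to_dec 0xNN: the decimal form iptables wants (0x70 -> 112).
hex_to_dec() {
  echo $(( $1 ))
}

# count_entries NAME: number of non-comment lines naming NAME.
count_entries() {
  awk -v n="$1" '!/^[ \t]*#/ && tolower($1) == n { c++ } END { print c + 0 }' "$PROTO_FILE"
}

# ensure_protocol NAME NUMBER [ALIAS]: append an entry only if NAME does
# not already resolve, so running it twice adds nothing.
ensure_protocol() {
  if resolve_proto "$1" >/dev/null; then
    return 0
  fi
  alias=${3:-$(printf '%s' "$1" | tr 'a-z' 'A-Z')}
  printf '%s\t%s\t%s\t# added by ensure_protocol\n' "$1" "$2" "$alias" >> "$PROTO_FILE"
}

# Walk through the three attempts from the question, then the fix.
for spec in vrrp 70 0x70; do
  if num=$(resolve_proto "$spec"); then
    echo "$spec -> protocol $num"
  else
    echo "$spec -> not accepted"
  fi
done
ensure_protocol vrrp "$(hex_to_dec 0x70)" VRRP
ensure_protocol vrrp 112 VRRP   # no-op: already resolvable
echo "after fix: vrrp -> protocol $(resolve_proto vrrp), $(count_entries vrrp) entry"
```

Note that "70 -> protocol 70" is reported as accepted: iptables would happily build a rule for protocol 70, it just would not match VRRP, which is one reason Charles saw rules load cleanly yet still block keepalived.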
Charles Holbrook wrote:
> Um, I added vrrp into /etc/protocols and this fixed my problem. I feel
> like I am running around in circles and wasting people's time. If
> anyone else out there has a config that worked for them, can you please
> email it to me.
>

One thing that might help you debug faster is to run Shorewall with an empty /etc/shorewall/common file. This will prevent Shorewall from silently dropping multi-cast packets so you can see everything that is being dropped. The downside of that will be that if you have Windoze machines connected to the firewall, there will be a LOT of logged crap.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net