Hi,

Not sure if this is a bug or there is something I am missing. Here is the story:

I renamed "net" to "netc" to better understand it when I am looking at it.

I changed it in zones:
netc NetC Internet

In interfaces:
netc eth0 detect blah,blah....

and rules:
rules:ACCEPT netc loc:192.168.1.130 tcp smtp,www

Nothing to change in masq so it still looks like:
eth0 192.168.1.0/24

However, my computers inside cannot go outside. I think this is because shorewall did not create loc2netc chain.

Could anyone help.

VV
--On Tuesday, July 09, 2002 21:44:17 +0000 Val Vechnyak <vechnyak@hotmail.com> wrote:

> Hi,
>
> Not sure if this is a bug or there is something i am missing. Here is
> the story:
>
> I renamed "net" to "netc" to better understand it when I am looking at it.
>
> I changed it in zones:
> netc NetC Internet
>
> In interfaces:
> netc eth0 detect blah,blah....
>
> and rules:
> rules:ACCEPT netc loc:192.168.1.130 tcp smtp,www
>
> Nothing to change in masq so it still looks like:
> eth0 192.168.1.0/24
>
> However, my computers inside cannot go outside. I think this is because
> shorewall did not create loc2netc chain.

The only reason that it would do that is if you had rules with source zone 'loc' and destination zone 'netc'. That's doubtful since the local zone to the network is usually covered by an ACCEPT policy (see below).

>
> Could anyone help.
>

Did Shorewall in fact start? You don't say which version of Shorewall you are running -- later versions do a much better job of catching zone names that aren't defined in the /etc/shorewall/zones file.

Did you change 'net' -> 'netc' in the Policy file?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
--On Tuesday, July 09, 2002 14:52:02 -0700 Tom Eastep <teastep@shorewall.net> wrote:

>
> Did Shorewall in fact start? You don't say which version of Shorewall you
> are running -- later versions do a much better job of catching zone names
> that aren't defined in the /etc/shorewall/zones file.
>
> Did you change 'net' -> 'netc' in the Policy file?
>

Turns out that the code for verifying zones in the policy file during start and restart is broken. The code in the check command is OK though so "shorewall check" should point out any undefined zones in the policy file.

-Tom
--On Tuesday, July 09, 2002 16:39:43 -0800 John Andersen <JAndersen@screenio.com> wrote:

> is this a fix that will warrant a new release and should I
> hold off a while?

I won't be releasing a new version to correct that problem -- the "shorewall check" command will point out any undefined zones in the policy file even if the "shorewall [re]start" command(s) won't.

-Tom
On 9 Jul 2002 at 15:35, Tom Eastep wrote:

> Turns out that the code for verifying zones in the policy file during start
> and restart is broken. The code in the check command is OK though so
> "shorewall check" should point out any undefined zones in the policy file.
>
> -Tom

Since I was just about to upgrade to 1.3.3... is this a fix that will warrant a new release and should I hold off a while?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
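Tom's advice in the thread is to run "shorewall check" to catch zone names that the policy file uses but the zones file no longer defines. As an added example, not Shorewall's own code, here is a minimal Python stand-in for that cross-check, run over constructed 1.3-style zones, interfaces, policy and rules files that mirror the rename described above; it assumes the default firewall zone name "fw" and treats "all" as a pseudo zone.

```python
# Added example (not Shorewall's own code): a minimal stand-in for the zone
# validation "shorewall check" performs, using 1.3-era column layouts. The
# constructed config below mirrors the thread: "net" was renamed to "netc"
# in zones, interfaces and rules, but the policy file still says "net".
ZONES = """\
#ZONE   DISPLAY   COMMENTS
netc    NetC      Internet
loc     Local     Local networks
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
netc    eth0        detect      routefilter,norfc1918
loc     eth1        detect
"""
POLICY = """\
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
"""
RULES = """\
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
ACCEPT    netc     loc:192.168.1.130   tcp     smtp,www
"""
# Assumed: FW defaults to "fw"; "all" is valid without a zones entry.
PSEUDO_ZONES = {"all", "fw"}

def records(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def zone_of(field):
    """Strip an address qualifier: 'loc:192.168.1.130' -> 'loc'."""
    return field.split(":", 1)[0]

def undefined_zones(zones_text, interfaces_text, policy_text, rules_text):
    """Map each file name to the sorted zone names it uses but zones lacks."""
    known = {f[0] for f in records(zones_text)} | PSEUDO_ZONES
    refs = {
        "interfaces": [f[0] for f in records(interfaces_text)],
        "policy": [z for f in records(policy_text) for z in f[:2]],
        "rules": [zone_of(z) for f in records(rules_text) for z in f[1:3]],
    }
    return {name: sorted(set(zs) - known) for name, zs in refs.items()}

if __name__ == "__main__":
    for name, missing in undefined_zones(ZONES, INTERFACES, POLICY, RULES).items():
        print(f"{name:10s}", "OK" if not missing else "undefined: " + ", ".join(missing))
```

With the sample files the report flags only the policy file, which is exactly the case the start/restart path in that release missed.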