Hi,

I am having a problem with setting up "maclist" with the following versions.
I am using RedHat stock kernel 2.4.20-20.7 and iptables 1.2.8.

shorewall-1.4.6c
shorewall-1.4.7b
shorewall-1.4.7c
shorewall-1.4.8-0RC1

Shorewall stops with the following error.

<snip>
Setting up MAC Verification on eth2...
Bad argument `RETURN'
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
<snip>

Here are the configuration files

/etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
dmz     DMZ       Demilitarized zone
p2p     p2p       Point to Point Link
vpn     vpn       PPTP VPN Clients
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        detect
loc     eth2        10.255.255.255   maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Thanks,
Venkatesh K
On Fri, 31 Oct 2003, Venkatesh. K wrote:

> Hi,
>
> I am having a problem with setting up "maclist" with the following versions.
> I am using RedHat stock kernel 2.4.20-20.7 and iptables 1.2.8.
>
> shorewall-1.4.6c
> shorewall-1.4.7b
> shorewall-1.4.7c
> shorewall-1.4.8-0RC1
>
> Shorewall stops with the following error.
>
> <snip>
> Setting up MAC Verification on eth2...
> Bad argument `RETURN'
> Try `iptables -h' or 'iptables --help' for more information.
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> <snip>
>
> Here are the configuration files
>
> /etc/shorewall/zones
> #ZONE   DISPLAY   COMMENTS
> net     Net       Internet
> loc     Local     Local networks
> dmz     DMZ       Demilitarized zone
> p2p     p2p       Point to Point Link
> vpn     vpn       PPTP VPN Clients
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST        OPTIONS
> net     eth0        detect
> loc     eth2        10.255.255.255   maclist
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>

On the Shorewall home page, you will see three Frames.

In the left-hand Frame is an Index.

In that Index is an entry entitled "Things to try if it doesn't work"

If you click on that link, you will see a heading "If the firewall fails to start"

Please follow the instructions that you find there.

And also please tell me what I can do to make that information easier to find because I am completely out of ideas....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-31 at 12:20, Tom Eastep wrote:

> And also please tell me what I can do to make that information easier to
> find because I am completely out of ideas....

This may be too late for the folks already subscribed to this list....but since you are soliciting ideas....

Correct me if I am wrong, it has been a while, but I believe it is a 2 step process to subscribe.

1. You subscribe via the web and are sent an email.
2. You respond to the email to verify that you are the one subscribing.

While it is not a cure it "may" help the situation if the confirm email contains information along the lines of "Before posting to this list, please see the problem reporting guidelines."

An alternative would be to make the confirmation process an interactive one where the subscriber has to visit a URL with the "guidelines" and a "confirm" button tucked away so you actually have to read what is there.

Oh, and I don't know if the policy has changed....but you may want to consider allowing only subscribed members the ability to post.

--
"An opinion is like an asshole - everybody has one." - Clint Eastwood as Harry Callahan, The Dead Pool - 1988.
I found out the source of the problem. In fact I had gone through the mailing list archives and the troubleshooting info available on the site.

Generally, I write my own network init script to replace the generic network script of RedHat. My network init script uses the "iproute2" toolset instead of ifconfig.

<snip>
ip addr add 192.168.0.1/32 brd 192.168.0.255 dev eth0
ip route add 192.168.0.0/24 scope link proto kernel src 192.168.0.1 dev eth0
<snip>

<shorewall cmd>iptables -A eth2_mac -s 192.168.1.253 -d -j RETURN<error>

Shorewall might be having trouble parsing the network information with the above setup. The correct command should be "iptables -A eth2_mac -s 192.168.1.253 -d 255.255.255.255 -j RETURN"

Shorewall doesn't have any problems as long as the maclist option is not used.

Venkatesh K

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, October 31, 2003 9:50 AM
Subject: Re: [Shorewall-users] Bug? with Maclist option

> On Fri, 31 Oct 2003, Venkatesh. K wrote:
>
> > Hi,
> >
> > I am having a problem with setting up "maclist" with the following versions.
> > I am using RedHat stock kernel 2.4.20-20.7 and iptables 1.2.8.
> >
> > shorewall-1.4.6c
> > shorewall-1.4.7b
> > shorewall-1.4.7c
> > shorewall-1.4.8-0RC1
> >
> > Shorewall stops with the following error.
> >
> > <snip>
> > Setting up MAC Verification on eth2...
> > Bad argument `RETURN'
> > Try `iptables -h' or 'iptables --help' for more information.
> > Processing /etc/shorewall/stop ...
> > Processing /etc/shorewall/stopped ...
> > <snip>
> >
> > Here are the configuration files
> >
> > /etc/shorewall/zones
> > #ZONE   DISPLAY   COMMENTS
> > net     Net       Internet
> > loc     Local     Local networks
> > dmz     DMZ       Demilitarized zone
> > p2p     p2p       Point to Point Link
> > vpn     vpn       PPTP VPN Clients
> > #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> >
> > /etc/shorewall/interfaces
> > #ZONE   INTERFACE   BROADCAST        OPTIONS
> > net     eth0        detect
> > loc     eth2        10.255.255.255   maclist
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
>
> On the Shorewall home page, you will see three Frames.
>
> In the left-hand Frame is an Index.
>
> In that Index is an entry entitled "Things to try if it doesn't work"
>
> If you click on that link, you will see a heading "If the firewall fails
> to start"
>
> Please follow the instructions that you find there.
>
> And also please tell me what I can do to make that information easier to
> find because I am completely out of ideas....
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 2003-10-31 at 05:03, Venkatesh. K wrote:

> I found out the source of the problem. In fact I had gone through the mailing list
> archives and the troubleshooting info available on the site.
>
> Generally, I write my own network init script to replace the generic network
> script of RedHat. My network init script uses the "iproute2" toolset instead of
> ifconfig.
>
> <snip>
> ip addr add 192.168.0.1/32 brd 192.168.0.255 dev eth0
> ip route add 192.168.0.0/24 scope link proto kernel src 192.168.0.1 dev eth0
> <snip>
>
> <shorewall cmd>iptables -A eth2_mac -s 192.168.1.253 -d -j RETURN<error>
>
> Shorewall might be having trouble parsing the network information with the
> above setup. The correct command should be "iptables -A eth2_mac -s
> 192.168.1.253 -d 255.255.255.255 -j RETURN"
>
> Shorewall doesn't have any problems as long as the maclist option is not used.
>

I still won't be able to fix it if you don't send me a trace.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-31 at 06:52, Tom Eastep wrote:

> > Shorewall doesn't have any problems as long as the maclist option is not used.
> >
>
> I still won't be able to fix it if you don't send me a trace.

Never mind -- I've been able to reproduce the problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-31 at 07:09, Tom Eastep wrote:

> On Fri, 2003-10-31 at 06:52, Tom Eastep wrote:
>
> > > Shorewall doesn't have any problems as long as the maclist option is not used.
> > >
> >
> > I still won't be able to fix it if you don't send me a trace.
>
> Never mind -- I've been able to reproduce the problem.
>

The version of the 'firewall' script in CVS (Shorewall/ project) corrects this problem. The script was not expecting /32 addresses to have a broadcast address associated with them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
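As an added illustration of the failure discussed in this thread (this is example code, not Shorewall's firewall script or Tom's fix), the POSIX shell fragment below parses `ip -4 -o addr show` output by keyword so a broadcast on a /32 address cannot shift the fields, and validates every generated iptables argument before use so an empty `-d` is caught with a useful message instead of iptables' "Bad argument `RETURN'". The sample `ip` lines, the `_mac` chain naming and the 255.255.255.255 fallback for a /32 without a broadcast are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's firewall script: parse `ip -4 -o addr show`
# output by keyword (so a "brd" token on a /32 address cannot shift fields)
# and refuse to build an iptables command with an empty argument, which is
# what iptables reports as "Bad argument `RETURN'" in the thread above.
# SAMPLE_IP_ADDR is constructed to mimic that output; it is not captured data.
SAMPLE_IP_ADDR='2: eth2    inet 192.168.1.253/32 brd 192.168.1.255 scope global eth2
3: eth2    inet 10.9.8.7/32 scope global eth2
4: eth0    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'

# Print "address broadcast" for every IPv4 address on interface $1. The
# broadcast is whatever follows the "brd" keyword; a /32 without one gets
# 255.255.255.255 (assumption: the limited broadcast, as in the poster's
# corrected rule), so the destination field can never be empty.
iface_addrs() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v dev="$1" '
        $2 == dev && $3 == "inet" {
            split($4, a, "/"); brd = ""
            for (i = 5; i < NF; i++) if ($i == "brd") brd = $(i + 1)
            if (brd == "") brd = "255.255.255.255"
            print a[1], brd
        }'
}

# Dotted-quad check: each generated -s/-d value must look like an address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the RETURN rule for one host in the per-interface maclist chain.
# iptables only complains about the token *after* an empty -d, so validate
# here and name the interface and values in the message instead.
maclist_return_rule() {
    if ! is_ipv4 "$2" || ! is_ipv4 "$3"; then
        echo "refusing maclist rule for $1: src='$2' dst='$3'" >&2
        return 1
    fi
    echo "iptables -A ${1}_mac -s $2 -d $3 -j RETURN"
}

# Emit all RETURN rules for interface $1; the first bad one aborts the run
# so a half-built chain is never handed to iptables.
maclist_rules() {
    iface_addrs "$1" | while read -r src dst; do
        maclist_return_rule "$1" "$src" "$dst" || exit 1
    done
}

maclist_rules eth2
```

The functions only print the commands; on a real host you would replace the `echo` in `maclist_return_rule` with the actual `iptables` call once the arguments have passed the check.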
Hi,

Thanks for the help. I had resolved this problem just after I wrote to the List by using

ip address add 192.168.0.1/24 brd + dev eth0

instead of setting up a /32 address and later adding a route. I maintain a crazy setup where there is a need to add 768 IP address(s) to a single interface for doing SNAT :( and "ifconfig" would not fit the bill.

Again, thanks for the help.

Venkatesh K

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, October 31, 2003 9:03 PM
Subject: Re: [Shorewall-users] Bug? with Maclist option

> On Fri, 2003-10-31 at 07:09, Tom Eastep wrote:
> > On Fri, 2003-10-31 at 06:52, Tom Eastep wrote:
> > >
> > > > > Shorewall doesn't have any problems as long as the maclist option is not used.
> > > > >
> > > >
> > > > I still won't be able to fix it if you don't send me a trace.
> > >
> > > Never mind -- I've been able to reproduce the problem.
> > >
>
> The version of the 'firewall' script in CVS (Shorewall/ project)
> corrects this problem. The script was not expecting /32 addresses to
> have a broadcast address associated with them.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net