Not subscribed on the list

Platform: Red Hat 8
uname -a: Linux 2.4.18-3
shorewall version: 2.0.2f

I used the Two-interface QuickStart Guide <http://www.shorewall.net/two-interface.htm> to guide me through the configuration.

[root@kjolur shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:e4:0a:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:47:c4:b6 brd ff:ff:ff:ff:ff:ff
    inet 212.30.207.245/30 brd 212.30.207.247 scope global eth1

[root@kjolur shorewall]# ip route show
212.30.207.244/30 dev eth1 scope link
192.168.100.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 212.30.207.246 dev eth1

my /etc/shorewall/interfaces was:
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

None of my DNAT rules worked. /var/log/messages said something like
RFC1918 REJECTION

I noticed that there was no rfc1918 file in /etc/shorewall. I changed
my /etc/shorewall/interfaces to
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And everything is working fine!
Could it be that the problem was caused by the rfc1918 file not being
ported with the rpm file in question?

At last let me say this:
Shorewall is amazing! This seems to be the best documented and supported
open source software I have ever come around. Shorewall exceeds any
proprietary software/system in this respect. Thanks! Using shorewall, I
would recommend shorewall/Linux for firewall instead of any other
commercial systems for many companies.

Again thanks!

Ásgeir Ægisson
Ásgeir Ægisson wrote:

> [root@kjolur shorewall]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:97:e4:0a:9e brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:10:4b:47:c4:b6 brd ff:ff:ff:ff:ff:ff
>     inet 212.30.207.245/30 brd 212.30.207.247 scope global eth1
>
> [root@kjolur shorewall]# ip route show
> 212.30.207.244/30 dev eth1 scope link
> 192.168.100.0/24 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 212.30.207.246 dev eth1
>
> my /etc/shorewall/interfaces was:
> ##############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      routefilter,norfc1918,tcpflags
> loc     eth0        detect      tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> None of my DNAT rules worked. /var/log/messages said something like
> RFC1918 REJECTION

Please quote exact log messages -- "...said something like..." doesn't
give us enough to go on.

> I noticed that there was no rfc1918 file in /etc/shorewall.

There shouldn't be -- the released rfc1918 file is in
/var/share/shorewall. If you need to modify that file then you copy it
to /etc/shorewall and modify the copy.

> I changed my /etc/shorewall/interfaces to
> ##############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      routefilter,tcpflags
> loc     eth0        detect      tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> And everything is working fine!
> Could it be that the problem was caused by the rfc1918 file not being
> ported with the rpm file in question?

No. We would have to see the exact log messages to understand why you
were having problems (along with your DNAT rule(s)). From what you've
posted, I can't think why removing 'norfc1918' would change anything.

> At last let me say this:
> Shorewall is amazing! This seems to be the best documented and supported
> open source software I have ever come around. Shorewall exceeds any
> proprietary software/system in this respect. Thanks! Using shorewall, I
> would recommend shorewall/Linux for firewall instead of any other
> commercial systems for many companies.

Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
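As an added example (not code from the post, nor from Shorewall itself), a small Python model of what the norfc1918 interface option does to the two interfaces files quoted above: a packet with a private source arriving on eth1 is rejected only while the option is set, while a packet from the public upstream address passes either way, which is why removing the option is not expected to affect ordinary DNAT traffic. The RFC 1918 block list and the sample packets are constructed assumptions; Shorewall drives the real check from its rfc1918 file through iptables.

```python
import ipaddress
# Constructed copies of the two /etc/shorewall/interfaces files from the post:
# the original with norfc1918 on the net interface, and the edited one without it.
INTERFACES_WITH_NORFC1918 = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
INTERFACES_WITHOUT_NORFC1918 = INTERFACES_WITH_NORFC1918.replace("norfc1918,", "")

# The three blocks RFC 1918 reserves for private use (assumption: the stock
# Shorewall rfc1918 file covers these; the real file is what drives the check).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample packets as (interface, source): the public upstream router,
# a private source arriving from the net side, and a LAN host on the loc side.
SAMPLE_PACKETS = [("eth1", "212.30.207.246"), ("eth1", "10.0.0.5"),
                  ("eth0", "192.168.100.50")]


def parse_interfaces(text):
    """Map interface -> (zone, set of options) from a Shorewall interfaces file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        opts = fields[3] if len(fields) > 3 else "-"
        table[fields[1]] = (fields[0], set() if opts == "-" else set(opts.split(",")))
    return table


def rfc1918_verdict(table, iface, src):
    """Simplified model of the norfc1918 option: a packet with an RFC 1918 source
    arriving on an interface that carries the option is rejected instead of
    reaching the zone's rules and policy; everything else passes through."""
    _zone, options = table[iface]
    private = any(ipaddress.ip_address(src) in net for net in RFC1918_NETS)
    return "reject" if "norfc1918" in options and private else "pass"


def audit(interfaces_text, packets):
    """Apply the check to every (interface, source) pair for one interfaces file."""
    table = parse_interfaces(interfaces_text)
    return [(iface, src, rfc1918_verdict(table, iface, src)) for iface, src in packets]
```

Running audit() against both constants shows the only verdict that changes between the two files is the private-source packet on eth1.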
Ásgeir Ægisson wrote:

> Not subscribed on the list
>
> Platform: Red Hat 8
> uname -a: Linux 2.4.18-3

Aha -- this may provide a clue. This old kernel didn't have connection
tracking match; I wonder if I've managed to break something with respect
to these old kernels.

Would you be so kind as to re-enable 'norfc1918' then forward the output
of "shorewall status" as an attachment?

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net