Shorewall users - Jun 2004 - Shorewall-2.0.2f-1.noarch.rpm has no rfc1918 file

Not subscribed on the list
 
Platform: Red Hat 8
uname -a: Linux 2.4.18-3
shorewall version: 2.0.2f
 
I used the   <http://www.shorewall.net/two-interface.htm> Two-interface
QuickStart Guide to guide me through the configuration.
 
[root@kjolur shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:e4:0a:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:47:c4:b6 brd ff:ff:ff:ff:ff:ff
    inet 212.30.207.245/30 brd 212.30.207.247 scope global eth1
 
[root@kjolur shorewall]# ip route show
212.30.207.244/30 dev eth1  scope link
192.168.100.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 212.30.207.246 dev eth1
 
my /etc/shorewall/interfaces was:
########################################################################
######
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          routefilter,norfc1918,tcpflags
loc     eth0            detect          tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
None of my DNAT rules worked.  /var/log/messages said something like
RFC1918 REJECTION
 
I noticed that there was no rfc1918 file in /etc/shorewall.  I changed
my /etc/shorewall/interfaces to
########################################################################
######
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          routefilter,tcpflags
loc     eth0            detect          tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
And everythins is working fine!
Could it be that the problem was caused by the rfc1918 file not being
ported with the rpm file in question?
 
At last let me say this:
Shorewall is amazing! This seems to be the best documented and supported
open source software I have ever come around.  Shorewall exceeds any
proprietary software/system in this respect. Thanks!  Using shorewall, I
would recommend shorewall/Linux for firewall instead of any other
commercial systems for many companies.
 
Again thanks!
 
Ásgeir Ægisson

Ásgeir Ægisson wrote:
>  
> [root@kjolur shorewall]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:97:e4:0a:9e brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:10:4b:47:c4:b6 brd ff:ff:ff:ff:ff:ff
>     inet 212.30.207.245/30 brd 212.30.207.247 scope global eth1
>  
> [root@kjolur shorewall]# ip route show
> 212.30.207.244/30 dev eth1  scope link
> 192.168.100.0/24 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 212.30.207.246 dev eth1
>  
> my /etc/shorewall/interfaces was:
> ########################################################################
> ######
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth1            detect          routefilter,norfc1918,tcpflags
> loc     eth0            detect          tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>  
> None of my DNAT rules worked.  /var/log/messages said something like
> RFC1918 REJECTION
Please quote exact log messages -- "...said something like..."
doesn''t
give us enough to go on.
>  
> I noticed that there was no rfc1918 file in /etc/shorewall.
There shouldn''t be -- the released rfc1918 file is in 
/var/share/shorewall. If you need to modify that file then you copy it 
to /etc/shorewall and modify the copy.

I changed
> my /etc/shorewall/interfaces to
> ########################################################################
> ######
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth1            detect          routefilter,tcpflags
> loc     eth0            detect          tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>  
> And everythins is working fine!
> Could it be that the problem was caused by the rfc1918 file not being
> ported with the rpm file in question?
No. We would have to see the exact log messages to understand why you 
were having problems (along with your DNAT rule(s)). From what you''ve 
posted, I can''t think why removing ''norfc1918'' would
change anything.
>  
> At last let me say this:
> Shorewall is amazing! This seems to be the best documented and supported
> open source software I have ever come around.  Shorewall exceeds any
> proprietary software/system in this respect. Thanks!  Using shorewall, I
> would recommend shorewall/Linux for firewall instead of any other
> commercial systems for many companies.
Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Ásgeir Ægisson wrote:
> Not subscribed on the list
>  
> Platform: Red Hat 8
> uname -a: Linux 2.4.18-3
Aha -- this may provide a clue. This old kernel didn''t have connection 
tracking match; I wonder if I''ve managed to break something with
respect
to these old kernels.

Would you be so kind as to re-enable ''norfc1918'' then forward
the output
of "shorewall status" as an attachment?

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net