I am setting up a shorewall system with 4 NIC's as per the outline specification below. Can anyone please have a look and let me know what I have missed and what I have got wrong, as I want to take this system live ASAP but do not want to kill internet access and the hosting for too long! I have listed below the system outline and have attached the config files that I have changed; if you need more details please let me know. I have also attached the output from Shorewall check if this is of any use?

Shorewall firewall system config. System outline:

    ETH0  212.219.13.74/24   Link to the Internet
                             Subnet 255.255.255.0
                             Default router 212.219.13.254
    ETH1  10.2.0.1/24        Link to local network, people split into groups by IP for different access.
                             Subnet 255.0.0.0
    ETH2  192.168.202.1/24   Link to DMZ
                             Subnet 25.255.255.0
    ETH3  10.3.0.1/16        Internal systems for Students (squid is also running on 10.0.0.1 for most
                             users who will not have direct access to the Internet)

3 servers using the following IP's to be in the DMZ: 212.219.13.200, 212.219.13.203, 212.219.13.252. These cover DNS, FTP, POP3, SMTP, WWW, SSH & Webmin (port 10000).

There are 5 GROUPS of people who should have the following access to the Internet:

    Teachers      Port 80 only
    Admin staff   Port 80 only
    Technical     Ports 21, 22, 25, 53, 80, 110, 443, 659, 10000
    Students      NO Direct access! (only via squid)
    Senior Staff  Ports 80, 443, 569

I also want ETH3 to be LIVE when the firewall is shutdown!

Many thanks

Denis Croombs

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Marvin the E-Mail scanner
Denis Croombs wrote:
> I am setting up a shorewall system with 4 NIC's as per the outline
> specification below. Can anyone please have a look and let me know what I
> have missed and what I have got wrong as I want to take this system live
> ASAP but do not want to kill internet access and the hosting for too long !

You have a number of zones nested inside the 'loc' zone yet you have listed those sub-zones *after* 'loc' in /etc/shorewall/zones. That won't work -- the sub-zones must be listed first.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Denis Croombs wrote:
> I am setting up a shorewall system with 4 NIC's as per the outline
> specification below. Can anyone please have a look and let me know what I
> have missed and what I have got wrong as I want to take this system live
> ASAP but do not want to kill internet access and the hosting for too long !

Even though there is an emphatic comment that the 'all'->'all' policy must be last in the policy file, you've managed to place another policy after it.

-Tom
> You have a number of zones nested inside the 'loc' zone yet you have
> listed those sub-zones *after* 'loc' in /etc/shorewall/zones. That won't
> work -- the sub-zones must be listed first.
>
> -Tom

Solved. Many thanks

Denis
> Even though there is an emphatic comment that the 'all'->'all' policy
> must be last in the policy file, you've managed to place another policy
> after it.
>
> -Tom

Thanks for that, I have corrected that error.

Does that mean the rest is 100% correct?

Regards

Denis
Denis Croombs wrote:
>> Even though there is an emphatic comment that the 'all'->'all' policy
>> must be last in the policy file, you've managed to place another policy
>> after it.
>>
>> -Tom
>
> Thanks for that, I have corrected that error.
>
> Does that mean the rest is 100% correct ?

No -- it means that those are the two problems I spotted in the few minutes I spent looking at your configuration.

-Tom
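A small checker for the two mistakes Tom found in this thread, added here as an example (it is not Shorewall's own code). It reads the 1.4-style column formats of /etc/shorewall/interfaces, hosts, zones and policy; the sample file contents and the zone names teach/tech are constructed for illustration, not Denis's real files.

```python
"""Lint the two ordering mistakes from the thread: sub-zones listed after
their parent in /etc/shorewall/zones, and a policy placed after the
all->all line in /etc/shorewall/policy.

A zone defined in /etc/shorewall/hosts on an interface that
/etc/shorewall/interfaces assigns to another zone is nested in that zone,
which is how the sub-zone relation is derived here (an assumption that
matches the 1.x file layout).
"""


def rows(text):
    """Whitespace-split columns of each non-comment, non-empty line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def nested_zones(interfaces_text, hosts_text):
    """Map sub-zone -> parent zone, via the interface each hosts entry names."""
    iface_zone = {cols[1]: cols[0] for cols in rows(interfaces_text) if cols[0] != "-"}
    parents = {}
    for cols in rows(hosts_text):
        zone, iface = cols[0], cols[1].split(":", 1)[0]
        parent = iface_zone.get(iface)
        if parent and parent != zone:
            parents[zone] = parent
    return parents


def zone_order_errors(zones_text, parents):
    """(sub, parent) pairs where the sub-zone is listed after its parent."""
    pos = {cols[0]: i for i, cols in enumerate(rows(zones_text))}
    return sorted((sub, par) for sub, par in parents.items()
                  if sub in pos and par in pos and pos[sub] > pos[par])


def policy_order_errors(policy_text):
    """Policy rows that appear after the all->all policy (it must be last)."""
    table = rows(policy_text)
    for i, cols in enumerate(table):
        if cols[0] == "all" and cols[1] == "all":
            return table[i + 1:]
    return []


# Constructed sample mirroring the post: loc on eth1 with two sub-zones
# carved out of it by address, and a policy placed after all->all.
INTERFACES = """#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect
loc    eth1       detect
dmz    eth2       detect
"""
HOSTS = """#ZONE  HOST(S)            OPTIONS
teach  eth1:10.2.1.0/24
tech   eth1:10.2.2.0/24
"""
ZONES_BAD = """#ZONE  DISPLAY    COMMENTS
net    Net        Internet
loc    Local      Local network
dmz    DMZ        Hosted servers
teach  Teachers   Teaching staff
tech   Technical  Technical staff
"""
POLICY_BAD = """#SOURCE  DEST  POLICY  LOG_LEVEL
loc      net   DROP    info
net      all   DROP    info
all      all   REJECT  info
teach    net   ACCEPT
"""
```

Running `zone_order_errors(ZONES_BAD, nested_zones(INTERFACES, HOSTS))` reports both sub-zones, and `policy_order_errors(POLICY_BAD)` returns the stray teach->net policy.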
Hello,

I have been using Shorewall for a time, and now I needed to configure an ADSL dual link setup. Not a load-balance solution, but one where specific services (CVS and email) go through one link and all the other services go through the other one. For that, I read the FAQ and the LARTC examples, and for outgoing packets coming from the intranet or incoming packets coming to the firewall itself it worked fine. Still, I can't seem to make it work for outgoing packets from the firewall itself and for packets that are DNATed to the intranet. I know this is a much more LARTC related question, I just want to be sure I'm not doing anything wrong with Shorewall.

I'm using Shorewall 1.4.10e on a 2.4.20-31.9 kernel from Redhat. Here is my ip route config:

    P1_NET="192.168.200.0/24"
    P2_NET="192.168.7.104/29"
    IF1="eth0"
    IF2="eth2"
    IP1="192.168.200.1"
    IP2="192.168.7.106"
    P1="192.168.200.254"
    P2="192.168.7.105"
    P0_NET="192.168.10.0/24"
    IF0="eth1"

    ip route add $P1_NET dev $IF1 src $IP1 table slow
    ip route add default via $P1 table slow
    ip route add $P2_NET dev $IF2 src $IP2 table fast
    ip route add default via $P2 table fast
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
    ip route add default via $P2
    ip rule add from $IP1 table slow
    ip rule add from $IP2 table fast
    ip route add $P0_NET dev $IF0 table slow
    ip route add $P2_NET dev $IF2 table slow
    ip route add 127.0.0.0/8 dev lo table slow
    ip route add $P0_NET dev $IF0 table fast
    ip route add $P1_NET dev $IF1 table fast
    ip route add 127.0.0.0/8 dev lo table fast
    ip rule add fwmark 0x5 table slow prio 0

Default route is through fastlink.

And then, on tcrules on Shorewall:

    5 eth1 0.0.0.0/0 tcp 2401
    5 eth1 0.0.0.0/0 tcp 25
    5 $FW  0.0.0.0/0 tcp 25

I'm marking packets on PREROUTING. The first line marks all outgoing CVS packets coming from the intranet, and the second the email ones. This works fine. The third line should mark all email packets going out of the firewall, but they still go out through "fastlink", and with eth2 IP, instead of going through "slowlink", with eth0 IP. This is the "outgoing packets from the firewall" problem.

About the DNAT problem, is this possible at all? Like, regardless of whether the connection comes from slowlink (eth0) or fastlink (eth2), it can be DNATed to the intranet? Right now, tcpdump shows that both connections are DNATed ok, but the returning packets always go out through fastlink (default route).

See you, and thanks for the great work Tom.

Marcelo
Marcelo Mercio Dandrea wrote:
|
| And then, on tcrules on Shorewall:
|
|     5 eth1 0.0.0.0/0 tcp 2401
|     5 eth1 0.0.0.0/0 tcp 25
|     5 $FW  0.0.0.0/0 tcp 25
|
| I'm marking packets on PREROUTING
| The first line marks all outgoing CVS packets coming from the intranet,
| and the second the email ones. This works fine
| The third line should mark all email packets going out of the firewall,
| but they still go out through "fastlink", and with eth2 IP, instead of going
| through "slowlink", with eth0 IP. This is the "outgoing packets from the
| firewall" problem.

Please show us the output of "shorewall show mangle".

| About the DNAT problem, is this possible at all ?

See the additional information in FAQ 32 provided by Martin Brown. It is my understanding that that information is critical for getting DNAT to work.

-Tom
Hi Tom,

Thanks for the prompt answer. Here's the shorewall show mangle output:

    Shorewall-1.4.10e TOS at xxx.xxxx.com.br - Wed Aug 18 15:02:12 BRT 2004

    Counters reset Wed Aug 18 15:02:07 BRT 2004

    Chain PREROUTING (policy ACCEPT 9234K packets, 2848M bytes)
     pkts bytes target  prot opt in   out  source            destination
      299  167K pretos  all  --  *    *    0.0.0.0/0         0.0.0.0/0
      281  157K tcpre   all  --  *    *    0.0.0.0/0         0.0.0.0/0
        9  1115 MARK    tcp  --  eth1 *    !192.168.10.254   0.0.0.0/0    tcp dpt:80 MARK set 0xca

    Chain INPUT (policy ACCEPT 2161K packets, 260M bytes)
     pkts bytes target  prot opt in   out  source            destination

    Chain FORWARD (policy ACCEPT 6925K packets, 2394M bytes)
     pkts bytes target  prot opt in   out  source            destination
      215  144K tcfor   all  --  *    *    0.0.0.0/0         0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 2767K packets, 362M bytes)
     pkts bytes target  prot opt in   out  source            destination
       99  6412 outtos  all  --  *    *    0.0.0.0/0         0.0.0.0/0
       89  5576 tcout   all  --  *    *    0.0.0.0/0         0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 9691K packets, 2756M bytes)
     pkts bytes target  prot opt in   out  source            destination

    Chain outtos (1 references)
     pkts bytes target  prot opt in   out  source            destination

    Chain pretos (1 references)
     pkts bytes target  prot opt in   out  source            destination

    Chain tcfor (1 references)
     pkts bytes target  prot opt in   out  source            destination

    Chain tcout (1 references)
     pkts bytes target  prot opt in   out  source            destination
        0     0 MARK    tcp  --  *    *    0.0.0.0/0         0.0.0.0/0    tcp dpt:25 MARK set 0x5

    Chain tcpre (1 references)
     pkts bytes target  prot opt in   out  source            destination
        0     0 MARK    tcp  --  eth1 *    0.0.0.0/0         0.0.0.0/0    tcp dpt:2401 MARK set 0x5
        0     0 MARK    tcp  --  eth1 *    0.0.0.0/0         0.0.0.0/0    tcp dpt:25 MARK set 0x5

That 0xca mark is for the web proxy; it is inside the intranet, so Shorewall sends the packet back. It's working fine.

Regarding FAQ 32, I read the Martin Brown contribution (an excerpt of which is btw now on http://www.docum.org/docum.org/faq/cache/44.html). About outgoing connections, it seems everything I have done is correct. Still, it seems the marking on the output chain (for locally created packets) doesn't trigger the ip rule. Still doesn't work.

About the incoming connections (and the DNAT problem), it seems it involves the use of two IP addresses on the internal machine. Makes sense, it sounds possible now : ) I'll try it.

Thanks,

Marcelo

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, August 18, 2004 11:39 AM
Subject: Re: [Shorewall-users] Two Links and DNAT
Marcelo Mercio Dandrea wrote:
|
| Chain OUTPUT (policy ACCEPT 2767K packets, 362M bytes)
|  pkts bytes target  prot opt in   out  source       destination
|    99  6412 outtos  all  --  *    *    0.0.0.0/0    0.0.0.0/0
|    89  5576 tcout   all  --  *    *    0.0.0.0/0    0.0.0.0/0
|
| Chain tcout (1 references)
|  pkts bytes target  prot opt in   out  source       destination
|     0     0 MARK    tcp  --  *    *    0.0.0.0/0    0.0.0.0/0    tcp dpt:25 MARK set 0x5

Those rules are correct. Marking of locally-generated packets must occur in the OUTPUT chain, which is what the above is showing.

-Tom
Marcelo Mercio Dandrea wrote:
| ip route add default via $P2
| ip rule add from $IP1 table slow
| ip rule add from $IP2 table fast
| ip route add $P0_NET dev $IF0 table slow
| ip route add $P2_NET dev $IF2 table slow
| ip route add 127.0.0.0/8 dev lo table slow
| ip route add $P0_NET dev $IF0 table fast
| ip route add $P1_NET dev $IF1 table fast
| ip route add 127.0.0.0/8 dev lo table fast
| ip rule add fwmark 0x5 table slow prio 0

I wonder if reordering your rules to place this one first would correct the "from the firewall" problem...

-Tom
Actually, due to the "prio 0" entry, it is the first "changeable" one, right after the kernel "local" one, and this one it seems I can't change.

    [root@magyar root]# ip rule
    0:      from all lookup local
    0:      from all fwmark 0x5 lookup slow
    1:      from 0.0.0.0 fwmark 0xca lookup www.out

It's odd, because the marking is correct (I changed it to mark TOS instead of fwmark, so it would appear on tcpdump) and the packets are even going out through the right interface.. like, a local email packet is going out through eth0.. but with eth2 address!

On the bright side, the "two IPs on the internal machine" solution for two links and DNAT worked, so now only the locally generated packets problem is left. I'll try to google more about it.

Thanks!

Marcelo

Tom Eastep wrote:
> Marcelo Mercio Dandrea wrote:
>> ip rule add fwmark 0x5 table slow prio 0
>
> I wonder if reordering your rules to place this one first would correct
> the "from the firewall" problem...
Btw, by "shorewall show nat" I just noticed that I was doing SNAT only for packets coming from eth1 (intranet). So now I added the following line to /etc/shorewall/start:

    iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source 192.168.200.1

I'm not sure if this is the correct/best solution... but it worked. Now locally generated smtp packets go out only through eth0 (slowlink).

Marcelo

Tom Eastep wrote:
> Marcelo Mercio Dandrea wrote:
>> ip rule add fwmark 0x5 table slow prio 0
>
> I wonder if reordering your rules to place this one first would correct
> the "from the firewall" problem...
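A small model of the route lookup behind "going out through eth0, but with eth2's address", added here as an example; it is neither kernel nor Shorewall code. It reproduces the tables, rules, tcrule and SNAT line from Marcelo's posts in a simulator, and assumes the usual order for a locally generated packet: the first route lookup (which picks the source address) happens before the mangle OUTPUT chain sets the mark, and the re-route after marking changes only the device. The destination address is constructed.

```python
"""Why a firewall-generated SMTP packet leaves on eth0 with eth2's address.

Step 1: route lookup with mark 0 -> main table default via eth2, so the
source address becomes IP2. Step 2: tcout marks the packet 0x5. Step 3:
re-route with the mark -> table slow -> eth0, but the source is kept.
Step 4: the nat POSTROUTING SNAT rule rewrites the source to IP1.
"""
import ipaddress

IP1, IP2 = "192.168.200.1", "192.168.7.106"   # IF1=eth0 (slow), IF2=eth2 (fast)
P1, P2 = "192.168.200.254", "192.168.7.105"   # the two gateways

# table -> [(prefix, device, gateway, preferred source)]; longest prefix wins
TABLES = {
    "slow": [("192.168.200.0/24", "eth0", None, IP1), ("0.0.0.0/0", "eth0", P1, IP1)],
    "fast": [("192.168.7.104/29", "eth2", None, IP2), ("0.0.0.0/0", "eth2", P2, IP2)],
    "main": [("192.168.200.0/24", "eth0", None, IP1),
             ("192.168.7.104/29", "eth2", None, IP2),
             ("0.0.0.0/0", "eth2", P2, IP2)],      # "ip route add default via $P2"
}
# (priority, selector, table) in the order "ip rule" evaluates them
RULES = [(0, {"fwmark": 0x5}, "slow"),
         (32764, {"from": IP2}, "fast"),
         (32765, {"from": IP1}, "slow"),
         (32766, {}, "main")]
TCRULES_FW = {25: 0x5}                         # "5 $FW 0.0.0.0/0 tcp 25"
SNAT_RULES = [("eth0", 25, IP1)]               # (out device, dport, --to-source)


def lookup(dst, src=None, mark=0):
    """Walk the rules in priority order; return (device, gateway, source)."""
    dst_ip = ipaddress.ip_address(dst)
    for _prio, sel, table in RULES:
        if sel.get("from", src) != src or sel.get("fwmark", mark) != mark:
            continue
        matches = [r for r in TABLES[table]
                   if dst_ip in ipaddress.ip_network(r[0])]
        if matches:
            _prefix, dev, gw, pref_src = max(
                matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return dev, gw, src or pref_src     # a bound source is never replaced
    raise LookupError("no route to %s" % dst)


def send_local(dst, dport, with_snat=True):
    """Device and source address a firewall-generated TCP packet leaves with."""
    dev, _gw, src = lookup(dst)                 # step 1: source chosen, mark 0
    mark = TCRULES_FW.get(dport, 0)             # step 2: mangle OUTPUT marks it
    if mark:
        dev, _gw, src = lookup(dst, src, mark)  # step 3: re-route, keep source
    if with_snat:                               # step 4: nat POSTROUTING
        for out_dev, port, to_source in SNAT_RULES:
            if out_dev == dev and port == dport:
                src = to_source
    return dev, src
```

`send_local("203.0.113.10", 25, with_snat=False)` gives ("eth0", IP2), the symptom seen in tcpdump; with the SNAT rule it gives ("eth0", IP1), and port 80 traffic stays on ("eth2", IP2).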
> Btw, by "shorewall show nat" I just noticed that I was doing snat only
> for packets coming from eth1 (intranet). So now I added the following line
> to /etc/shorewall/start
>
> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source
> 192.168.200.1
>
> I'm not sure if this is the correct/best solution... but it worked. Now
> locally generated smtp packets go out only through eth0 (slowlink).

Sorry for being slow on the reply but I think you're missing some routing rules.

    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2

Jerry
Marcelo Mercio Dandrea wrote:
| Btw, by "shorewall show nat" I just noticed that I was doing snat only
| for packets coming from eth1 (intranet). So now I added the following line
| to /etc/shorewall/start
|
| iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source
| 192.168.200.1
|
| I'm not sure if this is the correct/best solution... but it worked. Now
| locally generated smtp packets go out only through eth0 (slowlink).
|

You can have Shorewall generate that rule by using this /etc/shorewall/masq entry:

    eth0 0.0.0.0/0 192.168.200.1 tcp 25

-Tom
Tom Eastep wrote:
> You can have Shorewall generate that rule by using this
> /etc/shorewall/masq entry:
>
>     eth0 0.0.0.0/0 192.168.200.1 tcp 25
>
> -Tom

(posting on bottom : ) )

Thanks for the tip Tom! Still, should it work on 1.4.10e? I tried and got, on shorewall restart:

    Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 192.168.200.1
    Error: Invalid comma-separated list "192.168.200.1 tcp 25"

My /etc/shorewall/masq:

    #INTERFACE SUBNET ADDRESS
    eth0 eth1 192.168.200.1
    eth0 0.0.0.0/0 192.168.200.1 tcp 25
    eth2 eth1 192.168.7.106
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Marcelo
Marcelo Mercio Dandrea wrote:
| You can have Shorewall generate that rule by using this
| /etc/shorewall/masq entry:
|
|     eth0 0.0.0.0/0 192.168.200.1 tcp 25
|
| Thanks for the tip Tom! Still, should it work on 1.4.10e ? I tried and
| got, on shorewall restart:
|     Masqueraded Subnets and Hosts:
|        To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 192.168.200.1
|     Error: Invalid comma-separated list "192.168.200.1 tcp 25"
| My /etc/shorewall/masq
|     #INTERFACE SUBNET ADDRESS

No -- you have to be running Shorewall 2.0.2 or later.

-Tom
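To show what the masq entry Tom suggested expands to, and why 1.4.10e rejects it, here is a translator from /etc/shorewall/masq lines to the iptables rules they stand for, added as an example (not Shorewall's own code). The INTERFACE/SUBNET/ADDRESS columns are what 1.4.10e accepts; PROTO and PORT(S) need 2.0.2 or later, per Tom's reply. The interface-to-subnet map is an assumption standing in for what Shorewall reads off the interface itself.

```python
"""Expand /etc/shorewall/masq entries into the iptables nat rules they produce.

Columns: INTERFACE SUBNET [ADDRESS [PROTO [PORT(S)]]]. A bare interface name
in SUBNET means the network behind that interface. ADDRESS present -> SNAT,
absent -> MASQUERADE. The version check reproduces the thread's error.
"""
import re


def parse_version(text):
    """'1.4.10e' -> (1, 4, 10); the letter suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def supports_proto_port(version):
    """PROTO/PORT(S) columns in masq exist from Shorewall 2.0.2 on."""
    return parse_version(version) >= (2, 0, 2)


def masq_to_iptables(entry, iface_subnets, version="2.0.2"):
    """iptables command for one masq line; ValueError for columns the
    given Shorewall version cannot parse."""
    cols = entry.split("#", 1)[0].split()
    if len(cols) < 2:
        raise ValueError("masq entry needs INTERFACE and SUBNET")
    cols += ["-"] * (5 - len(cols))            # pad missing columns with "-"
    iface, subnet, address, proto, ports = cols[:5]
    if (proto != "-" or ports != "-") and not supports_proto_port(version):
        raise ValueError('Invalid comma-separated list "%s"' % " ".join(cols[2:]))
    src = iface_subnets.get(subnet, subnet)    # bare interface = its network
    cmd = ["iptables", "-t", "nat", "-A", "POSTROUTING"]
    if src != "0.0.0.0/0":
        cmd += ["-s", src]
    cmd += ["-o", iface]
    if proto != "-":
        cmd += ["-p", proto]
        if ports != "-":                       # comma list needs the multiport match
            cmd += (["-m", "multiport", "--dports", ports] if "," in ports
                    else ["--dport", ports])
    if address != "-":
        cmd += ["-j", "SNAT", "--to-source", address]
    else:
        cmd += ["-j", "MASQUERADE"]
    return " ".join(cmd)


def masq_file_to_iptables(text, iface_subnets, version="2.0.2"):
    """Translate a whole masq file, skipping comments and blank lines."""
    return [masq_to_iptables(line, iface_subnets, version)
            for line in text.splitlines() if line.split("#", 1)[0].strip()]


# Marcelo's masq file from the thread; eth1 is the intranet, 192.168.10.0/24
# (P0_NET in his routing script).
MASQ_FILE = """#INTERFACE SUBNET ADDRESS
eth0 eth1 192.168.200.1
eth0 0.0.0.0/0 192.168.200.1 tcp 25
eth2 eth1 192.168.7.106
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""
IFACE_SUBNETS = {"eth1": "192.168.10.0/24"}
```

With version "2.0.2" the second line expands to exactly the SNAT command Marcelo added by hand in /etc/shorewall/start; with "1.4.10e" the translator raises the same "Invalid comma-separated list" error he saw.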