I am setting up a shorewall system with 4 NICs as per the outline specification below. Can anyone please have a look and let me know what I have missed and what I have got wrong as I want to take this system live ASAP but do not want to kill internet access and the hosting for too long! I have listed below the system outline & have attached the config files that I have changed; if you need more details please let me know. I have also attached the output from Shorewall check if this is of any use?

Shorewall firewall system config. System outline!

ETH0 212.219.13.74/24 Link to the Internet
    Subnet 255.255.255.0
    Default router 212.219.13.254
ETH1 10.2.0.1/24 Link to local network, people split into groups by IP for different access.
    Subnet 255.0.0.0
ETH2 192.168.202.1/24 Link to DMZ
    Subnet 25.255.255.0
ETH3 10.3.0.1/16 Internal systems for Students (squid is also running on 10.0.0.1 for most users who will not have direct access to the Internet)

3 servers using the following IPs to be in the DMZ
    212.219.13.200
    212.219.13.203
    212.219.13.252
These cover DNS, FTP, POP3, SMTP, WWW, SSH & Webmin (port 10000)

There are 5 GROUPS of people who should have the following access to the Internet.
    Teachers      Port 80 only
    Admin staff   Port 80 only
    Technical     Ports 21, 22, 25, 53, 80, 110, 443, 659, 10000
    Students      NO Direct access! (only via squid)
    Senior Staff  Ports 80, 443, 569

I also want ETH3 to be LIVE when the firewall is shutdown!

Many thanks

Denis Croombs

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Marvin the E-Mail scanner
Denis Croombs wrote:
> I am setting up a shorewall system with 4 NICs as per the outline
> specification below. Can anyone please have a look and let me know what I
> have missed and what I have got wrong as I want to take this system live
> ASAP but do not want to kill internet access and the hosting for too long!

You have a number of zones nested inside the 'loc' zone yet you have listed those sub-zones *after* 'loc' in /etc/shorewall/zones. That won't work -- the sub-zones must be listed first.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Denis Croombs wrote:
> I am setting up a shorewall system with 4 NICs as per the outline
> specification below. Can anyone please have a look and let me know what I
> have missed and what I have got wrong as I want to take this system live
> ASAP but do not want to kill internet access and the hosting for too long!

Even though there is an emphatic comment that the 'all'->'all' policy must be last in the policy file, you've managed to place another policy after it.

-Tom
> > I am setting up a shorewall system with 4 NICs as per the outline
> > specification below. Can anyone please have a look and let me know what I
> > have missed and what I have got wrong as I want to take this system live
> > ASAP but do not want to kill internet access and the hosting for too long!
> >
> You have a number of zones nested inside the 'loc' zone yet you have
> listed those sub-zones *after* 'loc' in /etc/shorewall/zones. That won't
> work -- the sub-zones must be listed first.
>
> -Tom

Solved

Many thanks

Denis
> > I am setting up a shorewall system with 4 NICs as per the outline
> > specification below. Can anyone please have a look and let me know what I
> > have missed and what I have got wrong as I want to take this system live
> > ASAP but do not want to kill internet access and the hosting for too long!
> >
> Even though there is an emphatic comment that the 'all'->'all' policy
> must be last in the policy file, you've managed to place another policy
> after it.
>
> -Tom

Thanks for that, I have corrected that error.

Does that mean the rest is 100% correct ?

Regards

Denis
Denis Croombs wrote:
>>> I am setting up a shorewall system with 4 NICs as per the outline
>>> specification below. Can anyone please have a look and let me know what I
>>> have missed and what I have got wrong as I want to take this system live
>>> ASAP but do not want to kill internet access and the hosting for too long!
>>
>> Even though there is an emphatic comment that the 'all'->'all' policy
>> must be last in the policy file, you've managed to place another policy
>> after it.
>>
>> -Tom
>
> Thanks for that, I have corrected that error.
>
> Does that mean the rest is 100% correct ?

No -- it means that those are the two problems I spotted in the few minutes I spent looking at your configuration.

-Tom
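Both problems Tom spotted are ordering mistakes that a short lint pass over the config files can catch before the firewall is started. The checker below is an added example, not Denis's files or any Shorewall code; it assumes the Shorewall 1.x column layout of the zones, hosts and policy files, and all three sample files are constructed (a nested zone is taken to be one whose hosts entries all fall inside another zone's hosts entries on the same interface).

```python
from ipaddress import ip_network

# Constructed sample files in the Shorewall 1.x column layout (an assumption), not
# Denis's real configuration. The zones file lists 'loc' before the group zones
# that live inside it, which is Tom's first finding.
ZONES_BAD = """\
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local network
teach   Teachers    Teachers, inside loc
tech    Technical   Technical staff, inside loc
dmz     DMZ         Demilitarized zone
"""
# hosts file (ZONE HOST(S)): each group zone is a smaller subnet of loc on eth1.
HOSTS = """\
#ZONE   HOST(S)
loc     eth1:10.2.0.0/24
teach   eth1:10.2.0.0/26
tech    eth1:10.2.0.64/26
dmz     eth2:192.168.202.0/24
"""
# policy file (SOURCE DEST POLICY): a policy after the all->all catch-all, Tom's second finding.
POLICY_BAD = """\
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
dmz     net     ACCEPT
"""

def rows(table_text):
    """Split a Shorewall table into token lists, dropping comments and blank lines."""
    out = []
    for line in table_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out

def zone_networks(hosts_text):
    """Map zone -> [(interface, network)] from the hosts file."""
    nets = {}
    for zone, hostspec, *_ in rows(hosts_text):
        iface, _, net = hostspec.partition(":")
        nets.setdefault(zone, []).append((iface, ip_network(net)))
    return nets

def check_zone_order(zones_text, hosts_text):
    """Flag a zone whose hosts all fall inside another zone's hosts on the same
    interface but which is listed after that enclosing zone in the zones file."""
    order = [row[0] for row in rows(zones_text)]
    nets = zone_networks(hosts_text)
    problems = []
    for sub, sub_nets in nets.items():
        for parent, parent_nets in nets.items():
            if sub == parent or sub not in order or parent not in order:
                continue
            nested = all(any(i == pi and n.subnet_of(pn) for pi, pn in parent_nets)
                         for i, n in sub_nets)
            if nested and order.index(sub) > order.index(parent):
                problems.append(f"zone {sub} is inside {parent} but is listed after it")
    return problems

def check_policy_order(policy_text):
    """Return the policy lines that wrongly appear after the all->all catch-all."""
    table = rows(policy_text)
    for i, row in enumerate(table):
        if row[:2] == ["all", "all"]:
            return [" ".join(r) for r in table[i + 1:]]
    return []

if __name__ == "__main__":
    for p in check_zone_order(ZONES_BAD, HOSTS) + check_policy_order(POLICY_BAD):
        print("problem:", p)
```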
Hello,
I have been using Shorewall for a time, and now I needed to configure an ADSL dual link setup. Not a load-balance solution, but one where specific services (CVS and email) go through one link and all the other services go through the other one. For that, I read the FAQ and the LARTC examples, and for outgoing packets coming from the intranet or incoming packets coming to the firewall itself it worked fine. Still, I can't seem to make it work for outgoing packets from the firewall itself and for packets that are DNATed to the intranet. I know this is a much more LARTC related question, I just want to be sure I'm not doing anything wrong with Shorewall.

I'm using Shorewall 1.4.10e on a 2.4.20-31.9 kernel from Redhat.

Here is my ip route config:
P1_NET="192.168.200.0/24"
P2_NET="192.168.7.104/29"
IF1="eth0"
IF2="eth2"
IP1="192.168.200.1"
IP2="192.168.7.106"
P1="192.168.200.254"
P2="192.168.7.105"
P0_NET="192.168.10.0/24"
IF0="eth1"
ip route add $P1_NET dev $IF1 src $IP1 table slow
ip route add default via $P1 table slow
ip route add $P2_NET dev $IF2 src $IP2 table fast
ip route add default via $P2 table fast
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $P2
ip rule add from $IP1 table slow
ip rule add from $IP2 table fast
ip route add $P0_NET dev $IF0 table slow
ip route add $P2_NET dev $IF2 table slow
ip route add 127.0.0.0/8 dev lo table slow
ip route add $P0_NET dev $IF0 table fast
ip route add $P1_NET dev $IF1 table fast
ip route add 127.0.0.0/8 dev lo table fast
ip rule add fwmark 0x5 table slow prio 0
Default route is through fastlink
And then, on tcrules on Shorewall:
5 eth1 0.0.0.0/0 tcp 2401
5 eth1 0.0.0.0/0 tcp 25
5 $FW 0.0.0.0/0 tcp 25
I'm marking packets on PREROUTING.
The first line marks all outgoing CVS packets coming from the intranet, and the second the email ones. This works fine.
The third line should mark all email packets going out of the firewall, but they still go out through "fastlink", and with eth2 IP, instead of going through "slowlink", with eth0 IP. This is the "outgoing packets from the firewall" problem.

About the DNAT problem, is this possible at all? Like, regardless of whether the connection comes from slowlink (eth0) or fastlink (eth2), it can be DNATed to the intranet? Right now, tcpdump shows that both connections are DNATed OK, but the returning packets always go out through fastlink (default route).
See you, and thanks for the great work Tom.
Marcelo
Marcelo Mercio Dandrea wrote:
|
| And then, on tcrules on Shorewall:
|
| 5 eth1 0.0.0.0/0 tcp 2401
| 5 eth1 0.0.0.0/0 tcp 25
| 5 $FW 0.0.0.0/0 tcp 25
|
| I'm marking packets on PREROUTING
| The first line marks all outgoing CVS packets coming from the intranet,
| and the second the email ones. This works fine
| The third line should mark all email packets going out of the firewall,
| but they still go out through "fastlink", and with eth2 IP, instead of going
| through "slowlink", with eth0 IP. This is the "outgoing packets from the
| firewall" problem.

Please show us the output of "shorewall show mangle".

| About the DNAT problem, is this possible at all ?

See the additional information in FAQ 32 provided by Martin Brown. It is my understanding that that information is critical for getting DNAT to work.

-Tom
Hi Tom,
Thanks for the prompt answer. Here's the shorewall show mangle output:
Shorewall-1.4.10e TOS at xxx.xxxx.com.br - Wed Aug 18 15:02:12 BRT 2004

Counters reset Wed Aug 18 15:02:07 BRT 2004

Chain PREROUTING (policy ACCEPT 9234K packets, 2848M bytes)
 pkts bytes target     prot opt in     out     source               destination
  299  167K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  281  157K tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    9  1115 MARK       tcp  --  eth1   *       !192.168.10.254      0.0.0.0/0            tcp dpt:80 MARK set 0xca

Chain INPUT (policy ACCEPT 2161K packets, 260M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 6925K packets, 2394M bytes)
 pkts bytes target     prot opt in     out     source               destination
  215  144K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2767K packets, 362M bytes)
 pkts bytes target     prot opt in     out     source               destination
   99  6412 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   89  5576 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 9691K packets, 2756M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 MARK set 0x5

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2401 MARK set 0x5
    0     0 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 MARK set 0x5
That 0xca mark is for the web proxy; it is inside the intranet, so Shorewall sends the packet back. It's working fine.

Regarding the FAQ 32, I read the Martin Brown contribution (an excerpt of which is btw now on http://www.docum.org/docum.org/faq/cache/44.html). About outgoing connections, it seems everything I did is correct. Still, it seems the marking on the output chain (for locally created packets) doesn't trigger the ip rule. Still doesn't work.

About the incoming connections (and the DNAT problem), it seems it involves the use of two ip addresses on the internal machine. Makes sense, it sounds possible now : ) I'll try it.
Thanks,
Marcelo
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Wednesday, August 18, 2004 11:39 AM
Subject: Re: [Shorewall-users] Two Links and DNAT
> Marcelo Mercio Dandrea wrote:
>
> |
> | And then, on tcrules on Shorewall:
> |
> | 5 eth1 0.0.0.0/0 tcp 2401
> | 5 eth1 0.0.0.0/0 tcp 25
> | 5 $FW 0.0.0.0/0 tcp 25
> |
> | I'm marking packets on PREROUTING
> | The first line marks all outgoing CVS packets coming from the intranet,
> | and the second the email ones. This works fine
> | The third line should mark all email packets going out of the firewall,
> | but they still go out through "fastlink", and with eth2 IP, instead of going
> | through "slowlink", with eth0 IP. This is the "outgoing packets from the
> | firewall" problem.
>
> Please show us the output of "shorewall show mangle".
>
> | About the DNAT problem, is this possible at all ?
>
> See the additional information in FAQ 32 provided by Martin Brown. It is
> my understanding that that information is critical for getting DNAT to
> work.
>
> -Tom
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Marcelo Mercio Dandrea wrote:
|
| Chain OUTPUT (policy ACCEPT 2767K packets, 362M bytes)
| pkts bytes target prot opt in out source destination
| 99 6412 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
| 89 5576 tcout all -- * * 0.0.0.0/0 0.0.0.0/0
|
| Chain tcout (1 references)
| pkts bytes target prot opt in out source destination
| 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 MARK set 0x5

Those rules are correct. Marking of locally-generated packets must occur in the OUTPUT chain which is what the above is showing.

-Tom
Marcelo Mercio Dandrea wrote:
| ip route add default via $P2
| ip rule add from $IP1 table slow
| ip rule add from $IP2 table fast
| ip route add $P0_NET dev $IF0 table slow
| ip route add $P2_NET dev $IF2 table slow
| ip route add 127.0.0.0/8 dev lo table slow
| ip route add $P0_NET dev $IF0 table fast
| ip route add $P1_NET dev $IF1 table fast
| ip route add 127.0.0.0/8 dev lo table fast
| ip rule add fwmark 0x5 table slow prio 0

I wonder if reordering your rules to place this one first would correct the "from the firewall" problem...

-Tom
Actually, due to the "prio 0" entry, it is the first "changeable one", right after the kernel "local" one, and this one it seems I can't change.
[root@magyar root]# ip rule
0: from all lookup local
0: from all fwmark 0x5 lookup slow
1: from 0.0.0.0 fwmark 0xca lookup www.out
It's odd, because the marking is correct (I changed it to mark TOS instead of fwmark, so it would appear on tcpdump) and the packets are even going out through the right interface.. like, a local email packet is going out through eth0.. but with eth2 address!

On the bright side, the "two ips on the internal machine" solution for two links and DNAT worked, so now only the locally generated packets problem is left. I'll try to google more about it.
Thanks!
Marcelo
Tom Eastep wrote:
> Marcelo Mercio Dandrea wrote:
>
>> ip route add default via $P2
>> ip rule add from $IP1 table slow
>> ip rule add from $IP2 table fast
>> ip route add $P0_NET dev $IF0 table slow
>> ip route add $P2_NET dev $IF2 table slow
>> ip route add 127.0.0.0/8 dev lo table slow
>> ip route add $P0_NET dev $IF0 table fast
>> ip route add $P1_NET dev $IF1 table fast
>> ip route add 127.0.0.0/8 dev lo table fast
>> ip rule add fwmark 0x5 table slow prio 0
>
> I wonder if reordering your rules to place this one first would correct
> the "from the firewall" problem...
>
> -Tom
Btw, by "shorewall show nat" I just noticed that I was doing snat only for packets coming from eth1 (intranet). So now I added the following line to /etc/shorewall/start

iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source 192.168.200.1

I'm not sure if this is the correct/best solution... but it worked. Now locally generated smtp packets go out only through eth0 (slowlink).
Marcelo
Tom Eastep wrote:
> Marcelo Mercio Dandrea wrote:
>
>> ip route add default via $P2
>> ip rule add from $IP1 table slow
>> ip rule add from $IP2 table fast
>> ip route add $P0_NET dev $IF0 table slow
>> ip route add $P2_NET dev $IF2 table slow
>> ip route add 127.0.0.0/8 dev lo table slow
>> ip route add $P0_NET dev $IF0 table fast
>> ip route add $P1_NET dev $IF1 table fast
>> ip route add 127.0.0.0/8 dev lo table fast
>> ip rule add fwmark 0x5 table slow prio 0
>
> I wonder if reordering your rules to place this one first would correct
> the "from the firewall" problem...
>
> -Tom
> Btw, by "shorewall show nat" I just noticed that I was doing snat only
> for packets coming from eth1 (intranet). So now I added the following line
> to /etc/shorewall/start
>
> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source 192.168.200.1
>
> I'm not sure if this is the correct/best solution... but it worked. Now
> locally generated smtp packets go out only through eth0 (slowlink).
>
> Marcelo
>
> Tom Eastep wrote:
> > Marcelo Mercio Dandrea wrote:
> >
> >> ip route add default via $P2
> >> ip rule add from $IP1 table slow
> >> ip rule add from $IP2 table fast
> >> ip route add $P0_NET dev $IF0 table slow
> >> ip route add $P2_NET dev $IF2 table slow
> >> ip route add 127.0.0.0/8 dev lo table slow
> >> ip route add $P0_NET dev $IF0 table fast
> >> ip route add $P1_NET dev $IF1 table fast
> >> ip route add 127.0.0.0/8 dev lo table fast
> >> ip rule add fwmark 0x5 table slow prio 0
> >
> > I wonder if reordering your rules to place this one first would correct
> > the "from the firewall" problem...
> >
> > -Tom

Sorry for being slow on the reply but I think you're missing some routing rules.

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

Jerry
Marcelo Mercio Dandrea wrote:
| Btw, by "shorewall show nat" I just noticed that I was doing snat only
| for packets coming from eth1 (intranet). So now I added the following line
| to /etc/shorewall/start
|
| iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source
| 192.168.200.1
|
| I'm not sure if this is the correct/best solution... but it worked. Now
| locally generated smtp packets go out only through eth0 (slowlink).
|

You can have Shorewall generate that rule by using this /etc/shorewall/masq entry:

eth0 0.0.0.0/0 192.168.200.1 tcp 25

-Tom
Tom Eastep wrote:
> Marcelo Mercio Dandrea wrote:
>> Btw, by "shorewall show nat" I just noticed that I was doing
>> snat only for packets coming from eth1 (intranet). So now I added
>> the following line
>> to /etc/shorewall/start
>>
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source
>> 192.168.200.1
>>
>> I'm not sure if this is the correct/best solution... but it
>> worked. Now locally generated smtp packets go out only through eth0
>> (slowlink).
>>
>
> You can have Shorewall generate that rule by using this
> /etc/shorewall/masq entry:
>
> eth0 0.0.0.0/0 192.168.200.1 tcp 25
>
> -Tom

(posting on bottom : ) )

Thanks for the tip Tom! Still, should it work on 1.4.10e ? I tried and got, on shorewall restart:

Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 192.168.200.1
Error: Invalid comma-separated list "192.168.200.1 tcp 25"

My /etc/shorewall/masq

#INTERFACE SUBNET ADDRESS
eth0 eth1 192.168.200.1
eth0 0.0.0.0/0 192.168.200.1 tcp 25
eth2 eth1 192.168.7.106
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Marcelo
Marcelo Mercio Dandrea wrote:
| You can have Shorewall generate that rule by using this
| /etc/shorewall/masq entry:
|
| eth0 0.0.0.0/0 192.168.200.1 tcp 25
|
| Thanks for the tip Tom! Still, should it work on 1.4.10e ? I tried and
| got, on shorewall restart:
| Masqueraded Subnets and Hosts:
| To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 192.168.200.1
| Error: Invalid comma-separated list "192.168.200.1 tcp 25"
| My /etc/shorewall/masq
| #INTERFACE SUBNET ADDRESS

No -- you have to be running Shorewall 2.0.2 or later.

-Tom
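The two symptoms in this thread (a firewall-generated SMTP packet leaving on eth0 but carrying the eth2 address, while intranet packets marked in PREROUTING behave) come down to where the mark is set relative to the route lookup, and why the POSTROUTING SNAT line (or Tom's equivalent masq entry on Shorewall 2.0.2 or later) is what corrects the source. The model below is an added example, not code from the thread or from Shorewall; it reuses Marcelo's addresses and rule list, but the table layout, the priorities of the two "from" rules and the SNAT matching are a simplified construction.

```python
# Addresses are the ones in Marcelo's ip route script; the tables and rules below
# are a constructed model of the kernel's policy-routing lookup, not real netlink state.
IP1, P1, IF1 = "192.168.200.1", "192.168.200.254", "eth0"   # slow link
IP2, P2, IF2 = "192.168.7.106", "192.168.7.105", "eth2"      # fast link (default route)

# Each table's default route: (outgoing interface, gateway, preferred source address).
TABLES = {
    "main": (IF2, P2, IP2),   # ip route add default via $P2
    "slow": (IF1, P1, IP1),   # ip route add default via $P1 table slow
    "fast": (IF2, P2, IP2),   # ip route add default via $P2 table fast
}

# ip rule entries as (priority, fwmark or None, from-address or None, table).
# The priorities of the two "from" rules are assumed; only their order matters here.
RULES = [
    (0,     0x5,  None, "slow"),   # ip rule add fwmark 0x5 table slow prio 0
    (32764, None, IP2,  "fast"),   # ip rule add from $IP2 table fast
    (32765, None, IP1,  "slow"),   # ip rule add from $IP1 table slow
    (32766, None, None, "main"),   # kernel's built-in main-table rule
]

def lookup(fwmark, src):
    """Return (oif, gateway, preferred src) from the first rule whose matches fit."""
    for _prio, mark, frm, table in sorted(RULES):
        if mark is not None and mark != fwmark:
            continue
        if frm is not None and frm != src:
            continue
        return TABLES[table]
    raise LookupError("no matching rule")

def output_mark(dport):
    """tcrules line '5 $FW 0.0.0.0/0 tcp 25' as applied in the mangle OUTPUT chain."""
    return 0x5 if dport == 25 else 0

def prerouting_mark(dport):
    """tcrules lines '5 eth1 0.0.0.0/0 tcp 2401' and '... tcp 25' (mangle PREROUTING)."""
    return 0x5 if dport in (25, 2401) else 0

def postrouting_snat(oif, dport, src, snat_rules):
    """First matching (out-interface, dport or None, to-source) entry rewrites src."""
    for rule_oif, rule_dport, to_source in snat_rules:
        if rule_oif == oif and rule_dport in (None, dport):
            return to_source
    return src

def send_from_firewall(dport, snat_rules=()):
    """Trace a packet the firewall itself creates: route -> mangle OUTPUT -> reroute
    -> nat POSTROUTING. Returns (interface it leaves on, source address on the wire)."""
    # 1. The socket is routed before OUTPUT runs, so the mark is still 0: the main
    #    table's default route wins and the eth2 address becomes the source.
    oif, _gw, src = lookup(fwmark=0, src=None)
    # 2. tcout sets the mark on the already-built packet.
    mark = output_mark(dport)
    # 3. A changed mark triggers a second route lookup; the fwmark rule now selects
    #    the slow table (eth0), but the source address chosen in step 1 is kept.
    if mark:
        oif, _gw, _pref = lookup(fwmark=mark, src=src)
    # 4. nat POSTROUTING is the last chance to put the eth0 address on the packet.
    return oif, postrouting_snat(oif, dport, src, snat_rules)

def forward_from_intranet(dport, src="192.168.10.20"):
    """An intranet packet is marked in PREROUTING, before its only route lookup,
    so the fwmark rule steers it to the slow table directly. Returns the interface."""
    oif, _gw, _pref = lookup(fwmark=prerouting_mark(dport), src=src)
    return oif

# Marcelo's workaround from /etc/shorewall/start, expressed in the model (the same
# rule Tom's masq entry 'eth0 0.0.0.0/0 192.168.200.1 tcp 25' generates on 2.0.2+).
SNAT_SMTP_VIA_ETH0 = [("eth0", 25, IP1)]
```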