Shorewall users - Sep 2004 - Re: routing between networks on same

Hi Tom,
Thank you for your quick reply.
I aplied changes as you suppose, and now users can
comunicate each with others. - thank you very much.

I have just one aditional question regarding
PKTTYPE=No variable.

I didnt find it in shorewall.conf so I simply add it
at the end of conf file (above #Last line :-) ) So
question is it is standard feature of shorewall, and
from which version it is available?
>From your reply it seems that problem is somewere in
iptables/netfilter. What do you suppose to check?

Thank you very much.

Best Regards
Dominik

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[shorewall-users-bounces@lists.shorewall.net] On
Behalf Of Tom
Eastep
Sent: Monday, September 27, 2004 1:03 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] routing between
networks on same
interface

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

litin@unhfree.net wrote:
|
|
| In time of migration to new Shorewall version I
leave same
configuration file,
| but from that time any communication between users
located on same ap
isn''t
| allowed:
|
| Sep 26 20:45:45 weedle Shorewall:FORWARD:REJECT:
IN=3Deth0 OUT=3Deth0
| MAC=3D00:50:fc:3a:02:9b:00:e0:98:be:7d:0f:08:00 
SRC=3D192.168.140.198
| DST=3D192.168.140.230 LEN=3D60 TOS=3D00
PREC=3D0x00 TTL=3D126 ID=3D58717 CE
PROTO=3DICMP
| TYPE=3D8 CODE=3D0 ID=3D38899 SEQ=3D34560

You need to specify ''routeback'' on each of the
''ap''
entries in
/etc/shorewall/hosts.

|
| Also with same configuration I am finding in
shorewall log some
| broadcast/multicast REJECT which wasnot present in
past:
|
| Jan  1 01:00:00 square Shorewall:OUTPUT:REJECT:
IN=3D OUT=3Deth0 MAC=3D
| SRC=3D192.168.144.217 DST=3D224.0.0.5 LEN=3D64
TOS=3D00 PREC=3D0x00 TTL=3D1
ID=3D62155 CE
| PROTO=3D0
|

Try setting PKTTYPE=3DNo in shorewall.conf. The
Netfilter pkttype match
feature seems to fail to identify some
broadcast/multicast packets.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a
sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \
https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

litinoveweedle@quick.cz wrote:
> Hi Tom,
> Thank you for your quick reply.
> I aplied changes as you suppose, and now users can
> comunicate each with others. - thank you very much.
>
> I have just one aditional question regarding
> PKTTYPE=No variable.
>
> I didnt find it in shorewall.conf so I simply add it
> at the end of conf file (above #Last line :-) ) So
> question is it is standard feature of shorewall, and
> from which version it is available?
This question can be easliy answered by visiting the Shorweall web site
- -- PKTTYPE is discussed on the home page in the 2.0.6 release notes.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBWCaqO/MAbZfjDLIRArZ0AKCKjlsvlst1YH0f53Bk3Qd/f/B2eACfU43K
K3WNfXkwF8ixxyuzR7jV/Ow=a75n
-----END PGP SIGNATURE-----