Hi,

I've set up a bridge which connects two parts of the same subnet with each other.
I've set up everything as described in the Documentation and it works very nicely.

However: I have a problem with adding hosts to zones dynamically.
The zone I want to add hosts to is called 'work'.

Since only the bridge br0 is defined in /etc/shorewall/interfaces

shorewall add eth1:192.168.2.10 work

stops with

Error: Unknown interface eth0

When I try

shorewall add br0:eth1:192.168.2.10 work

it stops again:

Error: Unknown interface br0:eth0

However, issuing

shorewall add br0:192.168.2.10 work

gives the output

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
iptables v1.2.9: Unknown arg `--physdev-out'
Try `iptables -h' or 'iptables --help' for more information.
Error: Can't add -A to zone br0_dynf
Beendet

BUT actually the host IS added to the group 'work', and everything is fine. But why then the error message? And it is something inconsequent since the group work is defined in /etc/shorewall/hosts as being attached to br0:eth1 and not to br0 ...

Now, an issue of

shorewall delete br0:192.168.2.10 work

says very nicely:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
br0:192.168.2.10 removed from zone work

My problem here is that I would like to add the hosts dynamically from another program, and the error messages (and I suppose an error return value) make things more difficult.

Thanks for any comments on this

/ben

Sorry, eth0 in the error messages below should be eth1 everywhere.

On 27.11.2004 03:00, Ben Greiner wrote:
> Hi,
>
> I've set up a bridge which connects two parts of the same subnet with
> each other.
> I've set up everything as described in the Documentation and it works
> very nicely.
>
> However: I have a problem with adding hosts to zones dynamically.
> The zone I want to add hosts to is called 'work'.
>
> Since only the bridge br0 is defined in /etc/shorewall/interfaces
>
> shorewall add eth1:192.168.2.10 work
>
> stops with
>
> Error: Unknown interface eth0
>
> When I try
>
> shorewall add br0:eth1:192.168.2.10 work
>
> it stops again:
>
> Error: Unknown interface br0:eth0
>
> However, issuing
>
> shorewall add br0:192.168.2.10 work
>
> gives the output
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> iptables v1.2.9: Unknown arg `--physdev-out'
> Try `iptables -h' or 'iptables --help' for more information.
> Error: Can't add -A to zone br0_dynf
> Beendet
>
> BUT actually the host IS added to the group 'work', and everything is
> fine. But why then the error message? And it is something inconsequent
> since the group work is defined in /etc/shorewall/hosts as being
> attached to br0:eth1 and not to br0 ...
>
> Now, an issue of
>
> shorewall delete br0:192.168.2.10 work
>
> says very nicely:
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> br0:192.168.2.10 removed from zone work
>
> My problem here is that I would like to add the hosts dynamically from
> another program, and the error messages (and I suppose an error return
> value) make things more difficult.
>
> Thanks for any comments on this
>
> /ben

--
Ben Greiner
Universität zu Köln/University of Cologne
Staatswissenschaftliches Seminar
Lehrstuhl Prof. Dr. Ockenfels
Albertus-Magnus-Platz
50923 KÖLN, GERMANY
PHONE ++49 (0) 221 470 6116
E-MAIL bgreiner@uni-koeln.de
http://ockenfels.uni-koeln.de

On Sat, 2004-11-27 at 03:00 +0100, Ben Greiner wrote:
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> br0:192.168.2.10 removed from zone work
>
> My problem here is that I would like to add the hosts dynamically from
> another program, and the error messages (and I suppose an error return
> value) make things more difficult.
>
> Thanks for any comments on this

I'll document that dynamic zones don't work on a bridge (and are not likely to ever work on a bridge).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

On Fri, 2004-11-26 at 18:09 -0800, Tom Eastep wrote:
> On Sat, 2004-11-27 at 03:00 +0100, Ben Greiner wrote:
> > Loading /usr/share/shorewall/functions...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Loading Modules...
> > br0:192.168.2.10 removed from zone work
> >
> > My problem here is that I would like to add the hosts dynamically from
> > another program, and the error messages (and I suppose an error return
> > value) make things more difficult.
> >
> > Thanks for any comments on this
>
> I'll document that dynamic zones don't work on a bridge (and are not
> likely to ever work on a bridge).

I have updated the "shorewall add" and "shorewall delete" documentation to point out that the syntax makes no provision for specifying a bridge port and that therefore the "add" and "delete" commands cannot be used to add or delete a bridged host to a dynamic zone.

-Tom

But what actually happens when I issue

shorewall add br0:host_ip zonename

???

I suppose that (beside the error message) the host is added to the zone, but it does not matter from which bridge port it comes. Is this right?

Thanks for the quick response

/ben

On 27.11.2004 03:58, Tom Eastep wrote:
>On Fri, 2004-11-26 at 18:09 -0800, Tom Eastep wrote:
>>On Sat, 2004-11-27 at 03:00 +0100, Ben Greiner wrote:
>>>Loading /usr/share/shorewall/functions...
>>>Processing /etc/shorewall/params ...
>>>Processing /etc/shorewall/shorewall.conf...
>>>Loading Modules...
>>>br0:192.168.2.10 removed from zone work
>>>
>>>My problem here is that I would like to add the hosts dynamically from
>>>another program, and the error messages (and I suppose an error return
>>>value) make things more difficult.
>>>
>>>Thanks for any comments on this
>>
>>I'll document that dynamic zones don't work on a bridge (and are not
>>likely to ever work on a bridge).
>
>I have updated the "shorewall add" and "shorewall delete" documentation
>to point out that the syntax makes no provision for specifying a bridge
>port and that therefore the "add" and "delete" commands cannot be used
>to add or delete a bridged host to a dynamic zone.
>
>-Tom

On Sat, 2004-11-27 at 04:04 +0100, Ben Greiner wrote:
> But what actually happens when I issue
>
> shorewall add br0:host_ip zonename
>
> ???

Probably not what you want...

-Tom

:-)

Here is the, in my view, important output from shorewall status after adding the host on br0 to zone work:

Chain br0_dyni (1 references)
 pkts bytes target   prot opt in   out   source         destination
   22  1576 work2fw  all  --  *    *     192.168.2.10   0.0.0.0/0

Chain br0_dyno (1 references)
 pkts bytes target   prot opt in   out   source         destination
   13  1524 fw2all   all  --  *    *     0.0.0.0/0      192.168.2.10

Does this mean that the newly added host is allowed to go anywhere ?

Sorry for bothering.

/ben

On 27.11.2004 04:15, Tom Eastep wrote:
>On Sat, 2004-11-27 at 04:04 +0100, Ben Greiner wrote:
>>But what actually happens when I issue
>>
>>shorewall add br0:host_ip zonename
>>
>>???
>
>Probably not what you want...
>
>-Tom

On Sat, 2004-11-27 at 04:20 +0100, Ben Greiner wrote:
> :-)
>
> Here the in my view important output from shorewall status after adding
> the host on br0 to zone work:
>
> Chain br0_dyni (1 references)
>  pkts bytes target   prot opt in   out   source         destination
>    22  1576 work2fw  all  --  *    *     192.168.2.10   0.0.0.0/0
>
> Chain br0_dyno (1 references)
>  pkts bytes target   prot opt in   out   source         destination
>    13  1524 fw2all   all  --  *    *     0.0.0.0/0      192.168.2.10
>
> Does this mean that the newly added host is allowed to go anywhere ?
>
> Sorry for bothering.

Ben, it is 7:20 PM on a Friday night here and I'm sitting in my TV room watching game shows with the rest of the family. Anything more than a "Yes"/"No" answer is going to have to wait until tomorrow morning.

-Tom

Tom Eastep wrote:
>>Does this mean that the newly added host is allowed to go anywhere ?
>>
>>Sorry for bothering.
>
> Ben, it is 7:20 PM on a Friday night here and I'm sitting in my TV room
> watching game shows with the rest of the family. Anything more than a
> "Yes"/"No" answer is going to have to wait until tomorrow morning.

I'll take "Software Authors" for $300, Alex.

A: He was born in 1945 in Washington State and is the author of one of the best tools for configuring a Netfilter based firewall. He also is one of the most dedicated to his craft and spends a great deal of time and effort on the Shorewall mailing list.

Q: Who *is* T.....

--
"I think the problem, to be quite honest with you, is that you've never actually known what the question is."
--The computer "Deep Thought" in "Hitchhiker's Guide to The Galaxy"

On Sat, 2004-11-27 at 04:20 +0100, Ben Greiner wrote:
> :-)
>
> Here the in my view important output from shorewall status after adding
> the host on br0 to zone work:
>
> Chain br0_dyni (1 references)
>  pkts bytes target   prot opt in   out   source         destination
>    22  1576 work2fw  all  --  *    *     192.168.2.10   0.0.0.0/0
>
> Chain br0_dyno (1 references)
>  pkts bytes target   prot opt in   out   source         destination
>    13  1524 fw2all   all  --  *    *     0.0.0.0/0      192.168.2.10
>
> Does this mean that the newly added host is allowed to go anywhere ?

No. It means that traffic from the firewall to the newly-added host is subject to the 'fw->all' policy. The br0_dyni entry means that traffic from br0:192.168.2.10 will be governed by the rules that you have defined for work->fw traffic.

What is missing in these rules is an indication of which bridge port 192.168.2.10 is attached to. That is of course due to the fact that the "add" (and "delete") commands don't allow you to specify the port name (as you discovered).

Basically, there is a lot of code missing in Shorewall to support bridges and dynamic zones.

-Tom

On Sat, 2004-11-27 at 07:34 -0800, Tom Eastep wrote:
> Basically, there is a lot of code missing in Shorewall to support
> bridges and dynamic zones.

But not as much code as I feared (~ 50 lines). The Shorewall2/ CVS code (based on Shorewall 2.2.0 Beta 6) seems to do the right thing. Files updated since Beta 6 are 'firewall' and 'help' which may both be installed in /usr/share/shorewall.

If you need a fix for 2.0.11, I'll try to back-port the change but I would like you to test it since I don't have a 2.0 bridge environment to test with any more.

-Tom

On Sat, 2004-11-27 at 13:05 +0800, Ed Greshko wrote:
> I'll take "Software Authors" for $300, Alex.

;)

-Tom

On Sat, 2004-11-27 at 08:19 -0800, Tom Eastep wrote:
> On Sat, 2004-11-27 at 07:34 -0800, Tom Eastep wrote:
> > Basically, there is a lot of code missing in Shorewall to support
> > bridges and dynamic zones.
>
> But not as much code as I feared (~ 50 lines). The Shorewall2/ CVS code
> (based on Shorewall 2.2.0 Beta 6) seems to do the right thing. Files
> updated since Beta 6 are 'firewall' and 'help' which may both be
> installed in /usr/share/shorewall.
>
> If you need a fix for 2.0.11, I'll try to back-port the change but I
> would like you to test it since I don't have a 2.0 bridge environment to
> test with any more.

There's also an (untested) version for 2.0 in the STABLE2/ CVS project.

-Tom

On Sat, 2004-11-27 at 08:19 -0800, Tom Eastep wrote:
> On Sat, 2004-11-27 at 07:34 -0800, Tom Eastep wrote:
> > Basically, there is a lot of code missing in Shorewall to support
> > bridges and dynamic zones.
>
> But not as much code as I feared (~ 50 lines). The Shorewall2/ CVS code
> (based on Shorewall 2.2.0 Beta 6) seems to do the right thing. Files
> updated since Beta 6 are 'firewall' and 'help' which may both be
> installed in /usr/share/shorewall.

I discovered a problem with this code and there is a fix in CVS. The STABLE2/ version does not have this problem and should be okay as it is.

-Tom

Hi Tom,

thanks for adding the dynamic host adding feature for bridges in 2.0.12. I just found time to test it.

However, after upgrading from shorewall-2.0.10-1 I tried it out, but I get an error message when adding the host which says

# shorewall add br0:eth0:192.168.2.2 work
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
br0:eth0:192.168.2.2 added to zone work

I don't know where this comes from. Actually, line 1 in /usr/share/shorewall/firewall is "#!/bin/sh" !

The functionality is fine, that is, the host is added to and removed from the group.

Thanks

/ben

On 29.11.2004 20:44, Tom Eastep wrote:
>On Sat, 2004-11-27 at 08:19 -0800, Tom Eastep wrote:
>>On Sat, 2004-11-27 at 07:34 -0800, Tom Eastep wrote:
>>>Basically, there is a lot of code missing in Shorewall to support
>>>bridges and dynamic zones.
>>
>>But not as much code as I feared (~ 50 lines). The Shorewall2/ CVS code
>>(based on Shorewall 2.2.0 Beta 6) seems to do the right thing. Files
>>updated since Beta 6 are 'firewall' and 'help' which may both be
>>installed in /usr/share/shorewall.
>
>I discovered a problem with this code and there is a fix in CVS. The
>STABLE2/ version did does not have this problem and should be okay as it
>is.
>
>-Tom

On Thu, 2004-12-02 at 04:48 +0100, Ben Greiner wrote:
> Loading Modules...
> /usr/share/shorewall/firewall: line 1: match_destination_hosts: command
> not found

On line 5805 in /usr/share/shorewall/firewall, change 'match_destination_hosts' to 'match_dest_hosts'.

-Tom

Very nice. Thanks a lot for all your effort

/ben

On 02.12.2004 16:04, Tom Eastep wrote:
>On Thu, 2004-12-02 at 04:48 +0100, Ben Greiner wrote:
>>Loading Modules...
>>/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
>>not found
>
>On line 5805 in /usr/share/shorewall/firewall, change
>'match_destination_hosts' to 'match_dest_hosts'.
>
>-Tom

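Added example, not part of the thread and not Shorewall code: a POSIX shell wrapper for the case raised in the first message, calling "shorewall add" from another program. It always passes the bridge port (the bridge:port:address form used in the 2.0.12 test above) and, when the add is not cleanly confirmed, deletes the entry again so that no rule without the intended port binding is left behind. The function names and the SHOREWALL variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Shorewall code. SHOREWALL is this sketch's own
# variable so that the command can be replaced by a stub in tests.
SHOREWALL=${SHOREWALL:-shorewall}

# valid_ipv4 ADDR: succeed only for four dot-separated octets, each 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# add_bridged_host BRIDGE PORT ADDR ZONE
# Returns 0 when shorewall confirms the add, 1 when it did not (any
# partial entry is deleted again), 2 when the arguments are rejected.
add_bridged_host() {
    bridge=$1 port=$2 addr=$3 zone=$4
    # The port is mandatory: "br0:ADDR" without one gave rules that were
    # not tied to a bridge port. Names are limited to a safe character
    # set because the values come from another program.
    for name in "$bridge" "$port" "$zone"; do
        case $name in ''|-*|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    done
    valid_ipv4 "$addr" || return 2

    spec="$bridge:$port:$addr"
    status=0
    output=$("$SHOREWALL" add "$spec" "$zone" 2>&1) || status=$?

    # Fail closed: require a zero exit status, the exact confirmation
    # line, and no "Error:" line anywhere in the output.
    if [ "$status" -eq 0 ] &&
       printf '%s\n' "$output" | grep -Fqx "$spec added to zone $zone" &&
       ! printf '%s\n' "$output" | grep -q '^Error:'; then
        return 0
    fi

    # The thread shows a host landing in the dynamic chains despite an
    # error, so remove it instead of leaving an unintended rule behind.
    "$SHOREWALL" delete "$spec" "$zone" >/dev/null 2>&1 || :
    printf 'shorewall add %s %s failed (exit %s):\n%s\n' \
        "$spec" "$zone" "$status" "$output" >&2
    return 1
}
```

The calling program only needs the return code; the captured shorewall output goes to stderr when the add is rejected.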