And it looks like there's a bug.

I have a "firewall" with a single ethernet interface that splits into a network zone and a local zone and as a consequence I have a hosts file with the following in it:

net eth0:!192.168.0.0/24
loc eth0:192.168.0.0/24

When I run shorewall start, I get an error. Running in debug mode and capturing the output gives me:

+ run_iptables -A OUTPUT -o eth0 -d '!192.168.0.0/24' -j fw2net
+ '[' -n '' ']'
+ '[' -n '' ']'
+ /sbin/iptables -A OUTPUT -o eth0 -d '!192.168.0.0/24' -j fw2net
iptables v1.2.11: host/network `!192.168.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
+ '[' -z '' ']'
+ error_message 'ERROR: Command "/sbin/iptables -A' OUTPUT -o eth0 -d '!192.168.0.0/24' -j 'fw2net" Failed'
+ echo ' ERROR: Command "/sbin/iptables -A' OUTPUT -o eth0 -d '!192.168.0.0/24' -j 'fw2net" Failed'
   ERROR: Command "/sbin/iptables -A OUTPUT -o eth0 -d !192.168.0.0/24 -j fw2net" Failed

It looks like there are places that should be calling run_iptables2, not run_iptables.

Shorewall version is 2.2.2.

I don't think you need the rest of the stuff since this isn't a problem with the iptables running, but with getting the iptables generated in the first place.

Dick Munroe
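As an added example (not code from this thread or from Shorewall), a small shell function that turns a Shorewall-style hosts entry such as `eth0:!192.168.0.0/24` into a correctly tokenized iptables match. The trace above shows why the generated command fails: `'!192.168.0.0/24'` reaches iptables as one token, so it tries to resolve `!192.168.0.0` as a host name. The function name, the `! -d ADDR` ordering (the form current iptables documents; 1.2.x as seen here wrote `-d ! ADDR`) and the input checks are my assumptions, not Shorewall's actual fix.

```shell
# hosts_to_match HOSTSPEC [s|d]
#   HOSTSPEC  a hosts-file entry of the form iface:[!]network
#   s|d       build a source match (-i/-s) or a destination match (-o/-d)
# Prints the iptables arguments with the negation as its own token.
# Hypothetical helper written for this example; not Shorewall code.
hosts_to_match() {
    spec=$1
    dir=${2:-d}

    # the entry must contain an interface and a network separated by ':'
    case $spec in
        *:*) ;;
        *) echo "hosts_to_match: expected iface:network, got '$spec'" >&2; return 1 ;;
    esac
    iface=${spec%%:*}          # text before the first ':'
    net=${spec#*:}             # text after it, possibly starting with '!'

    # peel a leading '!' off the network and keep it as a separate word
    neg=""
    case $net in
        '!'*) neg="! "; net=${net#!} ;;
    esac

    case $dir in
        s) ifopt=-i; addropt=-s ;;
        d) ifopt=-o; addropt=-d ;;
        *) echo "hosts_to_match: direction must be s or d" >&2; return 1 ;;
    esac

    # accept only a dotted quad with an optional /prefix; anything else
    # (including the '!' we just removed) would be handed to a resolver
    case $net in
        ''|*[!0-9./]*) echo "hosts_to_match: bad network in '$spec'" >&2; return 1 ;;
    esac

    # "! -d 192.168.0.0/24" rather than "-d '!192.168.0.0/24'"
    printf '%s %s %s%s %s\n' "$ifopt" "$iface" "$neg" "$addropt" "$net"
}

# constructed inputs mirroring the hosts file quoted in the thread
hosts_to_match 'eth0:!192.168.0.0/24' d   # -o eth0 ! -d 192.168.0.0/24
hosts_to_match 'eth0:192.168.0.0/24'  d   # -o eth0 -d 192.168.0.0/24
```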
Richard Munroe wrote:
> And it looks like there's a bug.
>
> I have a "firewall" with a single ethernet interface that splits into a
> network zone and a local zone and as a consequence I have a hosts file
> with the following in it:
>
> net eth0:!192.168.0.0/24
> loc eth0:192.168.0.0/24
>

You should follow the instructions at http://shorewall.net/Multiple_Zones.html#OneArmed and you won't encounter this "bug".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Richard Munroe wrote:
>
>> And it looks like there's a bug.
>>
>> I have a "firewall" with a single ethernet interface that splits into a
>> network zone and a local zone and as a consequence I have a hosts file
>> with the following in it:
>>
>> net eth0:!192.168.0.0/24
>> loc eth0:192.168.0.0/24
>>
>
> You should follow the instructions at
> http://shorewall.net/Multiple_Zones.html#OneArmed and you won't
> encounter this "bug".
>

I've uploaded a corrected 'firewall' script to http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2/errata

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key