Hi, I have three interfaces, one on the external net (eth0) and two bridged (br0) on the local net (bridging eth1 and eth2). I am using shorewall 2.4.0 on Fedora Core 3 (iptables 1.2.11, kernel 2.6.11-1.14_FC3).

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,logmartians,norfc1918,tcpflags,nosmurfs
loc     br0         10.0.2.7    routeback,dhcp,maclist

/etc/shorewall/masq
#INTERFACE   SUBNET        ADDRESS   PROTO   PORT(S)   IPSEC
eth0         10.0.2.0/29

/etc/shorewall/maclist
#INTERFACE   MAC                 IP ADDRESSES (Optional)
br0:eth2     xx:xx:xx:xx:xx:xx   10.0.2.3
br0:eth1     xx:xx:xx:xx:xx:xx   10.0.2.6

Problem: every time a new client requests an address through DHCP broadcast on br0, the following shows up in the log:

kernel: Shorewall:br0_mac:REJECT:IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

or

kernel: Shorewall:br0_mac:REJECT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

Depending on which of the two adapters the DHCP request originates from on the bridge. I have been trying to get rid of this from the log, but I have not been successful. Other than this, shorewall works great in this configuration. Does anyone have a suggestion?

Thanks

-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
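Added example, not part of the thread and not Shorewall code: a small Python triage script that parses kernel log lines in the Shorewall format quoted above and separates maclist rejects that are DHCP client broadcasts from 0.0.0.0 (the noise reported in the post) from other maclist rejects. The sample log lines are constructed; the first one is the reject from the post, the other two are made up for contrast.

```python
import re

# Constructed sample log lines in the Shorewall log format quoted in the post
# (first line is the reject from the post; the other two are made up).
SAMPLE_LOG = """\
kernel: Shorewall:br0_mac:REJECT:IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
kernel: Shorewall:br0_mac:REJECT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=10.0.2.5 DST=10.0.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=40000 DPT=22
kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.2.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=1234 DPT=445
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Split a Shorewall kernel log line into chain, disposition and KEY=VALUE fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)  # keep the first LEN= (IP total length), not the UDP one
    return fields

def is_dhcp_client_broadcast(f):
    """DHCP DISCOVER/REQUEST from a client with no address yet: 0.0.0.0:68 -> 255.255.255.255:67."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "68" and f.get("DPT") == "67"
            and f.get("SRC") == "0.0.0.0" and f.get("DST") == "255.255.255.255")

def classify(line):
    """Label a line so DHCP noise in a maclist chain can be told apart from real maclist rejects."""
    f = parse_line(line)
    if f is None:
        return "not-shorewall"
    if f["chain"].endswith("_mac"):
        # The reject in the post comes from the br0_mac chain. The maclist file shown
        # pairs each MAC with an IP address; a client still at 0.0.0.0 has no IP to
        # match, and on the bridge the broadcast also crosses ports (PHYSIN != PHYSOUT).
        # That is my reading of the log, not a diagnosis stated in the thread.
        if is_dhcp_client_broadcast(f):
            return "maclist-rejected-dhcp"
        return "maclist-rejected-other"
    return "other"

def summarize(log_text):
    """Count classifications over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts
```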
Supernaut wrote:
> Depending on which of the two adapters the DHCP request originates from
> on the bridge. I have been trying to get rid of this from the log, but
> I have not been successful. Other than this, shorewall works great in
> this configuration. Does anyone have a suggestion?

Please apply the attached patch:

cd /usr/share/shorewall
patch < .../dhcpmaclist.diff

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Supernaut wrote:
>> Depending on which of the two adapters the DHCP request originates from
>> on the bridge. I have been trying to get rid of this from the log, but
>> I have not been successful. Other than this, shorewall works great in
>> this configuration. Does anyone have a suggestion?
>
> Please apply the attached patch:

Also, please forward the output of "shorewall show br0_fwd". The patch shouldn't be necessary if the current code is working correctly.

-Tom
Thanks Tom. The patch solved the problem.

On Wed, 2005-07-13 at 07:27 -0700, Tom Eastep wrote:
> Supernaut wrote:
> > Depending on which of the two adapters the DHCP request originates from
> > on the bridge. I have been trying to get rid of this from the log, but
> > I have not been successful. Other than this, shorewall works great in
> > this configuration. Does anyone have a suggestion?
>
> Please apply the attached patch:
>
> cd /usr/share/shorewall
> patch < .../dhcpmaclist.diff
>
> -Tom
Tom Eastep wrote:
> Also, please forward the output of "shorewall show br0_fwd". The patch
> shouldn't be necessary if the current code is working correctly.

Never mind -- I determined what is happening. For those who are interested, a better patch is attached (it also backs out the previous patch).

-Tom