Using the latest Debian release of shorewall (2.4.1-3) there seems to be an unfortunate bug in the masq script, either with the doc or the program itself, or both. In /etc/shorewall/masq there is the following entry:

# SUBNET -- Subnet that you wish to masquerade. You can specify this as
#           a subnet or as an interface. If you give the name of an
#           interface, you must have iproute installed and the interface
#           must be up before you start the firewall.
#
#           In order to exclude a subset of the specified SUBNET, you
#           may append "!" and a comma-separated list of IP addresses
#           and/or subnets that you wish to exclude.
#
#           Example: eth1!192.168.1.4,192.168.32.0/27
#

Well last night I found the example to be grievously mistaken; for when I entered this:

eth1!192.168.4.0/24 eth0

...in my config, it promptly crashed shorewall on restart. This effectively cut me off from my remote firewall, making me a less than happy camper.

I found the resolution to the problem was to add a colon:

eth1:!192.168.4.0/24 eth0

I don't know if this works as intended, but at the very least shorewall doesn't crash when I do it.

I checked with the 2.4.3 normal release, and the example remains the same as with the Debian package. Unless this was fixed very recently, I think it would be an issue that needs to be addressed globally.

- Matt
Matt LaPlante wrote:
>
> # SUBNET -- Subnet that you wish to masquerade. You can specify this

Please note: This part of the comments is describing the SUBNET COLUMN!!!

> #
> # Example: eth1!192.168.1.4,192.168.32.0/27
> #
>
> Well last night I found the example to be grievously mistaken; for when I
> entered this:
>
> eth1!192.168.4.0/24 eth0

You decided to use the syntax for the SUBNET column in the INTERFACE column.

>
> ...in my config, it promptly crashed shorewall on restart. This effectively
> cut me off from my remote firewall making me a less than happy camper.

Shorewall contains ample facilities for preventing you from sawing off the limb you are sitting on, but you have to use them.

> I found the resolution to the problem was to add a colon:
>
> eth1:!192.168.4.0/24 eth0
>
> I don't know if this works as intended, but at very least shorewall doesn't
> crash when I do it.

That is the correct syntax. From the masq file:

# INTERFACE -- Outgoing interface. This is usually your internet
#              interface. If ADD_SNAT_ALIASES=Yes in
#              /etc/shorewall/shorewall.conf, you may add ":" and
#              a digit to indicate that you want the alias added with
#              that name (e.g., eth0:0). This will allow the alias to
#              be displayed with ifconfig. THAT IS THE ONLY USE FOR
#              THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
#              PLACE IN YOUR SHOREWALL CONFIGURATION.
#
#              This may be qualified by adding the character
#              ":" followed by a destination host or subnet.

Note that a colon (":") is required when you qualify the interface name.

>
> I checked with the 2.4.3 normal release, and the example remains the same as
> with the Debian package. Unless this was fixed very recently, I think it
> would be an issue that needs to be addressed globally.

Right....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I should add that I did a "shorewall check" prior to restarting, and it passed both times, even with the config that crashed on restart.

- Matt

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, August 30, 2005 9:53 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Example/Crash bug in /etc/masq
Matt LaPlante wrote:
> I should add that I did a "shorewall check" prior to restarting, and it
> passed both times, even with the config that crashed on restart.

gateway:/etc/test# shorewall help check
check: check [ <configuration-directory> ]
       Performs a cursory validation of the zones, interfaces, hosts,
       rules and policy files. Use this if you are unsure of any edits
       you have made to the shorewall configuration. See the try command
       examples for a recommended way to make changes.
gateway:/etc/test#

I don't see the 'masq' file listed there -- do you?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Matt LaPlante wrote:
>> I should add that I did a "shorewall check" prior to restarting, and it
>> passed both times, even with the config that crashed on restart.
>
> gateway:/etc/test# shorewall help check
> check: check [ <configuration-directory> ]
>        Performs a cursory validation of the zones, interfaces, hosts,
>        rules and policy files. Use this if you are unsure of any edits
>        you have made to the shorewall configuration. See the try command
>        examples for a recommended way to make changes.
> gateway:/etc/test#
>
> I don't see the 'masq' file listed there -- do you?
>

I've just committed code to the development branch that adds "masq" to the list of files processed by the "check" command.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
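An added example, not part of this thread and not Shorewall's own code: a small pre-restart lint for /etc/shorewall/masq that applies only the INTERFACE-column rules quoted in Tom's reply (a plain interface name, name:digit for an alias, or name: followed by an optional "!" and a comma-separated host/subnet list), so the colon-less entry that crashed Matt's firewall is flagged before a restart while the colon form passes. It fills the gap Tom confirms for this version, where "shorewall check" did not process the masq file; the interface-name pattern and the sample file are assumptions.

```python
import ipaddress
import re

# Constructed sample /etc/shorewall/masq: the entry that crashed the firewall
# in the thread, the corrected one, an alias entry, and a plain entry.
SAMPLE_MASQ = """\
#INTERFACE              SUBNET          ADDRESS
eth1!192.168.4.0/24     eth0
eth1:!192.168.4.0/24    eth0
eth0:0                  192.168.2.0/24
eth0                    192.168.1.0/24
"""

# Assumed interface-name alphabet (letters, digits, '_', '.', '+', '-').
IFACE_RE = re.compile(r"^[A-Za-z0-9_.+-]+$")


def _valid_net(tok):
    """True for a host address or CIDR subnet; a bare host becomes a /32."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def check_interface(field):
    """Validate one INTERFACE column per the rules quoted in the thread:
    'iface', 'iface:N' (alias), or 'iface:[!]host-or-subnet[,...]'.
    Returns None when the field is acceptable, otherwise an error message."""
    iface, sep, qual = field.partition(":")
    if not IFACE_RE.match(iface):
        # SUBNET-column syntax ('!' with no ':') ends up here.
        return f"bad interface name {iface!r} (missing ':' before '!'?)"
    if not sep:
        return None
    if qual.isdigit():
        return None  # alias number, e.g. eth0:0
    nets = qual[1:] if qual.startswith("!") else qual
    for tok in nets.split(","):
        if not _valid_net(tok):
            return f"bad host/subnet {tok!r} in INTERFACE qualifier"
    return None


def check_masq(text):
    """Return [(line number, message)] for every faulty INTERFACE column."""
    errors = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            msg = check_interface(line.split()[0])
            if msg:
                errors.append((n, msg))
    return errors
```

Run it over the real file with `check_masq(open("/etc/shorewall/masq").read())` before a restart; a non-empty result means the INTERFACE column would have tripped the same mistake.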