Strange ... I have an ACCEPT policy for that:
tail /etc/shorewall/policy
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
fw ha ACCEPT
ha fw ACCEPT
all all DROP info
#LAST LINE -- DO NOT REMOVE
tail /etc/shorewall/interfaces
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
net bond0 detect arp_filter,nosmurfs,tcpflags,routefilter,logmartians
ha bond1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
cat /etc/sysctl.conf | grep icmp
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Maybe the problem is not Shorewall related,
thanks
Nicola
Tom Eastep wrote:
>On Monday 14 November 2005 07:16, Nicola Murino wrote:
>
>
>>Hi,
>>
>>I configured some HA services using heartbeat, and I have this in my log:
>>
>>Nov 14 09:59:06 mail1 heartbeat[3932]: ERROR: Unable to send bcast [-1] packet: Operation not permitted
>>Nov 14 09:59:06 mail1 heartbeat[3932]: ERROR: write failure on bcast bond1.: Operation not permitted
>>
>>How do I allow broadcast only on some interfaces with Shorewall?
>>
>>
>
>There are no special considerations for allowing broadcast output -- you must
>ACCEPT UDP <port number> from the fw to the zone connected to the interface.
>
>-Tom
>
>