Hi list!

I just upgraded my shorewall from 1.4.10g to 3.0.6

Everything seems to work out fine but I can't figure out where I am going wrong with the /etc/shorewall/hosts file.

I have two local subnets attached to this one interface and with shorewall 1.4.10g I had this line:

loc eth0:10.1.0.0/16,10.2.0.0/16

When I use the exact same line I get this error starting shorewall:
ERROR: Invalid zone definition for zone loc

When I leave out the eth0: bit in that line I get an error that the zones I defined are invalid.

Where did I go wrong?

Thanks!

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Remco Barendse wrote:
> Hi list!
>
> I just upgraded my shorewall from 1.4.10g to 3.0.6
>
> Everything seems to work out fine but I can't figure out where I am
> going wrong with the /etc/shorewall/hosts file.
>
> I have two local subnets attached to this one interface and with
> shorewall 1.4.10g I had this line:
>
> loc eth0:10.1.0.0/16,10.2.0.0/16
>
> When I use the exact same line I get this error starting shorewall:
> ERROR: Invalid zone definition for zone loc
>
> When I leave out the eth0: bit in that line I get an error that the
> zones I defined are invalid.
>
> Where did I go wrong?

What entry do you have for eth0 in /etc/shorewall/interfaces?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>> When I use the exact same line I get this error starting shorewall:
>> ERROR: Invalid zone definition for zone loc
>>
>> When I leave out the eth0: bit in that line I get an error that the
>> zones I defined are invalid.
>>
>> Where did I go wrong?
>
> What entry do you have for eth0 in /etc/shorewall/interfaces?

Just this:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      blacklist
Remco Barendse wrote:
>>> When I use the exact same line I get this error starting shorewall:
>>> ERROR: Invalid zone definition for zone loc
>>>
>>> When I leave out the eth0: bit in that line I get an error that the
>>> zones I defined are invalid.
>>>
>>> Where did I go wrong?
>>
>> What entry do you have for eth0 in /etc/shorewall/interfaces?
>
> Just this:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      blacklist

Many Shorewall users had this silly configuration with early Shorewall versions -- that's why I added the error message. The error message is documented at http://www.shorewall.net/ErrorMessages.html.

The entry in /etc/shorewall/interfaces is equivalent to this entry in /etc/shorewall/hosts:

loc eth0:0.0.0.0/0

In other words, your interface entry already associates the entire IPv4 address space through eth0 with zone 'loc'. So it is indeed superfluous to now add 10.1.0.0/16 and 10.2.0.0/16.

You should be able to remove the hosts file entry entirely and add 'routeback' to the entry in /etc/shorewall/interfaces; e.g.,

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      blacklist,routeback

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
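For readers who land on this thread later, here is the configuration spelled out in full as an added example (editor's addition, not from the original posts or from the Shorewall project). The first part is the single-zone setup Tom describes. The second part is the alternative to use when the two subnets should be filtered from each other: with both networks in zone 'loc' there is nothing to write a policy against, because Shorewall accepts intra-zone traffic by default. The zone names loc1/loc2, the 'fw' zone entry and the DROP policies are assumptions chosen for the illustration; Shorewall 3.x file columns are used throughout.

```conf
# --- Part 1: single zone, as in Tom's reply -------------------------------
# /etc/shorewall/interfaces
# The interface entry alone puts everything reachable via eth0 into 'loc'
# (equivalent to "loc eth0:0.0.0.0/0" in hosts), so no hosts entry is
# needed. 'routeback' lets forwarded traffic leave on the same interface it
# arrived on, which is what 10.1.0.0/16 <-> 10.2.0.0/16 traffic does.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      blacklist,routeback

# --- Part 2 (assumed names): one zone per subnet --------------------------
# Use this form only if you want rules/policies between the two subnets.
# The ZONE column of the interface entry is '-' so that zone membership is
# taken from /etc/shorewall/hosts instead of from the interface itself.

# /etc/shorewall/zones  (other zones you already have, e.g. net, stay as is)
#ZONE   TYPE        OPTIONS
fw      firewall
loc1    ipv4
loc2    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      blacklist,routeback

# /etc/shorewall/hosts
#ZONE   HOST(S)             OPTIONS
loc1    eth0:10.1.0.0/16
loc2    eth0:10.2.0.0/16

# /etc/shorewall/policy  (assumed: deny between the subnets, log the drops;
# open specific services between them with entries in /etc/shorewall/rules)
#SOURCE DEST    POLICY  LOG LEVEL
loc1    loc2    DROP    info
loc2    loc1    DROP    info
```

Part 1 is the smaller change and is what the thread settles on. Part 2 is worth the extra lines when the two subnets have different trust levels (for example a server VLAN and a workstation VLAN on the same router port), since it turns the inter-subnet hop into a zone boundary that policies and rules apply to. In both forms 'routeback' is required, otherwise packets arriving on eth0 and leaving on eth0 are dropped.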
>>> What entry do you have for eth0 in /etc/shorewall/interfaces?
>>
>> Just this:
>>
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> loc     eth0        detect      blacklist
>
> Many Shorewall users had this silly configuration with early Shorewall
> versions -- that's why I added the error message. The error message is
> documented at http://www.shorewall.net/ErrorMessages.html.
>
> The entry in /etc/shorewall/interfaces is equivalent to this entry in
> /etc/shorewall/hosts:
>
> loc eth0:0.0.0.0/0
>
> In other words, your interface entry already associates the entire IPv4
> address space through eth0 with zone 'loc'. So it is indeed superfluous
> to now add 10.1.0.0/16 and 10.2.0.0/16.
>
> You should be able to remove the hosts file entry entirely and add
> 'routeback' to the entry in /etc/shorewall/interfaces; e.g.,
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      blacklist,routeback

Thanks, that worked like a charm.

Sorry for bothering you and the list with this, I should have upgraded earlier.

Thanks again!
Remco