When I install the two-interfaces files in /etc/shorewall on my FC-5 system
(with shorewall-3.2.3) and run "services shorewall restart" I get
------------------------------------------------------
cp -a interfaces masq policy routestopped rules zones /etc/shorewall/
...
[root@alfred shorewall]# service shorewall restart
...
Determining Zones...
ERROR: Zone fw is defined more than once
------------------------------------------------------

Am I doing something silly?

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

You are using the FC-specific restart (through services). For this mailing
list please try 'shorewall restart' and see if that gives you the same error.
If not, please report a bug to FC.

~David

On 9/5/06, Timothy Murphy <tim@birdsnest.maths.tcd.ie> wrote:
>
> When I install the two-interfaces files in /etc/shorewall on my FC-5 system
> (with shorewall-3.2.3) and run "services shorewall restart" I get
> ------------------------------------------------------
> cp -a interfaces masq policy routestopped rules zones /etc/shorewall/
> ...
> [root@alfred shorewall]# service shorewall restart
> ...
> Determining Zones...
> ERROR: Zone fw is defined more than once
> ------------------------------------------------------
>
> Am I doing something silly?

Timothy Murphy wrote:
> When I install the two-interfaces files in /etc/shorewall on my FC-5 system
> (with shorewall-3.2.3) and run "services shorewall restart" I get
> ------------------------------------------------------
> cp -a interfaces masq policy routestopped rules zones /etc/shorewall/
> ...
> [root@alfred shorewall]# service shorewall restart
> ...
> Determining Zones...
> ERROR: Zone fw is defined more than once
> ------------------------------------------------------
>
> Am I doing something silly?
>

You apparently have some old files in /etc/shorewall. Your
/etc/shorewall/shorewall.conf file defines the FW option which was
deprecated in Shorewall 3.0.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Timothy Murphy wrote:
>> When I install the two-interfaces files in /etc/shorewall on my FC-5 system
>> (with shorewall-3.2.3) and run "services shorewall restart" I get
>> ------------------------------------------------------
>> cp -a interfaces masq policy routestopped rules zones /etc/shorewall/
>> ...
>> [root@alfred shorewall]# service shorewall restart
>> ...
>> Determining Zones...
>> ERROR: Zone fw is defined more than once
>> ------------------------------------------------------
>>
>> Am I doing something silly?
>>
>
> You apparently have some old files in /etc/shorewall. Your
> /etc/shorewall/shorewall.conf file defines the FW option which was
> deprecated in Shorewall 3.0.

Or, your shorewall.conf file has IPSECFILE=ipsec (or it doesn't set
IPSECFILE at all).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

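The two replies above name three shorewall.conf conditions behind "Zone fw is defined more than once". The script below is an added example, not part of the original thread or of Shorewall itself: it reads a shorewall.conf and reports which of those conditions is present. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the shorewall.conf settings that
# the replies associate with "Zone fw is defined more than once".

# Print the last value assigned to variable $1 in file $2, with trailing
# comments and surrounding quotes removed. Returns 1 if it is never assigned.
conf_value() {
    line=$(grep -E "^[[:space:]]*$1=" "$2" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
            -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one finding per line for file $1; return 1 if anything was flagged.
check_shorewall_conf() {
    findings=0
    # Assumption: an empty "FW=" is treated as not defining the option.
    if fw=$(conf_value FW "$1") && [ -n "$fw" ]; then
        echo "FW=$fw is set (deprecated in Shorewall 3.0)"
        findings=1
    fi
    if ipsec=$(conf_value IPSECFILE "$1"); then
        [ "$ipsec" != "ipsec" ] || { echo "IPSECFILE=ipsec"; findings=1; }
    else
        echo "IPSECFILE is not set"
        findings=1
    fi
    return "$findings"
}

# Constructed sample: a config fragment left over from before Shorewall 3.0.
write_old_sample() {
    cat > "$1" <<'EOF'
# shorewall.conf (constructed sample)
FW=fw
# IPSECFILE=ipsec
STARTUP_ENABLED=Yes
EOF
}

sample=$(mktemp)
write_old_sample "$sample"
check_shorewall_conf "$sample" || echo "=> stale shorewall.conf: compare it against a fresh copy"
rm -f "$sample"
```

On a real system, call `check_shorewall_conf /etc/shorewall/shorewall.conf`; a non-zero return means at least one of the conditions from the thread was found.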
On Tuesday 05 September 2006 21:32, you wrote:
> >> When I install the two-interfaces files in /etc/shorewall on my FC-5
> >> system (with shorewall-3.2.3) and run "services shorewall restart" I get
> >> ------------------------------------------------------
> >> cp -a interfaces masq policy routestopped rules zones /etc/shorewall/
> >> ...
> >> [root@alfred shorewall]# service shorewall restart
> >> ...
> >> Determining Zones...
> >> ERROR: Zone fw is defined more than once
> >> ------------------------------------------------------
> >>
> >> Am I doing something silly?
> >
> > You apparently have some old files in /etc/shorewall. Your
> > /etc/shorewall/shorewall.conf file defines the FW option which was
> > deprecated in Shorewall 3.0.

Thank you very much.
That was exactly it - when I replaced shorewall.conf
with a brand-new copy all was well.

I have two little newbie queries.
[Apologies if I am repeating myself -
I sent a similar posting earlier,
but I don't see any record of it in my sent-mail,
and I have a feeling it was swallowed up
while I was playing with my shorewall settings.]

(1) I've added the lines
--------------------------------------------------
POP3/ACCEPT $FW net
POP3S/ACCEPT $FW net
SMTP/ACCEPT $FW net
NTP/ACCEPT $FW net
NTP/ACCEPT loc $FW
ACCEPT $FW net tcp 540
--------------------------------------------------
to my shorewall rules,
and I am wondering if this is what I should do
to allow mail in and out, etc.
(The last line is for uucp - I am the last person in the world using it.)

Incidentally, I think all traffic between loc and fw used to be allowed
in the earlier version of two-interfaces I was using?
Is it possible to allow that with the current version?
Or is it considered unwise?

(2) My second query is about httpd/apache.
I am running a web-server on my fw machine.
This machine is attached by eth0 to an ADSL modem
(which is in turn attached to the phone inlet).
I have a fixed external IP address, 86.43.71.228,
while the eth0 interface on my fw machine is 192.168.1.1.
I'd like the web-server to be accessible from the net.
I'm not sure if I have understood the instructions for this.
Would it be right to add the line
DNAT net $FW:192.168.1.1 tcp 80 - 86.43.71.228
to my rules?

This isn't working at the moment,
but the problem could well be with my httpd settings.
(I used to use the shorewall AllowWeb macro,
but that doesn't seem to exist any more.)

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

On Wed, 2006-09-06 at 14:19 +0100, Timothy Murphy wrote:
>
> (1) I've added the lines
> --------------------------------------------------
> POP3/ACCEPT $FW net
> POP3S/ACCEPT $FW net
> SMTP/ACCEPT $FW net
> NTP/ACCEPT $FW net
> NTP/ACCEPT loc $FW
> ACCEPT $FW net tcp 540
> --------------------------------------------------
> to my shorewall rules,
> and I am wondering if this is what I should do
> to allow mail in and out, etc.
> (The last line is for uucp - I am the last person in the world using it.)
>
> Incidentally, I think all traffic between loc and fw used to be allowed
> in the earlier version of two-interfaces I was using?
> Is it possible to allow that with the current version?
> Or is it considered unwise?

You have complete control over these sorts of policies. Simply add this
to your /etc/shorewall/policy file:

loc $FW ACCEPT

>
> (2) My second query is about httpd/apache.
> I am running a web-server on my fw machine.
> This machine is attached by eth0 to an ADSL modem
> (which is in turn attached to the phone inlet).
> I have a fixed external IP address, 86.43.71.228,
> while the eth0 interface on my fw machine is 192.168.1.1.
> I'd like the web-server to be accessible from the net.
> I'm not sure if I have understood the instructions for this.
> Would it be right to add the line
> DNAT net $FW:192.168.1.1 tcp 80 - 86.43.71.228
> to my rules?
>
> This isn't working at the moment,
> but the problem could well be with my httpd settings.
> (I used to use the shorewall AllowWeb macro,
> but that doesn't seem to exist any more.)

You want

ACCEPT net $FW tcp 80

And you need to configure your ADSL modem (which is apparently operating
as a router) to forward tcp port 80 to 192.168.1.1.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key