Hello everyone,

I'm using shorewall successfully on many servers without any problems and I'm really happy with this great piece of software.

But now I ran into a problem with shorewall 3.0.4 on Ubuntu 6.06 running on a vServer. The provider uses virtual interfaces like eth0:vs01 for the customers. The interface eth0 cannot be touched. I've read the instructions for aliased interfaces but somehow I don't get it.

I want some basic fw rules like opening port 22 for ssh. Here is my configuration:

/etc/shorewall/interfaces
net     eth0

/etc/shorewall/zones
fw      firewall
net     ipv4

/etc/shorewall/policy
net     all     DROP    error
all     all     REJECT  error
$FW     net     ACCEPT  error

/etc/shorewall/rules
ACCEPT  net:123.123.123.123     $FW     22

123.123.123.123 is the ip of the virtual interface eth0:vs01

Trying to start shorewall gives the following error:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Not available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Not available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Not available
   CLASSIFY Target: Not available
Determining Zones...
   IPv4 Zones: net
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Pre-processing /usr/share/shorewall/action.Reject...
   Pre-processing /usr/share/shorewall/action.Limit...
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/all/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/default/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/eth0/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/lo/proxy_arp: Operation not permitted
Deleting user chains...
iptables: Operation not permitted
   ERROR: Command "/sbin/iptables -P INPUT DROP" Failed
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/all/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/default/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/eth0/proxy_arp: Operation not permitted
/usr/share/shorewall/firewall: line 3009: /proc/sys/net/ipv4/conf/lo/proxy_arp: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted
iptables: Operation not permitted

So how can I use this virtual interface with shorewall?

Thanks in advance.

Best Regards
Matthias

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Matthias wrote:
> Hello everyone,
>
> I'm using shorewall successfully on many servers without any problems and I'm
> really happy with this great piece of software.
>
> But now I ran into a problem with shorewall 3.0.4 on Ubuntu 6.06 running on a
> vServer.

You cannot run a Netfilter-based firewall in a vserver -- only on the host (rootserver). See the Vserver FAQ.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
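As an added example that is not part of the thread or of Shorewall itself: a small POSIX shell script to run inside a guest before spending time on firewall configuration. Every failure in the log above ("iptables: Operation not permitted", unwritable /proc/sys/net/ipv4/conf/*/proxy_arp) is the kernel refusing a privileged network operation, so the script checks the three things that refusal implies: whether the process holds CAP_NET_ADMIN (capability number 12 in linux/capability.h, read from the CapEff mask in /proc/self/status), whether the sysctl entries Shorewall writes are writable, and whether iptables can even list the filter table. The choice of /proc/sys/net/ipv4/ip_forward as a second sysctl probe and of iptables -L -n as the reachability probe are this example's own assumptions; the proxy_arp path is taken from the error output. Run it as root inside the guest.

```shell
#!/bin/sh
# Added example, not from the thread: probe from inside a guest whether a
# Netfilter firewall (Shorewall, plain iptables) can work there at all.
# The errors Shorewall printed are the kernel refusing privileged network
# operations, so the first thing to check is CAP_NET_ADMIN.

CAP_NET_ADMIN_BIT=12   # capability number, from <linux/capability.h>

# has_cap_net_admin HEXMASK
# HEXMASK is a CapEff value as printed in /proc/<pid>/status
# (e.g. 0000003fffffffff). Succeeds if bit 12 (CAP_NET_ADMIN) is set.
has_cap_net_admin() {
    mask=$1
    [ -n "$mask" ] || return 1
    [ $(( 0x$mask >> CAP_NET_ADMIN_BIT & 1 )) -eq 1 ]
}

# effective_caps_hex
# Prints this process's CapEff mask; fails if /proc is not available.
effective_caps_hex() {
    [ -r /proc/self/status ] || return 1
    while read -r key val _; do
        if [ "$key" = "CapEff:" ]; then
            echo "$val"
            return 0
        fi
    done < /proc/self/status
    return 1
}

# netfilter_reachable
# 0: iptables can read the filter table; 2: iptables not installed;
# anything else: the kernel refused, which is what Shorewall hit on
# '/sbin/iptables -P INPUT DROP'. (Probe command is this example's choice.)
netfilter_reachable() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -L -n >/dev/null 2>&1
}

# report_netfilter_access
# Prints one line per check; succeeds only if every check passes.
report_netfilter_access() {
    ok=0
    caps=$(effective_caps_hex || true)
    if has_cap_net_admin "$caps"; then
        echo "CAP_NET_ADMIN: present (CapEff=$caps)"
    else
        echo "CAP_NET_ADMIN: missing (CapEff=${caps:-unknown}); iptables and sysctl writes will fail"
        ok=1
    fi
    # proxy_arp is the entry Shorewall choked on in the log; ip_forward is
    # the other sysctl it manages (IP_FORWARDING in shorewall.conf).
    for f in /proc/sys/net/ipv4/conf/all/proxy_arp /proc/sys/net/ipv4/ip_forward; do
        if [ -w "$f" ]; then
            echo "writable:  $f"
        else
            echo "read-only: $f"
            ok=1
        fi
    done
    if netfilter_reachable; then
        echo "iptables -L: works"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "iptables: not installed"
        else
            echo "iptables -L: refused by the kernel"
        fi
        ok=1
    fi
    return $ok
}

if report_netfilter_access; then
    echo "Netfilter looks usable in this context."
else
    echo "This guest cannot run a Netfilter firewall; the rules belong on the host."
fi
```

A guest on a Linux-VServer kernel, as in the thread, will show CAP_NET_ADMIN missing and both sysctls read-only, which is exactly the situation Tom describes: the only fix is to put the rules on the host (rootserver), not to change the guest's Shorewall configuration.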