hi,
in the interface doc i read:

"The broadcast address(es) for the network(s) to which the interface
belongs. For P-T-P interfaces, this column is left blank."

but in the case of openvpn with --topology subnet, the tun interface is a
P-t-P connection but still has a subnet. so "-" or "detect"?
thanks.

--
  Levente                               "Si vis pacem para bellum!"

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
Farkas Levente wrote:
> hi,
> in the interface doc i read:
>
> "The broadcast address(es) for the network(s) to which the interface
> belongs. For P-T-P interfaces, this column is left blank."
>
> but in case openvpn when --topology subnet then the tun interface is a
> P-t-P connection but still has a subnet. so "-" or "detect"?
> thanks.
>

Look at the output of 'ip addr tun0'. If it contains a 'brd' then use
'detect' (or specify the brd address if tun0 might not be up when Shorewall
starts); otherwise use '-'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Farkas Levente wrote:
>> hi,
>> in the interface doc i read:
>>
>> "The broadcast address(es) for the network(s) to which the interface
>> belongs. For P-T-P interfaces, this column is left blank."
>>
>> but in case openvpn when --topology subnet then the tun interface is a
>> P-t-P connection but still has a subnet. so "-" or "detect"?
>> thanks.
>>
>
> Look at the output of 'ip addr tun0'. If it contains a 'brd' then use
> 'detect' (or specify the brd address if tun0 might not be up when Shorewall
> starts); otherwise use '-'.

ok, to clarify: tun0 is an openvpn server in topology subnet, while tun1
is an openvpn client in topology net30. i also checked a topology subnet
client. and it seems that in the case of
- topology subnet (both server and client) there is a brd, so use detect.
- all other topologies, use -
imho it'd be useful to document :-)
thanks.

[root@portal openvpn]# ip address show tun0
45: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.255.1/24 brd 192.168.255.255 scope global tun0
[root@portal openvpn]# ip address show tun1
46: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.2.14 peer 10.0.2.13/32 scope global tun1

--
  Levente                               "Si vis pacem para bellum!"
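The rule Tom gives above (brd present in the `ip address show` output means 'detect', otherwise '-'), together with the two interface listings Levente posted, can be turned into a small check script. This is an added example and not code from the thread or from Shorewall; the function names broadcast_column and broadcast_of are this example's own, and the sample input is the tun0/tun1 output quoted in the previous message. broadcast_of covers Tom's caveat about an interface that may not be up yet when Shorewall starts: it computes the broadcast address from the address/prefix that openvpn will assign, so it can be written into the BROADCAST column by hand instead of 'detect'.

```shell
#!/bin/sh
# Added example (not from the thread): apply the "brd present => detect" rule.
# broadcast_column reads `ip -4 address show <if>` output on stdin and prints
# "detect" when the kernel reports a brd address, "-" otherwise.
# broadcast_of computes the broadcast address for addr/prefix, for the case
# where the tun interface does not exist yet when Shorewall starts and the
# address has to be written into the BROADCAST column explicitly.
# Both function names are this example's own choice.

broadcast_column() {
    found=0
    column=-
    while IFS= read -r line; do
        case "$line" in
            *"inet "*)                          # IPv4 address line (inet6 does not match)
                found=1
                case "$line" in
                    *" brd "*) column=detect ;; # kernel derived a broadcast address
                esac
                ;;
        esac
    done
    # No inet line: interface is down or missing, so the rule cannot be applied.
    [ "$found" -eq 1 ] || return 2
    printf '%s\n' "$column"
}

# broadcast_of 192.168.255.1/24  ->  192.168.255.255
# Works octet by octet, so it needs no 32-bit integer arithmetic.
broadcast_of() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -f                  # no globbing while splitting the address
    set -- $addr
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    out=
    i=0
    for octet in "$@"; do
        netbits=$((prefix - 8 * i))         # network bits that fall in this octet
        [ "$netbits" -gt 8 ] && netbits=8
        [ "$netbits" -lt 0 ] && netbits=0
        hostmask=$(( (1 << (8 - netbits)) - 1 ))
        out="$out${out:+.}$(( octet | hostmask ))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Sample input: the two `ip address show` listings posted earlier in this thread.
TUN0_OUTPUT='45: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.255.1/24 brd 192.168.255.255 scope global tun0'
TUN1_OUTPUT='46: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.2.14 peer 10.0.2.13/32 scope global tun1'

# On a live box:  ip -4 address show tun0 | broadcast_column
printf '%s\n' "$TUN0_OUTPUT" | broadcast_column   # detect  (topology subnet)
printf '%s\n' "$TUN1_OUTPUT" | broadcast_column   # -       (topology net30)
broadcast_of 192.168.255.1/24                     # 192.168.255.255
```

The distinction the script keys on is visible in the listings themselves: with topology subnet the tun interface gets a prefixed address (192.168.255.1/24) and the kernel fills in brd; with net30 it gets a host address plus a /32 peer and no broadcast, which is the "P-T-P, leave blank" case the interface doc describes.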
Farkas Levente wrote:
> Tom Eastep wrote:
>> Farkas Levente wrote:
>>> hi,
>>> in the interface doc i read:
>>>
>>> "The broadcast address(es) for the network(s) to which the interface
>>> belongs. For P-T-P interfaces, this column is left blank."
>>>
>>> but in case openvpn when --topology subnet then the tun interface is a
>>> P-t-P connection but still has a subnet. so "-" or "detect"?
>>> thanks.
>>>
>> Look at the output of 'ip addr tun0'. If it contains a 'brd' then use
>> 'detect' (or specify the brd address if tun0 might not be up when Shorewall
>> starts); otherwise use '-'.
>
> ok to clarify tun0 is a openvpn server in topology subnet, while tun1
> is an openvpn client in topology net30. i also check a topology subnet
> client. and it seems in case of
> - topology subnet (both server and client) there is a brd so use detect.
> - all other topology use -
> imho it'd be useful to document:-)

The whole BROADCAST nonsense essentially goes away with Shorewall-perl; using
that compiler, unless you are running on an old/broken distribution, you must
specify '-' or 'detect' in the BROADCAST column and the two are equivalent. So
by the time that James finally releases OpenVPN 2.1 (it's still in RC), this
should be a non-issue for most users.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key