My first encounter with shorewall months ago resulted in failure to get it working. I resorted to doing iptables rules directly. I'm back for more and beating my head against the same issue. I am following instructions here: <http://www.shorewall.net/two-interface.htm>

I have a webserver/firewall sitting on a single, public IP. My issue is that when I start shorewall, I receive the error message "ERROR: Only one firewall zone may be defined" unless I delete (or comment out) my firewall zone in /etc/shorewall/zones like this:

    #fw firewall
    loc ipv4
    net ipv4

These are the ONLY zones defined.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
I have the same setup, my zones file looks like this:

    fw firewall
    net ipv4

BB

On Jan 22, 2008 3:24 PM, Mike Purnell <mpurnell@greenftechn.com> wrote:
> I have a webserver/firewall sitting on a single, public IP. My issue is
> that when I start shorewall, I receive the error message "ERROR: Only
> one firewall zone may be defined" unless I delete (or comment out) my
> firewall zone in /etc/shorewall/zones like this:
>
> #fw firewall
> loc ipv4
> net ipv4
>
> These are the ONLY zones defined.

--
Have Mercy & Say Yeah
Mike Purnell wrote:
> I have a webserver/firewall sitting on a single, public IP. My issue is
> that when I start shorewall, I receive the error message "ERROR: Only
> one firewall zone may be defined" unless I delete (or comment out) my
> firewall zone in /etc/shorewall/zones like this:
>
> #fw firewall
> loc ipv4
> net ipv4
>
> These are the ONLY zones defined.

You are following the Shorewall 4.0 instructions but are running some earlier version with the shorewall.conf file not matching the version of Shorewall.

The shorewall.conf file you are using either has IPSECFILE=ipsec, IPSECFILE=, or doesn't contain an IPSECFILE specification. It should contain IPSECFILE=zone. It may also contain an explicit setting for FW (e.g., FW=fw). That should also be removed.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> You are following the Shorewall 4.0 instructions but are running
> some earlier version with the shorewall.conf file not matching
> the version of Shorewall.
>
> The shorewall.conf file you are using either has
> IPSECFILE=ipsec, IPSECFILE=, or doesn't contain an IPSECFILE specification.
> It should contain IPSECFILE=zone. It may also contain an explicit setting
> for FW (e.g., FW=fw). That should also be removed.
>
> -Tom

The shorewall.conf file contained both IPSECFILE=zone and FW=fw. The default .conf file contained both and I missed it. I removed the latter and all is well. Thanks.

--Mike
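A pre-flight check for the mismatch Tom describes and Mike confirms above (IPSECFILE not set to zone, or an explicit FW= in shorewall.conf alongside a firewall zone in the zones file), added here as an example; it is not code from this thread or from the Shorewall project. It assumes a 4.0-format zones file in which the TYPE column value "firewall" marks the firewall zone, a KEY=VALUE shorewall.conf, and caller-supplied file paths rather than Shorewall's defaults. The sample files it writes are constructed to mirror the thread: the zones file with fw present, the shorewall.conf that broke (IPSECFILE=zone plus FW=fw) and the one that worked (FW= removed).

```shell
#!/bin/sh
# Added example, not from this thread or from the Shorewall project.
# Assumptions: zones file in 4.0 format (TYPE column "firewall" marks the
# firewall zone); shorewall.conf is KEY=VALUE lines; paths come from the
# caller, not from Shorewall's defaults.

# Value of KEY=VALUE ($2) in a shorewall.conf-style file ($1): last
# occurrence wins, surrounding quotes dropped, nothing printed when absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Number of uncommented zones-file rows whose TYPE column is "firewall".
firewall_zone_count() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 && $2 == "firewall"' | wc -l | tr -d ' '
}

# Diagnose shorewall.conf ($1) against the zones file ($2). Prints "ok"
# (exit 0) or a one-line reason (exit 1).
check_shorewall_conf() {
    ipsec=$(conf_value "$1" IPSECFILE)
    fw=$(conf_value "$1" FW)
    nfw=$(firewall_zone_count "$2")
    if [ "$ipsec" != "zone" ]; then
        echo "IPSECFILE must be 'zone' to read a 4.0-format zones file (found '$ipsec')"
        return 1
    fi
    if [ -n "$fw" ] && [ "$nfw" -ge 1 ]; then
        # The thread's case: both sources name a firewall zone.
        echo "FW=$fw in shorewall.conf and $nfw firewall zone(s) in zones: remove the FW= line"
        return 1
    fi
    if [ -z "$fw" ] && [ "$nfw" -ne 1 ]; then
        echo "no FW= line in shorewall.conf, so zones must define exactly one firewall zone (found $nfw)"
        return 1
    fi
    if [ -n "$fw" ]; then
        # Mike's workaround: fw commented out of zones, FW= still in shorewall.conf.
        echo "ok (firewall zone named by FW=$fw in shorewall.conf, not by the zones file)"
        return 0
    fi
    echo ok
}

# Constructed sample files, written into directory $1.
write_samples() {
    cat > "$1/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF
    cat > "$1/shorewall.conf.broken" <<'EOF'
IPSECFILE=zone
FW=fw
EOF
    cat > "$1/shorewall.conf.fixed" <<'EOF'
IPSECFILE=zone
EOF
}

# Stand-alone run: build the samples and print both verdicts.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for c in broken fixed; do
        printf '%s: ' "$c"
        check_shorewall_conf "$d/shorewall.conf.$c" "$d/zones" || true
    done
    rm -rf "$d"
}

demo
```

Run it as `sh check.sh` to see the two verdicts, or source it and call `check_shorewall_conf /etc/shorewall/shorewall.conf /etc/shorewall/zones` against a live install; the check only reads the files it is given and changes nothing.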
Mike Purnell wrote:
> The shorewall.conf file contained both IPSECFILE=zone and FW=fw
> The default .conf file contained both and I missed it.

Where did you get this 'default' file? We need to eradicate it.

-Tom
Tom Eastep wrote:
> Where did you get this 'default' file? We need to eradicate it.
>
> -Tom

I'm satisfied that the version of the file I used is no longer available from the repositories.

--Mike
Mike Purnell wrote:
> I'm satisfied that the version of the file I used is no longer available
> from the repositories.

Thanks,

-Tom