Hello,

I have a firewall with two providers and another two Ethernet cards connected to different LANs. My problem is that with one provider I can connect to the Internet, but with the other not, and I don't know why. I send packets by the correct Ethernet card of the provider and receive the packets well, but I can send to the LAN of the client.

Here is an example:

On the LAN card of the client:

    11:29:57.891730 IP 192.168.18.210 > 66.199.187.40: ICMP echo request, id 12835, seq 714, length 64

On the card of the provider:

    11:29:57.891730 IP 192.168.21.220 > 66.199.187.40: ICMP echo request, id 12835, seq 714, length 64

The response:

    11:45:06.531052 IP 66.199.187.40 > 192.168.21.220: ICMP echo reply, id 1280, seq 16129, length 40

What files do you need to help me?

Thank you!

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Adrian Chapela wrote:
>
> What files do you need to help me ??
>

First see Shorewall FAQs 57 and 58. If they don't help, then please see http://www.shorewall.net/support.htm#Guidelines (Hint -- yours is a 'Connection Problem').

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Adrian Chapela wrote:
>>
>> What files do you need to help me ??
>>
>
> First see Shorewall FAQs 57 and 58. If they don't help, then please
> see http://www.shorewall.net/support.htm#Guidelines (Hint -- yours is
> a 'Connection Problem').

Yes, I read it, and I changed this:

OLD config:

    mundor 1 1 main mundor 192.168.20.254 track lan,lan2
    auna   2 2 main auna   192.168.21.254 track lan,lan2

New config:

    mundor 1 1 main mundor 192.168.20.254 track,balance lan,lan2
    auna   2 2 main auna   192.168.21.254 track,balance lan,lan2

With this config all DNAT are working well, but the traffic is all sent by the mundor ISP.

Here is my tcrules:

    1 192.168.18.0/24 !192.168.0.0/16
    1 192.168.19.0/24 !192.168.0.0/16
    2 192.168.19.5    !192.168.0.0/16
    2 192.168.19.42   !192.168.0.0/16
    2 192.168.19.201  !192.168.0.0/16
    2 192.168.19.203  !192.168.0.0/16
    2 192.168.19.205  !192.168.0.0/16
    2 192.168.19.144  !192.168.0.0/16
    2 192.168.19.22   0.0.0.0/0

For example, 192.168.19.5 must be going by the auna ISP, but I am seeing packets on mundor. Why?

> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Adrian Chapela wrote:
>
> For example, 192.168.19.5 must be going by the auna ISP, but I am seeing
> packets on mundor. Why?

If you don't send the information we ask for, you are just wasting your time and ours.

http://www.shorewall.net/support.htm#Guidelines

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>>
>> For example, 192.168.19.5 must be going by the auna ISP, but I am seeing
>> packets on mundor. Why?
>
> If you don't send the information we ask for, you are just wasting
> your time and ours.

Have you received my mail? I sent it to the mailing list and it was rejected. And for you? Was the size OK?

> http://www.shorewall.net/support.htm#Guidelines
>
> -Tom

Adrian Chapela wrote:
> Have you received my mail? I sent it to the mailing list and it was rejected.
> And for you? Was the size OK?

I've received no mail directly from you. What email address did you send it to? I prefer that this sort of mail be sent to support@shorewall.net.

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>
>> Have you received my mail? I sent it to the mailing list and it was
>> rejected. And for you? Was the size OK?
>
> I've received no mail directly from you. What email address did you send
> it to? I prefer that this sort of mail be sent to support@shorewall.net.

Sorry -- I DID receive your email and will look at the dump now.

-Tom

Tom Eastep wrote:
> Tom Eastep wrote:
>> Adrian Chapela wrote:
>>
>>> Have you received my mail? I sent it to the mailing list and it was
>>> rejected. And for you? Was the size OK?
>>
>> I've received no mail directly from you. What email address did you
>> send it to? I prefer that this sort of mail be sent to
>> support@shorewall.net.
>
> Sorry -- I DID receive your email and will look at the dump now.

Excuse me!! I think I resolved my problem. I am doing masquerading from my client LANs to the ISP LAN. Now, I create a new mark to send packets for the correct ISP including this masquerade LAN.

CLIENT LAN 192.168.19.0 ---> MASQUERADE TO -->> 192.168.21.220 -->> RULE to send packets by this ISP, could be ??
ISP1 LAN 192.168.21.
ISP2 LAN 192.168.20.

Now, I have another problem restarting Shorewall:

    [...]
    Restarting...
    Restarting Shorewall....
    Initializing...
    Clearing Traffic Control/QOS
    Deleting user chains...
    Enabling Loopback and DNS Lookups
    Setting up dynamic rules...
    Creating Interface Chains...
    Adding Providers...
    RTNETLINK answers: File exists
    ERROR: Command "ip route replace default scope global nexthop via 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev auna weight 1" Failed
    Restoring Shorewall...
    RTNETLINK answers: File exists
    ERROR: Command "ip route replace default scope global nexthop via 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev auna weight 1" Failed
    /var/lib/shorewall/.restart: line 76: 25214 Terminado $RESTOREPATH restore
    /sbin/shorewall: line 955: 24950 Terminado ${VARDIR}/.$command $command

I need to delete this rule, and then restart Shorewall.

    ip route del default scope global nexthop via 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev auna weight 1

> -Tom

Adrian Chapela wrote:
> I send you this mail directly because the email list rejects my mail.
>
> Tom Eastep wrote:
>> Adrian Chapela wrote:
>>>
>>> For example, 192.168.19.5 must be going by the auna ISP, but I am seeing
>>> packets on mundor. Why?
>>
>> If you don't send the information we ask for, you are just wasting
>> your time and ours.
>
> Excuse me, I will send you attach of shorewall dump.
> The problem is:
> All is working but I can't define marks to do tcrules well. All of my
> traffic is going out by one ISP.

From the dump:

    Chain tcpre (3 references)
     pkts bytes target prot opt in out source           destination
       67  3172 MARK   all  --  *  *   192.168.18.0/24  !192.168.0.0/16 MARK set 0x1
      263 20300 MARK   all  --  *  *   192.168.19.0/24  !192.168.0.0/16 MARK set 0x1
        0     0 MARK   all  --  *  *   192.168.19.5     !192.168.0.0/16 MARK set 0x2
        0     0 MARK   all  --  *  *   192.168.19.42    !192.168.0.0/16 MARK set 0x2
        0     0 MARK   all  --  *  *   192.168.19.201   !192.168.0.0/16 MARK set 0x2
        0     0 MARK   all  --  *  *   192.168.19.203   !192.168.0.0/16 MARK set 0x2
        1    60 MARK   all  --  *  *   192.168.19.205   !192.168.0.0/16 MARK set 0x2
       69  6100 MARK   all  --  *  *   192.168.19.144   !192.168.0.0/16 MARK set 0x2 <=========
        0     0 MARK   all  --  *  *   192.168.19.22    0.0.0.0/0       MARK set 0x2

So 69 connections have been marked to go out of auna.

> Another question could be, Why now I need to use balance and until
> yesterday I could use "track" option in provider?

From the dump:

    /proc

    /proc/sys/net/ipv4/conf/auna/proxy_arp = 0
    /proc/sys/net/ipv4/conf/auna/arp_filter = 0
    /proc/sys/net/ipv4/conf/auna/arp_ignore = 0
    /proc/sys/net/ipv4/conf/auna/rp_filter = 1     <====
    /proc/sys/net/ipv4/conf/auna/log_martians = 0  <====

This explains why the 'auna' provider was not working without 'balance'. Packets arriving from that provider were being silently dropped as 'Martians'. I suspect that the rp_filter = 1 setting occurred yesterday which is why it suddenly stopped working. Do you have 'route_filter' specified on the auna interface in /etc/shorewall/interfaces?

Hint: You should NEVER set the 'route_filter' option without the 'log_martians' option (in Shorewall 4.2, log_martians will be on by default).

And there _IS_ (or has been) traffic going through auna:

    4: mundor: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0a:5e:64:66:e6 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        41870838   227929   0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        64122751   140429   0       0       0       0
    5: auna: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0a:5e:64:67:3a brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        1001062    8507     0       0       0       0       <==========
        TX: bytes  packets  errors  dropped carrier collsns
        1579949    5807     0       0       0       0       <==========

These could be because of the incoming DNAT rules though as there are quite a few active connections through auna.

Sorry that I don't have any more time to look at this now as I am already late for work.

-Tom
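
The rp_filter = 1 / log_martians = 0 combination pointed out in the dump above can be checked on every interface at once. The script below is an added example, not part of the original thread or of Shorewall; its sample tree is constructed (the auna values are the ones in the dump, the "all" and mundor values are assumptions), and the way it combines the "all" and per-interface settings follows the current kernel ip-sysctl documentation.

```shell
#!/bin/sh
# Added example (not from the thread): report, per interface, whether
# reverse-path filtering can drop packets without logging them.

# read_flag FILE: print the integer stored in FILE, or 0 if it is unreadable.
read_flag() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo 0
    fi
}

# make_sample_tree: build a constructed stand-in for /proc/sys/net/ipv4/conf
# and print its path. The auna values are those shown in the dump; the "all"
# and mundor values are assumptions made for the demonstration.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/all" "$root/auna" "$root/mundor"
    echo 0 > "$root/all/rp_filter"
    echo 0 > "$root/all/log_martians"
    echo 1 > "$root/auna/rp_filter"
    echo 0 > "$root/auna/log_martians"
    echo 0 > "$root/mundor/rp_filter"
    echo 0 > "$root/mundor/log_martians"
    echo "$root"
}

# audit_rp_filter [CONF_DIR]
# Prints one line per interface:
#   <iface> rp_filter=<n> log_martians=<n> <off|logged|SILENT-DROP>
# With no argument it reads the live tree under /proc.
audit_rp_filter() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    all_rp=$(read_flag "$conf_dir/all/rp_filter")
    all_lm=$(read_flag "$conf_dir/all/log_martians")
    for dir in "$conf_dir"/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        case $iface in
            all|default) continue ;;
        esac
        rp=$(read_flag "$dir/rp_filter")
        lm=$(read_flag "$dir/log_martians")
        # Effective rp_filter is the larger of the "all" and interface values.
        if [ "$all_rp" -gt "$rp" ]; then
            rp=$all_rp
        fi
        # Martian logging is on if either "all" or the interface enables it.
        if [ "$all_lm" -ne 0 ] || [ "$lm" -ne 0 ]; then
            lm=1
        fi
        if [ "$rp" -eq 0 ]; then
            verdict=off
        elif [ "$lm" -eq 0 ]; then
            # Filtering active, nothing logged: drops leave no trace.
            verdict=SILENT-DROP
        else
            verdict=logged
        fi
        printf '%s rp_filter=%s log_martians=%s %s\n' \
            "$iface" "$rp" "$lm" "$verdict"
    done
    return 0
}

# Demonstration on the constructed tree.
sample=$(make_sample_tree)
audit_rp_filter "$sample"
rm -rf "$sample"
```

On a multi-ISP firewall, any interface reported as SILENT-DROP is a candidate for the symptom in this thread: replies arrive on the provider interface and vanish without a log entry.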

Adrian Chapela wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Adrian Chapela wrote:
>>>
>>>> Have you received my mail? I sent it to the mailing list and it was
>>>> rejected. And for you? Was the size OK?
>>> I've received no mail directly from you. What email address did you
>>> send it to? I prefer that this sort of mail be sent to
>>> support@shorewall.net.
>> Sorry -- I DID receive your email and will look at the dump now.
>
> Excuse me!! I think I resolved my problem. I am doing masquerading from
> my client LANs to the ISP LAN. Now, I create a new mark to send packets
> for the correct ISP including this masquerade LAN.
>
> CLIENT LAN 192.168.19.0 ---> MASQUERADE TO -->> 192.168.21.220 -->> RULE
> to send packets by this ISP, could be ??
> ISP1 LAN 192.168.21.
> ISP2 LAN 192.168.20.
>
> Now, I have another problem restarting Shorewall:
> [...]
> Restarting...
> Restarting Shorewall....
> Initializing...
> Clearing Traffic Control/QOS
> Deleting user chains...
> Enabling Loopback and DNS Lookups
> Setting up dynamic rules...
> Creating Interface Chains...
> Adding Providers...
> RTNETLINK answers: File exists
> ERROR: Command "ip route replace default scope global nexthop via
> 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev auna
> weight 1" Failed
> Restoring Shorewall...
> RTNETLINK answers: File exists
> ERROR: Command "ip route replace default scope global nexthop via
> 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev auna
> weight 1" Failed
> /var/lib/shorewall/.restart: line 76: 25214 Terminado
>

You have a broken version of the 'ip' utility -- which Debian repository do you use and is your system up to date?

What is the output of "ip -V"?

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Adrian Chapela wrote:
>>>>
>>>>> Have you received my mail? I sent it to the mailing list and it was
>>>>> rejected. And for you? Was the size OK?
>>>> I've received no mail directly from you. What email address did you
>>>> send it to? I prefer that this sort of mail be sent to
>>>> support@shorewall.net.
>>> Sorry -- I DID receive your email and will look at the dump now.
>>
>> Excuse me!! I think I resolved my problem. I am doing masquerading
>> from my client LANs to the ISP LAN. Now, I create a new mark to send
>> packets for the correct ISP including this masquerade LAN.
>>
>> CLIENT LAN 192.168.19.0 ---> MASQUERADE TO -->> 192.168.21.220 -->>
>> RULE to send packets by this ISP, could be ??
>> ISP1 LAN 192.168.21.
>> ISP2 LAN 192.168.20.
>>
>> Now, I have another problem restarting Shorewall:
>> [...]
>> Restarting...
>> Restarting Shorewall....
>> Initializing...
>> Clearing Traffic Control/QOS
>> Deleting user chains...
>> Enabling Loopback and DNS Lookups
>> Setting up dynamic rules...
>> Creating Interface Chains...
>> Adding Providers...
>> RTNETLINK answers: File exists
>> ERROR: Command "ip route replace default scope global nexthop via
>> 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev
>> auna weight 1" Failed
>> Restoring Shorewall...
>> RTNETLINK answers: File exists
>> ERROR: Command "ip route replace default scope global nexthop via
>> 192.168.20.254 dev mundor weight 1 nexthop via 192.168.21.254 dev
>> auna weight 1" Failed
>> /var/lib/shorewall/.restart: line 76: 25214 Terminado
>
> You have a broken version of the 'ip' utility -- which Debian
> repository do you use and is your system up to date?
>
> What is the output of "ip -V"?

This is the output (I updated it today, and I have the same problem):

    ip utility, iproute2-ss080108

I configured Shorewall again with ROUTE_FILTER=No and now the config of providers is OK again with the track option, and with this option ip route doesn't output an error.

Thank you!

> -Tom

Adrian Chapela wrote:
>
> I configured Shorewall again with ROUTE_FILTER=No and now the config of
> providers is OK again with the track option, and with this option ip route
> doesn't output an error.
>

Interesting. Unfortunately, I'm unable to reproduce that behavior here; the setting of the ROUTE_FILTER option has no effect on my ability to restart my Multi-ISP configuration.

OTOH, I'm running 4.1.8 -- I'll install 4.0.10 when I have a chance and see if I can reproduce it there.

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>
>>
>> I configured Shorewall again with ROUTE_FILTER=No and now the config
>> of providers is OK again with the track option, and with this option ip
>> route doesn't output an error.
>>
>
> Interesting. Unfortunately, I'm unable to reproduce that behavior
> here; the setting of the ROUTE_FILTER option has no effect on my
> ability to restart my Multi-ISP configuration.
>
> OTOH, I'm running 4.1.8 -- I'll install 4.0.10 when I have a chance
> and see if I can reproduce it there.

Ok! Good support!! Thank you again!

> -Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>
>>
>> I configured Shorewall again with ROUTE_FILTER=No and now the config
>> of providers is OK again with the track option, and with this option ip
>> route doesn't output an error.
>>
>
> Interesting. Unfortunately, I'm unable to reproduce that behavior here;
> the setting of the ROUTE_FILTER option has no effect on my ability to
> restart my Multi-ISP configuration.
>
> OTOH, I'm running 4.1.8 -- I'll install 4.0.10 when I have a chance and
> see if I can reproduce it there.

I'm also unable to reproduce the problem under 4.0.10 :-(

-Tom

Tom Eastep wrote:
> Tom Eastep wrote:
>> Adrian Chapela wrote:
>>
>>>
>>> I configured Shorewall again with ROUTE_FILTER=No and now the config
>>> of providers is OK again with the track option, and with this option ip
>>> route doesn't output an error.
>>>
>>
>> Interesting. Unfortunately, I'm unable to reproduce that behavior
>> here; the setting of the ROUTE_FILTER option has no effect on my
>> ability to restart my Multi-ISP configuration.
>>
>> OTOH, I'm running 4.1.8 -- I'll install 4.0.10 when I have a chance
>> and see if I can reproduce it there.
>
> I'm also unable to reproduce the problem under 4.0.10 :-(

What problem, Shorewall restart? Or traffic problem? Can you post your config?

> -Tom

Adrian Chapela wrote:
>> I'm also unable to reproduce the problem under 4.0.10 :-(
> What problem, Shorewall restart? Or traffic problem? Can you post
> your config?

If, by traffic problem, you mean the problem that you solved by adding the correct masq rules then of course I can reproduce that problem (if you configure it incorrectly, it doesn't work).

But I cannot reproduce the failure with 'ip route replace'.

My config is at http://www1.shorewall.net/pub/shorewall/contrib/MultiISPExample/

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>
>>> I'm also unable to reproduce the problem under 4.0.10 :-(
>> What problem, Shorewall restart? Or traffic problem? Can you post
>> your config?
>
> If, by traffic problem, you mean the problem that you solved by adding
> the correct masq rules then of course I can reproduce that problem (if
> you configure it incorrectly, it doesn't work).

OK!

> But I cannot reproduce the failure with 'ip route replace'.

OK, what packages do I need to update? I updated iproute2 today; what is your version?

> My config is at
> http://www1.shorewall.net/pub/shorewall/contrib/MultiISPExample/

If I try to access the files in shorewall, I can't read them. The problem is "Forbidden", maybe wrong read rights?

> -Tom

Adrian Chapela wrote:
> If I try to access the files in shorewall, I can't read them. The
> problem is "Forbidden", maybe wrong read rights?

Should be ok now.

-Tom

Adrian Chapela wrote:
> Tom Eastep wrote:
>
>> But I cannot reproduce the failure with 'ip route replace'.
> OK, what packages do I need to update? I updated iproute2 today; what is
> your version?

    ursa:/home/teastep/shorewallBuild/4.2 # ip -V
    ip utility, iproute2-ss070710
    ursa:/home/teastep/shorewallBuild/4.2 # uname -a
    Linux ursa 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC x86_64 x86_64 x86_64 GNU/Linux
    ursa:/home/teastep/shorewallBuild/4.2 #

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>
>> If I try to access the files in shorewall, I can't read them. The
>> problem is "Forbidden", maybe wrong read rights?
>
> Should be ok now.

I read shorewall.conf and I see "ROUTE_FILTER=", and then in tcrules I see two providers but the two have the same package mark. Is this normal? I think the config is not valid to test my problem.

> -Tom

Adrian Chapela wrote:
> Tom Eastep wrote:
>> Adrian Chapela wrote:
>>
>>> If I try to access the files in shorewall, I can't read them. The
>>> problem is "Forbidden", maybe wrong read rights?
>> Should be ok now.
> I read shorewall.conf and I see "ROUTE_FILTER=", and then in tcrules I
> see two providers but the two have the same package mark. Is this normal?
> I think the config is not valid to test my problem.

I assure you that the contents of tcrules has absolutely nothing to do with your 'restart' problem. The tcrules file generates input to iptables-restore; you are seeing a failure in the 'ip route replace' command. And as I've said more than once now, 'restart' works fine regardless of how I set ROUTE_FILTER.

I did go back and check which Compiler you are using though and find that you are using Shorewall-shell. So I installed Shorewall-common-4.0.10 and Shorewall-shell-4.0.10 and I still cannot get it to fail with ROUTE_FILTER=Yes.

-Tom

Tom Eastep wrote:
> Adrian Chapela wrote:
>> Tom Eastep wrote:
>>> Adrian Chapela wrote:
>>>
>>>> If I try to access the files in shorewall, I can't read them. The
>>>> problem is "Forbidden", maybe wrong read rights?
>>> Should be ok now.
>> I read shorewall.conf and I see "ROUTE_FILTER=", and then in tcrules I
>> see two providers but the two have the same package mark. Is this normal?
>> I think the config is not valid to test my problem.
>
> I assure you that the contents of tcrules has absolutely nothing to do
> with your 'restart' problem. The tcrules file generates input to
> iptables-restore; you are seeing a failure in the 'ip route replace'
> command. And as I've said more than once now, 'restart' works fine
> regardless of how I set ROUTE_FILTER.

Yes, I know, but I want to tell you with which configuration I have the problem. If I use tcrules with the track option, I don't have problems with iproute, because Shorewall doesn't execute 'ip route replace'.

> I did go back and check which Compiler you are using though and find
> that you are using Shorewall-shell. So I installed
> Shorewall-common-4.0.10 and Shorewall-shell-4.0.10 and I still cannot
> get it to fail with ROUTE_FILTER=Yes.
>
> -Tom