I'm using shorewall-perl 4.0.15 on Ubuntu 8.04. The tcrules man page says I can use "A comma-separated list of interface names, IP addresses, MAC addresses and/or subnets" in the SOURCE column. This seems to work fine for everything except interfaces, which generate an error if I use more than one:

/etc/shorewall/tcrules:
...
CONTINUE        $FW,eth0,vlan2          192.168.10.0/24,10.99.1.0/24

#shorewall check
....
Checking /etc/shorewall/tcrules...
ERROR: Unknown Interface (fw,eth0,vlan2) : /etc/shorewall/tcrules (line 34)

Is this just a limitation of shorewall? I tried leaving it blank and allowing it to happen for all interfaces but that didn't seem to include $FW, so I need at least 2 rules. Is there a way I can specify a variable for the DEST column to make the repeated rules easier to maintain?

Brad C

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
Brad Clarke wrote:
> I'm using shorewall-perl 4.0.15 on Ubuntu 8.04. The tcrules man page
> says I can use "A comma-separated list of interface names, IP
> addresses, MAC addresses and/or subnets" in the SOURCE column. This
> seems to work fine for everything except interfaces, which generate an
> error if I use more than one:
>
> /etc/shorewall/tcrules:
> ...
> CONTINUE        $FW,eth0,vlan2          192.168.10.0/24,10.99.1.0/24
>
> #shorewall check
> ....
> Checking /etc/shorewall/tcrules...
> ERROR: Unknown Interface (fw,eth0,vlan2) : /etc/shorewall/tcrules (line 34)
>
> Is this just a limitation of shorewall?

Yes -- While the text implies that there may be more than one interface, the syntax diagram obviously does not.

> I tried leaving it blank and allowing it to happen for all interfaces
> but that didn't seem to include $FW, so I need at least 2 rules. Is
> there a way I can specify a variable for the DEST column to make the
> repeated rules easier to maintain?

No.
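To make the limitation confirmed above concrete, and to take the tedium out of the repeated rules it forces, here is an added Python snippet (not Shorewall's own code): it classifies the elements of a tcrules SOURCE list the way the man page describes them, flags a list that combines an interface or $FW with anything else, and expands such a rule line into the one-interface-per-line form that shorewall-perl 4.0 accepts. Column layout, the MAC notation (~xx-xx-...) and the rule line are taken from the thread; IP ranges and negated entries are not handled.

```python
import ipaddress
import re

# Shorewall writes MAC addresses as ~00-A0-C9-14-C8-29
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")


def classify(token):
    """Classify one element of a SOURCE list: fw, mac, address or interface.
    Anything that is neither $FW, a MAC nor an IP address/subnet is
    treated as an interface name (the same fallback produced 'fw' in the
    error message quoted in the thread)."""
    if token == "$FW":
        return "fw"
    if MAC_RE.match(token):
        return "mac"
    try:
        ipaddress.ip_network(token, strict=False)
        return "address"
    except ValueError:
        return "interface"


def source_is_acceptable(source):
    """Mirror the limitation from the thread: addresses, subnets and MACs
    may be mixed freely, but an interface name (or $FW) must stand alone."""
    tokens = source.split(",")
    kinds = [classify(t) for t in tokens]
    return not (len(tokens) > 1 and any(k in ("fw", "interface") for k in kinds))


def expand_rule(line):
    """Split a tcrules line whose SOURCE column mixes interfaces and
    addresses into accepted lines: one per interface/$FW, plus one line
    carrying all address-type entries together. Remaining columns are
    copied unchanged."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected at least MARK and SOURCE columns")
    mark, source, rest = fields[0], fields[1], fields[2:]
    tokens = source.split(",")
    singles = [t for t in tokens if classify(t) in ("fw", "interface")]
    addrs = [t for t in tokens if classify(t) not in ("fw", "interface")]
    sources = singles + ([",".join(addrs)] if addrs else [])
    return ["\t".join([mark, s] + rest) for s in sources]


if __name__ == "__main__":
    # The rule from the thread that shorewall check rejected
    rule = "CONTINUE $FW,eth0,vlan2 192.168.10.0/24,10.99.1.0/24"
    print("accepted as written:", source_is_acceptable(rule.split()[1]))
    print("\n".join(expand_rule(rule)))
```

Run the file directly to see the original line rejected and the three replacement lines printed; `expand_rule` takes any tcrules line, so it can be applied to a whole template file in a loop.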
Shorewall Guy wrote:
> Brad Clarke wrote:
>
>> I tried leaving it blank and allowing it to happen for all interfaces
>> but that didn't seem to include $FW, so I need at least 2 rules. Is
>> there a way I can specify a variable for the DEST column to make the
>> repeated rules easier to maintain?
>
> No.

And we probably won't develop one. Any router with Shorewall installed should generate almost no internet traffic (SSH and package manager update pulls). If the router is also running a web proxy then it will have outgoing web requests but then the local systems will not. And any server with Shorewall installed has $FW in all of its rules. So the number of rules such a feature would save seems minimal.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Shorewall Guy wrote:
> Brad Clarke wrote:
>
>> I tried leaving it blank and allowing it to happen for all interfaces
>> but that didn't seem to include $FW, so I need at least 2 rules. Is
>> there a way I can specify a variable for the DEST column to make the
>> repeated rules easier to maintain?
>
> No.

After a night's sleep, I realize that there *is* a way to have a single rule for both passthrough and router-generated traffic: place the rule in the POSTROUTING chain (Use the ':T' chain designator).
Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Brad Clarke wrote:
>>
>>> I tried leaving it blank and allowing it to happen for all interfaces
>>> but that didn't seem to include $FW, so I need at least 2 rules. Is
>>> there a way I can specify a variable for the DEST column to make the
>>> repeated rules easier to maintain?
>> No.
>
> After a night's sleep, I realize that there *is* a way to have a single
> rule for both passthrough and router-generated traffic: place the rule
> in the POSTROUTING chain (Use the ':T' chain designator).

True -- another way is to use 'classify' rules which are always inserted into the POSTROUTING chain.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________