Hello List!

Sorry, I sent the email prematurely. This email outlines the problem I was having. This may be one of those, you're doing it wrong, and there is a far easier way to do it than the way you are doing it. Please let me know.

Problem
- Seems like rules to the firewall work fine. However, the DNAT rule will not work over its dead body. When I had the 3 NIC setup, that DNAT rule worked fine.
- Also, I can't use the shorewall show status commands because /var/log/shorewall.log is empty.

Overview
- Cable Provider provides 2x IPs
- IPs are given out via DHCP. Static costs $$ (double/triple the monthly cost).
- Bandwidth is 7Mb down/2Mb up, but shared between two ips.

Goal
- Use both IPs and do traffic shaping on both of them. IP1 gives access to router. IP2 gives access to other machines on LAN using DNAT.
- My goal is that I could have usenet or bt going full throttle, but immediately slows down once someone makes a voip phone call or starts browsing the internet.
- If I didn't need to do the traffic shaping, using 3 NICs with the multi-isp shorewall setup would work fine.

Rationale and other strategies
- Tried using 3 NICs, 2 on the internet getting IPs via DHCP, and 1 for the lan. Couldn't do traffic shaping well, since the bandwidth is shared between the two ips. If each IP got dedicated bandwidth it'd be fantastic, but I couldn't figure out what to do to keep latency down; tried halving the bandwidth on each interface, but to no avail. Perhaps go back to this setup, but use IFB's to shape the download bandwidth? Ultimately, the only reason this seems to be a difficult problem is because I need to try to get traffic shaping shared between two ips.

Current Physical Setup
=========================
- Two NICs: eth0-LAN, eth1-INTERNET
- Using bridge br0 interface to bridge eth1 & tap0
- Using program called Multimac to create tap1 & tap2 interfaces with unique MAC addresses that request ips via DHCP.
Multimac works by copying all traffic on tap0 to tap1 & tap2. Call it another bridge. I tried to not use multimac and create tap interfaces, add them to the bridge and assign unique MACs and IPs, but couldn't get it to work, so I just ended up using the multimac application.

Current Setup
=========================
- Version: Shorewall-perl 4.0.15 on Debian lenny

zones
=========================
fw         firewall
loc        ipv4
ptd1       ipv4
ptd2       ipv4
world      ipv4
wan:world  bport4
dmz:world  bport4

Interfaces
==========================
world  br0       -       bridge,dhcp
wan    br0:eth1  -
dmz    br0:tap0  -
ptd1   tap1      detect  dhcp,routeback,upnp
ptd2   tap2      detect  dhcp,routeback,upnp
loc    eth0      detect  dhcp,routeback

Policy
=========================
wan   dmz   ACCEPT
dmz   wan   ACCEPT
# Firewall Policy
loc   ptd1  ACCEPT
loc   ptd2  ACCEPT
loc   $FW   ACCEPT
loc   all   REJECT  info
$FW   ptd1  ACCEPT
$FW   ptd2  ACCEPT
$FW   loc   ACCEPT
$FW   all   REJECT  info
ptd1  $FW   DROP    info
ptd1  loc   DROP    info
ptd1  all   DROP    info
ptd2  $FW   DROP    info
ptd2  loc   DROP    info
ptd2  all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all   all   REJECT  info

Masq
==========================
tap1  192.168.1.0/24  24.102.132.193
tap1  24.102.139.228  24.102.132.193
tap2  192.168.1.0/24  24.102.139.228
tap2  24.102.132.193  24.102.139.228

providers
==========================
ptd1  1  1  main  tap1  detect  track,balance,optional  eth0
ptd2  2  2  main  tap2  detect  track,balance,optional  eth0

route_rules
==========================
192.168.1.2     -  ptd2  1000
192.168.1.0/24  -  ptd1  1000

tcclasses
==========================
tap0  1  25*full/100  full        1  tos=0x68/0xfc,tos=0xb8/0xfc
tap0  2  15*full/100  full        2
tap0  3  20*full/100  full        3  tos-minimize-delay
tap0  4  30*full/100  full        4
tap0  5  10*full/100  75*full/10  5  default

tcdevices
==========================
tap0  1550kbit  5600kbit

tcrules
==========================
1:T  0.0.0.0/0    0.0.0.0/0    icmp  echo-request
1:T  0.0.0.0/0    0.0.0.0/0    icmp  echo-reply
1:T  192.168.1.5  0.0.0.0/0
1:T  0.0.0.0/0    192.168.1.5
2:T  0.0.0.0/0    0.0.0.0/0    udp   53
2:T  0.0.0.0/0    0.0.0.0/0    tcp   53
3:T  0.0.0.0/0    0.0.0.0/0    tcp   22
3:T  0.0.0.0/0    0.0.0.0/0    tcp   5900
4:T  0.0.0.0/0    0.0.0.0/0    tcp   80,443,8080,8088
# Bittorrent/Usenet
5:T  0.0.0.0/0    0.0.0.0/0    tcp   6974
5:T  0.0.0.0/0    0.0.0.0/0    udp   6974
5:T  0.0.0.0/0    192.168.1.2
5:T  192.168.1.2  0.0.0.0/0

ip addr show
==========================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:30:65:7b:b2:c4 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:01:02:a6:54:0b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:2ff:fea6:540b/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:10:4b:c5:99:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::210:4bff:fec5:99de/64 scope link
       valid_lft forever preferred_lft forever
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 500
    link/ether 00:ff:6f:ae:70:0f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:6fff:feae:700f/64 scope link
       valid_lft forever preferred_lft forever
6: tap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 00:1e:2a:47:bf:0d brd ff:ff:ff:ff:ff:ff
    inet 24.102.132.193/24 brd 255.255.255.255 scope global tap1
7: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 00:10:4b:c5:99:dd brd ff:ff:ff:ff:ff:ff
    inet 24.102.139.228/24 brd 255.255.255.255 scope global tap2
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:01:02:a6:54:0b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:2ff:fea6:540b/64 scope link
       valid_lft forever preferred_lft forever

ip route show
==========================
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
24.102.139.0/24 dev tap2 proto kernel scope link src 24.102.139.228
24.102.132.0/24 dev tap1 proto kernel scope link src 24.102.132.193
default
        nexthop via 24.102.132.1 dev tap1 weight 1
        nexthop via 24.102.139.1 dev tap2 weight 1
default via 24.102.132.1 dev tap1

rules
=========================
Ping/ACCEPT  ptd1                         $FW
SSH/ACCEPT   ptd1:$NRDC,$NCXOFFICE,$ALAN  $FW
HTTP/ACCEPT  ptd1:$NRDC,$NCXOFFICE,$ALAN  $FW
DNAT         ptd2                         loc:192.168.1.2:80  tcp  80  -  $PTD2

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
Donald wrote:
> This may be one of those, you're doing it wrong, and there is a far
> easier way to do it than the way you are doing it. Please let me know.
>
> Problem
> - Seems like rules to the firewall work fine. However, the DNAT rule
> will not work over its dead body. When I had the 3 NIC setup, that DNAT
> rule worked fine.

Please refer to http://www.shorewall.net/support.htm#Guidelines for the information we need to solve this type of problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
My apologies,

I should have clarified. Shorewall starts w/out any issue. When doing a shorewall dump, I get the error message: /var/log/shorewall.log does not exist.

Shorewall Verbose start
===========================
dumbledore:~# shorewall -vv check
Checking...
Processing /etc/shorewall/params ...
Loading Modules...
Shorewall has detected the following capabilities:
   Address Type Match: Available
   CLASSIFY Target: Available
   CONNMARK Target: Available
   Capability Version: 4.0.15
   Comments: Available
   Connection Tracking Match: Available
   Connmark Match: Available
   Extended CONNMARK Target: Available
   Extended Connmark Match: Available
   Extended Mark Target: Available
   Extended Multi-port Match: Available
   Extended Reject: Available
   Hashlimit Match: Available
   IP Range Match: Available
   IPP2P Match: Not Available
   Ipset Match: Not Available
   MARK Target: Available
   Mangle FORWARD Chain: Available
   Multi-port Match: Available
   NAT: Available
   NFQUEUE Target: Available
   New Connection Tracking Match syntax: Available
   Owner Match: Available
   Packet Mangling: Available
   Packet Type Match: Available
   Packet length Match: Available
   Physdev Match: Available
   Physdev-is-bridged support: Available
   Policy Match: Available
   Raw Table: Available
   Recent Match: Available
   Repeat match: Available
   TCPMSS Match: Available
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
   Interface "world br0 - bridge,dhcp" Validated
   Interface "wan br0:eth1 - " Validated
   Interface "dmz br0:tap0 - " Validated
   Interface "ptd1 tap1 detect dhcp,routeback,upnp" Validated
   Interface "ptd2 tap2 detect dhcp,routeback,upnp" Validated
   Interface "loc eth0 detect dhcp,routeback" Validated
Determining Hosts in Zones...
   fw (firewall)
   loc (ipv4)
      eth0:0.0.0.0/0
   ptd1 (ipv4)
      tap1:0.0.0.0/0
   ptd2 (ipv4)
      tap2:0.0.0.0/0
   wan (bport4)
      eth1:0.0.0.0/0
   dmz (bport4)
      tap0:0.0.0.0/0
   world (ipv4)
      br0:0.0.0.0/0
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
      ..Expanding Macro /usr/share/shorewall/macro.Auth...
      ..End Macro /usr/share/shorewall/macro.Auth
      ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
      ..End Macro /usr/share/shorewall/macro.AllowICMPs
      ..Expanding Macro /usr/share/shorewall/macro.SMB...
      ..End Macro /usr/share/shorewall/macro.SMB
      ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
      ..End Macro /usr/share/shorewall/macro.DropUPnP
      ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
      ..End Macro /usr/share/shorewall/macro.DropDNSrep
   Pre-processing /usr/share/shorewall/action.Reject...
      ..Expanding Macro /usr/share/shorewall/macro.Auth...
      ..End Macro /usr/share/shorewall/macro.Auth
      ..Expanding Macro /usr/share/shorewall/macro.SMB...
      ..End Macro /usr/share/shorewall/macro.SMB
Checking /etc/shorewall/policy...
   Policy for wan to dmz is ACCEPT using chain wan2dmz
   Policy for dmz to wan is ACCEPT using chain dmz2wan
   Policy for loc to ptd1 is ACCEPT using chain loc2ptd1
   Policy for loc to ptd2 is ACCEPT using chain loc2ptd2
   Policy for loc to fw is ACCEPT using chain loc2fw
   Policy for loc to fw is REJECT using chain loc2all
   Policy for loc to ptd1 is REJECT using chain loc2all
   Policy for loc to ptd2 is REJECT using chain loc2all
   Policy for loc to wan is REJECT using chain loc2all
   Policy for loc to dmz is REJECT using chain loc2all
   Policy for loc to world is REJECT using chain loc2all
   Policy for fw to ptd1 is ACCEPT using chain fw2ptd1
   Policy for fw to ptd2 is ACCEPT using chain fw2ptd2
   Policy for fw to loc is ACCEPT using chain fw2loc
   Policy for fw to loc is REJECT using chain fw2all
   Policy for fw to ptd1 is REJECT using chain fw2all
   Policy for fw to ptd2 is REJECT using chain fw2all
   Policy for fw to wan is REJECT using chain fw2all
   Policy for fw to dmz is REJECT using chain fw2all
   Policy for fw to world is REJECT using chain fw2all
   Policy for ptd1 to fw is DROP using chain ptd12fw
   Policy for ptd1 to loc is DROP using chain ptd12loc
   Policy for ptd1 to fw is DROP using chain ptd12all
   Policy for ptd1 to loc is DROP using chain ptd12all
   Policy for ptd1 to ptd2 is DROP using chain ptd12all
   Policy for ptd1 to wan is DROP using chain ptd12all
   Policy for ptd1 to dmz is DROP using chain ptd12all
   Policy for ptd1 to world is DROP using chain ptd12all
   Policy for ptd2 to fw is DROP using chain ptd22fw
   Policy for ptd2 to loc is DROP using chain ptd22loc
   Policy for ptd2 to fw is DROP using chain ptd22all
   Policy for ptd2 to loc is DROP using chain ptd22all
   Policy for ptd2 to ptd1 is DROP using chain ptd22all
   Policy for ptd2 to wan is DROP using chain ptd22all
   Policy for ptd2 to dmz is DROP using chain ptd22all
   Policy for ptd2 to world is DROP using chain ptd22all
   Policy for fw to loc is REJECT using chain all2all
   Policy for fw to ptd1 is REJECT using chain all2all
   Policy for fw to ptd2 is REJECT using chain all2all
   Policy for fw to wan is REJECT using chain all2all
   Policy for fw to dmz is REJECT using chain all2all
   Policy for fw to world is REJECT using chain all2all
   Policy for loc to fw is REJECT using chain all2all
   Policy for loc to ptd1 is REJECT using chain all2all
   Policy for loc to ptd2 is REJECT using chain all2all
   Policy for loc to wan is REJECT using chain all2all
   Policy for loc to dmz is REJECT using chain all2all
   Policy for loc to world is REJECT using chain all2all
   Policy for ptd1 to fw is REJECT using chain all2all
   Policy for ptd1 to loc is REJECT using chain all2all
   Policy for ptd1 to ptd2 is REJECT using chain all2all
   Policy for ptd1 to wan is REJECT using chain all2all
   Policy for ptd1 to dmz is REJECT using chain all2all
   Policy for ptd1 to world is REJECT using chain all2all
   Policy for ptd2 to fw is REJECT using chain all2all
   Policy for ptd2 to loc is REJECT using chain all2all
   Policy for ptd2 to ptd1 is REJECT using chain all2all
   Policy for ptd2 to wan is REJECT using chain all2all
   Policy for ptd2 to dmz is REJECT using chain all2all
   Policy for ptd2 to world is REJECT using chain all2all
   Policy for wan to fw is REJECT using chain all2all
   Policy for wan to loc is REJECT using chain all2all
   Policy for wan to ptd1 is REJECT using chain all2all
   Policy for wan to ptd2 is REJECT using chain all2all
   Policy for wan to dmz is REJECT using chain all2all
   Policy for wan to world is REJECT using chain all2all
   Policy for dmz to fw is REJECT using chain all2all
   Policy for dmz to loc is REJECT using chain all2all
   Policy for dmz to ptd1 is REJECT using chain all2all
   Policy for dmz to ptd2 is REJECT using chain all2all
   Policy for dmz to wan is REJECT using chain all2all
   Policy for dmz to world is REJECT using chain all2all
   Policy for world to fw is REJECT using chain all2all
   Policy for world to loc is REJECT using chain all2all
   Policy for world to ptd1 is REJECT using chain all2all
   Policy for world to ptd2 is REJECT using chain all2all
   Policy for world to wan is REJECT using chain all2all
   Policy for world to dmz is REJECT using chain all2all
Checking /etc/shorewall/routestopped for critical hosts...
Checking /etc/shorewall/routestopped...
Adding rules for DHCP
$doing UPnP
Checking Kernel Route Filtering...
Checking /etc/shorewall/providers ...
   Provider "ptd1 1 1 main tap1 detect track,balance,optional eth0" Checked
   Provider "ptd2 2 2 main tap2 detect track,balance,optional eth0" Checked
Checking /etc/shorewall/route_rules...
   Routing rule "192.168.1.2 - ptd2 1000" Checked
   Routing rule "192.168.1.0/24 - ptd1 1000" Checked
Checking /etc/shorewall/masq...
   Masq record "tap1 192.168.1.0/24 24.102.132.193" Checked
   Masq record "tap1 24.102.139.228 24.102.132.193" Checked
   Masq record "tap2 192.168.1.0/24 24.102.139.228" Checked
   Masq record "tap2 24.102.132.193 24.102.139.228" Checked
Checking MAC Filtration -- Phase 1...
Checking MAC Verification for -- Phase 1...
Checking /etc/shorewall/rules...
   ..Expanding Macro /usr/share/shorewall/macro.Ping...
      Rule "PARAM - - icmp 8" Checked
   ..End Macro /usr/share/shorewall/macro.Ping
   Rule "Ping/ACCEPT ptd1 fw" Checked
   ..Expanding Macro /usr/share/shorewall/macro.SSH...
      Rule "PARAM - - tcp 22" Checked
   ..End Macro /usr/share/shorewall/macro.SSH
   Rule "SSH/ACCEPT ptd1:216.107.0.0/24,216.164.165.144/28,76.79.33.246 fw" Checked
   ..Expanding Macro /usr/share/shorewall/macro.HTTP...
      Rule "PARAM - - tcp 80" Checked
   ..End Macro /usr/share/shorewall/macro.HTTP
   Rule "HTTP/ACCEPT ptd1:216.107.0.0/24,216.164.165.144/28,76.79.33.246 fw" Checked
   Rule "ACCEPT ptd1:216.155.55.0/24 fw" Checked
   Rule "DNAT ptd2 loc:192.168.1.2:8080 tcp 80 - 24.102.139.228" Checked
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Checking ...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
Processing /usr/share/shorewall/action.Drop for chain Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
Checking MAC Filtration -- Phase 2...
Checking MAC Verification for -- Phase 2...
Applying Policies...
   Policy ACCEPT from fw to loc using chain fw2loc
   Policy ACCEPT from fw to ptd1 using chain fw2ptd1
   Policy ACCEPT from fw to ptd2 using chain fw2ptd2
   Policy REJECT from fw to world using chain fw2world
   Policy ACCEPT from loc to fw using chain loc2fw
   Policy ACCEPT from loc to ptd1 using chain loc2ptd1
   Policy ACCEPT from loc to ptd2 using chain loc2ptd2
   Policy REJECT from loc to world using chain loc2world
   Policy DROP from ptd1 to fw using chain ptd12fw
   Policy DROP from ptd1 to loc using chain ptd12loc
   Policy DROP from ptd1 to ptd2 using chain ptd12ptd2
   Policy DROP from ptd1 to world using chain ptd12world
   Policy DROP from ptd2 to fw using chain ptd22fw
   Policy DROP from ptd2 to loc using chain ptd22loc
   Policy DROP from ptd2 to ptd1 using chain ptd22ptd1
   Policy DROP from ptd2 to world using chain ptd22world
   Policy ACCEPT from wan to dmz using chain wan2dmz
   Policy ACCEPT from dmz to wan using chain dmz2wan
   Policy REJECT from world to fw using chain world2fw
   Policy REJECT from world to loc using chain world2loc
   Policy REJECT from world to ptd1 using chain world2ptd1
   Policy REJECT from world to ptd2 using chain world2ptd2
Checking /etc/shorewall/tcdevices...
   Tcdevice "tap0 1550kbit 5600kbit" Checked.
Checking /etc/shorewall/tcclasses...
   Tcclass "tap0 1 25*full/100 full 1 tos=0x68/0xfc,tos=0xb8/0xfc" Checked.
   Tcclass "tap0 2 15*full/100 full 2 " Checked.
   Tcclass "tap0 3 20*full/100 full 3 tos-minimize-delay " Checked.
   Tcclass "tap0 4 30*full/100 full 4 " Checked.
   Tcclass "tap0 5 10*full/100 75*full/10 5 default " Checked.
Checking /etc/shorewall/tcrules...
   TC Rule "1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request" Checked
   TC Rule "1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply" Checked
   TC Rule "1:T 192.168.1.5 0.0.0.0/0 " Checked
   TC Rule "1:T 0.0.0.0/0 192.168.1.5 " Checked
   TC Rule "2:T 0.0.0.0/0 0.0.0.0/0 udp 53" Checked
   TC Rule "2:T 0.0.0.0/0 0.0.0.0/0 tcp 53" Checked
   TC Rule "3:T 0.0.0.0/0 0.0.0.0/0 tcp 22" Checked
   TC Rule "3:T 0.0.0.0/0 0.0.0.0/0 tcp 5900" Checked
   TC Rule "4:T 0.0.0.0/0 0.0.0.0/0 tcp 80,443,8080,8088" Checked
   TC Rule "5:T 0.0.0.0/0 0.0.0.0/0 tcp 6974" Checked
   TC Rule "5:T 0.0.0.0/0 0.0.0.0/0 udp 6974" Checked
   TC Rule "5:T 0.0.0.0/0 192.168.1.2" Checked
   TC Rule "5:T 192.168.1.2 0.0.0.0/0" Checked

On Thu, Aug 27, 2009 at 12:40 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Donald wrote:
>
> > This may be one of those, you're doing it wrong, and there is a far
> > easier way to do it than the way you are doing it. Please let me know.
> >
> > Problem
> > - Seems like rules to the firewall work fine. However, the DNAT rule
> > will not work over its dead body. When I had the 3 NIC setup, that DNAT
> > rule worked fine.
>
> Please refer to http://www.shorewall.net/support.htm#Guidelines for the
> information we need to solve this type of problem.
>
> -Tom
Donald wrote:
> My apologies,
>
> I should have clarified. Shorewall starts w/out any issue. When doing
> a shorewall dump, I get the error message: /var/log/shorewall.log does
> not exist.
>
> Shorewall Verbose start

We don't want to see the output of Verbose start -- *we want to see the output of 'shorewall dump'* collected as described in the guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Donald wrote:
> My apologies,
>
> I should have clarified. Shorewall starts w/out any issue. When doing
> a shorewall dump, I get the error message: /var/log/shorewall.log does
> not exist.

The Guidelines mention the proper setting of LOGFILE before collecting the dump.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Donald wrote:
>> My apologies,
>>
>> I should have clarified. Shorewall starts w/out any issue. When doing
>> a shorewall dump, I get the error message: /var/log/shorewall.log does
>> not exist.
>
> The Guidelines mention the proper setting of LOGFILE before collecting
> the dump.

Since you are obviously having a bad day, let me see if I can make this clear.

Shorewall has no control over where Netfilter log messages go. If you use the default logging setup in the sample configurations (e.g., you use level 'info' everywhere), then the destination of the log messages is wherever your logging daemon sends them. This is explained in http://www.shorewall.net/shorewall_logging.html.

Given that Shorewall can't predict where the messages are written, the user must give Shorewall that information; that is the purpose of the LOGFILE setting in shorewall.conf. Again -- LOGFILE doesn't determine where messages are logged; it tells /sbin/shorewall where to find them.

Log messages are a key debugging aid for you and for us. So the 'shorewall dump' command includes them. Clearly if LOGFILE points to a non-existent file, the dump output won't contain any log messages. That's why the error message that you saw is generated.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
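As an added illustration of the distinction Tom draws (example code, not from the thread or from Shorewall itself): a POSIX shell script that reads LOGFILE from a shorewall.conf, reports whether the file it names exists (the condition behind the "does not exist" message Donald saw), and tallies Shorewall-prefixed Netfilter entries from a constructed syslog sample by chain and disposition, the way 'shorewall dump' would surface them. The shorewall.conf fragment, the log lines and the helper names (logfile_setting, logfile_check, summarize_log) are constructed for this example; the Shorewall:<chain>:<disposition>: prefix is Shorewall's default LOGFORMAT.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Netfilter writes log
# messages wherever the logging daemon sends them; LOGFILE in shorewall.conf
# only tells /sbin/shorewall where to read them back. These helpers show both
# halves: the existence check behind the "does not exist" message, and a
# chain:disposition tally of the entries 'shorewall dump' would include.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed shorewall.conf fragment pointing at a file that does not exist
# (the situation in the thread).
printf 'LOGFILE=%s/shorewall.log\n' "$WORK" > "$WORK/shorewall.conf"

# Constructed syslog sample. Shorewall's default LOGFORMAT is
# "Shorewall:%s:%s:", i.e. Shorewall:<chain>:<disposition>: in each message.
# Hostname and addresses echo the thread; 198.51.100.7 is a documentation address.
cat > "$WORK/messages" <<'EOF'
Aug 27 12:40:01 dumbledore kernel: Shorewall:loc2all:REJECT:IN=eth0 OUT=tap1 SRC=192.168.1.2 DST=24.102.139.1 PROTO=TCP SPT=40001 DPT=80
Aug 27 12:40:02 dumbledore kernel: Shorewall:ptd22all:DROP:IN=tap2 OUT= SRC=198.51.100.7 DST=24.102.139.228 PROTO=TCP SPT=51515 DPT=80
Aug 27 12:40:03 dumbledore kernel: Shorewall:ptd22all:DROP:IN=tap2 OUT= SRC=198.51.100.7 DST=24.102.139.228 PROTO=TCP SPT=51516 DPT=80
Aug 27 12:40:04 dumbledore kernel: eth0: link up, 100Mbps
EOF

# logfile_setting CONF: print the LOGFILE value from a shorewall.conf
# (last assignment wins, surrounding double quotes stripped).
logfile_setting() {
    sed -n 's/^[[:space:]]*LOGFILE=//p' "$1" | tail -n 1 | tr -d '"'
}

# logfile_check CONF: "ok" when the configured LOGFILE is a readable file,
# "missing" otherwise. This is the condition behind the dump error in the thread.
logfile_check() {
    f=$(logfile_setting "$1")
    if [ -n "$f" ] && [ -r "$f" ]; then echo ok; else echo missing; fi
}

# summarize_log LOGFILE: count Shorewall-prefixed entries per chain:disposition,
# ignoring unrelated kernel messages. Output lines: "<chain>:<disposition> <count>".
summarize_log() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); n[p[2] ":" p[3]]++ }
    } END { for (k in n) print k, n[k] }' "$1" | sort
}

# Stand-alone run: first against the missing file, then after LOGFILE is
# pointed at the file the logging daemon actually writes.
echo "LOGFILE check: $(logfile_check "$WORK/shorewall.conf")"
printf 'LOGFILE=%s/messages\n' "$WORK" > "$WORK/shorewall.conf"
echo "LOGFILE check: $(logfile_check "$WORK/shorewall.conf")"
summarize_log "$(logfile_setting "$WORK/shorewall.conf")"
```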