Hi Tom, et al.

I have tested blacklist for the first time and have found an error with my configuration or a bug.

Following http://www.shorewall.net/FAQ.htm#faq84 I place a blacklist entry against my external interface but Shorewall check gives:

Checking /etc/shorewall/blacklist...
WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Now where my configuration is different to most is my external interface is a bonded pair eth2 & eth5, so I tested adding an eth2 blacklist entry to interfaces and the warning disappeared.

Should I ignore the warning or should I put in interface entries for all interfaces that make up the bonded interface?

Regards,
Trent

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
On 6/30/10 11:22 PM, Trent O'Callaghan wrote:
> I have tested blacklist for the first time and have found an error with
> my configuration or a bug.
>
> Following http://www.shorewall.net/FAQ.htm#faq84 I place a blacklist
> entry against my external interface but Shorewall check gives:
>
> Checking /etc/shorewall/blacklist...
>
> WARNING: The entries in /etc/shorewall/blacklist have been ignored
> because there are no 'blacklist' interfaces : /etc/shorewall/blacklist
> (line 15)
>
> Now where my configuration is different to most is my external interface
> is a bonded pair eth2 & eth5 so I tested adding an eth2 blacklist entry to
> interfaces and the warning disappeared.
>
> Should I ignore the warning or should I put in interface entries for all
> interfaces that make up the bonded interface?

If you have 'blacklist' specified on any interface in /etc/shorewall/interfaces, you should not receive that warning message. So I would like you to:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -czf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz archive.

Be that as it may, you should not be describing eth2 and eth5 to Shorewall at all but rather should only mention the bondN device (e.g., 'bond0'); it is that device that should have the 'blacklist' option.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Hi Tom,

Your reply has given me some ideas on where to look for my configuration error. Bond1 does not exhibit the issue so looking for what differs between Bond0 and Bond1 gives:

root@nper-r1:/etc/shorewall# grep bond1 *
hosts:hw001 bond1:10.2.1.0/24 routeback
hosts:bcast bond1:255.255.255.255
interfaces:- bond1 detect dhcp,tcpflags
rules:ACCEPT+ hw001:bond1:10.240.1.7 dmz tcp

root@nper-r1:/etc/shorewall# grep bond0 *
hosts:inet bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:pub bond0:180.233.131.0/24,aaa.bbb.ccc.208/30,xxx.yyy.zzz.0/24,180.233.128.0/23
hosts:bcast bond0:255.255.255.255
interfaces:- bond0 detect blacklist,nosmurfs,tcpflags
masq:bond0:!xxx.yyy.zzz.0/24 192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7 180.233.131.7
masq:bond0:xxx.yyy.zzz.0/24 192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7 xxx.yyy.zzz.73
rules:ACCEPT+ inet:bond0:aaa.bbb.ccc.209 $FW tcp 179
rules:ACCEPT+ inet:bond0:xxx.yyy.zzz.253 $FW tcp 179
rules:ACCEPT+ inet:bond0:xxx.yyy.zzz.240 $FW tcp 179

So I tested with masq for bond0 disabled - Result:

Checking /etc/shorewall/blacklist...
WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing with:
hosts:inet bond0:0.0.0.0/0
- Result:

Checking /etc/shorewall/blacklist...
WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing without zone:pub - Result:

Checking /etc/shorewall/blacklist...
WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

I have also tested changing all the bond0 settings to eth2 - Result:

Checking /etc/shorewall/blacklist...
WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

So I think this proves my configuration as the issue but no luck yet isolating it.

... success at last ...

hosts:#inet bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:inet bond0:0.0.0.0/1,128.0.0.0/1!180.233.128.0/23,180.233.131.0/24

Making just this change has removed the "WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces".

root@nper-r1:~# iptables -L -n > black-fixed
root@nper-r1:~# diff black-last black-fixed
147a148,164
> Chain blacklst (2 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/8            0.0.0.0/0
> DROP       all  --  10.0.0.0/8           0.0.0.0/0
> DROP       all  --  127.0.0.0/8          0.0.0.0/0
> DROP       all  --  169.254.0.0/16       0.0.0.0/0
> DROP       all  --  172.16.0.0/12        0.0.0.0/0
> DROP       all  --  192.0.0.0/24         0.0.0.0/0
> DROP       all  --  192.0.2.0/24         0.0.0.0/0
> DROP       all  --  192.88.99.0/24       0.0.0.0/0
> DROP       all  --  198.18.0.0/15        0.0.0.0/0
> DROP       all  --  198.51.100.0/24      0.0.0.0/0
> DROP       all  --  203.0.113.0/24       0.0.0.0/0
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  240.0.0.0/4          0.0.0.0/0
> DROP       all  --  255.255.255.255      0.0.0.0/0
>
176a194
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
182a201
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW

Can you see any unwanted side effects to the fixed setup?

Kind regards,
Trent O'Callaghan
Network Manager
www.nearmap.com
On 7/1/10 6:41 PM, Trent O'Callaghan wrote:
>
> Can you see any unwanted side effects to the fixed setup?
>

I'm sorry, but I don't understand a thing you have posted. You are making random changes to your configuration and finally made the warning disappear. I think that this may be a bug but without the information I asked for, we won't make any progress toward a solution.

-Tom
On 7/1/10 10:17 PM, Trent O'Callaghan wrote:
> Hi Tom,
>
> Sorry for the confusing email.
>
> The attachment is only for your use to check for a bug.
> Happy to receive your findings via [Shorewall-users]
>

Thanks, Trent. Your workaround is okay; another approach would be to specify 'blacklist' in the host file entry that includes 0.0.0.0/0 rather than breaking that net into two /1's:

inet bond0:0.0.0.0/0!xxx.xxx.128.0/23,xxx.xxx.131.0/24 blacklist

I will give some thought toward how to make this work with your original configuration.

-Tom
Hi Tom,

I have tried the host file with:

inet bond0:0.0.0.0/0!xxx.xxx.128.0/23,xxx.xxx.131.0/24 blacklist

This works and achieves the same result as breaking the 0.0.0.0/0 net into two /1's.

So I will stick with this method unless you come up with an update to Shorewall so that 'blacklist' is not required in hosts.

Thanks,
Trent O'Callaghan
On 7/4/10 5:49 PM, Trent O'Callaghan wrote:
> Hi Tom,
>
> I have tried the host file with:
> inet bond0:0.0.0.0/0!xxx.xxx.128.0/23,xxx.xxx.131.0/24 blacklist
>
> This works and achieves the same result as breaking the 0.0.0.0/0 net into
> two /1's.
>
> So I will stick with this method unless you come up with an update to
> Shorewall so that 'blacklist' is not required in hosts.

Thanks, Trent. 4.4.11 will include a fix that will allow you to remove that workaround.

-Tom
Hi Tom,

As I deployed 'blacklist' I missed a step shown in http://www.shorewall.net/blacklisting_support.htm:

"You specify the interfaces whose incoming packets you want checked against the blacklist using the "blacklist" option in /etc/shorewall/interfaces."

But this made no difference, proving to me that only an entry in /etc/shorewall/hosts, as shown below, is required with Shorewall version 4.4.10~Beta4-1 on Ubuntu.

Kind regards,
Trent
On 7/5/10 11:40 PM, Trent O'Callaghan wrote:
> Hi Tom,
>
> As I deployed 'blacklist' I missed a step shown in
> http://www.shorewall.net/blacklisting_support.htm
>
> "You specify the interfaces whose incoming packets you want checked against
> the blacklist using the
> "blacklist" option in /etc/shorewall/interfaces."
>
> But this made no difference, proving to me that only an entry in
> /etc/shorewall/hosts as shown below,
> is required with Shorewall version 4.4.10~Beta4-1 on Ubuntu

This is fixed in 4.4.10.3 and in 4.4.11-Beta3.

-Tom
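The check behind the warning in this thread, as an added example that is not code from the thread or from Shorewall itself: it scans constructed copies of /etc/shorewall/interfaces and /etc/shorewall/hosts for an entry whose OPTIONS column carries 'blacklist', which is what decides whether /etc/shorewall/blacklist is applied at all. The sample file contents, the column numbers and the function names are assumptions for the example.

```shell
# Added example, not code from the thread or from Shorewall itself. It mirrors
# the condition behind the warning: Shorewall ignores /etc/shorewall/blacklist
# unless some interfaces or hosts entry carries the 'blacklist' option.
# Both inputs below are constructed samples.

# Constructed interfaces file (columns: ZONE INTERFACE BROADCAST OPTIONS).
INTERFACES_SAMPLE='#ZONE   INTERFACE   BROADCAST   OPTIONS
-       bond0       detect      blacklist,nosmurfs,tcpflags
-       bond1       detect      dhcp,tcpflags'

# Constructed hosts file (columns: ZONE HOST(S) OPTIONS), with Tom's
# suggested workaround on the bond0 entry.
HOSTS_SAMPLE='#ZONE   HOST(S)                                             OPTIONS
inet    bond0:0.0.0.0/0!xxx.xxx.128.0/23,xxx.xxx.131.0/24  blacklist
hw001   bond1:10.2.1.0/24                                   routeback'

# Print the interface name of every entry whose OPTIONS column (column $2)
# contains 'blacklist'. For hosts entries the name is the part before ':'.
blacklist_interfaces() {
  printf '%s\n' "$1" | awk -v col="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
    {
      n = split($col, opts, ",")
      for (i = 1; i <= n; i++)
        if (opts[i] == "blacklist") { sub(/:.*/, "", $2); print $2; break }
    }'
}

# Decide, like "shorewall check", whether the blacklist file would be used.
# Returns 0 when at least one interface carries the option, 1 otherwise.
check_blacklist_sources() {
  found=$(blacklist_interfaces "$INTERFACES_SAMPLE" 4
          blacklist_interfaces "$HOSTS_SAMPLE" 3)
  if [ -z "$found" ]; then
    echo "WARNING: no 'blacklist' interfaces; /etc/shorewall/blacklist would be ignored"
    return 1
  fi
  echo "blacklist checked on: $(printf '%s' "$found" | sort -u | tr '\n' ' ')"
}

check_blacklist_sources
```

Point both samples at the real files (cat /etc/shorewall/interfaces and /etc/shorewall/hosts) to see which entries, if any, carry the option on a live box.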