From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 26 Dec 2010 20:17:39 -0800
> 'shorewall show zones'

joule:/etc/shorewall# shorewall show zones
Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 08:20:36 PST 2010

fw (firewall)
net (ipv4)
   MainBoard:0.0.0.0/0
loc (ipv4)
   Loc+:0.0.0.0/0
vpn (ipv4)
   tun0:0.0.0.0/0

Nevertheless, addresses exist.

joule:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: LocPCI1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:ba:52:79:1c brd ff:ff:ff:ff:ff:ff
    inet 172.23.4.1/24 brd 172.23.4.255 scope global LocPCI1
    inet6 fe80::250:baff:fe52:791c/64 scope link
       valid_lft forever preferred_lft forever
3: LocPCI2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:50:ba:e0:9a:eb brd ff:ff:ff:ff:ff:ff
4: MainBoard: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:03:47:c2:94:65 brd ff:ff:ff:ff:ff:ff
    inet 24.108.32.156/22 brd 255.255.255.255 scope global MainBoard
    inet6 fe80::203:47ff:fec2:9465/64 scope link
       valid_lft forever preferred_lft forever
5: LocACS29H901847: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1d:7e:01:3f:ba brd ff:ff:ff:ff:ff:ff
    inet 172.23.5.1/24 brd 172.23.5.255 scope global LocACS29H901847
    inet6 fe80::21d:7eff:fe01:3fba/64 scope link
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.4.0.1 peer 10.4.0.2/32 scope global tun0

> 'shorewall dump'

http://carnot.yi.org/ShorewallDump

This is the most elementary problem I've found.
joule:/etc/shorewall# host joule
Host joule not found: 3(NXDOMAIN)

peter@joule:~$ host curie
curie has address 172.23.4.2

peter@joule:~$ host heaviside
heaviside has address 172.23.5.2

My weak hypothesis: the problem is in name to address resolution; no problem in Shorewall.

Thanks,          ... Peter E.

-- 
Telephone 1 360 450 2132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
On 12/27/10 8:06 AM, peasthope@shaw.ca wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Date: Sun, 26 Dec 2010 20:17:39 -0800
>> 'shorewall show zones'
>
> joule:/etc/shorewall# shorewall show zones
> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 08:20:36 PST 2010
>
> fw (firewall)
> net (ipv4)
>    MainBoard:0.0.0.0/0
> loc (ipv4)
>    Loc+:0.0.0.0/0
> vpn (ipv4)
>    tun0:0.0.0.0/0

Peter,

The log message you posted is:

Dec 26 18:32:48 joule kernel: [10586.307679] Shorewall:FORWARD:REJECT:IN=LocACS29H901847 OUT=LocPCI1 SRC=172.23.5.2 DST=172.23.4.2 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=5498 PROTO=TCP SPT=1120 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

The input interface is LocACS29H901847 and the output interface is
LocPCI1 (You did read Shorewall FAQ 17, right?). Do you see either of
those interfaces in the output of 'shorewall show zones'?

Hint: *All* interfaces on the firewall that have an IPv4 address *must*
be defined in /etc/shorewall/interfaces and *must* be associated with a
zone, either in /etc/shorewall/interfaces or in /etc/shorewall/hosts.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 12/27/10 9:36 AM, Tom Eastep wrote:
> On 12/27/10 8:06 AM, peasthope@shaw.ca wrote:
>> From: Tom Eastep <teastep@shorewall.net>
>> Date: Sun, 26 Dec 2010 20:17:39 -0800
>>> 'shorewall show zones'
>>
>> joule:/etc/shorewall# shorewall show zones
>> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 08:20:36 PST 2010
>>
>> fw (firewall)
>> net (ipv4)
>>    MainBoard:0.0.0.0/0
>> loc (ipv4)
>>    Loc+:0.0.0.0/0
>> vpn (ipv4)
>>    tun0:0.0.0.0/0
>
> Peter,
>
> The log message you posted is:
>
> Dec 26 18:32:48 joule kernel: [10586.307679]
> Shorewall:FORWARD:REJECT:IN=LocACS29H901847 OUT=LocPCI1 SRC=172.23.5.2
> DST=172.23.4.2 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=5498 PROTO=TCP
> SPT=1120 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
>
> The input interface is LocACS29H901847 and the output interface is
> LocPCI1 (You did read Shorewall FAQ 17, right?). Do you see either of
> those interfaces in the output of 'shorewall show zones'?
>
> Hint: *All* interfaces on the firewall that have an IPv4 address *must*
> be defined in /etc/shorewall/interfaces and *must* be associated with a
> zone, either in /etc/shorewall/interfaces or in /etc/shorewall/hosts.

Duh -- my sincere apologies. I missed the LOC+. What I suspect is that you
need the 'routeback' OPTION in the /etc/shorewall/interfaces entry for LOC+.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
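The check Tom walks through in this thread (take the IN= and OUT= interfaces from the REJECT log line, look for them in 'shorewall show zones', and remember that an entry ending in '+' is a wildcard that covers several real interfaces) can be scripted so the wildcard is not overlooked. The script below is an added example and is not code from this thread or from the Shorewall project. The sample 'ip addr show', 'shorewall show zones' and log text are constructed from the outputs quoted above (abbreviated), and the wildcard rule it applies (a name ending in '+' matches every interface whose name begins with the part before the '+', which is how iptables reads interface patterns) is stated as an assumption in the code.

```python
import re

# Constructed sample input, abbreviated from the outputs quoted in this thread.
IP_ADDR_SHOW = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: LocPCI1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet 172.23.4.1/24 brd 172.23.4.255 scope global LocPCI1
3: LocPCI2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:50:ba:e0:9a:eb brd ff:ff:ff:ff:ff:ff
4: MainBoard: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 24.108.32.156/22 brd 255.255.255.255 scope global MainBoard
5: LocACS29H901847: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 172.23.5.1/24 brd 172.23.5.255 scope global LocACS29H901847
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    inet 10.4.0.1 peer 10.4.0.2/32 scope global tun0
"""

SHOW_ZONES = """\
fw (firewall)
net (ipv4)
   MainBoard:0.0.0.0/0
loc (ipv4)
   Loc+:0.0.0.0/0
vpn (ipv4)
   tun0:0.0.0.0/0
"""

LOG_LINE = ("Dec 26 18:32:48 joule kernel: [10586.307679] Shorewall:FORWARD:REJECT:"
            "IN=LocACS29H901847 OUT=LocPCI1 SRC=172.23.5.2 DST=172.23.4.2 LEN=44 "
            "TOS=0x00 PREC=0x00 TTL=31 ID=5498 PROTO=TCP SPT=1120 DPT=21 WINDOW=8192 "
            "RES=0x00 SYN URGP=0")


def ipv4_interfaces(ip_addr_output):
    """Names of interfaces that carry an IPv4 address, excluding loopback."""
    ifaces = set()
    current = None
    for line in ip_addr_output.splitlines():
        header = re.match(r'^\d+:\s+([^:@\s]+)', line)
        if header:
            current = header.group(1)
        elif current and current != 'lo' and line.strip().startswith('inet '):
            ifaces.add(current)
    return ifaces


def zone_patterns(show_zones_output):
    """Map each interface pattern listed under a zone to that zone's name."""
    patterns = {}
    zone = None
    for line in show_zones_output.splitlines():
        zone_header = re.match(r'^(\w+)\s+\((firewall|ipv4|ipv6)\)', line.strip())
        if zone_header:
            zone = zone_header.group(1)
        elif zone and ':' in line:
            patterns[line.strip().split(':', 1)[0]] = zone
    return patterns


def matching_pattern(iface, patterns):
    """First pattern covering iface. Assumption: a trailing '+' is a prefix
    wildcard, as iptables interprets interface names such as Loc+."""
    for pat in patterns:
        if pat.endswith('+') and iface.startswith(pat[:-1]):
            return pat
        if pat == iface:
            return pat
    return None


def unzoned_interfaces(ip_addr_output, show_zones_output):
    """IPv4 interfaces that no zone entry covers (Tom's 'must be in a zone' hint)."""
    patterns = zone_patterns(show_zones_output)
    return sorted(i for i in ipv4_interfaces(ip_addr_output)
                  if matching_pattern(i, patterns) is None)


def diagnose_log_line(log_line, show_zones_output):
    """Classify a Shorewall REJECT line by the zone entries its IN/OUT fall under."""
    m = re.search(r'\bIN=(\S*)\s+OUT=(\S*)', log_line)
    if not m:
        raise ValueError('not a netfilter/Shorewall log line')
    patterns = zone_patterns(show_zones_output)
    in_pat = matching_pattern(m.group(1), patterns) if m.group(1) else None
    out_pat = matching_pattern(m.group(2), patterns) if m.group(2) else None
    if in_pat is None or out_pat is None:
        verdict = 'unzoned'      # an interface missing from interfaces/hosts
    elif in_pat == out_pat:
        verdict = 'routeback'    # in and out under one entry: the case this thread ends on
    else:
        verdict = 'inter-zone'   # look at the policy/rules between the two zones instead
    return verdict, in_pat, out_pat


if __name__ == '__main__':
    print('IPv4 interfaces without a zone:', unzoned_interfaces(IP_ADDR_SHOW, SHOW_ZONES) or 'none')
    print('Log line verdict:', diagnose_log_line(LOG_LINE, SHOW_ZONES))
```

On the thread's data it reports no unzoned interface (LocPCI2 is DOWN with no address and is skipped) and classifies the log line as 'routeback', because LocACS29H901847 and LocPCI1 both fall under the single Loc+ entry; an OUT interface under a different entry would be reported as 'inter-zone', and one that matches nothing as 'unzoned'.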