From: Tom Eastep <teastep@shorewall.ne.>
Date: Mon, 27 Dec 2010 09:49:29 -0800
> My sincere apologies.

No offense but I was puzzled.

> I missed the LOC+.

That's Loc+ for all interfaces in the loc zone. Pascal style spelling. I described this interface naming scheme a month or two back in response to interest from another list participant. Not sure whether this problem is strictly since that change. Perhaps it won't work after all.

OK, this in the interfaces manual is pertinent.
"routeback ... This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard."

routeback added.

joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
net   MainBoard   detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc   Loc+        detect   tcpflags,nosmurfs,routeback
vpn   tun0

After 'shorewall restart' the addresses still don't show.

joule:/etc/shorewall# shorewall show zones
Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 03:17:16 PST 2010

fw (firewall)
net (ipv4)
   MainBoard:0.0.0.0/0
loc (ipv4)
   Loc+:0.0.0.0/0
vpn (ipv4)
   tun0:0.0.0.0/0

Naming the interfaces explicitly is no improvement.

joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
net   MainBoard         detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc   LocPCI1           detect   tcpflags,nosmurfs,routeback
loc   LocACS29H901847   detect   tcpflags,nosmurfs,routeback
vpn   tun0

joule:/etc/shorewall# shorewall restart
...
joule:/etc/shorewall# shorewall show zones
Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 04:05:01 PST 2010

fw (firewall)
net (ipv4)
   MainBoard:0.0.0.0/0
loc (ipv4)
   LocACS29H901847:0.0.0.0/0
   LocPCI1:0.0.0.0/0
vpn (ipv4)
   tun0:0.0.0.0/0

My interface names are unconventional for Linux but apparently acceptable to udev and ifconfig. Shorewall does not recognize them? If all else fails I can try reverting to the good old ethn interface names.

Thanks, ... Peter E.
-- 
Telephone 1 360 450 2132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption http://p.sf.net/sfu/oracle-sfdevnl
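The manual passage quoted in the message above ties 'routeback' to wildcard entries in the INTERFACE column. The following script is an added example, not code from the thread or from Shorewall itself: it parses an interfaces file in the four-column layout used here (skipping comment and blank lines the way the egrep -v filter does), reports wildcard entries that lack 'routeback', and shows which explicit interface names a wildcard such as Loc+ covers. The sample file is constructed from the configuration quoted in the thread.

```python
# Added example (not from the thread or Shorewall): lint a Shorewall
# 'interfaces' file for wildcard entries that lack 'routeback'.
# Assumed column layout: ZONE INTERFACE BROADCAST OPTIONS ('-' = empty).
import re

# Constructed sample, modelled on the interfaces file quoted in the thread,
# with the comment and blank lines that 'egrep -v' hid put back in.
SAMPLE_BEFORE = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    MainBoard  detect     dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc    Loc+       detect     tcpflags,nosmurfs

vpn    tun0
"""
# The same file after "routeback added".
SAMPLE_AFTER = SAMPLE_BEFORE.replace("tcpflags,nosmurfs\n",
                                     "tcpflags,nosmurfs,routeback\n")

SKIP = re.compile(r"^\s*(#|$)")  # same filter as egrep -v '(^ *#)|(^ *$)'

def parse_interfaces(text):
    """Return (zone, interface, set_of_options) for each live line."""
    entries = []
    for line in text.splitlines():
        if SKIP.match(line):
            continue
        fields = line.split()
        options = set()
        if len(fields) > 3 and fields[3] != "-":
            options = set(fields[3].split(","))
        entries.append((fields[0], fields[1], options))
    return entries

def missing_routeback(text):
    """Wildcard interfaces (name ending in '+') without routeback: traffic
    between two interfaces matched by the same wildcard needs it."""
    return [iface for _, iface, opts in parse_interfaces(text)
            if iface.endswith("+") and "routeback" not in opts]

def wildcard_matches(pattern, names):
    """Kernel interface names a Shorewall wildcard such as 'Loc+' covers."""
    if not pattern.endswith("+"):
        return [n for n in names if n == pattern]
    return [n for n in names if n.startswith(pattern[:-1])]

if __name__ == "__main__":
    print("missing routeback:", missing_routeback(SAMPLE_BEFORE))  # ['Loc+']
    print("after fix:", missing_routeback(SAMPLE_AFTER))           # []
    print(wildcard_matches("Loc+", ["LocPCI1", "LocACS29H901847", "tun0"]))
```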
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 27 Dec 2010 11:37:40 -0800
> Your original post complained that FTP didn't work and indicated that
> you were getting REJECTs out of the FORWARD chain. Are you still seeing
> those messages?

Progress! FTP from Heaviside to Curie works again and nothing appears in /var/log/syslog. The only change was to replace Loc+ with the two explicit names LocACS29H901847 and LocPCI1. My simplified naming scheme isn't so simple.

I can work in this further but might not respond until tomorrow. Other work overdue.

Thanks for the help, ... Peter E.
-- 
Telephone 1 360 450 2132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
On 12/27/10 10:13 AM, peasthope@shaw.ca wrote:
> From: Tom Eastep <teastep@shorewall.ne.>
> Date: Mon, 27 Dec 2010 09:49:29 -0800
>> My sincere apologies.
>
> No offense but I was puzzled.
>
>> I missed the LOC+.
>
> That's Loc+ for all interfaces in the loc zone. Pascal style spelling.
> I described this interface naming scheme a month or two back in response
> to interest from another list participant. Not sure whether this problem
> is strictly since that change. Perhaps it won't work after all.
>
> OK, this in the interfaces manual is pertinent.
> "routeback ... This option is also required when you have used a
> wildcard in the INTERFACE column if you want to allow traffic
> between the interfaces that match the wildcard."
>
> routeback added.
>
> joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
> net   MainBoard   detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
> loc   Loc+        detect   tcpflags,nosmurfs,routeback
> vpn   tun0
>
> After 'shorewall restart' the addresses still don't show.
> joule:/etc/shorewall# shorewall show zones
> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 03:17:16 PST 2010
>
> fw (firewall)
> net (ipv4)
>    MainBoard:0.0.0.0/0
> loc (ipv4)
>    Loc+:0.0.0.0/0
> vpn (ipv4)
>    tun0:0.0.0.0/0

I didn't expect that to change.

> Naming the interfaces explicitly is no improvement.
> joule:/etc/shorewall# egrep -v '(^ *#)|(^ *$)' interfaces
> net   MainBoard         detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
> loc   LocPCI1           detect   tcpflags,nosmurfs,routeback
> loc   LocACS29H901847   detect   tcpflags,nosmurfs,routeback
> vpn   tun0
>
> joule:/etc/shorewall# shorewall restart
> ...
> joule:/etc/shorewall# shorewall show zones
> Shorewall 4.4.11.6 Zones at joule - Mon Dec 27 04:05:01 PST 2010
>
> fw (firewall)
> net (ipv4)
>    MainBoard:0.0.0.0/0
> loc (ipv4)
>    LocACS29H901847:0.0.0.0/0
>    LocPCI1:0.0.0.0/0
> vpn (ipv4)
>    tun0:0.0.0.0/0
>
> My interface names are unconventional for Linux but apparently
> acceptable to udev and ifconfig. Shorewall does not recognize
> them? If all else fails I can try reverting to the good old
> ethn interface names.

I suspect that we are trying to solve multiple problems at once here. Your original post complained that FTP didn't work and indicated that you were getting REJECTs out of the FORWARD chain. Are you still seeing those messages?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
peasthope@shaw.ca
2010-Dec-27 19:51 UTC
Re (2): Re (2): Re (2): Re (2): failure of FTP connection
From: Tom Eastep <teastep@shorewall.ne.>
Date: Mon, 27 Dec 2010 12:15:03 -0800
> I suspect that it will work with 'routeback' added to Loc+ as well.

Correct! Thanks.

For sake of interest, why doesn't 'shorewall show zones' give the real addresses for the explicit names at least?

Regards, ... Peter E.
-- 
Telephone 1 360 450 2132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
On 12/27/10 11:02 AM, peasthope@shaw.ca wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Date: Mon, 27 Dec 2010 11:37:40 -0800
>> Your original post complained that FTP didn't work and indicated that
>> you were getting REJECTs out of the FORWARD chain. Are you still seeing
>> those messages?
>
> Progress! FTP from Heaviside to Curie works again and nothing
> appears in /var/log/syslog. The only change was to replace
> Loc+ with the two explicit names LocACS29H901847 and LocPCI1.
> My simplified naming scheme isn't so simple.
>
> I can work in this further but might not respond until
> tomorrow. Other work overdue.

I suspect that it will work with 'routeback' added to Loc+ as well.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2010-Dec-27 21:32 UTC
Re: Re (2): Re (2): Re (2): Re (2): failure of FTP connection
On 12/27/10 11:51 AM, peasthope@shaw.ca wrote:
> From: Tom Eastep <teastep@shorewall.ne.>
> Date: Mon, 27 Dec 2010 12:15:03 -0800
>> I suspect that it will work with 'routeback' added to Loc+ as well.
>
> Correct! Thanks.
>
> For sake of interest, why doesn't 'shorewall show zones' give the real
> addresses for the explicit names at least?

It shows them exactly the way that you defined them.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________