Your message dated Thu, 13 Sep 2012 22:01:44 -0400
with message-id <[email protected]>
and subject line Re: Bug#685522: shorewall: Shorewall generates incorrect rules from DNAT rules using hostname.
has caused the Debian Bug report #685522,
regarding shorewall: Shorewall generates incorrect rules from DNAT rules using hostname.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
685522: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685522
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shorewall
Version: 4.5.5.3-1
Severity: important
Hi,
This problem appeared recently.
I was using this kind of rule in /etc/shorewall/rules:
DNAT net loc:apollon TCP www,https,8008,8443
apollon is a hostname resolved via ldap (configured in
/etc/nsswitch.conf).
It worked fine previously, but today I wasn't able to start shorewall
anymore.
A restart gave me this error:
iptables-restore v1.4.14: DNAT: Multiple --to-destination not supported
Error occurred at line: 22
Indeed, the iptables-restore file generated by shorewall contained this
kind of incorrect rule:
-A net_dnat -p 6 -m multiport --dports 80,443,8008,8443 -j DNAT --to-destination 192.168.122.2 --to-destination 255.255.255.255
I had to replace the hostnames by their related IP address, which seems
to be a creepy workaround.
Thanks for your help,
Paul Ezvan
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages shorewall depends on:
ii bc 1.06.95-2+b1
ii debconf [debconf-2.0] 1.5.44
ii iproute 20120521-3
ii iptables 1.4.14-3
ii perl-modules 5.14.2-12
ii shorewall-core 4.5.5.3-1
shorewall recommends no packages.
Versions of packages shorewall suggests:
ii linux-image-2.6.32-5-amd64 [linux-image] 2.6.32-41
ii linux-image-3.2.0-1-amd64 [linux-image] 3.2.6-1
ii linux-image-3.2.0-2-amd64 [linux-image] 3.2.20-1
ii linux-image-3.2.0-3-amd64 [linux-image] 3.2.23-1
pn make <none>
pn shorewall-doc <none>
-- debconf information excluded
--- End Message ---
--- Begin Message ---
On Tue, Aug 21, 2012 at 05:40:23PM +0200, paul wrote:
> I was using this kind of rule in /etc/shorewall/rules :
>
> DNAT net loc:apollon TCP www,https,8008,8443
>
It is not advisable to use hostnames in your Shorewall configuration,
unless the hostnames can be resolved locally (i.e., by looking in
/etc/hosts).
> apollon is a hostname resolved via ldap (configured in
> /etc/nsswitch.conf).
>
Even LDAP lookups are not foolproof.
> It worked fine previously, but today I wasn't able to start shorewall
> anymore.
> A restart gave me this error :
>
> iptables-restore v1.4.14: DNAT: Multiple --to-destination not supported
> Error occurred at line: 22
>
> Indeed, the iptables-restore file generated by shorewall contained this
> kind of incorrect rule :
>
> -A net_dnat -p 6 -m multiport --dports 80,443,8008,8443 -j DNAT --to-destination 192.168.122.2 --to-destination 255.255.255.255
>
It appears that your LDAP returned something incorrect in response to
the lookup.
> I had to replace the hostnames by their related ip address, which seems
> to be a creepy workaround.
>
Actually, best practice is to always specify the IP address(es).
As this is not a problem in Shorewall, I am closing this bug report.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
--- End Message ---
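The thread shows the failure mode concretely: a DNAT destination given as a hostname resolved (via the LDAP-backed resolver) to two addresses, one of them 255.255.255.255, and Shorewall faithfully emitted one --to-destination per address, which iptables-restore rejects. The following pre-flight check is an added example written for this page; it is not code from the bug report, from Shorewall, or from Debian. It parses a simplified Shorewall rules file (ACTION, SOURCE, DEST columns only), resolves every hostname used as a DNAT destination, and reports names that do not resolve, resolve to more than one address, or resolve to a non-unicast address. It also scans generated iptables-restore output for DNAT lines carrying more than one --to-destination, which is the symptom the reporter saw. The sample rules, the sample restore file and the table-backed resolver are constructed so the script runs offline; the real-resolver path uses the standard socket.getaddrinfo.

```python
"""Pre-flight check for hostnames used as DNAT destinations in Shorewall-style rules.

Constructed example: the rules parser handles only the first three columns
(ACTION, SOURCE, DEST) and the DEST form 'zone:address[:port]'.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterator, List, Tuple

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve an IPv4 name through the host resolver (honours /etc/nsswitch.conf)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def parse_rules(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (ACTION, SOURCE, DEST) for each rule line, skipping comments and SECTION lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("?") or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) >= 3:
            yield cols[0], cols[1], cols[2]


def dest_host(dest: str) -> str:
    """Return the address part of a DEST column such as 'loc:apollon' or 'loc:10.0.0.3:8080'."""
    parts = dest.split(":")
    return parts[1].lstrip("!") if len(parts) >= 2 else ""


def is_hostname(token: str) -> bool:
    """True when the token is neither an IPv4 address nor an IPv4 network."""
    if not token:
        return False
    try:
        ipaddress.ip_network(token, strict=False)
        return False
    except ValueError:
        return True


def check_rules(text: str, resolve: Resolver = system_resolver) -> List[str]:
    """Return one finding per problematic DNAT destination; an empty list means the file is safe to compile."""
    findings: List[str] = []
    for action, _source, dest in parse_rules(text):
        if not action.upper().startswith("DNAT"):
            continue
        host = dest_host(dest)
        if not is_hostname(host):
            continue  # literal addresses are what the maintainer recommends; nothing to check
        try:
            addrs = resolve(host)
        except OSError:
            addrs = []
        if not addrs:
            findings.append(f"{host}: does not resolve")
        elif len(addrs) > 1:
            # Shorewall emits one --to-destination per address; iptables-restore rejects that.
            findings.append(f"{host}: resolves to {len(addrs)} addresses {addrs}")
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.is_multicast or ip.is_reserved or ip.is_unspecified or ip.is_loopback:
                findings.append(f"{host}: {addr} is not a usable unicast DNAT target")
    return findings


TO_DEST_RE = re.compile(r"--to-destination\s+\S+")


def check_restore(text: str) -> List[str]:
    """Flag iptables-restore lines that carry more than one --to-destination option."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        count = len(TO_DEST_RE.findall(line))
        if count > 1:
            findings.append(f"line {lineno}: {count} --to-destination options")
    return findings


# Constructed sample rules modelled on the report, not the reporter's actual file.
SAMPLE_RULES = """\
#ACTION   SOURCE   DEST                     PROTO   DEST PORT(S)
SECTION NEW
DNAT      net      loc:apollon              tcp     www,https,8008,8443
DNAT      net      loc:192.168.122.3:8080   tcp     8080
ACCEPT    loc      net                      tcp     80
"""

# Constructed stand-in for the LDAP-backed lookup that misbehaved in the report.
FAKE_TABLE: Dict[str, List[str]] = {"apollon": ["192.168.122.2", "255.255.255.255"]}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_TABLE:
        raise socket.gaierror(f"{name}: Name or service not known")
    return FAKE_TABLE[name]


# Constructed iptables-restore excerpt reproducing the rejected rule from the report.
SAMPLE_RESTORE = """\
*nat
-A net_dnat -p 6 -m multiport --dports 80,443,8008,8443 -j DNAT --to-destination 192.168.122.2 --to-destination 255.255.255.255
-A net_dnat -p 6 --dport 8080 -j DNAT --to-destination 192.168.122.3:8080
COMMIT
"""

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES, fake_resolver) + check_restore(SAMPLE_RESTORE):
        print(finding)
```

Run against the constructed sample, the rules check reports apollon twice (two addresses, and 255.255.255.255 as a non-unicast target) and the restore check reports line 2; the literal-address DNAT rule produces no finding. Passing `system_resolver` (the default) instead of `fake_resolver` runs the same check against the live resolver before `shorewall compile`, which is where this belongs if hostnames must stay in the rules file.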