Tom Eastep wrote:
> Elio Tondo wrote:
> 
>> and in the masq file:
>>
>> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
>> eth0                   eth1!192.158.10.5,192.158.10.60
>>
>> (masquerading for all machines in loc except for the two with static NAT).
>>
>> It used to work with no problems with Shorewall 3.0 and also with earlier
>> 3.2 releases
> 
> I need to know which earlier 3.2 release(s).

I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I
don't know if the attached patch to /usr/share/shorewall/compiler will correct
your problem or not.

At any rate, what you were doing (excluding the static nat addresses from
masquerade) is unnecessary.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Index: releasenotes.txt
===================================================================
--- releasenotes.txt	(revision 4590)
+++ releasenotes.txt	(working copy)
@@ -242,8 +242,8 @@
   	 
      You set the default level of verbosity using the VERBOSITY option in 	 
      shorewall.conf. If you don't set it (as would be the case if you use your 	 
-     old shorewall.conf file) then VERBOSITY defaults to a value of 2 which 	 
-	     results in behavior compatible with previous Shorewall versions. 	 
+     old shorewall.conf file) then VERBOSITY defaults to a value of 2
+     which results in behavior compatible with previous Shorewall versions. 	 
      A value of 1 suppresses some of the output (like the old -q option did) 	 
      while a value of 0 makes Shorewall almost silent. A value of -1 	 
      suppresses all output except warning and error messages. 	 
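Review bot: the only change in this hunk is a re-wrap of the VERBOSITY sentence ("defaults to a value of 2" / "which results in behavior compatible ..."), which is unrelated to the masq exclusion fix in compiler. It would be cleaner as a separate commit so the bug fix can be applied on its own. The re-wrapped second line also still carries trailing whitespace, which could be dropped while the line is being touched.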
@@ -321,17 +321,12 @@
     a) When you run 'compile' on one system and then run the generated script 	 
        on another system under Shorewall Lite, there are certain limitations. 	 
  	 
-       1) A compatible version of Shorewall Lite must be running on the remote 	 
-          system. Going forward, the goal is that any minor version of 	 
-          the current major version will be compatible. So if the 	 
-          program is compiled using Shorewall 3.2.x, any 3.2.y version 	 
-          or 3.p.q version (where p > 2) of Shorewall Lite will be compatible. 	 
-       2) The 'detectnets' interface option is not allowed. 	 
-       3) DYNAMIC_ZONES=Yes is not allowed. 	 
-       4) You must supply the file /etc/shorewall/capabilities to provide 	 
+       1) The 'detectnets' interface option is not allowed. 	 
+       2) DYNAMIC_ZONES=Yes is not allowed. 	 
+       3) You must supply the file /etc/shorewall/capabilities to provide 	 
           the compiler with knowledge of the capabilities of the system 	 
           where the script is to be run. See below. 	 
-       5) If your /etc/shorewall/params file contains code other than simple 	 
+       4) If your /etc/shorewall/params file contains code other than simple 	 
           assignment statements with contant values, then you should move 	 
           that code to /etc/shorewall/init. That way, the code will be 	 
           executed on the target system when the compiled script is run and 	 
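Review bot: item 1 of the Shorewall Lite limitations (a compatible version of Shorewall Lite must be running on the remote system) is deleted with no replacement text, so the release notes no longer say which Shorewall Lite versions can run a script compiled by 3.2.x. If the requirement still holds, keep it or point to where it is documented now; if it no longer holds, say so in the commit message. The renumbered item 4 also still reads "contant values" in its second line, which should be "constant values".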
Index: compiler
===================================================================
--- compiler	(revision 4574)
+++ compiler	(working copy)
@@ -6041,7 +6041,7 @@
 __EOF__
 			for destnet in $(separate_list $destnets); do
 			    indent >&3 << __EOF__
-    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain
+    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
 __EOF__
 			done
 			indent >&3 << __EOF__
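Review bot: the changed run_iptables line swaps two variables at once, $sports to $ports and $netchain to $newchain, but the hunk does not show where $ports and $newchain are assigned, so it cannot be confirmed from these lines that both are set inside this destnet loop. Please confirm that, and state in the commit message whether the old names were ever assigned in this scope; if they were not, they expanded to empty strings in the here-document, giving a generated rule with no port match and a bare -j. A test that compiles a masq entry with an exclusion list, like the eth1!192.158.10.5,192.158.10.60 entry from the report, would guard against a regression here.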

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
