In helping a user on IRC today, I was dismayed to find that a bug that was supposedly fixed in Shorewall 3.4.4 was not fixed. Furthermore, I found that the bug is present as far back as 3.2.6 (I didn't look back further since 3.2.6 was the release where the user (re-)discovered the bug).

If HIGH_ROUTE_MARKS=No, then PREROUTING and OUTPUT marking rules are behaving as if TC_EXPERT=Yes was specified in shorewall.conf. In other words, these rules are being applied even if the connection has been marked as being associated with a particular ISP.

The symptoms in this user's case were that requests through ISP1 that were port-forwarded to an SMTP server were being replied to through ISP2. The reason was that there was a tcrule which selected ISP2 for all connections from the SMTP server.

I've prepared errata patches as follows:

http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff
http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff
http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff

The 3.2.10 patch applies to all 3.2 releases from at least 3.2.6 onward and to 3.4 releases 3.4.0-3.4.3 (with offset). The 3.4.6 patch will also work on 3.4.4 and 3.4.5 (again, with possible offset).

It is also possible to work around the problem by adding these two rules at the beginning of your tcrules file:

    CONTINUE:P   0.0.0.0/0   0.0.0.0/0   -   -   -   -   !0
    CONTINUE     $FW         0.0.0.0/0   -   -   -   -   !0

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
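As an added illustration of the failure mode and of why the two CONTINUE rules fix it (this is not part of Tom's message and not Shorewall's code), the following Python model emulates the PREROUTING marking chain for a single packet: the saved connection mark is restored to the packet, then the tcrules run in order, a matching MARK overwrites the packet mark, and a matching CONTINUE stops processing (the equivalent of an iptables RETURN). The provider marks, the addresses, the single-chain simplification (the $FW/OUTPUT rule is not modelled) and that compile-down of tcrules are assumptions of the model, not statements about Shorewall internals. It shows the SMTP server's reply on an ISP1 connection being re-marked for ISP2 without the guard, keeping ISP1 with the guard, while a brand-new outbound connection from the server is still sent via ISP2 as the user's tcrule intends.

```python
# Toy model of mangle-chain mark processing, written to illustrate the
# tcrules bug and the CONTINUE workaround discussed in the post above.
# Added example, not Shorewall code. Addresses, provider mark values and
# the way tcrules are assumed to compile down are constructed for the model.
from dataclasses import dataclass
from typing import List, Optional

ISP1, ISP2 = 1, 2             # assumed provider marks (fwmark values)
SMTP_SERVER = "192.168.1.25"  # assumed LAN host behind the SMTP port-forward


@dataclass
class Packet:
    src: str
    dst: str
    connmark: int = 0   # mark already saved on the connection (0 = none)
    mark: int = 0       # packet mark, set as the chain runs


@dataclass
class Rule:
    """One tcrules line: ACTION, SOURCE match and the TEST column."""
    action: str                  # "MARK" or "CONTINUE"
    src: str                     # "0.0.0.0/0" (any) or a single address
    value: int = 0               # mark to set for a MARK rule
    test: Optional[str] = None   # TEST column, e.g. "!0" = packet mark non-zero

    def matches(self, pkt: Packet) -> bool:
        if self.src != "0.0.0.0/0" and self.src != pkt.src:
            return False
        if self.test is None:
            return True
        if self.test.startswith("!"):
            return pkt.mark != int(self.test[1:])
        return pkt.mark == int(self.test)


def run_marking_chain(rules: List[Rule], pkt: Packet) -> int:
    """Emulate the PREROUTING marking chain for one packet.

    Model assumption: with HIGH_ROUTE_MARKS=No the saved connection mark is
    restored to the packet first; the tcrules then run in order; a matching
    CONTINUE stops further processing (an iptables RETURN) and a matching
    MARK overwrites the packet mark.
    """
    pkt.mark = pkt.connmark          # CONNMARK --restore-mark
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "CONTINUE":
            break
        if rule.action == "MARK":
            pkt.mark = rule.value
        else:
            raise ValueError(f"unsupported action {rule.action}")
    return pkt.mark


# The user's tcrule: route everything the SMTP server originates via ISP2.
SMTP_VIA_ISP2 = Rule("MARK", SMTP_SERVER, value=ISP2)

# The workaround from the post: skip the marking rules when the packet already
# carries a non-zero mark, i.e. the connection is already tied to a provider.
GUARD = Rule("CONTINUE", "0.0.0.0/0", test="!0")

BUGGY_TCRULES = [SMTP_VIA_ISP2]
FIXED_TCRULES = [GUARD, SMTP_VIA_ISP2]


def reply_mark(rules: List[Rule]) -> int:
    """Reply from the SMTP server on a connection that arrived via ISP1."""
    reply = Packet(src=SMTP_SERVER, dst="203.0.113.10", connmark=ISP1)
    return run_marking_chain(rules, reply)


def outbound_mark(rules: List[Rule]) -> int:
    """New connection originated by the SMTP server (no saved mark yet)."""
    fresh = Packet(src=SMTP_SERVER, dst="198.51.100.7", connmark=0)
    return run_marking_chain(rules, fresh)


if __name__ == "__main__":
    print("reply without guard ->", reply_mark(BUGGY_TCRULES))     # 2: leaves via ISP2, wrong
    print("reply with guard    ->", reply_mark(FIXED_TCRULES))     # 1: stays on ISP1
    print("new outbound, guard ->", outbound_mark(FIXED_TCRULES))  # 2: ISP2 as intended
```

The guard only works because the connection's mark is restored to the packet before the tcrules run; if nothing had restored it, `!0` would never match and the guard would be a no-op. That is exactly the condition the errata patches enforce for HIGH_ROUTE_MARKS=No, which is why the two CONTINUE lines are a workaround rather than the fix.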
