Tom Eastep wrote:
> Elio Tondo wrote:
>
>> and in the masq file:
>>
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth0 eth1!192.158.10.5,192.158.10.60
>>
>> (masquerading for all machines in loc except for the two with static NAT).
>>
>> It used to work with no problems with Shorewall 3.0 and also with earlier
>> 3.2 releases
>
> I need to know which earlier 3.2 release(s).
I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I don't know if the attached patch to /usr/share/shorewall/compiler will correct your problem or not. At any rate, what you were doing (excluding the static nat addresses from masquerade) is unnecessary.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Index: releasenotes.txt =================================================================== --- releasenotes.txt (revision 4590) +++ releasenotes.txt (working copy) @@ -242,8 +242,8 @@ You set the default level of verbosity using the VERBOSITY option in shorewall.conf. If you don't set it (as would be the case if you use your - old shorewall.conf file) then VERBOSITY defaults to a value of 2 which - results in behavior compatible with previous Shorewall versions. + old shorewall.conf file) then VERBOSITY defaults to a value of 2 + which results in behavior compatible with previous Shorewall versions. A value of 1 suppresses some of the output (like the old -q option did) while a value of 0 makes Shorewall almost silent. A value of -1 suppresses all output except warning and error messages. 
@@ -321,17 +321,12 @@ a) When you run 'compile' on one system and then run the generated script on another system under Shorewall Lite, there are certain limitations. - 1) A compatible version of Shorewall Lite must be running on the remote - system. Going forward, the goal is that any minor version of - the current major version will be compatible. So if the - program is compiled using Shorewall 3.2.x, any 3.2.y version - or 3.p.q version (where p > 2) of Shorewall Lite will be compatible. - 2) The 'detectnets' interface option is not allowed. - 3) DYNAMIC_ZONES=Yes is not allowed. - 4) You must supply the file /etc/shorewall/capabilities to provide + 1) The 'detectnets' interface option is not allowed. + 2) DYNAMIC_ZONES=Yes is not allowed. + 3) You must supply the file /etc/shorewall/capabilities to provide the compiler with knowledge of the capabilities of the system where the script is to be run. See below. - 5) If your /etc/shorewall/params file contains code other than simple + 4) If your /etc/shorewall/params file contains code other than simple assignment statements with contant values, then you should move that code to /etc/shorewall/init. That way, the code will be executed on the target system when the compiled script is run and Index: compiler =================================================================== --- compiler (revision 4574) +++ compiler (working copy) @@ -6041,7 +6041,7 @@ __EOF__ for destnet in $(separate_list $destnets); do indent >&3 << __EOF__ - run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain + run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain __EOF__ done indent >&3 << __EOF__
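Review bot: in the second releasenotes.txt hunk (@@ -321), the removed item 1) was the only place the notes stated the Shorewall Lite compatibility policy (a script compiled under 3.2.x running under any 3.2.y or 3.p.q, p > 2, Lite); if that guarantee still holds it should be restated elsewhere rather than dropped silently, and if it no longer holds the removal deserves its own line in the notes. While renumbering, the unchanged context line under the new item 4) still reads "contant values"; make that "constant values".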
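Review bot: in the compiler hunk (@@ -6041), the per-destnet masquerade rule is emitted through an unquoted heredoc (`indent >&3 << __EOF__`), so `$sports` and `$netchain` were expanded by the compiler, not by the generated script; if neither name was set at that point they expanded to empty strings, and the generated script got a rule with no port match and a bare `-j` with no target instead of a compile-time error, which would explain why the breakage only showed up when the script ran. Beyond the rename to `$ports` and `$newchain`, consider running the compiler with `set -u` (or checking both variables before the `for destnet` loop) so an unset name aborts compilation rather than emitting a malformed rule, and add a test configuration using the reporter's entry `eth0 eth1!192.158.10.5,192.158.10.60` so the exclusion path is exercised.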
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users