Re: [Shorewall-users] My macro is flawed?

Tom Eastep Fri, 01 Dec 2006 07:24:31 -0800

Tom Eastep wrote:
> Ed wrote:
>> On Thursday 30 November 2006 16:46, Tom Eastep wrote:
>>> PARAM   DEST    SOURCE  47
>> Hi,
>> I followed Tom's advice and upgraded to Shorewall 3.2.4.  After making the 
>> changes needed after the upgrade and making sure it all worked, I went on to 
>> try and get the PPTP VPN working... yes, OpenVPN is in the pipeline ;)
>>
>> This is what I did and these are the errors I get... any help would be 
>> appreciated.
>>
>> BTW, this is my config
>>
>> [INTERNET]<---> eth0-[FW SHOREWALL 3.2.4]-eth2 <---> eth0-[VPN SHOREWALL 
>> 3.0.8]
>>
>> The macro in on the firewall (FW).  I guess I missunderstood something...
>>
>> Test run 1:
>> PARAM   192.168.253.2   - 47
>> PARAM   -       -                   tcp     1723
>> PARAM   -       -                   47      -
>>
>> Dec  1 09:49:50 fw01 Shorewall:dmz2all:REJECT:IN=eth2 OUT=eth3 
>> SRC=192.168.253.2 DST=192.168.1.10 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=5337 
>> DF PROTO=47
>>
>> Test run 2:
>> PARAM   -      192.168.253.2   47
> 
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
>> PARAM   -       -                   tcp     1723
>> PARAM   -       -                   47      -
>>
>> ERROR: Undefined Server Zone in rule "ACCEPT fw 
>> 192.168.253.2:dmz:192.168.253.2 47 - - - - -"
>>
>> Test run 3:
>> PARAM   -      dmz:192.168.253.2   47
>> PARAM   -       -                   tcp     1723
>> PARAM   -       -                   47      -
>>
>> ERROR: Only DNAT, SAME and REDIRECT rules may specify destination port 
>> mapping; rule "ACCEPT fw dmz:192.168.253.2:dmz:192.168.253.2 47 - - - - -"
> 
> So why didn't you add the entry to your macro that I gave in in my last 
> message?
> That is *all* that you had to do after upgrading? You did not have to change
> your entry in /etc/shorewall/rules; you had to make NO other changes to the 
> macro.
>


In other words, you macro should look *exactly* like this:

#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT    PORT(S) DEST            LIMIT   GROUP
PARAM   -       -       tcp     1729
PARAM   -       -       47
PARAM   DEST    SOURCE  47
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] My macro is flawed?

Reply via email to