Hi, I'm having a hard time trying to set up VLAN filtering in Shorewall
3.4. I have Ubuntu 7.10 and the VLAN setup is working OK. This is my
config:
/etc/network/interfaces:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth1
auto vlan179
auto vlan152
# VLAN 179 (PUBLIC)
iface vlan179 inet static
address 200.20.xxx.yyy
netmask 255.255.255.248
gateway 200.20.xxx.yyy
vlan_raw_device eth0
# VLAN 152 (MPLS)
iface vlan152 inet static
address 10.215.0.5
netmask 255.255.255.0
vlan_raw_device eth0
# VLAN 1 (MONITOREO)
iface eth1 inet static
address 10.2.64.206
netmask 255.255.255.0
/etc/shorewall/zones
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
mgmnt   ipv4
mpls    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     vlan179     detect      norfc1918,blacklist
mgmnt   eth1        detect
mpls    vlan152     detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy
###############################################################################
#SOURCE   DEST    POLICY   LOG     LIMIT:BURST
#                          LEVEL
$FW       net     ACCEPT
mgmnt     all     ACCEPT
mpls      all     ACCEPT
net       all     DROP     info
all       all     REJECT   info
#LAST LINE -- DO NOT REMOVE
I can ping the outside, so vlan179 is working fine:
PING www.yahoo-ht3.akadns.net (69.147.114.210) 56(84) bytes of data.
64 bytes from f1.www.vip.re3.yahoo.com (69.147.114.210): icmp_seq=1 ttl=54 time=57.3 ms
If I try to ping the vlan152 or eth1 subnet, I get this error:
From 10.2.64.206 icmp_seq=1 Destination Host Unreachable
From 10.215.0.1 icmp_seq=1 Destination Host Unreachable
and in /var/log/messages:
Feb 11 15:25:21 cacti kernel: [ 1399.457252] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50
If I run shorewall clear, I can reach all subnets. Any hints?
Regards
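To see why the firewall's own SNMP query to 10.2.64.1 ends up in the all2all REJECT chain, here is an added Python walk-through of Shorewall's first-match policy lookup over the tables quoted in the post (an editor's illustration, not Shorewall's code or the poster's): an empty IN= means the packet was generated by the firewall itself ($FW), OUT=eth1 maps to the mgmnt zone, and the policy file has no $FW to mgmnt or $FW to mpls entry, so the pair falls through to the catch-all REJECT. FIXED_POLICY is an assumed correction that adds those two entries above the catch-all.

```python
import re
# Constructed copies of the post's /etc/shorewall/interfaces and policy tables.
INTERFACES = """
net    vlan179  detect  norfc1918,blacklist
mgmnt  eth1     detect
mpls   vlan152  detect
"""
POLICY = """
$FW    net    ACCEPT
mgmnt  all    ACCEPT
mpls   all    ACCEPT
net    all    DROP    info
all    all    REJECT  info
"""
# Same table with explicit firewall-to-zone entries placed above the catch-all (hypothetical fix).
FIXED_POLICY = POLICY.replace("mgmnt  all", "$FW    mgmnt  ACCEPT\n$FW    mpls   ACCEPT\nmgmnt  all", 1)
def rows(table):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in table.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def zone_of(interface, interfaces=INTERFACES):
    """Zone owning an interface; an empty IN=/OUT= means the firewall itself ($FW)."""
    if not interface:
        return "$FW"
    for zone, iface, *_ in rows(interfaces):
        if iface == interface:
            return zone
    raise KeyError(interface)

def match_policy(src_zone, dst_zone, policy=POLICY):
    """First-match walk of the policy table, top to bottom; 'all' matches any zone."""
    for src, dst, action, *_ in rows(policy):
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return src, dst, action
    raise LookupError((src_zone, dst_zone))

def explain_log(line, policy=POLICY):
    """Return (src_zone, dst_zone, matched policy row) for a Shorewall log line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    src_zone, dst_zone = zone_of(fields.get("IN", "")), zone_of(fields.get("OUT", ""))
    return src_zone, dst_zone, match_policy(src_zone, dst_zone, policy)
# The log line quoted in the post, rejoined onto one line.
LOG = ("Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1 "
       "LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50")
if __name__ == "__main__":
    print(explain_log(LOG))                # ('$FW', 'mgmnt', ('all', 'all', 'REJECT'))
    print(explain_log(LOG, FIXED_POLICY))  # ('$FW', 'mgmnt', ('$FW', 'mgmnt', 'ACCEPT'))
```

The same lookup explains the unreachable 10.215.0.x hosts: $FW to mpls has no policy of its own either, and shorewall clear removes all of these chains, which is why everything works once the firewall is cleared.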
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users