Mike Lander wrote:
>
>> Mike Lander wrote:
>>
>>> not sure how to config shorewall or if I have this bridge right but
>>> now there seems to be several ways to config shorewall here
>>> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
>> Hi Mike,
>>
>> 'brctl show br0' will show you the bridge configuration.
> Tom
>
> linux-rwu0:~ # brctl show br0
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0016177efed1       no              eth1
>                                                         tap0
>
>> Do you need to firewall traffic through the bridge? If not, simply set
>> 'routeback' on 'br0' and you are finished. That's
>> http://www.shorewall.net/SimpleBridge.html. If you need to firewall
>> traffic through the bridge, then you need to follow
>> http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> I do need to firewall traffic to the internet (eth0); however, for traffic
> between the bridge I just need traffic shaping. I removed the push
> route and bridge option.
>
> Items I changed in shorewall from the stock two-interface config are in
> interfaces, masq, and routestopped, which is correct according to Simple
> Bridge I believe. I changed these as follows:
>
> interfaces
> net     eth0    detect  tcpflags,nosmurfs
> loc     br0     detect  routeback
>
> masq
> eth0    br0
>
> routestopped
> br0     -
>
> However, when starting the bridge with /etc/init.d/bridge, I lose
> connectivity with the internet from the firewall and lan. I believe
> routing in /etc/init.d/bridge is incorrect. I followed examples and I
> believe the gateway is incorrect. Here is /etc/init.d/bridge, ip route ls
> and ifconfig.
>
> #!/bin/bash
>
> ########openvpn bridge-script#################
> # Set up Ethernet bridge on Linux
> # Requires: bridge-utils
> #################################
>
> # Define Bridge Interface
> br="br0"
>
> # Define list of TAP interfaces to be bridged
> tap="tap0"
>
> # Define a list of physical ethernet interfaces to be bridged
> # with TAP interface(s) above.
> #
> eth="eth1"
> eth_ip="10.194.79.191"
> eth_netmask="255.255.255.0"
> eth_broadcast="10.194.79.255"
> default_gw=10.194.79.191
>
> # Path to the system networking script
> # For Debian
> #NETWORK="/etc/init.d/networking"
> # For SuSE
> NETWORK="/etc/init.d/network"
>
> # Path to the openvpn start/stop script
> OPENVPN_INIT="/etc/init.d/openvpn"
>
> # Path to the openvpn binary
> OPENVPN="/usr/sbin/openvpn"
>
> # Path to the brctl binary
> BRCTL="/sbin/brctl"
>
> # Path to the ifconfig binary
> IFCONFIG="/sbin/ifconfig"
>
> # Path to the route binary
> ROUTE="/sbin/route"
>
> do_start(){
>
>     for i in $tap; do
>         $OPENVPN --mktun --dev $i
>     done
>
>     $BRCTL addbr $br
>
>     for i in $eth; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $tap; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $eth; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     for i in $tap; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>
>     $ROUTE add default gw $default_gw
>
>     $OPENVPN_INIT start
>
> }
>
> do_stop(){
>
>     $IFCONFIG $br down
>     $BRCTL delbr $br
>
>     for i in $tap; do
>         $OPENVPN --rmtun --dev $i
>         $IFCONFIG $i down
>         $NETWORK force-reload
>     done
>
>     $OPENVPN_INIT stop
>
> }
>
> case "$1" in
>
>     start)
>         do_start
>         ;;
>     stop)
>         do_stop
>         ;;
>     restart)
>         do_stop
>         sleep 1
>         do_start
>         ;;
>     *)
>         echo "usage: $0 start|stop|restart" >&2
>         exit 3
>         ;;
> esac
> exit 0
>
> linux-rwu0:~ # ip route ls
> 75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
> 10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
> 169.254.0.0/16 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 10.194.79.191 dev br0  scope link
> default via 75.149.172.94 dev eth0
>
> The gateway to br0 is the problem I think. Since the firewall already has
> a gateway, do I enter 75.149.172.94 as the gateway in /etc/init.d/bridge?
Mike --

You seem to be one of the folks who mistakenly believe that every
interface needs a default gateway. That is simply not true. You only need
multiple default routes when you have multiple links to the internet.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
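The symptom in the thread is visible in the `ip route ls` output alone: two default routes, one of them "via" the bridge's own address, which is exactly what `$ROUTE add default gw $default_gw` with `default_gw=10.194.79.191` produces. The following check is an added example, not code from the thread or from Shorewall: it parses `ip route` output and flags (a) more than one default route, (b) a default route whose gateway is one of the host's own addresses (taken from the `src` of the kernel's connected routes), and (c) a gateway that is not on a network connected to the route's device. The sample routing table is the one Mike posted; the "fixed" variant with the br0 default route dropped is constructed here.

```python
"""Sanity-check `ip route ls` output for spurious default routes (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    dst: str            # "default" or a prefix such as "10.194.79.0/24"
    dev: Optional[str]  # outgoing interface
    via: Optional[str]  # gateway address, if the route has one
    src: Optional[str]  # preferred source address, if listed


# `ip route` keywords that are followed by a value; anything else is a bare flag
_VALUE_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table", "mtu"}


def parse_ip_route(text: str) -> List[Route]:
    """Parse one route per non-empty line of `ip route ls` output."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        attrs: Dict[str, object] = {}
        i = 1
        while i < len(fields):
            tok = fields[i]
            if tok in _VALUE_KEYS and i + 1 < len(fields):
                attrs[tok] = fields[i + 1]
                i += 2
            else:
                attrs[tok] = True  # bare flag such as "onlink" or "linkdown"
                i += 1
        routes.append(Route(fields[0], attrs.get("dev"), attrs.get("via"), attrs.get("src")))
    return routes


def check_default_routes(routes: List[Route]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the defaults look sane."""
    findings: List[Tuple[str, str]] = []
    # Addresses the host itself owns: the `src` of directly connected routes.
    local_addrs = {r.src: r.dev for r in routes if r.src and not r.via}
    # Directly connected prefixes per device, for the reachability check.
    connected = [(ipaddress.ip_network(r.dst, strict=False), r.dev)
                 for r in routes if r.dst != "default" and not r.via]
    defaults = [r for r in routes if r.dst == "default"]

    if len(defaults) > 1:
        devs = ", ".join(str(r.dev) for r in defaults)
        findings.append(("MULTIPLE_DEFAULTS",
                         f"{len(defaults)} default routes ({devs}); one is enough "
                         "unless the host has several links to the internet"))
    for r in defaults:
        if r.via is None:
            continue
        if r.via in local_addrs:
            findings.append(("GATEWAY_IS_LOCAL",
                             f"default via {r.via} dev {r.dev}: {r.via} is this host's "
                             f"own address on {local_addrs[r.via]}, not a gateway"))
            continue
        gw = ipaddress.ip_address(r.via)
        if not any(gw in net and dev == r.dev for net, dev in connected):
            findings.append(("GATEWAY_NOT_CONNECTED",
                             f"default via {r.via} dev {r.dev}: gateway is not on a "
                             f"network connected to {r.dev}"))
    return findings


# Routing table as posted in the thread.
SAMPLE_ROUTES = """\
75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 10.194.79.191 dev br0  scope link
default via 75.149.172.94 dev eth0
"""

# Constructed: the same table with the bridge script's bogus default route removed.
FIXED_ROUTES = "\n".join(
    line for line in SAMPLE_ROUTES.splitlines() if "via 10.194.79.191" not in line
) + "\n"


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_ROUTES), ("fixed", FIXED_ROUTES)):
        print(f"== {label} ==")
        for code, detail in check_default_routes(parse_ip_route(text)) or [("OK", "no issues")]:
            print(f"{code}: {detail}")
```

Run it against `ip route ls` captured from the firewall (`ip route ls | python3 check_routes.py` after swapping `SAMPLE_ROUTES` for `sys.stdin.read()`): the posted table reports both the duplicate default and the gateway that is the host's own br0 address; with that route gone the only default left is the one via 75.149.172.94 on eth0, which is what Tom's reply says a single-uplink firewall needs.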
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
