Hi Tom,

Your reply has given me some ideas on where to look for my configuration error.
Bond1 does not exhibit the issue, so looking for what differs between Bond0 and Bond1 gives:

r...@nper-r1:/etc/shorewall# grep bond1 *
hosts:hw001 bond1:10.2.1.0/24 routeback
hosts:bcast bond1:255.255.255.255
interfaces:- bond1 detect dhcp,tcpflags
rules:ACCEPT+ hw001:bond1:10.240.1.7 dmz tcp

r...@nper-r1:/etc/shorewall# grep bond0 *
hosts:inet bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:pub bond0:180.233.131.0/24,aaa.bbb.ccc.208/30,xxx.yyy.zzz.0/24,180.233.128.0/23
hosts:bcast bond0:255.255.255.255
interfaces:- bond0 detect blacklist,nosmurfs,tcpflags
masq:bond0:!xxx.yyy.zzz.0/24 192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7 180.233.131.7
masq:bond0:xxx.yyy.zzz.0/24 192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7 xxx.yyy.zzz.73
rules:ACCEPT+ inet:bond0:aaa.bbb.ccc.209 $FW tcp 179
rules:ACCEPT+ inet:bond0:xxx.yyy.zzz.253 $FW tcp 179
rules:ACCEPT+ inet:bond0:xxx.yyy.zzz.240 $FW tcp 179

So I tested with masq for bond0 disabled - Result =

Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing with:

hosts:inet bond0:0.0.0.0/0

- Result =

Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing without zone:pub - Result =

Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

I have also tested changing all the bond0 settings to eth2 - Result =

Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

So I think this proves my configuration as the issue, but no luck yet isolating it.

...
Success at last ...

hosts:#inet bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:inet bond0:0.0.0.0/1,128.0.0.0/1!180.233.128.0/23,180.233.131.0/24

Making just this change has removed the "WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces".

r...@nper-r1:~# iptables -L -n > black-fixed
r...@nper-r1:~# diff black-last black-fixed
147a148,164
> Chain blacklst (2 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/8            0.0.0.0/0
> DROP       all  --  10.0.0.0/8           0.0.0.0/0
> DROP       all  --  127.0.0.0/8          0.0.0.0/0
> DROP       all  --  169.254.0.0/16       0.0.0.0/0
> DROP       all  --  172.16.0.0/12        0.0.0.0/0
> DROP       all  --  192.0.0.0/24         0.0.0.0/0
> DROP       all  --  192.0.2.0/24         0.0.0.0/0
> DROP       all  --  192.88.99.0/24       0.0.0.0/0
> DROP       all  --  198.18.0.0/15        0.0.0.0/0
> DROP       all  --  198.51.100.0/24      0.0.0.0/0
> DROP       all  --  203.0.113.0/24       0.0.0.0/0
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  240.0.0.0/4          0.0.0.0/0
> DROP       all  --  255.255.255.255      0.0.0.0/0
>
176a194
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
182a201
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW

Can you see any unwanted side effects to the fixed setup?

Kind regards,
Trent O'Callaghan
Network Manager
www.nearmap.com

-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Thursday, 1 July 2010 9:29 PM
To: [email protected]
Subject: Re: [Shorewall-users] http://www.shorewall.net/FAQ.htm#faq84

On 6/30/10 11:22 PM, Trent O'Callaghan wrote:
> I have tested blacklist for the first time and have found an error with
> my configuration or a bug.
>
> Following http://www.shorewall.net/FAQ.htm#faq84 I place a blacklist
> entry against my external interface but Shorewall check gives:
>
> Checking /etc/shorewall/blacklist...
>    WARNING: The entries in /etc/shorewall/blacklist have been ignored
> because there are no 'blacklist' interfaces : /etc/shorewall/blacklist
> (line 15)
>
> Now where my configuration is different to most is my external
> interface is a bonded pair eth2 & eth5, so I tested adding an eth2
> blacklist entry to interfaces and the warning disappeared.
>
> Should I ignore the warning or should I put in interface entries for
> all interfaces that make up the bonded interface?

If you have 'blacklist' specified on any interface in /etc/shorewall/interfaces, you should not receive that warning message. So I would like you to:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -czf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz archive.

Be that as it may, you should not be describing eth2 and eth5 to Shorewall at all but rather should only mention the bondN device (e.g., 'bond0'); it is that device that should have the 'blacklist' option.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
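Two checks a practitioner would want to run on the fix discussed in this thread, as an added example that is not part of the thread and not Shorewall's own code. The first answers Trent's closing question for the hosts entry itself: it computes the address space matched by the original 0.0.0.0/0!... entry and by the split 0.0.0.0/1,128.0.0.0/1!... entry and confirms they are identical, so the exclusions still apply and no side effect appears at that level. The second parses an iptables -L -n listing and reports whether a populated blacklst chain exists and which chains jump to it, which is the same thing the diff above shows by hand. The listing embedded below is constructed in the format of the diff; the chain names bond0_in and bond1_in are made up for the sample and are not Shorewall's generated names.

```python
"""Checks for a Shorewall hosts-entry split and for a wired-up blacklst chain."""
import ipaddress
import re

# The two hosts-file network columns from the thread (original vs. fixed).
ORIGINAL_HOSTS = "0.0.0.0/0!180.233.128.0/23,180.233.131.0/24"
FIXED_HOSTS = "0.0.0.0/1,128.0.0.0/1!180.233.128.0/23,180.233.131.0/24"


def parse_hosts_spec(spec):
    """Split a Shorewall hosts column 'a,b!x,y' into (include, exclude) network lists."""
    inc, _, exc = spec.partition("!")
    include = [ipaddress.ip_network(n) for n in inc.split(",") if n]
    exclude = [ipaddress.ip_network(n) for n in exc.split(",") if n]
    return include, exclude


def effective_networks(spec):
    """Address space the entry matches, as a collapsed, sorted list of CIDR blocks."""
    include, exclude = parse_hosts_spec(spec)
    pieces = list(include)
    for exc in exclude:
        remaining = []
        for net in pieces:
            if net.subnet_of(exc):
                continue                                    # wholly excluded
            if exc.subnet_of(net):
                remaining.extend(net.address_exclude(exc))  # carve the hole out
            else:
                remaining.append(net)                       # disjoint, untouched
        pieces = remaining
    # collapse_addresses yields the unique minimal CIDR cover, so two entries
    # matching the same addresses produce the same list.
    return list(ipaddress.collapse_addresses(pieces))


def same_coverage(spec_a, spec_b):
    """True if both hosts entries match exactly the same addresses."""
    return effective_networks(spec_a) == effective_networks(spec_b)


def covers(spec, address):
    """True if the hosts entry matches the given address."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in effective_networks(spec))


# Constructed 'iptables -L -n' excerpt; chain names other than blacklst are invented.
IPTABLES_LISTING = """\
Chain blacklst (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/8            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0

Chain bond0_in (1 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain bond1_in (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_iptables_listing(text):
    """Map chain name -> list of (target, source, extra-match text) rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        fields = line.split(None, 5)            # target prot opt source dest [extra]
        extra = fields[5] if len(fields) > 5 else ""
        chains[current].append((fields[0], fields[3], extra))
    return chains


def blacklist_status(text):
    """Report whether blacklst exists, which sources it drops, and who jumps to it."""
    chains = parse_iptables_listing(text)
    dropped = [src for tgt, src, _ in chains.get("blacklst", []) if tgt == "DROP"]
    callers = sorted({name for name, rules in chains.items()
                      for tgt, _, _ in rules if tgt == "blacklst"})
    return {"present": "blacklst" in chains, "dropped": dropped, "callers": callers}


if __name__ == "__main__":
    print("same coverage:", same_coverage(ORIGINAL_HOSTS, FIXED_HOSTS))
    print(blacklist_status(IPTABLES_LISTING))
```

Run it against a real box with `iptables -L -n | python3 -c '...'` style piping, or simply paste the listing in; an empty `callers` list with `present` true means the chain was built but nothing jumps to it, which is the condition the diff's two `blacklst ... ctstate INVALID,NEW` lines rule out.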
