# /sbin/shorewall version
4.4.18.2
# /sbin/shorewall status
Shorewall-4.4.18.2 Status at ws01 - Tue Apr 5 15:04:10 BST 2011
Shorewall is running
State:Started (Tue Apr 5 14:59:59 BST 2011) from /etc/shorewall/
# /sbin/shorewall show zones
Shorewall 4.4.18.2 Zones at ws01 - Tue Apr 5 15:10:01 BST 2011
fw (firewall)
net (ipv4)
+:0.0.0.0/0
General status
==============
Shorewall has been working fine, filtering as expected, external ssh and
other connections to the workstation working, all functions appear normal,
until I wanted to add a REDIRECT command so that ssh connections could
be made to the machine on tcp port 1234 in addition to the usual port 22.
Minimal rules file used in testing REDIRECT
===========================================
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 1234
REDIRECT net 22 tcp 1234
Observed behaviour
==================
1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
below:
# /sbin/shorewall restart
Compiling...
(lines omitted for clarity)
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Chains.pm line 862.
Restarting Shorewall....
Initializing...
(lines omitted for clarity)
done.
1a. Shorewall starts and functions normally, except REDIRECT does not
appear to be functional.
2. If, in shorewall.conf, I change OPTIMIZE=15 to OPTIMIZE=3, the error is no
longer reported, but REDIRECT is still non-functional.
3. Chain 'dnat' appears to be orphaned, i.e. it has 0 references:
# /sbin/shorewall show -t nat
Shorewall 4.4.18.2 nat Table at ws01 - Tue Apr 5 15:55:28 BST 2011

Counters reset Tue Apr 5 15:45:45 BST 2011

Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dnat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 redir ports 22
4. Other chains (/sbin/shorewall show) appear normal, but I can send them
if that would help.
Many thanks,
George
--
---------------------------------------------------------------------
George Cameron Email: [email protected]
School of Medical Sciences
College of Life Sciences & Medicine
University of Aberdeen
Foresterhill Fax: +44 (0)1224-552514
Aberdeen AB25 2ZD Telephone: +44 (0)1224-553210
Scotland, UK
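The symptom reported above (a REDIRECT rule that is present in the nat table but never matches) is the kind of thing worth checking mechanically after any compile error, since `shorewall show -t nat` happily lists the rule. The script below is an added example, not part of the post or of Shorewall: it parses the `iptables -nvL -t nat` listing format that `shorewall show -t nat` prints, walks the jump graph from the built-in chains, and reports chains that no packet can reach. It flags not only chains with "0 references" but also chains such as `net_dnat` that are referenced only from an unreachable chain. Both listings embedded in it are constructed for the example (the first is the one quoted in the post; the second is a hypothetical healthy table in which PREROUTING jumps to `dnat`); the function names are my own.

```python
"""Find unreachable chains and dead rules in an `iptables -t nat -nvL` listing.

Added example (not Shorewall code). Assumes the listing format printed by
`iptables -nvL` / `shorewall show -t nat`: a "Chain NAME (...)" header, a
column header line, then one rule per line.
"""
import re
from collections import deque

# Constructed sample 1: the nat table quoted in the post (dnat has 0 references).
ORPHANED_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dnat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 redir ports 22
"""

# Constructed sample 2 (hypothetical): the same table with PREROUTING -> dnat wired up.
HEALTHY_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 redir ports 22
"""

# "Chain NAME (policy ACCEPT ...)" for built-ins, "Chain NAME (N references)" for user chains.
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
# pkts bytes target prot opt in out source destination [match extras]; -v may print 32K etc.
RULE_LINE = re.compile(
    r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_nat_listing(text):
    """Return {chain: {"builtin": bool, "refs": int|None, "rules": [(target, proto, extras)]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            name, policy, refs = header.groups()
            current = chains[name] = {
                "builtin": policy is not None,
                "refs": None if refs is None else int(refs),
                "rules": [],
            }
            continue
        if current is None or line.lstrip().startswith("pkts"):
            continue  # column header or text before the first chain
        rule = RULE_LINE.match(line)
        if rule:
            current["rules"].append((rule.group(1), rule.group(2), rule.group(3).strip()))
    return chains


def reachable_chains(chains):
    """Chains reachable from a built-in chain by following jump targets (breadth-first)."""
    seen = set()
    queue = deque(name for name, chain in chains.items() if chain["builtin"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        for target, _proto, _extras in chains[name]["rules"]:
            if target in chains and target not in seen:  # target is a user chain, not e.g. REDIRECT
                queue.append(target)
    return seen


def unreachable_chains(chains):
    """Chains no packet can enter, even when their reference count is non-zero."""
    return sorted(set(chains) - reachable_chains(chains))


def dead_rules(chains):
    """Rules that live in unreachable chains and therefore never match."""
    return [(name, target, proto, extras)
            for name in unreachable_chains(chains)
            for target, proto, extras in chains[name]["rules"]]


if __name__ == "__main__":
    table = parse_nat_listing(ORPHANED_NAT_LISTING)
    for chain in unreachable_chains(table):
        print(f"unreachable chain: {chain} ({table[chain]['refs']} references)")
    for chain, target, proto, extras in dead_rules(table):
        print(f"  dead rule in {chain}: {target} {proto} {extras}")
```

Run against the quoted table it reports both `dnat` and `net_dnat` as unreachable and lists the REDIRECT rule as dead; against the healthy listing it reports nothing. The reachability walk is what matters: looking only at the "(N references)" count would have passed `net_dnat`, because its one reference comes from a chain that is itself orphaned.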
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users