Another bug:

tcdevices
    a:eth0 ...
    b:tun0 ...

tcclasses
    a:11 ...
    b:21 ...

1. tcrules
    a:11 $FW 10.1.1.1 tcp 22
    b:21 $FW 10.1.1.1 tcp 22

would not give me what I would like, i.e. traffic shaping through the appropriate eth0 class when the source ($FW) is eth0 and traffic shaping through the appropriate tun0 class when the source ($FW) is tun0.

An attempt to do the following:

2. tcrules
    a:11 eth0 10.1.1.1 tcp 22
    b:21 tun0 10.1.1.1 tcp 22

gives me 2 warnings:

1) "WARNING: Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when Shorewall starts/restarts" for eth0, and
2) "WARNING: default route ignored on interface eth0",

plus "ERROR: Unknown Interface (tun0)" (tun0 is UP and RUNNING with a valid IP address).

In addition, shorewall, for some unknown bizarre reason, uses eth0's source address to create the CLASSIFY rule in tcpost, which is wrong (see below).

"man shorewall-tcrules" (SOURCE section) says:

    "1. An interface name - matches traffic entering the firewall on the specified interface. May not be used in classify rules or in rules using the :T chain qualifier."

which is another non-sensical self-imposed shorewall restriction.

Shorewall translates "a:11 $FW 10.1.1.1 tcp 22" to

    -A tcpost -p 6 --dport 22 -s $source -d 10.1.1.1 -j CLASSIFY --set-class a:11

in the mangle table, where $source is picked up to be the source of the device in question (eth0). In order to use the second form (2. above) successfully, the iptables statement needs to be replaced with the following (using eth0 as an example, but the same is valid for tun0 as well), on the same table (mangle):

    -A tcpost -p 6 --dport 22 -o eth0 -d 10.1.1.1 -j CLASSIFY --set-class a:11

I have tried both statements (to replace the complete nonsense shorewall puts in the tcpost chain) successfully and it works, so I think the man page as well as the building of that construct should be amended accordingly.
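The following is an added example, not code from the post above or from Shorewall: one helper builds the tcpost CLASSIFY rule in the egress-device (-o) form the poster found to work, and a second reads rules in `iptables -S` form and flags CLASSIFY rules that select on a source address instead of a device. The addresses, devices and sample chain contents are constructed values.

```sh
#!/bin/sh
# Added example; not code from the original post or from Shorewall itself.
#   classify_rule  builds the mangle/tcpost CLASSIFY rule in the form the post
#                  found to work: match on the egress device (-o), not on the
#                  device's source address (-s).
#   audit_tcpost   reads rules as `iptables -t mangle -S tcpost` prints them and
#                  labels each CLASSIFY rule by how it selects traffic.
# All addresses, devices and rules below are constructed sample values.

# Protocol number as it appears in the generated rule (tcp -> 6).
proto_num() {
    case "$1" in
        tcp)  echo 6 ;;
        udp)  echo 17 ;;
        icmp) echo 1 ;;
        *)    echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# classify_rule CLASS DEVICE DEST PROTO DPORT
# e.g. classify_rule a:11 eth0 10.1.1.1 tcp 22
classify_rule() {
    pnum=$(proto_num "$4") || return 1
    echo "-A tcpost -p $pnum --dport $5 -o $2 -d $3 -j CLASSIFY --set-class $1"
}

# audit_tcpost < rules : one line per CLASSIFY rule, prefixed DEVICE when it
# matches on -o, ADDRESS when it matches on -s only, NOSRC when it has neither.
audit_tcpost() {
    while IFS= read -r rule; do
        case "$rule" in
            *CLASSIFY*)
                case "$rule" in
                    *" -o "*) echo "DEVICE  $rule" ;;
                    *" -s "*) echo "ADDRESS $rule" ;;
                    *)        echo "NOSRC   $rule" ;;
                esac ;;
        esac
    done
}

# Constructed sample chain: the first rule is the address-based form the post
# complains about, the second the device-based form that works.
SAMPLE_TCPOST='-N tcpost
-A tcpost -p 6 --dport 22 -s 192.0.2.1 -d 10.1.1.1 -j CLASSIFY --set-class a:11
-A tcpost -p 6 --dport 22 -o tun0 -d 10.1.1.1 -j CLASSIFY --set-class b:21'

# Number of CLASSIFY rules in the sample that still select on a source address.
count_address_rules() {
    printf '%s\n' "$SAMPLE_TCPOST" | audit_tcpost | grep -c '^ADDRESS'
}

printf '%s\n' "$SAMPLE_TCPOST" | audit_tcpost
classify_rule a:11 eth0 10.1.1.1 tcp 22
```

On a live system, feed `iptables -t mangle -S tcpost` into audit_tcpost to see which classes are still keyed on an address rather than a device.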
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
