On 5/6/11 7:34 PM, Mr Dash Four wrote:
> Another bug:
>
> tcdevices
> a:eth0 ...
> b:tun0 ...
>
> tcclasses
> a:11 ...
> b:21 ...
>
> 1.
> tcrules
> a:11 $FW 10.1.1.1 tcp 22
> b:21 $FW 10.1.1.1 tcp 22
>
> would not give me what I would like, i.e. traffic shaping through the
> appropriate eth0 class when the source ($FW) is eth0

When the source is $FW, there is no source interface.

> and traffic shaping
> through the appropriate tun0 class when the source ($FW) is tun0. An
> attempt to do the following:
>
> 2.
> tcrules
> a:11 eth0 10.1.1.1 tcp 22
> b:21 tun0 10.1.1.1 tcp 22
>
> Gives me 2 warnings: 1) "WARNING: Using an interface as the SOURCE in a
> T: rule requires the interface to be up and configured when Shorewall
> starts/restarts" for eth0 and 2) "WARNING: default route ignored on
> interface eth0", plus "ERROR: Unknown Interface (tun0)" (tun0 is UP and
> RUNNING with a valid IP address).
>
> In addition, shorewall, for some unknown bizarre reason, uses eth0's
> source address to create the CLASSIFY rule in tcpost, which is wrong
> (see below).
>
> "man shorewall-tcrules (SOURCE section)" says: "1. An interface name -
> matches traffic entering the firewall on the specified interface. May
> not be used in classify rules or in rules using the :T chain qualifier."
> which is another non-sensical self-imposed shorewall restriction.
>
> Shorewall translates "a:11 $FW 10.1.1.1 tcp 22" to "-A tcpost -p 6
> --dport 22 -s $source -d 10.1.1.1 -j CLASSIFY --set-class a:11" in the
> mangle table, where $source is picked up to be the source of the device
> in question (eth0).
>
> In order to use the second form (2. above) successfully the iptables
> statement needs to be replaced with the following (using eth0 as an
> example, but the same is valid for tun0 as well): "-A tcpost -p 6
> --dport 22 -o eth0 -d 10.1.1.1 -j CLASSIFY --set-class a:11" on the same
> table (mangle).

The two rules you want are:

a:11 $FW eth0:10.1.1.1 tcp 22
b:11 $FW tun0:10.1.1.1 tcp 22

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
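The mapping Tom's answer relies on (a $FW SOURCE has no input interface, so the outgoing interface goes on the DEST side as iface:address and becomes an `-o` match in the mangle table's tcpost chain), shown as an added illustrative translator. This is example code written for this thread, not Shorewall's own compiler; the `translate_tcrule` function, the protocol table and the class ids it is run on (taken from the tcclasses fragment in the question) are assumptions, and a plain $FW rule is emitted with no source match at all rather than with the eth0 address the question reports.

```python
import re
import ipaddress
from typing import List

# Constructed for this example: protocol names -> numbers ("-p 6" in the
# thread is tcp).  IPv4 only, since iface:address is split on ":".
PROTO_NUMBERS = {"tcp": 6, "udp": 17}


def translate_tcrule(line: str) -> List[str]:
    """Turn one tcrules line (MARK SOURCE DEST PROTO DPORT) into iptables
    arguments for the mangle table's tcpost chain.

    Only the $FW SOURCE is modelled: locally generated traffic has no
    input interface, so the outgoing interface must be named on the DEST
    side as iface:address, which becomes "-o iface".
    """
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected MARK SOURCE DEST PROTO DPORT: {line!r}")
    mark, source, dest, proto, dport = fields
    if not re.fullmatch(r"[0-9a-fA-F]+:[0-9a-fA-F]+", mark):
        raise ValueError(f"bad class id {mark!r}, expected major:minor")
    if source != "$FW":
        # The man page quoted in the thread forbids an interface name as
        # the SOURCE of a classify rule, so such lines are refused here.
        raise ValueError(f"unsupported SOURCE {source!r}; only $FW is handled")
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported PROTO {proto!r}")
    if not dport.isdigit() or not 0 < int(dport) < 65536:
        raise ValueError(f"bad DPORT {dport!r}")

    args = ["-A", "tcpost", "-p", str(PROTO_NUMBERS[proto]), "--dport", dport]
    if ":" in dest:
        # iface:address -> match on the output interface, never on a source
        # address, so eth0 and tun0 traffic land in different classes.
        out_iface, address = dest.split(":", 1)
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", out_iface):
            raise ValueError(f"bad interface name {out_iface!r}")
        args += ["-o", out_iface]
    else:
        address = dest
    ipaddress.ip_network(address, strict=False)  # raises on a bad address
    args += ["-d", address, "-j", "CLASSIFY", "--set-class", mark]
    return args


if __name__ == "__main__":
    # Class ids a:11 and b:21 as defined in the question's tcclasses.
    for rule in ("a:11 $FW eth0:10.1.1.1 tcp 22", "b:21 $FW tun0:10.1.1.1 tcp 22"):
        print("iptables -t mangle", " ".join(translate_tcrule(rule)))
```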
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
