Hi Tom and everyone,

After creating the capabilities file (KLUDGEFREE=yes), compiling shorewall now works fine, but my two shorewall-lite servers seem to just ignore all rules and the policies.

Setup as follows:

br0 with interfaces eth0 (net) and eth1 (loc)
eth2 (dmz)
br0 has no IP

Entries in file interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    pub     br0         -           bridge
    net     br0:eth0
    loc     br0:eth1
    dmz     eth2        detect

Entries in file zones:

    #ZONE     TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
    fw        firewall
    pub       ipv4
    net:pub   bport4
    loc:pub   bport4
    dmz       ipv4

Some entries from file rules:

    ACCEPT  dmz  fw   udp  161
    ACCEPT  dmz  fw   tcp  1311
    ACCEPT  net  loc  udp  8116
    ACCEPT  net  loc  tcp  80,443,8080
    ACCEPT  net  loc  ESP

I connected a laptop on port eth0 (net) and another laptop on port eth1. I tried to connect to some ports from net to loc that should get dropped, but they get accepted.

I already took a look at the log files on the shorewall-lite servers with "shorewall show log". The only content I receive is:

    Shorewall Lite 4.4.24.1 Log (/var/log/messages) at shwall01 - Mi 16. Nov 09:58:00 CET 2011

    Counters reset Mi 16. Nov 09:46:03 CET 2011

Any idea on this?

Best Regards
Alex

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 15 November 2011 16:12
To: [email protected]
Subject: Re: [Shorewall-users] shorewall bridging firewall set up

Thanks Tom, after copying the correct capabilities file everything works just fine!

Greetings
Alex

-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Tuesday, 15 November 2011 15:44
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall bridging firewall set up

On Tue, 2011-11-15 at 14:29 +0000, [email protected] wrote:

> But I'm actually getting another error:
>
> I'm running Centos 5.7 with iptables 1.3.5 And while compiling on the
> management system with the command:
> Shorewall load firewallDNSname

I really recommend running 'shorewall check .' until you get the configuration clean.

> I receive the error:
> ERROR: Your iptables is not recent enough to support bridge ports :
> /opt/shwallexport/fw01/interface (line 233)

You generate the capabilities file on the *firewall* system, and it is that system's iptables that is missing the "Repeat match" capability. In the capabilities file, it is listed as KLUDGEFREE.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
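As an added example (not from the post and not Shorewall's own code), the Python below walks a test connection through the rules quoted above in Shorewall's order, first matching rule and then the zone-pair policy, so the expected verdict for each connection between the two laptops can be written down before comparing it with what is observed. The policy file is an assumption, since the post does not show one, and the function names are invented for the example.

```python
# Walk a packet through Shorewall's rules-then-policy order for the posted bridge config.

# Rules quoted in the post (ACTION SOURCE DEST PROTO DEST-PORTS).
RULES_FILE = """
ACCEPT  dmz  fw   udp  161
ACCEPT  dmz  fw   tcp  1311
ACCEPT  net  loc  udp  8116
ACCEPT  net  loc  tcp  80,443,8080
ACCEPT  net  loc  ESP
"""
# The policy file is NOT in the post; this one is constructed as an assumption
# (net->loc DROP is what "should get dropped" implies).
POLICY_FILE = """
loc  net  ACCEPT
net  all  DROP
dmz  all  DROP
all  all  REJECT
"""

def _columns(text):
    """Whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        cols = line.split('#', 1)[0].split()
        if cols:
            yield cols

def parse_rules(text):
    """(action, source, dest, proto, ports); '-' proto or an empty port set means any."""
    rules = []
    for c in _columns(text):
        proto = c[3].lower() if len(c) > 3 else '-'
        ports = frozenset(int(p) for p in c[4].split(',')) if len(c) > 4 else frozenset()
        rules.append((c[0], c[1], c[2], proto, ports))
    return rules

def parse_policies(text):
    """(source, dest, policy) tuples in file order."""
    return [(c[0], c[1], c[2]) for c in _columns(text)]

RULES, POLICIES = parse_rules(RULES_FILE), parse_policies(POLICY_FILE)

def verdict(src, dst, proto, dport=0, rules=RULES, policies=POLICIES):
    """First matching rule wins; otherwise the first matching zone-pair policy."""
    proto = proto.lower()
    for action, rsrc, rdst, rproto, ports in rules:
        if (rsrc, rdst) == (src, dst) and rproto in ('-', proto) \
                and (not ports or dport in ports):
            return action
    for psrc, pdst, action in policies:
        if psrc in (src, 'all') and pdst in (dst, 'all'):
            return action
    return None  # no policy covers this zone pair
```

A connection that this evaluation says falls through to DROP but is accepted on the wire points to the compiled ruleset not being applied to the bridged traffic, rather than to a wrong rule entry.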
