On 12/20/2012 08:58 AM, Radoslaw Kamil Ejsmont wrote:
> Thanks! This sets up traffic like I want it. The only thing left -
> tunnels complain about zone net:
>
> # shorewall check -r /etc/shorewall.testing
> Checking...
> Processing /etc/shorewall.testing/params ...
> Processing /etc/shorewall.testing/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall.testing/zones...
> Checking /etc/shorewall.testing/interfaces...
> Checking /etc/shorewall.testing/hosts...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /usr/share/shorewall/action.Drop for chain Drop...
> Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Checking /usr/share/shorewall/action.Invalid for chain Invalid...
> Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
> Checking /usr/share/shorewall/action.Reject for chain Reject...
> Checking /etc/shorewall.testing/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall.testing/providers...
> Checking /etc/shorewall.testing/tcrules...
> Checking /etc/shorewall.testing/masq...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall.testing/rules...
> Checking /etc/shorewall.testing/tunnels...
> ERROR: Invalid tunnel ZONE (net) : /etc/shorewall.testing/tunnels (line 16)
>
> If I replace it with world, it works fine, but tunnel rules (placed in
> world2fw) will never be processed:
>
> -A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
> -A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
> -A lan_in -p udp --dport 67:68 -j ACCEPT
> -A lan_in -p tcp -j tcpflags
> -A lan_in -m physdev --physdev-in eth0 -j eth0_in
> -A lan_in -m physdev --physdev-in vf-ssw-vpn -j vpn2fw
> -A lan_in -j world2fw
>
> -A eth0_in -m conntrack --ctstate NEW,INVALID -j dynamic
> -A eth0_in -s 192.168.0.0/24 -j lan2fw
> -A eth0_in -j net2fw
>
> -A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A net2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
> -A net2fw -p 6 --dport 636 -j ACCEPT -m comment --comment "LDAPS"
> -A net2fw -p 17 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
> -A net2fw -j Reject
> -A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:REJECT:"
> -A net2fw -g reject
>
> -A world2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A world2fw -p udp --dport 2001 -s 85.214.209.171 -j ACCEPT
> -A world2fw -p udp --dport 2002 -s 85.214.204.137 -j ACCEPT
> -A world2fw -p udp --dport 1194 -j ACCEPT
> -A world2fw -j Reject
>
> I guess unless I specify policy net -> fw CONTINUE, right?
>

That's correct.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
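The configuration the thread implies, written out as an added example (not the poster's files and not Shorewall's own documentation): a bridge interface `lan` carries the parent zone `world`, the bridge ports `eth0` and `vf-ssw-vpn` are split into the nested zones `lan`, `net` and `vpn` in the hosts file, the tunnels are defined against the parent zone `world`, and a `net fw CONTINUE` policy lets traffic that matches nothing in `net2fw` fall through to `world2fw` so the tunnel ACCEPT rules are reached. Zone names, the interface name and the addresses come from the ruleset quoted above; the zone nesting, the file layout and the choice of the plain `openvpn` tunnel type (which generates `--dport` matches in both directions, matching the quoted `world2fw` rules) are assumptions.

```text
# /etc/shorewall/zones        (assumed reconstruction, not the poster's file)
#ZONE        TYPE
fw           firewall
world        ipv4
lan:world    ipv4          # sub-zones of world: a policy for world
net:world    ipv4          # applies to all three unless overridden
vpn:world    ipv4

# /etc/shorewall/interfaces
#ZONE        INTERFACE     BROADCAST    OPTIONS
world        lan           -            bridge   # lan is the bridge device

# /etc/shorewall/hosts
#ZONE        HOST(S)                     OPTIONS
lan          lan:eth0:192.168.0.0/24     # -> eth0_in -s 192.168.0.0/24 -j lan2fw
net          lan:eth0                    # -> eth0_in -j net2fw (everything else on eth0)
vpn          lan:vf-ssw-vpn              # -> lan_in --physdev-in vf-ssw-vpn -j vpn2fw

# /etc/shorewall/policy
#SOURCE      DEST          POLICY       LOG
net          fw            CONTINUE     # no match in net2fw? keep going to world2fw
world        fw            REJECT       info
fw           all           ACCEPT
all          all           REJECT       info

# /etc/shorewall/tunnels
# The ZONE column must be world here; naming the sub-zone net gives
# "ERROR: Invalid tunnel ZONE (net)" as shown in the thread.
#TYPE                  ZONE     GATEWAY            GATEWAY_ZONE
openvpn:udp:2001       world    85.214.209.171
openvpn:udp:2002       world    85.214.204.137
openvpn:udp:1194       world    0.0.0.0/0
```

Without the CONTINUE line, `net2fw` ends in its REJECT policy and the tunnel rules in `world2fw` are unreachable for hosts in `net`; with it, `shorewall check` output for `net2fw` should no longer end in `Reject`/`LOG`/`reject` but fall through, and `shorewall show net2fw` and `shorewall show world2fw` on the running firewall confirm which chain accepts the OpenVPN traffic.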
