On 05/23/2013 12:54 PM, [email protected] wrote:
> Hello,
> 
> I have a setup which worked without a problem on Debian squeeze
> (shorewall 4.4.11.6-3) and now doesn't work any more on Debian wheezy
> (shorewall 4.5.5.3-3).
> 
> The setup includes 2 bridges: br0, which bridges to eth0, and br1, which
> bridges all virtual machines in a virtual LAN.
> 
>> brctl show
> 
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.001517ee821c       no              eth0
> br1             8000.fe54365c6402       no              vnet0
>                                                         vnet1
>                                                         vnet2
> 
> If I try to ping/connect to the LAN machines I get drops.
> 
> Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2
> MAC=52:54:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.12.10.5
> DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=2686 SEQ=187
> 
> 
> /etc/shorewall/policy
> .....
> lan                   $FW                     ACCEPT          info
> lan                   net                     ACCEPT          info
> lan                   lan                     ACCEPT          info
> ....
> 
> 
> /etc/shorewall/shorewall.conf
> ....
> #this is set to Keep on squeeze and it is working
> IP_FORWARDING=Yes
> ....
> 
> /etc/sysctl.conf
> ....
> net.ipv4.ip_forward=1
> ....
> 
> 
> It's quite strange because, as I said before, the same setup works for
> me on squeeze (I am deploying with puppet).
> 
> If I disable filtering the virtual machines can ping each other.
> /etc/sysctl.conf
> ....
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
> ....
> 
> Any ideas?

Add the 'routeback' option for br1 in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature
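Tom's fix is a one-word change to /etc/shorewall/interfaces. The script below is an added example, not part of this thread and not Shorewall code: it parses FORWARD drop lines like the one quoted above, flags those where IN and OUT name the same interface (traffic between two ports of one bridge, which only reaches iptables because net.bridge.bridge-nf-call-iptables=1), and checks a four-column interfaces file for the routeback option on the affected interface. The sample log lines, the interfaces file contents and all function names are constructed for the example.

```python
import re
from typing import Any, Dict, List, Optional, Set

# Constructed sample log: the FORWARD drop quoted in the thread (MAC shortened),
# plus one forward between two different bridges for contrast.
SAMPLE_LOG = """\
Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2 MAC=52:54:36:xx:xx:xx SRC=10.12.10.5 DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2686 SEQ=187
Shorewall:FORWARD:DROP:IN=br1 OUT=br0 PHYSIN=vnet1 SRC=10.12.10.3 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 PROTO=TCP SPT=5000 DPT=443
"""

# Constructed /etc/shorewall/interfaces in the classic four-column format
# (ZONE INTERFACE BROADCAST OPTIONS); br1 has no routeback option.
INTERFACES_BEFORE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     br0         detect      dhcp
lan     br1         detect
"""

# The same file with Tom's suggested change applied to br1.
INTERFACES_AFTER = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     br0         detect      dhcp
lan     br1         detect      routeback
"""

_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, Any]]:
    """Split a Shorewall/netfilter log line into chain, disposition and key=value fields.
    A key that repeats (ID= is both the IP header id and the ICMP echo id) keeps the
    last value; bare flags such as DF carry no '=' and are ignored."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = {k: v for k, v in _KV.findall(m.group("rest"))}
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), "fields": fields}


def hairpin_drops(log_text: str) -> List[Dict[str, Any]]:
    """Return dropped packets that entered and would have left through the same interface.
    On a bridge with bridge-nf-call-iptables=1 that is port-to-port traffic, which
    Shorewall only forwards when the interface carries the routeback option."""
    found = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        f = rec["fields"]
        if f.get("IN") and f.get("IN") == f.get("OUT"):
            found.append(rec)
    return found


def interface_options(interfaces_text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of options from a four-column interfaces file.
    Comment lines, blank lines and '?' directives are skipped; '-' means no options."""
    opts: Dict[str, Set[str]] = {}
    for raw in interfaces_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        cols = line.split()
        if len(cols) < 2:
            continue
        options = cols[3] if len(cols) > 3 and cols[3] != "-" else ""
        opts[cols[1]] = {o for o in options.split(",") if o}
    return opts


def interfaces_missing_routeback(log_text: str, interfaces_text: str) -> List[str]:
    """Interfaces that show hairpin drops in the log but lack routeback in the config."""
    opts = interface_options(interfaces_text)
    missing: List[str] = []
    for rec in hairpin_drops(log_text):
        iface = rec["fields"]["IN"]
        if "routeback" not in opts.get(iface, set()) and iface not in missing:
            missing.append(iface)
    return missing


if __name__ == "__main__":
    for rec in hairpin_drops(SAMPLE_LOG):
        f = rec["fields"]
        print(f"hairpin drop on {f['IN']}: {f.get('PHYSIN')} -> {f.get('PHYSOUT')}, "
              f"{f['SRC']} -> {f['DST']} proto {f.get('PROTO')}")
    print("needs routeback:", interfaces_missing_routeback(SAMPLE_LOG, INTERFACES_BEFORE))
    print("after fix:", interfaces_missing_routeback(SAMPLE_LOG, INTERFACES_AFTER))
```

The script reports br1 against INTERFACES_BEFORE and nothing against INTERFACES_AFTER. The difference between the two remedies in the thread is worth keeping in mind: setting net.bridge.bridge-nf-call-iptables=0, as the original poster did, stops bridged frames from traversing iptables at all, so the lan-to-lan policy (and its logging) no longer applies between the virtual machines; adding routeback keeps that traffic under Shorewall's control while allowing it to leave through the interface it arrived on.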

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
