Hello!

With regard to the recommended settings in shorewall.conf:
TC_BITS=8
PROVIDER_OFFSET=8
PROVIDER_BITS=4
Is this best practice?
Initially, these parameters are not set.

Unfortunately I get an error when starting shorewall:
[...]
Mar 15 08:22:39    Finishing matrix...
Mar 15 08:22:39 Creating iptables-restore input...
Mar 15 08:22:39 Shorewall configuration compiled to /var/lib/shorewall/.start
Mar 15 08:22:39 Starting Shorewall....
Mar 15 08:22:39   ERROR: Can't determine the IP address of eth2
Mar 15 08:22:39   ERROR: Shorewall start failed: Firewall state not changed

I assume this is related to the network configuration where eth2 is bridged to vmbr2:
[...]
auto eth2
iface eth2 inet manual

auto vmbr2
iface vmbr2 inet static
        address  192.168.1.14
        netmask  255.255.255.0
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0

root@pc4-svp:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 74:d4:35:1a:f6:0f
          inet addr:217.xxx.xxx.xxx  Bcast:255.255.255.255  Mask:255.255.255.192
          inet6 addr: fe80::76d4:35ff:fe1a:f60f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20460 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1684356 (1.6 MiB)  TX bytes:8729 (8.5 KiB)
          Interrupt:20 Memory:f7d00000-f7d20000

eth1      Link encap:Ethernet  HWaddr 00:15:17:91:9c:b8
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Memory:f7c60000-f7c80000

eth2      Link encap:Ethernet  HWaddr 00:15:17:91:9c:b9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2306 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:335489 (327.6 KiB)  TX bytes:1260503 (1.2 MiB)
          Interrupt:17 Memory:f7c20000-f7c40000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:104 (104.0 B)  TX bytes:104 (104.0 B)

tap121i0  Link encap:Ethernet  HWaddr 46:f6:a2:8f:8e:10
          inet6 addr: fe80::44f6:a2ff:fe8f:8e10/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1740 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:991546 (968.3 KiB)  TX bytes:270132 (263.8 KiB)

vmbr0     Link encap:Ethernet  HWaddr f2:b4:7f:3d:67:f9
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f0b4:7fff:fe3d:67f9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1548 (1.5 KiB)

vmbr1     Link encap:Ethernet  HWaddr 00:15:17:91:9c:b8
          inet addr:10.1.0.1  Bcast:10.1.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmbr2     Link encap:Ethernet  HWaddr 00:15:17:91:9c:b9
          inet addr:192.168.178.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:17ff:fe91:9cb9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1389 errors:0 dropped:377 overruns:0 frame:0
          TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:123341 (120.4 KiB)  TX bytes:257435 (251.4 KiB)



Can you please advise?

THX


On 26.02.2016 at 20:46, Tom Eastep wrote:
On 02/24/2016 03:22 AM, c.mo...@web.de wrote:
Fair enough.
Defining /etc/shorewall/masq and /etc/shorewall/rules is not difficult.
But the problem starts
with /etc/shorewall/providers, /etc/shorewall/rtrules
and /etc/shorewall/interfaces.
And last but not least the setting of USE_DEFAULT_RT.
I see no reason why USE_DEFAULT_RT=Yes would not be appropriate.

You obviously have two providers -- one out of eth0 and one out of eth2.
Given that eth0 has a static IP address, I'm assuming that the gateway
is also static so just specify it in the providers entry.

I'll assume these settings in shorewall.conf.

TC_BITS=8
PROVIDER_OFFSET=8
PROVIDER_BITS=4

ISP1    1       0x100   eth0    <gateway1>        primary
ISP2    2       0x200   eth2    192.168.178.1   fallback

Your rtrules file will depend on how you want traffic routed. I assume
that 10.1.0.0/24 wants to route out of eth0, so you would have this entry:

10.1.0.0/24             -       ISP1    1000

Similarly, 192.168.178.0/24 wants to route out of ISP2:

192.168.178.0/24        -       ISP2    1000

The interfaces file will have the 'net' zone for both eth0 and eth2:

?FORMAT 2
net     eth0    dhcp,...
net     eth2    ...

-Tom
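The following is an added example, not Shorewall's own code and not part of either message above. It checks, offline, the two things the thread turns on: whether each provider's MARK fits inside the bit field that TC_BITS=8, PROVIDER_OFFSET=8 and PROVIDER_BITS=4 reserve for providers (bits 8-11, i.e. 0x100 and 0x200 are the smallest valid marks), and whether the INTERFACE named in each providers row will actually hold an IPv4 address according to the interfaces(5) file, or is only a bridge port like eth2 under vmbr2. The sample providers and interfaces(5) text is constructed from the thread; the eth0 address and the elided <gateway1> are assumed RFC 5737 documentation addresses, and the interfaces(5) parser only understands iface, address and bridge_ports lines.

```python
"""Offline consistency check for a Shorewall multi-ISP provider layout."""

# Constructed inputs (assumed values, not from a live system).
SHOREWALL_CONF = {"TC_BITS": 8, "PROVIDER_OFFSET": 8, "PROVIDER_BITS": 4}

PROVIDERS = """\
#NAME   NUMBER  MARK    INTERFACE   GATEWAY         OPTIONS
ISP1    1       0x100   eth0        203.0.113.1     primary
ISP2    2       0x200   eth2        192.168.178.1   fallback
"""

ETC_NETWORK_INTERFACES = """\
auto eth0
iface eth0 inet static
        address 203.0.113.10
        netmask 255.255.255.192

auto eth2
iface eth2 inet manual

auto vmbr2
iface vmbr2 inet static
        address  192.168.1.14
        netmask  255.255.255.0
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
"""


def mark_layout(conf):
    """(tc_mask, provider_mask) implied by shorewall.conf.

    TC_BITS=8 reserves bits 0-7 (0xff) for traffic-shaping classes;
    PROVIDER_OFFSET=8 plus PROVIDER_BITS=4 puts provider marks in bits 8-11 (0xf00).
    """
    tc_mask = (1 << conf["TC_BITS"]) - 1
    provider_mask = ((1 << conf["PROVIDER_BITS"]) - 1) << conf["PROVIDER_OFFSET"]
    return tc_mask, provider_mask


def parse_providers(text):
    """Rows of NAME NUMBER MARK INTERFACE GATEWAY [OPTIONS]; a MARK of '-' means none."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name, number, mark, iface, gateway = fields[:5]
        rows.append({"name": name, "number": int(number),
                     "mark": None if mark == "-" else int(mark, 0),
                     "interface": iface, "gateway": gateway,
                     "options": fields[5].split(",") if len(fields) > 5 else []})
    return rows


def parse_interfaces(text):
    """Minimal interfaces(5) parser: name -> {method, address, bridge_ports}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = {"method": words[3], "address": None, "bridge_ports": []}
            stanzas[words[1]] = current
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these lines are not part of an iface stanza
        elif current is not None and words[0] == "address":
            current["address"] = words[1]
        elif current is not None and words[0] == "bridge_ports":
            current["bridge_ports"] = words[1:]
    return stanzas


def address_bearer(iface, stanzas):
    """Interface that will actually carry iface's IPv4 address, or None.

    A port enslaved via some bridge's bridge_ports (and set 'inet manual')
    gets no address of its own; the bridge does.
    """
    own = stanzas.get(iface)
    if own and own["method"] in ("static", "dhcp"):
        return iface
    for name, st in stanzas.items():
        if iface in st["bridge_ports"] and st["method"] in ("static", "dhcp"):
            return name
    return None


def check_providers(providers_text, interfaces_text, conf):
    """Return a list of findings; an empty list means the layout is consistent."""
    _tc_mask, provider_mask = mark_layout(conf)
    stanzas = parse_interfaces(interfaces_text)
    findings, seen = [], set()
    for p in parse_providers(providers_text):
        mark, name, iface = p["mark"], p["name"], p["interface"]
        if mark is not None:
            if mark == 0 or mark & ~provider_mask:
                findings.append(f"{name}: MARK {mark:#x} does not fit provider field {provider_mask:#x}")
            elif mark in seen:
                findings.append(f"{name}: MARK {mark:#x} is already used by another provider")
            seen.add(mark)
        bearer = address_bearer(iface, stanzas)
        if bearer is None:
            findings.append(f"{name}: no stanza gives {iface} an IPv4 address")
        elif bearer != iface:
            findings.append(f"{name}: {iface} is a bridge port; its address lives on {bearer}")
    return findings


if __name__ == "__main__":
    for finding in check_providers(PROVIDERS, ETC_NETWORK_INTERFACES, SHOREWALL_CONF) or ["OK"]:
        print(finding)
```

Run against the constructed inputs it reports only ISP2, because eth2 is `inet manual` and appears in vmbr2's `bridge_ports`, so the address is on vmbr2. A mark such as 0x2000 or a mark reused by two providers is reported as a layout error before any interface is looked at.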


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users