On 03/15/2016 12:51 AM, Thomas Schneider wrote:
> Hello!
> 
> With regards to the recommended settings in shorewall.conf
> TC_BITS=8
> PROVIDER_OFFSET=8
> PROVIDER_BITS=4
> is this a best-practice?
> Because initially the parameters are not set.

They are not set for historical reasons -- by setting them as shown
above, you are reserving 8 bits for future traffic shaping configuration.
> 
> Unfortunately I get an error when starting shorewall:
> [...]
> Mar 15  8:22:39    Finishing matrix...
> Mar 15  8:22:39 Creating iptables-restore input...
> Mar 15  8:22:39 Shorewall configuration compiled to
> /var/lib/shorewall/.start
> Mär 15 08:22:39 Starting Shorewall....
> Mär 15 08:22:39   ERROR: Can't determine the IP address of eth2
> Mär 15 08:22:39   ERROR:Shorewall start failed:Firewall state not changed
> 
> I assume this is related to the network configuration where eth2 is
> bridged to vmbr2:
> [...]
> auto eth2
> iface eth2 inet manual
> 
> auto vmbr2
> iface vmbr2 inet static
>         address  192.168.1.14
>         netmask  255.255.255.0
>         bridge_ports eth2
>         bridge_stp off
>         bridge_fd 0
> 
> root@pc4-svp:~# ifconfig
> eth0      Link encap:Ethernet  Hardware Adresse 74:d4:35:1a:f6:0f
>           inet Adresse:217.xxx.xxx.xxx  Bcast:255.255.255.255 
> Maske:255.255.255.192
>           inet6-Adresse: fe80::76d4:35ff:fe1a:f60f/64
> Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX packets:20460 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX bytes:1684356 (1.6 MiB)  TX bytes:8729 (8.5 KiB)
>           Interrupt:20 Speicher:f7d00000-f7d20000
> 
> eth1      Link encap:Ethernet  Hardware Adresse 00:15:17:91:9c:b8
>           UP BROADCAST MULTICAST  MTU:1500  Metrik:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>           Interrupt:16 Speicher:f7c60000-f7c80000
> 
> eth2      Link encap:Ethernet  Hardware Adresse 00:15:17:91:9c:b9
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX packets:2306 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2293 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX bytes:335489 (327.6 KiB)  TX bytes:1260503 (1.2 MiB)
>           Interrupt:17 Speicher:f7c20000-f7c40000
> 
> lo        Link encap:Lokale Schleife
>           inet Adresse:127.0.0.1  Maske:255.0.0.0
>           inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
>           UP LOOPBACK RUNNING  MTU:65536  Metrik:1
>           RX packets:1 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX bytes:104 (104.0 B)  TX bytes:104 (104.0 B)
> 
> tap121i0  Link encap:Ethernet  Hardware Adresse 46:f6:a2:8f:8e:10
>           inet6-Adresse: fe80::44f6:a2ff:fe8f:8e10/64
> Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metrik:1
>           RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1740 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:500
>           RX bytes:991546 (968.3 KiB)  TX bytes:270132 (263.8 KiB)
> 
> vmbr0     Link encap:Ethernet  Hardware Adresse f2:b4:7f:3d:67:f9
>           inet Adresse:10.0.0.1  Bcast:10.0.0.255  Maske:255.255.255.0
>           inet6-Adresse: fe80::f0b4:7fff:fe3d:67f9/64
> Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX bytes:0 (0.0 B)  TX bytes:1548 (1.5 KiB)
> 
> vmbr1     Link encap:Ethernet  Hardware Adresse 00:15:17:91:9c:b8
>           inet Adresse:10.1.0.1  Bcast:10.1.0.255  Maske:255.255.255.0
>           UP BROADCAST MULTICAST  MTU:1500  Metrik:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> 
> vmbr2     Link encap:Ethernet  Hardware Adresse 00:15:17:91:9c:b9
>           inet Adresse:192.168.178.10  Bcast:192.168.1.255 
> Maske:255.255.255.0
>           inet6-Adresse: fe80::215:17ff:fe91:9cb9/64
> Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX packets:1389 errors:0 dropped:377 overruns:0 frame:0
>           TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX bytes:123341 (120.4 KiB)  TX bytes:257435 (251.4 KiB)
> 
> 
> 
> Can you please advise?

Then use vmbr2 as the interface for that provider rather than eth2 since
it is the bridge that has an IP address.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
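
A pre-flight check for the situation in this thread, as an added example that is not part of the original messages or of Shorewall: given a Debian ifupdown `interfaces` file, it reports which interface actually carries the IPv4 address, so that a bridge port such as eth2 resolves to its bridge. The function names `provider_iface` and `sample_interfaces` are hypothetical, and only statically configured addresses are considered.

```shell
#!/bin/sh
# Added example (not Shorewall code): find the interface a provider entry
# should name when the requested one may be an address-less bridge port.

# sample_interfaces: the stanzas quoted in the thread, embedded for an offline run.
sample_interfaces() {
    cat <<'EOF'
auto eth2
iface eth2 inet manual

auto vmbr2
iface vmbr2 inet static
        address  192.168.1.14
        netmask  255.255.255.0
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
EOF
}

# provider_iface FILE IFACE
# Prints IFACE if it has a static IPv4 address in FILE, otherwise the bridge
# that enslaves IFACE and has one. Returns 1 if neither is found.
provider_iface() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                               # skip comments
        $1 == "iface" { cur = $2; fam = $3; next }        # new stanza
        cur == "" { next }
        $1 == "address" && fam == "inet" { addr[cur] = $2 }
        $1 == "bridge_ports" || $1 == "bridge-ports" {
            for (i = 2; i <= NF; i++) master[$i] = cur    # port -> bridge
        }
        END {
            if (want in addr) { print want; exit 0 }
            if ((want in master) && (master[want] in addr)) {
                print master[want]; exit 0
            }
            exit 1
        }
    ' "$1"
}

# Demo on the embedded sample: eth2 has no address, its bridge does.
tmp=$(mktemp)
sample_interfaces > "$tmp"
provider_iface "$tmp" eth2    # prints vmbr2
rm -f "$tmp"
```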
