Bottom-posting

On 12/16/2017 10:09 PM, Bill Shirley wrote:
> It should be without the &:
> ACCEPT net $FW:$NET_IF tcp 22
> 
> Bill
> 
> On 12/16/2017 1:50 PM, Matt Darfeuille wrote:
>> Hi,
>>
>> If I set in /etc/shorewall/params:
>>
>> NET_IF=enp2s0
>>
>> and in /etc/shorewall/stoppedrules:
>>
>> ACCEPT net $FW:&$NET_IF tcp 22
>>
>> I get the following error while stopping Shorewall:
>>
>> $ shorewall debug stop
>> Stopping Shorewall....
>> Preparing iptables-restore input...
>> Running debug_restore_input...
>> Bad argument `6'
>> Try `iptables -h' or 'iptables --help' for more information.
>>     ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
>> 172.17.211.254 -d  -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
>> Terminated
>>
>> The address for the --destination option is missing.
>>
>

According to:

http://shorewall.org/configuration_file_basics.htm#SOURCE-DEST

"7.
The primary IP address of eth0 in the $FW zone - $FW:&eth0 (see Run-time
Address Variables below)"

If I do not add ':&' I get the following:

"   ERROR: Destination Interface (enp2s0) not allowed when the
destination zone is the firewall /etc/shorewall/stoppedrules (line 15)"


Upon further testing, the error only arises when '$FW:&$NET_IF' is not
used, for instance, in the rules file, which is expected.

-Matt
-- 
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
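
Added example, not part of the thread and not Shorewall's own code: a shell check that scans generated iptables commands for a -s/-d option whose address is missing, which is the symptom in the failed command quoted above (`-d  -p 6`). The function name `check_addr_args` and the destination 192.0.2.1 in the passing sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample 1: the failing command from the error message above,
# joined onto one line. The destination address after -d is empty.
SAMPLE_BAD='/sbin/iptables --wait -t filter -A INPUT -s 172.17.211.254 -d  -p 6 --dport 22 -i enp2s0 -j ACCEPT'

# Constructed sample 2: the same rule with a placeholder destination
# (192.0.2.1 is a documentation address, not taken from the thread).
SAMPLE_OK='/sbin/iptables --wait -t filter -A INPUT -s 172.17.211.254 -d 192.0.2.1 -p 6 --dport 22 -i enp2s0 -j ACCEPT'

# check_addr_args: read iptables command lines on stdin and report every
# source/destination option that is followed by another option or by
# nothing at all. Exit status is 1 if any such option was found.
check_addr_args() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(-s|-d|--source|--destination|--src|--dst)$/) {
                nxt = (i < NF) ? $(i + 1) : ""
                # An address never starts with "-"; a following option
                # means the value was dropped before the command ran.
                if (nxt == "" || nxt ~ /^-/) {
                    printf "line %d: %s has no address\n", NR, $i
                    bad = 1
                }
            }
        }
    }
    END { exit (bad + 0) }
    '
}

# Stand-alone run: report on both samples without aborting the script.
printf '%s\n%s\n' "$SAMPLE_BAD" "$SAMPLE_OK" | check_addr_args || true
```

Running the same function over the output of a compiled stop script before deploying it catches an unresolved address variable without having to stop the firewall first.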