On 12/17/2017 6:47 PM, Matt Darfeuille wrote:
> On 12/17/2017 6:01 PM, Tom Eastep wrote:
>> On 12/16/2017 10:50 AM, Matt Darfeuille wrote:
>>> Hi,
>>>
>>> If I set in /etc/shorewall/params:
>>>
>>> NET_IF=enp2s0
>>>
>>> and in /etc/shorewall/stoppedrules:
>>>
>>> ACCEPT net $FW:&$NET_IF tcp 22
>>>
>>> I get the following error while stopping Shorewall:
>>>
>>> $ shorewall debug stop
>>> Stopping Shorewall....
>>> Preparing iptables-restore input...
>>> Running debug_restore_input...
>>> Bad argument `6'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
>>> 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
>>> Terminated
>>>
>>> The address for the --destination option is missing.
>>
>> The real problem here is that the compiler should flag 'net' as invalid.
>> Zone names (other than $FW) aren't allowed in the stoppedrules file.
>> Or is 'net' actually the name of an interface?
>>
>> In my test case:
>>
>> Checking /home/teastep/test/stoppedrules...
>> ERROR: Unknown Interface (net) /home/teastep/test/stoppedrules (line 17)
>> teastep@debianvm:~/test$
>>
>
> What I meant was:
>
> ACCEPT $NET_IF $FW:&$NET_IF tcp 22
>
> I mixed up the syntax with the rules file, sorry!!! :)
>
Hi Tom,

My understanding is that it is allowed to specify an interface name in the firewall zone column of the stoppedrules file, e.g.:

ACCEPT enp2s0 $FW:&enp2s0 tcp 22

If yes, '$FW:&enp2s0' needs to also be specified in the rules file:

ACCEPT net $FW:&enp2s0 tcp 22

If I do 'shorewall start/reload' followed by stop it works as expected, but if I do:

$ shorewall debug clear
Clearing Shorewall....
Preparing iptables-restore input...
Running debug_restore_input...
Bad argument `6'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
Terminated

In other words: are there some restrictions on using '$FW:&intname' in the dest column of the stoppedrules file?

-Matt
--
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
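The failure in this thread is worth catching before iptables ever sees it: when `shorewall stop` or `shorewall clear` aborts part way through the restore input, the host is left with whatever rules were loaded up to that point, which is neither the running ruleset nor the intended stopped ruleset. The generated command shows the pattern clearly, an option that requires a value (`-d`) immediately followed by another option (`-p`), because the `&enp2s0` address variable expanded to an empty string. The following Python is an added example written for this thread, not Shorewall's own code and not part of the original mail; it scans an iptables command line or a whole iptables-restore input for options whose value is missing. The option table is an assumption (a subset of iptables options that take exactly one argument, enough for the rules shown here), and the second rule in the sample restore input is constructed for illustration.

```python
import shlex

# Assumption: a subset of iptables options that take exactly one argument.
# Extend this set for matches/targets used in your own ruleset.
OPTS_WITH_ARG = {
    "-t", "--table", "-A", "--append", "-I", "--insert", "-D", "--delete",
    "-s", "--source", "-d", "--destination", "-p", "--protocol",
    "-i", "--in-interface", "-o", "--out-interface", "-j", "--jump",
    "-m", "--match", "--dport", "--sport",
}


def find_missing_arguments(command):
    """Return the options in one iptables command line whose value is missing.

    A value is considered missing when the option is the last token or when
    the next token is itself an option (starts with '-').  For the command in
    the thread this returns ['-d']: the address from '&enp2s0' never made it
    into the command, so '-d' is directly followed by '-p'.
    """
    tokens = shlex.split(command)
    missing = []
    for idx, tok in enumerate(tokens):
        if tok not in OPTS_WITH_ARG:
            continue
        nxt = tokens[idx + 1] if idx + 1 < len(tokens) else None
        if nxt is None or nxt.startswith("-"):
            missing.append(tok)
    return missing


def check_restore_input(text):
    """Scan iptables-restore input and report (line_number, option) pairs.

    Table headers ('*filter'), chain declarations (':INPUT DROP [0:0]'),
    COMMIT lines, comments and blank lines carry no options and are skipped;
    every other line is treated as an iptables rule without the leading
    'iptables' word.  Run this over the restore input before feeding it to
    iptables-restore so a malformed rule aborts the check, not the firewall
    transition.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "*:#" or stripped == "COMMIT":
            continue
        for opt in find_missing_arguments(stripped):
            findings.append((lineno, opt))
    return findings


# Constructed sample restore input.  Line 3 is the failing rule from the
# thread (with the leading '/sbin/iptables --wait -t filter' removed);
# line 4 is a constructed healthy version with a made-up destination address.
SAMPLE_RESTORE_INPUT = "\n".join([
    "*filter",
    ":INPUT DROP [0:0]",
    "-A INPUT -s 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT",
    "-A INPUT -s 172.17.211.254 -d 172.17.211.1 -p 6 --dport 22 -i enp2s0 -j ACCEPT",
    "COMMIT",
])

# The exact command from the ERROR line in the thread.
FAILED_COMMAND = (
    "/sbin/iptables --wait -t filter -A INPUT -s 172.17.211.254 "
    "-d -p 6 --dport 22 -i enp2s0 -j ACCEPT"
)

if __name__ == "__main__":
    print("missing in failed command:", find_missing_arguments(FAILED_COMMAND))
    for lineno, opt in check_restore_input(SAMPLE_RESTORE_INPUT):
        print(f"line {lineno}: option {opt} has no argument")
```

The check is deliberately conservative: it flags only an option followed by nothing or by another option, so a rule with a genuinely empty expansion is reported while ordinary rules pass. Running it in the same pre-flight step that prepares the restore input turns "iptables aborted halfway through stop" into "stop refused to start", which is the safer failure mode for a rule that is supposed to keep SSH reachable while the firewall is down.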