On 1/31/2018 8:24 AM, Bernard Drozd wrote:
> Hi,
> 
>>> DNS(ACCEPT)    $FW        net
>> This is superfluous given your policy '$FW net ACCEPT'.
> I corrected this in /etc/shorewall/rules by commenting this line.
>

Good.


>> From:
>> http://shorewall.org/manpages/shorewall-rules.html
>> "Warning
>> If you masquerade or use SNAT from a local system to the internet, you
>> cannot use an ACCEPT rule to allow traffic from the internet to that
>> system. You must use a DNAT rule instead."
>> EG:
>> DNAT net $FW tcp 22

As pointed out by Bill Shirley this is irrelevant to your issue.
Thus you don't need to DNAT from the net zone to the firewall zone.
What you had originally written is correct and shouldn't be changed! :)

> Unfortunately it doesn't work for me.
> It seems like my shorewall version (5.0.15.6 on newest Ubuntu) accepts
> only 'ACCEPT' in the /etc/shorewall/rules file.
> When I use 'DNAT' instead I receive an error:
> ela@akacja:~$ sudo shorewall check
> Checking using Shorewall 5.0.15.6...
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2340.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2356.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2370.

The warning is corrected in a later version of Shorewall! :)

> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/snat...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
>    ERROR: Invalid or missing server IP address /etc/shorewall/rules
> (line 53)
> 

This error is expected and you can safely
revert to using "ACCEPT net $FW ...".

-Matt
-- 
Matt Darfeuille
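An added example, not part of this thread or of Shorewall itself: a small linter that reads the ACTION/SOURCE/DEST columns of a rules file and a policy file and flags the two problems raised above, a DNAT rule whose DEST carries no server address (the "Invalid or missing server IP address" case) and a rule that merely repeats the policy already covering its zone pair. It assumes the firewall zone is written as $FW and that rules use the plain column layout shown in the thread.

```python
import re
FW_ZONE = "$FW"  # assumed: the firewall zone is written as $FW, as in the thread

def _fields(line, n):
    """First n columns of a config line; None for blank, comment or ?SECTION lines."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("?"):
        return None
    return tuple((body.split() + [""] * n)[:n])

def effective_action(action):
    """'DNS(ACCEPT):info' -> 'ACCEPT': macros resolve to their argument, log levels drop."""
    name = action.split(":", 1)[0].rstrip("+-")
    m = re.fullmatch(r"(\w+)(?:\((\w+)(?:,[^)]*)?\))?", name)
    return (m.group(2) or m.group(1)).upper() if m else name.upper()

def applicable_policy(policy_text, src, dest):
    """Policy for a zone pair: first matching row in file order; 'all' is a wildcard."""
    for row in (_fields(l, 3) for l in policy_text.splitlines()):
        if row and row[0] in (src, "all") and row[1] in (dest, "all"):
            return row[2].split(":", 1)[0].upper()
    return None

def check_rules(rules_text, policy_text=""):
    """[(line_no, message)]: DNAT without a server address, or a rule repeating the policy."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not (f := _fields(line, 3)):
            continue
        action, src, dest = f
        base = effective_action(action)
        if base == "DNAT" and ":" not in dest:
            hint = "; use ACCEPT for traffic to the firewall itself" if dest == FW_ZONE else ""
            findings.append((no, "DNAT needs DEST as zone:server-address" + hint))
        elif applicable_policy(policy_text, src, dest) == base:
            findings.append((no, f"superfluous: policy {src} {dest} {base} already applies"))
    return findings

# Constructed sample files mirroring the thread, not the poster's real configuration
RULES = """\
?SECTION NEW
DNS(ACCEPT)   $FW   net
DNAT          net   $FW            tcp   22
ACCEPT        net   $FW            tcp   22
DNAT          net   loc:10.0.0.5   tcp   80
"""
POLICY = """\
$FW   net   ACCEPT
net   all   DROP     info
"""
```

Running check_rules(RULES, POLICY) reports line 2 as superfluous and line 3 as a DNAT with no server address, while the ACCEPT rule to the firewall and the DNAT to an internal host pass.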

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users