Tom Eastep | 1 Apr 16:13 2008

Re: shorewall configuration problem

Tom Hendrickx wrote:
> Hi everyone!
> 
> I've been setting up a leaf system with shorewall on it, but it doesn't 
> really work. I've followed the next steps to configure it:
> 
> www.shorewall.net/3.0/NewBridge.html
> 
> this with a few modification because both interface are in the local 
> network : loc and the idea is to have a server on one side and an 
> ordinary computer accessing the server for instance only by port:80
> btw : this is only for testing purposes
> 
> As attachment I've included the trace..

From the trace:

    ERROR: Invalid zone definition for zone loc

That error means that you are either:

a) trying to define the zone 'loc' in both the /etc/shorewall/interfaces and 
/etc/shorewall/hosts files

	interfaces

	loc	br0	...

	hosts


Tom Hendrickx | 1 Apr 16:24 2008

Re: shorewall configuration problem

Hi,

Quoting Tom Eastep <teastep <at> shorewall.net>:

> Tom Hendrickx wrote:
>> Hi everyone!
>>
>> I've been setting up a leaf system with shorewall on it, but it 
>> doesn't really work. I've followed the next steps to configure it:
>>
>> www.shorewall.net/3.0/NewBridge.html
>>
>> this with a few modification because both interface are in the local 
>> network : loc and the idea is to have a server on one side and an 
>> ordinary computer accessing the server for instance only by port:80
>> btw : this is only for testing purposes
>>
>> As attachment I've included the trace..
>
> From the trace:
>
>    ERROR: Invalid zone definition for zone loc
>
> That error means that you are either:
>
> a) trying to define the zone 'loc' in both the 
> /etc/shorewall/interfaces and /etc/shorewall/hosts files

Tom Eastep | 1 Apr 16:36 2008

Re: shorewall configuration problem

Tom Hendrickx wrote:

> 
> my entries are almost exactly  like in the example
> www.shorewall.net/3.0/NewBridge.html
> only in the hosts I've not used any exceptions
> and for interfaces I've used standard options out of leaf and followed
> www.shorewall.net/SimpleBridge.html

You can't mix and match between those two articles and expect it to work. 
You either need to restrict connections through your bridge or you don't -- 
there's no middle ground.

> 
> 
> My interfaces file looks like this:
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> loc     br0             192.168.1.255   routeback,dhcp,routefilter,norfc1918
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> and my hosts file like this:
> #ZONE   HOST(S)                                 OPTIONS
> loc     br0:192.168.1.0/24
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> thx for the reply!

That configuration makes no sense and Shorewall is telling you that. The 
entry in /etc/shorewall/hosts is redundant since you have already defined 
the 'loc' zone to include ALL hosts routed through br0. What possible value 

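A check for the redundancy described in the reply above, added here as an example and not part of any post in the thread or of Shorewall itself: it lists every hosts entry whose zone and interface are already paired in the interfaces file. The function names and temporary paths are made up for the example; the sample input is the configuration quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find /etc/shorewall/hosts entries that
# re-define a zone on an interface already bound to it in .../interfaces.

# find_redundant_hosts INTERFACES_FILE HOSTS_FILE
# Prints "zone interface host-spec" for each redundant hosts entry.
find_redundant_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        FILENAME == ARGV[1] {                   # first file: interfaces
            # "-" in the ZONE column means no zone is bound to the interface
            if ($1 != "-") bound[$1 SUBSEP $2] = 1
            next
        }
        {                                       # second file: hosts
            split($2, part, ":")                # HOST(S) is interface:address
            if (($1 SUBSEP part[1]) in bound) print $1, part[1], $2
        }
    ' "$1" "$2"
}

# Sample input: the two files as posted in the thread, written to directory $1.
write_thread_sample() {
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     br0             192.168.1.255   routeback,dhcp,routefilter,norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
    cat > "$1/hosts" <<'EOF'
#ZONE   HOST(S)                                 OPTIONS
loc     br0:192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
EOF
}

tmp=$(mktemp -d)
write_thread_sample "$tmp"
find_redundant_hosts "$tmp/interfaces" "$tmp/hosts"
rm -rf "$tmp"
```

On a live system the two arguments would be /etc/shorewall/interfaces and /etc/shorewall/hosts; empty output means no hosts entry duplicates a zone/interface pairing.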
