Re: [Shorewall-users] First experience (next)

2015-09-18 Thread Tom Eastep
On 09/18/2015 11:51 AM, Ob Noxious wrote: > On Mon, Sep 14, 2015 at 4:33 AM, Tom Eastep > wrote: > > Now... > Shell# ip link add name vbridge type bridge (or : brctl addbr vbridge) > Shell# ip link set dev vbridge address 00:11:22:33:44:55 up > > => Everything works

Re: [Shorewall-users] First experience (next)

2015-09-18 Thread Ob Noxious
On Mon, Sep 14, 2015 at 4:33 AM, Tom Eastep wrote: > Shell# ip link add name ${iface} ${macaddr} type bridge > > Shell# ip link set dev ${iface} up promisc on > > That's the problem > > > Shell# brctl setfd ${iface} 2 > Dear dear dear! I've solved the problem and it was a really NASTY one! N

Re: [Shorewall-users] First experience (next)

2015-09-16 Thread Ob Noxious
On Wed, Sep 16, 2015 at 7:51 PM, Tom Eastep wrote: I've been running containers for three years now and have never had to > place the bridge in promiscuous mode to give the containers full > internet access. > I would like that too but currently, I can't figure a way to achieve this. > I can o

Re: [Shorewall-users] First experience (next)

2015-09-16 Thread Tom Eastep
On 09/15/2015 03:42 PM, Ob Noxious wrote: > On Tue, Sep 15, 2015 at 6:00 PM, Tom Eastep > wrote: > > > Maybe I'm missing something but how can I expect the LXC containers to > > reach any OTHER host other than the one the containers are running on? > > >

Re: [Shorewall-users] First experience (next)

2015-09-15 Thread Ob Noxious
On Tue, Sep 15, 2015 at 6:00 PM, Tom Eastep wrote: > Maybe I'm missing something but how can I expect the LXC containers to > > reach any OTHER host other than the one the containers are running on? > > > > Without the promiscuous mode, containers can only see each other and the > > host but nothi

Re: [Shorewall-users] First experience (next)

2015-09-15 Thread Tom Eastep
On 9/15/2015 8:30 AM, Ob Noxious wrote: > On Mon, Sep 14, 2015 at 4:33 AM, Tom Eastep > wrote: > > > Shell# ip link add name ${iface} ${macaddr} type bridge > > Shell# ip link set dev ${iface} up promisc on > > That's the problem > > > Maybe I'm mi

Re: [Shorewall-users] First experience (next)

2015-09-15 Thread Ob Noxious
On Mon, Sep 14, 2015 at 4:33 AM, Tom Eastep wrote: > Shell# ip link add name ${iface} ${macaddr} type bridge > > Shell# ip link set dev ${iface} up promisc on > > That's the problem > Maybe I'm missing something but how can I expect the LXC containers to reach any OTHER host other than the o

Re: [Shorewall-users] First experience (next)

2015-09-13 Thread Tom Eastep
On 9/13/2015 6:10 PM, Ob Noxious wrote: > On Sun, Sep 13, 2015 at 11:36 PM, Tom Eastep > wrote: > > > If you need more information, don't hesitate to ask. Thank you very much > > for trying to help with the case. > > It looks to me as if either the bridg

Re: [Shorewall-users] First experience (next)

2015-09-13 Thread Ob Noxious
On Sun, Sep 13, 2015 at 11:36 PM, Tom Eastep wrote: > If you need more information, don't hesitate to ask. Thank you very much > > for trying to help with the case. > > It looks to me as if either the bridge is mis-behaving or the traffic is > being sent with the broadcast L2 address. > > Please

Re: [Shorewall-users] First experience (next)

2015-09-13 Thread Tom Eastep
On 9/12/2015 4:01 PM, Ob Noxious wrote: > On Tue, Sep 8, 2015 at 8:24 PM, Tom Eastep > wrote: > > Please forward the output of 'shorewall dump' collected as described at > http://www.shorewall.org/support.htm#Guidelines. > > > Sorry for the late reply, I've

Re: [Shorewall-users] First experience (next)

2015-09-12 Thread Ob Noxious
On Tue, Sep 8, 2015 at 8:24 PM, Tom Eastep wrote: Please forward the output of 'shorewall dump' collected as described at > http://www.shorewall.org/support.htm#Guidelines. > Sorry for the late reply, I've been drowning with work lately. Please find the "shorewall dump" attached. The IP addres

Re: [Shorewall-users] First experience (next)

2015-09-08 Thread Tom Eastep
On 9/8/2015 7:56 AM, Ob Noxious wrote: > On Mon, Sep 7, 2015 at 7:51 PM, Tom Eastep > wrote: > > > "interfaces" file: > > net eth0 nets=(!10.1.1.0/24 > ),nosmurfs,rpfilter > > vdmz vbr nets=(10.1.1.0/24 <

Re: [Shorewall-users] First experience (next)

2015-09-08 Thread Ob Noxious
On Mon, Sep 7, 2015 at 7:51 PM, Tom Eastep wrote: > "interfaces" file: > > net eth0 nets=(!10.1.1.0/24 ),nosmurfs,rpfilter > > vdmz vbr nets=(10.1.1.0/24 ),nosmurfs,rpfilter > [...] > > Thanks for any clue on this matter. > > Have you looked at Shorew

Re: [Shorewall-users] First experience (next)

2015-09-07 Thread Tom Eastep
On 9/6/2015 2:57 PM, Ob Noxious wrote: > On Sun, Sep 6, 2015 at 8:38 PM, Tom Eastep > wrote: > > > > > I'm really enjoying Shorewall for now. It's a bit "complex" for the > > newcomer but highly configurable, to an impressive level I must say. > > > >

Re: [Shorewall-users] First experience (next)

2015-09-06 Thread Ob Noxious
On Sun, Sep 6, 2015 at 8:38 PM, Tom Eastep wrote: > > I'm really enjoying Shorewall for now. It's a bit "complex" for the > > newcomer but highly configurable, to an impressive level I must say. > > > > Glad to hear that it is working for you. > I confirm that I'm liking Shorewall a lot! It is

Re: [Shorewall-users] First experience (next)

2015-09-06 Thread Ob Noxious
On Sun, Sep 6, 2015 at 11:57 PM, Ob Noxious wrote: "interfaces" file: > net eth0 nets=(!10.1.1.0/24),nosmurfs,rpfilter > vdmz vbr nets=(!10.1.1.0/24),nosmurfs,rpfilter > Shoot! Of course, the vdmz zone does NOT have the "!" in the nets() option... -- ObNox --

Re: [Shorewall-users] First experience (next)

2015-09-06 Thread Tom Eastep
On 9/6/2015 3:17 AM, Ob Noxious wrote: > Hi, > > Please disregard my previous comment about the invalid TCP flags FIN,RST > and PSH,FIN passing through "tcpflags" chain. They indeed pass through > but are blocked later by the "?SECTION INVALID" of the "rules" file. > They simply were silently dropp

[Shorewall-users] First experience (next)

2015-09-06 Thread Ob Noxious
Hi, Please disregard my previous comment about the invalid TCP flags FIN,RST and PSH,FIN passing through "tcpflags" chain. They indeed pass through but are blocked later by the "?SECTION INVALID" of the "rules" file. They simply were silently dropped because INVALID_LOG_LEVEL was unset in shorewall
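The two-stage behaviour described in the post above (a FIN,RST or PSH,FIN segment is not caught by the "tcpflags" interface checks, is then dropped by the ?SECTION INVALID rule, and that drop is silent while INVALID_LOG_LEVEL is unset) can be modelled in a few lines. This is an added example, not code from the thread or from Shorewall: the list of tcpflags checks is my reconstruction of the iptables --tcp-flags tests the "tcpflags" interface option installs (an assumption, not a quote of the generated ruleset), and the conntrack decision is reduced to the one distinction that matters here, whether a segment belongs to a tracked connection or starts a new one.

```python
# Added example, not Shorewall code.  Model of the path a TCP segment takes
# through the "tcpflags" checks and then the ?SECTION INVALID rule, and of
# when the INVALID drop is logged.  TCPFLAGS_CHECKS is my reconstruction of
# the iptables --tcp-flags tests behind the tcpflags option (assumption).

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

# iptables semantics: "--tcp-flags MASK COMP" matches when (flags & MASK) == COMP.
# (name, mask, comp)
TCPFLAGS_CHECKS = [
    ("ALL FIN,URG,PSH",         TCP_FLAGS, {"FIN", "URG", "PSH"}),           # xmas
    ("ALL NONE",                TCP_FLAGS, set()),                            # null scan
    ("SYN,RST SYN,RST",         {"SYN", "RST"}, {"SYN", "RST"}),
    ("SYN,FIN SYN,FIN",         {"SYN", "FIN"}, {"SYN", "FIN"}),
    ("ALL SYN,RST,ACK,FIN,URG", TCP_FLAGS, {"SYN", "RST", "ACK", "FIN", "URG"}),
]


def parse_flags(spec):
    """'FIN,RST' -> {'FIN', 'RST'}; 'NONE' -> empty set; unknown names are rejected."""
    if spec.strip().upper() == "NONE":
        return set()
    flags = {f.strip().upper() for f in spec.split(",") if f.strip()}
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcpflags_verdict(flags, sport=1024):
    """Name of the first tcpflags check the segment hits, or None if it passes them all."""
    for name, mask, comp in TCPFLAGS_CHECKS:
        if flags & mask == comp:
            return name
    # "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN"; a SYN from
    # source port 0 is the remaining tcpflags check (assumed, see lead-in).
    if flags & {"SYN", "RST", "ACK", "FIN"} == {"SYN"} and sport == 0:
        return "--syn --sport 0"
    return None


def conntrack_state(flags, known_connection):
    """Minimal conntrack: a bare SYN opens a NEW connection, a segment on a tracked
    connection is ESTABLISHED, anything else has no connection to belong to and is
    INVALID.  FIN,RST and PSH,FIN out of the blue land in the last bucket."""
    if known_connection:
        return "ESTABLISHED"
    if flags & {"SYN", "ACK", "RST", "FIN"} == {"SYN"}:
        return "NEW"
    return "INVALID"


def filter_segment(spec, *, known_connection=False, sport=1024,
                   tcp_flags_log_level=None, invalid_log_level=None):
    """Walk one segment through both stages.

    Returns (verdict, stage, logged).  A log level of None means the option is
    unset, which is why the INVALID drops in the post left no trace in the log."""
    flags = parse_flags(spec)
    hit = tcpflags_verdict(flags, sport)
    if hit is not None:
        return ("DROP", f"tcpflags ({hit})", tcp_flags_log_level is not None)
    state = conntrack_state(flags, known_connection)
    if state == "INVALID":
        return ("DROP", "?SECTION INVALID", invalid_log_level is not None)
    # Not dropped here: the segment goes on to the rest of the rules file.
    return ("CONTINUE", state, False)


if __name__ == "__main__":
    for spec in ("FIN,RST", "PSH,FIN", "SYN,FIN", "NONE", "SYN"):
        print(f"{spec:8} INVALID_LOG_LEVEL unset : {filter_segment(spec)}")
        print(f"{spec:8} INVALID_LOG_LEVEL=info  : "
              f"{filter_segment(spec, invalid_log_level='info')}")
```

Running the block shows FIN,RST and PSH,FIN reported as dropped in the "?SECTION INVALID" stage with logged=False until invalid_log_level is given, while SYN,FIN and NONE are stopped earlier by the tcpflags checks; a lone SYN continues as NEW. Setting INVALID_LOG_LEVEL in shorewall.conf is the cheap way to make the second stage visible before concluding that such segments are being accepted.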