On 8/28/2013 12:41 PM, Tom Eastep wrote:
On 8/27/2013 2:02 PM, Thomas Harold wrote:
We have a bonded pair of ethernet ports (eth0+eth1 -> bond0) defined in
/etc/shorewall/interfaces as:

loc bond0

The /etc/shorewall/zones is:

fw      firewall
loc     ipv4
net     ipv4

When shorewall is stopped, I want to still allow traffic from the local
zone (bond0) to the firewall to open up SSH.  So in
/etc/shorewall/stoppedrules I put:

ACCEPT    $FW      bond0
ACCEPT    bond0    $FW    tcp    22

But "nmap -Pn -p 1-1024 172.30.0.2" reports that all ports are filtered
when shorewall is stopped.

Are there other files that need to be configured to make use of
/etc/shorewall/stoppedrules?

No.

Please forward the output of 'shorewall dump' taken when the firewall is
in the stopped state.

-Tom


Thanks, Tom.

So a little background here:

- We're running a multi-ISP configuration, a cable modem (wancbl) and a T1 line (want1). Cable modem is the primary, T1 is the fallback.

- Internal connection to the LAN is a bonded pair (bond0) of ethernet devices in active-fallback mode.

- NAT/MASQ outbound through the cable modem works, but doesn't fall back to the T1; so it's almost, but not quite, set up.

There are possibly other errors in the setup, but at the moment I'm more interested in /etc/shorewall/stoppedrules. I've tried different ACCEPT rules such as specifying the local IP address range, using "loc" in the SOURCE/DEST column and using "bond0".

Attachment: shorewall-running-dump.gz
Description: application/gzip

Attachment: shorewall-stopped-dump.gz
Description: application/gzip
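To see from a saved ruleset which verdict a packet actually gets in the stopped state, here is an added Python example (not Shorewall's code and not from anyone in this thread) that walks an iptables-save style listing such as the one 'shorewall dump' prints; the chain names, the sshchk user chain and the sample rules are constructed for illustration.

```python
# Constructed sample in iptables-save form (not the real 'shorewall dump'):
# builtin chains with a DROP policy plus the two stoppedrules entries.
SAMPLE_DUMP = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:sshchk - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i bond0 -p tcp -j sshchk
-A OUTPUT -o bond0 -j ACCEPT
-A sshchk -p tcp -m tcp --dport 22 -j ACCEPT
"""
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport"}

def parse(dump):
    """Return ({chain: policy}, {chain: [rule, ...]}); policy '-' = user chain."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        parts = line.split()
        if line.startswith(":"):              # ":NAME POLICY [pkts:bytes]"
            policies[parts[0][1:]] = parts[1]
            chains.setdefault(parts[0][1:], [])
        elif line.startswith("-A "):          # "-A CHAIN <matches> -j TARGET"
            rule = {"target": parts[parts.index("-j") + 1]}
            rule.update({k: parts[parts.index(f) + 1] for f, k in FLAGS.items() if f in parts})
            chains.setdefault(parts[1], []).append(rule)
    return policies, chains

def verdict(policies, chains, chain, pkt):
    """First terminating target wins; else the chain policy, or RETURN for user chains."""
    fallback = "RETURN" if policies.get(chain, "-") == "-" else policies[chain]
    for rule in chains.get(chain, []):
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            t = rule["target"]
            if t in ("ACCEPT", "DROP", "REJECT"):
                return t
            if t == "RETURN":
                return fallback
            if t in chains:                   # jump into a user-defined chain
                sub = verdict(policies, chains, t, pkt)
                if sub != "RETURN":
                    return sub
    return fallback

def input_verdict(in_iface, proto, dport, dump=SAMPLE_DUMP):
    """Verdict the INPUT chain gives a packet arriving on in_iface."""
    pkt = {"in": in_iface, "proto": proto, "dport": str(dport)}
    return verdict(*parse(dump), "INPUT", pkt)
```

Feed it the filter table from the stopped dump instead of SAMPLE_DUMP; if tcp/22 from bond0 comes back DROP, the stoppedrules entries never made it into the INPUT path.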

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users