On 8/28/2013 12:41 PM, Tom Eastep wrote:
On 8/27/2013 2:02 PM, Thomas Harold wrote:We have a bonded pair of ethernet ports (eth0+eth1 -> bond0) defined in /etc/shorewall/interfaces as:loc bond0 The /etc/shorewall/zones is: fw firewall loc ipv4 net ipv4 When shorewall is stopped, I want to still allow traffic from the local zone (bond0) to the firewall to open up SSH. So in /etc/shorewall/stoppedrules I put: ACCEPT $FW bond0 ACCEPT bond0 $FW tcp 22 But "nmap -Pn -p 1-1024 172.30.0.2" reports that all ports are filtered when shorewall is stopped. Are there other files that need to be configured to make use of /etc/shorewall/stoppedrules?No. Please forward the output of 'shorewall dump' taken when the firewall is in the stopped state. -Tom
Thanks, Tom. So a little background here:- We're running a multi-ISP configuration, a cable modem (wancbl) and a T1 line (want1). Cable modem is the primary, T1 is the fallback.
- Internal connection to the LAN is a bonded pair (bond0) of ethernet devices in active-fallback mode.
- NAT/MASQ outbound through the cable modem works, but doesn't fallback to the T1; so it's almost, but not quite, setup.
There's possibly other errors in the setup, but at the moment I'm more interested in /etc/shorewall/stoppedrules. I've tried different ACCEPT rules such as specifying the local IP address range, using "loc" in the SOURCE/DEST column and using "bond0".
shorewall-running-dump.gz
Description: application/gzip
shorewall-stopped-dump.gz
Description: application/gzip
------------------------------------------------------------------------------ Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! Discover the easy way to master current and previous Microsoft technologies and advance your career. Get an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow. Subscribe today and save! http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users