On 12/07/2016 10:29 AM, [email protected] wrote:
> Hello,
>
> My linux setup for years has included lxc containers to isolate
> services and programs with a bridge, shorewall and dnsmasq managing
> access of the containers to the host, each other and the outside
> network (via the host's NICs). All of the required configurations
> are ansibled, so it takes comparatively little time to set all for
> this up - yet also implies a lack of oversight ... which came to
> bite me.
>
> The bridge has assigned 192.168.0.1 and the corresponding subnet.
>
> My /etc/shorewall/zones looks like this:
>
> fw firewall
> net ipv4
> dmz ipv4
>
> The /etc/shorewall/interfaces like so:
>
> net enp0s+ dhcp,tcpflags,logmartians,nosmurfs,optional
> net wlp2s+ dhcp,tcpflags,logmartians,nosmurfs,optional
> dmz br0 tcpflags,logmartians,nosmurfs,bridge,routeback
>
> The /etc/shorewall/masq like this:
>
> wlp2s+ 192.168.0.0/16
>
> When entering a new subnet and setting up a fresh machine I failed
> to recognize that the subnet used was actually 192.168.0.0 and with
> above setup managed to involuntarily interfere with the routing
> outside of my machine.
>
> The main question here is: is there anything beyond paying
> attention to the subnets used that either me (in my configuration)
> or the local admin (in his setup) could have done to prevent the
> interference?
>
> Am I correct in the assumption that correctly adding
> "enp20s+ 192.168.0.0/16" to the masq file (it was unfortunately an
> enp* interface I used) would have prevented much of the issue?
Yes. When you have multiple uplinks, you need to handle SNAT/MASQUERADE out of all of them. It would be prohibitively expensive for Shorewall to try to understand issues like this one.

-Tom

-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
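The answer above points at a configuration invariant that is easy to check mechanically before a role is deployed: every interface placed in the `net` zone needs a masq entry that covers the container subnet, otherwise traffic from the bridge can leave through an uplink with its private source address intact and collide with whatever the upstream network is using. The following script is an added example written for this thread; it is not code from the original post or from the Shorewall project. It reads the `interfaces` and `masq` files quoted above with a deliberately simplified parser (whitespace-separated columns, `#` comments, and a trailing `+` treated as a name-prefix wildcard, as in Shorewall's interface names), uses the bridge address 192.168.0.1 from the post as the DMZ address that a masq SOURCE must contain, and reports which `net` interfaces have no covering entry. The corrected masq file it compares against is constructed here by adding an `enp0s+` line; it is a guess at the fix, not the poster's actual file.

```python
"""Lint a Shorewall 'interfaces' + 'masq' pair for uplinks without SNAT.

Added example for the mailing-list thread above; not Shorewall's own code.
Parsing is a simplification of the real file formats: only the first two
columns are used, a trailing '+' is a prefix wildcard, and a masq SOURCE
that is not an IP network (e.g. an interface name) is skipped.
"""
import ipaddress

# Copied from the post: the poster's /etc/shorewall/interfaces.
INTERFACES = """\
# ZONE  INTERFACE  OPTIONS
net     enp0s+     dhcp,tcpflags,logmartians,nosmurfs,optional
net     wlp2s+     dhcp,tcpflags,logmartians,nosmurfs,optional
dmz     br0        tcpflags,logmartians,nosmurfs,bridge,routeback
"""

# Copied from the post: the masq file that only covered the wireless uplink.
MASQ_ORIGINAL = """\
# INTERFACE  SOURCE
wlp2s+       192.168.0.0/16
"""

# Constructed here: the same file with the wired uplink pattern added.
MASQ_FIXED = """\
# INTERFACE  SOURCE
wlp2s+       192.168.0.0/16
enp0s+       192.168.0.0/16
"""

# From the post: address assigned to the container bridge.
DMZ_ADDRESS = "192.168.0.1"


def parse_columns(text):
    """Return the non-comment lines of a Shorewall file as column lists."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_interfaces(interfaces_text, zone="net"):
    """Interface patterns assigned to `zone` in the interfaces file."""
    return [row[1] for row in parse_columns(interfaces_text)
            if len(row) >= 2 and row[0] == zone]


def covers(masq_pattern, zone_pattern):
    """True if every interface matched by zone_pattern is also matched by
    masq_pattern.  'enp+' covers 'enp0s+' and 'enp0s3'; 'enp0s+' does not
    cover 'enp+' because the latter also matches e.g. 'enp1s0'."""
    if masq_pattern.endswith("+"):
        prefix = masq_pattern[:-1]
        base = zone_pattern[:-1] if zone_pattern.endswith("+") else zone_pattern
        return base.startswith(prefix)
    # A literal masq interface only covers the identical literal interface.
    return not zone_pattern.endswith("+") and masq_pattern == zone_pattern


def uncovered_uplinks(interfaces_text, masq_text, dmz_address=DMZ_ADDRESS):
    """Net-zone interface patterns with no masq entry whose SOURCE network
    contains dmz_address.  An empty list means every uplink SNATs the DMZ."""
    addr = ipaddress.ip_address(dmz_address)
    masq_patterns = []
    for row in parse_columns(masq_text):
        if len(row) < 2:
            continue
        try:
            source = ipaddress.ip_network(row[1], strict=False)
        except ValueError:
            continue  # SOURCE is not a network literal; out of scope here
        if addr in source:
            masq_patterns.append(row[0])
    return [z for z in zone_interfaces(interfaces_text)
            if not any(covers(m, z) for m in masq_patterns)]


if __name__ == "__main__":
    for label, masq in (("original", MASQ_ORIGINAL), ("fixed", MASQ_FIXED)):
        missing = uncovered_uplinks(INTERFACES, masq)
        status = "OK" if not missing else "MISSING masq for " + ", ".join(missing)
        print(f"{label:8s} {status}")
```

Run as a script it prints `original MISSING masq for enp0s+` and `fixed OK`, which is exactly the gap the post describes: with the original file, anything leaving through a wired `enp0s*` interface is forwarded un-NATed. A check like this fits naturally as an assert task in the Ansible role that already writes these files, so the role fails before the firewall is restarted rather than after the upstream network notices.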
