On 07/04/2017 02:03 AM, Vieri Di Paola via Shorewall-users wrote:
> ________________________________
> From: Tom Eastep <[email protected]>
>>
>>> Checking /etc/shorewall/providers... ERROR: Providers interfaces may
>>> not specify 'routefilter' when USE_DEFAULT_RT=Yes
>>
>> That error is expected as 'routefilter' causes Martians when
>> USE_DEFAULT_RT=Yes. Use 'rpfilter' instead.
>
>
> OK, so I guess "shorewall start" should also throw that error and abort. If
> not, continue, but warn about it.
>
> In "interfaces" I'm now using options such as:
>
> net4 enp7s0f0
> optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter
>
> However, if I restart shorewall and dump afterwards I get this result:
>
> # grep /rp_filter swdump
> /proc/sys/net/ipv4/conf/all/rp_filter = 0
> /proc/sys/net/ipv4/conf/default/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp10s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp5s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp6s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f1/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f2/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f3/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp8s5/rp_filter = 0
> /proc/sys/net/ipv4/conf/lo/rp_filter = 0
>
> # shorewall show capabilities | grep RPFilter
> RPFilter Match (RPFILTER_MATCH): Available
>
> # shorewall version
> 5.1.4.4
>
> Why isn't /proc/sys/net/ipv4/conf/enp7s0f0/rp_filter = 1?
>
> Am I required to set this with sysctl?
>
> Also, I'm currently checking and enabling /proc/sys/net/ipv4/ip_forward via
> sysctl. Is there a reason why shorewall doesn't enable it directly when
> required?
> If shorewall can't do that directly then maybe "shorewall check" could check
> the value of ip_forward, and warn the user to enable it if required.
>

root@debianvm:/etc/shorewall# shorewall status
Shorewall-5.1.5 Status at debianvm - Tue Jul 4 08:56:52 PDT 2017

Shorewall is stopped
State:Stopped Tue Jul 4 08:56:48 PDT 2017 (/var/lib/shorewall/firewall compiled Tue Jul 4 08:36:58 PDT 2017 by Shorewall version 5.1.5)

root@debianvm:/etc/shorewall# shorewall start
Compiling using Shorewall 5.1.5...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/providers...
   ERROR: Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes /etc/shorewall/providers (line 10)
root@debianvm:/etc/shorewall#

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
