On 07/05/2017 08:22 AM, Tom Eastep wrote:

>>
>> There are no SNAT/MASQUERADE rules being instantiated. Hence, reply
>> packets from 8.8.8.8 cannot be routed back to fw2. What is the output
>> of 'ls -l /etc/shorewall/snat'?
>>
> 
> I am going to be away from home for the day so I need you to gather some
> data while I'm away.
> 
> I see that you are using interface names as the SOURCE in your
> masquerade/snat rules. That has been deprecated for years (and generates
> warnings during compilation).
> 
> Please send me (privately), your /var/lib/shorewall/firewall file.
> 
> Also, please:
> 
>    sh -x /var/lib/shorewall/firewall reload > trace 2>&1
> 
> and send me the 'trace' file.
> 
> Finally, include the output of 'ip route ls dev enp10s0'
> 

I have just noticed that there are rules in your snat file that don't
depend on the input interface and they aren't present either. So it
seems that the snat file is not being processed during compilation.

So back to my original line of questioning - is /etc/shorewall/snat
readable and non-empty? If so, please forward the output of "shorewall
trace -vvv check".

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
