________________________________
From: Tom Eastep <[email protected]>
>
> I see that you are using interface names as the SOURCE in your
> masquerade/snat rules. That has been deprecated for years (and generates
> warnings during compilation).


I've been using Shorewall since 2002/2003. I always used the "masq" file until now.
The warning didn't bother me much because it says that the interface must be up and configured beforehand.


My /etc/shorewall/snat includes another file.

# cat /etc/shorewall/snat
?IF $FW_TYPE

INCLUDE /SAMBA/${FW_TYPE}_extra/snat.FHM

?ENDIF


# grep params.TYPE /etc/shorewall/params
INCLUDE /SAMBA/firewall_type/params.TYPE


# cat /SAMBA/firewall_type/params.TYPE
FW_TYPE=gateway


Similar setup for the "masq" file.

Here are the results of the tests you asked for, and a few more:

-rw------- 1 root root 63 Jul  3 08:21 /etc/shorewall/snat
-rw-r--r-- 1 root root 836 Jul  3 08:18 /SAMBA/gateway_extra/snat.FHM


-rw------- 1 root root 63 Jul  3 08:21 /etc/shorewall/masq
-rw-r--r-- 1 root root 0 Jul  3 08:18 /SAMBA/gateway_extra/masq.FHM


10.215.0.0/16  proto kernel  scope link  src 10.215.144.92
172.16.0.0/28  proto kernel  scope link  src 172.16.0.2
192.168.147.0/24  scope link
192.168.210.0/23 via 172.16.0.1  metric 9
192.168.212.0/24 via 172.16.0.1  metric 9


I'd like to point out that this morning I emptied my snat file and used my old masq file instead.
The failing pings started working again.
I can take a breath of fresh air now.

The next step is to find out how to write my snat files correctly.
I tried replacing the interfaces ($IF_LAN, $IF_DMZ) with IP addresses, but that "didn't seem to work" either. I'll need to study the man page.

Here's the "failing" snat file:

# cat /SAMBA/gateway_extra/snat.FHM
# Rules generated from masq file by Shorewall 5.1.4.4 - Tue Jun 27 11:42:04 CEST 2017
#
SNAT($IF_ISP4_IP)       $IF_ISP3_IP     $IF_ISP4
SNAT($IF_ISP4_IP)       $IF_ISP2_IP     $IF_ISP4
SNAT($IF_ISP4_IP)       $IF_ISP1_IP     $IF_ISP4
SNAT($IF_ISP3_IP)       $IF_ISP4_IP     $IF_ISP3
SNAT($IF_ISP3_IP)       $IF_ISP2_IP     $IF_ISP3
SNAT($IF_ISP3_IP)       $IF_ISP1_IP     $IF_ISP3
SNAT($IF_ISP2_IP)       $IF_ISP4_IP     $IF_ISP2
SNAT($IF_ISP2_IP)       $IF_ISP3_IP     $IF_ISP2
SNAT($IF_ISP2_IP)       $IF_ISP1_IP     $IF_ISP2
SNAT($IF_ISP1_IP)       $IF_ISP4_IP     $IF_ISP1
SNAT($IF_ISP1_IP)       $IF_ISP3_IP     $IF_ISP1
SNAT($IF_ISP1_IP)       $IF_ISP2_IP     $IF_ISP1
SNAT($IF_ISP4_IP)       $IF_LAN $IF_ISP4
SNAT($IF_ISP3_IP)       $IF_LAN $IF_ISP3
SNAT($IF_ISP2_IP)       $IF_LAN $IF_ISP2
SNAT($IF_ISP1_IP)       $IF_LAN $IF_ISP1
SNAT($IF_ISP4_IP)       $IF_DMZ $IF_ISP4
SNAT($IF_ISP3_IP)       $IF_DMZ $IF_ISP3
SNAT($IF_ISP2_IP)       $IF_DMZ $IF_ISP2
SNAT($IF_ISP1_IP)       $IF_DMZ $IF_ISP1


Here's the "working" masq file:


# cat /SAMBA/gateway_extra/masq.FHM
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
$IF_ISP4                        $IF_ISP3_IP     $IF_ISP4_IP
$IF_ISP4                        $IF_ISP2_IP     $IF_ISP4_IP
$IF_ISP4                        $IF_ISP1_IP     $IF_ISP4_IP
#
$IF_ISP3                        $IF_ISP4_IP     $IF_ISP3_IP
$IF_ISP3                        $IF_ISP2_IP     $IF_ISP3_IP
$IF_ISP3                        $IF_ISP1_IP     $IF_ISP3_IP
#
$IF_ISP2                        $IF_ISP4_IP     $IF_ISP2_IP
$IF_ISP2                        $IF_ISP3_IP     $IF_ISP2_IP
$IF_ISP2                        $IF_ISP1_IP     $IF_ISP2_IP
#
$IF_ISP1                        $IF_ISP4_IP     $IF_ISP1_IP
$IF_ISP1                        $IF_ISP3_IP     $IF_ISP1_IP
$IF_ISP1                        $IF_ISP2_IP     $IF_ISP1_IP
#
$IF_ISP4                        $IF_LAN         $IF_ISP4_IP
$IF_ISP3                        $IF_LAN         $IF_ISP3_IP
$IF_ISP2                        $IF_LAN         $IF_ISP2_IP
$IF_ISP1                        $IF_LAN         $IF_ISP1_IP
#
$IF_ISP4                        $IF_DMZ         $IF_ISP4_IP
$IF_ISP3                        $IF_DMZ         $IF_ISP3_IP
$IF_ISP2                        $IF_DMZ         $IF_ISP2_IP
$IF_ISP1                        $IF_DMZ         $IF_ISP1_IP


> Please send me (privately), your /var/lib/shorewall/firewall file.

OK.

Vieri
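The two listings above show the column mapping between the old masq format (INTERFACE SOURCE ADDRESS) and the snat format (SNAT(ADDRESS) SOURCE INTERFACE), and Tom's point is that a SOURCE column holding an interface name rather than an address is the deprecated usage. The script below is an added example, not code from this thread or from the Shorewall project: it expands $VAR references against a params file, converts masq rows to snat rows using that mapping, and flags any SOURCE that does not resolve to an IP address or CIDR. The params values and masq rows are constructed for the example (documentation addresses, hypothetical interface names), not the poster's real configuration.

```python
import ipaddress
import re

# Constructed params file (hypothetical values, not the poster's real ones).
PARAMS_TEXT = """\
IF_LAN=eth1
IF_DMZ=eth2
IF_ISP1=eth3
IF_ISP1_IP=203.0.113.10
IF_ISP2=eth4
IF_ISP2_IP=198.51.100.20
"""

# Constructed masq-style rows (INTERFACE SOURCE ADDRESS), same shape as the file in the thread.
MASQ_TEXT = """\
#INTERFACE SOURCE         ADDRESS
$IF_ISP1   $IF_ISP2_IP    $IF_ISP1_IP
$IF_ISP1   $IF_LAN        $IF_ISP1_IP
$IF_ISP2   10.215.0.0/16  $IF_ISP2_IP
"""

# Matches $VAR and ${VAR} in a column value.
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_params(text):
    """Read NAME=value lines from a params-style file into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def expand(token, params):
    """Replace $VAR / ${VAR} with its value; unknown variables are left untouched."""
    return VAR_RE.sub(lambda m: params.get(m.group(1), m.group(0)), token)


def is_address(token):
    """True if token is an IP address or CIDR network, False for interface names etc."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def masq_to_snat(masq_text, params):
    """Convert INTERFACE SOURCE ADDRESS rows into SNAT(ADDRESS) SOURCE INTERFACE rows.

    Returns (snat_lines, warnings). A warning is produced for every SOURCE that,
    after variable expansion, is not an address, i.e. the deprecated interface-as-SOURCE usage.
    """
    snat_lines = []
    warnings = []
    for lineno, line in enumerate(masq_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 3:
            warnings.append(f"line {lineno}: expected INTERFACE SOURCE ADDRESS, got {stripped!r}")
            continue
        iface, source, address = fields[:3]
        resolved = expand(source, params)
        if not is_address(resolved):
            warnings.append(
                f"line {lineno}: SOURCE {source} resolves to {resolved!r}, which is not an "
                f"address (interface names as SOURCE are deprecated)"
            )
        snat_lines.append(f"SNAT({address})\t{source}\t{iface}")
    return snat_lines, warnings


if __name__ == "__main__":
    p = parse_params(PARAMS_TEXT)
    rules, warns = masq_to_snat(MASQ_TEXT, p)
    print("\n".join(rules))
    for w in warns:
        print("WARNING:", w)
```

Running it on the constructed input emits three SNAT rows and one warning, for the row whose SOURCE is $IF_LAN (an interface name); the rows whose SOURCE is an ISP address variable or a literal CIDR pass silently. Unresolved variables are left as-is and therefore also trigger the warning, which is the safe default when a params file is incomplete.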

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users