________________________________
From: Tom Eastep <[email protected]>
>
> the file as converted by 'update' will work
> if you just get rid of the masq file. The trace shows the masq file being
> processed, but it appears to be simply
>
> ?IF $FW_TYPE
> ?ENDIF
I see now. Shorewall completely ignores the snat file even if masq is "empty".
I had to erase it. Now all's working as expected.
Actually, my masq file isn't empty as it contains the following conditional
clause:
# cat /etc/shorewall/masq
?IF $FW_TYPE
INCLUDE /SAMBA/${FW_TYPE}_extra/masq.FHM
?ENDIF
I'm using this for convenience because I correctly updated to using snat on my
"fw2" gateway. However, my internal "fw1" firewall has a more complicated masq
file that I need more time to update.
So I wrongly thought that if /SAMBA/${FW_TYPE}_extra/masq.FHM was empty then
Shorewall would not apply any masq rules (because the IF statement would
evaluate to TRUE, but would include an empty file), but would proceed with snat
entries.
Anyway, I'm half-way through. One down, one to go (fw1).
I guess I've had several glitches at the same time:
- shorewall snat/masq
- shorewall AUTOMAKE
- hardened kernel and/or hardened package base of my distro
I'd also like to add that the other issue I reported here:
https://sourceforge.net/p/shorewall/mailman/message/35920709/
has been solved now. In that case, even pings from a particular "loc" host to
the shorewall gateway would fail (not masq-related). I suspect the guilty party
could be the kernel or kernel-related tools as everything else is alike. I'll
try to go back to using hardened systems only once I get both shorewall systems
in check.
In any case, thank you very much for all the help.
I'll let you know if I run into any trouble with "fw1"... ;-)
Vieri
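As an added illustration of the pitfall discussed in this thread (not code from the original post or from the Shorewall project), the following POSIX shell function audits a Shorewall configuration directory and warns when a masq file is present alongside an snat file, since the masq file causes the snat file to be ignored even when it holds nothing but an ?IF/?ENDIF pair. The function name, the directory argument and the sample file contents are constructed for this example; the snat line follows the ACTION SOURCE DEST column layout but is not taken from any real configuration.

```shell
# Added example, not from the original post or the Shorewall project.
# shorewall_nat_audit DIR
#   Warns and returns 1 when DIR contains both a masq and an snat file,
#   because Shorewall then processes masq and ignores snat entirely.
#   Returns 0 when the two files do not coexist.
shorewall_nat_audit() {
    dir="$1"
    if [ -f "$dir/masq" ] && [ -f "$dir/snat" ]; then
        echo "WARNING: $dir/masq exists, so Shorewall will ignore $dir/snat" >&2
        # Print the non-comment, non-blank lines so the operator can see
        # whether masq is effectively empty (e.g. only ?IF ... ?ENDIF).
        grep -v '^[[:space:]]*#' "$dir/masq" | grep -v '^[[:space:]]*$' >&2 || true
        return 1
    fi
    return 0
}

# Demonstration on a constructed temporary directory that mirrors the
# situation in the thread: a masq file holding only the conditional
# skeleton next to an snat file with one (constructed) MASQUERADE rule.
demo() {
    tmp=$(mktemp -d)
    printf '?IF $FW_TYPE\n?ENDIF\n' > "$tmp/masq"
    printf '#ACTION\tSOURCE\t\tDEST\nMASQUERADE\t10.0.0.0/8\teth0\n' > "$tmp/snat"
    shorewall_nat_audit "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it against the live directory with `shorewall_nat_audit /etc/shorewall` before `shorewall compile`; a non-zero exit means the snat rules will not be applied until the masq file is removed.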
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users