On 07/10/2017 01:00 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Tom Eastep <[email protected]>
>
>> the file as converted by 'update' will work if you just get rid of
>> the masq file. The trace shows the masq file being processed, but
>> it appears to be simply
>>
>> ?IF $FW_TYPE
>> ?ENDIF
>
> I see now. Shorewall completely ignores the snat file even if masq is
> "empty". I had to erase it. Now all's working as expected.
>
> Actually, my masq file isn't empty as it contains the following
> conditional clause:
>
> # cat /etc/shorewall/masq
> ?IF $FW_TYPE
>
> INCLUDE /SAMBA/${FW_TYPE}_extra/masq.FHM
>
> ?ENDIF
>
> I'm using this for convenience because I correctly updated to using
> snat on my "fw2" gateway. However, my internal "fw1" firewall has a
> more complicated masq file that I need more time to update. So I
> wrongly thought that if /SAMBA/${FW_TYPE}_extra/masq.FHM was empty
> then Shorewall would not apply any masq rules (because the IF
> statement would evaluate to TRUE, but would include an empty file),
> but would proceed with snat entries.

I have already updated the code for the next release to process the
snat file if the masq file generates no rules, so that others don't
fall into that trap.

> Anyway, I'm half-way through. One down, one to go (fw1). I guess I've
> had several glitches at the same time:
>
> - shorewall snat/masq
> - shorewall AUTOMAKE
> - hardened kernel and/or hardened package base of my distro
>
> I'd also like to add that the other issue I reported here:
>
> https://sourceforge.net/p/shorewall/mailman/message/35920709/
>
> has been solved now. In that case, even pings from a particular "loc"
> host to the shorewall gateway would fail (not masq-related). I
> suspect the guilty party could be the kernel or kernel-related tools
> as everything else is alike. I'll try to go back to using hardened
> systems only once I get both shorewall systems in check.

Okay -- let us know what you discover.

> In any case, thank you very much for all the help.

You are most welcome.

> I'll let you know if I run into any trouble with "fw1"... ;-)

I'm sure you will :-)

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
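A check for the trap discussed in this thread, added here as an example that is not Shorewall's own code: it counts the rule lines a masq file would actually generate, following INCLUDE lines with ${FW_TYPE} expanded, and warns when a masq file that exists but yields no rules will cause the snat file to be ignored. The sample masq and include files are constructed in a temporary directory standing in for /SAMBA; the function names, and the assumption that FW_TYPE is the only variable used in include paths, are mine.

```shell
#!/bin/sh
# Added diagnostic (not Shorewall's own code) for the trap in this thread: a
# masq file that exists but yields no rules still makes Shorewall skip snat.
# masq_rule_count follows INCLUDE lines, expanding ${FW_TYPE}/$FW_TYPE as the
# thread's config does (assumed to be the only variable in include paths).
masq_rule_count() {                       # usage: masq_rule_count /path/to/masq
    file=$1; count=0
    [ -r "$file" ] || { echo 0; return; }
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # strip comments
        case "$line" in
            *[![:space:]]*) ;;            # has content, keep going
            *) continue ;;                # blank line
        esac
        case "$line" in
            \?*) continue ;;              # compiler directive: ?IF, ?ELSE, ?ENDIF ...
            INCLUDE*)
                inc=${line#INCLUDE}
                inc=${inc#"${inc%%[![:space:]]*}"}   # trim leading blanks
                inc=${inc%"${inc##*[![:space:]]}"}   # trim trailing blanks
                inc=$(printf '%s' "$inc" | sed "s/[$]{FW_TYPE}/$FW_TYPE/g; s/[$]FW_TYPE/$FW_TYPE/g")
                # the recursive call runs in a subshell, so file/count/line are untouched
                count=$((count + $(masq_rule_count "$inc")))
                ;;
            *) count=$((count + 1)) ;;    # anything else is a rule line
        esac
    done < "$file"
    echo "$count"
}
# Succeeds (and warns) when $1/masq exists but produces no rules, the case in
# which the snat file is silently ignored; fails otherwise.
snat_shadowed() {
    [ -f "$1/masq" ] || return 1
    [ "$(masq_rule_count "$1/masq")" -eq 0 ] || return 1
    echo "WARNING: $1/masq generates no rules but its presence disables $1/snat" >&2
}
# Constructed sample mirroring the thread, with a temp dir standing in for /SAMBA.
build_sample() {                          # usage: build_sample DIR (FW_TYPE must be set)
    mkdir -p "$1/${FW_TYPE}_extra"
    printf '?IF $FW_TYPE\n\nINCLUDE %s/${FW_TYPE}_extra/masq.FHM\n\n?ENDIF\n' "$1" > "$1/masq"
    : > "$1/${FW_TYPE}_extra/masq.FHM"   # the empty included file, as in the thread
}
FW_TYPE=fw2; export FW_TYPE
sample=$(mktemp -d)
build_sample "$sample"
snat_shadowed "$sample" || echo "masq produced $(masq_rule_count "$sample/masq") rule(s)"
rm -rf "$sample"
```

Run it from a copy of the real config directory (with FW_TYPE set as the compiler would see it) to find out before a restart whether snat will be honoured.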
