On 12/17/2017 8:01 AM, Matt Darfeuille wrote:
> Bottom-posting
> 
> On 12/16/2017 10:09 PM, Bill Shirley wrote:
>> It should be without the &:
>> ACCEPT net $FW:$NET_IF tcp 22
>>
>> Bill
>>
>> On 12/16/2017 1:50 PM, Matt Darfeuille wrote:
>>> Hi,
>>>
>>> If I set in /etc/shorewall/params:
>>>
>>> NET_IF=enp2s0
>>>
>>> and in /etc/shorewall/stoppedrules:
>>>
>>> ACCEPT net $FW:&$NET_IF tcp 22
>>>
>>> I get the following error while stopping Shorewall:
>>>
>>> $ shorewall debug stop
>>> Stopping Shorewall....
>>> Preparing iptables-restore input...
>>> Running debug_restore_input...
>>> Bad argument `6'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>     ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
>>> 172.17.211.254 -d  -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
>>> Terminated
>>>
>>> The address for the --destination option is missing.
>>>
>>
> 
> According to:
> 
> http://shorewall.org/configuration_file_basics.htm#SOURCE-DEST
> 
> "7.
> The primary IP address of eth0 in the $FW zone - $FW:&eth0 (see Run-time
> Address Variables below)"
> 
> If I do not add ':&' I get the following:
> 
> "   ERROR: Destination Interface (enp2s0) not allowed when the
> destination zone is the firewall /etc/shorewall/stoppedrules (line 15)"
> 
> 
> Upon further testing the error only arises when '$FW:&$NET_IF' is not
> used, for instance, in the rules file, which is expected.
> 

Actually the error is triggered by specifying '$FW:&intname' in the
stoppedrules file regardless of the rules file.
Assuming that it is allowed in 'stoppedrules'?

/etc/shorewall/stoppedrules:

ACCEPT $NET_IF $FW:&$NET_IF tcp 22

$ shorewall clear

Gives the error above.

shorewall 5.1.10-Beta2

-Matt
-- 
Matt Darfeuille
