On Wed, Nov 14, 2018 at 12:53 AM Tom Eastep <[email protected]> wrote:
>
> Because you have given interface enp8s5 an IP address and have assigned
> it to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
> configuration never comes into play. In a valid bridge configuration,
> the bridge port interfaces have no IP configuration and are only defined
> to Shorewall as bport interfaces.
You lost me there.
As far as I can tell, I haven't set any IP address to enp8s5 or
assigned it to the dmz zone.
Here's what I have in my interfaces file:
dmz enp5s0 routeback,dhcp,proxyarp=1
dmzx br0 bridge,dhcp,proxyarp=1
dmz0 br0:enp8s5 routeback
dmz1 br0:enp8s5_1 routeback
dmz11 br0:enp8s5_11 routeback
Also, this is my network configuration which is the same as the one
reported in the SW dump:
# ip addr show enp8s5
8: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
valid_lft forever preferred_lft forever
# ip addr show enp8s5_1
60: enp8s5_1@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
valid_lft forever preferred_lft forever
# ip addr show enp8s5_11
61: enp8s5_11@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
valid_lft forever preferred_lft forever
# ip addr show br0
62: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
valid_lft forever preferred_lft forever
# ip addr show enp5s0
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
valid_lft forever preferred_lft forever
inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
valid_lft forever preferred_lft forever
inet6 fe80::6a05:caff:fe11:6430/64 scope link
valid_lft forever preferred_lft forever
As you can see from the above, enp8s5 does not have an IP address
configured. Only br0 has a management IP address which I need anyway.
Also, br0 only covers enp8s5, enp8s5_1 and enp8s5_11, not enp5s0.
The traffic's source address reported in this dump is not in the dmz
zone but in dmz1, i.e. the traffic flow is through the br0 bridge.
Have I overlooked something?
Vieri
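The condition Tom states above, that bridge port interfaces carry no IP configuration of their own and only the bridge holds an address, can be checked mechanically against `ip addr show` output. The following script is an added example (not from this thread and not part of Shorewall): it parses the listing, records each interface's `master` and its scope-global addresses, and lists any port enslaved to the bridge that still has one. The sample listing is the output quoted in the post, plus one constructed interface (`enp9s0`) to show the check firing.

```python
import re

# Sample input: the `ip addr show` output quoted in the post above (mail line wrapping undone,
# enp8s5_11 and some valid_lft lines omitted for brevity).
IP_ADDR_OUTPUT = """\
8: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
       valid_lft forever preferred_lft forever
60: enp8s5_1@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
62: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
    inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
"""

# Constructed counterexample (not from the post): a port enslaved to br0 that also has an address.
BAD_PORT = """\
9: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global enp9s0
"""

HEADER = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <")   # e.g. "60: enp8s5_1@enp8s5: <...>"
ADDR = re.compile(r"^\s+inet6? (\S+) .*\bscope (\S+)")   # e.g. "inet 192.168.215.1/24 ... scope global br0"


def parse_ip_addr(text):
    """Map interface name -> {"master": bridge name or None, "addrs": [scope-global CIDRs]}."""
    # Link-local IPv6 (scope link) is ignored: the kernel adds it to every up interface,
    # so it does not count as IP configuration of a bridge port.
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            master = re.search(r"\bmaster (\S+)", line)
            ifaces[current] = {"master": master.group(1) if master else None, "addrs": []}
        elif current and (m := ADDR.match(line)) and m.group(2) == "global":
            ifaces[current]["addrs"].append(m.group(1))
    return ifaces


def bridge_ports_with_addresses(ifaces, bridge="br0"):
    """Ports enslaved to `bridge` that still carry a global address; empty for a valid bridge setup."""
    return sorted(n for n, i in ifaces.items() if i["master"] == bridge and i["addrs"])
```

On the listing from the post the check returns an empty list (only `br0` and the non-bridged `enp5s0` hold addresses); with the constructed `enp9s0` appended it returns `["enp9s0"]`.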
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users