Hi Philip,

> This may be an underlying Linux problem but I first of all need to run
> it past you guys and gals here as few people on Linux forums will be
> familiar with Shorewall.
>
> We have a Shorewall firewall at the school where I volunteer, protecting
> the school network from a Raspberry Pi farm on which students
> necessarily have root privileges. I rebuilt it at home on newer hardware
> with the outside interface IP address reflecting my home 192.168 network
> instead of the school 172. network. I took it in to school today and
> attempted to reconfigure the outside interface IP.
>
> Using the GUI (Linux Mint XFCE), I changed the outside NIC IP address,
> netmask, def g/w and DNS server. In the GUI, the outside NIC (enp2s0)
> has the label SchlNet. Shorewall IP address dependencies are
> encapsulated in /etc/shorewall/params, and I changed those.
>
> After a reboot, the GUI shows SchlNet has lost its configured IP address
> but gained 16 alias addresses added by Shorewall for NAT rules.
> Meanwhile, a new enp2s0 has appeared with an IP address I didn't
> recognise.
>
> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected
> NAT addresses on enp2s0:0:15 (or 1-16 - I forget).
>
> I tried deleting the spurious enp2s0 and reapplying the IP config to
> SchlNet, but the same happened after a reboot.
>
> I also tried deleting SchlNet, configuring the new enp2s0 and renaming
> it SchlNet, with exactly the same result after a reboot.
>
> shorewall stop and shorewall clear before reapplying the config made no
> improvement.
>
> Maybe I should be using the CUI commands, but I'll need to read a man
> page or two first, and I'm not sure whether the GUI tool maintains any
> of its own data. Anyway, a bit of insight from round here would be
> appreciated.

Unfortunately you seem to have more problems with your Linux distribution
than with Shorewall itself.

There are half a dozen possible ways your interfaces can get
configured these days. It could be some script or NetworkManager or
systemd-networkd or something else. You should investigate this and then
you may get an idea of how to configure it properly.

These modern tools have advantages but they can also be terrible beasts :)

Regards,
Simon



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
