[Shorewall-users] ping test fails through firewall (attaching smaller dump)
Tom Eastep
2017-06-23 14:40:16 UTC
+ '[' -n 'via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight 1 ' ']'
+ run_ip route replace default scope global table 253 via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight 1
+ ip -4 route replace default scope global table 253 via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight 1
RTNETLINK answers: Invalid argument
+ error_message 'ERROR: Command "ip -4 route' replace default scope global table 253 via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight '1" Failed'
+ echo ' ERROR: Command "ip -4 route' replace default scope global table 253 via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight '1" Failed'
ERROR: Command "ip -4 route replace default scope global table 253 via 172.20.11.49 dev enp7s0f3 nexthop via 172.28.17.110 dev enp7s0f2 weight 1" Failed
+ return 1
+ stop_firewall
+ case $COMMAND in
+ set +x
I can send the full trace if required.
There is a bug in 5.1.4.3 :-( Patch attached.

patch /usr/share/shorewall/Shorewall/Providers.pm < FALLBACK.patch

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Tom Eastep
2017-06-26 14:38:19 UTC
Post by Tom Eastep
There is a bug in 5.1.4.3 :-( Patch attached.
patch /usr/share/shorewall/Shorewall/Providers.pm < FALLBACK.patch
Thanks Tom.
That fixed the startup issue.
I'm still having trouble making a simple ping work in the same environment but with shorewall 5.1.4.4.
I'm unable to ping from host with IP addr. 10.215.144.48 in "lan" zone and host with IP addr. 192.168.212.92 in "dmz" zone.
I've even enabled info messages, but I'm unable to get any in my log file. I only get that Shorewall has been started.
I'm attaching the shorewall dump.
I see no evidence of any ping traffic between the time that the counters
were reset and when the dump was taken. What address did you ping and
from where?

-Tom
Tom Eastep
2017-06-26 14:40:36 UTC
# shorewall version
5.0.15.6
ERROR: Invalid parameter (DROP),Multicast(DROP) /usr/share/shorewall/action.Broadcast (line 1)
from (line EOF)
You can't expect to run a 5.1.4 configuration on 5.0.15 unless you
switch the _DEFAULT settings to values that are known to the older
release (Drop and Reject were the defaults for DROP_DEFAULT and
REJECT_DEFAULT respectively).

-Tom