[Shorewall-users] bridging and internet
nico at rakar.com
Sat Sep 4 17:39:48 PDT 2004
Tom and all.
After you asked about what version I was using, I checked the Bering
distro and found that it was not updated to shorewall 2.x, so I decided
to move to Bering-uClibc, which seems to be more up to date.
I installed it and configured everything according to your instructions,
but I was still unable to get shorewall to start in this kind of
It failed with error:
"No chain/target/match by that name"
I kept googling for info till I found this page (in Spanish)
The guy had been trying to do something similar to what I'm doing for a
while without success, till he found out that Bering and Bering-uClib
don't load the ipt_physdev module by default, and don't have them on the
boot disk image.
He installed and loaded the module, and it worked.
So I did the same thing, looked for the module inside the modules file
Found it at /2.4.26/kernel/net/ipv4/netfilter/
I added to /etc/modules the line ipt_phys, rebooted and it worked like a
Well. I hope this helps other guys with the same problem.
Tom, maybe you could add a note to your http://shorewall.net/bridge.html
document warning Bering and Bering-uclib users about this issue.
I'm writing a howto for other fellows in my community network. It will
be available at: http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall
It's in spanish but if you think it would be helpful if I wrote an
english version as well, I will.
Thanks for your help and for developing Shorewall, it's a great product.
Tom Eastep wrote:
> Nicolás Echániz wrote:
> | This is my interfaces file:
> | #ZONE INTERFACE BROADCAST OPTIONS
> | - br0 10.4.10.31 routefilter
> | net eth0 detect
> | And this is my hosts file:
> | #ZONE HOSTS OPTIONS
> | loc br0:eth1
> | bal br0:eth2
> | bal is the community zone (BuenosAiresLibre)
> | The problem is that when shorewall starts I get this error:
> | iptables v1.2.8: host/network 'eth1' not found
> | which I've come to understand has to do with my declaring br0:eth1 and
> | br0:eth2 in the hosts file.
> | If I replace eth1 with the actual subnet (10.4.10.0/27) it stops
> | complaining, but of course my rules and policies don't work because the
> | firewall doesn't know which fisical interface is connected to which
> | I tried shorewall debug start and the process stops for a long time
> | after this:
> | + eval chain=$net2loc_policychain
> | + chain=net2all
> | + [ -n net2all ]
> | + echo net2all
> | + return
> | + chain=net2all
> | + echo net loc net2all
> | + [ net = loc ]
> | + routeback=
> | + interface=eth0
> | + [ -n ]
> | + forward_chain eth0
> | + chain_base eth0
> | + local c=eth0
> | + echo eth0
> | + echo eth0_fwd
> | + chain1=eth0_fwd
> | + interface=br0
> | + subnet=eth1 <----- I think this is the problem
> | + [ eth0:0.0.0.0/0 != br0:eth1 ]
> | + run_iptables -A eh0_fwd -o br0 -d eth1 -j net2all
> | + iptables -A eth0_fwd -o br0 -d eth1 -j net2all
> | I've tried to solve this on my own, but I'm stuck now and don't know
> | what else to try.
> | I hope you can figure it out.
> | I'll be waiting for your reply :)
> What version of Shorewall are you running? Looks like it doesn't support
> Bridge/Firewall. If you think your version should contain that support,
> then send the entire trace because a few lines from the end of the trace
> are useless to me.
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep at shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
More information about the Shorewall-users