[Shorewall-users] bridging and internet
Nicolás Echániz
nico at rakar.com
Sat Sep 4 17:39:48 PDT 2004
Tom and all.
After you asked about what version I was using, I checked the Bering
distro and found that it was not updated to shorewall 2.x, so I decided
to move to Bering-uClibc, which seems to be more up to date.
I installed it and configured everything according to your instructions,
but I was still unable to get shorewall to start in this kind of
configuration.
It failed with error:
"No chain/target/match by that name"
I kept googling for info till I found this page (in Spanish)
http://www.aconcagua.cl/wordpress/
The guy had been trying to do something similar to what I'm doing for a
while without success, till he found out that Bering and Bering-uClibc
don't load the ipt_physdev module by default, and don't have it on the
boot disk image.
He installed and loaded the module, and it worked.
So I did the same thing, looked for the module inside the modules file
Bering-uClibc_2.2.0_modules_2.4.26.tar.gz.
Found it at /2.4.26/kernel/net/ipv4/netfilter/
I added to /etc/modules the line ipt_phys, rebooted and it worked like a
charm.
Well. I hope this helps other guys with the same problem.
Tom, maybe you could add a note to your http://shorewall.net/bridge.html
document warning Bering and Bering-uClibc users about this issue.
I'm writing a howto for other fellows in my community network. It will
be available at: http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall
It's in Spanish but if you think it would be helpful if I wrote an
English version as well, I will.
Thanks for your help and for developing Shorewall, it's a great product.
Best regards,
Nicolás Echániz
Tom Eastep wrote:
> Nicolás Echániz wrote:
>
> |
> | This is my interfaces file:
> | #ZONE INTERFACE BROADCAST OPTIONS
> | - br0 10.4.10.31 routefilter
> | net eth0 detect
> |
> | And this is my hosts file:
> | #ZONE HOSTS OPTIONS
> | loc br0:eth1
> | bal br0:eth2
> |
> | bal is the community zone (BuenosAiresLibre)
> |
> | The problem is that when shorewall starts I get this error:
> | iptables v1.2.8: host/network 'eth1' not found
> |
> | which I've come to understand has to do with my declaring br0:eth1 and
> | br0:eth2 in the hosts file.
> | If I replace eth1 with the actual subnet (10.4.10.0/27) it stops
> | complaining, but of course my rules and policies don't work because the
> | firewall doesn't know which physical interface is connected to which
> zone.
> |
> | I tried shorewall debug start and the process stops for a long time
> | after this:
> | + eval chain=$net2loc_policychain
> | + chain=net2all
> | + [ -n net2all ]
> | + echo net2all
> | + return
> | + chain=net2all
> | + echo net loc net2all
> | + [ net = loc ]
> | + routeback=
> | + interface=eth0
> | + [ -n ]
> | + forward_chain eth0
> | + chain_base eth0
> | + local c=eth0
> | + echo eth0
> | + echo eth0_fwd
> | + chain1=eth0_fwd
> | + interface=br0
> | + subnet=eth1 <----- I think this is the problem
> | + [ eth0:0.0.0.0/0 != br0:eth1 ]
> | + run_iptables -A eh0_fwd -o br0 -d eth1 -j net2all
> | + iptables -A eth0_fwd -o br0 -d eth1 -j net2all
> |
> |
> | I've tried to solve this on my own, but I'm stuck now and don't know
> | what else to try.
> |
> | I hope you can figure it out.
> | I'll be waiting for your reply :)
>
> What version of Shorewall are you running? Looks like it doesn't support
> Bridge/Firewall. If you think your version should contain that support,
> then send the entire trace because a few lines from the end of the trace
> are useless to me.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep at shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
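The fix described in this thread (bridge-port entries like br0:eth1 in the hosts file need the ipt_physdev module, which the Bering images do not load) can be turned into a pre-flight check. The script below is an added example, not code from the thread or from Shorewall: it scans a Shorewall hosts file for bridge-port entries and checks whether ipt_physdev is listed in a modules file. Both file paths are arguments, and the sample files it writes under a temp directory are constructed here (the hosts lines mirror the thread, plus an invented dmz subnet entry to show that a plain subnet does not require physdev).

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): pre-flight check
# for a bridge/firewall setup. Bridge-port host entries ("iface:port") are
# matched with iptables' physdev match, which needs the ipt_physdev module;
# without it shorewall fails with "No chain/target/match by that name".

# Print the bridge-port entries (ZONE HOSTS) found in a Shorewall hosts file.
# The part after the colon must not be an IPv4 address or CIDR prefix;
# those are ordinary subnets and do not need physdev.
bridge_port_entries() {
    hosts_file="$1"
    grep -v '^[[:space:]]*#' "$hosts_file" \
    | awk 'NF >= 2 {
        n = split($2, parts, ":")
        if (n == 2 && parts[2] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
            print $1, $2
    }'
}

# Return 0 if at least one bridge-port entry exists (physdev is required).
needs_physdev() {
    [ -n "$(bridge_port_entries "$1")" ]
}

# Return 0 if ipt_physdev is listed, uncommented, in the given modules file
# (the /etc/modules format: one module name per line).
physdev_in_modules() {
    grep -q '^[[:space:]]*ipt_physdev[[:space:]]*$' "$1"
}

# Combined check: prints a diagnosis and returns 0 when the configuration is
# consistent, 1 when bridge-port entries are used but the module is missing.
check_bridge_setup() {
    hosts_file="$1"
    modules_file="$2"
    if ! needs_physdev "$hosts_file"; then
        echo "no bridge-port entries in $hosts_file; physdev not required"
        return 0
    fi
    if physdev_in_modules "$modules_file"; then
        echo "bridge-port entries found and ipt_physdev listed in $modules_file"
        return 0
    fi
    echo "bridge-port entries found but ipt_physdev is not in $modules_file;" >&2
    echo "expect 'No chain/target/match by that name' when shorewall starts" >&2
    return 1
}

# --- Constructed sample input (hosts lines from the thread + a dmz subnet) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_HOSTS="$SAMPLE_DIR/hosts"
SAMPLE_MODULES_MISSING="$SAMPLE_DIR/modules.missing"
SAMPLE_MODULES_FIXED="$SAMPLE_DIR/modules.fixed"

cat > "$SAMPLE_HOSTS" <<'EOF'
#ZONE   HOSTS               OPTIONS
loc     br0:eth1
bal     br0:eth2
dmz     br0:10.4.10.0/27
EOF

# A modules file without the physdev module, and one with the fix applied.
printf 'ip_tables\niptable_filter\n' > "$SAMPLE_MODULES_MISSING"
printf 'ip_tables\niptable_filter\nipt_physdev\n' > "$SAMPLE_MODULES_FIXED"

echo "bridge-port entries:"
bridge_port_entries "$SAMPLE_HOSTS"
check_bridge_setup "$SAMPLE_HOSTS" "$SAMPLE_MODULES_MISSING" || echo "check failed (status $?)"
check_bridge_setup "$SAMPLE_HOSTS" "$SAMPLE_MODULES_FIXED" && echo "check passed"
```

Run it against the real files with `check_bridge_setup /etc/shorewall/hosts /etc/modules` before starting shorewall; the modules-file check only tells you the module will be loaded at boot, so after editing /etc/modules either reboot (as the thread did) or load it by hand and confirm it appears in lsmod.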