shorewall-users July 2011 archive

Re: [Shorewall-users] Tproxy with Shorewall6

From: J. Randall Owens <jrowens.sourceforge_at_nospam>
Date: Thu Jul 07 2011 - 11:02:37 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Thu, 7 Jul 2011, Dominic Benson wrote:

> Date: Thu, 7 Jul 2011 00:58:44
> From: Dominic Benson <dominic@lenny.cus.org>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>
> On 7 Jul 2011, at 01:22, Tom Eastep wrote:
>
>> On Jul 6, 2011, at 5:17 PM, J. Randall Owens wrote:
>>>
>>> I don't know about TPROXY in particular, but in most places in shorewall6,
>>> you can enclose the IPv6 addresses (including prefix length) in angle
>>> brackets, like so (all mine are in hosts so far, so these are with
>>> interfaces):
>>> eth0:<2001:470:1::/64,fe80::/10>
>>>
>>> Note that multiple entries are enclosed in one set of brackets, rather
>>> than one pair of brackets per address range.
>>
>> Please also note that <...> is deprecated in favor of the more standard [...].
>>
>
> Hi Tom,
>
> It's on this page:
> http://docs.huihoo.com/shorewall/4.4/manpages6/shorewall6-tcrules.html
>
> I'm almost sure I originally saw it on shorewall.net, but I certainly don't now. Or even in the shorewall-tcrules page - in fact neither of them seems (currently) to make any mention of TPROXY, although
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
> does.
>
> I tried the suggestions about encapsulating the address in square or angle brackets, but I still get the error; I've included it below to be sure we're on the same page.
>
> It certainly *seems* to be working; the local squid is only listening on [::1]:3128 and 127.0.0.1:3128, and if I understand correctly the default would be to use the original source interface. Also, if I remove the interface option it stops working.
>
> Dominic
>
> Jul 7 8:35:59 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:35:59 ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)
>
>
> Jul 7 8:37:14 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:37:14 ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)
>
>
> Jul 7 8:37:40 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:37:40 ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
>

I don't think you've shown us the actual tcrules line 4, have you? Does
it start with "TPROXY(10,3128,::1)" (give or take some brackets) shown in
the error message? I don't see anything on the Shorewall Squid page about
putting an address in the parentheses; it looks like address(es) belong in
the third and optionally second columns.

If that is where you have the [::1], then we'd need to figure out why it's
getting lumped in there when it's sent to process_tc_rule or wherever.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
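
The bracket notation discussed in the thread, as an added example that is not part of the original messages and is not Shorewall code: a small lint that rewrites `interface:<...>` entries to the `[...]` form and validates each IPv6 prefix. The helper name `convert_host_entry`, the sample entries, and the assumption that `[...]` groups a list in one pair of brackets the same way the thread describes for `<...>` are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample entries in the interface:<addresses> form quoted in the thread.
SAMPLES = [
    "eth0:<2001:470:1::/64,fe80::/10>",    # deprecated form, one pair of brackets
    "eth0:<2001:470:1::/64>,<fe80::/10>",  # one pair per range, which the thread warns against
    "eth0:[2001:470:1::/64,fe80::/10]",    # already in the [...] form
]

_ENTRY = re.compile(r"^(?P<iface>[\w.+-]+):(?P<open>[<\[])(?P<body>.*)(?P<close>[>\]])$")
_PER_ADDRESS = re.compile(r"[>\]]\s*,\s*[<\[]")


def convert_host_entry(entry):
    """Hypothetical helper: rewrite an interface:<...> entry as interface:[...].

    Returns (converted_entry, notes). Raises ValueError on a malformed entry
    or on anything that is not a valid IPv6 address or prefix.
    """
    m = _ENTRY.match(entry.strip())
    if m is None:
        raise ValueError(f"not an interface:<addresses> entry: {entry!r}")
    if m["open"] + m["close"] not in ("<>", "[]"):
        raise ValueError(f"mismatched brackets: {entry!r}")
    notes, body = [], m["body"]
    if m["open"] == "<":
        notes.append("deprecated <...> replaced with [...]")
    if _PER_ADDRESS.search(body):
        # Assumption: a list belongs in a single pair of brackets.
        notes.append("per-address brackets merged into one pair")
        body = _PER_ADDRESS.sub(",", body)
    items = [item.strip() for item in body.split(",")]
    for item in items:
        # Validation only; the text of each address is kept as written.
        ipaddress.IPv6Network(item, strict=False)
    return f"{m['iface']}:[{','.join(items)}]", notes


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", *convert_host_entry(sample))
```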