shorewall-users January 2012 archive

Re: [Shorewall-users] Shorewall-users Digest, Vol 68, Issue 10

From: Tom Eastep <teastep_at_nospam>
Date: Mon Jan 16 2012 - 01:39:11 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Jan 15, 2012, at 12:37 PM, Erik Mundall wrote:

> ... "The successor to 'norfc1918' is NULL_ROUTE_RFC1918=Yes in shorewall.conf."
>
> I have tried that, and the only pings I get back are from the 10.0.0.0 subnet. I get the following response after trying to ping a known printer on my network that would otherwise have been accessible:
>
> ping 192.168.3.142
> connect: Network is unreachable

192.168.3.142 is reached using the default gateway. So unless you use your distribution's IP configuration tools to create a specific route to that host via the default gateway, then NULL_ROUTE_RFC1918=Yes will drop packets to/from that host.

Erik, you can't have it both ways. You know that 192.168.3.142 is an RFC 1918 host that is of interest to you, but nothing in the configuration reflects that knowledge (or you can add an entry to /etc/shorewall/routes). On the other hand, there is a route to 10.0.0.0/24, so that network is exempted from being excluded by NULL_ROUTE_RFC1918=Yes.

-Tom

Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
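
The routing decision Tom describes, as an added example that is not part of the original message or of Shorewall's code. It assumes NULL_ROUTE_RFC1918=Yes behaves as null routes for the three RFC 1918 blocks that any more specific route overrides by longest-prefix match; the gateway address 10.0.0.1 and interface eth0 are constructed sample values.

```python
import ipaddress

# RFC 1918 blocks assumed to receive a null route under NULL_ROUTE_RFC1918=Yes.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_table(routes, null_route_rfc1918=True):
    """routes: list of (prefix, target) pairs. Returns [(network, target)]."""
    table = [(ipaddress.ip_network(p), t) for p, t in routes]
    if null_route_rfc1918:
        # Null routes go last so an identical configured prefix wins a tie.
        table += [(ipaddress.ip_network(b), "NULL") for b in RFC1918]
    return table


def lookup(table, dest):
    """Longest-prefix match within one routing table."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, tgt) for net, tgt in table if addr in net]
    if not matches:
        return "no route"
    net, tgt = max(matches, key=lambda m: m[0].prefixlen)
    if tgt == "NULL":
        return f"dropped by null route {net}"
    return f"{tgt} ({net})"


# Constructed sample tables: a default route plus the connected 10.0.0.0/24,
# then the same table with an explicit host route for the printer.
BASE = [("0.0.0.0/0", "via 10.0.0.1 dev eth0"), ("10.0.0.0/24", "dev eth0")]
FIXED = BASE + [("192.168.3.142/32", "via 10.0.0.1 dev eth0")]

if __name__ == "__main__":
    for name, routes in (("as configured", BASE), ("with host route", FIXED)):
        table = build_table(routes)
        for dest in ("10.0.0.25", "192.168.3.142", "192.168.3.10", "8.8.8.8"):
            print(f"{name:16} {dest:15} -> {lookup(table, dest)}")
```

Only the printer becomes reachable after the host route is added; other 192.168.0.0/16 addresses still match the null route, so each RFC 1918 destination of interest needs its own route.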
