shorewall only starts when ppp0 is up

x-tux

#1 Post by x-tux »

Hello!

I have a problem with MDK-10 and Shorewall;
my setup is as follows:

eth0 loc <--- IP 192.168.x.1
eth1 net <---IP 10.0.x.10

(shorewall version 2.0.1)

When I boot the machine I get this message:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: ppp+:0.0.0.0/0 eth1:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Host 192.168.x.0 NAT 10.0.x.10 on ppp0
Setting up NETMAP...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.DropSMB...
Pre-processing /usr/share/shorewall/action.RejectSMB...
Pre-processing /usr/share/shorewall/action.DropUPnP...
Pre-processing /usr/share/shorewall/action.RejectAuth...
Pre-processing /usr/share/shorewall/action.DropPing...
Pre-processing /usr/share/shorewall/action.DropDNSrep...
Pre-processing /usr/share/shorewall/action.AllowPing...
Pre-processing /usr/share/shorewall/action.AllowFTP...
Pre-processing /usr/share/shorewall/action.AllowDNS...
Pre-processing /usr/share/shorewall/action.AllowSSH...
Pre-processing /usr/share/shorewall/action.AllowWeb...
Pre-processing /usr/share/shorewall/action.AllowSMB...
Pre-processing /usr/share/shorewall/action.AllowAuth...
Pre-processing /usr/share/shorewall/action.AllowSMTP...
Pre-processing /usr/share/shorewall/action.AllowPOP3...
Pre-processing /usr/share/shorewall/action.AllowIMAP...
Pre-processing /usr/share/shorewall/action.AllowTelnet...
Pre-processing /usr/share/shorewall/action.AllowVNC...
Pre-processing /usr/share/shorewall/action.AllowVNCL...
Pre-processing /usr/share/shorewall/action.AllowNTP...
Pre-processing /usr/share/shorewall/action.AllowRdate...
Pre-processing /usr/share/shorewall/action.AllowNNTP...
Pre-processing /usr/share/shorewall/action.AllowTrcrt...
Pre-processing /usr/share/shorewall/action.AllowSNMP...
Pre-processing /usr/share/shorewall/action.AllowPCA...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
Rule "ACCEPT loc net TCP 20:22,25,53,80,110,1863,3128,5190,6891:6900,6699,10000,7950" added.
Rule "ACCEPT loc net UDP 20:22,25,53,80,110,1863,3128,5190,6257,6891:6900,10000" added.
Rule "ACCEPT net loc TCP 21,22,25,53,80,110,1863,3128,5190,6891:6900,6699,10000,7950" added.
Rule "ACCEPT net loc UDP 21,22,25,53,80,110,1863,3128,5190,6257,6891:6900,10000" added.
Rule "ACCEPT fw loc UDP 137:139" added.
Rule "ACCEPT fw loc TCP 137,139" added.
Rule "ACCEPT fw loc UDP 1024: 137" added.
Rule "ACCEPT loc fw UDP 137:139" added.
Rule "ACCEPT loc fw TCP 137,139" added.
Rule "ACCEPT loc fw UDP 1024: 137" added.
Rule "ACCEPT loc fw TCP 21,22,25,53,80,110,3128,10000" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "DropSMB" added.
Rule "DropUPnP" added.
Rule "dropNonSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "RejectSMB" added.
Rule "DropUPnP" added.
Rule "dropNonSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
Rule "DROP - - udp 135" added.
Rule "DROP - - udp 137:139" added.
Rule "DROP - - udp 445" added.
Rule "DROP - - tcp 135" added.
Rule "DROP - - tcp 139" added.
Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
Rule "REJECT - - udp 135" added.
Rule "REJECT - - udp 137:139" added.
Rule "REJECT - - udp 445" added.
Rule "REJECT - - tcp 135" added.
Rule "REJECT - - tcp 139" added.
Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy REJECT for fw to loc using chain all2all
Policy DROP for net to loc using chain net2all
Policy DROP for loc to fw using chain loc2fw
Policy DROP for loc to net using chain loc2net
Masqueraded Networks and Hosts:
To 0.0.0.0/0 from 192.168.48.0/24 through ppp+
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.

Processing /etc/shorewall/ecn...
Activating Rules...
Adding IP Addresses...
Device "ppp0" does not exist.
Cannot find device "ppp0"
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
Here are my configs...

interfaces:

Code:

#ZONE	 INTERFACE	BROADCAST	OPTIONS
#
net 	 ppp+ -					
net	 eth1 -
loc 	 eth0 -
zones: (dmz not yet added)

Code:

#ZONE	DISPLAY		COMMENTS
net	Net		Internet
loc	Local		Local networks
masq:

Code:

#INTERFACE	        SUBNET		ADDRESS
ppp+			 192.168.x.0/24
nat:

Code:

#EXTERNAL	INTERFACE	INTERNAL	ALL	 		LOCAL
#						INTERFACES
10.0.x.10	ppp0		192.168.x.0	yes			no
policy:

Code:

#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
loc		net		DROP
loc 		$FW		DROP
$FW		net		ACCEPT
net		all		DROP		info
#
# THE FOLLOWING POLICY MUST BE LAST
#	
all		all		REJECT		info 
shorewall.conf:

Code:

LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=no
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

But once I have established a connection, the firewall starts without any problems.
I think it has to do with the IP that is supposed to be passed, but I could be wrong.
If someone could help, I would be very grateful.


Regards, x-tux

x-tux

#2 Post by x-tux »

Hello!

I found the error :D

nat:
Code:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
10.0.x.10 ppp0 192.168.x.0 yes no


must be changed to
nat:
Code:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
10.0.x.10 eth1 192.168.x.0 yes no


Regards, x-tux
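The failure in this thread is a start-time dependency: with ADD_IP_ALIASES=Yes, Shorewall adds the EXTERNAL address from the nat file to the named device ("Adding IP Addresses..."), and a dial-up device like ppp0 does not exist until the link is up, so the start aborts with 'Cannot find device "ppp0"'. The following pre-flight check is an added example, not code from the thread or from the Shorewall project: it parses a nat file in the column layout the poster shows (EXTERNAL INTERFACE INTERNAL ALL-INTERFACES LOCAL) and reports any INTERFACE that is not present on the host. The sample nat text and the device list `["lo", "eth0", "eth1"]` are constructed from the poster's own entries; the `eth0:0` alias-label handling and reading device names from `/sys/class/net` are assumptions about Linux/Shorewall behaviour, not something the thread states.

```python
"""Added example: find /etc/shorewall/nat INTERFACE names that are not present
before Shorewall starts (the 'Cannot find device "ppp0"' failure in the thread)."""
import os

# Constructed sample input: the poster's nat entry before and after the fix.
# The "x" octets are kept exactly as written in the thread; they are placeholders.
NAT_BEFORE = """#EXTERNAL\tINTERFACE\tINTERNAL\tALL\t\tLOCAL
#\t\t\t\t\t\tINTERFACES
10.0.x.10\tppp0\t\t192.168.x.0\tyes\t\tno
"""
NAT_AFTER = NAT_BEFORE.replace("ppp0", "eth1")


def parse_nat(text):
    """Parse the Shorewall 2.x nat file layout shown in the thread.

    Columns: EXTERNAL INTERFACE INTERNAL [ALL INTERFACES] [LOCAL].
    Comment lines (#...) and blank lines are skipped; a missing yes/no column
    or a '-' placeholder counts as 'no'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed nat entry: {raw!r}")
        # Pad the optional yes/no columns so both flags always exist.
        flags = [f.lower() == "yes" for f in fields[3:5]] + [False, False]
        entries.append({
            "external": fields[0],
            # Assumption: 'eth0:0' names an alias label on eth0; the device
            # name is the part before the colon.
            "interface": fields[1].split(":", 1)[0],
            "internal": fields[2],
            "all_interfaces": flags[0],
            "local": flags[1],
        })
    return entries


def live_interfaces():
    """Network devices present on this Linux host, read from sysfs (assumed layout)."""
    try:
        return sorted(os.listdir("/sys/class/net"))
    except OSError:
        return []


def missing_nat_interfaces(text, present=None):
    """Return the nat INTERFACE names that are not in `present`.

    Each name returned would make 'shorewall start' fail at "Adding IP
    Addresses..." as in the thread, because the EXTERNAL address has to be
    added to a device that already exists.  A device that only appears when
    the link comes up (ppp0) therefore does not belong in the nat file; the
    poster's fix was to name the always-present eth1 instead.
    """
    if present is None:
        present = live_interfaces()
    return [e["interface"] for e in parse_nat(text) if e["interface"] not in present]


if __name__ == "__main__":
    # Constructed device list standing in for the poster's box at boot (no ppp0 yet).
    at_boot = ["lo", "eth0", "eth1"]
    print("before fix, missing:", missing_nat_interfaces(NAT_BEFORE, at_boot))  # ['ppp0']
    print("after fix, missing: ", missing_nat_interfaces(NAT_AFTER, at_boot))   # []
```

Run against the real file with `missing_nat_interfaces(open("/etc/shorewall/nat").read())` from a boot script before `shorewall start`; a non-empty result is the same condition the log above reports, caught before the firewall falls through to /etc/shorewall/stop.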
