I've created green, blue and red interfaces and firewall rules on my new NethServer gateway, but orange is creating an error. I'm starting in Network and assigning an unused NIC to the role of orange. When I do, shorewall comes back with an error: Unknown source zone (orange) /etc/shorewall/rules line 36. I thought perhaps I should create an orange zone first, but when I try that it tells me that there is already a zone named "orang".
Previously, I assigned a NIC to a role, then went in and created firewall rules for that particular interface. I wonder if there is some additional step for the DMZ? Any help would be appreciated.
No additional steps needed. What you did seems correct to me. No need to create a zone. When you assign a role to a NIC a zone is "created" under the hood.
I'm suspicious about the error "Unknown source zone (orange) /etc/shorewall/rules line 36" because zone names are limited to 5 chars.
I'd start with:
Thanks for the quick response, Filippo. Before adding the orange NIC, I get no results at all with grep. After adding the NIC, I get a mix of "orange" and "orang".
/etc/shorewall/policy:# Zone:orange
/etc/shorewall/rules: NFQBY orange net
NFQBY blue orange
The rules entries appear twice. Then, as you say, I also see zones:orang:ipv4, etc.
Here is the actual output of grep after adding the orange interface and grepping "orange":
/etc/shorewall/policy:# Zone: orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
I thought I might be able to edit /etc/shorewall/rules to change orange to orang, but the "rules" file gets restored back to this on a reboot, and perhaps when shorewall is restarted.
However, I just created a 2nd NethServer machine that doesn't seem to have this problem, so perhaps the issue is some corruption in the installation I'm working with. I'll keep playing and keep you posted.
The problem seems to occur when I enable the IPS module. Prior to that, the orange interface is added without complaint. After enabling IPS, the following appears in /etc/shorewall/rules:
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
Since network objects are limited to 5-character names, the word "orange" blows up the firewall rules table. This seems to be a bug. I'll create a new post on the bugs category to report it.
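A quick sanity check for the situation described in this thread, added here as an example and not part of NethServer or Shorewall: it scans a Shorewall rules file and flags any source or destination zone that is either longer than the 5-character limit or not declared in the zones file, so a generated rule such as "NFQBY orange net" is caught before shorewall fails to compile. The sample zones and rules files are constructed to mirror the grep output above; the file layout (ZONE TYPE ... and ACTION SOURCE DEST ...) is the standard Shorewall one.

```shell
#!/bin/sh
# Added example, not NethServer/Shorewall code. Flags rule lines whose
# SOURCE or DEST zone is longer than ZONE_MAX chars or is not declared.
ZONE_MAX=5

# Usage: check_zone_refs ZONES_FILE RULES_FILE
# Prints one line per offending rule; returns 1 if any were found.
check_zone_refs() {
    zfile=$1; rfile=$2; bad=0
    # Declared zones: first field of non-comment, non-blank lines.
    declared=$(grep -v '^[[:space:]]*#' "$zfile" | awk 'NF {print $1}')
    set -f   # no glob expansion while splitting rule lines into fields
    while IFS= read -r line; do
        case $line in ''|'#'*|'?SECTION'*|'SECTION'*) continue ;; esac
        set -- $line          # $1=ACTION $2=SOURCE $3=DEST ...
        for ref in "$2" "$3"; do
            zone=${ref%%:*}   # strip host part, e.g. "loc:10.0.0.5" -> "loc"
            [ -n "$zone" ] || continue
            case $zone in all|any|none|'$FW'|fw) continue ;; esac
            if [ ${#zone} -gt "$ZONE_MAX" ]; then
                echo "$line: zone '$zone' longer than $ZONE_MAX chars"; bad=1
            elif ! printf '%s\n' "$declared" | grep -qx -- "$zone"; then
                echo "$line: zone '$zone' not declared"; bad=1
            fi
        done
    done < "$rfile"
    set +f
    return $bad
}

# Constructed sample: zones as NethServer would declare them (note "orang"),
# rules including the two lines the IPS module generated in the thread.
make_sample() {
    sdir=$(mktemp -d)
    printf '%s\n' '#ZONE TYPE' 'fw firewall' 'net ipv4' 'loc ipv4' \
        'blue ipv4' 'orang ipv4' > "$sdir/zones"
    printf '%s\n' '#ACTION SOURCE DEST PROTO DPORT' 'ACCEPT loc net tcp 80' \
        'NFQBY orange net' 'NFQBY blue orange' 'NFQBY orang net' > "$sdir/rules"
    echo "$sdir"
}

# Stand-alone run: expect the two "orange" rules to be reported.
demo_dir=$(make_sample)
check_zone_refs "$demo_dir/zones" "$demo_dir/rules" || echo "invalid zone references found"
```

On a real gateway, point it at /etc/shorewall/zones and /etc/shorewall/rules after enabling a module to see which generated lines will break the compile.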