Enabling IP/MAC binding gives error

v7
dhcp
firewall

(Dominik) #1

Hi everyone,
When I enable IP/MAC binding in Firewall rules → Configure, it throws this error:

Task completed with errors
Configuring shorewall #25 (exit status 1)
Compiling using Shorewall 5.0.14.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/maclist...
ERROR: No hosts on enp0s25 have the maclist option specified /etc/shorewall/maclist (line 22)

On that server I have DHCP configured with “IP reservation”.

When I look at /etc/shorewall/maclist I have something like this:

ACCEPT enp0s25 MAC:ADDRESS IP.ADDRESS

So it looks OK; line 22 points to the beginning of my maclist… but it looks like it is not seen by Shorewall?


(Giacomo Sanchietti) #2

I don’t have a machine to test it right now.

Could you please post the content of /etc/shorewall/maclist and /etc/shorewall/interfaces?


(Dominik) #3

/etc/shorewall/interfaces

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE		INTERFACE		OPTIONS
#

#
# 20nics
#
# Force GREEN + RED mode with only one interface
net	enp0s25	dhcp,nosmurfs,optional

#
# 40ppp -- optional PPP interfaces: define zone composition in hosts file
#
-      ppp+    optional

/etc/shorewall/maclist

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
#
# Shorewall version 4 - Maclist file
#
# For information about entries in this file, type "man shorewall-maclist"
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
###############################################################################
#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)

#
# 30hosts
#
ACCEPT	enp0s25	00:11:22:33:44:55	192.168.99.170
ACCEPT	enp0s25	00:11:22:33:44:56	192.168.99.171
ACCEPT	enp0s25	00:11:22:33:44:57	192.168.99.172
ACCEPT	enp0s25	00:11:22:33:44:58	192.168.99.173

etc.


(Giacomo Sanchietti) #4

The feature is intended to work on a firewall with 2 network interfaces (green + red).

Honestly I never tested it in a single-NIC scenario and probably it can’t work with the current templates.
Actually, the maclist option is set only on the green interface.

You could try to manually edit /etc/shorewall/interfaces, adding maclist at the end of the line:

net enp0s25 dhcp,nosmurfs,optional

Then, try to restart shorewall:

shorewall restart

Maybe it could work, but without a template-custom the modification will soon be lost. :slight_smile:


(Dominik) #5

After adding maclist to the interface, shorewall throws an error:

# shorewall restart
Compiling using Shorewall 5.0.14.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
   ERROR: Invalid interfaces file entry (too many columns) /etc/shorewall/interfaces (line 29)

So I think this won’t work :frowning:

If you say that this only works with two interfaces (RED + GREEN), then it breaks my conception of separating services… because I want the firewall/gateway to work like it should, without adding services that, in case of any hardware disaster(!), would break network services (DHCP).

Currently my setup is like this:
#1 NS7 server that works as firewall/gateway/openvpn server
#2 NS7 server working as DHCP

My question is: is there a possibility to set this up? Maybe, like you said, by a custom template, but honestly I don’t get yet how to change this :wink:
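
As an added example (not code from this thread, NethServer or Shorewall), a small Python check that reads the two files discussed above and reproduces both failures: a maclist entry for an interface that lacks the maclist option (the error in #1), and the option appended as a fourth column instead of inside the comma-separated OPTIONS field (the "too many columns" error in #5). The sample file contents are constructed from the ones posted here.

```python
"""Check that every interface named in Shorewall's maclist file carries the
``maclist`` option in the interfaces file. Constructed example, not NethServer
or Shorewall code; it reproduces both failures from this thread."""


def parse_interfaces(text):
    """Return {interface: set(options)} for a ?FORMAT 2 interfaces file.
    A fourth column is what Shorewall rejects as 'too many columns'."""
    ifaces = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue  # blank line, comment or ?FORMAT directive
        cols = line.split()
        if len(cols) > 3:
            raise ValueError(f"too many columns at line {lineno}: {line}")
        ifaces[cols[1]] = set(cols[2].split(",")) if len(cols) == 3 else set()
    return ifaces


def check_maclist(interfaces_text, maclist_text):
    """Return a list of problems; empty means the compile-time check passes.
    Only the interfaces file is consulted; Shorewall also honours a maclist
    option set in /etc/shorewall/hosts, which these samples do not use."""
    ifaces = parse_interfaces(interfaces_text)
    problems = []
    for lineno, raw in enumerate(maclist_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()  # DISPOSITION INTERFACE MAC [IP ADDRESSES]
        if len(cols) < 3:
            problems.append(f"maclist line {lineno}: too few columns")
        elif "maclist" not in ifaces.get(cols[1], set()):
            problems.append(f"maclist line {lineno}: no hosts on {cols[1]} "
                            "have the maclist option")
    return problems


# Constructed samples modelled on the files posted in this thread.
MACLIST = ("ACCEPT\tenp0s25\t00:11:22:33:44:55\t192.168.99.170\n"
           "ACCEPT\tenp0s25\t00:11:22:33:44:56\t192.168.99.171\n")
IFACES_ORIGINAL = "?FORMAT 2\nnet\tenp0s25\tdhcp,nosmurfs,optional\n-\tppp+\toptional\n"
IFACES_EXTRA_COLUMN = "?FORMAT 2\nnet\tenp0s25\tdhcp,nosmurfs,optional\tmaclist\n"
IFACES_FIXED = "?FORMAT 2\nnet\tenp0s25\tdhcp,nosmurfs,optional,maclist\n"

if __name__ == "__main__":
    for name, text in (("original", IFACES_ORIGINAL), ("fixed", IFACES_FIXED)):
        print(name, check_maclist(text, MACLIST))
```

Running it prints two "no hosts on enp0s25" problems for the original file and an empty list for the fixed one; parsing IFACES_EXTRA_COLUMN raises the column error.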


(Giacomo Sanchietti) #6

I don’t think so or at least we need to study it a bit, but I wouldn’t go further into this path.

I think you can set up DHCP directly on your firewall (we use this configuration in production in many scenarios, including our office). If the firewall breaks, almost nothing on the network will work :wink: But you can replace a broken firewall much quicker than a machine which hosts maybe the DHCP and the mail server.


(Dominik) #7

Hi @giacomo,
I have fired up DHCP on my router and also copied the hosts file from /var/lib/nethserver/db to a new DHCP server by pasting the entries from the old hosts file into the new one, and it worked :slight_smile:

I had to also do this:
signal-event nethserver-hosts-save
signal-event nethserver-hosts-update
signal-event nethserver-dnsmasq-save
signal-event nethserver-dnsmasq-update

and after that the new DHCP server started to assign proper IP addresses to computers in the LAN.