I’ve created green, blue and red interfaces and firewall rules on my new NethServer gateway, but orange is creating an error. I’m starting in Network and assigning an unused NIC to the role of orange. When I do, shorewall comes back with an error: Unknown source zone (orange) /etc/shorewall/rules line 36. I thought perhaps I should create an orange zone first, but when I try that it tells me that there is already a zone named “orang”.
Previously, I assigned a NIC to a role, then went in and created firewall rules for that particular interface. I wonder if there is some additional step for the DMZ? Any help would be appreciated.
No additional steps needed. What you did seems correct to me. No need to create a zone. When you assign a role to a NIC a zone is “created” under the hood.
I’m suspicious about the error “Unknown source zone (orange) /etc/shorewall/rules line 36” because zone names are limited to 5 chars.
I’d start with:
Thanks for the quick response, Filippo. Before adding the orange NIC, I get no results at all with grep. After adding the NIC, I get a mix of “orange” and “orang”.
/etc/shorewall/policy:# Zone:orange
/etc/shorewall/rules: NFQBY orange net
NFQBY blue orange
The rules entries appear twice. Then, as you say, I also see zones:orang:ipv4, etc.
Here is the actual output of grep after adding the orange interface and grepping “orange”:
/etc/shorewall/policy:# Zone: orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
I thought I might be able to edit /etc/shorewall/rules to change orange to orang, but the “rules” file gets restored back to this on a reboot, and perhaps when shorewall is restarted.
However, I just created a 2nd NethServer machine that doesn’t seem to have this problem, so perhaps the issue is some corruption in the installation I’m working with. I’ll keep playing and keep you posted.
The problem seems to occur when I enable the IPS module. Prior to that, the orange interface is added without complaint. After enabling IPS, the following appears in /etc/shorewall/rules:
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
Since network objects are limited to 5 character names, the word “orange” blows up the firewall rules table. This seems to be a bug. I’ll create a new post on the bugs category to report it.