Shorewall 5 on EL7
This covers setup and maintenance of Shorewall 5 on Enterprise Linux 7.x (RHEL, CentOS and derivatives).
- Note: A previous version of this tutorial for EL6 and Shorewall 4.x is: "Shorewall on RPM-based Servers"
This tutorial will introduce the basic concepts of firewalling by taking an Internet connection and sharing it with a local subnetwork of computers. The firewall will also act as a DHCP server for the internal network. This combination of DHCP server and Internet routing covers the most common use case for Shorewall: acting as a traditional Internet router.
Install
Install is trivial via the EPEL repository.
Adding the EPEL Repo
If your firewall does not yet have EPEL installed, do so now:
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Rename Interfaces
For this tutorial, we will use two network interfaces. To make them easier to track, rename the two interfaces to reflect their role. We will use lan0 for the internal network and wan0 for the interface connected to the outside Internet.
If you are unfamiliar with renaming interfaces in EL7, please pause and follow this tutorial:
Install Shorewall 5
Now to install Shorewall 5, and while we're at it, we will install DHCP server as well.
yum install shorewall dhcp
That was easy.
Setup
You need to decide which interface will have your Internet connection on it and which will connect to your internal network. For this tutorial:
- lan0: Faces the internal network, has the IP 10.200.255.254/16 and provides DHCP services to the LAN.
- wan0: Faces the Internet.
Configuring Shorewall
All configuration files are in the /etc/shorewall directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is /etc/shorewall/shorewall.conf.
The files to edit are listed in the order we will edit them in the following subsections.
Backups
Before we start, we will create a backups directory and save original copies of the files there.
mkdir /etc/shorewall/backups
cp /etc/shorewall/zones /etc/shorewall/backups/
cp /etc/shorewall/interfaces /etc/shorewall/backups/
cp /etc/shorewall/policy /etc/shorewall/backups/
cp /etc/shorewall/rules /etc/shorewall/backups/
cp /etc/shorewall/masq /etc/shorewall/backups/
cp /etc/shorewall/shorewall.conf /etc/shorewall/backups/
zones
This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The wan zone is the Internet-facing network (wan0 in this tutorial). The lan is the local network, the internal network of machines the firewall is protecting, which is lan0 in this tutorial. Both lan0 and wan0 are ipv4 networks.
Append two new lines telling shorewall that we have two new ipv4 networks that it will use so that the zones file looks like:
###############################################################################
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
wan ipv4
lan ipv4
interfaces
Just above, we told shorewall that we had two new ipv4 networks. In the interfaces configuration file, we link these networks to physical interfaces.
To link the new networks to the physical interfaces, append the following entries so that the interfaces file looks like:
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
lan lan0 dhcp
wan wan0
policy
Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as shorewall handles these rules. The choices are:
Action | Description |
---|---|
ACCEPT | Accept the connection. |
DROP | Ignore the connection request. |
REJECT | Return an appropriate error to the connection request. |
You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log at the info level so you can see twits trying to do "bad things(tm)". The one downside to using info is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall harder. It's really up to you in the end.
Append the following default policies so that the policy file looks like:
###############################################################################
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
# Let everything from the firewall machine out onto the WAN.
fw wan ACCEPT
# Likewise, allow everything from the firewall out onto the local network.
fw lan ACCEPT
# Don't allow incoming connections from the WAN into the firewall *or* into the
# local network. The 'info' log level records failed connection attempts; remove
# it if you don't want them logged.
wan all DROP info
# Don't allow incoming connections from the local network into the firewall.
lan fw DROP
# Let machines on the local network out onto the web
lan wan ACCEPT
rules
This is really the heart of the firewall.
Here you tell Shorewall what exceptions there are to the default policies. The first rule to match is used.
The example below shows a setup where remote access into the firewall itself is allowed only on port 22000 (a non-standard SSH port). It also includes a commented-out example of forwarding external TCP port 3022 to an internal server on the private network listening on the standard SSH TCP port 22.
This example can be easily adapted to other uses. Just create a new entry per line, choosing the external port and pointing it at the IP address of the internal machine and the TCP port the internal machine's server is listening on. You can use the same external and internal TCP port if you wish to make the connection more seamless for external users. It is entirely up to you.
We'll also add a couple of special rules that tell Shorewall to respond to ICMP ping requests. Some people don't like this, as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find being able to ping my firewall more beneficial. Also, "security through obscurity is no security at all".
Append rules so that the file looks like:
vim /etc/shorewall/rules
##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Allow pings, because this author finds being able to ping more helpful than
# risky.
Ping(ACCEPT) wan fw
Ping(ACCEPT) lan fw
# Allow SSH into the firewall from the WAN on port 22000 and from the LAN on
# port 22 and 22000.
ACCEPT wan fw tcp 22000
ACCEPT lan fw tcp 22000
ACCEPT lan fw tcp 22
### Example; Enable and adapt to your needs.
# Forward SSH connections arriving from the WAN on external port 3022 to an
# internal server at IP 10.200.255.250, port 22. A port forward is a DNAT rule,
# and the PROTO column must be given before the DPORT column.
#DNAT wan lan:10.200.255.250:22 tcp 3022
masq
This file handles masquerading (source NAT) for the machines on the local LAN (the lan zone). This is how Shorewall provides Internet access to an entire subnet of machines behind a single public address.
To enable Internet access from your machines, add a line with the Internet-facing interface followed by the subnet of the local network that you will be masquerading.
Append the masq entry so that the file looks like:
vim /etc/shorewall/masq
###################################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
wan0 10.200.0.0/16
shorewall.conf
Once you have the above files in place, you need to enable the firewall.
Edit /etc/shorewall/shorewall.conf and change the following lines:
vim /etc/shorewall/shorewall.conf
STARTUP_ENABLED=No
To:
STARTUP_ENABLED=Yes
To keep the noise in the syslog down, we'll tell shorewall to use a dedicated log file. Change:
LOGFILE=/var/log/messages
To:
LOGFILE=/var/log/shorewall
Starting the Firewall
Disable firewalld
Before we can start using shorewall, we need to stop and disable the built-in firewall called firewalld.
systemctl stop firewalld
systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Make sure the firewall is off.
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Jul 02 02:11:20 an-fw05.alteeve.ca systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 02 02:11:21 an-fw05.alteeve.ca systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 02 03:56:48 an-fw05.alteeve.ca systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 02 03:56:50 an-fw05.alteeve.ca systemd[1]: Stopped firewalld - dynamic firewall daemon.
We can double-confirm by looking at iptables-save:
iptables-save
# No output
Starting shorewall
Warning: If there are any problems, this might well lock you out of your firewall. Be sure you have direct access to the firewall before proceeding!
To start the firewall, simply run:
systemctl start shorewall
systemctl enable shorewall
Created symlink from /etc/systemd/system/basic.target.wants/shorewall.service to /usr/lib/systemd/system/shorewall.service.
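The warning above is the reason to never load untested rules on a firewall you only reach over the network. The script below is an added example (not from the Alteeve page or the Shorewall project) of a lock-out-safe change procedure built on two Shorewall 5 commands: 'shorewall check DIR' compiles a configuration without loading it, and 'shorewall try DIR SECONDS' loads it, waits, and then restores the previous firewall state on its own. The staging directory /root/shorewall-staging is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Alteeve page or the Shorewall project: change the
# rules without locking yourself out of a remote firewall. Uses the Shorewall 5
# commands 'shorewall check DIR' (compile only, nothing loaded) and
# 'shorewall try DIR SECONDS' (load DIR, wait SECONDS, then restore the previous
# state automatically). STAGE is an assumed path, not something the page uses.

STAGE=${STAGE:-/root/shorewall-staging}

# Copy the live configuration into the staging directory; edit the copies there
# so /etc/shorewall is only touched by commit_config once the change is proven.
stage_config() {
    mkdir -p "$STAGE" && cp /etc/shorewall/zones /etc/shorewall/interfaces \
        /etc/shorewall/policy /etc/shorewall/rules /etc/shorewall/masq \
        /etc/shorewall/shorewall.conf "$STAGE"/
}

# Compile the candidate, then run it for a limited window. Open a *new* SSH
# session during that window; if the new rules block you, just wait and the old
# rules come back by themselves when the window ends.
safe_apply() {
    dir=${1:-$STAGE}; secs=${2:-60}
    if ! shorewall check "$dir"; then
        echo "safe_apply: check of $dir failed, firewall left unchanged" >&2
        return 1
    fi
    echo "safe_apply: candidate rules go live for ${secs}s, test a fresh login now"
    if ! shorewall try "$dir" "$secs"; then
        echo "safe_apply: try failed, previous state restored" >&2
        return 2
    fi
    echo "safe_apply: window over, previous rules are back; commit if the test passed"
}

# Make a candidate that survived the try window permanent.
commit_config() {
    dir=${1:-$STAGE}
    cp "$dir"/* /etc/shorewall/ && shorewall restart
}

# Stand-alone use:  sh safe_apply.sh stage | apply [DIR [SECONDS]] | commit [DIR]
case ${1:-} in
    stage)  stage_config ;;
    apply)  shift; safe_apply "$@" ;;
    commit) shift; commit_config "$@" ;;
esac
```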
Verify that it is running and enabled:
systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Active: active (exited) since Sat 2016-07-02 03:59:53 EDT; 53s ago
Main PID: 1568 (code=exited, status=0/SUCCESS)
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Route Filtering...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Martian Logging...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Proxy ARP...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Preparing iptables-restore input...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Running /sbin/iptables-restore ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: IPv4 Forwarding Enabled
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/start ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/started ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: done.
Jul 02 03:59:53 an-fw05.alteeve.ca systemd[1]: Started Shorewall IPv4 firewall.
To see the new rules in place, simply run:
iptables-save
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*nat
:PREROUTING ACCEPT [6:1404]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
:POSTROUTING ACCEPT [1:144]
:wan0_masq - [0:0]
-A POSTROUTING -o wan0 -j wan0_masq
-A wan0_masq -s 10.200.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*mangle
:PREROUTING ACCEPT [83:6436]
:INPUT ACCEPT [83:6436]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:6584]
:POSTROUTING ACCEPT [51:6584]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*raw
:PREROUTING ACCEPT [91:6852]
:OUTPUT ACCEPT [60:7880]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw-lan - [0:0]
:fw-wan - [0:0]
:lan-fw - [0:0]
:lan-wan - [0:0]
:lan_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:sha-lh-85bd0fbd43893f6cb64f - [0:0]
:sha-rh-1564976a559d45f214cb - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:wan-fw - [0:0]
:wan-lan - [0:0]
:wan_frwd - [0:0]
-A INPUT -i wan0 -j wan-fw
-A INPUT -i lan0 -j lan-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i wan0 -j wan_frwd
-A FORWARD -i lan0 -j lan_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o wan0 -j fw-wan
-A OUTPUT -o lan0 -j fw-lan
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j Broadcast
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j Broadcast
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -g reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A fw-lan -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-lan -j ACCEPT
-A fw-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-wan -j ACCEPT
-A lan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A lan-fw -p tcp -j tcpflags
-A lan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22 -j ACCEPT
-A lan-fw -j Drop
-A lan-fw -j DROP
-A lan-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-wan -j ACCEPT
-A lan_frwd -o lan0 -g sfilter
-A lan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan_frwd -p tcp -j tcpflags
-A lan_frwd -o wan0 -j lan-wan
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A wan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan-fw -p tcp -j tcpflags
-A wan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A wan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A wan-fw -j Drop
-A wan-fw -j LOG --log-prefix "Shorewall:wan-fw:DROP:" --log-level 6
-A wan-fw -j DROP
-A wan-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-lan -j Drop
-A wan-lan -j LOG --log-prefix "Shorewall:wan-lan:DROP:" --log-level 6
-A wan-lan -j DROP
-A wan_frwd -o wan0 -g sfilter
-A wan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan_frwd -p tcp -j tcpflags
-A wan_frwd -o lan0 -j wan-lan
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
This will print out the actual firewall rules. You will need some experience with iptables to understand all their meaning, but the general flow should be understandable.
Configure DHCP
Note: If you have an external DHCP server, or don't need one, you can stop here.
This section is not a complete tutorial on DHCP server setup. To read a more comprehensive tutorial, see:
Start, as always, by creating a backup.
mkdir /etc/dhcp/backups
cp /etc/dhcp/dhcpd.conf /etc/dhcp/backups/
Edit the dhcpd.conf file. Remove the default comments at the top and then configure it for your environment.
vim /etc/dhcp/dhcpd.conf
### Global options
# General domain information
option domain-name "alteeve.ca";
option domain-name-servers 8.8.8.8, 8.8.4.4;
# Tell the server that it's authoritative on our network.
authoritative;
# This is required for EL5 operating systems but is optional on EL6 and newer
# Fedoras (F13+, at least). It controls how dynamic DNS updating is handled. In
# our case, we aren't concerned about DDNS so we'll set it to 'none'.
ddns-update-style none;
### Subnet options
subnet 10.200.0.0 netmask 255.255.0.0 {
# This is the DHCP server, but not the actual Internet gateway. So this
# Argument points our clients to the right box.
option routers 10.200.255.254;
# Set our range. This can be whatever you want so long as it fits in
# your netmask.
range 10.200.1.10 10.200.1.250;
# If clients don't ask, make the lease available for the following
# number of seconds. If the client does ask, allow up to this number of
# seconds. 86,400s = 24h.
default-lease-time 86400;
max-lease-time 86400;
}
Start and enable the dhcp server.
systemctl start dhcpd
systemctl enable dhcpd
Created symlink from /etc/systemd/system/multi-user.target.wants/dhcpd.service to /usr/lib/systemd/system/dhcpd.service.
Make sure it started OK:
systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2016-07-02 04:14:17 EDT; 36s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 1922 (dhcpd)
Status: "Dispatching packets..."
CGroup: /system.slice/dhcpd.service
└─1922 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]:
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: No subnet declaration for wan0 (10.255.1.105).
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: ** Ignoring requests on wan0. If this is not what
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: you want, please write a subnet declaration
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: in your dhcpd.conf file for the network segment
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: to which interface wan0 is attached. **
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]:
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on Socket/fallback/fallback-net
Jul 02 04:14:17 an-fw05.alteeve.ca systemd[1]: Started DHCPv4 Server Daemon.
Don't worry about that error. We only want the DHCP server listening for requests on lan0. We can verify that it is by checking the journal:
journalctl -n 100 |grep lan0
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Listening on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
Perfect!
If all went well, you now have a fully functioning router and firewall.