Re: [Shorewall-users] Client cannot connect to Internet

2007-02-02 Thread Bryan Vukich
On Fri, 2007-02-02 at 08:46 -0500, Shawn Singh wrote: Hello List, This is my first post to the list, and as such I apologize for the length of it. I tried to put as much detail into this as possible. I recently installed Shorewall on a computer running Gentoo Linux. The computer has 3

Re: [Shorewall-users] Client cannot connect to Internet

2007-02-02 Thread David Mohr
Hi, did things work without shorewall? Disconnect from the internet (unplug the cable), run 'shorewall clear' and at least make sure that the firewall and the client can ping each other before you attempt any shorewall troubleshooting. ~David On 2/2/07, Shawn Singh [EMAIL PROTECTED] wrote:

Re: [Shorewall-users] Client cannot connect to Internet

2007-02-02 Thread Shawn Singh
I think the cable is good. I'll try testing it by connecting b/w two computers that I know have good network setups. At present the end connected to eth1 is wire scheme A, and the end plugged into the client is wire scheme B ... /etc/shorewall/masq: eth1:192.168.1.1eth1

Re: [Shorewall-users] Client cannot connect to Internet

2007-02-02 Thread David Mohr
On 2/2/07, Shawn Singh [EMAIL PROTECTED] wrote: I suspect my shorewall config is correct, I think something network-wise might be screwy. I just can't put my finger on what it is. If you really have the setup that you described, then the only thing network-wise that you have is your crossover

[Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
Is there any interest in having shorewall able to configure iptables/netfilter on a remote node? i.e. one installs shorewall on node foo, and executes the shorewall command(s) on node foo but has it install the actual rules on node bar? Indeed, a single shorewall installation could install

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Stephen Carville
Brian J. Murrell wrote: Is there any interest in having shorewall able to configure iptables/netfilter on a remote node? i.e. one installs shorewall on node foo, and executes the shorewall command(s) on node foo but has it install the actual rules on node bar? Indeed, a single shorewall

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
On Fri, 2007-02-02 at 10:17 -0800, Stephen Carville wrote: I've been thinking of implementing that but as a wrapper. Not sure I follow as a wrapper. My idea was to manage separate configurations in a subversion repository Sure, in SVN if one wishes. and do the editing and validation

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
On Fri, 2007-02-02 at 10:54 -0800, Tom Eastep wrote: Shorewall can already do this. It's what Shorewall Lite is all about. See http://www.shorewall.net/CompiledPrograms.html#Lite Hrm. How much of the grunt work is offloaded from the firewall system though? I find rule compilation quite

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Brian J. Murrell wrote: On Fri, 2007-02-02 at 10:54 -0800, Tom Eastep wrote: Shorewall can already do this. It's what Shorewall Lite is all about. See http://www.shorewall.net/CompiledPrograms.html#Lite Hrm. How much of the grunt work is offloaded from the firewall system though? I find

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Andrew Suffield
Brian J. Murrell wrote: Hrm. How much of the grunt work is offloaded from the firewall system though? And to put a number on that, I find it's usually about a 10:1 split. The part that's left running on the firewall system appears to spend almost all its time doing the fork+exec thing for

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Andrew Suffield wrote: Brian J. Murrell wrote: Hrm. How much of the grunt work is offloaded from the firewall system though? And to put a number on that, I find it's usually about a 10:1 split. The part that's left running on the firewall system appears to spend almost all its time doing

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
Does the administrative system still need access to /etc/shorewall/shorewall.conf? I would have thought it would use the shorewall.conf in the target's export dir: $ /sbin/shorewall load -c gw Cannot read /etc/shorewall/shorewall.conf! (Hint: Are you root?) $ ls accounting maclist

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
On Fri, 2007-02-02 at 11:53 -0800, Tom Eastep wrote: It does for most things. The compiler runs under the SHOREWALL_SHELL specified in /etc/shorewall/shorewall.conf, however. Ahhh. As just a minor point of documentation then, in http://www.shorewall.net/CompiledPrograms.html there is a note

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Brian J. Murrell wrote: But the problem is: ERROR: Can't determine the IP address of eth1 Of course eth1 lives on the firewall, not the admin box, yet the admin box is trying to do: + find_first_interface_address eth1 + ip -f inet addr show eth1 ... That is something that is

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Tom Eastep wrote: Brian J. Murrell wrote: But the problem is: ERROR: Can't determine the IP address of eth1 Of course eth1 lives on the firewall, not the admin box, yet the admin box is trying to do: + find_first_interface_address eth1 + ip -f inet addr show eth1 ... That is

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Bryan Vukich
Ubuntu packages are not unique in that regard, Fedora Core packages use -rw---. On Fri, 2007-02-02 at 12:33 -0800, Tom Eastep wrote: Brian J. Murrell wrote: If you are running Shorewall 3.2.6 or later then: cd export directory /sbin/shorewall load -c firewall

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Tom Eastep wrote: If you need to set an address in /etc/shorewall/params, here's a trick: if [ $HOSTNAME = remote ]; then ADDR=$(find_first_interface_address eth1) else ADDR=$(ssh [EMAIL PROTECTED] shorewall-lite call find_first_interface_address eth1) fi Please disregard --

[Shorewall-users] /etc/shorewall/masq: SNAT without outgoing interface;

2007-02-02 Thread Adam Lis
Hi! Is it possible to create SNAT using /etc/shorewall/masq without pointing any outgoing interface? Please refer to below configuration. eth0 IP: 30.0.0.1/30; default gateway: 30.0.0.2/30 via eth0; my ISP; eth1 IP: 80.10.20.1/24; the rest of my public IP pool; eth2 IP: 10.0.2.1/24; private net

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
On Fri, 2007-02-02 at 12:25 -0800, Tom Eastep wrote: Or are you calling find_first_interface_address out of your /etc/shorewall/params script? ~sigh~ Yeah, that's it. I think the Multi-ISP document had me do that. It seems, I guess, that grabbing capabilities should also grab some basic

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Brian J. Murrell
On Fri, 2007-02-02 at 13:07 -0800, Tom Eastep wrote: Tom Eastep wrote: If you need to set an address in /etc/shorewall/params, here's a trick: if [ $HOSTNAME = remote ]; then ADDR=$(find_first_interface_address eth1) else ADDR=$(ssh [EMAIL PROTECTED] shorewall-lite call

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Brian J. Murrell wrote: On Fri, 2007-02-02 at 12:25 -0800, Tom Eastep wrote: Or are you calling find_first_interface_address out of your /etc/shorewall/params script? ~sigh~ Yeah, that's it. I think the Multi-ISP document had me do that. It seems, I guess, that grabbing capabilities

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Brian J. Murrell wrote: So what is the valid way to do that? Just drop the :P (this whole marking stuff is still fairly green for me yet). Yes -- just drop the :P. Might want to update http://www.shorewall.net/FAQ.htm#faq58. :-) Yep -- thanks. -Tom -- Tom Eastep\ Nothing is

Re: [Shorewall-users] shorewall to a remote host

2007-02-02 Thread Tom Eastep
Brian J. Murrell wrote: On Fri, 2007-02-02 at 17:20 -0800, Tom Eastep wrote: Yep -- thanks. NP. Unfortunately, the gains I was hoping for in using shorewall-lite are just not there, but more importantly... I have this suspicion that shorewall-lite is not going to deal with an interface