[Shorewall-users] Advice on shorewall-init and ipsets (fail2ban)
As a note, I'm a photographer who likes to run their own server for web sites / email, but I am no sys-admin person. I have though been using Shorewall for a number of years now.

I've been building a new server to replace my aging server. CentOS 7 / Virtualmin install for software / admin. BUT I have had to use kernel 4.x so that the Ryzen processor was recognized correctly.

I copied all the Shorewall files across, checked the configuration and Shorewall started up OK. But I could never get Shorewall to start at boot. Tried all the hints I could find on the internet to no avail. Loaded shorewall-init, set up the conf file. But now every time I tried to start it would fail with an error about the ipset "f2b" (from fail2ban). I took all references out of the conf files for Shorewall, did a "shorewall compile". This seems to have solved the error messages I was getting.

Questions.

1/ When using shorewall-init does shorewall itself have to be running, or are the compiled Shorewall rules loaded directly into iptables?
2/ When using fail2ban should I still be trying to push the banned IPs into Shorewall, or should I change the settings to push directly into iptables?
3/ Anything I might have missed?

Kind Regards - Nigel Aves.

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Advice on shorewall-init and ipsets (fail2ban)
Well, I thought I had this working, but no. So confused ( :) ) ..

Start Fail2Ban and do a list of ipsets:

    [root@apache-web-server ~]# ipset list
    Name: SW_DBL4
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
    Size in memory: 384
    References: 0
    Members:

    Name: BlackList
    Type: hash:ip,port
    Revision: 5
    Header: family inet hashsize 1024 maxelem 65536 timeout 3600
    Size in memory: 128
    References: 0
    Members:
    [root@apache-web-server ~]#

Run a check of the Shorewall setup:

    Checking configuration ..
    Checking using Shorewall 5.1.10.2...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Checking /etc/shorewall/zones...
    Checking /etc/shorewall/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Checking /etc/shorewall/policy...
    Running /etc/shorewall/initdone...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Checking TCP Flags filtering...
    Checking Kernel Route Filtering...
    Checking Martian Logging...
    Checking /etc/shorewall/masq...
    Checking MAC Filtration -- Phase 1...
    Checking /etc/shorewall/rules...
    Checking /usr/share/shorewall/deprecated/action.Drop for chain Drop...
       WARNING: "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
    Checking /etc/shorewall/conntrack...
    Checking MAC Filtration -- Phase 2...
    Applying Policies...
    Shorewall configuration verified

.. your firewall configuration looks OK. Apart from not being able to figure out what's wrong with this (a rule I was advised to add! :) ):

    # Filter out noise
    #
    Drop net $FW all

Check the ipsets and both are still there. Now try to start Shorewall:

    Failed to start firewall :
    Compiling using Shorewall 5.1.10.2...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Compiling /etc/shorewall/zones...
    Compiling /etc/shorewall/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Compiling /etc/shorewall/policy...
    Running /etc/shorewall/initdone...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Compiling TCP Flags filtering...
    Compiling Kernel Route Filtering...
    Compiling Martian Logging...
    Compiling /etc/shorewall/masq...
    Compiling MAC Filtration -- Phase 1...
    Compiling /etc/shorewall/rules...
    Compiling /usr/share/shorewall/deprecated/action.Drop for chain Drop...
       WARNING: "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
    Compiling /etc/shorewall/conntrack...
    Compiling MAC Filtration -- Phase 2...
    Applying Policies...
    Generating Rule Matrix...
    Optimizing Ruleset...
    Creating iptables-restore input...
    Shorewall configuration compiled to /var/lib/shorewall/.start
    Starting Shorewall
    Initializing...
    Processing /etc/shorewall/init ...
    Processing /etc/shorewall/tcclear ...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Proxy ARP...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore --wait 60...
    iptables-restore v1.4.21: Set BlackList doesn't exist.

    Error occurred at line: 141
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
       ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
    Processing /etc/shorewall/stop ...
    Processing /etc/shorewall/tcclear ...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore --wait 60...
    Processing /etc/shorewall/stopped ...
    /usr/share/shorewall/lib.common: line 93: 15184 Terminated              $SHOREWALL_SHELL $script $options $@

Now I list ipsets:

    [root@apache-web-server ~]# ipset list
    Name: SW_DBL4
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
    Size in memory: 384
    References: 0
    Members:
    [root@apache-web-server ~]#

and "BlackList" has vanished.

shorewall/init

    #
    # Shorewall -- /etc/shorewall/init
    #
    # Add commands below that you want to be executed at the beginning of
    # a "shorewall start", "shorewall-reload" or "shorewall restart" command.
    #
    # For additional information, see
    # http://shorewall.net/shorewall_extension_scripts.htm
    #
    ###
    ipset create BlackList hash:ip,port timeout 3600 -exist

shorewall/rules

    #
    # Shorewall -- /etc/shorewall/rules
    #
    ?SECTION ALL
    DROP:info net:+BlackList $FW
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW

    --- cut rules, none of them related to ipsets.

    # turn on ipset from fail2ban
    #
    DROP:info net:+BlackList $FW
    # old >>DROP:info net:+f2b all
    #
    # Filter out noise
    #
    Drop net $FW all
    #
    # turn on ipset to stop testing ports from outside
    #
    ADD(SW_DBL4:src):info net $FW
    #
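As an added example (not code from the original post or from the Shorewall project), a pre-flight script that lists the ipsets the rule files reference and reports any that are not loaded, which is the condition iptables-restore rejected above. It assumes /etc/shorewall/rules and /etc/shorewall/blrules as the files to scan and `ipset list -n` as the source of live set names; the function names are mine.

```sh
#!/bin/sh
# Pre-flight check for the "Set BlackList doesn't exist" failure: every ipset
# that the Shorewall rule files reference has to exist before "shorewall start"
# feeds its ruleset to iptables-restore, or the restore aborts and the start is
# rolled back. Pure POSIX sh; only check_live touches the live system.

# Print, sorted and de-duplicated, every ipset name the given rule files
# reference, either as "+Name" (also "+Name[src,dst]") in a SOURCE or DEST
# column, or as the target of ADD(Name:flags) / DEL(Name:flags).
# Comments are stripped first, so an "# old >>DROP ... +f2b" line is ignored.
referenced_sets() {
    sed -e 's/#.*$//' "$@" \
      | grep -oE '(\+|(ADD|DEL)\()[A-Za-z_][A-Za-z0-9_-]*' \
      | sed -E 's/^(\+|ADD\(|DEL\()//' \
      | LC_ALL=C sort -u
}

# Print the names in list file $1 that do not appear in list file $2.
# Both files hold one name per line, sorted with LC_ALL=C as above.
missing_sets() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Compare the rule files against the sets currently loaded in the kernel
# ("ipset list -n"). Returns 1 and lists the missing sets if any are absent.
check_live() {
    files=
    for f in /etc/shorewall/rules /etc/shorewall/blrules; do
        if [ -r "$f" ]; then files="$files $f"; fi
    done
    if [ -z "$files" ]; then
        echo "no readable Shorewall rule files found" >&2
        return 1
    fi
    ref=$(mktemp)
    live=$(mktemp)
    referenced_sets $files > "$ref"        # unquoted on purpose: split into file names
    ipset list -n | LC_ALL=C sort -u > "$live"
    missing=$(missing_sets "$ref" "$live")
    rm -f "$ref" "$live"
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "ipsets referenced by Shorewall rules but not loaded:" >&2
    echo "$missing" >&2
    return 1
}

# Live use: sh ipset-preflight.sh --live && shorewall start
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Running it with --live before "shorewall start" (or from /etc/shorewall/init, after the ipset create line) turns the late iptables-restore abort into an early, named failure.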
[Shorewall-users] Whitelisting and ipsets
Shorewall version 5.2.3.4
Ubuntu Server 20.04.1
Apache web server with mod_security

I've run into an issue that no matter what I have tried, no success. This started a few days ago; my internal network keeps getting "cut off" from Google. Cannot search, open google.com, google messenger service ... I tracked it down to ipsets being created for Google IP addresses; what really surprised me was that I was also getting (occasionally) their DNS servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to find the root cause.

I needed a bandaid to stop the rest of the family complaining ( :) ) so this morning I looked at Shorewall Whitelisting using "blrules", and added this to the blrules file.

    WHITELIST net:172.217.0.0/16 all
    WHITELIST net:8.8.4.4 all
    WHITELIST net:8.8.8.8 all

Ran a Shorewall restart but I am still seeing entries when I do "ipset list SW_DBL4":

    172.217.3.206 timeout 597 packets 1 bytes 52
    172.217.14.195 timeout 598 packets 1 bytes 52

Any ideas as to what I might have done wrong?

Kind Regards, Stay Safe, Nigel.
Shorewall 5.2.3.4 Dump at apache-web-server.twin-peaks-video.com - Sun Nov 15 12:31:31 MST 2020

Shorewall is running
State:Started Sun Nov 15 12:31:21 MST 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Sun Nov 15 12:31:21 MST 2020 by Shorewall version 5.2.3.4)

Counters reset Sun Nov 15 12:31:21 MST 2020

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       29  3117 net-fw     all  --  enp6s0 *       0.0.0.0/0            0.0.0.0/0
       44  5221 loc-fw     all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
       10  1146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      137 62669 net-loc    all  --  enp6s0 enp5s0  0.0.0.0/0            0.0.0.0/0
      114 35602 loc-net    all  --  enp5s0 enp6s0  0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       29 24395 ACCEPT     all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0
       50 27119 fw-loc     all  --  *      enp5s0  0.0.0.0/0            0.0.0.0/0
       10  1146 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

    Chain dbl_log (4 references)
     pkts bytes target     prot opt in     out     source               destination
       52 27913 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            add-set SW_DBL4 src exist timeout 600
       52 27913 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fw-loc (1 references)
     pkts bytes target     prot opt in     out     source               destination
       50 27119 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68 /* DHCPfwd */
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x11
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
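An added check, not from the original post or from Shorewall, that reads `ipset list` output and reports every member that falls inside a network you meant to whitelist, which is what the blrules WHITELIST entries above were supposed to keep out of SW_DBL4. The set name and the whitelist networks are the ones from the post; the function names are mine, and the sample output in the test is constructed.

```sh
#!/bin/sh
# Report members of a dynamic-blacklist ipset that fall inside networks you
# intended to whitelist (the Google range and DNS servers from the post).
# Pure POSIX sh: the parsing works on "ipset list" text, so it runs on saved
# output as well as against the live set.

# Convert a dotted-quad IPv4 address to an integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDRESS NETWORK: succeed if ADDRESS lies inside NETWORK, written as
# a.b.c.d/len; a bare address is treated as /32.
in_net() {
    net=${2%/*}
    plen=${2#*/}
    if [ "$plen" = "$2" ]; then plen=32; fi
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Read "ipset list" output on stdin and print every member whose address is
# inside one of the whitelist networks given as arguments. Handles the
# hash:net/hash:ip member form "1.2.3.4 timeout 597 packets 1 bytes 52" and
# the hash:ip,port form "1.2.3.4,tcp:443 timeout 3000".
whitelisted_members() {
    in_members=0
    while IFS= read -r line; do
        case $line in
            Members:*) in_members=1; continue ;;
            Name:*)    in_members=0; continue ;;
        esac
        [ "$in_members" -eq 1 ] || continue
        ip=${line%% *}          # first field: the member itself
        ip=${ip%%,*}            # strip ",proto:port" from hash:ip,port sets
        [ -n "$ip" ] || continue
        for n in "$@"; do
            if in_net "$ip" "$n"; then
                echo "$ip in $n: $line"
                break
            fi
        done
    done
}

# Live use: sh whitelist-check.sh SW_DBL4 172.217.0.0/16 8.8.4.4 8.8.8.8
if [ $# -ge 2 ]; then
    setname=$1
    shift
    ipset list "$setname" | whitelisted_members "$@"
fi
```

A non-empty report means the address is still being added to the set by an ADD rule (see the dbl_log chain above, "add-set SW_DBL4 src exist timeout 600") regardless of the whitelist, so that rule's position relative to the WHITELIST entries is where to look.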
Re: [Shorewall-users] Whitelisting and ipsets
Justin,

Thank you for your reply. Bad News followed by Good News!

Justin, thanks for the response. By chance I discovered that Gmail had stuffed your reply in Spam :(

>> Are you running a cronjob which is messing with it ?

I've checked the Cron jobs and I don't see anything that could be causing this issue. (It's an issue that "started a few days ago", and I've not changed anything in Cron for a few months.)

>> When / how often are the ipsets being changed/added ?

This is almost happening on a constant basis. I clear all the ipsets, everything works OK, then in 5 to 15 minutes (searching, google.com, messenger (on Chromebook)), it all stops working and those two IP numbers are right back in the ipsets. And what makes things even more confusing is that Firefox will connect and work perfectly, even when Chrome will not! So I might be barking up the wrong tree. Going to have a look at "psacct" now.

*ADDED LATER* (had to rewrite as the original message had become too large)

This makes it stranger but I seem to have become lucky. I did not understand how Firefox worked all OK, but Chrome did not. If ipsets were blocking incoming requests to Chrome, they should also have been blocking everything, including Firefox. So I downloaded and installed Opera to see if that would work. The issue has now magically gone away. So whatever was causing this issue seems to be related to Chrome and the PC that I work on.

Many Thanks, Stay Safe, Nigel.

On Sun, Nov 15, 2020 at 12:36 PM Nigel Aves wrote:
> Shorewall version 5.2.3.4
> Ubuntu Server 20.04.1
> Apache web server with mod_security
>
> I've run into an issue that no matter what I have tried, no success. This
> started a few days ago, my internal network keeps getting "cut off" from
> Google. Cannot search, open google.com, google messenger service ... I
> tracked it down to ipsets being created for Google IP addresses, what
> really surprised me was that I was also getting (occasionally) their DNS
> servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to
> find the root cause.
>
> I needed a bandaid to stop the rest of the family complaining ( :) ) so
> this morning I looked at Shorewall Whitelisting using "blrules", and added
> this to the blrules file.
>
> WHITELIST net:172.217.0.0/16 all
> WHITELIST net:8.8.4.4 all
> WHITELIST net:8.8.8.8 all
>
> Ran a Shorewall restart but I am still seeing entries when I do "ipset
> list SW_DBL4"
>
> 172.217.3.206 timeout 597 packets 1 bytes 52
> 172.217.14.195 timeout 598 packets 1 bytes 52
>
> Any ideas as to what I might have done wrong?
>
> Kind Regards, Stay Safe, Nigel.
[Shorewall-users] Issue with IPSETS
I've run into a strange issue, and it's only been happening over the last couple of months. But every now and then we lose the connection to Facebook (and very, very occasionally to Google) and no one can connect. But if I clear the IPSETS then Facebook will start working again.

Has anyone else seen this or know how to stop it?

Many Thanks - Nigel.
Re: [Shorewall-users] shorewall with rocky 9
I had a similar issue with Debian 12 ... Discovered this works in the snat file:

    MASQUERADE enp38s0 enp36s0

Might be worth a try.

Nigel.

On Wed, Feb 14, 2024 at 3:22 AM wrote:
> Hi!
>
> It is a simple scenario with 2 NICs, WAN and LAN.
>
> LAN -> WAN with full access
>
> The same config that works with shorewall 5.1 doesn't work with 5.2.
>
> snat file contains:
>
> MASQUERADE 192.168.1.0/24 enp32s0f0
>
> shorewall.conf changed: startup=YES
>
> Some command to try to debug why it works with 5.1 but the same config doesn't with 5.2?
>
> Thx
>
> On 2024-02-13 18:49, Tuomo Soini wrote:
> > On Tue, 13 Feb 2024 21:15:52 +
> > Rodrigo Araujo wrote:
> >
> >> It works fine here with rpms rebuilt from the Fedora src.rpm packages
> >> and iptables-legacy packages from EPEL.
> >>
> >> Ensure you remove (or at least disable and stop) firewalld, and also
> >> make sure the ipset package is installed. Other than that, I'm not
> >> remembering anything.
> >
> > It also works very well with iptables-nft (so without iptables-legacy).

--
*Be Safe Out There.*
*Nigel Aves*
p.s. We have many fine video podcasts on YouTube. These are all interview-based, and pretty well cover every subject. All our shows are here: *Captn's Lounge Studios <https://tinyurl.com/2vurn3yw>*
Please Subscribe to *CIT*
*Come be interviewed: At The Captn's Lounge. <https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>*
Re: [Shorewall-users] shorewall with rocky 9
All I'm doing is saying how it works on my server.

On Wed, Feb 14, 2024 at 7:05 AM Tuomo Soini wrote:
> On Wed, 14 Feb 2024 06:35:02 -0700
> Nigel Aves wrote:
>
> > I had a similar issue with Debian 12 ... Discovered this works in the
> > snat file:
> >
> > MASQUERADE enp38s0 enp36s0
>
> This is not correct syntax. Like the man page shorewall-snat says:
>
> #ACTION     SOURCE          DEST
> MASQUERADE  192.168.0.0/24  eth0
>
> So source must be a network, not an interface.
>
> Also note /etc/shorewall/masq is deprecated.
>
> --
> Tuomo Soini
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>

--
*Be Safe Out There.*
*Nigel Aves*
Re: [Shorewall-users] Accessing the DNAT'ted webserver from inside the LAN
If I am reading this correctly, the DNAT server is your gateway, so make the internal gateway to that server's LAN address.

Nigel.

On Tue, Sep 3, 2024 at 12:12 PM wrote:
>
> Hi!
>
> How do I put a rule to access a DNAT server from the LAN?
>
> I tried to search for how, without success.
>
> Thx

--
*Be Safe Out There.*
*Nigel Aves*
p.s. We have many fine video podcasts on YouTube. These are all interview-based, and pretty well cover every subject. All our shows are here: *Captn's Lounge Studios <https://captnslounge.com/>* Or on YouTube: CIT Network <https://www.youtube.com/@citnetwork5407>
Please Subscribe to *CIT*
*Come be interviewed: At The Captn's Lounge. <https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>*
[Shorewall-users] Adding download control for internal interface - qdisk errors out
Shorewall version 4.4.7

I have managed to configure Shorewall successfully for traffic shaping on the upload and that all seems to be working OK. Today I'm trying to control downloading as well, rather than using Squid's delay pools. I followed the on-line documentation but when I try to start Shorewall the following message pops up.

    Setting up Traffic Control...
    RTNETLINK answers: File exists
    ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum 1500 limit 127 perturb 10" Failed
    Processing /etc/shorewall/stop ...

I have had a hunt around and cannot find out what I have done wrong. (No surprises there, I'm no sysadmin type person.) Any help as to what I have done wrong will be gratefully received.

Nigel.

Here are the files (when just using ppp0 everything works perfectly; I commented out the eth1 lines to get the firewall working).

tcdevices

    ppp0 6200kbit 4400kbit
    eth1 - 100mbits

tcclasses

    ppp0 1 5*full/100 full 1 tcp-ack,tos-minimize-delay
    ppp0 2 47*full/100 full 2
    ppp0 3 10*full/100 full 3
    ppp0 4 5*full/100 full 4
    ppp0 5 29*full/100 full 5
    ppp0 6 4*full/100 full 6 default
    #eth1 1 5*full/100 full 1 tcp-ack
    #eth1 3 10*full/100 full 2
    #eth1 4 5*full/100 full 3
    #eth1 5 70*full/100 full 4
    #eth1 6 10*full/100 full 5 default

I think it's the tcclasses it does not like, because if I keep the tcrules for just the ppp0 interface I still get the error message when I un-comment "eth1".

tcrules

    1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
    1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
    2:T 207.224.48.222 0.0.0.0/0 tcp - 80,443
    3:T 0.0.0.0/0 0.0.0.0/0 tcp 53
    3:T 0.0.0.0/0 0.0.0.0/0 udp 53
    # 3:F ppp0 eth1 tcp - 53
    # 3:F ppp0 eth1 udp - 53
    4:T 0.0.0.0/0 0.0.0.0/0 tcp 25
    4:T 0.0.0.0/0 0.0.0.0/0 udp 25
    # 4:F ppp0 eth1 tcp - 25
    # 4:F ppp0 eth1 udp - 25
    5:T 0.0.0.0/0 0.0.0.0/0 tcp 80,443
    # 5:F ppp0 eth1 tcp - 80,443

I've also tried not using eth1 but 192.168.1.0/24.
Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out
Thanks Tom, no hurry.

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Tuesday, February 16, 2010 18:19
To: Shorewall Users
Subject: Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out

Nigel Aves wrote:
> Please find enclosed a zip of the "dump" file

I'll try to get to this in the next several days.

Thanks,
-Tom

--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out
On Tue, 16 Feb 2010 22:52:45 -0800, Tom Eastep wrote:
> Nigel Aves wrote:
>> Thanks Tom, no hurry.
>
> I've been able to reproduce the problem here.
>
> -Tom

Sounds like we found a bug. Thanks for your very prompt action on this - Nigel.

--
From the desk of Nigel
http://soft-focus-imagining.com
http://rational-alchemy.com
http://twin-peaks-video.com
Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out
Tom,

Patch worked perfectly ... Thank you.

Nigel.

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Wednesday, February 17, 2010 07:37
To: Shorewall Users
Subject: Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out

Tom Eastep wrote:
> Nigel Aves wrote:
>> Thanks Tom, no hurry.
>
> I've been able to reproduce the problem here.

Here's a patch:

    patch /usr/share/shorewall/Shorewall/Tc.pm < sfqclassnum.diff

Please let me know if it works for you.

-Tom
Re: [Shorewall-users] Shorewall Development Schedule
I agree with Trent. Shorewall is a mature, well-crafted product that pretty well (if not completely) supports everything that a user would want a firewall to do. I'm just not the person to do this (not being a programmer), but if there was one thing I would like to see enhanced it's the plugin module for Shorewall on Webmin, and possibly some "setup" documentation for a dummy like me!

Nigel.

-----Original Message-----
From: Trent O'Callaghan [mailto:trent.ocallag...@nearmap.com]
Sent: Monday, March 08, 2010 17:24
To: 'Shorewall Users'
Subject: Re: [Shorewall-users] Shorewall Development Schedule

Hi Tom,

I concur on Shorewall reaching maturity. Thanks for your sustained efforts to respond to the need for an open source firewall in the ever evolving Linux world.

Kind regards,
Trent O'Callaghan
Network Manager
www.nearmap.com

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Tuesday, 9 March 2010 5:38 AM
To: Shorewall Users; Shorewall Development
Subject: [Shorewall-users] Shorewall Development Schedule

As Shorewall reaches maturity, it seems unlikely that the pace of development typical of the past 9 years will be sustained. Over that time, major releases have occurred approximately once per year; the last major release (4.4) was in August 2009. I do not currently have an active 4.5 development branch so it is very unlikely that we will see a 4.6 release this year. Going forward, I would expect a new minor release every 2-3 months. These minor releases will be preceded by Beta and RC releases like we have been having since 4.4.6.

-Tom
Re: [Shorewall-users] Problem with traffic shaping
I am no expert on this but your tcrules file is missing. You need to define those rules so Shorewall knows what traffic to mark.

On 8/23/2010 11:16, Jonh Jonh wrote:
> Traffic Shaping
>
> I try to limit bandwidth, but it doesn't work. It doesn't limit bandwidth correctly.
> I'm using OpenWrt, shorewall 4.2.4, dansguardian 2.10.0.3 and squid 2.6.STABLE14.
>
> My configuration is:
>
> shorewall version 4.2.4
>
> Kernel
> r...@localhost:/etc/shorewall# uname -r
> 2.6.25.20
>
> r...@localhost:/etc/shorewall# cat zones
> fw firewall
> loc ipv4
> net ipv4
>
> r...@localhost:/etc/shorewall# cat policy
> fw all ACCEPT - -
> loc all ACCEPT - -
> net all DROP - -
> all all REJECT - -
>
> r...@localhost:/etc/shorewall# cat masq
> eth0 eth1
>
> r...@localhost:/etc/shorewall# cat rules
> ACCEPT net fw tcp 22 - -
> REDIRECT loc 8080 tcp 80 - - - -
> REDIRECT loc 16667 tcp 1863 - - - -
>
> r...@localhost:/etc/shorewall# cat tcclasses
> eth1 1 full full 2 default
> eth1 2 5kbit 5kbit 2
>
> r...@localhost:/etc/shorewall# cat tcdevices
> eth1 4000kbit 600kbit
>
> Regards,
> Jonh

--
from the desk of Nigel
http://soft-focus-imagining.com
http://twin-peaks-video.com
and for the skeptical side of you http://rational-alchemy.com
[Shorewall-users] Interface names
Quick question on interface names.

I'm building a CentOS 7 server and the interface names are no longer eth* but (on this machine) are:-

    enp2s0 - Outside world
    enp8s0 - Internal network
    enp7s0 - Internal network

I've tried checking the documentation but cannot find a definitive answer. Will Shorewall - Interfaces be OK with these new names, or should I try and revert back to the eth* naming schema? (and it's a bit of a hit and miss getting those names back, but dead easy to lose all your networking! :) )

Nigel.
Re: [Shorewall-users] Interface names
Brian,

Looks like the answer is "yes", it will work OK with the new names. Thank you.

Mathew,

I followed a number of on-line helps. The problem I ran into was that if the core is updated, as soon as you re-boot it goes back to the newer naming convention and no interfaces are working anymore.

Thanks to both, Nigel.

On 10/7/2015 6:11 PM, Brian Burch wrote:
> On 08/10/15 00:44, Mathew Crane wrote:
> > Hi Nigel,
> >
> > The new udev device naming schema is a bit daunting at first. I recommend at least looking over Red Hat's own documentation in regards to this:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html
> >
> > If you want to revert to the old-style naming:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Disabling_Consistent_Network_Device_Naming.html
> >
> > Most modern distros are headed down the systemd-udevd path. I recommend using the CentOS 7 defaults and renaming via /etc/udev/rules.d/70-persistent-net.rules instead of disabling the feature altogether. Here's an example for yours. Replace ATTR{address}== with the MAC addresses of your interfaces. Easiest way to get these to take effect is to reboot.
> >
> > /etc/udev/rules.d/70-persistent-net.rules:
> >
> > SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{address}=="00:0e:b7:34:10:38", ATTR{type}=="1", KERNEL=="enp*", NAME="eth0"
> > SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{address}=="00:0e:b7:34:10:39", ATTR{type}=="1", KERNEL=="enp*", NAME="eth1"
> > SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{address}=="00:0e:b7:34:10:3a", ATTR{type}=="1", KERNEL=="enp*", NAME="eth2"
> >
> > You can get creative with the naming. For mine, I use 'wan0', 'lan0', 'wifi0', etc.
> >
> > Hope this helps!
> >
> > mateo
> >
> > On Wed, Oct 7, 2015 at 7:03 PM, Nigel Aves <ni...@twin-peaks-video.com> wrote:
> > > Quick question on interface names.
> > >
> > > I'm building a CentOS 7 server and the interface names are no longer eth* but (on this machine) are:-
> > >
> > > enp2s0 - Outside world
> > > enp8s0 - Internal network
> > > enp7s0 - Internal network
> > >
> > > I've tried checking the documentation but cannot find a definitive answer. Will Shorewall - Interfaces be OK with these new names, or should I try and revert back to the eth* naming schema?
>
> One of my ubuntu servers has its interfaces automatically named as p33p1 and p34p1. I simply changed the old eth0/eth1 names to the new ones in these shorewall files and it has been working fine for a couple of years:
>
> * interfaces (obviously!)
> * hosts (because I have multiple subnets on both interfaces)
> * masq
> * tcinterfaces
>
> Why not just "grep -lir eth /etc/shorewall/" and edit the files?
>
> HTH
>
> Brian
>
> > > (and it's a bit of a hit and miss getting those names back, but dead easy to lose all your networking! :) )
> > >
> > > Nigel.

--
from the desk of Nigel
http://soft-focus-imagining.com
http://twin-peaks-video.com
Re: [Shorewall-users] blacklist if connection attempt on unused port
I was trying to implement this "ipset" solution and I keep hitting a brick wall. I'm no expert on this, so I was hoping for some guidance. I have searched and searched trying to find the solution but to no avail.

In the Shorewall dump I have the following (which from some documentation seems to be correct, and what I need):-

Ipset Match (IPSET_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available

But following this post, when I try and change "DYNAMIC_BLACKLIST" it always errors out. (Tried both solutions in email)

ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I'd be very grateful if someone could point me in the right direction as to what I am doing wrong.

Many Thanks - Nigel

On 11/28/2016 6:06 AM, Vieri Di Paola wrote:
> From: Tom Eastep
>> Configure ipset-based dynamic blacklisting:
>>
>> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>>
>> then put this at the bottom of your rules:
>>
>> ADD(SW_DBL4,src)    net    $FW
>
> I believe the separator is : instead of ,.
>
> I have this now in rules:
>
> ADD(SW_DBL4:src)    net1    $FW
> ADD(SW_DBL4:src)    net2    $FW
> ADD(SW_DBL4:src)    net3    $FW
>
> and this in shorewall.conf:
>
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600
>
> ipset list SW_DBL4 shows that the set is growing fast...
>
> I understand there's no special flag requirement for net "interfaces", not even "blacklist" as we're using ipsets here, not files.
>
> Thanks,
>
> Vieri
Re: [Shorewall-users] blacklist if connection attempt on unused port
Vieri,

Thank you for your help. I'm running Shorewall 5.0.8.2-1.el7, so that explains it. Typically I prefer to use the updates as they become "official" in the repositories. (I'm no Linux expert :) and I use Webmin / Virtualmin to help me keep the system running). I'll hold off for the moment, though I did find all the required RPMs.

Kind Regards - Nigel.

On 12/1/2016 12:49 AM, Vieri Di Paola wrote:
> - Original Message -
> From: Nigel Aves
>> But following this post, when I try and change "DYNAMIC_BLACKLIST" it always errors out. (Tried both solutions in email)
>>
>> ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST
>>
>> or
>>
>> ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST
>
> I had the same issue with an older Shorewall 5 version. Just upgrade. I'm using 5.0.14.1 now.
>
> Vieri
Re: [Shorewall-users] Yahoo mail connection issue
Pete,

Do you have an AT&T or Bellsouth email address? If you do, or know someone who does, check out the email header. I've found in the past that it is a good source for debugging.

Nigel.

On 1/5/2017 8:29 AM, pgeenhuizen wrote:
> I'm not sure if this is a shorewall issue or not, but I hope that someone can give me some pointers or ideas how to try to solve this issue.
>
> I'm running Shorewall 4.6.13 on Centos 6.8, and my own mail server. I have this rule in place for my email
>
> DNAT    net    loc:192.xxx.xxx.16    tcp    http,https,imap,imaps,smtp,smtps
>
> My problem is that whenever someone using an AT&T phone or from Bellsouth.net sends me email it fails and the email is returned to the sender as failed with this error
>
> "Mail server for "geenhuizen.net" unreachable for too long"
>
> Apparently both AT&T and Bellsouth use yahoo mail service, however if someone on Yahoo mail sends me an email it works just fine.
>
> I've looked through /var/log/maillog but can't find the connection at all, and I can't find any connection in the shorewall logs either. I must confess that I don't know what to specifically look for in the shorewall logs.
>
> So what to do?
>
> Thanks
> Pete
Re: [Shorewall-users] blacklist if connection attempt on unused port
I've become a little stuck on setting up ipset correctly. I followed the instructions from an email as follows:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src)    net    $FW

and after some testing everything seemed to be working all OK. Using Shorewall 5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my Rules file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network machine web sites, like Facebook, just stopped working.

I've tried to find a simple (I'm no IT specialist, just home hobbyist) explanation as to what I have done wrong or missed, and seemed to have hit a brick wall. If someone could point me in right direction I would be very grateful.

Kind Regards, Nigel Aves.

In case it helps, here is my rules file.

DHCPfwd/ACCEPT  loc     fw
#
#
DHCPfwd/ACCEPT  $FW     loc
#
# Accept for web -server
ACCEPT          net     $FW     tcp     80
# no ssl
# ACCEPT        net     $FW     tcp     443
#
#
# Turn FTP off when not transferring files from VideoKing
#
# FTP/ACCEPT    net     fw      -       21
# ACCEPT        net     $FW     tcp     6000:6100
#
## use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT        net     $FW     tcp     1
#
#
SMTP/ACCEPT     net     $FW     -       25
#
DNS(ACCEPT)     $FW     net
#Accept DNS connections from the firewall to the network
#
SSH(ACCEPT)     loc     $FW
#
#Accept SSH connections from the local network for administration
#
Ping(ACCEPT)    loc     $FW
#
#Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT            net     loc:192.168.1.180       udp     27177
DNAT            net     loc:192.168.1.180       udp     27178
DNAT            net     loc:192.168.1.180       tcp     27177
DNAT            net     loc:192.168.1.180       tcp     27178
#
ACCEPT          loc     $FW     tcp
ACCEPT          loc     $FW     udp
#
DNS(ACCEPT)     loc     $FW
SMB(ACCEPT)     loc     $FW
SMB(ACCEPT)     $FW     loc
#
DNS(ACCEPT)     phone   $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
# Ping(DROP)    net     $FW
ACCEPT          $FW     loc     icmp
ACCEPT          $FW     net     icmp
# ACCEPT        $FW     phone   icmp
#
# turn on ipset to stop testing ports from outside
#
#
ADD(SW_DBL4:src)        net     $FW
Re: [Shorewall-users] blacklist if connection attempt on unused port
Tom,

Just tested your fix. Everything seems to be working perfectly from the outside and the inside.

Many Thanks, Nigel.

On 1/18/2017 10:12 AM, Tom Eastep wrote:
> On 01/18/2017 07:01 AM, Nigel Aves wrote:
>> I've become a little stuck on setting up ipset correctly. I followed the instructions from an email as follows:
>>
>> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>>
>> and in Rules at end
>>
>> ADD(SW_DBL4:src)    net    $FW
>>
>> and after some testing everything seemed to be working all OK. Using Shorewall 5.0.14.1
>>
>> I have port 80 (web server) and 25 (Postfix server) open in my Rules file. Internal network using 192.168.1.1 on eth1
>>
>> But as soon as I tried using the browser on my local network machine web sites, like Facebook, just stopped working.
>>
>> I've tried to find a simple (I'm no IT specialist, just home hobbyist) explanation as to what I have done wrong or missed, and seemed to have hit a brick wall. If someone could point me in right direction I would be very grateful.
>>
>> Kind Regards, Nigel Aves.
>>
>> In case it helps, here is my rules file.
>>
>> DHCPfwd/ACCEPT  loc     fw
>> #
>> #
>> DHCPfwd/ACCEPT  $FW     loc
>> #
>> # Accept for web -server
>> ACCEPT          net     $FW     tcp     80
>> # no ssl
>> # ACCEPT        net     $FW     tcp     443
>> #
>> #
>> # Turn FTP off when not transferring files from VideoKing
>> #
>> # FTP/ACCEPT    net     fw      -       21
>> # ACCEPT        net     $FW     tcp     6000:6100
>> #
>> ## use Webmin while away, turn off when returned. Here is the setting
>> # Don't forget to turn on for trips.
>> #
>> # ACCEPT        net     $FW     tcp     1
>> #
>> #
>> SMTP/ACCEPT     net     $FW     -       25
>> #
>> DNS(ACCEPT)     $FW     net
>> #Accept DNS connections from the firewall to the network
>> #
>> SSH(ACCEPT)     loc     $FW
>> #
>> #Accept SSH connections from the local network for administration
>> #
>> Ping(ACCEPT)    loc     $FW
>> #
>> #Allow Ping from the local network
>> #
>> #
>> ## Internal accepts
>> #
>> #Cable TV forward
>> DNAT            net     loc:192.168.1.180       udp     27177
>> DNAT            net     loc:192.168.1.180       udp     27178
>> DNAT            net     loc:192.168.1.180       tcp     27177
>> DNAT            net     loc:192.168.1.180       tcp     27178
>> #
>> ACCEPT          loc     $FW     tcp
>> ACCEPT          loc     $FW     udp
>> #
>> DNS(ACCEPT)     loc     $FW
>> SMB(ACCEPT)     loc     $FW
>> SMB(ACCEPT)     $FW     loc
>> #
>> DNS(ACCEPT)     phone   $FW
>> #
>> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
>> #
>> # Ping(DROP)    net     $FW
>> ACCEPT          $FW     loc     icmp
>> ACCEPT          $FW     net     icmp
>> # ACCEPT        $FW     phone   icmp
>> #
>> # turn on ipset to stop testing ports from outside
>> #
>> #
>> ADD(SW_DBL4:src)        net     $FW
>
> I suspect that you are blacklisting the upstream DNS name servers. Try this:
>
> #
> # Filter out noise
> #
> Drop                    net     $FW
> #
> # turn on ipset to stop testing ports from outside
> #
> ADD(SW_DBL4:src):info   net     $FW
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \
[Shorewall-users] Testing if ipsets are working.
Is there a way of "knowing" that ipsets are working correctly? I've looked through the dump file and that does not seem to contain the information I need.

The reason I ask, is that I have changed fail2ban to use ipsets to pass the information across to shorewall. The reason I have done this is because the old method stopped working after implementing "blacklist if connection attempt on unused port"

2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO [postfix-sasl] Found 89.248.171.234
2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions[5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121

I have tried two different methods in the rules file.

DROP:info    net:+f2b    $FW          >> this was from a tutorial I discovered

and

ADD(f2b:src):info    net    $FW       >> this is a modified version of Tom's "blacklist if connection "

I have created the ipset all OK and get IPs

# ipset list f2b
Name: f2b
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 20048
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
87.241.171.225 timeout 290
124.228.112.30 timeout 227
181.120.35.243 timeout 78
146.0.235.55 timeout 237

If anyone could point me in the right direction, it would really help. I'm losing too much hair scratching my head!

Many Thanks, Nigel.
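The question above ("is there a way of knowing that ipsets are working?") can be answered from two things already on this machine: the `ipset list` output and the fail2ban log. The following is an added example, not code from the thread or from Shorewall/fail2ban: it parses both, flags a set whose References count is 0 (created, but consulted by no iptables rule, so nothing can ever match it) and lists addresses fail2ban says it banned that never reached the set. The sample set listing and log lines are constructed; the ban of 203.0.113.7 is invented to show a missing member.

```python
import re

# Added example, not from the list thread: check an ipset against the fail2ban log.
# References: 0 in `ipset list` means no rule uses the set; a banned address that is
# not a member means the fail2ban action never reached the set.

def parse_ipset_list(text):
    """Return {set_name: {"references": int, "members": {ip: timeout_or_None}}}."""
    sets, cur, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                          # blank line ends a set's member list
            in_members = False
        elif line.startswith("Name:"):
            cur = sets.setdefault(line.split(":", 1)[1].strip(), {"references": 0, "members": {}})
            in_members = False
        elif cur is None:                     # ignore anything before the first Name:
            continue
        elif line.startswith("References:"):
            cur["references"] = int(line.split(":", 1)[1])
        elif line.startswith("Members:"):
            in_members = True
        elif in_members:                      # "1.2.3.4 timeout 83162" or bare "1.2.3.4"
            f = line.split()
            cur["members"][f[0]] = int(f[2]) if len(f) >= 3 and f[1] == "timeout" else None
    return sets

# fail2ban.actions lines read "NOTICE [jail] Ban <ip>" or "NOTICE [jail] <ip> already banned";
# fail2ban.filter "Found <ip>" lines are detections, not bans, and deliberately do not match.
BAN_RE = re.compile(r"fail2ban\.actions\s*\[\d+\]:\s+NOTICE\s+\[[^\]]+\]\s+"
                    r"(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)")

def banned_ips(log_text):
    """Set of addresses the fail2ban log says are (or already were) banned."""
    return {m.group("ip1") or m.group("ip2") for m in BAN_RE.finditer(log_text)}

def check_ipset(sets, set_name, bans):
    """List of problems for one set; an empty list means it looks healthy."""
    s = sets.get(set_name)
    if s is None:
        return [f"set {set_name} does not exist"]
    problems = [f"set {set_name} is not referenced by any rule"] if s["references"] == 0 else []
    for ip in sorted(bans - set(s["members"])):
        problems.append(f"{ip} banned by fail2ban but missing from {set_name}")
    return problems

# Constructed sample data modelled on the thread's output: SW_DBL4 exists but no rule
# uses it; f2b is in use but the constructed ban of 203.0.113.7 never reached it.
SAMPLE_IPSET = """\
Name: SW_DBL4
References: 0
Members:

Name: f2b
Header: family inet hashsize 1024 maxelem 65536 timeout 300
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
"""
SAMPLE_LOG = """\
2017-02-22 17:04:46,613 fail2ban.filter  [5721]: INFO    [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions [5721]: NOTICE  [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:05:01,003 fail2ban.actions [5721]: NOTICE  [postfix-sasl] Ban 203.0.113.7
"""
```

On a real box, feed `parse_ipset_list` the text of `ipset list` and `banned_ips` the contents of /var/log/fail2ban.log, then run `check_ipset` for the set named in your rules (f2b or SW_DBL4).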
[Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW
I recently implemented "blacklist if connection attempt on unused port" from Tom's help and one of the rules was the following:-

ADD(SW_DBL4:src):info    net    $FW

When I do a configuration check I get the following warning

Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
*WARNING: Log Prefix shortened to "Shorewall:net-fw:ADD(SW_DBL4 " /etc/shorewall/rules (line 121)*
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...

not sure if this is causing an issue or not, but thought I should pass it along.

Nigel Aves.
Re: [Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW
Bill,

Thanks for reply. I'm very uncertain what it should be changed to. Tom E. published the setting in an email to help out on a problem I was having getting IPv4 ipsets to work.

Nigel.

On 2/22/2017 7:41 PM, Bill Shirley wrote:
> Look at the LOGTAGONLY section of this page:
> http://www.shorewall.org/shorewall_logging.html
>
> It has an example of using a more meaningful tag (IPv6 tunneling).
>
> Bill
>
> On 2/22/2017 7:56 PM, Nigel Aves wrote:
>> I recently implemented "blacklist if connection attempt on unused port" from Tom's help and one of the rules was the following:-
>>
>> ADD(SW_DBL4:src):info    net    $FW
>>
>> When I do a configuration check I get the following warning
>>
>> Checking /usr/share/shorewall/action.Drop for chain Drop...
>> Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
>> *WARNING: Log Prefix shortened to "Shorewall:net-fw:ADD(SW_DBL4 " /etc/shorewall/rules (line 121)*
>> Checking /etc/shorewall/conntrack...
>> Checking MAC Filtration -- Phase 2...
>>
>> not sure if this is causing an issue or not, but thought I should pass it along.
>>
>> Nigel Aves.
Re: [Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW
Thank you Vieri, I'll give it a go.

On 2/23/2017 9:04 AM, Vieri Di Paola wrote:
> - Original Message -
> From: Nigel Aves
>> Thanks for reply. I'm very uncertain what it should be changed to. Tom E. published the setting in an email to help out on a problem I was having getting IPv4 ipsets to work.
>
> You can try:
>
> LOGTAGONLY=Yes
>
> and then in your rules file, add this to every action:
>
> :info:mytag
>
> where "mytag" can be anything you want. You can then grep it in the log.