Re: [gentoo-user] Shorewall configuration
On Tuesday, 1 March 2022 16:40:30 GMT Peter Humphrey wrote:
> I hope I'm not facing a complete rehash of firewall config. If so, I may
> return the old modem-router to service instead.

This page suggests it is simple to achieve, by adding it to your /etc/nftables.conf file, assuming one is available. Alternatively, it should be a case of finding the right place to add something appropriate in Shorewall's configuration or script file, so that Shorewall itself creates the required ethertype filter.

https://serverfault.com/questions/1015896/linux-server-dropping-rx-packets-in-netif-receive-skb-core/1016113#1016113
Re: [gentoo-user] Shorewall configuration
On Tuesday, 1 March 2022 14:54:24 GMT Michael wrote:
> Have you seen this regarding the specific ethertypes:
>
> https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

Yes, it's from that site and friends that I've learned what little I have about Home Plug.

> Sadly I don't know anything about Shorewall, but you can look at configuring
> netfilter with some additional hand-crafted rules to drop the above
> ethertypes without logging them.

Hm. Shorewall seems to be a complete subsystem to accept broad intentions and craft iptables rules accordingly. I'll see if it's possible to slip something in upstream of it.

> However, what I would prefer to do in your circumstances is find if your
> router is supported by OpenWRT firmware and configure SQM with FQ-Codel in
> it to manage bufferbloat. I expect this should improve your streaming
> better than whatever AVM have configured in the box.

That route's unlikely to be open to me, though I'll check.

I hope I'm not facing a complete rehash of firewall config. If so, I may return the old modem-router to service instead.

--
Regards,
Peter.
Re: [gentoo-user] Shorewall configuration
On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote:
> Hello list,
>
> I use net-firewall/shorewall to protect my machines; it's served me well for
> many years. My ISP gave me a FritzBox modem-router recently, in the hope of
> better media streaming, but it's spamming my LAN server with HTTP requests
> (port 80). The other machines are left alone; just this one is affected.
>
> The many log entries are not a serious problem, just a nuisance, but I'd
> rather not have to put up with them.
>
> AVM, the modem's maker, says I should set shorewall up on this machine to
> accept either port-80 requests or unsolicited packets of type 0x88e1. That
> type is HomePlug Management, apparently, and the FritzBox is looking for any
> such devices on the LAN. I don't know why it's picked on this one machine
> to query, unless it's because it has the lowest IP address.
>
> Questions:
> 1. Will I be opening myself to external HTTP attacks if I open that port to
> the modem-router? I assume I will, though no such service is running - at
> the moment.
> 2. As far as I can see, shorewall filters only on ports, not packet types.
> If so, how can I specify a packet type to it?
> 3. Does anyone here know how to specify HomePlug in shorewall?
>
> Google hasn't helped much, nor has the Shorewall website, so I hope someone
> here has experience of this.

Have you seen this regarding the specific ethertypes:

https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

Sadly I don't know anything about Shorewall, but you can look at configuring netfilter with some additional hand-crafted rules to drop the above ethertypes without logging them.

However, what I would prefer to do in your circumstances is find if your router is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage bufferbloat. I expect this should improve your streaming better than whatever AVM have configured in the box.
[gentoo-user] Shorewall configuration
Hello list,

I use net-firewall/shorewall to protect my machines; it's served me well for many years. My ISP gave me a FritzBox modem-router recently, in the hope of better media streaming, but it's spamming my LAN server with HTTP requests (port 80). The other machines are left alone; just this one is affected.

The many log entries are not a serious problem, just a nuisance, but I'd rather not have to put up with them.

AVM, the modem's maker, says I should set shorewall up on this machine to accept either port-80 requests or unsolicited packets of type 0x88e1. That type is HomePlug Management, apparently, and the FritzBox is looking for any such devices on the LAN. I don't know why it's picked on this one machine to query, unless it's because it has the lowest IP address.

Questions:
1. Will I be opening myself to external HTTP attacks if I open that port to the modem-router? I assume I will, though no such service is running - at the moment.
2. As far as I can see, shorewall filters only on ports, not packet types. If so, how can I specify a packet type to it?
3. Does anyone here know how to specify HomePlug in shorewall?

Google hasn't helped much, nor has the Shorewall website, so I hope someone here has experience of this.

--
Regards,
Peter.
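The thread's core point (question 2 above, and the nftables suggestion in the replies) is that 0x88e1/0x8912 frames are not IP, so iptables, and therefore Shorewall, never match them; only a link-layer filter can drop them. The following is an added example, not code from the thread or from Shorewall: it parses raw Ethernet headers (including one 802.1Q tag), counts which constructed sample frames an IP-layer firewall could see, and emits an nftables netdev ingress fragment that drops the HomePlug EtherTypes without logging. The numeric `ether type 0x88e1` nft syntax and the `eth0` device name are assumptions.

```python
import struct

# EtherTypes named in the thread. They are not IP, so iptables (and hence Shorewall)
# never sees them; only a link-layer filter (nftables netdev/bridge, ebtables) can drop them.
HOMEPLUG_ETHERTYPES = {0x88E1: "HomePlug AV management", 0x8912: "HomePlug (second type)"}
ETH_P_IP, ETH_P_IPV6, ETH_P_ARP, ETH_P_8021Q = 0x0800, 0x86DD, 0x0806, 0x8100

def ethertype_of(frame: bytes) -> int:
    """Payload EtherType of a raw Ethernet frame, stepping over one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_P_8021Q:  # VLAN-tagged: real EtherType is 4 bytes further on
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype

def classify(frames):
    """Count frames Shorewall/iptables can match (IPv4/IPv6) versus non-IP frames."""
    summary = {"ip_layer": 0, "homeplug": {}, "other_non_ip": {}}
    for frame in frames:
        etype = ethertype_of(frame)
        if etype in (ETH_P_IP, ETH_P_IPV6):
            summary["ip_layer"] += 1
        else:
            bucket = "homeplug" if etype in HOMEPLUG_ETHERTYPES else "other_non_ip"
            summary[bucket][etype] = summary[bucket].get(etype, 0) + 1
    return summary

def nft_drop_rules(ethertypes, device):
    """nftables netdev ingress chain dropping the given EtherTypes without logging.
    Assumption: numeric 'ether type 0x88e1' syntax; device is a placeholder NIC name."""
    lines = ["table netdev filter {", "  chain ingress {",
             f"    type filter hook ingress device {device} priority 0; policy accept;"]
    lines += [f"    ether type 0x{etype:04x} drop" for etype in sorted(ethertypes)]
    return "\n".join(lines + ["  }", "}"])

def make_frame(ethertype, vlan=None, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, fixed src, optional 802.1Q tag."""
    header = b"\xff" * 6 + bytes.fromhex("001122334455")
    if vlan is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan)
    return header + struct.pack("!H", ethertype) + payload

# Constructed sample: two HomePlug AV probes, one VLAN-tagged 0x8912, one IPv4, one ARP.
SAMPLE_FRAMES = [make_frame(0x88E1), make_frame(0x88E1), make_frame(0x8912, vlan=10),
                 make_frame(ETH_P_IP), make_frame(ETH_P_ARP)]
```

Running `classify(SAMPLE_FRAMES)` shows three HomePlug frames that no port-based Shorewall rule could ever have matched, and `nft_drop_rules(HOMEPLUG_ETHERTYPES, "eth0")` prints the fragment to place in /etc/nftables.conf.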
[gentoo-user] shorewall configuration
Hi,

I'm trying to configure snat with shorewall. I read the whole manual on the official site plus some Gentoo Wiki topics. I made a test configuration, but shorewall start didn't start and I can't understand where the problem is. Thank you for any suggestion.

#shorewall show capatibilities:
Shorewall-3.2.9 Chains capatibilities at enigma - Tue Jul 24 16:12:35 EEST 2007
iptables: No chain/target/match by that name

#shorewall start log:
Compiling...
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: ppp0:0.0.0.0/0
loc Zone: eth1:192.168.3.0/24
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Compiling Accounting...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
WARNING: NAT disabled; masq rule ignored
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 529: 9682 Terminated ${VARDIR}/.start $debugging start

--
best regards,
Aleksey V. Kunitskiy
my public GPG/PGP key: http://www.alexey-kv.org.ua/pubkey.asc
Re: [gentoo-user] shorewall configuration
On 24 July 2007, Aleksey V. Kunitskiy wrote:
> Hi,
>
> I'm trying to configure snat with shorewall. I read the whole manual on the
> official site plus some Gentoo Wiki topics. I made a test configuration, but
> shorewall start didn't start and I can't understand where the problem is.
> Thank you for any suggestion.
>
> #shorewall show capatibilities:
> Shorewall-3.2.9 Chains capatibilities at enigma - Tue Jul 24 16:12:35 EEST 2007
> iptables: No chain/target/match by that name
>
> #shorewall start log:
[ snip ]
> Compiling /etc/shorewall/policy...
> WARNING: NAT disabled; masq rule ignored
[snip ]

I think your trouble starts here. Did you try to put any NAT rule into policy? That would be wrong. It belongs to nat. Would you show us your policy file (only the rules in there, *not* all the comments)?

Uwe

--
Jethro Tull: Maybe, I am not done yet!
Re: [gentoo-user] shorewall configuration
On Tuesday 24 July 2007 17:01, Uwe Thiem wrote:
> I think your trouble starts here. Did you try to put any NAT rule into
> policy? That would be wrong. It belongs to nat. Would you show us your
> policy file (only the rules in there, *not* all the comments)?
>
> Uwe

I've found where the problem is. Note the following error:

iptables: No chain/target/match by that name
ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed

In 99% of cases it's because one of the features is missing from the kernel configuration. I've turned on 2 modules in the kernel and it works. Anyway, thanks!

--
best regards,
Aleksey V. Kunitskiy
my public GPG/PGP key: http://www.alexey-kv.org.ua/pubkey.asc
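The resolution above (iptables reporting "No chain/target/match by that name" because the kernel lacked support for the `-m state` match) can be checked against a kernel .config before Shorewall is started. This is an added example, not code from the thread or from Shorewall; the two option names it checks, CONFIG_NF_CONNTRACK and CONFIG_NETFILTER_XT_MATCH_STATE, are my assumption about which options the poster's "2 modules" correspond to (the thread does not name them), and the sample .config is constructed.

```python
import re

# Assumption: kernel options needed by `iptables -m state` (the match in the failing
# command). Names vary across kernel versions; on 2.6.22-era kernels IPv4 conntrack
# additionally needed CONFIG_NF_CONNTRACK_IPV4.
REQUIRED_FOR_STATE_MATCH = {
    "CONFIG_NF_CONNTRACK": "connection tracking core",
    "CONFIG_NETFILTER_XT_MATCH_STATE": "the 'state' match module (xt_state)",
}

def parse_kconfig(text):
    """Map CONFIG_* symbols to 'y', 'm' or 'n' from kernel .config text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(CONFIG_\w+)=(y|m)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def missing_for_state_match(config_text):
    """Required options that are neither built in (y) nor modular (m)."""
    opts = parse_kconfig(config_text)
    return [opt for opt in REQUIRED_FOR_STATE_MATCH if opts.get(opt, "n") == "n"]

def explain_iptables_error(stderr_line, config_text):
    """Turn iptables' 'No chain/target/match by that name' into options to enable."""
    if "No chain/target/match by that name" not in stderr_line:
        return []
    return [f"{opt}: {REQUIRED_FOR_STATE_MATCH[opt]}"
            for opt in missing_for_state_match(config_text)]

# Constructed sample .config: conntrack built as a module, the state match left unset.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_IPTABLES=m
"""
SAMPLE_ERROR = "iptables: No chain/target/match by that name"
```

On a live box, pass the contents of /proc/config.gz (decompressed) or /usr/src/linux/.config as `config_text`; an empty result with the error still present points at a module that is built but not loaded rather than a missing option.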