Re: [Shorewall-users] Error when using mangle mark range

2014-12-13 Thread Tom Eastep
On 11/26/2014 4:25 AM, Hesham Shakil Ahmed wrote:
> Shorewall doesn’t create the correct rule when using MARK(range) in mangle
> 
> Trying the following rule: 
> 
> MARK(0x100-0x200/0xff00)  10.0.0.0/8  0.0.0.0/0
> 
> fails with error:
> Bad argument `0x100/0xff00'
> Error occurred at line: 90
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in 
> /var/lib/shorewall/.iptables-restore-input
> 
> The rule created is "-A tcpre -s 10.0.0.0/8 -m statistic --mode nth --every 2 
> --packet 0 -j MARK 0x100/0xff00"
> 
> It's missing --set-mark after the -j MARK directive
> 

My apologies for the delay in answering your email - I've been traveling
abroad for the last three weeks. The attached patch seems to correct the
problem.

Thanks,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 02e31e6..0cbde42 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -260,6 +260,8 @@ sub process_mangle_rule1( $$ ) {
$chain ||= $designator;
$chain ||= $default_chain;
 
+   $option = '--set-mark';
+
my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} 
);
 
for ( my $packet = 0; $packet < $marks; $packet++, $markval += 
$increment ) {
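Review bot: `$option = '--set-mark';` is assigned unconditionally right before the per-mark loop, so it overwrites whatever `$option` held on entry to this code; the hunk does not show where `$option` is otherwise set or whether any other MARK variant reaches this loop, so please confirm that, or use `$option ||= '--set-mark';` so an earlier choice is kept. Presumably the loop body (outside the hunk) interpolates `$option` between `-j MARK` and the value/mask, which turns the reported `-j MARK 0x100/0xff00` that iptables-restore rejected with `Bad argument` into `-j MARK --set-mark 0x100/0xff00`; a compile-time test over `MARK(0x100-0x200/0xff00)` that asserts `--set-mark` is present in every generated line would pin the fix down.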


signature.asc
Description: OpenPGP digital signature
--
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] How to get rid of nf_conntrack_sip ?

2014-12-13 Thread Tom Eastep
On 11/26/2014 5:32 AM, Artur Uszyński wrote:
> Hello.
> 
> Shorewall 4.6.4.1
> kernel 3.10.0
> In shorewall.conf I have "DONT_LOAD=nf_conntrack_sip,nf_nat_sip"
> In shorewall.conf I have "AUTOHELPERS=No", HELPERS is empty.
> SIP section in /etc/shorewall/conntrack is commented out (checked - no sip 
> entries in raw table after shorewall start).
> "ports=0" is specified in /etc/shorewall/helpers for appropriate *sip lines 
> (or alternatively all *sip lines commented out).
> There are not any rules specifying port 5060 in /etc/shorewall/rules.
> 
> Despite doing the above steps, nf_conntrack_sip is being loaded during every 
> restart of shorewall (although nf_nat_sip obeys my disposition and never gets 
> loaded).
> 
> Also, after doing "shorewall compile OUTPUT ." inside /etc/shorewall, 
> nf_conntrack_sip module gets automatically loaded (yes, after dry compilation 
> of rules), although resulting OUTPUT file does not contain anything which 
> would load this module.
> 
> nf_conntrack_sip is always at the top of lsmod output, no other modules use 
> it.
> 
> I ended up adding "rmmod nf_conntrack_sip" to /etc/shorewall/started.
> 
> The same happens for shorewall6.
> 
> Is there any way to properly skip loading of this module ?

My apologies for the slow response - I've been traveling in New Zealand
for the last three weeks.

You must also specify DONT_LOAD=nf_conntrack_sip in
/etc/shorewall6/shorewall6.conf and comment out the sip lines in
/etc/shorewall6/conntrack. If you do that, you should be able to restart
either shorewall or shorewall6 without the SIP helper being loaded. I
have verified that in my own configuration. There, I have
AUTOHELPERS=Yes in both .conf files.

Regards,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



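An added check, not part of the thread or of Shorewall, that audits a shorewall/shorewall6 configuration pair against the two conditions in Tom's answer: the module must be listed in DONT_LOAD in every product's .conf, and no uncommented conntrack line may still name the helper (AUTOHELPERS is deliberately not examined, since the answer says the helper stays unloaded with AUTOHELPERS=Yes). The file contents are constructed samples, and the `CT:helper:sip` line assumes the helper-entry syntax of shorewall-conntrack(5).

```python
import re

# Constructed sample files: IPv4 side configured as the reporter described,
# IPv6 side still at defaults, which is the omission the answer points at.
SHOREWALL_CONF = '''
# /etc/shorewall/shorewall.conf (constructed sample)
STARTUP_ENABLED=Yes
DONT_LOAD="nf_conntrack_sip,nf_nat_sip"
AUTOHELPERS=No
HELPERS=
'''

SHOREWALL_CONNTRACK = '''
#ACTION          SOURCE  DEST  PROTO  DPORT
#CT:helper:sip   all     -     udp    5060
'''

SHOREWALL6_CONF_BROKEN = '''
# /etc/shorewall6/shorewall6.conf (constructed sample)
STARTUP_ENABLED=Yes
DONT_LOAD=
AUTOHELPERS=Yes
'''

SHOREWALL6_CONNTRACK_BROKEN = '''
#ACTION          SOURCE  DEST  PROTO  DPORT
CT:helper:sip    all     -     udp    5060
'''

# The same IPv6 files after applying the answer's two fixes.
SHOREWALL6_CONF_FIXED = SHOREWALL6_CONF_BROKEN.replace(
    'DONT_LOAD=', 'DONT_LOAD=nf_conntrack_sip,nf_nat_sip')
SHOREWALL6_CONNTRACK_FIXED = SHOREWALL6_CONNTRACK_BROKEN.replace(
    'CT:helper:sip', '#CT:helper:sip')


def parse_conf(text):
    """Parse KEY=value lines of a shorewall.conf-style file (quotes stripped, '#' comments ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip().strip('"\'')
    return conf


def dont_load_modules(conf):
    """Module names listed in DONT_LOAD (comma separated, possibly empty)."""
    return [m.strip() for m in conf.get('DONT_LOAD', '').split(',') if m.strip()]


def active_helper_lines(conntrack_text, helper):
    """Uncommented conntrack entries that name the helper (e.g. CT:helper:sip)."""
    pattern = re.compile(r'\bhelper:' + re.escape(helper) + r'\b')
    return [line.strip() for line in conntrack_text.splitlines()
            if line.strip() and not line.lstrip().startswith('#') and pattern.search(line)]


def audit_helper(module, helper, configs):
    """configs maps a product name ('shorewall', 'shorewall6') to (conf_text, conntrack_text).
    Returns one finding per violated condition; an empty list means every product both
    lists the module in DONT_LOAD and has its helper entries commented out."""
    findings = []
    for product, (conf_text, conntrack_text) in configs.items():
        if module not in dont_load_modules(parse_conf(conf_text)):
            findings.append(f'{product}: {module} missing from DONT_LOAD')
        for line in active_helper_lines(conntrack_text, helper):
            findings.append(f'{product}: active conntrack entry still loads the helper: {line}')
    return findings


def broken_configs():
    return {'shorewall': (SHOREWALL_CONF, SHOREWALL_CONNTRACK),
            'shorewall6': (SHOREWALL6_CONF_BROKEN, SHOREWALL6_CONNTRACK_BROKEN)}


def fixed_configs():
    return {'shorewall': (SHOREWALL_CONF, SHOREWALL_CONNTRACK),
            'shorewall6': (SHOREWALL6_CONF_FIXED, SHOREWALL6_CONNTRACK_FIXED)}


if __name__ == '__main__':
    for label, cfg in (('before', broken_configs()), ('after', fixed_configs())):
        print(label, audit_helper('nf_conntrack_sip', 'sip', cfg) or ['clean'])
```

On the "before" pair the audit reports both IPv6 omissions and nothing for IPv4, which matches the reporter's symptom of the module reappearing on every restart despite a correct IPv4 configuration; on the "after" pair it reports nothing. To run it against a live box, read the four files from /etc/shorewall and /etc/shorewall6 and pass their contents in place of the samples.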


Re: [Shorewall-users] Multi ISP: How to set a permanent route for a disabled provider

2014-12-13 Thread Tom Eastep
On 12/12/2014 11:57 AM, MBB wrote:

> 
> Is it possible to configure shorewall that it adds a permanent route to
> host 2.2.2.2 in table main, that even when provider SURF is disabled the
> pings to host 2.2.2.2 go through IF web1?
> 
>  
> 
> I'd appreciate any hint to solve this riddle.

You must use your distribution's network configuration tools to add such
a route.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] Error when using mangle mark range

2014-12-13 Thread Hesham Shakil Ahmed
Please don’t apologize! Thank you for your great work.

> On Dec 13, 2014, at 7:06 PM, Tom Eastep wrote:
> 
> On 11/26/2014 4:25 AM, Hesham Shakil Ahmed wrote:
>> Shorewall doesn’t create the correct rule when using MARK(range) in mangle
>> 
>> Trying the following rule: 
>> 
>> MARK(0x100-0x200/0xff00) 10.0.0.0/8  0.0.0.0/0
>> 
>> fails with error:
>> Bad argument `0x100/0xff00'
>> Error occurred at line: 90
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>> ERROR: iptables-restore Failed. Input is in 
>> /var/lib/shorewall/.iptables-restore-input
>> 
>> The rule created is "-A tcpre -s 10.0.0.0/8 -m statistic --mode nth --every 
>> 2 --packet 0 -j MARK 0x100/0xff00"
>> 
>> It's missing --set-mark after the -j MARK directive
>> 
> 
> My apologies for the delay in answering your email - I've been traveling
> abroad for the last three weeks. The attached patch seems to correct the
> problem.
> 
> Thanks,
> -Tom
> -- 
> Tom Eastep\ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \




Re: [Shorewall-users] Dynamic Zone with shorewall-core 4.5.21.9.

2014-12-13 Thread Tom Eastep
On 12/1/2014 2:45 AM, Giuseppe Vitillaro wrote:
> I'm experiencing a problem using a dynamic zone
> 
> I defined long ago, and working without a problem
> 
> for months, with shorewall-core 4.5.21.9 under gentoo.
...
> 
> Switching to a "dynamic_shared" zone
> 
> ast:net ipv4 dynamic_shared
> solves the problem, but I'm still curious to
> understand what is going on here.
> 
>  
> 
> What's the matter? A mistake in my configuration?
> 
> A "bug" introduced in version 4.5.21.6?

Yes. The intent of that change was to eliminate periods from ipset names
but the sed command was incorrect. The attached patch should correct the
problem.

Regards,
-Tom

PS -- my apologies for the slow response; I've been out of the country
for the last three weeks.
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index b869403..9f991c6 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1959,7 +1959,7 @@ add_command() {
ipset=6_${zone}_${interface};
fi
 
-   ipset=$(echo $ipset | sed 's/./_/g');
+   ipset=$(echo $ipset | sed 's/\./_/g');
 
if ! qt $IPSET -L $ipset; then
fatal_error "Zone $zone, interface $interface does not have a 
dynamic host list"
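Review bot: the unescaped `.` in `sed 's/./_/g'` is the regex any-character metacharacter, so the old line rewrote every character of `$ipset` to `_`, turning `6_${zone}_${interface}` into a run of underscores; any two dynamic zones whose names had the same length mapped to the same (nonexistent) set, which is why the following `qt $IPSET -L $ipset` failed and `fatal_error "Zone $zone, interface $interface does not have a dynamic host list"` fired. The escaped `\.` restricts the substitution to literal periods as intended. While here, `echo $ipset` and `$IPSET -L $ipset` leave the variable unquoted; quoting it (`"$ipset"`) guards against word splitting and globbing of names built from user-supplied zone and interface strings, and a `${ipset//./_}` parameter expansion would avoid the subshell altogether if lib.cli may rely on bash.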




Re: [Shorewall-users] QoS for GRE

2014-12-13 Thread Tom Eastep
On 11/26/2014 4:22 PM, jone...@teksavvy.com wrote:
> Hello,
> 
>   Is there support within Shorewall for applying QoS to GRE?  Looks
> like a popular way of doing that is by the use of a so-called
> pre-classify option.  Is there an equivalent in Linux or any other way
> to apply QoS to GRE?
> 
>   I've read somewhere the following, although I'm not sure what is the
> practical meaning of it:
> 
>   "You can set up your queues on top of your physical Ethernet devices,
>then mark packets going through tunnels to go into particular
>queues."
> 
> Any suggestions/comments welcomed.

There is currently no support in Shorewall for applying QoS to tunneled
packets.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] Macrofied DNAT not working

2014-12-13 Thread Tom Eastep
On 12/3/2014 10:05 AM, Philip Le Riche wrote:
> Probably something silly I'm doing but I don't see it for the moment.
> 
> I had rules:
> DNAT    schl    pinet:${Pinet}.1    tcp    ssh     -    ${Schlnet}.129
> DNAT    schl    pinet:${Pinet}.1    tcp    5900    -    ${Schlnet}.129
> plus another 7 pairs with consecutive destination and original
> destination addresses.
> 
> I needed to add an http rule and expand it to 16 IP addresses, so I
> wrote a macro.Pi:
> PARAM   -   -   tcp 5900:5909   -   -
> PARAM   -   -   tcp ssh         -   -
> PARAM   -   -   tcp http        -   -
> 
> and replaced all the former rules by 16 after the fashion:
> Pi(DNAT)    schl    pinet:${Pinet}.1    -    -    -    ${Schlnet}.129
> (I generalised the VNC port while I was at it.)
> 
> Connections utilising those rules were then refused. I don't see why.
> 

I don't either, but if you will send me the original rules file, the
modified rules file and your macro file then I will take a look.

-Tom

PS - My apologies for the slow response; I've been traveling abroad and
only had mobile phone internet access.
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] Dynamic Zone with shorewall-core 4.5.21.9.

2014-12-13 Thread Giuseppe Vitillaro
On Saturday 13 December 2014 08:48:17 Tom Eastep wrote:
> On 12/1/2014 2:45 AM, Giuseppe Vitillaro wrote:
> > I'm experiencing a problem using a dynamic zone
> > 
> > I defined long ago, and working without a problem
> > 
> > for months, with shorewall-core 4.5.21.9 under gentoo.
> ...
> > 
> > Switching to a "dynamic_shared" zone
> > 
> > ast:net ipv4 dynamic_shared
> > solves the problem, but I'm still curious to
> > understand what is going on here.
> > 
> >  
> > 
> > What's the matter? A mistake in my configuration?
> > 
> > A "bug" introduced in version 4.5.21.6?
> 
> Yes. The intent of that change was to eliminate periods from ipset names
> but the sed command was incorrect. The attached patch should correct the
> problem.
> 
> Regards,
> -Tom
> 
> PS -- my apologies for the slow response; I've been out of the country
> for the last three weeks.
> 
Thank you so much, don't worry for the delay.

My bet was for a bug, it is easy to forget
an "escape" with sed ;-)

Thank you so much for the patch, appreciated.

As a gentoo user I hope the patch will get
in the mainstream as soon as possible.

I know it is not your job, but just as an advice:
is it better to open a bug in the shorewall gentoo
bugzilla asking for attention, or will this patch automatically
go down from the upstream to the gentoo portage?

Regards, G. Vitillaro.


Re: [Shorewall-users] Dynamic Zone with shorewall-core 4.5.21.9.

2014-12-13 Thread Tom Eastep
On 12/13/2014 9:34 AM, Giuseppe Vitillaro wrote:

> 
> Thank you so much, don't worry for the delay.  
> 
> My bet was for a bug, it is easy to forget 
> an "escape" with sed ;-)
> 
> Thank you so much for the patch, appreciated.
> 
> As a gentoo user I hope the patch will get
> in the mainstream as soon as possible.
> 

The Gentoo maintainer is good at promptly picking up my patches.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] Macrofied DNAT not working

2014-12-13 Thread Philip Le Riche
Thanks Tom -

It must've been something silly as it seems to be working ok now.
(Unfortunately I only get access to the firewall briefly once a week.)

Regards - Philip

On 13/12/2014 17:01, Tom Eastep wrote:
> On 12/3/2014 10:05 AM, Philip Le Riche wrote:
>> Probably something silly I'm doing but I don't see it for the moment.
>>
>> I had rules:
>> DNAT    schl    pinet:${Pinet}.1    tcp    ssh     -    ${Schlnet}.129
>> DNAT    schl    pinet:${Pinet}.1    tcp    5900    -    ${Schlnet}.129
>> plus another 7 pairs with consecutive destination and original
>> destination addresses.
>>
>> I needed to add an http rule and expand it to 16 IP addresses, so I
>> wrote a macro.Pi:
>> PARAM   -   -   tcp 5900:5909   -   -
>> PARAM   -   -   tcp ssh         -   -
>> PARAM   -   -   tcp http        -   -
>>
>> and replaced all the former rules by 16 after the fashion:
>> Pi(DNAT)    schl    pinet:${Pinet}.1    -    -    -    ${Schlnet}.129
>> (I generalised the VNC port while I was at it.)
>>
>> Connections utilising those rules were then refused. I don't see why.
>>
> I don't either, but if you will send me the original rules file, the
> modified rules file and your macro file then I will take a look.
>
> -Tom
>
> PS - My apologies for the slow response; I've been traveling abroad and
> only had mobile phone internet access.
>
>
