Re: [Shorewall-users] CARP in Shorewall?

2016-10-28 Thread Filippo Carletti
> That having been said, I'm confident that conntrackd and keepalived
> can work with Shorewall; I haven't spent any time trying to configure
> such a setup.

In the past, I've set up ucarp and conntrackd with shorewall 4.6.4 on
CentOS. I should have notes somewhere.


-- 
Ciao,
Filippo

--
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive. 
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] mangle/rtrules problem

2016-10-28 Thread Philip Le Riche
Thank you - so I take it there's nothing conceptually wrong with my
approach. It'll be next Wednesday before I can get to the machine again
to take a dump though. In fact for other reasons it looks like we'll
have to do this Internet routing lessons another way, but even so I'd
like to understand this for my own satisfaction.  - Philip

On 27/10/2016 22:57, Tom Eastep wrote:
> On 10/27/2016 2:34 PM, Philip Le Riche wrote:
> > Everything in shorewall.conf I didn't seem to need or fully understand I
> > left as out-of-the-box. MARK_IN_FORWARD_CHAIN is set to no so the
> > default prerouting chain would appear to be correct.
>
> Okay
>
>
> > Does Wireshark cohabit comfortably with Shorewall if I wanted to
> > actually see the packets coming in or going out? I presume it monitors
> > the raw socket rather than going anywhere near the IP stack.
>
> Yes
>
> > Or can I
> > use a LOG action to show routing decisions, including those in rtrules?
> > (I have limited access to the machine so I'm afraid I can't just go and
> > try it.)
>
> No.
>
>
> If you will send me the output of 'shorewall dump' collected as
> described at http://www.shorewall.org/support.htm#Guidelines, I'll be
> happy to take a look.
>
> -Tom


Re: [Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip

2016-10-28 Thread Tom Eastep

On 10/27/2016 10:14 PM, Ryan Joiner wrote:
> Hello, I provide SIP trunking to a bunch of my customers and I also
>  mainly have them use shorewall.  I have been using CentOS 6 for
> some time and disabling the nf_nat_sip and nf_conntrack_sip modules
> have always helped with SIP trunking.  In fact, it has been a
> requirement for SIP trunking to work properly.
> 
> For CentOS 7 it seems like these modules don't exist.  I'm
> wondering if you happen to know if that is true or if their name
> just changed.  So far in my testing I have found that the SIP
> trunking just works using shorewall and CentOS 7 without disabling
> any modules, but I just want to be sure there's not something else
> that might bite me later.
> 
> Thanks for everything!

On my CentOS 7 installation, both nf_conntrack_sip.ko and
nf_nat_sip.ko exist in /lib/modules/... and modprobe successfully
loads them.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \


Re: [Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip

2016-10-28 Thread Ryan Joiner
On 10/28/2016 10:01 AM, Tom Eastep wrote:
> On 10/27/2016 10:14 PM, Ryan Joiner wrote:
>> Hello, I provide SIP trunking to a bunch of my customers and I also
>>   mainly have them use shorewall.  I have been using CentOS 6 for
>> some time and disabling the nf_nat_sip and nf_conntrack_sip modules
>> have always helped with SIP trunking.  In fact, it has been a
>> requirement for SIP trunking to work properly.
>>
>> For CentOS 7 it seems like these modules don't exist.  I'm
>> wondering if you happen to know if that is true or if their name
>> just changed.  So far in my testing I have found that the SIP
>> trunking just works using shorewall and CentOS 7 without disabling
>> any modules, but I just want to be sure there's not something else
>> that might bite me later.
>>
>> Thanks for everything!
> On my CentOS 7 installation, both nf_conntrack_sip.ko and
> nf_nat_sip.ko exist in /lib/modules/... and modprobe successfully
> loads them.
>
> -Tom
> -- 
> Tom Eastep\ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \
>
What would be the command to disable them for CentOS7?  I have searched 
a bunch but couldn't find anything.

Do the modules exist as a native part of CentOS, or is that added in by 
Shorewall (Sorry for dumb question)?



Re: [Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip

2016-10-28 Thread Tom Eastep

On 10/28/2016 12:11 PM, Ryan Joiner wrote:

> What would be the command to disable them for CentOS7?  I have
> searched a bunch but couldn't find anything.

a)  rmmod nf_nat_sip
    rmmod nf_conntrack_sip
a)  Set AUTOHELPERS=No in shorewall.conf.
b)  Set HELPERS in shorewall.conf to the list of helpers you actually
want.
c)  Use standard macros for rules in the rules file that require a
helper, such as ftp.

> Do the modules exist as a native part of CentOS, or is that added
> in by Shorewall (Sorry for dumb question)?
> 

They are a native part of CentOS -- Shorewall never installs kernel
modules.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
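
A check for the steps in the reply above, as an added example that is not part of the original message or of Shorewall: it reports whether nf_nat_sip / nf_conntrack_sip are still loaded and whether shorewall.conf still enables the SIP helper. The function names and sample inputs are constructed, and treating an empty HELPERS as "all helpers enabled" is an assumption.

```shell
# Audit whether the SIP helpers are still active. Inputs are text (contents
# of /proc/modules and shorewall.conf), so captured files can be checked offline.

# Print any loaded SIP helper modules, one per line.
sip_modules_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "nf_nat_sip" || $1 == "nf_conntrack_sip" { print $1 }'
}

# Print the last uncommented KEY=value, without inline comment or quotes.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# Print findings (empty when clean); return non-zero if anything is found.
audit_sip_helpers() {
    findings=""
    for m in $(sip_modules_loaded "$1"); do
        findings="${findings}loaded:$m "
    done
    auto=$(conf_value "$2" AUTOHELPERS)
    case "$auto" in
        [Nn][Oo]) ;;
        *) findings="${findings}autohelpers:${auto:-unset} " ;;
    esac
    helpers=$(conf_value "$2" HELPERS)
    if [ -z "$helpers" ]; then
        # Assumption: an empty or missing HELPERS enables every helper.
        findings="${findings}helpers:all "
    else
        case ",$helpers," in *,sip,*) findings="${findings}helpers:sip " ;; esac
    fi
    printf '%s\n' "${findings% }"
    [ -z "$findings" ]
}

# Constructed sample inputs (not taken from the thread).
MODULES_BEFORE='nf_nat_sip 17152 0 - Live 0xffffffffa0500000
nf_conntrack_sip 33860 1 nf_nat_sip, Live 0xffffffffa04f0000
nf_conntrack 133095 2 nf_nat_sip,nf_conntrack_sip, Live 0xffffffffa0400000'
CONF_BEFORE='AUTOHELPERS=Yes
HELPERS='
MODULES_AFTER='nf_conntrack_ftp 18638 0 - Live 0xffffffffa0510000
nf_conntrack 133095 1 nf_conntrack_ftp, Live 0xffffffffa0400000'
CONF_AFTER='AUTOHELPERS=No
HELPERS=ftp'
audit_sip_helpers "$MODULES_BEFORE" "$CONF_BEFORE" || true
audit_sip_helpers "$MODULES_AFTER" "$CONF_AFTER"
```

On a live firewall the two arguments would be `"$(cat /proc/modules)"` and the contents of the shorewall.conf in use.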


Re: [Shorewall-users] unsuscribe

2016-10-28 Thread Tom Eastep

On 10/23/2016 05:32 AM, Nico Pagliaro wrote:
> 
> 
Please see http://www.shorewall.org/FAQ.htm#faq98

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \