Re: [Shorewall-users] Strangeness with SANE macro - any ideas?
On Fri, Mar 01, 2024 at 12:43:24PM +0200, Tuomo Soini wrote:
> On Thu, 29 Feb 2024 17:17:15 -0500
> Roberto C. Sánchez wrote:
>
> > The odd thing is that I know I have other helpers working correctly. I
> > have AUTOHELPERS=Yes in /etc/shorewall/shorewall.conf and things like
> > FTP work as expected.
>
> See this part of documentation. Nobody should have AUTOHELPERS enabled
> any more. I suggest you switch to AUTOHELPERS=No and test again because
> you likely have later than 3.5 kernel.
>
> https://shorewall.org/Helpers.html#idm217
>
Thanks for the pointer. That did turn out to be exactly the bit of
information I needed. In retrospect, when I was troubleshooting the
problem and I looked in macro.SANE at "! $AUTOHELPERS" it should have
occurred to me that "AUTOHELPERS=Yes" was actually the source of my
problem.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Strangeness with SANE macro - any ideas?
On Fri, Mar 01, 2024 at 12:43:24PM +0200, Tuomo Soini wrote:
> On Thu, 29 Feb 2024 17:17:15 -0500
> Roberto C. Sánchez wrote:
>
> > The odd thing is that I know I have other helpers working correctly. I
> > have AUTOHELPERS=Yes in /etc/shorewall/shorewall.conf and things like
> > FTP work as expected.
>
> See this part of documentation. Nobody should have AUTOHELPERS enabled
> any more. I suggest you switch to AUTOHELPERS=No and test again because
> you likely have later than 3.5 kernel.
>
> https://shorewall.org/Helpers.html#idm217
>
Wow. I most definitely missed that. Thanks for the pointer to the FAQ. I
will certainly update the config and re-test. The configuration on this
particular machine originally dates from 2001, so I'm sure I've missed a
few things I should have changed on upgrades.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[Shorewall-users] Strangeness with SANE macro - any ideas?
Hi Everyone,

I know I've been away for a while. I recently encountered something strange
with macro.SANE.

I relocated the scanner in my office (actually an MFP) away from my desk.
It sits next to the machine which is my router/gateway (and which runs
Shorewall). Setting up network printing (via CUPS) was straightforward.
However, setting up scanning to work over the network proved troublesome.
In the end I figured out that even with a SANE/ACCEPT rule that somehow
connection tracking wasn't working (based on the presence of "reject"
messages in syslog where I correlated the DPT with the port on which a
saned was spawned and listening).

Today I made another attempt on it and it seems that the way the macro is
written, the connection tracking helper does not get loaded:

    ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
    PARAM - - tcp 6566 { helper=sane }
    ?else
    PARAM - - tcp 6566
    ?endif

When I restart Shorewall, the output of 'lsmod | sane' showed
nf_conntrack_sane with a reference count of 0. Xsane on my workstation
recognized the scanner and I could hit "Acquire preview" and it would begin
the preview scan process, but then hang. Every single time.

However, after copying macro.SANE from /usr/share/shorewall to
/etc/shorewall and replacing the above with this:

    PARAM - - tcp 6566 { helper=sane }

Then a restart of shorewall and voilà, 'lsmod | sane' showed
nf_conntrack_sane with a reference count of 2. After making this change,
scanning started to work perfectly.

The odd thing is that I know I have other helpers working correctly. I have
AUTOHELPERS=Yes in /etc/shorewall/shorewall.conf and things like FTP work
as expected.

I'm wondering if anyone might have an idea of what is going on with this.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
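The diagnosis this thread reaches (macro.SANE only attaches the helper when AUTOHELPERS=No, and a helper module whose lsmod use count is 0 is loaded but not attached to any rule) can be scripted as a post-restart check. The script below is an added example, not code from the original post or from Shorewall; its shorewall.conf excerpt and lsmod output are constructed samples, and the module name nf_conntrack_sane and the AUTOHELPERS setting are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): confirm that
# a conntrack helper is really attached after a Shorewall restart, and point
# at AUTOHELPERS=Yes as the likely cause when it is not.

# Print the value of KEY=VALUE from shorewall.conf text on stdin, ignoring
# trailing comments and surrounding quotes. Prints nothing if KEY is unset.
conf_value() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}=//p" \
        | sed 's/#.*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# Print the "Used by" count of a module from lsmod output on stdin.
# lsmod columns are: Module  Size  Used by  [users]. Prints nothing if the
# module is not loaded.
module_refcount() {
    awk -v mod="$1" '$1 == mod { print $3 }'
}

# Classify the helper state. Prints one of:
#   attached        - the helper is referenced by at least one rule
#   autohelpers-yes - use count is 0 and AUTOHELPERS=Yes, so macro.SANE
#                     never emitted "{ helper=sane }" (the thread's case)
#   not-loaded      - the module is not loaded at all
#   loaded-unused   - module loaded, use count 0, AUTOHELPERS already No
# Arguments: module name, shorewall.conf text, lsmod text.
helper_state() {
    mod="$1"; conf="$2"; lsmod_out="$3"
    auto=$(printf '%s\n' "$conf" | conf_value AUTOHELPERS)
    count=$(printf '%s\n' "$lsmod_out" | module_refcount "$mod")
    if [ -n "$count" ] && [ "$count" -gt 0 ]; then
        echo attached
    elif [ "$auto" = "Yes" ]; then
        echo autohelpers-yes
    elif [ -z "$count" ]; then
        echo not-loaded
    else
        echo loaded-unused
    fi
}

# Constructed sample inputs (not captured from a real system). On a live
# box you would use: helper_state nf_conntrack_sane \
#   "$(cat /etc/shorewall/shorewall.conf)" "$(lsmod)"
SAMPLE_CONF='# /etc/shorewall/shorewall.conf excerpt
STARTUP_ENABLED=Yes
AUTOHELPERS=Yes
'
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_sane      16384  0
nf_conntrack_ftp       24576  2 nf_nat_ftp,nf_nat
'

# Stand-alone demo: prints "autohelpers-yes" for the samples above.
helper_state nf_conntrack_sane "$SAMPLE_CONF" "$SAMPLE_LSMOD"
```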
Re: [Shorewall-users] DNAT problem with Shorewall
On Tue, Aug 09, 2022 at 02:38:39PM +0200, Jean-Luc Rémond wrote:
> Good morning everyone,
>
> I have a Debian 11 server with the Shorewall 5.2.3.4 package.
>
> I want to reach the services with the same public IP from the outside and
> also from the internal network. Thanks to FAQ 2b I have managed to do that
> for the server's own services (SSH, Apache and MariaDB). For that, I added
> the following entries to the rules file:
>
> DNAT loc fw:$NET_IP tcp 722 - $PUB_IP
> DNAT loc fw:$NET_IP tcp 3306 - $PUB_IP
> DNAT loc fw:$NET_IP tcp 443 - $PUB_IP
>
> Now we have added another internal server with the IP 192.168.100.3. We
> want to reach its Nginx service (port 443). To reach it from the outside
> (on port 59154), I added this:
> DNAT net loc:192.168.100.3:443 tcp 59154
>
> And it works perfectly. The problem I have now is that I need to reach
> this internal server with the same address (https://ip-publica:59154)
> from the internal network, and I cannot manage to do it.
>
> Can you help me please?
>
It is difficult to be sure without seeing the full configuration, but it
seems possible to me that the 'routeback' option is missing on one entry
or another in the interfaces file.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Multiple ISP today
On Wed, Apr 13, 2022 at 05:37:40PM -0400, rcor...@edos.cl wrote:
> HI!
>
> Does somebody have an example working with two ISP providers? I'm using
> shorewall 5.1.10 on centos7. If necessary I can upgrade to 5.2.8.
>
Start here: https://shorewall.org/MultiISP.html

Shorewall 5.1.x is probably new enough to do everything you need.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Problem with Shorewall
Hello Jean-Luc,

On Thu, Nov 25, 2021 at 02:06:40PM +0100, Jean-Luc Rémond wrote:
> Good morning,
>
> I have a Debian 11 server with the Shorewall 5.2.3.4 package.
>
> I have a public IP xxx.xxx.xxx.xxx, an external IP (net) yyy.yyy.yyy.yyy
> and a local IP (loc) 192.168.100.2.
> I can reach this server's services from the outside (ssh on port 722)
> with the public IP (xxx.xxx.xxx.xxx). From the local network, I can
> reach the ssh service with the local IP (192.168.100.2) or with the
> external IP (yyy.yyy.yyy.yyy).
>
> The problem is that I cannot reach the same service from the local
> network with the public IP (xxx.xxx.xxx.xxx).
>
> What do I need to add to the configuration to be able to reach this
> server's services with the same public IP address (xxx.xxx.xxx.xxx) from
> the web and also from the local network?
>
> Many thanks for helping me.
>
The problem you describe sounds to me like Shorewall FAQ 2b [0]. If that
does not help you, please let us know. If you still need help after
consulting FAQ 2b, it would be good if you could explain to us the
difference in your configuration between the public IP and the external
IP.

Regards,

-Roberto

[0] https://shorewall.org/FAQ.htm#faq2b

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Disabling logging into journal
On Wed, Sep 08, 2021 at 12:55:50PM +0200, Dario Lesca wrote:
> On my Rocky Linux 8 shorewall logs are written into /var/log/messages and
> into journalctl.
> Is it possible, and how do I do it, to disable logging into journalctl
> and leave only logging into /var/log/messages?

I think that you might need this:

https://shorewall.org/shorewall_logging.html

Regards,

-Roberto

--
Roberto C. Sánchez
Re: [Shorewall-users] Link in the Wikipedia.
On Thu, Nov 19, 2020 at 07:47:23AM -0800, pe...@easthope.ca wrote:
> Hi,
>
> I guess everyone is familiar with the article.
> https://en.wikipedia.org/wiki/Shorewall
>
> The infobox has "www.shorewall.net" anchored at www.shorewall.net
> which redirects to https://shorewall.org. So I wonder why the link in
> the box isn't shorewall.org or https://shorewall.org.
>
> Is the inconsistency desirable? Any objection to a revision?
>
It is likely outdated just because nobody has updated it since the domain
migration. I have no objection to a revision.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] IPv4 or IPv6
On Sat, Oct 31, 2020 at 07:56:27PM +, pe...@kahn.nu wrote:
> I have noticed that there are 4 and i6 releases of the firewall. So... Do
> I have to install both? Will shorewall protect against ipv4 attacks if I
> have only installed shorewall 6 protection.
> Or what?
>
> Sorry for the stupid question. I couldn't easily find the answer on your
> website.

No worries. For handling IPv4, you need Shorewall and for handling IPv6
you need Shorewall6.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall reload doesn't reload?
On Wed, Oct 07, 2020 at 05:10:51PM +0200, Matt Darfeuille wrote:
>
> Attached is release-master-1-20.10.07.17.04.57-rfc.patch, which applies
> Simon's suggestion.
>
>
> Any feedback and testing is appreciated.
>
Looks good to me. I also created an issue in the shorewall/debian project
for me to investigate whether the Debian packages have the same issue. I
will address it when I can get to the 5.2.8 update.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Please assist with configuration to transparent tunnel from public access on one server, over a vpn, to service on an internal server
On Wed, Sep 30, 2020 at 05:52:44PM +, JadoNena via Shorewall-users wrote:
> > Everything you need should be on that page, below the text I quoted.
>
> It isn't. None of that answers the question I asked. That's why I am asking.
> But ok anyway.
>
Here is what you stated earlier in the thread:

> My situation is still pretty simple.
> 2 sites, connected over a VPN. One facing the internet, the other on my LAN,
> providing a service.
> I want to expose that service to the internet.

If you read the documentation I linked, you will find that the 'net' zone
in the documentation corresponds to the 'net' zone in your situation and
that the 'loc' zone in the documentation corresponds to the 'vpn' in your
situation. If you could not make that work, it indicates that something
else is causing a problem. Since you refuse to provide the information
that we would need to be able to help you determine what that something
else is, we are at an impasse.

> I removed Shorewall and switched to OPNsense. It took care of it in just a
> few minutes.
>
If that solves your problem, then that is good news.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Please assist with configuration to transparent tunnel from public access on one server, over a vpn, to service on an internal server
On Wed, Sep 30, 2020 at 05:12:18PM +, JadoNena via Shorewall-users wrote:
>
> Something needs to tell the system to allow that traffic when it comes from
> external, not just internal.
>
> Where do I add the rule or route in Shorewall to do that ?
> What are the right documents & examples for managing & redirecting INCOMING
> traffic from the internet like this, not outgoing TO the internet ?
>
https://shorewall.org/two-interface.htm#DNAT

    Port Forwarding (DNAT)

    One of your goals may be to run one or more servers on your local
    computers. Because these computers have RFC-1918 addresses, it is not
    possible for clients on the Internet to connect directly to them. It
    is rather necessary for those clients to address their connection
    requests to the firewall who rewrites the destination address to the
    address of your server and forwards the packet to that server. When
    your server responds, the firewall automatically performs SNAT to
    rewrite the source address in the response.

Everything you need should be on that page, below the text I quoted.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Please assist with configuration to transparent tunnel from public access on one server, over a vpn, to service on an internal server
On Wed, Sep 30, 2020 at 04:51:07AM +, JadoNena via Shorewall-users wrote:
>
> I don't see *any* traffic.
>
> Since I can connect to the backend from ON the Server1, it looks like the
> routes is ok?
>
> But since I can not connect from EXTERNAL I think something is missing on the
> Server1 Shorewall rules?
>
Until you provide the information detailed on the support page, it is not
possible to make this determination. If you do not want to post it to a
public list, email me directly.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Please assist with configuration to transparent tunnel from public access on one server, over a vpn, to service on an internal server
On Tue, Sep 29, 2020 at 09:51:45PM +, JadoNena via Shorewall-users wrote:
> > You need DNAT, as described here:
> >
> > https://shorewall.org/two-interface.htm#DNAT
>
>
> Ok. That is what I started with.
>
> There is no advice or example there for how to get that traffic through the
> VPN to the back end server.
>
> Can you help with the rules?
>
> My test for this working is to
>
> telnet -4 1.2.3.4 1234
>
> from any public site and to get a response from the back end server.
>
> If I have a service ON the external server I am able to give access to it.
>
> But so far, if there is no service on the external server, only on the
> internal one, across the VPN, I only get
>
> telnet -4 1.2.3.4 1234
> Trying 1.2.3.4...
> telnet: connect to address 1.2.3.4: Connection refused
>
You are not providing sufficient information to be able to conclusively
identify the problem. However, it seems like you either do not have IP
forwarding enabled on the Shorewall machine (seems unlikely) or there is
a missing route somewhere along the path (more likely).

Please provide the information described here:

https://shorewall.org/support.htm

That should enable a more complete understanding of your problem and
allow for troubleshooting in a way that will allow us to help you resolve
it.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Please assist with configuration to transparent tunnel from public access on one server, over a vpn, to service on an internal server
On Tue, Sep 29, 2020 at 08:54:42PM +, JadoNena via Shorewall-users wrote:
> Hello,
>
> We're changing offices and I need to set up two servers connected over a VPN.
>
> One server has a public IP, "1.2.3.4"
>
> The other server runs a service @ internal IP address "10.0.0.2:1234"
>
> I want to give access @ 1.2.3.4:1234 and transparently 'tunnel' (don't know
> if that's the right word) all the traffic to & from the 10.0.0.1:1234 server.
>
> With the VPN in the middle, and no service on the external server, though I
> got very confused with the SNAT/DNAT and the rules I need. It is now a lot
> more complicated than what I did before.
>
>
> If this is what the network looks like:
>
>
> PublicIP1: 1.2.3.4, Interface: eth1
> |
> [Server1 with Shorewall]
> |
> InternalIP1: 10.0.0.1, Interface: dummy1
> |
> VPN Endpoint1: 10.200.200.1, Interface: wg1
> |
> |
> |
> |
> VPN Endpoint2: 10.200.200.2, Interface: wg2
> |
> InternalIP2: 10.0.0.2, Interface: eth2
> |
> [Server2 with Shorewall]
> |
> [ Service, listening on 10.0.0.2:1234]
>
>
> What rules/SNAT/DNAT do I need for each Shorewall firewall to make it work so
> the 'world' can access the service?
>
You need DNAT, as described here:

https://shorewall.org/two-interface.htm#DNAT

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Only a desktop computer
On Fri, May 15, 2020 at 05:32:31PM -0400, merlinverde...@infomed.sld.cu wrote:
> Hi,
> I only have a pc, with this pc (desktop) I connect to the internet. Where
> can I find a guide to configure Shorewall in this scenario?
> Thanks
>
This article was written for Shorewall 4.4, but for a simple setup it
should still apply.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] wake-on-lan forwarding magic packet
On Mon, Apr 06, 2020 at 02:45:53PM +0200, Vieri Di Paola wrote:
> Hi,
>
> Is it possible to forward WOL magic packet on a network like this one
> I'm showing below?
>
> HOST running "wakeonlan -i 10.215.255.255 " (in loc1 zone)
> --- Shorewall FW router --- HOSTS in loc2 zone (MAC_ADDR found here)
>
> An ACCEPT rule from loc1 to loc2 for UDP port 9 does not seem to work.
>
> Not being a bridge (SW FW router), is it simply impossible to forward
> this kind of traffic?
>
Keep in mind that MAC is only meaningful on the same network segment or
collision domain. To do what you describe you would need a daemon running
on the Shorewall FW router which will answer ARP requests for and then
handle forwarding the packets as appropriate. However, then you also need
logic to handle all the non-WOL packets that will be received as well.

Is there any way that you can run wakeonlan on the Shorewall FW router?
That should simplify things since that machine will be in the two network
segments by virtue of being a router between them.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall6 documentation corrections
On Mon, Dec 23, 2019 at 09:53:00AM -0800, Tom Eastep wrote:
> On 12/23/19 6:23 AM, Roberto C. Sánchez wrote:
> >
> > I'd like to see if we can exercise the merge request process. Would you
> > be willing to submit your proposed change as a merge request?
> >
>
> Roberto,
>
> I certainly can -- I have several 5.2.3 patches queued up which I can
> push to the 5.2.3 branch on Gitlab. They will then show up there as
> merge requests (I've done that before).
>
I had forgotten that we've already done that once before. It seems to be
working for us, so let's continue using that approach.

> Going forward, how do we want to handle updates to the known problems,
> change log and release notes? Traditionally, I have updated known
> problems when I have identified a problem then I update that document
> again when I am preparing a release (to indicate which release the
> defect is corrected in). I typically update the change log and release
> notes periodically during the release cycle for both features and bug fixes.
>
> If we are going to submit changes as merge requests, then maybe updates
> to the release documents should be submitted along with the code change
> itself. That could be done by including the text in the commit message
> body or by submitting a companion update to the release repository. I
> don't have a strong opinion either way, but the latter approach would
> result in less work for whoever ends up doing the final release work.
>
I favor including the documentation changes in the same MR as the code
changes. I don't have a strong feeling on whether the documentation
changes should be in the same commit as the code changes or whether code
and documentation are changed in separate commits that are in the same
MR. Though, the larger the code change, the more likely it makes sense to
separate the documentation change into a different commit. Regardless,
they should be in very near proximity to each other.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] from Shorewall to Shorewall-Lite
On Mon, Dec 23, 2019 at 11:47:21PM +0100, Vieri Di Paola wrote:
> On Mon, Dec 23, 2019 at 3:25 PM Roberto C. Sánchez
> wrote:
> >
> > I thought the wiki was set so that anyone who is logged in can edit or
> > create content.
>
> Hi,
>
> I logged in with my gmail account, but this is what the Wiki section reads:
>
> quote
> This project has no wiki pages
> You must be a project member in order to add wiki pages. If you have
> suggestions for how to improve the wiki for this project, consider
> opening an issue in the issue tracker.
> unquote
>
> I can't see anything that allows me to create a wiki page.
>
That is strange. I was under the impression that wiki editing was made
available to logged in users. I checked the help and it would seem that I
was mistaken (perhaps I was thinking of a different site). According to
the documentation one must possess Developer permissions in order to
create or edit wiki pages.

I have added you to the project as a Developer, so you should have access
to create and edit wiki pages now. Sadly, GitLab's permissions model is
rather coarse, so you also get lots of other permissions (like pushing
code commits), which I cannot disable. Please be mindful of what you do
with your permissions and, especially, don't push un-reviewed code
changes.

> No hurry, of course.
>
> Happy holidays,
>
And happy holidays to you.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] from Shorewall to Shorewall-Lite
On Mon, Dec 23, 2019 at 10:53:52AM +0100, Vieri Di Paola wrote:
> Hi Roberto,
>
> On Mon, Dec 23, 2019 at 12:57 AM Roberto C. Sánchez
> wrote:
> >
> > Let me encourage you to capture it as a wiki page in GitLab:
> > https://gitlab.com/shorewall/code/-/wikis/home
>
> I logged in with my gmail account. Do I need to be a project member to
> publish just one simple wiki page? If so, do I need to file a bug
> report/issue within GitLab?
>
Hi Vieri,

I thought the wiki was set so that anyone who is logged in can edit or
create content. Please give it a try. If you encounter any problems, let
me know and I (or another project admin) will check the wiki settings.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall6 documentation corrections
On Sun, Dec 22, 2019 at 08:20:47PM -0800, Tom Eastep wrote:
>
>
> On 12/22/19 4:23 PM, Roberto C. Sánchez wrote:
> > On Fri, Dec 20, 2019 at 10:05:04AM +0200, Tuomo Soini wrote:
> >> On Thu, 21 Nov 2019 14:00:31 -0500 Bill Shirley
> >> wrote:
> >>
> >>> 2) For the SNAT ACTION on the snat man page, there is an
> >>> example using IPv4 addresses: Example:
> >>> 206.124.146.177-206.124.146.180 This example should probably
> >>> use IPv6 addresses.
> >>>
> >>> I was comparing the above with the documentation for Shorewall
> >>> 4.6, which is what I use (shorewall6-4.6.11.1-2.fc22.noarch),
> >>> to implement masquerading:
> >>> http://www.shorewall.net/manpages6/shorewall6-masq.html 3)
> >>> Under the ADDRESS directive, it has an error: Example:
> >>> [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010 Which
> >>> generates: ERROR: Correct address range syntax is
> >>> '[-]' /etc/shorewall6/masq (line 115)
> >>>
> >>> What actually works is:
> >>> [2001:470:a:227::2-2001:470:a:227::10]:1000-1010 Note: the
> >>> internal ']-[' should be just a dash '-'.
> >>
> >> Ok. That is really a bug in shorewall ipv6 range parser.
> >>
> > I have created an issue in GitLab to capture this:
> > https://gitlab.com/shorewall/code/issues/3
> >
>
> And I have coded and tested a fix. From this point forward, I think
> that I would like to submit fixes to gitlab, but let it be the new
> team who decides when to release either point releases or new
> minor/major releases. I will keep the fix in my local repository until
> the direction is clear.
>
Tom,

I'd like to see if we can exercise the merge request process. Would you
be willing to submit your proposed change as a merge request?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall6 documentation corrections
On Fri, Dec 20, 2019 at 10:05:04AM +0200, Tuomo Soini wrote:
> On Thu, 21 Nov 2019 14:00:31 -0500
> Bill Shirley wrote:
>
> > 2) For the SNAT ACTION on the snat man page, there is an example
> > using IPv4 addresses: Example: 206.124.146.177-206.124.146.180
> > This example should probably use IPv6 addresses.
> >
> > I was comparing the above with the documentation for Shorewall 4.6,
> > which is what I use (shorewall6-4.6.11.1-2.fc22.noarch), to implement
> > masquerading: http://www.shorewall.net/manpages6/shorewall6-masq.html
> > 3) Under the ADDRESS directive, it has an error: Example:
> > [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010 Which generates:
> > ERROR: Correct address range syntax is '[-]'
> > /etc/shorewall6/masq (line 115)
> >
> > What actually works is:
> > [2001:470:a:227::2-2001:470:a:227::10]:1000-1010
> > Note: the internal ']-[' should be just a dash '-'.
>
> Ok. That is really a bug in shorewall ipv6 range parser.
>
I have created an issue in GitLab to capture this:
https://gitlab.com/shorewall/code/issues/3

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] from Shorewall to Shorewall-Lite
On Thu, Dec 05, 2019 at 09:30:22AM +0100, Vieri Di Paola wrote:
> Thanks, Matt!
>
> Just one last question. I presume it's advisable to use the same
> versions of shorewall and shorewall-lite, but not strictly required.
> If there were a version incompatibility between the admin system and
> any of the "lite systems" in the network, would Shorewall (on the
> admin sys) warn me of this? Or do I need to make sure myself that all
> of my shorewall/-lite systems are alike?
>
> Vieri
>
Hi Vieri,

It looks like you went to quite some effort with writing up your guide.
Let me encourage you to capture it as a wiki page in GitLab:

https://gitlab.com/shorewall/code/-/wikis/home

I think it would be beneficial, as others will be able to read it and
benefit from it, and perhaps also update it based on their own
experiences.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall6 documentation corrections
Hi Bill,

On Thu, Nov 21, 2019 at 02:00:31PM -0500, Bill Shirley wrote:
> 1) On this page: http://www.shorewall.net/Manpages6.html
> there is no snat link. However, the man page does exist:
> http://www.shorewall.net/manpages6/shorewall6-snat.html
>
> 2) For the SNAT ACTION on the snat man page, there is an example using IPv4
> addresses:
> Example: 206.124.146.177-206.124.146.180
> This example should probably use IPv6 addresses.
>
> I was comparing the above with the documentation for Shorewall 4.6, which is
> what I use (shorewall6-4.6.11.1-2.fc22.noarch),
> to implement masquerading:
> http://www.shorewall.net/manpages6/shorewall6-masq.html
> 3) Under the ADDRESS directive, it has an error:
> Example: [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010
> Which generates:
> ERROR: Correct address range syntax is '[-]'
> /etc/shorewall6/masq (line 115)
>
> What actually works is:
> [2001:470:a:227::2-2001:470:a:227::10]:1000-1010
> Note: the internal ']-[' should be just a dash '-'.
>
It looks like both documents were removed on June 16, 2017 in commit
42a46d42b6259eac2dbd1b1256c517c635846f38. Also, it looks like none of the
man pages made the move over to the new www.shorewall.org hosting.

Matt, Tuomo, do you have any idea about what happened with the man pages?

> Thanks to all for creating/maintaining such a useful product.
>
We're trying to keep it going. Thanks for your assistance with support to
the user community.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] monitor shorewall
On Fri, Jul 12, 2019 at 03:13:16PM -0700, Tom Eastep wrote:
> On 7/12/19 10:49 AM, Justin Pryzby wrote:
> > On Fri, Jul 12, 2019 at 07:31:19PM +0200, Damjan Hajsek wrote:
> >> Hi
> >>
> >> I like to know how can I monitor shorewall with monit.
> >>
> >> So I like to use monit which check if software runs but shorewall have no
> >> pid file.
> >
> > Shorewall isn't a resident daemon so there's no process nor PID.
> >
> >> Is there any other file created when shorewall is up?
> >
> > Creating a file isn't great since the file could exist if it wasn't removed
> > on
> > boot, maybe if there was some issue and root was readonly and fw wasn't
> > started.
> >
> > Can't you just take the exit status of iptables -L |grep -m1 Shorewall ?
> >
>
> Or the exit status of 'shorewall status'
>
In my own case, I create a file called something like
/etc/cron.d/shorewall-status with these entries:

    @hourly root /sbin/shorewall status >/dev/null ; [ $? -ne 0 ] && /sbin/shorewall status
    @hourly root /sbin/shorewall6 status >/dev/null ; [ $? -ne 0 ] && /sbin/shorewall6 status

That protects against the two mistakes I am most likely to make with
Shorewall:

1. Clearing or stopping the firewall and then forgetting to restart
2. Disabling Shorewall from starting on boot or making a configuration
   change (maybe I forget to restart right then) and on the next boot it
   fails to start

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[Shorewall-users] shorewall.org service restored
On Tue, Sep 24, 2019 at 10:55:52AM -0400, Roberto C. Sánchez wrote:
> I have received word from Tom that the server which hosts shorewall.org
> is down. He is working on restoring service. A follow-up note will be
> sent when everything is up and running again.
>

I have heard back from Tom that the server is back up and running, minus some failed hardware. Replacements are on order. He should be back online shortly as well.

Regards,

-Roberto
[Shorewall-users] shorewall.org is down
I have received word from Tom that the server which hosts shorewall.org is down. He is working on restoring service. A follow-up note will be sent when everything is up and running again.

Regards,

-Roberto
Re: [Shorewall-users] ignore interface for FW
On Tue, May 07, 2019 at 08:25:52AM +0200, Stijn De Weirdt wrote:
> hi all,
>
> i'm struggling with a network setup i want to achieve, and i'm not sure
> what shorewall features i need to use (or if it can be achieved at all).
>
> i want to setup a dual gateway of some sort: i have a linux host with 3
> network interfaces:
> eth3 is connected to private network, and i need NAT for this network
> eth8 is connected to the ISP
> eth6 is connected to a local public network. this host supposed to be
> the gateway/router for this subnet
>
> what i now want to achieve is that i can use the gateway IP of eth6
> (*not* the ISP ip from eth8) for the NAT and also that i can setup port
> forwarding on the IP of eth6.
>
> trying to wrap my head around the issue, i think i want to tell
> shorewall to not consider eth8 as part of the FW, and use it for routing
> to eth6 and (hopefully) still allow filtering.
>
> many thanks for any tips (and apologies if this makes no sense ;)
>

I am not sure that I fully understand what you are describing. However, it seems like it lines up with the three-interface HOWTO [0]. In the terms of the HOWTO, your interfaces would be like this:

eth3 - LAN
eth8 - Internet/WAN
eth6 - DMZ

At least, that is what I think you are trying to accomplish. Have a look at the HOWTO and follow-up if you still have questions.

Regards,

-Roberto

[0] http://www.shorewall.org/three-interface.htm
[Shorewall-users] The Next Chapter for Shorewall
Shorewall Community ...

You are likely aware that Tom Eastep, founder and principal developer of Shorewall, recently announced his effective retirement from the Shorewall project after nearly 50 years working in technology and nearly 20 years since he started the project.

While Shorewall as a software product can certainly be described as mature, firewalling in Linux continues to evolve and there is no technical reason why Shorewall cannot continue to evolve along with it. To that end, Tom has identified a small group of core contributors with a history of involvement in the Shorewall project to assume control of the future direction of the project.

Be assured that the group has already begun discussions on a variety of issues pertaining to the project. As we better organize ourselves and decide upon courses of action that will affect the broader Shorewall community we will make corresponding announcements. Our intent is to continue to grow the community which Tom has so painstakingly built over the years. In the short term we intend to ensure that Shorewall remains actively maintained and will also work to develop a roadmap for the future development of Shorewall.

If you have suggestions or ideas, or wish to participate in the public discussions related to these matters, please make use of the shorewall-de...@lists.sourceforge.net mailing list. As always, bug reports and support requests should be directed to the shorewall-users@lists.sourceforge.net mailing list. For the time being, please continue to direct proposed patches for upcoming beta releases and release candidates to the shorewall-de...@lists.sourceforge.net mailing list.

We wish Tom well on his travels and thank him for his many years of dedicated service to the Shorewall Community and larger Free Software and Open Source Community.

The Shorewall Project Committee
Matt Darfeuille
Paul Gear
Roberto C. Sánchez
Tuomo Soini
Re: [Shorewall-users] Perl errors with 5.2.0.5 and fedora28
On Wed, Feb 06, 2019 at 11:22:54AM -0500, Alex wrote:
> Is this a known problem? Does it affect normal operation?
>
> # shorewall check
> Checking using Shorewall 5.2.0.5...
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> \$({ <-- HERE )? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 2836.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> \@({ <-- HERE )? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 2853.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> __({ <-- HERE )? (\w+) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 2864.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> \$({ <-- HERE )? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 3794.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> \@({ <-- HERE )? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 3833.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> \$({ <-- HERE )? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 3849.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.32), passed through in regex; marked by <-- HERE in m/ ^(.*?)
> @({ <-- HERE )?(?:0|chain)(?(2)}) (.*)$ / at
> /usr/share/perl5/vendor_perl/Shorewall/Chains.pm line 5822.
>

This is a known issue. It was also reported in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903734

Version 5.2.1.3 of Shorewall fixed it.

Regards,

-Roberto
Re: [Shorewall-users] Websites Are Down!
On Sat, Jan 12, 2019 at 12:33:48PM -0800, C. Cook wrote:
> ... and can't get up!
>
> [Sat Jan 12 11:56:22 2019] FORWARD REJECT IN=eth0 OUT=eth0

Have you specified routeback for eth0 in interfaces?

Regards,

-Roberto
Re: [Shorewall-users] Shorewall for CentOS-4.8?
On Wed, Dec 26, 2018 at 06:25:50PM -0500, Lloyd Zusman wrote:
> I'm running on the ancient CentOS-4.8, and there is no feasible way to
> upgrade this system in the foreseeable future.
> I'd like to get Shorewall running on that system, if possible, and I
> wonder if someone could recommend the proper version of Shorewall to
> download that would work on this Stone-Age version of CentOS.
> Thank you for any pointers or suggestions.

Hi Lloyd,

I apologize for the rather unhelpful responses you have received. I am going to assume that you understand the risk of running such an outdated system and that you also have a good reason for doing so.

Understanding that you will be limited to an outdated Shorewall, the principal constraints are the versions of Linux, iptables, and Perl available to you. Distrowatch shows Linux 2.6.9 and Perl 5.8.5 as available in RHEL 4.8. Based on that, you can probably run Shorewall 4.6 (it appears that the last release was 4.6.13.4 in January 2016). If for some reason that doesn't work, then you can fall back to 4.2. However, that version is ancient and predates the current Git source control so I cannot easily tell you when it was released. You can probably search for it in the archives.

Some articles on the requirements:

versions 4.4-4.6: http://www.shorewall.org/4.6/shorewall_prerequisites.htm
versions 4.0-4.2: http://www.shorewall.org/4.2/shorewall_prerequisites.htm

Additional documentation:

http://www.shorewall.org/4.6/Documentation_Index.html
http://www.shorewall.org/4.2/Documentation_Index.html

I encourage you to carefully read the documentation as many things have changed over the years and it is prudent to understand the particular version of Shorewall you are working with. Additionally, expect that you may not receive the best help if you encounter problems. Feel free to ask here on the list or in IRC, but not many of us still deal with such old versions.

Regards,

-Roberto
Re: [Shorewall-users] About iptables using nf_tables backend on Debian
On Mon, Oct 29, 2018 at 01:39:46PM -0700, Tom Eastep wrote:
> On 10/29/18 11:04 AM, Vincas Dargis wrote:
> > On 2018-10-24 23:34, Tom Eastep wrote:
> >> On 10/24/18 9:18 AM, Vincas Dargis wrote:
> >>> What does that mean with regards to Shorewall? Could there potentially
> >>> be incompatibilities on how Shorewall expects Linux firewall to behave?
> >>
> >> There could certainly be incompatibilities that affect Shorewall and/or
> >> Shorewall6.
> >
> > Any plans to handle this issue? Maybe worth documenting/noting that
> > Debian Buster users are encouraged to use `update-alternatives` system
> > for enabling "old" backend?
> >
> > Or this should be handled by package maintainers?
>
> My opinion is that we should address issues as they arise after this
> iptables change migrates to testing. nf_tables is the direction in which
> the Netfilter team are going, and if we immediately direct users to
> switch to the old backend, we only delay resolution of compatibility
> issues. Eventually, the old backend will go away, so we want all known
> issues with the new backend to be resolved by that time.
>
> I've copied the Debian Shorewall Maintainer for his input.
>

Tom,

I agree with your approach. The release team made an announcement last month detailing the timeline for the Buster release: https://lists.debian.org/debian-devel-announce/2018/09/msg4.html

The transition freeze does not affect Shorewall, so the date by which we would need to target a final set of Shorewall packages for Buster would be February 12th. Of course, sooner is better as it allows time for bugs to be discovered by users, reported, and fixed.

I have been quite busy with school and work this semester, but once final exams are over I should have some time to be able to get back to Shorewall packaging. I also have not messed with Buster at all, but I can plan to setup a VM for testing as we sort out what changes need to be made in the packaging.

If we encounter some unsolvable problem, it would seem we would need to decide between requesting removal of Shorewall from the Buster release (I would much prefer to avoid that) or to document the fallback to the old backend. Either way, a package that works with the new backend would be the ideal solution.

Regards,

-Roberto
Re: [Shorewall-users] Debian packages for 5.1.8.1 - now available
On Tue, Nov 21, 2017 at 10:45:02AM -0800, Tom Eastep wrote:
>
> I just did a fresh install of 9.2 on a single-NIC system, installed and
> configured Shorewall (one-interface example), and enabled Shorewall
> using systemctl. A 'systemctl start shorewall' succeeded. I then
> rebooted and observed that Shorewall started correctly, even though the
> entry in /etc/network/interfaces for the single NIC specified
> 'allow-hotplug'.
>
> So in summary, I am unable to reproduce your findings.
>

My experience was the same.

Regards,

-Roberto
Re: [Shorewall-users] Debian packages for 5.1.8.1 - now available
Hi Øyvind,

Thanks for your feedback on the packages.

On Tue, Nov 21, 2017 at 11:46:58AM +0100, Øyvind Lode wrote:
> I recently installed debian stretch on my router/firewall (fresh
> install including reformat).
> In jessie I simply had to set startup=1 in /etc/default/shorewall to
> have shorewall start my firewall at boot.
> In stretch setting startup=1 was not enough.
> I also had to manually enable shorewall init script with systemctl
> enable shorewall.

By default, the shorewall* packages install with no configuration, so the administrator must enable shorewall after it has been configured. In the past, with SysV init and other init systems that had scripts in /etc/init.d, this could be controlled by the "startup" variable in /etc/default/shorewall, for example. This has been documented in /usr/share/doc/shorewall/README.Debian.gz forever (or at least as far back as I can remember).

However, with systemd things work a little differently. With the packaging of 5.0.4, the packaging started including the systemd unit file. However, as with the old init script, it is still necessary for the administrator to enable shorewall after configuring it.

> I even had to replace allow-hotplug with auto on all nics in
> /etc/network/interfaces to have shorewall startup at boot.

This is strange. I have not encountered this. Can you describe more details of your configuration so that I can understand this?

> All is working as expected now but I did not find any of these
> requirements documented either in shorewall docs or in debian specific
> changes/docs.
>
> I'm a very happy shorewall and debian user.
> Thanks for packaging the best firewall on the best linux distro :)
>

I don't much regarding Shorewall, but I am glad you and others benefit from it. And of course Debian is the best Linux distro :)

Regards,

-Roberto
[Shorewall-users] Debian packages for 5.1.8.1 - now available
After far too long a delay, I have resumed packaging Shorewall for Debian. I have just uploaded packages for 5.1.8.1 to Debian unstable. They should shortly be available from https://packages.debian.org

If you are not a user of Debian Sid, you can download the packages and install them using 'dpkg -i' as there are no dependencies which cannot be met in Debian Stretch, or even Jessie.

If you use the packages and encounter any issues, please be sure to report them to the Debian BTS.

Regards,

-Roberto
Re: [Shorewall-users] MySQL Replication with ssl connection and ports configuration
On Tue, Aug 22, 2017 at 12:26:30PM +0200, Davide Marchi wrote:
> Hi friends,
> I've just configured MySQL Replication between two VPS Debian Jessie.
>
> I've opened the 3306 port on each server and the ssh port (60319), but this seems
> not sufficient;
> could you please tell me if I should open any other specific TCP/UDP port?
> .
>
> This is the syslog on MASTER:
>
> Aug 22 11:57:06 server kernel: [17623379.688961]
> Shorewall:net-fw:DROP:IN=eth0 OUT=
> MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
> DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
> SPT=38443 DPT=1370 LEN=35 .
>
> This is the syslog on SLAVE:
>
> Aug 22 11:57:24 server2 kernel: [11466741.408787]
> Shorewall:net-fw:DROP:IN=eth0 OUT=
> MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=82.146.62.226
> DST=5.189.166.16 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=5607 PROTO=TCP
> SPT=52617 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0 .

Hi Davide,

Diagnosing something like this typically requires the complete output of 'shorewall dump'. However, based on the syslog messages it looks like you simply need to add the 'routeback' option to the eth0 line in /etc/shorewall/interfaces on both hosts.

If that does not resolve the problem, please post the complete output of 'shorewall dump' so that we can help you identify the cause.

Regards,

-Roberto
Re: [Shorewall-users] How can i disable sfilter on 5.1.4.1 ?
On Mon, Jul 17, 2017 at 11:33:39AM -0500, kazabe wrote:
>
> /etc/shorewall/interfaces
> loc eth0 sfilter=(192.168.0.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.5.0/24,192.168.6.0/24,192.168.7.0/24,192.168.8.0/24,192.168.9.0/24,192.168.10.0/24)
>
>
> Jul 17 10:53:47 CompanyFirewall kernel: FIREWALL-sfilter DROP IN=eth1
> OUT=eth1 SRC=192.168.1.129 DST=104.154.127.85 LEN=1280 TOS=0x00
> PREC=0x00 TTL=63 ID=56231 DF PROTO=TCP SPT=55708 DPT=4070 WINDOW=4414
> RES=0x00 ACK URGP=0
> Jul 17 10:53:47 CompanyFirewall kernel: FIREWALL-sfilter DROP IN=eth1
> OUT=eth1 SRC=192.168.1.111 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00
> TTL=127 ID=18895 PROTO=UDP SPT=51820 DPT=53 LEN=44
>

I suspect that you need to add the 'routeback' option to the eth1 entry in interfaces.

>
> If we do a ping to the google dns 8.8.8.8 from a lan pc, we don't receive
> an answer (and the network connection icon in the system tray shows an
> alert). But if I do a tracert to 8.8.8.8, the alert disappears and I can
> access the internet again.
>

Can you provide the output of 'shorewall dump' run as root after attempting the ping that fails?

Regards,

-Roberto
Re: [Shorewall-users] Shorewall rejects NTP requests
[SNIP]
> Chain loc-net (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> 11685 3316K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> 21402 1627K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
>  1373  164K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
[SNIP]

It looks like you have many UDP packets pass from the loc zone to the net zone. Also, the log entries at the bottom of the dump output do not show any drops or rejects for UDP port 123.

Could you induce the failure and run 'shorewall dump' again and then provide that output?

Regards,

-Roberto
Re: [Shorewall-users] (no subject)
On Thu, May 11, 2017 at 11:06:40PM -0500, Will Lowe wrote:
> Can someone help me understand this particular log message? It is from a
> Ricoh Printer on my main net to a computer on an adjacent net which is
> also under my control. Neither the printer nor this computer should be
> communicating with each other for any reason. The computer is not manned by
> anyone. I've checked with Ricoh and they cannot explain it. And, secondly,
> why would Shorewall react to anything not meant to go through it?
>
> Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2
> MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222
> DST=192.168.3.25 LEN=109 TOS=0x00 PREC=0x00 TTL=63 ID=39208 PROTO=UDP
> SPT=161 DPT=61532 LEN=89

I am not sure why your printer is trying to communicate in this manner. Shorewall's behavior is a result of the source and destination addresses being accessible through the same interface and that you probably have not set the routeback option on the interface (enp5s2 in this case). By default Shorewall will not send packets out the same interface which they entered.

Regards,

-Roberto
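The diagnosis Roberto applies here, and in the "Websites Are Down!", "MySQL Replication" and "sfilter" threads above, rests on one field comparison: a log entry whose IN= and OUT= name the same interface is traffic the firewall was asked to send back out the interface it arrived on, which Shorewall refuses unless that interface has the 'routeback' option. The script below is an added example, not code from the thread or from the Shorewall project: a POSIX sh/awk filter that pulls those entries out of a kernel log. The sample log embedded in it is constructed (modelled on the entries quoted in the threads, with the same interface names and addresses) so the script runs offline; on a real host you would feed it /var/log/kern.log or the output of journalctl -k. Note that an entry with an empty OUT= is a packet addressed to the firewall itself and is not a hairpin, so the filter leaves the net-fw drops from the MySQL thread alone.

```shell
#!/bin/sh
# hairpin-check.sh: find Shorewall log entries whose IN= and OUT= interface are
# identical, i.e. the entries that the 'routeback' interface option exists for.
# Added example; not code from the mailing-list thread or from Shorewall.

# hairpin_hits: read kernel/Shorewall log lines on stdin and print one line
# "<iface> <src> -> <dst> <proto>[/<dport>]" per hairpin entry.
# The log prefix may be glued to IN= (as in "Shorewall:FORWARD:REJECT:IN=enp5s2"),
# so the key name is taken from after the last colon. An empty OUT= (packet
# destined for the firewall itself) never matches.
hairpin_hits() {
    awk '
    {
        in_if = ""; out_if = ""; src = "?"; dst = "?"; proto = "?"; dport = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue                 # not a KEY=VALUE token
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            sub(/^.*:/, "", key)                  # strip a glued log prefix
            if      (key == "IN")    in_if  = val
            else if (key == "OUT")   out_if = val
            else if (key == "SRC")   src    = val
            else if (key == "DST")   dst    = val
            else if (key == "PROTO") proto  = val
            else if (key == "DPT")   dport  = val
        }
        if (in_if != "" && in_if == out_if)
            printf "%s %s -> %s %s%s\n", in_if, src, dst, proto, (dport == "" ? "" : ("/" dport))
    }'
}

# Constructed sample log (assumption of this example): two hairpin entries,
# one net-fw drop with an empty OUT=, and one locally generated packet.
SAMPLE_LOG='Jul 17 10:53:47 fw kernel: FIREWALL-sfilter DROP IN=eth1 OUT=eth1 SRC=192.168.1.111 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=18895 PROTO=UDP SPT=51820 DPT=53 LEN=44
Aug 22 11:57:06 server kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 PROTO=UDP SPT=38443 DPT=1370 LEN=35
May 11 23:06:40 fw kernel: Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2 MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222 DST=192.168.3.25 LEN=109 PROTO=UDP SPT=161 DPT=61532 LEN=89
Jan 12 11:56:22 fw kernel: Shorewall:fw-net:ACCEPT:IN= OUT=eth0 SRC=10.0.0.1 DST=1.1.1.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# hairpin_count: number of hairpin entries found in the sample.
hairpin_count() {
    printf '%s\n' "$SAMPLE_LOG" | hairpin_hits | awk 'END { print NR }'
}

# Typical use on a live host (assumes the kernel logs to /var/log/kern.log):
#   grep -h 'IN=' /var/log/kern.log | hairpin_hits | sort | uniq -c | sort -rn
printf '%s\n' "$SAMPLE_LOG" | hairpin_hits
```

The first column of the output is the interface that needs 'routeback' in its OPTIONS column in /etc/shorewall/interfaces, and the sort | uniq -c pipeline in the comment groups the hits so that a single misconfigured interface stands out from one-off noise. Adding routeback is the fix only when the two hosts really are meant to talk through the firewall; a hairpin between a printer and an unattended machine, as in this thread, is also worth a look on the hosts themselves before the rule is loosened.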
Re: [Shorewall-users] Shorewall rejects NTP requests
On Thu, May 11, 2017 at 03:29:06PM +0200, Sven Kobow wrote:
> Hi,
> I have setup my shorewall firewall as demonstrated in the two interface
> sample. So far it is working okay. I only have the problem that it is not
> possible to do NTP requests to public NTP servers and I can see that these
> requests are rejected by shorewall as there are log entries.
> I tried adding rules allowing all NTP traffic from local net to anywhere
> and from FW to net or anywhere. But I could not get things working.
> When the client is resolving the name of the NTP server to an ipv6 address
> requests are successful. Using ipv4 addresses or disabling ipv6 on the
> client results in constant failures.
> Did anybody experience such a behavior as well?
> Thanks

Sven,

I have not encountered anything like this. Can you send the output of 'shorewall dump' (run as root)?

Regards,

-Roberto
Re: [Shorewall-users] Basic openvpnclient setup
On Wed, Jan 25, 2017 at 09:56:13AM -0700, Thomas Fjellstrom wrote:
>
> I'm basically getting what I had before:
>
> lan# ping VPNINTHOST
>
> fw# tcpdump -i eth0 host VPNGW
> 09:46:47.60 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> 09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
>
> and that's it. many packets go out, very few come back.
>
> The vpn works fine via an openvpn client connection through NetworkManager on a
> local lan computer. But so far not having luck setting it up on the firewall.
>

This sounds like an OpenVPN routing problem. Have you compared the configurations you are using via NetworkManager and the CLI client?

Regards,

-Roberto
Re: [Shorewall-users] Shorewall not starting
On Wed, Jan 25, 2017 at 05:06:38PM +, Philip Le Riche wrote:
> I got my Shorewall installation (defending a school network from a
> Raspberry Pi farm, with 3rd unfiltered Internet connection) working at
> home on an equivalent network though with different network addresses,
> and transferred the config files to school. After correcting a couple of
> really stoopid misteaks in resetting network and host addresses to
> school values it sort of works, but for some reason, Shorewall no longer
> starts on boot.
>
> After boot, shorewall status says it's stopped, and gives the time it
> was last started, prior to the most recent reboot. No clues in
> /var/log/messages.
>
> I've checked that STARTUP_ENABLED=Yes is still in my shorewall.conf, and
> though I'm not familiar with systemd, I've checked that
> shorewall.service in /lib/systemd/system is the same between home and
> school setups. However, at school I also seem to have a
> shorewall-init.service, not present at home (where Shorewall starts as
> it should).
>

What is the output of these commands?

systemctl is-enabled shorewall
systemctl is-enabled shorewall-init

Regards,

-Roberto
Re: [Shorewall-users] Basic openvpnclient setup
On Wed, Jan 25, 2017 at 08:23:07AM -0700, Thomas Fjellstrom wrote:
> Hi.
>
> I'm having a minor problem setting up shorewall to properly route and allow
> openvpn traffic through my firewall.
>
> I'd like the openvpn client to be running on the firewall, and allow local
> machines to connect to and communicate with the private subnet on the other
> side of the vpn, but not allow new traffic from the other side into my lan.
>
> So far I have traffic that is getting sent out my public connection to the
> openvpn server, but nothing comes back according to `tcpdump -i extIF host
> VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
> policy is set up to log on the final DROP and REJECT rules.
>

Hi Thomas,

What you are describing sounds like a three interface setup. There is a HOWTO here: http://shorewall.net/three-interface.htm

You will have local and net zones like in the HOWTO. The main difference is that instead of a DMZ zone you will have a VPN zone, which it sounds like you want to treat sort of like a net zone (traffic is OK to go from your local network to that zone, but not the other way around).

It should be just a matter of ensuring you have forwarding (I assume you do or you would have other problems), the right policy (loc -> vpn == OK), and possibly masquerading (depending on the address ranges involved).

Regards,

-Roberto
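The zone layout Roberto sketches (loc and net as in the three-interface HOWTO, plus a vpn zone on the tunnel that may initiate nothing towards the LAN), written out as Shorewall 5 configuration fragments. This is an added example, not part of the thread or of the Shorewall documentation; the interface names eth0/eth1/tun0, the LAN prefix 192.168.1.0/24, and the decision to masquerade LAN traffic onto the tunnel are assumptions made here for illustration.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
# tun0 is the assumed OpenVPN client interface on the firewall
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
vpn     tun0

# /etc/shorewall/policy
# loc may open connections into the tunnel; the far side may open none,
# and replies to loc-initiated connections are matched by conntrack state
#SOURCE DEST    POLICY   LOGLEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     vpn     ACCEPT
vpn     all     DROP     info
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/snat
# only needed when the far side has no route back to the LAN prefix
# (older releases put the equivalent entry in /etc/shorewall/masq)
#ACTION       SOURCE          DEST
MASQUERADE    192.168.1.0/24  tun0
```

The OpenVPN client on the firewall talks to the server over eth0, so the $FW -> net policy covers the tunnel's own UDP traffic; the vpn zone only sees what travels inside the tunnel. If forwarding is not enabled elsewhere, set IP_FORWARDING=On in shorewall.conf, and run 'shorewall check' before 'shorewall restart' so that a typo in these files does not leave the box without a firewall.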
Re: [Shorewall-users] Shorewall not starting
On Thu, Sep 15, 2016 at 09:18:26AM +0100, Philip Le Riche wrote:
> OK, thanks, so on this near-clone system, systemd is installed and
> systemctl shows shorewall as disabled. When next I can get to the live
> system (probably next week) I'll repeat it there, and it sounds like it
> should then start on boot.
>

I hope that fixes the start-on-boot problem for you.

> But does that explain why the desktop crashed when I enabled start-on-boot
> through shorewall.conf and /etc/defaults/shorewall? Does the desktop need
> an ACCEPT $fw $fw rule to talk to its (local) display server, or is the
> route from a zone to itself always implicitly allowed?
>

I think that might be a different issue. Unless you have done something peculiar with your configuration, $FW<->$FW connections should be allowed by default. To properly diagnose this, we will need the output of 'shorewall dump' just after a boot/crash. It would be helpful if you could also include other relevant logs (e.g., the Xorg.log).

Regards,

-Roberto
Re: [Shorewall-users] Shorewall not starting
On Wed, Sep 14, 2016 at 10:40:37PM +0100, Philip Le Riche wrote:
> It reports:
> Philip-Desktop ~ # apt-cache policy shorewall
> shorewall:
>   Installed: 5.0.4-1
>

That version of Shorewall had a packaging bug such that it wouldn't start on boot on systems running systemd.

> I'm having difficulty working out what init system it uses and the release
> notes don't seem to say. (I was brought up on SystemV inittab - I've got
> the white hair - I just need the walking frame.) Running ps reports
> process 1 as /sbin/init splash. There's no /etc/inittab but /etc/init is a
> directory containing loads of .conf files including several
> upstart-*.conf, smbd.conf and ssh.conf but no shorewall.conf, possibly
> because I haven't started it.
>

What is the output of `apt-cache policy systemd`? If it reports something in the version field for "Installed", then look at the output of `systemctl is-enabled shorewall`. If that spits out "disabled" then you can turn it on with `systemctl enable shorewall` and it will start on boot as you would expect.

Regards,

-Roberto
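Roberto's hourly cron entries in the "monitor shorewall" thread above and the `systemctl is-enabled shorewall` check in this thread watch for the same failure: a firewall that is configured but is not running, or that will not come up at the next boot. As an added example (not code from either thread or from the Shorewall project), the POSIX sh script below folds both checks into one program that cron can mail about and monit can alert on. It assumes the Debian layout (/etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf, systemd units named shorewall and shorewall6, the shorewall and shorewall6 commands on PATH); the three environment overrides are an assumption of this example that exists only so the logic can be exercised on a host without a live firewall.

```shell
#!/bin/sh
# check-shorewall.sh: health check for Shorewall, usable from cron or as a
# monit "check program". Added example; not part of the thread or of Shorewall.
#
# For each product (shorewall, shorewall6) whose <product>.conf sets
# STARTUP_ENABLED=Yes, report a problem when the systemd unit is not enabled
# to start at boot, or when "<product> status" says the firewall is not running.
# Output is produced only on failure, so cron mails only when something is
# wrong; the exit status is the number of problems found, so monit can alert on it.
#
# These overrides are an assumption of this example, not a Shorewall convention;
# they exist so the logic can be tested without a live firewall.
: "${SHOREWALL_CONF_DIR:=/etc}"       # <dir>/<product>/<product>.conf
: "${SHOREWALL_CMD:=}"                # empty: run the product command by name
: "${SYSTEMCTL_CMD:=systemctl}"

# startup_enabled CONF: true when CONF has an uncommented STARTUP_ENABLED=Yes.
startup_enabled() {
    grep -Eiq '^[[:space:]]*STARTUP_ENABLED=["'"'"']?Yes' "$1" 2>/dev/null
}

# unit_enabled PRODUCT: true when "systemctl is-enabled PRODUCT" succeeds.
unit_enabled() {
    "$SYSTEMCTL_CMD" is-enabled "$1" >/dev/null 2>&1
}

# product_running PRODUCT: true when "PRODUCT status" exits 0 (firewall is up).
product_running() {
    "${SHOREWALL_CMD:-$1}" status >/dev/null 2>&1
}

# check_product PRODUCT: print one line per problem; return the problem count
# (0 when the product is not configured or has STARTUP_ENABLED=No).
check_product() {
    p=$1
    conf="$SHOREWALL_CONF_DIR/$p/$p.conf"
    n=0
    [ -r "$conf" ] || return 0
    startup_enabled "$conf" || return 0
    if ! unit_enabled "$p"; then
        echo "$p: systemd unit is disabled; it will not start at boot"
        n=$((n + 1))
    fi
    if ! product_running "$p"; then
        echo "$p: not running"
        n=$((n + 1))
    fi
    return "$n"
}

# check_all: check every product; return the total problem count.
check_all() {
    total=0
    for p in shorewall shorewall6; do
        rc=0
        check_product "$p" || rc=$?
        total=$((total + rc))
    done
    return "$total"
}

# Run the checks only when invoked as a script under this name, so the file
# can also be sourced for its functions.
if [ "${0##*/}" = "check-shorewall.sh" ]; then
    check_all
    exit $?
fi
```

Install it as /usr/local/sbin/check-shorewall.sh and run it from /etc/cron.d (`@hourly root /usr/local/sbin/check-shorewall.sh`), so that cron mails only when a line is printed, or from monit with `check program shorewall with path "/usr/local/sbin/check-shorewall.sh"` followed by `if status != 0 then alert`. On a host without systemd, unit_enabled fails for every product; replace it there with a check of the startup variable in /etc/default/shorewall, which is what the Debian packages used before the systemd unit.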
Re: [Shorewall-users] Shorewall not starting
On Wed, Sep 14, 2016 at 09:31:12PM +0100, Philip Le Riche wrote:
> I don't have immediate access to the system and can't easily get precise
> subversion numbers but it's running a freshly installed Linux Mint 18 and
> Shorewall 5 as offered by the standard repository just a few weeks ago.
> I'm also running Apache2, Samba, isc-dhcp-server and openssh-server. I
> could be wrong, but to me this has the feel of something to do with the
> way shorewall and Mint 18 interact rather than something specific to a
> subversion.
>

I am not a Linux Mint user, so I looked on the Mint package listing page for the current release and Shorewall is not listed as a package in the distribution. Just tell us the Shorewall package version (output of `apt-cache policy shorewall`) so that we can help diagnose the problem.

Also, since you indicated originally that your problem has to do with Shorewall not starting at boot, what init system are you using?

Regards,

-Roberto
Re: [Shorewall-users] Shorewall not starting
On Wed, Sep 14, 2016 at 04:27:15PM +0100, Philip Le Riche wrote:
>
> After a bit of googling I set startup=1 in /etc/default/shorewall and on
> the next reboot following logon the desktop crashed before displaying
> anything, dropping me into fallback mode. Now shorewall again doesn't
> start on boot.
>
What version of Shorewall and what installation source (upstream installer or distro packages)?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall 4.5.15 MAC address in rules problem
From shorewall-rules(5), DEST section:

    Restriction: MAC addresses are not allowed (this is a Netfilter restriction).

You can only have a MAC in the SOURCE column.

Regards,

-Roberto

On Fri, Jul 01, 2016 at 01:54:08PM -0400, Bill Shirley wrote:
> I can't get Shorewall to accept a MAC address in the rules file. MAC
> addresses work in tcrules.
>
> params:
> phil_laptop_mac=~00-50-b6-70-25-63
>
> tcrules:
> ?COMMENT -masq- phil laptop
> $INET2_FWMARK2/$CONNMASK:P $phil_laptop_mac
>
> rules:
> DNAT inet mem:$phil_laptop_mac tcp 80,3
>
> shorewall check:
> Checking /etc/shorewall/rules...
> ERROR: Invalid IP Address (~00-50-b6-70-25) /etc/shorewall/rules (line 104)
>
> Shorewall thinks it's an IP address instead of a MAC address. Am I doing
> something wrong?
> It's also dropping the last byte of the MAC address.
>
> [1:root@elvis shorewall 148]$ rpm -q shorewall
> shorewall-4.5.15-1.fc19.noarch
>
> Bill

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
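A way to catch this before `shorewall check` does, as an added example that is not part of the thread above and not Shorewall's own code: a small lint that expands `$NAME` references from the params file and flags any rule whose DEST column carries a MAC address, since Netfilter can only match a MAC on the SOURCE side. It assumes the classic column layout (ACTION SOURCE DEST PROTO DPORT ...), a flat NAME=value params file, and DEST written as [zone:]address[:port]; the file names and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself:
# flag a MAC address (~xx-xx-xx-xx-xx-xx) in the DEST column of a
# Shorewall rules file, where Netfilter cannot match on it.
# Assumptions: columns are ACTION SOURCE DEST PROTO DPORT ..., params is
# a flat NAME=value file, DEST looks like [zone:]address[:port].

# find_mac_in_dest PARAMS_FILE RULES_FILE
# Prints "rules:<n>: <line>" for each offending rule; exit status 1 if any.
find_mac_in_dest() {
  awk -v params="$1" '
    BEGIN {
      # load NAME=value pairs so $NAME in DEST can be expanded first
      while ((getline l < params) > 0) {
        if (l ~ /^[[:space:]]*#/ || index(l, "=") == 0) continue
        eq = index(l, "=")
        name = substr(l, 1, eq - 1); val = substr(l, eq + 1)
        gsub(/[[:space:]]/, "", name)
        sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        p[name] = val
      }
      hex = "[0-9a-fA-F][0-9a-fA-F]"
      macre = "^~" hex "(-" hex ")(-" hex ")(-" hex ")(-" hex ")(-" hex ")$"
    }
    # skip comments, ?directives and blank lines
    /^[[:space:]]*#/ || /^[[:space:]]*\?/ || NF == 0 { next }
    {
      dest = $3
      # expand $NAME references; an unknown name expands to nothing,
      # so the loop always terminates
      while (match(dest, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
        name = substr(dest, RSTART + 1, RLENGTH - 1)
        dest = substr(dest, 1, RSTART - 1) p[name] substr(dest, RSTART + RLENGTH)
      }
      i = index(dest, "~"); if (i == 0) next   # no MAC syntax in DEST
      dest = substr(dest, i)                   # drop the zone: prefix
      sub(/:.*$/, "", dest)                    # drop a trailing :port (DNAT)
      if (dest ~ macre) { printf "rules:%d: %s\n", NR, $0; bad = 1 }
    }
    END { exit bad + 0 }' "$2"
}

# usage: find_mac_in_dest /etc/shorewall/params /etc/shorewall/rules
```

Run it over the real files before `shorewall check`; a non-zero exit means at least one rule will fail the same way the one quoted above did.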
Re: [Shorewall-users] Shorewall + Docker strangeness
On Sun, May 22, 2016 at 05:46:23PM -0700, Tom Eastep wrote:
>
> It's a bug which manifests itself when Shorewall starts before Docker.
> Patch attached.

Thanks! That seems to have resolved the issue. Do I still need docker.service in the After= line of shorewall.service? Or is that now redundant?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[Shorewall-users] Shorewall + Docker strangeness
I am starting to experiment with Docker on a Linode host. I am running Docker 1.6 (from jessie-backports) and Shorewall 5.0.7.2. I followed the HOWTO on shorewall.org for getting Shorewall set up to interact properly with Docker. However, whenever I reboot my host, I see a console message that Shorewall failed to start. The log shows this:

May 22 01:28:57 node01 shorewall[388]: Running /sbin/iptables-restore...
May 22 01:28:57 node01 shorewall[388]: iptables-restore v1.4.21: Couldn't load target `DOCKER':No such file or directory
May 22 01:28:57 node01 shorewall[388]: Error occurred at line: 29
May 22 01:28:57 node01 shorewall[388]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
May 22 01:28:57 node01 shorewall[388]: ERROR: /sbin/iptables-restore Failed.
May 22 01:28:57 node01 logger[784]: Shorewall Stopped
May 22 01:28:57 node01 shorewall[388]: Terminated
May 22 01:28:57 node01 systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
May 22 01:28:57 node01 systemd[1]: Failed to start Shorewall IPv4 firewall.
May 22 01:28:57 node01 systemd[1]: Unit shorewall.service entered failed state.

I have already tried adding docker.service to the After line under [Unit] in shorewall.service, but the problem persists. Do I need to declare the docker0 bridge as an option in /etc/shorewall/interfaces?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
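The "Couldn't load target `DOCKER'" line is iptables-restore finding a `-j DOCKER` whose chain is not declared in the table being loaded (Docker creates that chain itself once it is running), and then trying, and failing, to load a target extension by that name. As an added example that is not part of this thread and not Shorewall's or Docker's code, the following script reads iptables-restore input (the ruleset Shorewall generates, or `iptables-save` output) and lists every jump target that is neither a chain declared in the same table nor a common built-in target; those are the names that will break a restore run before the service that owns them. The built-in target list is my own, not exhaustive, and the sample ruleset in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall/Docker.
# List -j/-g targets in iptables-restore input that are neither user chains
# declared in the same table nor common built-in targets. Such a target
# makes iptables-restore fail with "Couldn't load target `NAME'" whenever
# the chain does not exist yet (e.g. DOCKER before dockerd has started).
# Assumption: the built-in list below is a common subset, not the full set.

# undeclared_targets < restore-input
# Prints "table: TARGET" lines, sorted; prints nothing if everything resolves.
undeclared_targets() {
  awk '
    BEGIN {
      s = "ACCEPT DROP REJECT RETURN QUEUE NFQUEUE LOG NFLOG ULOG MARK CONNMARK"
      s = s " MASQUERADE SNAT DNAT REDIRECT NETMAP TCPMSS CT NOTRACK CLASSIFY SET"
      s = s " DSCP TOS TTL CHECKSUM AUDIT TPROXY"
      n = split(s, b, " ")
      for (i = 1; i <= n; i++) builtin[b[i]] = 1
    }
    /^\*/ { table = substr($1, 2); next }                 # *filter, *nat, ...
    /^:/  { declared[table, substr($1, 2)] = 1; next }    # :CHAIN POLICY [p:b]
    /^-A / || /^-I / {
      for (i = 1; i < NF; i++)
        if ($i == "-j" || $i == "-g") used[table, $(i + 1)] = 1
    }
    END {
      for (k in used) {
        split(k, p, SUBSEP)
        if (!((p[1], p[2]) in declared) && !(p[2] in builtin))
          print p[1] ": " p[2]
      }
    }' | sort
}

# usage on a live box: iptables-save | undeclared_targets
# usage on a Shorewall-generated script: feed it the restore input the
# script hands to iptables-restore (shorewall compile writes it out).
```

If the only names printed belong to another service's chains, the fix is ordering (start that service first, as the patch in this thread does for Docker), not a rule change.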
Re: [Shorewall-users] Shorewall (5.0.4) not starting at boot on Ubuntu 16.04 server
Hi Wouter,

You are correct. The only packaging difference between 5.0.4-1 and 5.0.7-1 is that it now correctly enables the systemd service on installation and disables it on removal.

Regards,

-Roberto

On Fri, Apr 01, 2016 at 08:57:29PM +0200, Wouter Deurholt wrote:
> Aha!
> I see now (overlooked it before) that the
> /etc/systemd/system/shorewall.service I made myself (first post) was not
> necessary... and even pointless :).
> If you just do a 'sudo systemctl enable shorewall.service' after you
> installed shorewall 5.0.4: all is well :).
> I reckon this is the only change you made in the 5.0.7-1 version, am I
> right?
>
> Good solution for anyone installing this version until it emerges in the
> standard repositories.
>
> Thanks and cheers Roberto!
>
> Wouter
>
> 2016-04-01 14:11 GMT+02:00 Roberto C. Sánchez <robe...@connexer.com>:
>
> > Wouter,
> >
> > That is a problem that I discovered a few weeks after I uploaded 5.0.4.
> > I was actually surprised that (a) I overlooked it, and (b) nobody ever
> > reported it. The problem was corrected with the 5.0.7-1 upload to
> > Debian unstable last week.
> >
> > Executing 'systemctl enable shorewall.service' is the appropriate
> > solution. It is effectively what the package does now after it is
> > installed. There would not be a need to update to the newer package
> > unless there was some other more pressing bug fix or new feature that
> > you required.
> >
> > Regards,
> >
> > -Roberto
> >
> > On Fri, Apr 01, 2016 at 01:32:23PM +0200, Wouter Deurholt wrote:
> > > Greetings,
> > >
> > > I installed Shorewall (5.0.4) on my Ubuntu server 16.04 (currently beta).
> > > It is functioning perfectly fine when started. There is however one
> > > problem. It is not starting at boot-time.
> > > I even tried to add a wait_interface="eno1" and wait_interface="eno2" to
> > > my /etc/default/shorewall.
> > >
> > > /etc/default/shorewall
> > > startup=1
> > > [...]
> > >
> > > /etc/shorewall/shorewall.conf
> > > STARTUP_ENABLED=Yes
> > > [...]
> > >
> > > I can start it up perfectly fine without any errors with
> > > sudo shorewall start:
> > >
> > > I found a solution/workaround somewhere by making a systemd startup script
> > > and that works fine as follows:
> > >
> > > /etc/systemd/system/shorewall.service
> > > [Unit]
> > > Description=Shorewall IPv4 firewall
> > > Wants=network-online.target
> > > After=network-online.target
> > > Conflicts=iptables.service firewalld.service
> > >
> > > [Service]
> > > Type=oneshot
> > > RemainAfterExit=yes
> > > EnvironmentFile=-/etc/default/shorewall
> > > StandardOutput=syslog
> > > ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
> > > ExecStop=/sbin/shorewall $OPTIONS stop
> > > ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
> > >
> > > [Install]
> > > WantedBy=basic.target
> > >
> > > followed by a
> > > sudo systemctl enable shorewall.service
> > >
> > > But the big question is of course: Why is it not (default) starting at
> > > boot?
> > >
> > > Thanks!
> > >
> > > Wouter
Re: [Shorewall-users] Shorewall (5.0.4) not starting at boot on Ubuntu 16.04 server
Wouter,

That is a problem that I discovered a few weeks after I uploaded 5.0.4. I was actually surprised that (a) I overlooked it, and (b) nobody ever reported it. The problem was corrected with the 5.0.7-1 upload to Debian unstable last week.

Executing 'systemctl enable shorewall.service' is the appropriate solution. It is effectively what the package does now after it is installed. There would not be a need to update to the newer package unless there was some other more pressing bug fix or new feature that you required.

Regards,

-Roberto

On Fri, Apr 01, 2016 at 01:32:23PM +0200, Wouter Deurholt wrote:
> Greetings,
>
> I installed Shorewall (5.0.4) on my Ubuntu server 16.04 (currently beta).
> It is functioning perfectly fine when started. There is however one
> problem. It is not starting at boot-time.
> I even tried to add a wait_interface="eno1" and wait_interface="eno2" to
> my /etc/default/shorewall.
>
> /etc/default/shorewall
> startup=1
> [...]
>
> /etc/shorewall/shorewall.conf
> STARTUP_ENABLED=Yes
> [...]
>
> I can start it up perfectly fine without any errors with
> sudo shorewall start:
>
> I found a solution/workaround somewhere by making a systemd startup script
> and that works fine as follows:
>
> /etc/systemd/system/shorewall.service
> [Unit]
> Description=Shorewall IPv4 firewall
> Wants=network-online.target
> After=network-online.target
> Conflicts=iptables.service firewalld.service
>
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> EnvironmentFile=-/etc/default/shorewall
> StandardOutput=syslog
> ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
> ExecStop=/sbin/shorewall $OPTIONS stop
> ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
>
> [Install]
> WantedBy=basic.target
>
> followed by a
> sudo systemctl enable shorewall.service
>
> But the big question is of course: Why is it not (default) starting at
> boot?
>
> Thanks!
>
> Wouter

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] [RFE] Please include tinc macro in stock shorewall package
On Sat, Sep 19, 2015 at 11:33:30AM +0300, Răzvan Sandu wrote:
>
> However, I use both shorewall and shorewall6 on CentOS (+ the EPEL
> official repository) and the version of shorewall distributed there
> (shorewall-4.6.5.3-1.el7.noarch) still doesn't include any version of
> the macro.
>
> The shorewall package in Debian stable (8.2) is even older: 4.6.4.3-2
>
> But I may confirm that the first version of the tinc macro *is*
> included in shorewall from Fedora 22
> (shorewall-4.6.11.1-2.fc22.noarch).
>
> Could you please push a more recent version of shorewall and
> shorewall6 in the EPEL repository and in Debian?
>
Răzvan,

Please note that each distro has policies regarding how packages in its stable or released versions are updated. I cannot speak for the way updates to packages in EPEL are handled, but as a Debian Developer I can speak to how it works for Debian.

Basically, once a Debian release is marked as stable, the only updates which are permitted are for security fixes and to fix serious bugs. The fixes must be targeted, so there is no wholesale updating of packages in Debian with new upstream releases (except in a very small number of cases where targeted fixes are either not possible or not feasible).

The bottom line is that the version of the Shorewall package in Debian stable will remain the same for the life of the particular stable release.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Comparing approcahes to Shorewall firewall on a Xen server. Any experience or recommendations?
On Tue, Apr 21, 2015 at 07:39:37PM +, ale...@vfemail.net wrote:
> IIUC that's one of three ways I can think of to handle the firewall,
> (1) 2 ethernet interfaces in the Dom0 host, shorewall on the Dom0
> (2) 1 ethernet interface in the Dom0 host, 1 eth intfc in a DomU guest,
> shorewall in the Guest,
> (3) 2 ethernet interfaces in the DomU guest, shorewall in the DomU guest,
> guest internal intfc connected to an Ethernet switch.
> I'm looking for any comments or advice for which way is the 'sanest'
> approach, and to understand why.
> I'd appreciate any ideas!

Personally, I like the approach of running Shorewall inside of each domU. But then, I employ the "every node on the network is untrusted by default" approach. I have all the physical interfaces in the dom0 (with the dom0 only filtering traffic on its own virtual interface, which is connected to the physical bridge interface). Each domU is then connected to the bridge by the dom0, but the domU is responsible for its own filtering.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] repository for Ubuntu Server
On Wed, Nov 26, 2014 at 05:31:14PM -0600, I.S.C. William wrote:
> A repository for Ubuntu Server and to install the updated version of
> Shorewall?
> Thanks

http://people.connexer.com/~roberto/debian/

I maintain it for Debian, but it also works with Ubuntu. Debian just went into a freeze, so I don't plan to update until the freeze is over.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] checking dependency of -lite products on 'full' products
On Sat, Oct 04, 2014 at 04:34:41PM -0700, PGNd wrote:
> What's actually the design-intended dependency set by upstream SW?
> Does any part of a remote-only install -- products = shorewall-core
> shorewall-lite shorewall6-lite shorewall-init -- require the install of
> the full products as well?

I've packaged the Debian versions of shorewall-lite and shorewall6-lite to only depend on iptables, iproute, and bc. You should not even need shorewall-core.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] checking dependency of -lite products on 'full' products
On Sat, Oct 04, 2014 at 05:34:00PM -0700, Tom Eastep wrote:
> What possible reason would there have been to develop the -lite products
> if they depended on the full products on the same system? The -lite
> products depend on Shorewall Core only.

Lorenzo originally packaged the -lite products as he was the package maintainer at the time. I was incorrect when I said I packaged them, as Lorenzo made the first few changelog entries. I'm not sure about his rationale for the dependencies. I know for certain that the packages as far back as 5 years ago (4.4.1) weren't using the install.sh installer, since I had migrated from Lorenzo's packages, which used some custom .install files in the debian/ directory to get the files where they needed to be. His shorewall package did the same, and so I imagine that he just followed the same pattern. I did update the package at some point to take advantage of install.sh, but the issue of a dependency on shorewall-core never came up.

Do I need to have the -lite packages depend on shorewall-core? I am surprised that no bug reports have ever been reported on this issue.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall Allow IPSec traffic
On Fri, Sep 26, 2014 at 12:56:01PM +0800, Vincent Ng wrote:
> Dear All,
>
> I have a question here, may I know how to configure when I need to allow
> the dynamic road warriors to connect my office by using IPSec?
>
You don't provide much detail, so the best I can do is tell you to start here:

http://shorewall.net/VPNBasics.html
http://shorewall.net/IPSEC-2.6.html
http://shorewall.net/IPSEC.htm

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Best way to block
Emiliano,

Have a look at this article:

http://shorewall.net/Shorewall_Squid_Usage.html

You can just forcibly redirect all web traffic through squid. You can do this transparently, or you can block ports 80 and 443 and require your users to explicitly specify the proxy in their configurations.

Regards,

-Roberto

On August 19, 2014 7:41:30 AM EDT, Emiliano Vazquez <emilianovazq...@gmail.com> wrote:
> Hi guys.
>
> I'm reading how is the best way to block some IPs on the network to get
> http/https access.
> I will send all the traffic through the proxy and need to block those
> users who eliminate the proxy setting.
>
> In Shorewall Blacklist [1] says:
>
>   The use of this file is deprecated and beginning with Shorewall 4.5.7,
>   the file is no longer installed
>
> I want to ask what is the best way to do this today.
>
> Best regards.
> Emiliano.
>
> [1] http://shorewall.net/manpages/shorewall-blacklist.html

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] KLIPS openswan l2tp tunnels
On Thu, Aug 14, 2014 at 06:49:00PM +0100, ray klassen wrote:
> So back to this question. I figured I should wait with pursuing this
> until I was more up to date. I am now current with the latest kernel and
> shorewall in debian (issues with openswan were hindering) and I tried
> ppp+ in my masq file and shorewall check gave me something like "invalid
> ipset ppp+". So I looked up ipset and I gather I have to install some
> more kernel modules to support it, etc. Is that the case and how will
> that impact the existing iptables (netfilter) infrastructure..? do I
> just install and it co-exists? Does shorewall need it for wildcard
> interfaces in the masq file..?

What version of Debian, what version of Shorewall, and what version of the kernel?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] KLIPS openswan l2tp tunnels
On Thu, Aug 14, 2014 at 07:47:00PM +0100, ray klassen wrote:
> debian wheezy
> Kernel 3.2.0-4-amd64
> shorewall 4.5.5.3

That is a very old version of Shorewall. I don't use ipsets so I haven't been particularly paying attention to the changes that Tom has made in regard to ipsets, but I do know that there have been quite a few. You can get a very recent version of Shorewall for wheezy here:

http://people.connexer.com/~roberto/debian/

Or, you can download the jessie/sid version from http://packages.debian.org/ and install them with 'dpkg -i'. That may help resolve your issue. I will let Tom weigh in with any specific insights he may have on your problem.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] KLIPS openswan l2tp tunnels
On Thu, Aug 14, 2014 at 09:17:11PM +0100, ray klassen wrote:
> If I can, I stay current with the distro, unless there is a compelling
> reason to switch.

I understand. If it helps you decide, the packages available on my site are virtually identical to the packages I upload into Debian. The only difference is the version numbering (to ensure that upgrading to another Debian release results in you getting packages from the official repo). You could also just add the testing or unstable repositories to your sources.list and use apt pinning to only get the newer Shorewall packages and ignore all the rest.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] KLIPS openswan l2tp tunnels
On Thu, Aug 14, 2014 at 10:29:26PM +0100, ray klassen wrote:
> Aha, so you're the maintainer of those packages are you... Didn't see
> that. So at least you could reliably tell me if running the latest
> shorewall won't trigger any other issues with any other wheezy package?
> generally I avoid sid on production machines. (that said, to solve a
> specific problem I did just pull down libreswan, compiled the debs and
> got rid of openswan)
>
> The only other thing I worry about with shorewall is when stuff I've
> included to solve specific issues in a complex environment is now
> deprecated and what will I do when it's gone? it's a matter of
> re-hashing (that's desperately trying to remember) why it got included
> in the first place and then implementing the new, preferred solution
> without breaking anything.

I can tell you that I run only stock Wheezy on my production systems, with the latest Shorewall. I have not encountered any issues using the latest Shorewall on stable, and have been doing so since Shorewall 4.0 (when I took over as maintainer of the Debian packages). I only run sid for development and building packages.

Tom tends to leave deprecated features for a fair amount of time. My experience has been that I always have ample time to sort out any changes I need to make. Of course, as you point out, sometimes it is hard to remember *why* you did a specific thing.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Can shorewall block specific url
On Fri, Jul 11, 2014 at 12:19:11PM -0700, ARUN CHAKRAPANI RAO wrote:
> Hi,
>
> Please do forgive me if this is the wrong place to ask this Q?
>
> We are an isp looking for a tool which can block specific url instead
> of the domain itself. for example
> http://www.facebook.com/seekinghelp
> https://twitter.com/canweblockurl
>
> The reason being, we get mails from the Government ordering us to block
> specific url's.
>
> We are about to evaluate Shorewall, wanted to know from any one of you
> as to whether this is possible.
>
> If this is not the tool, anybody can guide as to which open source is
> stable enough to do this job along with the firewall ?

The short answer: No.

The longer answer: Shorewall is only a front-end for iptables. The only thing that iptables cares about is packets. To block a specific URL, you will need something that works at the application layer. I would look at Squid and see if that does what you need.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Interfaces arguments won't compile
Sounds like you have a FORMAT 1 configuration file. If you want to continue using FORMAT 1, you will have to place a '-' in the BROADCAST column to get the compiler to skip it and move on to the options. You can also switch to FORMAT 2. You can have a look at shorewall-interfaces(5) for details.

Regards,

-Roberto

On Tue, Jul 08, 2014 at 01:08:53PM -0400, Db Clinton wrote:
> Hi,
>
> Shorewall on a new installation isn't compiling and reports this error:
>
> ERROR: Invalid BROADCAST address /etc/shorewall/interfaces (line 2)
>
> I've read that until version 4.2.x there was a bug that could lead to
> this error, but I'm using 4.4.26.1-1. And in any case, I haven't got a
> BROADCAST column.
>
> The problem goes away when I remove all arguments
> (tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0) from the
> interface entry. Any one argument will make the compile fail.
>
> As I'd like to use arguments, does anyone have any idea what I should
> be doing differently?
>
> Thanks,
> David

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
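Both remedies from the reply above, done mechanically, as an added example that is not part of the thread and not Shorewall's own code. The first filter inserts the '-' placeholder into the BROADCAST column of a FORMAT 1 file wherever the third column is actually the OPTIONS list (the situation that produces "Invalid BROADCAST address"); the second drops the BROADCAST column altogether and writes a FORMAT 2 file. It assumes FORMAT 1 columns are ZONE INTERFACE BROADCAST OPTIONS, that a BROADCAST value is '-', 'detect' or a comma list of dotted addresses, and that the format directive is spelled `?FORMAT 2` as in recent Shorewall (older releases spell it `FORMAT 2`, so check shorewall-interfaces(5) for the release in use). The sample lines in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself.
# Two fixes for a FORMAT 1 /etc/shorewall/interfaces whose third column
# holds OPTIONS instead of a BROADCAST value:
#   fix_format1  inserts the '-' placeholder into the BROADCAST column
#   to_format2   drops the BROADCAST column and emits a FORMAT 2 file
# Assumptions: FORMAT 1 columns are ZONE INTERFACE BROADCAST OPTIONS;
# a BROADCAST value is '-', 'detect' or a comma list of dotted addresses;
# the FORMAT 2 directive is spelled ?FORMAT 2 (older releases: FORMAT 2).
# Output columns are tab separated.

# What a legitimate BROADCAST column looks like; shared by both filters.
BCAST_RE='^(-|detect|[0-9.]+(,[0-9.]+)*)$'

# fix_format1 < interfaces > interfaces.fixed
fix_format1() {
  awk -v bc="$BCAST_RE" '
    /^[[:space:]]*#/ || /^[[:space:]]*\?/ || NF == 0 { print; next }
    NF == 3 && $3 !~ bc { print $1 "\t" $2 "\t-\t" $3; next }  # options sat in the BROADCAST slot
    { print }'
}

# to_format2 < interfaces > interfaces.v2
to_format2() {
  awk -v bc="$BCAST_RE" '
    BEGIN { print "?FORMAT 2" }
    /^[[:space:]]*\?*FORMAT/ { next }                          # replace any existing FORMAT line
    /^[[:space:]]*#/ || /^[[:space:]]*\?/ || NF == 0 { print; next }
    {
      if (NF >= 3 && $3 ~ bc) opts = (NF >= 4) ? $4 : "-"   # proper FORMAT 1 line
      else                    opts = (NF >= 3) ? $3 : "-"   # BROADCAST omitted: column 3 is OPTIONS
      print $1 "\t" $2 "\t" opts
    }'
}

# usage (constructed input, the line from the report above):
#   printf 'net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0\n' | fix_format1
#   to_format2 < /etc/shorewall/interfaces > /tmp/interfaces.v2
```

After either conversion, run `shorewall check` before replacing the live file; `to_format2` also keeps comment and `?` directive lines, so the file stays readable.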
Re: [Shorewall-users] upgrading error shorewall-init
Hi Matt,

I'm sorry for having overlooked this for so long. I went ahead and updated the call to dh_installinit in debian/rules so that the package installs symlinks for stopping shorewall-init that match the runlevels specified in the init script.

Regards,

-Roberto

On Sat, Feb 01, 2014 at 01:34:44PM +0100, matt darfeuille wrote:
> Hi there,
>
> The command used on a debian7 box was:
>
> root@deb7:~# insserv -v shorewall-init
> insserv: enable service ../init.d/shorewall-init -> /etc/init.d/../rc0.d/K08shorewall-init
> insserv: enable service ../init.d/shorewall-init -> /etc/init.d/../rc6.d/K08shorewall-init
> insserv: enable service ../init.d/shorewall-init -> /etc/init.d/../rcS.d/S11shorewall-init
> insserv: creating .depend.boot
> insserv: creating .depend.start
> insserv: creating .depend.stop
> root@deb7:~#
>
> -Matt
>
> On 31 Jan 2014 at 18:08, Roberto C. Sánchez wrote:
>
> > On Fri, Jan 31, 2014 at 11:35:27PM +0100, matt darfeuille wrote:
> > > Hi,
> > >
> > > while upgrading shorewall to 4.5.21.6 from Roberto C. Sánchez's
> > > repository the following error comes up regarding shorewall-init:
> > >
> > > Setting up shorewall-init (4.5.21.6-1~bpo70+1) ...
> > > update-rc.d: warning: stop runlevel arguments (none) do not match shorewall-init Default-Stop values (0 6)
> > >
> > > Easily corrected using insserv though!
> > >
> > I did not encounter this problem. How did you correct it?
> >
> > Regards,
> >
> > -Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Documentation out of date links
On Wed, Jun 11, 2014 at 01:20:45PM -0700, Lee Brown wrote:
> The useful links page has a few problems:
>
> NIST guide http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
> PPPS - good
> Netfilter site - good
> LARTC - good
> Clustering - good
> Iproute - obsolete? Iproute2 Downloads - https://www.kernel.org/pub/linux/utils/net/iproute2/
> LEAF - good
> Behring - good
> iptables tutorial https://www.frozentux.net/documents/iptables-tutorial/
> Debian sources - good
> About the author - good
> Tom's presentations - good
> Shorewall CIA tracker - *dead*

Lee,

Thanks for the info. I updated the three links you provided and removed the Shorewall CIA tracker link. I have pushed the changes to Git and they will be public the next time site content is published.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] host
On Mon, May 26, 2014 at 01:54:24PM +0200, Paolo wrote:
> Hi list
>
> I usually install shorewall on stand-alone servers or on servers that act not only as such, but also as gateway for other boxes. If I install a dedicated box as a firewall, usually I consider a dedicated distro like IpCop, PFSense, ZeroShell, ... because they give me an already hardened distro and some tools like graphical reports that are very useful for monitoring activity. Using Munin/Monitorix/... I can have the flexibility of Shorewall and the comfort of a visual monitoring system. I like this combination, so sometimes I ask myself, and now the list: if you are planning to install a box whose primary activity is firewalling (usual NET/LAN/DMZ/WLAN config), which distro do you consider/prefer? Any particular packages and/or advice for configuration?

I use Debian stable, with just the Shorewall and SSH packages and sometimes a few others depending on my specific needs and the environment in which it will run (e.g., NFS, Kerberos, NTP, logcheck, etc.).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] ERROR: Startup is disabled
On Mon, May 05, 2014 at 02:31:34PM -0700, Mike Andrewjeski wrote:
> Hi List,
>
> Thanks in advance for reading this, any help is gratefully appreciated.
>
> Odd problem: after upgrading to debian wheezy (Shorewall-4.5.5.3) from debian squeeze (Shorewall-4.4.11.6-3+squeeze1), when doing a start, restart or refresh I see the error:
>
> ERROR: Startup is disabled. Are you running the commands as root?
>
> shorewall check shows this:
>
> ERROR: The 'zones' file does not exist or has zero size
>
> The content of the zones file hasn't changed and has this content in both /etc/shorewall and /var/lib/shorewall:
>
> fw firewall
> loc ipv4 eth3:0.0.0.0/0
> net ipv4 eth2:0.0.0.0/0

What is the output of 'shorewall dump' (run as root, of course).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] ERROR: Startup is disabled
On Mon, May 05, 2014 at 03:44:48PM -0700, Mike Andrewjeski wrote:
> > On Mon, May 05, 2014 at 02:31:34PM -0700, Mike Andrewjeski wrote:
> > What is the output of 'shorewall dump' (run as root, of course).
>
> attached as shore-dump.gz (hope that's ok..)

The dump output shows that Shorewall is running. What is the value of STARTUP_ENABLED in /etc/shorewall/shorewall.conf? (I probably should have asked that first).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] ERROR: Startup is disabled
On Mon, May 05, 2014 at 04:06:54PM -0700, Mike Andrewjeski wrote:
> the value is:
>
> STARTUP_ENABLED=Yes
>
> BTW, I started by using iptables-restore...

I am at a loss. Can you tar up the /etc/shorewall directory and send it to me directly? I'd like to try and reproduce the behavior you are seeing.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Address ranges in proxyarp?
On Thu, Mar 27, 2014 at 12:47:29PM -0700, Rich Wales wrote:
> I'm running Shorewall 4.5.16.1 on an Ubuntu 13.10 system. Is it possible to specify a CIDR range in the proxyarp file? Or do I really need to list each individual IP address separately?

From the shorewall-proxyarp(5) man page:

  This file is used to define Proxy ARP. There is one entry in this file for each IP address to be proxied.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Blacklist/Block Apps
On Sat, Feb 08, 2014 at 03:51:38PM +, Donald S. Doyle wrote:
> This is being done via the Internet and I do not know who it is.
>
> Have a great weekend,
>
> Don

Don,

If you are having apps installed on your system via the Internet and you don't know about it, you may have been rooted. I would consider taking it offline, booting from a LiveCD/LiveDVD and verifying the integrity of your system's applications (with something like debsums) and removing anything you do not recognize. A better approach would be to wipe and reinstall your system, but that may not be feasible, depending on how long it has been like this and whether your backups have been compromised.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Blacklist/Block Apps
On Sat, Feb 08, 2014 at 04:31:13PM +, Donald S. Doyle wrote:
> How do I prevent being rooted?

That question is exceptionally difficult to answer. It depends on many different things.

First, you can block all inbound traffic. If you have any services running, then you need to make sure that they are properly secured. If you have anything open to the Internet (like a webserver) you need to make sure that it is properly secured. Even if you have something like Apache properly secured, any applications (e.g., CGI, PHP, etc.) that you have being served by it could be vulnerable. For example, many popular forum and bulletin board packages have many well known vulnerabilities. If you are running things you developed yourself, you need to make sure that you don't have places where a SQL injection can be performed, or where shellcode can be introduced, etc.

That is just a small sampling of things that could be possible issues. There are just too many to list them all.

Another approach is to wipe the system clean, install it fresh and completely lock it down. Then add applications/services one at a time, making certain that each one is properly configured/secured/etc.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
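The SQL injection that Roberto warns about in self-written web code, shown as an added example (this is not code from the list, from Shorewall, or from any package the thread mentions). The users table and credentials are constructed for the example and the login functions are hypothetical; the point is the difference between building the query from user input with string formatting and passing that input as a bound parameter.

```python
import sqlite3

# Constructed sample table for this example only. A real application stores
# a password hash, never the password; it is kept plain here so the SQL
# that the attacker bends stays readable.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Query assembled by string formatting: user input becomes SQL syntax.

    With password   ' OR '1'='1   the WHERE clause turns into
        name = 'alice' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    """Same query with bound parameters: the input is data, never syntax.

    The driver sends the statement and the values separately, so the
    quote characters in the payload are compared literally against the
    password column and nothing matches.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))
    print("hardened:  ", login_hardened(db, "alice", payload))
```

The same rule applies to every other place user input meets an interpreter (shell commands, LDAP filters, file paths): pass it as an argument to an API that keeps data and code apart rather than splicing it into a string.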
Re: [Shorewall-users] Blocking IP addresses
On Fri, Feb 07, 2014 at 10:31:59PM +, Donald S. Doyle wrote:
> Hello,
>
> Is there a way to be proactive and block questionable IP addresses before they attempt to communicate with my router?

Hi Don,

Depending on your definition of questionable, you can make use of any of a number of blacklists (some public, some not). Another approach would be to block an entire range of addresses when a particular address does something you deem to be questionable. Aside from that, I am not sure how you would proactively block IP addresses before they communicate with your router.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Blocking IP addresses
On Fri, Feb 07, 2014 at 11:06:35PM +, Donald S. Doyle wrote:
> Is there a way to have Shorewall communicate with the listing services (SORBS, Spamhaus, etc.)?

Not directly. I would script the process of downloading the list, extracting the IPs to a list of addresses or a list of address ranges, then put the addresses/ranges in a blrules file and then restart Shorewall. There may already be a script floating around for that.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
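The pipeline Roberto describes (fetch a list, extract the addresses and ranges, write them to blrules, reload), as an added example; it is not a script from the list or from the Shorewall project. It assumes a feed in the Spamhaus DROP layout (one address or CIDR per line, `;` starts a comment), a zone named `net`, and the hypothetical file name feed2blrules.py; the feed text below is constructed for the example and deliberately includes a malformed entry, an overlapping range, a duplicate and an IPv6 entry so that the filtering is visible. Downloading is left to curl or wget on the command line; the script reads the feed on stdin.

```python
import ipaddress
import os
import sys

# Constructed sample in Spamhaus DROP layout ("network ; comment"); not a real feed.
SAMPLE_FEED = """\
; Constructed DROP-style list for this example only
1.10.16.0/20 ; SBL256894
5.34.242.0/23 ; SBL194796
5.34.243.0/24 ; SBL194796 (already covered by the /23 above)
300.1.2.3/24 ; malformed, must be rejected
203.0.113.7 ; bare host address, becomes a /32
203.0.113.7/32 ; duplicate of the previous line
2001:db8::/32 ; IPv6, belongs in shorewall6, not shorewall
"""


def parse_feed(text, version=4):
    """Return the feed's networks as a sorted, de-duplicated, collapsed list.

    Malformed entries are skipped rather than passed through: one bad line
    in blrules makes 'shorewall check' fail and the firewall would not
    reload. Overlapping, duplicate and adjacent networks are merged with
    ipaddress.collapse_addresses so the generated rule set stays small.
    Only networks of the requested IP version are kept, because shorewall
    and shorewall6 have separate blrules files.
    """
    nets = set()
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # drop ';' comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # e.g. "300.1.2.3/24" is not an address at all
        if net.version == version:
            nets.add(net)
    return list(ipaddress.collapse_addresses(nets))


def to_blrules(nets, zone="net", action="DROP"):
    """Render networks as lines for /etc/shorewall/blrules.

    One rule per network in the form '<action> <zone>:<network> all';
    the 'all' destination covers traffic to the firewall itself and to
    every other zone, which is what a blocklist is normally meant to do.
    """
    lines = ["#ACTION\tSOURCE\t\t\tDEST",
             "# generated from a DROP-style feed; do not edit by hand"]
    for net in nets:
        lines.append("%s\t%s:%s\tall" % (action, zone, net.with_prefixlen))
    return "\n".join(lines) + "\n"


def write_blrules(path, text, **kw):
    """Write the rendered rules to path, replacing the old file atomically
    so a reload never sees a half-written file."""
    rendered = to_blrules(parse_feed(text), **kw)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(rendered)
    os.replace(tmp, path)
    return rendered


if __name__ == "__main__":
    # Feed text on stdin, blrules lines on stdout.
    sys.stdout.write(to_blrules(parse_feed(sys.stdin.read())))
```

Rather than overwriting /etc/shorewall/blrules and losing hand-written entries, write the output to a separate file (for instance /etc/shorewall/blrules.d/drop, a path chosen for this example) and pull it in from blrules with an INCLUDE line; then run `shorewall check` and only on success `shorewall restart`, so a broken feed never leaves the firewall stopped.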
Re: [Shorewall-users] Blacklist/Block Apps
On Sat, Feb 08, 2014 at 12:34:01AM +, Donald S. Doyle wrote:
> Hello,
>
> It appears that apps are getting installed on the router without my knowing. Supposedly, Citrix, Teamviewer & ZOHO have been installed although I cannot find any evidence of it. Is there a way to blacklist/block apps from being installed?

Don,

There are several possible approaches. The best one will depend largely on the environment and the skills of the administrator, but some sort of mandatory access control (like SELinux) would likely be the overall best. Be aware, though, that lots of apps break in a mandatory access control environment. This would require some amount of testing to ensure that everything functions as expected.

Incidentally, I don't think that this is something that Shorewall can help with.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Package for collection only ?
On Thu, Feb 06, 2014 at 10:40:21AM +, Simon Hobson wrote:
> As a side effect, a couple of the machines I would like to add it to are running older versions (as far back as Lenny). I assume I might stand a slight chance of manually installing later packages if there were fewer dependencies.

If you need help with backporting, I wrote a HOWTO on that. It is pretty old, but I have kept it up to date:

http://www.connexer.com/articles/debcustomize

Let me know if you need any assistance in creating backported packages for your older systems.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] SSH Access from NET: Error ssh_exchange_identification: read: Connection reset by peer
On Fri, Jan 31, 2014 at 09:23:48AM -0200, José D. Grieco wrote:
> Hi, any advice??
>
> On 27-01-2014 14:43, José D. Grieco wrote:
> > Hi, Roberto,
> >
> > The 'ssh -vvv jdgrieco@192.168.1.10' output is:
> >
> > OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
> > debug1: Reading configuration data /home/jdgrieco/.ssh/config
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: /etc/ssh/ssh_config line 19: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 192.168.1.10 [192.168.1.10] port 22.
> > debug1: Connection established.
> > debug3: Incorrect RSA1 identifier
> > debug3: Could not load /home/jdgrieco/.ssh/id_rsa as a RSA1 public key
> > debug1: identity file /home/jdgrieco/.ssh/id_rsa type 1
> > debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
> > debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
> > debug1: identity file /home/jdgrieco/.ssh/id_rsa-cert type -1
> > debug1: identity file /home/jdgrieco/.ssh/id_dsa type -1
> > debug1: identity file /home/jdgrieco/.ssh/id_dsa-cert type -1
> > debug1: identity file /home/jdgrieco/.ssh/id_ecdsa type -1
> > debug1: identity file /home/jdgrieco/.ssh/id_ecdsa-cert type -1
> > ssh_exchange_identification: read: Connection reset by peer

Hi José,

I apologize for letting this drop off. Wayne does bring up some good points, but the fact that the connection works when you clear Shorewall indicates that the problem may be Shorewall-related. I have not encountered this particular problem, so I don't have any suggestion to offer. I talked with Tom in IRC about this, and he and someone else offered a suggestion, but I no longer have the conversation available, and I do not recall the suggestions. If they do not reply in this thread, I recommend joining the IRC channel and asking your question there.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] upgrading error shorewall-init
On Fri, Jan 31, 2014 at 11:35:27PM +0100, matt darfeuille wrote:
> Hi, while upgrading shorewall to 4.5.21.6 from Roberto C. Sánchez's repository the following error comes up regarding shorewall-init:
>
> Setting up shorewall-init (4.5.21.6-1~bpo70+1) ...
> update-rc.d: warning: stop runlevel arguments (none) do not match shorewall-init Default-Stop values (0 6)
>
> Easily corrected using insserv though!

I did not encounter this problem. How did you correct it?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] SSH Access from NET: Error ssh_exchange_identification: read: Connection reset by peer
On Mon, Jan 27, 2014 at 12:46:00PM -0200, José D. Grieco wrote:
> Hi, I have in rules file:
>
> SSH/ACCEPT all all
>
> but I can't connect to FW from net interface, only from local interface. If I stop shorewall (shorewall clear) the ssh connection is established without any problem. I'm using shorewall 4.5.5.3 on a debian machine.
>
> Any advice??

José,

In order to help you troubleshoot the problem, we will need the output of 'shorewall dump' run as root. In order to make the output useful, run the command with the failing configuration in place and after attempting an SSH connection. Also, the output of 'ssh -vvv [host]' might be helpful, but we may not need that just yet.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall in a remote Openvz HN
On Tue, Dec 31, 2013 at 10:53:05AM +0100, Zenny wrote:
> Forgot to mention in my previous query that the machine has no loc (it is a remote machine). Only a machine with two IPs assigned to eth0 and eth0:1 and openvz VMs, fyi. Thank you!

Have you had a look at this documentation?

http://www.shorewall.fi/Shorewall_and_Aliased_Interfaces.html

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] stopping shorewall-lite also stops shorewall6-lite. how to fix the dependency?
On Sat, Dec 28, 2013 at 10:45:48AM -0800, jen...@promessage.com wrote:
> There's obviously some incorrect/broken/missing dependency between the two. How do I properly config shorewall &/or the systemd unit files to maintain the IPv4 & IPv6 shorewall instances' independence?

Which distro are you using? Can you have a look at this bug report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729256

Are you experiencing anything similar to what was reported in that bug?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[Shorewall-users] Announcing the new Shorewall website
The Shorewall website has undergone a major redesign. The old frame-based layout has been traded for a new CSS-based layout, and the old default color scheme has been updated to integrate the colors of the Shorewall website logo. All the content remains and is still in the same locations, so external links to the Shorewall website will continue to work.

Initially, the design will be visible on the recently acquired shorewall.org domain at ( http://www.shorewall.org ) for a short time prior to going into production on the main Shorewall site and being replicated to all the mirrors. During this initial period, community feedback and comments would be much appreciated.

In November 2008, the Shorewall team held a logo design competition, and in January 2009 a new website logo was chosen. The intent was always to base a new website theme on the new logo. However, for a variety of reasons, the website redesign did not take place as planned. Now, almost 5 years later, the website has been redesigned.

Please email feedback/questions/comments to webmas...@shorewall.net.

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall 4.5.21
On Fri, Oct 04, 2013 at 01:39:32PM +0200, matt darfeuille wrote:
> Hi tom,
>
> Regarding the insserv changes made to the shorewall-init-4.5.21/install.sh script: they do not seem to work on debian7!
>
> Installing Debian-specific configuration...
> Installing Shorewall Init Version 4.5.21
> SysV init script init.debian.sh installed in /etc/init.d/shorewall-init
> Logrotate file installed as /etc/logrotate.d/shorewall-init
> /sbin/insserv
> insserv: enable: No such file or directory

Hi Matt,

It looks like you are using upstream tarballs. Can you please try the official Debian packages and see if you have the same issue? I installed from the Debian packages I created on two of my servers which I recently updated to Wheezy and I have not encountered the issue you observed.

I just uploaded the packages for 4.5.21-1 late last night/early this morning. You can get them from http://packages.debian.org, or I have also set up a wheezy repository at my website:

http://people.connexer.com/~roberto/debian/

The packages from my website are signed with my GPG key that is in the Debian keyring and they are identical to those found in Sid.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] help
On Wed, Sep 25, 2013 at 03:26:34PM +, Myron Ramdhani wrote:
> Hi
>
> I have two different subnets in two separate geographical locations. Each subnet needs to be able to connect to the other and route traffic vice versa. On subnet A (10.5.100.0/24), I have a shorewall firewall with a static IP breaking out onto the internet. On subnet B (10.5.101.0/24), I have an ADSL router with a dynamic IP breaking out onto the internet.
>
> Can someone help me with what is the easiest possible way to route traffic between both subnets? I can configure DynDNS on the router in subnet B, so that will sort out the dynamic IP, however I need to find out how to get shorewall to connect to subnet B.

It would seem to me that the best solution would be to create a VPN between the two subnets. You can initiate it from the ADSL subnet to the other subnet with the static IP so that you will not need to mess with DynDNS.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall and OpenVSwitch on Debian
On Tue, Apr 16, 2013 at 12:06:47PM -0300, Ernesto Domato wrote:
> Ok, I'll do this and will discuss with the Debian developers responsible for the packaging of shorewall and openvswitch to agree on the change in priority between both packages so this could be fixed.

Ernesto,

I maintain the Debian Shorewall packages. I am happy to make the change, but it will have to wait until after the Wheezy release. The best thing would be if you could file a bug against the shorewall-init package so that I don't forget about it.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall and OpenVSwitch on Debian
On Mon, Apr 15, 2013 at 04:37:02PM -0300, Ernesto Domato wrote:
> The problem that I'm having is that shorewall tries to run before openvswitch; this makes shorewall fail because it can't determine the IP of the virtual interface generated by openvswitch, which starts after shorewall.

I am not familiar with OpenVSwitch, but I have all sorts of VPN interfaces filtered by Shorewall, and the fact that they are not there at boot time has never been an issue. Can you provide some specific hints about your configuration?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] How to make internal NAT
On Tue, Apr 09, 2013 at 03:46:29PM +0200, Javier Martinez wrote:
> Hi every one,
>
> I have installed Openvpn and shorewall, latest versions, and all is working fine. It's great to configure access with shorewall.
>
> I have a question that I don't know how to solve. I have eth8 (192.168.3.77/24) in my fw linux box where I have installed Openvpn and Shorewall, and I want to configure that openvpn clients (10.100.2.x/24) make nat with (192.168.3.77/24) when they go through the 192.168.3.x internal LAN network. What I want is to get the vpn clients to make nat with 192.168.3.x eth8 when they access devices/computers on the 192.168.3.x network. I think perhaps it is a rule, a masq to include ...??? I have tried several but I don't know how to do it. Please, can you tell me how to configure rules, masq, to make internal NAT???

Javier,

Have you read the Shorewall OpenVPN documentation?

http://www.shorewall.net/OPENVPN.html

As to your specific question, you can handle that configuration with either NAT or routing. If you choose NAT, then masq is the right place. However, depending on what services on the LAN you want to make available to the VPN clients, routing may be a better option.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Port 80
On Thu, Mar 28, 2013 at 03:20:29AM -0400, Donald S. Doyle wrote:
> Hello,
>
> I currently have port 80 ACCEPT from net to $FW. I am trying to also access other servers through $FW. I know part of this is virtual servers, proxypass, etc., but I also think I do not have the port setup correctly. The net interface is a public IP and the lan interface is private. I poked around the FAQs, but could not find anything that addressed my issue (at least I could not find it).

Hi Donald,

Is the webserver running on the firewall box? If not, then you will need a rule like:

ACCEPT/HTTP    net    dmz:1.2.3.4

(or loc instead of dmz depending on how you have named the zones and where the webserver is located)

If that is not it, please provide the output of 'shorewall dump' so that we can have a look and provide more precise assistance.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Port 80
On Thu, Mar 28, 2013 at 11:04:33AM -0400, Donald S. Doyle wrote:
> Hello,
>
> Actually, I have two web servers and I want to have http/port 80 access to the router that Shorewall is on and the 2 web servers. I do not have a dmz, just eth0(wan), $fw eth1(lan). Having said that, should I ACCEPT wan to ANY?

That would be a bad idea. Assuming your two webservers on the LAN have public IP addresses, I would do this:

ACCEPT/HTTP wan lan:1.2.3.4,1.2.3.5

That will allow port 80 traffic entering from the WAN to only go to the two webserver hosts. If you accept traffic to 'any' that allows port 80 traffic to enter and go to any host on your network (if you have an UPS or a router running a web interface for administration, that could be a bad thing).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
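The point made in the reply above, a host list in DEST versus accepting to the whole zone, modelled in a few lines of Python. This is an added example and not Shorewall code or part of the thread: it is a deliberately simplified model of rule matching (first matching rule wins, otherwise the zone policy applies) and does not reproduce Shorewall's real semantics. The zone names, the two web-server addresses, the UPS address 1.2.3.9 and the small macro table are constructed sample data.

```python
"""Toy model of how a Shorewall rules entry scopes traffic.

Added example for this thread; it is not Shorewall code and does not
reproduce Shorewall's real semantics.  It models only the point in the
reply: a DEST of 'lan:1.2.3.4,1.2.3.5' admits tcp/80 to two hosts,
whereas 'any' admits it to every host behind the firewall.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Minimal macro table (assumed for this model): macro -> (proto, dport).
MACROS = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    dst_hosts: Optional[frozenset]  # None means "every host in the zone"
    proto: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse 'ACTION/MACRO SOURCE DEST', the shape used in the reply."""
    action_macro, src, dst = line.split()
    action, macro = action_macro.split("/")
    proto, dport = MACROS[macro]
    hosts = None
    if ":" in dst:
        dst, host_list = dst.split(":", 1)
        hosts = frozenset(ipaddress.ip_address(h) for h in host_list.split(","))
    return Rule(action, src, dst, hosts, proto, dport)


def decide(rules, src_zone, dst_zone, dst_ip, proto, dport, policy="DROP"):
    """First matching rule wins; otherwise the (constructed) zone policy applies."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone, r.proto, r.dport) != (src_zone, proto, dport):
            continue
        if r.dst_zone not in (dst_zone, "any", "all"):
            continue
        if r.dst_hosts is not None and dst_ip not in r.dst_hosts:
            continue
        return r.action
    return policy


# Constructed LAN: two public-facing web servers plus a UPS with a web UI.
WEB_SERVERS = ["1.2.3.4", "1.2.3.5"]
UPS_WEB_UI = "1.2.3.9"

NARROW = [parse_rule("ACCEPT/HTTP wan lan:1.2.3.4,1.2.3.5")]  # the reply's rule
BROAD = [parse_rule("ACCEPT/HTTP wan any")]                    # "ACCEPT wan to ANY"


def exposure(rules):
    """Which of the sample hosts the WAN can reach on tcp/80 under `rules`."""
    return sorted(
        host for host in WEB_SERVERS + [UPS_WEB_UI]
        if decide(rules, "wan", "lan", host, "tcp", 80) == "ACCEPT"
    )


if __name__ == "__main__":
    print("host list:", exposure(NARROW))
    print("any      :", exposure(BROAD))
```

Run stand-alone it lists the hosts reachable on port 80 under each rule set; the broad rule is the only one that exposes the UPS management interface.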
Re: [Shorewall-users] Sharewall won't start
On Sun, Mar 24, 2013 at 12:02:59AM -0700, Ryan Joiner wrote:
> Hey guys,
>
> I just installed Shorewall shorewall-4.5.14.0-1.el6.noarch from RPM on CentOS 6. When I start shorewall, I get this message:
>
> Starting shorewall: Can't locate Digest/SHA.pm in @INC (@INC contains: SNIP
>
> I did do some searching and verified I do have perl-Digest-SHA1 installed. Any thoughts?

The file you need (as the error message indicates) is Digest/SHA.pm. The perl-Digest-SHA1 package contains Digest/SHA1.pm.

On Debian, Digest/SHA.pm ships as part of the base Perl package. I am not sure about CentOS, but it appears to not be included in the base Perl package.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall not starting correctly
Hi Donald,

Have you set startup=1 in /etc/default/shorewall (or /etc/default/shorewall6, as applicable)?

Regards,

-Roberto

On Sun, Mar 24, 2013 at 05:28:25PM -0400, Donald S. Doyle wrote:
> Hello,
>
> Let’s try this again. Compressed version of the trace file.
>
> Have a great day,
>
> Donald S. Doyle
> President
> G.E.M. Computer Consulting, LLC
> 317.250.4448
> www.gemcc.com
>
> CONFIDENTIALITY NOTICE
> The materials enclosed with this electronic transmission are private and confidential and are the properties of the sender. The information contained in the material is privileged and is intended only for the use of the individual(s) or entity (ies) named above. If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution, or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify us by telephone.
>
> From: Donald S. Doyle [mailto:dsdo...@gemcc.com]
> Sent: Sunday, March 24, 2013 5:19 PM
> To: 'shorewall-users@lists.sourceforge.net'
> Subject: Shorewall not starting correctly
>
> Hello,
>
> On Ubuntu 12.10, accessing through Webmin, I am running v4.5.5.3. I can manually start Shorewall by clicking the Start Firewall button, but it does not start automatically. In the shorewall.conf file, I have startup_enabled set to YES. If I go to Bootup and Shutdown within Webmin, Shorewall is listed as Start at boot as yes, but Running now is saying No, even though I just manually started it and I know it is running.
>
> Also, using MON service monitor, it says “not running as GID uucp, are you using the setgid wrapper?”
>
> Any ideas? Thanks in advance.
>
> Have a great day,
>
> Donald S. Doyle
> President
> G.E.M. Computer Consulting, LLC
> 317.250.4448
> www.gemcc.com

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Splitting ports
On Tue, Mar 19, 2013 at 02:27:32PM -0400, Donald S. Doyle wrote:
> Is it possible to split a port direction so it goes to one server or another? For example, I want abc.com to be routed to server X and def.com to go to server Y.
>
> Is it also possible to have e-mail addresses going to one server or another in the same concept so j...@abc.com will go to server E and j...@abc.com goes to server F?
>
> If any of this is possible, what is the name of the technology/technique?

The websites can be accomplished with a front-end webserver that proxies the requests to the real servers. With Apache, you can do this with the ProxyPass and ProxyPassReverse directives.

The email can be accomplished depending on your mail server. I believe that Cyrus and Courier support what you want. I am sure that there are others as well.

In both cases, however, you want to take some action based on some application-level notion of the content. Shorewall has no notion of this, and consequently cannot help you.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Shorewall rules and valid ip specifications
On Thu, Jan 10, 2013 at 07:22:53AM -0500, James wrote:
> I would expect that if I entered: 192.168.123.3/24 (technically not a whole network, but actually a single host in a /24 sized network), that only 192.168.123.3 would follow this rule.
>
> It turns out this actually will apply the rule to the 192.168.123.0/24 network. (Although I didn't exhaustively test this.) The way to specify what you want is 192.168.123.3/32.
>
> Can this bug be corrected? The advantage is that other scripts and what-nots that use a single ip/cidr variable to refer to one host can be dropped in without worrying that we'll open up the whole network. If ip is a network start, then we know it means the whole thing.

It is not a bug. The purpose of the bit mask is to specify which bits form a valid part of the network address versus the host address. Having 192.168.123.3/24 refer to the single host 192.168.123.3 rather than the network 192.168.123 violates the principle of least surprise.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
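The mask semantics the reply describes, shown with the Python standard library, plus the guard the original poster was after. This is an added example and not Shorewall code: `ipaddress` applies the same interpretation (the prefix length says which bits are network bits, so 192.168.123.3/24 denotes the whole 192.168.123.0/24 network and only /32 denotes the single host), and the helper `host_only` is a constructed check for scripts that keep one host in an "ip/cidr" variable. It generalizes beyond the thread by handling IPv6 prefixes the same way.

```python
"""What a CIDR prefix means, and a guard against the surprise in this thread.

Added example, not Shorewall code.  The stdlib ipaddress module masks off
host bits exactly as the reply describes; host_only() is a constructed
guard for scripts that pass a single host as "ip/cidr" and must never
silently widen a firewall rule to a whole network.
"""
import ipaddress


def covered_network(spec: str):
    """The network a 'host/prefix' spec actually denotes (host bits masked off)."""
    return ipaddress.ip_network(spec, strict=False)


def has_host_bits(spec: str) -> bool:
    """True when the spec sets bits outside its own mask, e.g. 192.168.123.3/24."""
    iface = ipaddress.ip_interface(spec)
    return iface.ip != iface.network.network_address


def host_only(spec: str) -> str:
    """Rewrite a spec that is meant to name ONE host to its full-length prefix.

    A bare address or an address with host bits set is taken as a host and
    returned as /32 (IPv4) or /128 (IPv6).  A spec whose host bits are all
    zero and whose prefix is shorter than the address length names a whole
    network, so a ValueError is raised instead of quietly opening it up.
    """
    iface = ipaddress.ip_interface(spec)
    if iface.network.num_addresses == 1 or has_host_bits(spec):
        return f"{iface.ip}/{iface.max_prefixlen}"
    raise ValueError(
        f"{spec} names a network of {iface.network.num_addresses} addresses, not a host"
    )


if __name__ == "__main__":
    for spec in ("192.168.123.3/24", "192.168.123.3/32", "192.168.123.3"):
        print(f"{spec:18} covers {covered_network(spec)}  host-only form: {host_only(spec)}")
```

The first line of the stand-alone run shows the point of the reply: `192.168.123.3/24` covers all 256 addresses of `192.168.123.0/24`, while `host_only` rewrites it to `192.168.123.3/32` and refuses a genuine network such as `192.168.123.0/24`.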
Re: [Shorewall-users] How could I open Port 1701 for VPN l2tp/ipsec
On Sun, Dec 30, 2012 at 12:40:52AM +0100, tony.blue.mailingl...@gmx.de wrote:
> Hello Mailinglist,
>
> please excuse my bad english - but I am not a native speaker.
>
> My Network looks like this:
>
> Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)
>
> Now I try to connect my iphone (from mobile Internet G3) over VPN (l2tp/ipsec) with the firewall. But I can't open the necessary Port 1701.

What do you have in your /etc/shorewall/tunnels file?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Trouble with Apache2 ProxyPass
On Sun, Oct 14, 2012 at 01:18:54PM -0400, Casey Bralla wrote:
> Ext IP - Shorewall - Apache2 at 192.168.2.150 - PROXYPASS - Apache2 at 192.168.1.22
>
> Currently, when I try this, I get a 503 Service Temporarily Unavailable error. The server at 192.1.168.22 works just fine when I access it from within the local subnet. Additionally, there are no weird errors in any of the apache logs. I am sure this is a firewall problem.

This sounds more like an Apache configuration problem. To confirm whether or not it is a Shorewall problem, you can run 'shorewall clear' (followed by a 'shorewall start' once you have tested the connectivity). If after clearing Shorewall, the problem persists, then you have an Apache configuration issue.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] Absent-minded admin + multi isp
On Thu, May 24, 2012 at 11:24:32AM +0200, Artur Uszyński wrote:
> Hello.
>
> In a situation like this:
> - a firewall has two or more internet connections,
> - a firewall runs shorewall 4.5.1 (multiple isps configured)
> - one connection is broken,
> - default route in the main routing table leads through the failed connection,
> - a firewall is 2 km away from admin ;),
>
> and after taking the following actions:
> - logging in to the firewall through working connection,
> - changing shorewall configuration and making a stupid error in it
> - doing shorewall stop; shorewall start :s,
>
> you must take nearest flight from Europe to Australia to bring the firewall back to life ;) (because returning traffic goes through default, non-working link)
>
> Can shorewall handle such cases in a way, which would prevent similar accidents? Did I miss any option?
>
> If the above scenario was never considered - may I ask to add a possibility to retain appropriate route rules and routing tables after shorewall is stopped? (extended routestopped functionality?)

Did you mean to execute 'shorewall safe-restart' instead?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Shorewall-users] After the update will not open https
William,

Having an external port scanner tell you that your port 80 is open should have nothing to do with you not being able to connect to an IP outside your network on port 443.

Please provide the output of 'shorewall dump' in order for us to help identify the problem.

Regards,

-Roberto

On Sat, Mar 10, 2012 at 07:39:48AM -0600, I.S.C. William wrote:
> For example, try entering this site: https://www.cardiologia.org.mx/ and brand connection error only. and I can deduce that if the firewall since it off and if you enter the site.
>
> I did a test on the site: http://www.whatsmyip.org/port-scanner/server/ and I mark that the port is closed least 80, and with the firewall up.
>
> 2012/3/9 Roberto C. Sánchez robe...@connexer.com
> > William,
> >
> > Can you provide more details as to how you are trying to access the https pages? For example, can you give an example of a URL that you are trying to access and whatever error or unexpected behavior you observe?
> >
> > Also, if you provide the output of 'shorewall dump' we could help with troubleshooting your issue.
> >
> > Regards,
> >
> > -Roberto
> >
> > On Fri, Mar 09, 2012 at 05:35:19PM -0600, I.S.C. William wrote:
> > > I have only access checking on port 80, no other port is open, this will check with pages that scan public IP.
> > >
> > > All this happened since I upgrade to this version, with version 3.4.8 had no problem. any ideas?
> > >
> > > 2012/3/9 I.S.C. William william.koalas...@gmail.com
> > > > My shorewall 3.4.8 update to 4.4.25.3 using rpm, there were no errors in the update, but I have a detail in the rules, my server is a proxy firewall (squid / Shorewall) if I can navigate through the pages I can even filter it well, my details are HTTPS pages, I can not open any, which with the previous version if you could.
> > > >
> > > > I have the following:
> > > >
> > > > shorewall/interfaces
> > > > net eth1 detect nosmurfs,blacklist
> > > > loc eth0 detect routefilter,blacklist,tcpflags,nosmurfs,logmartians
> > > >
> > > > shorewall/zone
> > > > fw firewall
> > > > net ipv4
> > > > loc ipv4
> > > >
> > > > shorewall/policy
> > > > fw all ACCEPT
> > > > net all DROP
> > > > loc net ACCEPT
> > > > loc fw REJECT info
> > > > loc all REJECT info
> > > >
> > > > shorewall/rules
> > > > REDIRECT loc 8080 tcp 80,81,82,3128,8000,8080
> > > > ACCEPT loc net tcp 443
> > > > ACCEPT net loc tcp 443
> > > >
> > > > I can answer simple rules well I filter the internet, the only detail is that I will not have the pages https (port 443) are well my rules?
> > > >
> > > > Greetings!!
> > > >
> > > > --
> > > > I.S.C. William López Jiménez
> > > > User Linux # 379636
> > > > MSN wljkoal...@hotmail.com
> > > > Jabber koalas...@jabber.org
> > > > Web: www.koalasoftmx.tk
> > > > Twitter: @koalasoft
> > > > Facebook: william.koalasoft

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com