> Doug Sampson wrote:
> > Hi all,
> >
> > I'm seeing these messages in my logs:
> >
> > <..snip..>
> > Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
> > SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00
> > TTL=255 ID=41848 CE
> > PROTO=UDP SPT=5353 DPT=53 LEN=69
>
>
Hi
Doug Sampson wrote:
> Hi all,
>
> I'm seeing these messages in my logs:
>
> <..snip..>
> Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
> SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE
> PROTO=UDP SPT=5353 DPT=53 LEN=69
This is vpn to fw tr
Hi all,
I'm seeing these messages in my logs:
<..snip..>
Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OU
Charles Steinkuehler wrote:
If anyone has implemented anything remotely similar to this, I'd
appreciate any pointers.
Several people have reported success. I've tried to capture their
experience in Shorewall FAQ #32.
Since I doubt this is a common setup :), I'll throw out a few key
questions s
Anyone out there played much with advanced routing with Bering + Shorewall?
I'm looking at adding an additional internet connection (consumer-class
cable-modem service) to get enough bandwidth to create a full mirror of
Debian (and keep it in sync) so I can sell CD/DVD images.
Anyway, I've alrea
--On Monday, March 03, 2003 07:56:09 PM -0800 Jabez McClelland
<[EMAIL PROTECTED]> wrote:
Mar 3 17:57:31 firewall kernel:
Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.1.254 DST=192.168.1.201 LEN=62 TOS=0x00
PREC=0x00 TTL=64 ID=53426 DF PROTO=UDP SPT=53 DPT=1603
LEN=42 (repeated 4x, followe
At 07:56 PM 3/3/2003 -0800, Jabez McClelland wrote:
Dear all,
I wonder if anyone can help explain why I get the
following log entries:
Mar 3 17:57:31 firewall kernel:
Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.1.254 DST=192.168.1.201 LEN=62 TOS=0x00
PREC=0x00 TTL=64 ID=53426 DF PROTO=UDP SP
Dear all,
I wonder if anyone can help explain why I get the
following log entries:
Mar 3 17:57:31 firewall kernel:
Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.1.254 DST=192.168.1.201 LEN=62 TOS=0x00
PREC=0x00 TTL=64 ID=53426 DF PROTO=UDP SPT=53 DPT=1603
LEN=42 (repeated 4x, followed by the
Thomas V. Fischer wrote:
Hello all,
I have managed to set a virtual/alias interface in the Bering distrib but
shorewall complains and tells me that I have an illegal character in the
interface and says no aliases.
Is there a way around this...
Please see the Shorewall FAQ (http://www.shorewall
Hello all,
I have managed to set a virtual/alias interface in the Bering distrib but
shorewall complains and tells me that I have an illegal character in the
interface and says no aliases.
Is there a way around this...
Cheers
---
Thomas Fischer, MCSE mailto:[EMAIL PROTECTED]
mailto
On Wednesday 12 February 2003 10:44 pm, Tom Eastep wrote:
> Here is the connection tracking table:
>
> udp 17 177 src=192.168.1.1 dst=12.77.140.250 sport=1347 dport=1193
> src=12.77.140.250 dst=12.243.227.207 sport=1193 dport=1347 [ASSURED] use=1
> udp 17 179 src=192.168.1.1 dst=12.77.14
Sean wrote:
Son of a ...
It worked first try. 2 changes from last time. I went from Shorewall
1.3.12a to 1.3.4. I connected to a MSN user, not an AOL user. Don't
know if either made a difference. I'll send you the shorewall status
file anyway. I didn't bother with the Dachstein ('cause
Ray Olszewski wrote:
At 02:45 PM 2/12/03 -0800, Tom Eastep wrote:
For a first shot on Bering, I think that the procedure that I outlined
before is still appropriate.
I agree, with one possible addition (I'm not sure quite how much
"shorewall status > /tmp/status" reports). I'd like to see
At 02:45 PM 2/12/03 -0800, Tom Eastep wrote:
Sean wrote:
So, after much discussion, is there anything specific you would like me
to do Shorewall before I gather statistics? I can shut off all my other
machines and turn on/off everything/nothing, log everything...whatever.
Just let me know what.
Sean wrote:
So, after much discussion, is there anything specific you would like me
to do Shorewall before I gather statistics? I can shut off all my other
machines and turn on/off everything/nothing, log everything...whatever.
Just let me know what. How about Dachstein?
I'll be making my atte
3:46 PM
To: Ray Olszewski
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering/Shorewall vs. Dachstein
Tom Eastep wrote:
>
> Ah -- yes, now I see what you are getting at. Yet, it's apparently not
> working
>
I'm trying to keep up with this thread while at the sa
Tom Eastep wrote:
Ah -- yes, now I see what you are getting at. Yet, it's apparently not
working
I'm trying to keep up with this thread while at the same time following
a distributed training exercise on another monitor. During the lunch
break, I got a chance to look at what Ray wrote
Ray Olszewski wrote:
At 11:34 AM 2/12/03 -0800, Tom Eastep wrote:
8. (Tricky part.) Peer B now switches to sending UDP packets out the
*same* UDP socket to the NAT'd port at Peer A.
9. (Tricky part, part 2.) Peer A now switches to sending UDP packets
out the *same* UDP socket to the NAT'd port
Tom wrote:
> I just read their Magic Bullet paper and I think that it works with
> Dachstein because on Dachstein (as with Seawall), the "Masquerade Port
> Range" is left open by the firewall. This allows incoming SYN packets
> to sail right through the firewall AND will even route it to the corre
At 11:34 AM 2/12/03 -0800, Tom Eastep wrote:
8. (Tricky part.) Peer B now switches to sending UDP packets out the
*same* UDP socket to the NAT'd port at Peer A.
9. (Tricky part, part 2.) Peer A now switches to sending UDP packets out
the *same* UDP socket to the NAT'd port at Peer B.
[...]
The k
8. (Tricky part.) Peer B now switches to sending UDP packets out the
*same* UDP socket to the NAT'd port at Peer A.
9. (Tricky part, part 2.) Peer A now switches to sending UDP packets out
the *same* UDP socket to the NAT'd port at Peer B.
Those "tricky" parts are standard when using UDP.
N
Let me first apologize to everyone here except (I hope) Lynn and Tom. This
is a somewhat tedious thread for leaf-user (it might be better suited to
leaf-devel). But I think it is important to sort out why the EyeBall
service works with Dachstein (ipchains) but not Bering/Shorewall
(iptables), s
On Wednesday 12 February 2003 11:05 am, Ray Olszewski wrote:
> Yeah, this was my reasoning too (though my thinking about TCP is a bit more
> involved). And in reading between the lines a bit, I pretty much inferred
> that EyeBall uses UDP for the p2p part, and TCP only for the connection to
> the
> Tom -- Can you expand on this just a little bit more? (Or Lynn, can
you?)
> This conclusion is kind of where I got to last night, but only for
TCP.
> What is the equivalent of "SYN packet" detection for UDP? Or, to put
it
> another way, how does iptables (or Shorewall) determine the state
> assoc
Ray Olszewski wrote:
But it still leaves unanswered one question that I really would
appreciate your (or somebody's -- Lynn?) help with:
iptables lets me specify state rules for ACCEPTing all packet types, not
just TCP. For UDP, what test does ipchains apply to a packet to classify
it as NEW
At 08:41 AM 2/12/03 -0800, Tom Eastep wrote:
Ray Olszewski wrote:
At 07:13 AM 2/12/03 -0800, Tom Eastep wrote:
Sean E. Covel wrote:
BTW,
I did send Eyeball Chat a help request
[...]
I just read their Magic Bullet paper and I think that it works with
Dachstein because on Dachstein (as with
Ray Olszewski wrote:
At 07:13 AM 2/12/03 -0800, Tom Eastep wrote:
Sean E. Covel wrote:
BTW,
I did send Eyeball Chat a help request
[...]
I just read their Magic Bullet paper and I think that it works with
Dachstein because on Dachstein (as with Seawall), the "Masquerade Port
Range" is l
At 07:13 AM 2/12/03 -0800, Tom Eastep wrote:
Sean E. Covel wrote:
BTW,
I did send Eyeball Chat a help request
[...]
I just read their Magic Bullet paper and I think that it works with
Dachstein because on Dachstein (as with Seawall), the "Masquerade Port
Range" is left open by the firewall. T
Sean,
Sean E. Covel wrote:
Tom,
I'm a complete iptables noob, and you are obviously an expert at this
point. Eyeball Chat does claim that it works with iptables. Is the
connection tracking table a recent addition? Can you think of what
might have to be done for it to work with iptables?
C
Tom,
I'm a complete iptables noob, and you are obviously an expert at this
point. Eyeball Chat does claim that it works with iptables. Is the
connection tracking table a recent addition? Can you think of what
might have to be done for it to work with iptables?
If they ever get back to me ab
Sean E. Covel wrote:
BTW,
I did send Eyeball Chat a help request, but since it is free software,
I'm not holding my breath.
I'm willing to pursue this just to see if this magic silver bullet they
have going actually works. Strange that they have instructions on how
to blow holes in your firewal
BTW,
I did send Eyeball Chat a help request, but since it is free software,
I'm not holding my breath.
I'm willing to pursue this just to see if this magic silver bullet they
have going actually works. Strange that they have instructions on how
to blow holes in your firewall (static patch) if th
Sean E. Covel wrote:
I'd be more than willing to help debug this. I have both the Dachstein
and Bering firewalls setup, I just switch the cables and I'm set to go.
If you want specifics of the setups, tell me what you need and I'll send
it to you.
Under Bering:
a) "shorewall reset"
b) Try to c
I'd be more than willing to help debug this. I have both the Dachstein
and Bering firewalls setup, I just switch the cables and I'm set to go.
If you want specifics of the setups, tell me what you need and I'll send
it to you.
Eyeball Chat says it does NOT use H323 (is that the correct number?)
At 07:14 PM 2/11/03 -0800, Tom Eastep wrote:
Lynn Avants wrote:
That used to be somewhat true until stateful firewalls started being used.
Before that there would have been so many problems with net-based
applications
while filtering high-ports that most firewalls never gave much thought
to bl
At 08:53 PM 2/11/03 -0500, Sean wrote:
Thanks for your responses.
After spending more time on their website, I discovered their
"Any-Firewall-Whitepaper" where it states that I actually don't have a
problem since their technology works transparent to firewalls and
NAT.
Lynn, you are correct. T
Lynn Avants wrote:
That used to be somewhat true until stateful firewalls started being used.
Before that there would have been so many problems with net-based applications
while filtering high-ports that most firewalls never gave much thought
to blocking this traffic under SOHO use.
There is
On Tuesday 11 February 2003 07:53 pm, Sean wrote:
> Thanks for your responses.
>
> After spending more time on their website, I discovered their
> "Any-Firewall-Whitepaper" where it states that I actually don't have a
> problem since their technology works transparent to firewalls and
> NAT.
That
Thanks for your responses.
After spending more time on their website, I discovered their
"Any-Firewall-Whitepaper" where it states that I actually don't have a
problem since their technology works transparent to firewalls and
NAT.
Lynn, you are correct. There are some high UDP ports, but accord
, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering/Shorewall vs. Dachstein
On Sunday 09 February 2003 08:58 pm, Sean wrote:
> I have been using Dachstein for a few years. I recently decided to
give
> Bering a try. I use an app, EyeBall chat, to video chat to relatives.
>
On Sunday 09 February 2003 08:58 pm, Sean wrote:
> I have been using Dachstein for a few years. I recently decided to give
> Bering a try. I use an app, EyeBall chat, to video chat to relatives.
> It worked just fine under Dachstein. It is NOT working under Bering.
> It appears the app uses a nu
I have been using Dachstein for a few years. I recently decided to give
Bering a try. I use an app, EyeBall chat, to video chat to relatives.
It worked just fine under Dachstein. It is NOT working under Bering.
It appears the app uses a number of dynamic UDP and TCP connections for
the audio/vid
--On Monday, December 16, 2002 01:24:49 -0500 Brad Fritz
<[EMAIL PROTECTED]> wrote:
It is probably worth mentioning that, by default, shorewall
silently rejects SMB and NMB traffic:
$ grep -e 135 -e 137 -e 445 /etc/shorewall/common.def
run_iptables -A common -p udp --dport 137:139 -j R
On Sun, 15 Dec 2002 10:48:31 CST Lynn Avants wrote:
> > When looking at your Shorewall logs, how do you decide if you are
> > just being scanned or if someone(s) is trying to make an effort to
> > get access to your box?
>
> Match the destination port to a list like /etc/services and see if
> the
> When looking at your Shorewall logs, how do you decide if you are just
> being scanned or if someone(s) is trying to make an effort to get access
> to your box?
Match the destination port to a list like /etc/services and see if there are
repeated attempts to services such as ssh/telnet/smbd/nmb
I am going to ask what may seem like a silly question, but being an
inquisitive newbie , I am going to ask it anyway...
When looking at your Shorewall logs, how do you decide if you are just
being scanned or if someone(s) is trying to make an effort to get access
to your box?
I am seeing increasin
Hi all,
Just wondering if anyone could let me know if Ipv6 addresses can be used in
Bering rc4.
I would think Bering should support them alright but am unsure about
Shorewall.
Thanks
Paul
---
On Wed, 21 Aug 2002 16:29:01 +0200 Blaise Lab wrote:
> Hello,
>
> I use the ip addresses 192.168.100.x on my LAN. My firewall is bering
> 1.0.rc3.
[snip]
> So how can I configure the firewall as he only accepts traffic from LAN to
> Internet only for internal ip addresses 192.168.100.1 to 192
On Wednesday 21 August 2002 09:29, Blaise Lab wrote:
> Hello,
>
> I use the ip addresses 192.168.100.x on my LAN. My firewall is bering
> 1.0.rc3.
> My workstations access to Internet through MS Proxy which has as
> gateway the internal ip address of my firewall...
>
> If a user deactivates the p
Hello,
I use the ip addresses 192.168.100.x on my LAN. My firewall is bering
1.0.rc3.
My workstations access to Internet through MS Proxy which has as gateway the
internal ip address of my firewall...
If a user deactivates the proxy on a workstation and puts the internal ip
address of my firewa
On Mon, 22 Jul 2002, David Pitts wrote:
> This is exactly my problem with Bering and Dachstein (but not with
> Eigerstein!).
>
> Is it too lazy of me to ask someone to offer a script line that will
> allow packets from 10.96.4.1 for Shorewall and Dachstein??
>
I'm afraid so. For Bering, this
nn [mailto:[EMAIL PROTECTED]]
Sent: Monday, 22 July 2002 5:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering/Shorewall question
On Sunday 21 July 2002 16:02, Paul M. Wright, Jr. wrote:
> Lynn -
>
> I'm curious as to your reasoning on this. Doesn't the DHCP lease
> r
On Sun, 21 Jul 2002, Paul M. Wright, Jr. wrote:
>
>
> Thanks for the answer! In the interim, I had double-checked my firewall
> logs and my ISP's DHCP server is now on a private IP address - hence my
> lack of problems with the noRFC1918 option. DHCP assignments are now
> coming from a 172.19
-Original Message-
From: Paul M. Wright, Jr. [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 21, 2002 2:49 PM
To: 'Ray Olszewski'
Subject: RE: [leaf-user] Bering/Shorewall question
>>The first DHCP lease request (and delivery) occurs before the firewall
>>rules
At 02:02 PM 7/21/02 -0700, Paul M. Wright, Jr. wrote:
> >>Some ISP's use private ip's on their DHCP and DNS servers, though
> >>this is a bad way to save real ip's, it works for them. This is not
> >>the case in your situation however, you would not have received
> >>a DHCP lease if it was.
>
>Lyn
On Sunday 21 July 2002 16:02, Paul M. Wright, Jr. wrote:
> Lynn -
>
> I'm curious as to your reasoning on this. Doesn't the DHCP lease
> request occur before the firewall rules are started?
>
> My ISP is using an RFC1918 DHCP server and I get and maintain a lease
> even with the default Shorewall
>>Some ISP's use private ip's on their DHCP and DNS servers, though
>>this is a bad way to save real ip's, it works for them. This is not
>>the case in your situation however, you would not have received
>>a DHCP lease if it was.
Lynn -
I'm curious as to your reasoning on this. Doesn't the DHC
On Sunday 21 July 2002 14:30, Kim Oppalfens wrote:
> At 21:13 21/07/2002, Cass Tolken wrote:
>
> Your external address 24.46.y.z doesn't appear to be in the rfc1918
> range. So there is no reason to take the norfc1918 out.
> Is your intern dhcp server serving up addresses in this 10 range by
> any
--- Kim Oppalfens <[EMAIL PROTECTED]> wrote:
> At 21:13 21/07/2002, Cass Tolken wrote:
>
> Your external address 24.46.y.z doesn't appear to be in the rfc1918
> range. So there is no reason to take the norfc1918 out. Is your
> intern dhcp server serving up addresses in this 10 range by any
> cha
At 21:13 21/07/2002, Cass Tolken wrote:
Your external address 24.46.y.z doesn't appear to be in the rfc1918 range.
So there is no reason to take the norfc1918 out.
Is your intern dhcp server serving up addresses in this 10 range by any chance?
I don't think so since your internal ip is in the 192
--- Kim Oppalfens <[EMAIL PROTECTED]> wrote:
> At 20:28 21/07/2002, Cass Tolken wrote:
>
> Taking out the norfc on should stop logging these.
> It is in there by default because you are not supposed to have an
> address
> in the 10.x.y.z range
> on an external interface. The norfc means to blo
PROTECTED]] On Behalf Of Cass Tolken
Sent: Sunday, July 21, 2002 11:28 AM
To: Leaf User
Subject: [leaf-user] Bering/Shorewall question
Hi there,
I'm a networking newbie so excuse me if this question or my terminology
seems strange ;). I'm logging a whole LOT of these hits:
[sn
-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 13, 2002 11:18 AM
To: Paul M. Wright, Jr.
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering/Shorewall 1.3.3 - Accessing internal Web
server
On Sat, 13 Jul 2002, Paul M. Wright, Jr. wrote:
> I just upgraded to the new Shorew
On Sat, 13 Jul 2002, Paul M. Wright, Jr. wrote:
> I just upgraded to the new Shorewall package and am now trying to make an
> internal Web server visible to the Internet. Eventually I'll put it in a
> DMZ so this is just for testing.
>
> I added the following to the Shorewall rules:
>
> #
> DN
What says
cat /etc/hosts.deny ?
Jacques
On Saturday 13 July 2002 20:02, Paul M. Wright, Jr. wrote:
> I just upgraded to the new Shorewall package and am now trying to make an
> internal Web server visible to the Internet. Eventually I'll put it in a
> DMZ so this is just for testing.
>
> I
I just upgraded to the new Shorewall package and am now trying to make an
internal Web server visible to the Internet. Eventually I'll put it in a
DMZ so this is just for testing.
I added the following to the Shorewall rules:
#
DNATnet loc:192.168.1.201 tcp 80
#
This doesn't
At 22:08 5/06/2002, Michael D. Schleif wrote:
>Todd Pearsall wrote:
or tc.lrp which can be found in the bering image.
Kim Oppalfens
> >
> > I just gave it a try on my Dachstein 1.02 box (after switching from the
> > small-ipsec to the normal-ipsec kernel file) and I get errors because
> > the
Todd Pearsall wrote:
>
> I just gave it a try on my Dachstein 1.02 box (after switching from the
> small-ipsec to the normal-ipsec kernel file) and I get errors because
> the tc command is not there. Anyone know where I can get it from?
bwidth22.lrp
--
Best Regards,
mds
mds resource
888.25
to:[EMAIL PROTECTED]] On Behalf Of
> Sandro Minola
> Sent: Wednesday, June 05, 2002 11:45 AM
> To: Omar D. Samuels; [EMAIL PROTECTED]; Kim Oppalfens
> Subject: RE: [leaf-user] bering (shorewall) traffic shaping
>
>
> Kim:
> Yes it is possible to use more than one classifier.
"Kim Oppalfens"
<[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 10:45 AM
Subject: RE: [leaf-user] bering (shorewall) traffic shaping
> Kim:
> Yes it is possible to use more than one classifier. Absolutely no problem.
> If you are interested in examples of how to filter ACK and
Kim:
Yes it is possible to use more than one classifier. Absolutely no problem.
If you are interested in examples of how to filter ACK and other special TCP
packets with u32, please have a look at the script contained in the .lrp
package mentioned below.
Omar:
> Is it possible to accomplish traffic
I suspect you can, but you are most likely to get knowledgeable help on
the LARTC list: http://mailman.ds9a.nl/mailman/listinfo/lartc
-Richard
On Tue, 2002-06-04 at 11:13, Kim Oppalfens wrote:
> Hi all,
>
> I am trying to do some traffic shaping and it appears to be working.
> Just have one que
On Tue, 4 Jun 2002, Kim Oppalfens wrote:
> Hi all,
>
> I am trying to do some traffic shaping and it appears to be working.
> Just have one question though, would it be possible to mix fwmark filter
> with the u32 ones?
>
> u32 seems easier for complex rules like filtering on ack/syn/ size of
Is it possible to accomplish traffic shaping with Dachstein?
- Original Message -
From: "Kim Oppalfens" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 04, 2002 1:13 PM
Subject: [leaf-user] bering (shorewall) traffic shaping
> Hi all,
>
>
Hi all,
I am trying to do some traffic shaping and it appears to be working.
Just have one question though, would it be possible to mix fwmark filter
with the u32 ones?
u32 seems easier for complex rules like filtering on ack/syn/ size of data
packet and so on.
Thanks in advance
Kim
On Sun, 19 May 2002, Shawn wrote:
> If any of these questions would be more appropriate on the Shorewall mailing
> list, please let me know...
>
> I have a small client (about 25 users) currently running SyGate. I will be
> replacing it with Bering in the next week or so and have a couple questi
If any of these questions would be more appropriate on the Shorewall mailing
list, please let me know...
I have a small client (about 25 users) currently running SyGate. I will be
replacing it with Bering in the next week or so and have a couple questions:
1) The client currently uses their ISP
On Sunday 24 February 2002 22:28, HENRY PSENICKA wrote:
> I have been experimenting with Bering as a wireless gateway platform,
> and have finally had some success getting the wireless interfaces to
> work. (Thanks Jacques for building a 2.4.16 variant of LEAF!)
Cool, let us know how this works
This seems like such a basic question I am almost embarrassed to ask but
I have reached the point of frustration.
I have been experimenting with Bering as a wireless gateway platform, and
have finally had some success getting the wireless interfaces to work.
(Thanks Jacques for building a 2.4.