Hi,
Following the instructions here:
http://www.shorewall.net/Shorewall-Lite.html
Trying to get shorewall-lite working in Linino Linux (nee OpenWRT) on an
Arduino Yun.
I have the Shorewall config files set up in the export dir and am trying
to load now. (BTW 'load' is deprecated, maybe update
On 3/20/19 8:27 AM, Tom Eastep wrote:
> On 3/18/19 3:28 AM, C. Cook wrote:
>> Can anyone recommend a solution? Tracing this out I find that Shorewall
>> is not actually port-forwarding my WireGuard-in port.
>>
>> # tcpdump -i eth0 port wgin
>> tcpdump: verbose out
h channels' .conf files. The
number must be the same for both channels. I have no idea what this does.
On 3/19/19 12:09 PM, Erich Titl wrote:
> Hi
>
> Am 18.03.2019 um 06:28 schrieb C. Cook:
>> Can anyone recommend a solution? Tracing this out I find that Shorewall
>>
router and no change. I
have never seen it before where port-forwarding does not work.
I'd rather not post my shorewall dump here for the permanent record.
Alternatively can someone recommend another firewall?
On 3/17/19 1:02 PM, C. Cook wrote:
> On 3/17/19 11:05 AM, C. Cook wrote:
On 3/17/19 11:05 AM, C. Cook wrote:
>
> I've studied the docs and am thoroughly confused about whether to use
> arprules, mangle, policy, providers, proxyarp, routes, rtrules, snat,
> or tunnels, or some combination. I sure hope someone can advise.
>
> I have a Wire
I've studied the docs and am thoroughly confused about whether to use
arprules, mangle, policy, providers, proxyarp, routes, rtrules, snat, or
tunnels, or some combination. I sure hope someone can advise.
I have a Wireguard server with three interfaces:
- inWG - remote devices (phones, laptops) come i
On 2/20/19 3:40 PM, Simon Hobson wrote:
> Erich Titl wrote:
>
>> But back to shorewall, do you see any way
>> your work could be carried on?
> One of the issues is that iptables is being deprecated. AIUI, it's already to
> the stage where nft must be installed and ipt cmd line tools are being
>
NNNOOO!!!
On 2/17/19 8:27 PM, Tom Eastep wrote:
> Shorewall Community ...
>
> I am now in my mid 70s and have spent almost 50 years in tech-related
> industries. More than three years ago, I retired from my position at
> Hewlett Packard Enterprise, and while I have continued to develop and
>
On 1/29/19 3:58 PM, Tom Eastep wrote:
> On 1/29/19 9:22 AM, C. Cook wrote:
>> Something is wrong with packet routing in WireGuard. My outgoing
>> channel to AzireVPN works fine (the whole LAN is routed through it) but
>> the incoming channel can never complete th
Something is wrong with packet routing in WireGuard. My outgoing
channel to AzireVPN works fine (the whole LAN is routed through it) but
the incoming channel can never complete the connexion handshake.
Incoming is a separate channel with separate interface and port. It's
for remote phone, laptop
On 1/25/19 3:48 AM, Kevin Olbrich wrote:
> Hi!
>
> I want to say thank you to all involved in the project (development,
> debug, etc.)!
> Especially Tom, who seems to work a lot on Shorewall to make it even
> better with each update.
>
> Many projects that I lead use shorewall, routers as well as s
On 1/20/19 1:15 PM, C. Cook wrote:
>
> Thanks Tom.
>
>
>>> Suddenly I started getting Shorewall DROPs on my LAN members from
>>> various _public_ IPs to ports 80, 443, and so on! This has never
>>> happened in 10+ years of using Shorewall. I r
Thanks Tom.
>> Suddenly I started getting Shorewall DROPs on my LAN members from
>> various _public_ IPs to ports 80, 443, and so on! This has never
>> happened in 10+ years of using Shorewall. I realized that it must be my
>> Frontier Communications fiber ONT that has 10.1.1.1 and it's letting
I've recently changed all my LAN addresses from 192.168.111.0/24 to
10.1.1.0/24, for simplicity and refinement.
One odd thing I found was that I could not assign 10.1.1.1 because it
said some MAC address already had that. So I worked around that.
Suddenly I started getting Shorewall DROPs on my
On 1/13/19 11:24 AM, Tom Eastep wrote:
> On 1/13/19 11:21 AM, C. Cook wrote:
>>> What you are trying to do *will never work*. You are accepting web
>>> connections on the public IP address on the Shorewall router, port
>>> forwarding them to the web server who is
> What you are trying to do *will never work*. You are accepting web
> connections on the public IP address on the Shorewall router, port
> forwarding them to the web server who is trying to reply out of the WG
> server. There are two problems with this idea:
>
> a) The WG server can't reverse the
On 1/12/19 1:24 PM, C. Cook wrote:
>
>
> On 1/12/19 1:10 PM, C. Cook wrote:
>>
>>
>> On 1/12/19 12:45 PM, C. Cook wrote:
>>>
>>>
>>> On 1/12/19 12:37 PM, Roberto C. Sánchez wrote:
>>>> On Sat, Jan 12, 2019 at 12:33:48PM -0800, C.
On 1/12/19 1:10 PM, C. Cook wrote:
>
>
> On 1/12/19 12:45 PM, C. Cook wrote:
>>
>>
>> On 1/12/19 12:37 PM, Roberto C. Sánchez wrote:
>>> On Sat, Jan 12, 2019 at 12:33:48PM -0800, C. Cook wrote:
>>>>... and can't get up!
>>>>
On 1/12/19 12:45 PM, C. Cook wrote:
>
>
> On 1/12/19 12:37 PM, Roberto C. Sánchez wrote:
>> On Sat, Jan 12, 2019 at 12:33:48PM -0800, C. Cook wrote:
>>>... and can't get up!
>>>
>>>[Sat Jan 12
On 1/12/19 12:37 PM, Roberto C. Sánchez wrote:
> On Sat, Jan 12, 2019 at 12:33:48PM -0800, C. Cook wrote:
>>... and can't get up!
>>
>>[Sat Jan 12 11:56:22 2019] FORWARD REJECT IN=eth0 OUT=eth0
>^^
... and can't get up!
[Sat Jan 12 11:56:22 2019] FORWARD REJECT IN=eth0 OUT=eth0
MAC=00:1f:5b:23:51:f2:f6:b5:2f:a2:db:8e:08:00 SRC=5.158.83.30
DST=10.1.1.30 LEN=48 TOS=0x00 PREC=0x00 TTL=42 ID=47070 DF PROTO=TCP
SPT=60896 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B401030307)
[Sat Jan 12
On 1/10/19 8:53 AM, Tom Eastep wrote:
> On 1/9/19 3:08 PM, C. Cook wrote:
>
>> I got it. I was missing a snat MASQUERADE entry on the WG server.
>>
>> WireGuard service for my LAN is now fully functional. The VM running WG
>> server has channels for in from
On 1/9/19 2:57 PM, Tom Eastep wrote:
> On 1/9/19 1:25 PM, C. Cook wrote:
>> I guess I don't understand the concept of SNATting, or whether I in fact
>> need it. Seems like it's the reverse of DNAT, for going -out-.
>>
>> I have a KVM VM which is a WireGuar
I guess I don't understand the concept of SNATting, or whether I in fact
need it. Seems like it's the reverse of DNAT, for going -out-.
I have a KVM VM which is a WireGuard server. It's working fine with the
tunnel VPN going out. But I also want all the other machines in the LAN
to send their u
On 1/8/19 10:24 AM, Tom Eastep wrote:
> On 1/7/19 10:02 AM, C. Cook wrote:
>> I have a WireGuard server running in a KVM virtual machine in my LAN.
>> (CentOS 7.6) It accepts WG connections from the outside (phone, laptop)
>> and this is working fine with port-forwarding, bu
I have a WireGuard server running in a KVM virtual machine in my LAN.
(CentOS 7.6) It accepts WG connections from the outside (phone, laptop)
and this is working fine with port-forwarding, but I also intend it to be
the Azire VPN access to the outside for the LAN.
This question is about the latter
On 1/6/19 11:21 PM, Tuomo Soini wrote:
> On Sun, 6 Jan 2019 15:26:58 -0800
> "C. Cook" wrote:
>
>> LOGFORMAT does not seem to be the right variable, but I can't see in
>> the virtual machine's tiny window what might be.
> LOGFORMAT is the correct varia
On 1/6/19 3:19 PM, Justin Pryzby wrote:
> On Sun, Jan 06, 2019 at 03:17:10PM -0800, C. Cook wrote:
>> I am trying to set up some WireGuard VPN channels, and one of them is
>> called incomingWG.
>>
>> Wireguard starts up just fine with this as an interface, but Shorewall
I am trying to set up some WireGuard VPN channels, and one of them is
called incomingWG.
Wireguard starts up just fine with this as an interface, but Shorewall
is unhappy with this as a zone.
I changed the zone to all lower-case, but same.
Why is it upset with a valid interface?
On 12/31/18 10:32 AM, Tom Eastep wrote:
> On 12/29/18 2:26 PM, C. Cook wrote:
>> On 12/28/18 1:34 PM, Tom Eastep wrote:
>>> On 12/28/18 10:08 AM, C. Cook wrote:
>>>> Idk whether this is a Shorewall question or not.
>>>>
>>>> My LAN has a class
On 12/28/18 1:34 PM, Tom Eastep wrote:
> On 12/28/18 10:08 AM, C. Cook wrote:
>> Idk whether this is a Shorewall question or not.
>>
>> My LAN has a class C of 192.168.1.0. The gateway for all LAN members is
>> 192.168.1.1
>>
>> Now one of the LAN members
Idk whether this is a Shorewall question or not.
My LAN has a class C of 192.168.1.0. The gateway for all LAN members is
192.168.1.1
Now one of the LAN members is a KVM VM at 192.168.1.16, and it is the
Wireguard VPN server. Remote machines come in through the gateway and
are port-forwarded to
On 12/26/18 3:25 PM, Lloyd Zusman wrote:
> I'm running on the ancient CentOS-4.8, and there is no feasible way to
> upgrade this system in the foreseeable future.
>
> I'd like to get Shorewall running on that system, if possible, and I
> wonder if someone could recommend the proper version of Shorew
On 12/23/18 12:29 PM, C. Cook wrote:
> On 12/23/18 11:59 AM, C. Cook wrote:
>> In the router I am trying to DNAT an IP that should be _encapsulated
>> in the tunnel_. It must be that I should DNAT the LAN address of the
>> WG server.
>>
>> *DOH!!*
>>
>
On 12/23/18 11:59 AM, C. Cook wrote:
> In the router I am trying to DNAT an IP that should be _encapsulated
> in the tunnel_. It must be that I should DNAT the LAN address of the
> WG server.
>
> *DOH!!*
>
> Now it is fscking pinging the WG server 10.1.5.16 from the phone!
On 12/23/18 11:12 AM, Justin Pryzby wrote:
> On Sun, Dec 23, 2018 at 10:49:30AM -0800, C. Cook wrote:
>> On 12/23/18 9:04 AM, Tom Eastep wrote:
>>> Clearly, your routing table indicates that the packet should be sent out
>>> of eth0 rather than eth1, and since eth0
On 12/22/18 5:04 PM, Justin Pryzby wrote:
> On Sat, Dec 22, 2018 at 04:17:59PM -0800, C. Cook wrote:
>> I've set up WireGuard on a VM in my LAN. In the LAN's router I am
>> port-forwarding my chosen (UDP) WireGuard port to the WireGuard server
>> in the LAN. (All
On 12/23/18 9:04 AM, Tom Eastep wrote:
> Clearly, your routing table indicates that the packet should be sent out
> of eth0 rather than eth1, and since eth0 doesn't have the 'routeback'
> option, the packet is being dropped in the FORWARD chain (see Shorewall
> FAQ 17).
>
> -Tom
Ok on the router
I've set up WireGuard on a VM in my LAN. In the LAN's router I am
port-forwarding my chosen (UDP) WireGuard port to the WireGuard server
in the LAN. (All CentOS 7.6) I've forwarded the shorewall.dmp from the
WG server to Tom.
For the life of me I can not get the WG phone app communicating with t