[Shorewall-users] TC getting the job done, but doing it wrong

2010-05-18 Thread Christ Schlacta
here, I'll help. my tc is behaving weirdly. my router had to get updated early (debian 5) and now everything is more or less working (a hard drive died) so I updated to the latest shorewall 4.4.9 and my kernel is now 2.6.32-bpo.4-amd64. I haven't built ipp2p yet nor ipset matching, but I have

Re: [Shorewall-users] TC getting the job done, but doing it wrong

2010-05-19 Thread Christ Schlacta
I added :F as you suggested to the two rules, but now it still doesn't work, and all my bt traffic is still getting dumped into 10:11 The configs are still the same as my previous paste with the addition of :F http://pastebin.com/vuevjvmc Christophe wrote: > Le mardi 18 mai 2010 à 2

Re: [Shorewall-users] TC getting the job done, but doing it wrong

2010-05-19 Thread Christ Schlacta
aah, I made a few changes, now it's using classify, and everything seems to be working almost perfectly. I decided to try it, and it seems to have fixed it. On 5/19/2010 15:38, Tom Eastep wrote: > 'shorewall show tc', we can't be of much help.

Re: [Shorewall-users] Can I restrict uploads only?

2010-07-02 Thread Christ Schlacta
torrent machine in the src column, tcp,udp in the proto column, and DROP in the first column. On 7/2/2010 16:18, Grant wrote: >>> My ISP has warned me to stop uploading bittorrent data. I'd still >>> like to download, but miro reports an active upload rate even though >>> I've specified a maximu

Re: [Shorewall-users] Can I restrict uploads only?

2010-07-02 Thread Christ Schlacta
also, a better option is to either force encrypted peer connections only, or better yet to switch ISPs. yours seems exceedingly lacking. On 7/2/2010 16:18, Grant wrote: >>> My ISP has warned me to stop uploading bittorrent data. I'd still >>> like to download, but miro reports an active upload

Re: [Shorewall-users] setup standalone interface shorewall on an untrusted lan

2010-10-09 Thread Christ Schlacta
sounds pretty simple, your policy file should only have "all all drop" and your rules should have something like "ACCEPT src dest tcp 8080". replace src and dest with the appropriate src and dest, or use 0.0.0.0/0 to let anything from or to anywhere on port 8080 pass. anything el

Re: [Shorewall-users] Hardware requirements

2010-10-10 Thread Christ Schlacta
Shorewall doesn't run in memory, it just prepares rules for iptables and loads them in a sane fashion. Therefore, the requirements for shorewall aren't anything more than the sum of the components. as that's the case, there are people running effective linux firewalls on pentium 2 and pentiu

Re: [Shorewall-users] Hardware requirements

2010-10-11 Thread Christ Schlacta
If you pick up an inexpensive dual core CPU at frys/newegg and a couple gigabit cards you'll be in excellent shape. there's little you can't do with that kinda processing power routing wise (there is an upper limit to the number of vpn clients you could accommodate if you decided to add a vpn

[Shorewall-users] temporary "Trust connections" mode?

2010-12-12 Thread Christ Schlacta
is there a way to configure shorewall to allow all traffic on a new device (vlan actually) temporarily, and to treat that device as completely unprotected (but also not add routing rules for it) so I can handle finalizing some config information for that vlan before converting it/adding it to a

[Shorewall-users] weird fail with conversion to bridges?

2010-12-12 Thread Christ Schlacta
I'm converting my network from a "one interface per segment" to a "single connection with vlans", well, some hardware I have requires using different vlan IDs. suffice it to say I need bridges to connect a few different vlans that should all be one but can't be because of firmware constraints.

Re: [Shorewall-users] weird fail with conversion to bridges?

2010-12-12 Thread Christ Schlacta
On 12/12/2010 2:39 PM, Simon Hobson wrote: > Christ Schlacta wrote: >> ... far as I can tell, the bridges are set up right and working, > Does traffic flow if you clear Shorewall (ie do "shorewall clear") ? > If not then you need to fix that before trying to get Shorewall

Re: [Shorewall-users] Linux Bonding

2010-12-15 Thread Christ Schlacta
On 12/15/2010 1:35 AM, Phil Foxton wrote: > /eth0\ > FW -eth1-ISP > \eth2/ > > the other > provides redundancy in case of NIC failure. it also covers path failure, switch failure, etc. basically, *!isp failure where

Re: [Shorewall-users] Creating/Protecting a Subnet

2011-01-20 Thread Christ Schlacta
if ipmi is unfirewalled, any user who can jack into an open port can just use ipmi. that's not good. you should segregate ipmi to a dedicated vlan at the switch if possible. iptables rules are probably not the best way to go about securing this situation. On Thu, Jan 20, 2011 at 8:56 AM, Tom Ea

Re: [Shorewall-users] Creating/Protecting a Subnet

2011-01-20 Thread Christ Schlacta
u 20 January 2011 15:57:22 Christ Schlacta wrote: > > if ipmi is unfirewalled, any user who can jack into an open port can just > > use ipmi. that's not good. you should segregate ipmi to a dedicated > vlan > > at the switch if possible. iptables rules are probably

Re: [Shorewall-users] VPN routing on a 1 NIC router

2011-08-28 Thread Christ Schlacta
I'm not sure about your errors, but I've found in most cases that you simply must fiddle with your VPN software until it works, because it never works right as documented. I must ask, however, why don't you use a two interface router and a custom switch instead of the single interface router?

[Shorewall-users] NFS + Shorewall Universal = Failsauce

2011-09-07 Thread Christ Schlacta
I installed the universal configuration, then followed the guide to enable NFS, but NFS failed miserably whenever shorewall was started or stopped. only cleared allowed NFS traffic to function properly. I'm using ubuntu 11.4, which I believe is using nfs4. sec is set to sec=sys. not sure if

Re: [Shorewall-users] NFS + Shorewall Universal = Failsauce

2011-09-08 Thread Christ Schlacta
Thank you. that tip about specifying ports does seem to have helped. I now have a firewalled system instead of completely open :) On 9/7/2011 15:10, Roberto C. Sánchez wrote: On Wed, Sep 07, 2011 at 01:38:28PM -0700, Christ Schlacta wrote: I installed the universal configuration, then

[Shorewall-users] Shorewall DNAT to IPSET

2011-09-17 Thread Christ Schlacta
I would like to dnat certain protocols (HTTP, HTTPS, SSH) to the contents of an ipset (lan:+serviceshost or similar) where the ipset is ensured to contain only one host, but can be changed dynamically when services are in maintenance mode and go to the "services are down" message on another ser

Re: [Shorewall-users] Shorewall DNAT to IPSET

2011-09-17 Thread Christ Schlacta
Can you recommend an alternate method to accomplish my desired outcome? I want to switch dynamically which host a (set of) dnat rules point to without having to restart shorewall. On 9/17/2011 14:38, Tom Eastep wrote: > On Sep 17, 2011, at 2:02 PM, Christ Schlacta wrote: > >> I w

[Shorewall-users] Feature Request: Shiny new XML format?

2011-09-25 Thread Christ Schlacta
I was reading through the config files, and noticed that many of them would be well suited by being replaced or supplemented with an (optionally optional) shiny new XML format that would allow the user to specify only the needed attributes and not have to fill in -s where not needed. Would pre

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-25 Thread Christ Schlacta
tloc:10.0.0.1tcp80;MARK="88" just an arbitrary example, but it might inspire you :) On 9/25/2011 08:49, Tom Eastep wrote: On Sun, 2011-09-25 at 01:20 -0700, Christ Schlacta wrote: I was reading through the config files, and noticed that many of them would be well suite

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-25 Thread Christ Schlacta
I thought of another benefit to a shiny new XML format All the files could be merged into a single shorewall.xml file with different sections. true ... ... etc... Again, this could optionally be accomplished with any format that can implement nested key-value pairs like json. I'm not f

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-25 Thread Christ Schlacta
On 9/25/2011 16:20, Tom Eastep wrote: > I've implemented the simple extension that you suggested earlier. That will > have to do. Much appreciated :) Thank you very much~

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-26 Thread Christ Schlacta
On 9/25/2011 23:45, Simon Hobson wrote: > Christ Schlacta wrote: >> I thought of another benefit to a shiny new XML format >> >> All the files could be merged into a single shorewall.xml file with >> different sections. >> >> true >>

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-26 Thread Christ Schlacta
On 9/26/2011 07:04, Tom Eastep wrote: On Mon, 2011-09-26 at 00:02 -0700, Christ Schlacta wrote: However, the implication, which I failed to make effectively, is that SIMPLE configs (like the Universal) could be merged into a single file, or more complex configs merged into a single file for

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-26 Thread Christ Schlacta
On 9/26/2011 16:49, Tom Eastep wrote: > What, exactly, confuses you about Shorewall-lite? The config is there, but it's here, and there's also another config here and there.. I'm sure if I sat down and did it, I'd get it eventually, but it's imposing.

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-26 Thread Christ Schlacta
t have the same routes, etc. Combine that with the use of a make file, and I just don't see how it all fits together. :-S On 9/26/2011 17:35, Tom Eastep wrote: > On Sep 26, 2011, at 5:31 PM, Christ Schlacta wrote: > >> On 9/26/2011 16:49, Tom Eastep wrote: >>> What, e

Re: [Shorewall-users] Feature Request: Shiny new XML format?

2011-09-29 Thread Christ Schlacta
On 9/29/2011 01:33, Simon Hobson wrote: > Mark van Dijk wrote: > >> Actually, I'd like to go one step further and suggest to not bring this >> extra overhead into the project. It is a clear example of putting the >> cart in front of the horse. A better idea is that someone who needs >> this would w

Re: [Shorewall-users] Shorewall 4.4.24 Beta 4

2011-10-01 Thread Christ Schlacta
y might be interesting, but let's not put it on Tom's > plate. Maybe you can show some kind of comparison? > > In fact, you could just go ahead and fork shorewall... and when it > works as you envision you can invite list members to review it. At > least one other list member (C

[Shorewall-users] Shorewall et 802.1ab (lldp)

2011-10-01 Thread Christ Schlacta
I'm trying to configure lldp on all the systems in my LAN, and they all run shorewall. I'm trying to figure out what rules to add to shorewall, but there's no mention of it in the documentation that I can find, and I don't know enough about lldp to figure out what files need to be changed and

Re: [Shorewall-users] Shorewall et 802.1ab (lldp)

2011-10-01 Thread Christ Schlacta
I don't know if I could explain it in greater detail, but it's primary purpose is to facilitate detailed mapping of the network via automated means. On 10/1/2011 17:59, Tom Eastep wrote: > On Oct 1, 2011, at 5:39 PM, Christ Schlacta wrote: > >> I'm trying to configure

Re: [Shorewall-users] Using two upstream providers, one public and one private.

2011-10-19 Thread Christ Schlacta
On 10/19/2011 17:14, Alan Madill wrote: > > On 10/19/2011 3:38 PM, Tom Eastep wrote: >> On Wed, 2011-10-19 at 15:27 -0700, Alan Madill wrote: What I am struggling with is using IP aliases on a single interface on the firewall to communicate with the upstream router. I'm thinking it might

Re: [Shorewall-users] Shorewall 4.4.25.2

2011-11-05 Thread Christ Schlacta
Is there a ubuntu PPA that tracks the most recent shorewall releases? I didn't find one at the downloads page. On 11/5/2011 10:59, Tom Eastep wrote: > 4.4.25.2 is now available for download. > > Problems Corrected: > > 1) Previously, if all the following were true: > > - AUTOMAKE=Yes >

[Shorewall-users] Virtual Router, Commentary/Suggestions/Peer Review/Advice?

2011-12-26 Thread Christ Schlacta
So, I'm looking to set up a virtual router on my vlan enabled network. I've got the modem on vlan 5, the LAN on vlan 10, and a guest vlan on vlan 20. I'm sufficiently certain that, barring the addition of the necessary shorewall rules to accommodate a virtual router, my vm host is sufficiently

[Shorewall-users] any way to suppress this message using shorewall?

2012-01-06 Thread Christ Schlacta
I keep getting this message in my firewall log. it's on the port that is running torrents, and I suspect a misbehaving client somewhere, or a misbehaving ISP somewhere. I'm not overly sure, but the message is quite annoying, and I'd like to suppress it if possible using shorewall. the message

[Shorewall-users] child and parent zones (or dynamic zones as well?)

2012-01-14 Thread Christ Schlacta
I've got my network logically divided by the last octet of the IP address. 1-9 = reserved for temporary testing systems ONLY 10-63 = reserved for infrastructure devices ("routers", switches, APs, etc.) 64-127 = reserved for dedicated servers (everything is going virtual. one vmachine per service

Re: [Shorewall-users] child and parent zones (or dynamic zones as well?)

2012-01-15 Thread Christ Schlacta
14 at 23:08 -0800, Christ Schlacta wrote: my major question is.. I want to be able to set up a policy or a rule similar to: "ACCEPT lan(+all child zones) wan tcp port". and I also want to know, what happens when a packet is allowed by one rule, but disallowed by another rule? for ex

Re: [Shorewall-users] virtual serveres

2012-01-17 Thread Christ Schlacta
It's not a bad idea if it works with your virtualization technology. There are several guides in the documentation section of the Shorewall site dealing with various networking technologies. You should identify the one that's closest to how your virtualization technology works (with regard to

[Shorewall-users] Any good guides to synchronize ipsets across multiple hosts?

2012-01-24 Thread Christ Schlacta
I've got a couple of systems running shorewall, and I want an ipset added on any of these hosts to appear on all of these hosts. Are there any good tools that already exist to do this, or am I on my own?

Re: [Shorewall-users] Slightly off topic: I don't know the terms to look for to RTFM (IPv6)

2012-01-26 Thread Christ Schlacta
I'm only suggesting an idea here, but you may be able to use shell variables to make something like this happen in your params file. On 1/24/2012 11:20, Troy Telford wrote: > I've used a tunnel broker for IPv6 for quite some time; the biggest > advantage is a static IP address. > > For bandwidth

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.5.0

2012-02-13 Thread Christ Schlacta
So will there be Shorewall 4.5.1, or what ? On 2/13/2012 07:01, Tom Eastep wrote: On 02/13/2012 05:30 AM, Simon Matter wrote: Thanks for the new release! It looks like the LIBEXEC / PERLLIB handling is broken now :) I hope attached patch fixes it. Looks like it does -- thanks, Simon. -Tom -

[Shorewall-users] hai, I'm new + a question

2009-05-11 Thread Christ Schlacta
I'm new, my name's Christ, and I've started using shorewall in the past few weeks. problem I'm having, is thus: Web/ACCEPT users servs Web/ACCEPT users $FW #Accept Web traffic. REDIRECT users 3129 tcp www #forward it to myself Web/ACCEP

Re: [Shorewall-users] hai, I'm new + a question

2009-05-11 Thread Christ Schlacta
the OP ? thanks again Tom~ On Mon, May 11, 2009 at 6:39 PM, Tom Eastep wrote: > Christ Schlacta wrote: >> I'm new, my name's Christ, and I've started using shorewall in the >> past few weeks. >> >> problem I'm having, is thus: >> Web/ACCEP

Re: [Shorewall-users] Redirecting NTP traffic from public time server to local server

2009-05-14 Thread Christ Schlacta
why not just use NTP/REDIRECT in rules and nothing in masq ? On Thu, May 14, 2009 at 7:25 AM, Jeff Gregor wrote: > There was a a series of posts a couple of months ago that I found in the > archives that addressed the same situation that I cam dealing with. I > tried the solution described in tho

[Shorewall-users] migrating to shorewall-perl?

2009-05-14 Thread Christ Schlacta
I just read another post where the author suggests migrating to shorewall-perl. I think it's a great idea, but I was wondering if there are any major caveats or gotchas, or if it's a simple switch. I'm not near my man pages and I don't have the time to thoroughly research right now, but any inform

[Shorewall-users] QOS Ineffective?

2009-05-18 Thread Christ Schlacta
I QOS filtered an entire subnet to use half my max upload, and low priority. my other subnet is configured to have up to 100% and high priority. wan01 4*full/10 full1 default,tos-minimize-delay wan02 4*full/10 fu

Re: [Shorewall-users] QOS Ineffective?

2009-05-18 Thread Christ Schlacta
http://bitch.aarcane.info/shorewall_dump also, I've acquired the numbers in tcdevices from doing benchmarks at speakeasy.net and then underestimating the values. On Mon, May 18, 2009 at 2:31 PM, Tom Eastep wrote: > Christ Schlacta wrote: >> I QOS filtered an entire subnet to u

Re: [Shorewall-users] QOS Ineffective?

2009-05-18 Thread Christ Schlacta
I've been tweaking on it today, and had kept the p2p hosts limited using their internal limiters until today, so I'll have to let it run and gather more stats while I can. On Mon, May 18, 2009 at 3:27 PM, Tom Eastep wrote: > Christ Schlacta wrote: >> http://bitch.aarcane.

Re: [Shorewall-users] Why not allow any:?

2009-06-13 Thread Christ Schlacta
That's a good question and I've wondered that myself a time or two... On Jun 13, 2009, at 7:55, Colin Alston wrote: > I've been digging through the various manuals and am a bit irritated > with limitation on the rules system > > Why do I have to specify a source zone to allow a source IP range

[Shorewall-users] Questions about simple TC rules

2009-07-25 Thread Christ Schlacta
I have entries in my tcrules file like the following.. 1:F 10.0.0.0/24 0.0.0.0/0 tcp 4500 # Ragnarok 1:F 0.0.0.0/0 10.0.0.0/24 tcp - 4500 1:F 10.0.0.0/24 0.0.0.0/0 udp 4500 1:F 0.0.0.0/0 10.0.0.0/24 udp - 4500 1:F

Re: [Shorewall-users] Redirect site address for other isp

2009-08-23 Thread Christ Schlacta
sounds like you need ACCEPT+ rules in your rules file. Jayme Sanches wrote: > Hi, > > I have a centos 5.3 with shorewall 4.2.10 and transparent > squid...(REDIRECT loc 3128 tcp 80 - !192.168.1.254) > > It's working fine with 2 NIC, eth0 - net and eth1 - loc > > Now I need configur

Re: [Shorewall-users] Combatting DDoS attack

2009-08-29 Thread Christ Schlacta
I'm aware of, but have never tried a technique called tarpitting that is supposed to be very useful in your situation. On Aug 29, 2009, at 1:18, Michael Mansour wrote: > Hi, > > I've been working the past 8 hrs combatting DDoS attacks on websites > and dedicated servers I host for clients. >

Re: [Shorewall-users] Combatting DDoS attack

2009-08-29 Thread Christ Schlacta
I found the article I was reading before about a tarpitting solution that doesn't simply take the website offline. http://www.secureworks.com/research/threats/ddos/ Tom Eastep wrote: > Christ Schlacta wrote: >> I'm aware of, but have never tried a technique called tarp

[Shorewall-users] sad story:(

2009-08-29 Thread Christ Schlacta
I just lost all my shorewall6 configs and half my shorewall configs because I forgot to add them to the NoUpgrade list before I upgraded. I'm nearly in tears trying to fix it, and as always IRC support is useless in finding a solution to prevent it from happening again.. ---

Re: [Shorewall-users] sad story:(

2009-08-29 Thread Christ Schlacta
em. I had most of my configs in the NoUpgrade list, but had changed them since then, and forgot to add the new ones. Tom Eastep wrote: > Christ Schlacta wrote: >> I just lost all my shorewall6 configs and half my shorewall

Re: [Shorewall-users] sad story:(

2009-08-29 Thread Christ Schlacta
to reestablish internet connectivity from the ground up if our router was physically stolen and had to be re-built from parts from the local outlet. Simon Hobson wrote: > Christ Schlacta wrote: >> I just lost all my shorewall6 configs and half my shorewall configs >> because I forgo

Re: [Shorewall-users] AD on DMZ

2009-09-04 Thread Christ Schlacta
In general you should never have a windows machine in a dmz. That's the biggest problem with this setup On Sep 4, 2009, at 11:31, Simon Hobson wrote: > I wrote: > >> It's not dangerous, but it is tricky to set up. I >> did something not too dissimilar a while ago - >> multi-zone firewall for a m

Re: [Shorewall-users] AD on DMZ

2009-09-04 Thread Christ Schlacta
no, I'm saying exposing windows to the internet is always a bad idea. it should NEVER be in a dmz, and should always be protected by the firewall with a policy reject or policy drop. Simon Hobson wrote: > Christ Schlacta wrote: >> In general you should never have a window

Re: [Shorewall-users] AD on DMZ

2009-09-04 Thread Christ Schlacta
:op. My bad On Sep 4, 2009, at 18:22, Tom Eastep wrote: > Christ Schlacta wrote: >> no, I'm saying exposing windows to the internet is always a bad idea. >> it should NEVER be in a dmz, and should always be protec

[Shorewall-users] multi-isp, multi-lan.

2009-10-03 Thread Christ Schlacta
okay, so here's what I've been called upon to do: I have two ISPs and two separate LANs (we have a two-family household). let's call them lan1 and lan2, and isp1 and isp2. I've been asked if I could configure a router such that.. all traffic from lan1 is sent through isp1 by default, and all traffi

[Shorewall-users] Hostap Shorewall and lld2l

2009-10-05 Thread Christ Schlacta
None of my systems can use lld2d to map the network when connected via wireless, but it works fine over the wireful network. the wireless is client -> hostapd -> ath5k -> bridge -> kernel with shorewall handling the bridge and kernel, as best I can explain it. on the bridge is also a wired de

Re: [Shorewall-users] Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A

2009-10-16 Thread Christ Schlacta
if you have dedicated fiber, why are you bothering with the overhead of vpn as well? Keith Mitchell wrote: > I'm trying to connect a branch office to my main office. > > I have data and voice that need to flow between the branch office and > the main one. > > I have a VPN setup for the data, a

Re: [Shorewall-users] Pluggable compiler backends?

2009-10-19 Thread Christ Schlacta
that's an excellent idea if it's not already in, I throw in my hat for a feature request. Joshua J. Kugler wrote: > So after using Shorewall for years, I've been taking my first foray into > real router devices by playing with a MikroTik Routerboard 750. Nice > little unit, 400MHz Mips CPU, 32