Thanks.
On Wednesday 29 January 2014 08:09, Fred Maillou wrote:
Hi,
> Your Shorewall version isn't recent enough to be able to add such a rule
> then.
Version is 4.5.2.2. I see that the most recent version includes an action.RST
file. Would it be possible to copy that file int
do offsite troubleshooting without having to upgrade
shorewall.
Thanks.
On Tuesday 28 January 2014 15:50, Tom Eastep wrote:
On 1/28/2014 12:17 PM, Fred Maillou wrote:
> I'm afraid I do not understand the usage context. Eg.:
>
> The following in rules:
>
> RST(LOG) all
I'm afraid I do not understand the usage context. Eg.:
The following in rules:
RST(LOG) all all
Gives:
ERROR: Unknown action (RST(LOG)) : /etc/shorewall/rules (line 15)
Thanks.
On Tuesday 28 January 2014 15:09, Tom Eastep wrote:
On 1/28/2014 11:22 AM, Fred Maillou
Hello,
What would be the syntax to log TCP RST packets ? This is for
troubleshooting purposes.
Thanks.
Hello,
Would it be possible to specify a subnet in masq/source, as in for example
192.168.1.0/24, instead of a series of individual IPs ?
Thanks.
Hello,
When using a default policy of DROP, should there be a rule declared
explicitly for a defined static NAT ? In other words, is it normal to see NAT
traffic pass along when there is no rule that explicitly allows it ?
Fred.
e ?
Thanks!
Fred.
From: Tom Eastep
To: shorewall-users@lists.sourceforge.net
Sent: Monday 30 September 2013 9:42
Subject: Re: [Shorewall-users] Processing precedence: rule/MASQ
On 9/30/2013 4:53 AM, Fred Maillou wrote:
>> There is a similar diagram at
>
From: Tom Eastep
To: shorewall-users@lists.sourceforge.net
Sent: Friday 27 September 2013 9:35
Subject: Re: [Shorewall-users] Processing precedence: rule/MASQ
On 9/26/2013 8:28 AM, Fred Maillou wrote:
>>> On Thu, Sep 26, 2013 at 11:41 AM, Fred Maillou
>>>
>> On Thu, Sep 26, 2013 at 11:41 AM, Fred Maillou wrote:
>> In masquerading, which one gets processed first, a firewall
>> rule, or the masquerading ? I'd think masquerading gets
>> processed first, but I'm not certain.
> From: Guilsson G
>
Hi,
In masquerading, which one gets processed first, a firewall rule, or the
masquerading ? I'd think masquerading gets processed first, but I'm not
certain.
Thanks !
Hello,
Earlier this year I contacted Patrick McHardy for fixing a SIP conntrack
problem and he produced a patch. Unfortunately, I do not have the exchanged
emails, although I'd presume the patch made it into the netfilter modules upstream.
The work Patrick did was per contract. He's the maintaine
> On 04/19/2013 02:13 PM, Fred Maillou wrote:
> > Hello,
> >
> > sshguard detects brute force attacks and blocks IPs according to a
> > certain algorithm. For it to work it needs a rule:
> >
> > iptables -N sshguard
> > iptables -A INPUT -j sshgua
Hello,
sshguard detects brute force attacks and blocks IPs according to a certain
algorithm. For it to work it needs a rule:
iptables -N sshguard
iptables -A INPUT -j sshguard
And so in Shorewall's started.d/ I created a file and added:
#!/bin/bash
iptables -N sshguard
iptables -I INPU
Hello !
Sorry for the recent spam email. Looks like the yahoo account
got hacked.
4 February 2013 13:10
Subject: Re: [Shorewall-users] (no subject)
On 02/14/2013 10:02 AM, Fred Maillou wrote:
> Hello,
>
> Is there any mechanism provided by Shorewall that would handle
> MASQ interfaces that are not up when Shorewall starts ? The
> documentation mentions
Hello,
Is there any mechanism provided by Shorewall that would handle
MASQ interfaces that are not up when Shorewall starts ? The
documentation mentions - if I remember correctly - that the use
of interfaces for such purpose is obsolete(d). But there are
some situations in which an interface m
Hello Tom,
>> What is the setting of CLEAR_TC in shorewall.conf?
> In both test cases it is:
> CLEAR_TC=Yes
Was this identified as a bug ? Or is it something done wrong (although the
test cases seems quite straightforward).
Thanks!
Simon Hobson wrote:
> It depends a lot on your setup. In many cases, loading SIP
> helper will completely screw up your connection, in others it's
> needed. A good example of where NAT == Broken.
> Personally I make a point of disabling any SIP helper and
> configuring the endpoints to deal wi
> What is the setting of CLEAR_TC in shorewall.conf?
In both test cases it is:
CLEAR_TC=Yes
Hello,
Using recent Shorewall versions (4.5.11 and 4.5.3) it seems
that an active TC config is not removed when using 'restart' with
a config that does not have any TC parameters. Version 4.5.2
does remove a TC config.
Here's how the test is made.
1) state: no firewall config applied. ip
Hello,
Are there general guidelines around on how to configure Shorewall for use
with SIP phones ? Especially regarding (some?) Cisco SIP phones which are
expecting a reply at port 5060 while sending from an arbitrary high port.
Thanks !
> My bad -- I was thinking of TOS specification in
> tcclasses/tcfilters. For tcrules, simply type 'shorewall show
> mangle'.
Thanks. Do you know if there's any side effect to specify a value of
0x24 ? As far as I see it from the Shorewall use, 0x20 would be an
off-limit value as it is associat
>> I'm asking as I'm getting into troubleshooting what seems at first
>> outlook a problem in not having the same result when for instance
>> the string 'Minimize-Delay' is used when compared to using the
>> string '0x10'.
> Those are different - 0x10 assumes a mask of 0xff while
> 'Minimize-Dela
Hello Tom,
In tcrules' tos field, what would be the right way of
specifying a numerical value ? Both '16' and '0x10' successfully
pass the 'shorewall check' test - does this mean that both are
valid ? I've looked at the configuration_file_basics page but
did not seem to find an explicit referen
Hello Tom,
Here is an excerpt of a run of 'shorewall start .' :
Initializing...
/usr/share/shorewall//modules: 19: ?INCLUDE: not found
/usr/share/shorewall//modules: 23: ?INCLUDE: not found
/usr/share/shorewall//modules: 27: ?INCLUDE: not found
/usr/share/shorewall//modules: 31: ?INCLUDE: no
(sorry, I simply pressed 'reply' on this Yahoo thing and the
reply went to your personal email when I intended it to be in the
mailing list - so here it is in the mailing list)
Hi Tom,
>> Are there persistent connection tracking (and related)
>> parameters set at install time that would make do w
> What you are seeing is a result of the way that connection
> tracking works. You can always use the '-p' option when you
> start/restart Shorewall (that does the 'conntrack -F' for you).
The drawback with this is that all tables would be flushed,
including established ssh connections on other in
Hello,
When using a simple MASQ config such as:
dds-4-1c01ppp 172.59.1.0/24 172.59.3.10
It happens from time to time that after applying the config, a
172.59.1.1 IP is not translated into .3.10. It is actually not
translated until a 'conntrack -F' is issued that flushes all
co
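Three of the questions on this page come down to the same netfilter facts: the nat table is consulted only for the first packet of a connection and the decision is then replayed from the conntrack entry (which is why the untranslated 172.59.1.1 flow above stays untranslated until 'conntrack -F'); the filter FORWARD chain is traversed after PREROUTING DNAT and before POSTROUTING SNAT/MASQ, so a rule sees the post-DNAT destination and the pre-MASQ source; and NAT never bypasses filtering, so with a DROP policy a static NAT entry still needs an ACCEPT rule for the internal address. The model below is an added example, not Shorewall's or netfilter's code; the class names, the toy rule tuples and the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are assumptions, while the 172.59.x.x addresses are taken from the post above.

```python
"""Toy model of nat/filter/conntrack ordering for a forwarded packet.
Added example for this thread; not Shorewall or netfilter code.
Assumed: rule tuples, class names and the documentation-range addresses."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Tuple4 = Tuple[str, str, int, int]                  # (src, dst, sport, dport), pre-NAT
NatDecision = Tuple[Optional[str], Optional[str]]   # (DNAT dst, SNAT src)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_net(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class Firewall:
    """nat table (static NAT + masq), filter FORWARD, and a conntrack cache."""
    static_nat: Dict[str, str] = field(default_factory=dict)  # external -> internal
    masq: List[Tuple[str, str]] = field(default_factory=list)  # (src prefix, SNAT to)
    accept: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)
    policy: str = "DROP"
    conntrack: Dict[Tuple4, NatDecision] = field(default_factory=dict)

    def flush_conntrack(self) -> None:
        """What 'conntrack -F' does: forget every cached NAT decision."""
        self.conntrack.clear()

    def forward(self, pkt: Packet) -> dict:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        cached = self.conntrack.get(key)
        new = cached is None
        # 1. nat PREROUTING: evaluated for the first packet only; later packets
        #    replay the cached decision even if the nat rules changed meanwhile.
        dnat_to = self.static_nat.get(pkt.dst) if new else cached[0]
        dst = dnat_to or pkt.dst
        # 2. filter FORWARD: sees post-DNAT destination, pre-SNAT source.
        seen = (pkt.src, dst)
        verdict = self.policy
        for s_pfx, d_pfx, dport in self.accept:
            if in_net(pkt.src, s_pfx) and in_net(dst, d_pfx) and dport in (None, pkt.dport):
                verdict = "ACCEPT"
                break
        if verdict != "ACCEPT":
            # the unconfirmed conntrack entry dies with the dropped packet
            return {"verdict": verdict, "forward_saw": seen, "out": None, "new": new}
        # 3. nat POSTROUTING: static NAT reverse mapping first, then masq.
        if new:
            snat_to = next((ext for ext, inner in self.static_nat.items()
                            if inner == pkt.src), None)
            if snat_to is None:
                snat_to = next((addr for s_pfx, addr in self.masq
                                if in_net(pkt.src, s_pfx)), None)
            self.conntrack[key] = (dnat_to, snat_to)   # entry confirmed here
        else:
            snat_to = cached[1]
        return {"verdict": "ACCEPT", "forward_saw": seen,
                "out": (snat_to or pkt.src, dst), "new": new}


def scenario_static_nat_needs_rule() -> Tuple[str, str]:
    """DROP policy + static NAT: dropped until a rule accepts the *internal*
    address that FORWARD sees after DNAT."""
    fw = Firewall(static_nat={"203.0.113.10": "192.168.1.10"})
    pkt = Packet("198.51.100.7", "203.0.113.10", 40000, 80)
    first = fw.forward(pkt)["verdict"]
    fw.accept.append(("0.0.0.0/0", "192.168.1.10/32", 80))
    return first, fw.forward(pkt)["verdict"]


def scenario_rule_sees_pre_masq_source() -> Tuple[str, str]:
    """The FORWARD rule matches the LAN source; MASQ rewrites it afterwards."""
    fw = Firewall(masq=[("192.168.1.0/24", "203.0.113.1")],
                  accept=[("192.168.1.0/24", "0.0.0.0/0", None)])
    r = fw.forward(Packet("192.168.1.20", "192.0.2.80", 52000, 443))
    return r["forward_saw"][0], r["out"][0]


def scenario_masq_after_conntrack() -> Tuple[str, str, str]:
    """A flow conntrack learned before the masq entry existed keeps its old
    decision until the table is flushed (the 172.59.1.1 case from the post)."""
    fw = Firewall(accept=[("172.59.1.0/24", "0.0.0.0/0", None)])
    pkt = Packet("172.59.1.1", "192.0.2.53", 51000, 53)
    before = fw.forward(pkt)["out"][0]
    fw.masq.append(("172.59.1.0/24", "172.59.3.10"))
    stale = fw.forward(pkt)["out"][0]
    fw.flush_conntrack()
    return before, stale, fw.forward(pkt)["out"][0]


if __name__ == "__main__":
    print(scenario_static_nat_needs_rule(), scenario_rule_sees_pre_masq_source(),
          scenario_masq_after_conntrack())
```

The model deliberately drops the unconfirmed conntrack entry when FORWARD drops the packet, which is why a rule added later takes effect on the next packet, whereas a MASQ entry added after the flow was confirmed does not until the entry is flushed; 'shorewall restart -p' does that flush for you at the cost of every other tracked connection, as the post notes.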
Hello,
Is there any way to clear the TC stats without having any disruption ?
Thanks.
> mDNS is a protocol for auto-discovery within a LAN; why are you trying
> to route it?
It is non-routable to another network which would use this mDNS. If the dest.
IP of those packets can be changed (see my follow-up question to this) then a
static route can route them out to other devices on
> Is there any special setup in Shorewall in order to change the
> destination IP address of mDNS packets ?
More specifically, it could perhaps be done in PREROUTING. Would
this be the right formulation in rules:
# ACTION SOURCE DEST
DNAT:P net $fw ...
Eg. is the 'tag' for pre/post rou
Hello,
Is there any special setup in Shorewall in order to change the destination IP
address of mDNS packets ? The actual mDNS address is not routable and would
need to be changed to a routable multicast address, which is serviced by a
static route. I've seen that the DNAT page mentions a D
> There are two related concepts here: Addresses and Labels. An
> _address_ is just an additional (secondary) IP addresses on an
> interface. A _label_ is one of those silly things of the form
> : that ifconfig thrust upon us and that
> the Debian ifup/ifdown system continues to burden us with.
Th
Hello,
The 'interfaces' documentation for nat mentions the use of
ADD_IP_ALIASES in shorewall.conf. It mentions:
"Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes
in shorewall.conf(5), Shorewall will automatically add the
EXTERNAL address to this interface. Also if ADD_IP_ALIAS
Hello,
What would be the allowed maximum numerical limit when setting a
priority in tcclasses ?
Thanks.
> HTB assumes a value of 1600 (1500+100) if the HTB is not
> specified. So if the actual MTU is not 1500, I'm also adding
> 100 to the actual value.
Hm... I'm not sure I get this 'if the HTB is not specified'.
The HTB default is 1600. So if MTU 1500 is read then 100 is
added to match, that seem
Hello,
In lib.core the MTU value that is queried from the ip utility
finds itself added a value of 100:
get_device_mtu1() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(fi
Hello,
DSCP marks are not restored in a RESTORE TC rule. This is probably right
because DSCP marks are packet mangling whereas regular TC marks are internal
and can be restored. Could you please confirm that DSCP marks should not/will
not be restored when using a RESTORE TC directive ?
Many
On 5/4/12 7:16 AM, Fred Maillou wrote:
>>>> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ]
> [chain...]
>
>>>> Basic patch attached:
>
>>> Thanks ! Will it be part of the next release as well ?
>
>> It will be in Shorewall
>>> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ]
>>>[chain...]
>>> Basic patch attached:
>> Thanks ! Will it be part of the next release as well ?
> It will be in Shorewall 4.5.3 Beta 2
The patch works fine. Although so far it seems that 'refresh' is
not a big time sa
From: Tom Eastep
To: shorewall-users@lists.sourceforge.net
Sent: Wednesday 2 May 2012 13:57
Subject: Re: [Shorewall-users] shorewall refresh
On 05/02/2012 10:24 AM, Fred Maillou wrote:
> Hello,
>
> The idea in using 'shorewall refresh' would be to re-apply an existi
Hello,
The idea in using 'shorewall refresh' would be to re-apply an existing TC
configuration. In other words, 'shorewall restart' was already executed (and
included a TC config), and sometime later, a 'refresh' would be done, using the
same config files. The problem seems to be that the '
> Make the interface 'optional'. Then you can use: 'shorewall
> disable ; shorewall enable '.
Which 'optional' option would that be ? The 'shorewall enable'
documentation mentions providers. And 'optional'
in (tc)interfaces does not seem to be related.
Thanks
Hello,
Is there a way to refresh (as in the 'refresh' command) the TC configuration
only ? It should take less time to only re-apply a TC config instead of a
complete firewall. The use case is when WAN interfaces disappears from system
view for a brief moment then come back in operation. A
On 04/20/2012 06:47 AM, Fred Maillou wrote:
>> As the 4.5.2.2 tcrules manpage shows, the default chain for
>> DSCP marks is postrouting. Is this still true if
>> shorewall.conf has the > 'MARK_IN_FORWARD_CHAIN=Yes' option ?
> Actually, the manpage is wrong --
Hello,
As the 4.5.2.2 tcrules manpage shows, the default chain for DSCP marks is
postrouting. Is this still true if shorewall.conf has the
'MARK_IN_FORWARD_CHAIN=Yes' option ?
Thanks.
> Beta 4 was pretty broken. These problems are not present in RC 2.
OK! Thanks.
The '- not found' has to do with:
elif - -f ${SHOREAWLLRC_HOME}/.shorewallrc;
instead of:
elif [ -f ${SHOREAWLLRC_HOME}/.shorewallrc ];
The .start also has the same syntax.
>> I see the following when using 4.5.2 beta version. The config
>> files are in the current directory.
>> # shorewall check .
>> /sbin/shorewall: 47: -: not found
>> Checking...
>> # shorewall start .
>> /sbin/shorewall: 47: -: not found
>> Compiling...
>> Apart from that, normal compilation oc
Hello,
I see the following when using 4.5.2 beta version. The config files are in
the current directory.
# shorewall check .
/sbin/shorewall: 47: -: not found
Checking...
# shorewall start .
/sbin/shorewall: 47: -: not found
Compiling...
Apart from that, normal compilation occurs OK.
Th
> If you are asking if Shorewall clears any current TC
> configuration, the answer is Yes, unless CLEAR_TC=No in
> shorewall.conf.
Thanks. Could it be that the behaviour of this option has
changed since 4.0.15 ? I have a 4.0.15 configuration that has
CLEAR_TC=yes but allows a qos VLAN marking th
Hello,
I'd like to know if Shorewall, in recent versions (as compared
to 4.0.15) is currently making some kind of traffic control parameter
reset before installing a traffic control configuration.
Thanks.
Hello,
> Beta 4 is now available for testing.
Is there any idea of when a 4.5.2 release will be out ?
Thanks.
> They are all optional but you have to specify at least one of them.
> Otherwise, there is no point in having the entry at all.
Right. Thanks.
Fred.
Hello,
The following simple TC config:
# cat tcinterfaces
#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
fe-cm-1 - - 56kbit
# cat tcpri
#BAND PROTO PORT(S) ADDRESS IN-INTERFACE
1 - - - -
Yields:
ERROR: Invalid tcpri entry
Hello,
It looks like the length field in tcrules is not parsed correctly according
to what I understand from the docs. It seems that a :max value would be
permitted. However, the following:
#MARK SOURCE DEST PROTO DPORT(S) SPORT(S) USER TEST LENGTH TOS
: tcrules and test
On 03/13/2012 01:07 PM, Fred Maillou wrote:
> The use case is applying DNAT in firewall rules for a certain traffic.
> Traffic control is also wished for the same traffic, as well as DSCP
> marking. And so, there is a tcrule that will mark those packets to be
> routed to
(EF) 0.0.0.0/0 0.0.0.0/0 all - - - 100
Thanks.
From: Tom Eastep
To: shorewall-users@lists.sourceforge.net
Sent: Tuesday 13 March 2012 15:43
Subject: Re: [Shorewall-users] tcrules and test
On 03/13/2012 12:07 PM, Fred Maillou wrote
Hello,
Can the test of tcrules be used to detect packets in POSTROUTING ?
Thanks,
Fred.
Hello,
With a string of ">=477" in the length field of tcrules, 'shorewall check'
reports no error whereas iptables-restore has a problem during 'shorewall
start':
iptables-restore v1.4.8: length invalid: ">=477"
Error occurred at line: 30
Fred.
Hello,
Using shorewall-4.5.1-Beta2, I have seen that DSCP values CS6 and
CS7 are provoking a configuration check error. All other DSCP
values are OK.
tcrules:
DSCP(CS7) 172.30.159.102 0.0.0.0/0 all
# shorewall check
[...]
ERROR: Invalid DSCP (CS7) : /tmp/shorewall/tcrules (line 2)
> Search the manpage for 'DSCP' -- you can also specify that in
> the MARK/CLASSIFY column to set the DSCP value.
Thanks. Is it then possible to MARK/CLASSIFY (for a tcclass) and
at the same time apply a DSCP mark for egress ? Would it need
two tcrules with the same matching parameters, one to m
From: Tom Eastep
To: Fred Maillou ; Shorewall Users
Sent: Monday 27 February 2012 11:56
Subject: Re: [Shorewall-users] New DSCP field (re: Adding iptable rules for DSCP marking)
On Feb 27, 2012, at 7:38 AM, Fred Maillou wrote:
Hello,
>
>
Hello,
Will this DSCP feature be able to actually mark DSCP, as per
the original poster use-case description ?
Fred.