On Tue, 2010-08-31 at 18:18 -0700, peasth...@shaw.ca wrote:
Folk,
Quoting from http://www.shorewall.net/manpages/shorewall-nesting.html,
The preferred way [to distinguish zones having ppp interfaces] is
to use the ifname pppd option to change the 'net' interface to
something other than
On Tue, 2010-08-24 at 20:56 -0700, J and T wrote:
Thanks Tom. I also thought of that, but you're right, that would crash
us as well. I would think this would be a common problem, but I can't
seem to find any solution.
Would creating a blackhole or prohibit route on the web-server itself
On Thu, 2010-06-17 at 10:35 -0600, Jeff Taylor wrote:
I assume you're referring to this portion?
25801 1979K MASQUERADE all -- * * 10.0.0.0/16 0.0.0.0/0
2212 112K SNAT all -- * * 10.10.0.0/16 0.0.0.0/0
On Thu, 2010-04-15 at 19:27 +0200, Michael Weickel - iQom Business
Services GmbH wrote:
Hi list,
one of my clients is part of the same subnet as the local Shorewall
interface. If this client wants to go to the internet, it is masqueraded by
the masq entry and routed out of the egress interface.
On Thu, 2009-10-01 at 09:19 +0530, Rags wrote:
On Wed, Sep 30, 2009 at 11:02 PM, Jerry Vonau jvo...@shaw.ca wrote:
On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
Hello,
I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with fail
On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
Hello,
I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
fail-over and load balancing.
When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
after I start/restart Shorewall. One was about the masq file , wherein
On Tue, 2009-09-22 at 18:51 -0400, Max DiOrio wrote:
Still not working for me. In fact, this time it was worse. Everything stays
registered, but this time I get no audio in either direction, and although it
was working after I enabled the firewall, web access stopped working after a
few
On Sat, 2009-08-29 at 01:18 -0700, Michael Mansour wrote:
Hi,
I've been working the past 8 hrs combatting DDoS attacks on websites and
dedicated servers I host for clients.
They're hitting one specific IP address, but coming from thousands of
external IP addresses.
I use:
On Fri, 2009-06-12 at 08:36 -0700, Mike Lander wrote:
Mike Lander wrote:
not sure how to config shorewall or if I have this bridge right, but
now there seem to be several ways to config shorewall here.
Which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
On Wed, 2009-05-27 at 20:09 -0300, Marcos Dione wrote:
NOTE: this mail started as a help call, but I've been writing it
through several days, and several tests that led more to an
investigation than to an actual question. I think it's somewhat useful,
especially if there are comments on why
On Wed, 2009-04-01 at 11:24 -0300, Guilherme Cunha wrote:
Hi,
I have 2 links to ISPs (ISP1 and ISP2) with zone 'net' and another
interface with a connection to the local network (network).
I need to configure it to divide connections to different
applications.
example:
SSH connection output
On Fri, 2009-01-09 at 10:32 -0600, John McMonagle wrote:
Have a firewall with 2 isps, openvpn, ipsec and ospf in use.
The ospf is primarily for the openvpn tunnels.
I'm phasing out ipsec because of traffic shaping issues.
Been rereading http://www.shorewall.net/MultiISP.html and realize
On Fri, 2009-01-09 at 14:37 -0600, John McMonagle wrote:
Jerry Vonau wrote:
On Fri, 2009-01-09 at 10:32 -0600, John McMonagle wrote:
Example 2 on the MultiIsp page shows that the routes would be in the
main table and routing rules are used to force the lookup to use the
main table
On Wed, 2008-12-31 at 15:58 -0500, Mark Rutherford wrote:
Thanks for taking a crack at it.
Here is the updated dump.
I tried port 80 and 21 from 70.60.208.84 to 216.176.235.187 with no joy.
Shorewall Guy wrote:
Shorewall Guy wrote:
Mark Rutherford wrote:
No change.
On Wed, 2008-12-24 at 14:31 +0200, Harry Lachanas wrote:
Hi all
I am trying to get ipsets to work,
however I seem to come across a problem I don't quite understand ..
I want friend nets ( white zone ) to be able to log into the firewall
I am using ipsets for this ..
I went through
On Wed, 2008-12-24 at 08:49 -0600, Jerry Vonau wrote:
Should that not be:
net:white ipv4
make that:
white:net ipv4
time for coffee,
Jerry
Linux Advocate wrote:
Dear shorewall users,
I recently got an SDSL line which is working fine (net surfing, etc.) from a
single host (Mandriva 2008.1, Shorewall 4.0.9), but now when I try to add
another NIC and try to share with a few other machines, it's not OK.
The modem ip ( Billion
Fabio Correa wrote:
Pay no attention to the version :| I think my problem can be solved the same as if
I were running transparent squid in the local network (
http://www.shorewall.net/Shorewall_Squid_Usage.html) with providers and
tcrules file. What do you think??
Fabio
Should work, you're adding the
Nico Pagliaro wrote:
Hi, yes I have multi-ISP and my pptp server listens on the 3 public IPs
that I have, and also on my LAN IP, and that's the only one that works
Which public ip addresses did you test with? From where?
You're missing at least the snat entries from the masq file.
Do you need another
Nico Pagliaro wrote:
Friends, I am having a little problem with my pptp server on my shorewall.
I CAN connect to my pptp server from my LAN but no from Internet. What I am
doing wrong??
Here is my conf
Interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
Nico Pagliaro wrote:
I put that rule, and the same. I can't connect...
On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau [EMAIL PROTECTED] wrote:
The response was based on the limited info you provided, need to see a
full unedited shorewall dump.
Jerry
Gilberto Nunes wrote:
Hi all and specially Mr. Tom
(Please, do not be acid with me please! I am only a newbie, trying learn
more about shorewall)
I get involved with a Firewall Project in a customer here in my city...
In this customer, he has two Internet Providers.
So, he ask
Gilberto Nunes wrote:
Thanks Jerry
You put some light on my darkness...
But I have a doubt here:
Where I declare the ISP 1 or 2? /etc/shorewall/providers?
Yes, better re-read the Multi-ISP docs
Another question:
In this case, I have to send outgoing traffic through specific
Gilberto Nunes wrote:
Hi
May be...
But I put this:
ACCEPT loc:172.18.0.100 net tcp 1024:
ACCEPT loc:172.18.0.100 net udp 1024:
And work properly for me...
Think you have a default policy of DROP or REJECT for traffic from loc
[EMAIL PROTECTED] wrote:
Dear all,
If I do cause offence by posting OT here I apologise in advance, I am
however desperate for help and after posting on other forums without any
ideas I know many networking experts will see this here and hope they
can enlighten me. I will gladly donate
Tom Eastep wrote:
Jerry Vonau wrote:
OK, for those of us that are playing along at home ;-), to condense the
thought, what we(?) would be looking at is a single bal table that has
the default routes. The routing rules needed would point to the main
routing table for the routes that would
Tom Eastep wrote:
Jerry Vonau wrote:
...
Getting the squid in loc to work with loose took a bit of effort
but that works now. Give me a bit, I'll have some config info that
worked for me if you want.
Please -- I haven't tested that configuration.
I'll paste together what I brewed up
Tom Eastep wrote:
On Sun, 2008-07-13 at 17:05 -0500, Jerry Vonau wrote:
Guess it's a bug... off to file it.. fyi:
libnetfilter_conntrack-0.0.89-0.1.svn7356.fc9.i386
iptables-1.4.1.1-1.fc9.i386
2.6.25.9-76.fc9.i686
I can confirm the bug in Fedora 9:
[EMAIL PROTECTED] ~]# iptables -t
Tom Eastep wrote:
Jerry Vonau wrote:
OK, it's been more than a couple of days. ;-) With 4.2, is the reason
behind the shorewall test layout, using main 999, for backwards
compatibility?
Yes.
Getting the squid in loc to work with loose took a bit of effort
but that works now
On Sat, 2008-07-05 at 08:46 -0700, Tom Eastep wrote:
Brian J. Murrell wrote:
On Wed, 2008-07-02 at 07:05 -0700, Tom Eastep wrote:
I'm not sure that I want to give users that much rope to hang
themselves.
For those who are brave, there is a preview of Beta3 available at
On Tue, 2008-07-01 at 07:12 -0700, Tom Eastep wrote:
Brian J. Murrell wrote:
On Mon, 2008-06-30 at 20:45 -0700, Tom Eastep wrote:
I'm still willing to be convinced; but the 'provider tables contain
only default routes' approach is a dead end as far as I'm able to see.
Yeah, it very
Paul Gear wrote:
John Morris wrote:
Hi,
I noticed today that a hosts zone defined as follows wasn't being
matched. I investigated the output of iptables -L -v, and found this:
...
I couldn't find anything in the hosts or zones man pages about this. Am
I doing something wrong, or should
Tom Eastep wrote:
Jerry Vonau wrote:
Paul Gear wrote:
That should be sufficient to say it is documented, but there probably
should be something more explicit about ordering (probably a reference
to Multiple_Zones.html) in
http://www.shorewall.net/manpages/shorewall-zones.html. Any
Gustavo Michels wrote:
Hi all,
I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway
setup for my office. Routing is enabled only for a few hosts and all users
access the internet through squid, which is running on the shorewall box. I
have a few other services on this box and
Mekabe Ramein wrote:
Thanks for this very nice email.
I hope I can handle it with one of those methods.
Just one question:
How can I understand if my kernel has ipset capability ?
Thanks.
shorewall show capabilities and have a look...
Jerry
Pierre Ossman wrote:
I've been experimenting with the new zone nesting feature, but I'm
getting nowhere and I'm starting to suspect I expect more from it than
it can deliver.
So my first question is if zone nesting relies on the zones being
subsets of each other on a network level? I.e.
I've sent 2 replies to this list, haven't seen either yet
Sorry for the spam, please ignore.
jerry
on 20.xx
2) Post a shorewall dump of the vserver box, the router seems to be fine.
Jerry Vonau wrote:
mess-mate wrote:
Tom Eastep wrote:
Martin Leben wrote:
If you have more questions about vserver networking, I am sure that
you would get better help on a mailing list or forum about vserver
Jerry Vonau wrote:
Felix Bolte wrote:
is there any way to set up such an environment without having 100 zones and
interfaces if i have 100 VL
Have you looked at the hosts file?
Have a look at parallel zones section at:
http://www.shorewall.net/Multiple_Zones.html
You want to control
Tom Eastep wrote:
Brian J. Murrell wrote:
On Sat, 2008-03-29 at 22:39 -0700, Tom Eastep wrote:
Sure -- same solution that has always been available. Start Shorewall
before you start networking.
Yes, but...
Of course you can't use any of Shorewall's features that rely on
detecting the
Andrew Suffield wrote:
If ip_forward is never enabled until shorewall has started, then no
packets will ever pass through the system. You're then left with just
local stuff on the firewall itself, which shouldn't really be an issue
(since you shouldn't be running anything at that point).
Andrew Suffield wrote:
On Sun, Mar 30, 2008 at 03:12:51AM -0500, Jerry Vonau wrote:
Andrew Suffield wrote:
If ip_forward is never enabled until shorewall has started, then no
packets will ever pass through the system. You're then left with just
local stuff on the firewall itself, which
Brian J. Murrell wrote:
I'm using shorewall[-lite] 4.0.5 on an OpenWRT Kamikaze(ish) platform.
As you all probably already know, I have multiple ISP uplinks. One is
DHCP based and the other PPP[oE] based. I also use track and balance on
both interfaces and do some tc based routing.
I'm
Brian J. Murrell wrote:
At least in shorewall 4.0.6, the optional interfaces OPTION does not
appear to be documented.
b.
man shorewall-interfaces maybe?
4.0.8 4.0.9 have entries
Jerry
Brian J. Murrell wrote:
On Sat, 2008-03-22 at 14:25 -0500, Jerry Vonau wrote:
See Andrew's reply on this issue for context on answers below...
In /etc/ppp/ip-down(.local) you could source the other provider's
routing table, replace the default gateway in the main table with such
info
Andrew Suffield wrote:
On Sat, Mar 22, 2008 at 04:22:40PM -0500, Jerry Vonau wrote:
No, it's looking for preexisting gateways in the main table which were
removed with the network scripting.
I don't think so. As I said in my original post, I have traced and
tracked through the networking
Daniele Pizzolli wrote:
Hi All,
I'm trying to use shorewall to manage the firewall of a xen dom0
installation but not for the bridges.
I'm using shorewall-perl 4.0.8-1 on a Debian testing.
Basically I want to allow all traffic between the virtual interfaces
connected to the bridge
Guilsson . wrote:
I have 2 firewalls with 8 interfaces each in HA. Two interfaces of
them are CORPorate and DMZ.
Since I have some devices in DMZ with different default gateway (some
points to FW1 and others to FW2), I needed to create a quite complex
setup of inclusions/exclusions and
Tom Eastep wrote:
Tom Eastep wrote:
Francesco Saverio Giudice wrote:
Hi All,
I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
CentOS and Kernel 2.6.24 recompiled with netfilter options)
Some days ago I have upgraded configuration from a 3.x version
(single ISP) to
Brian J. Murrell wrote:
Hey you updated the /sbin/dhclient-script in 1999.
On Tue, 2008-02-12 at 19:29 -0600, Jerry Vonau wrote:
My, what you miss when you're sleeping...
If you're talking init scripts here, right?
Well, initscripts in terms of any
of /etc/init.d, /sbin/dhclient-script /etc
Brian J. Murrell wrote:
Part of the problem is the inflexibility of various players. Everything
that deals with routing assumes a single main routing table when in a
more complex world that's not the case and there is no ability to step
in and change that. That's why shorewall's hacks to
Hese wrote:
Sounds like you're missing a matching SNAT entry in masq:
eth0 VM ip EXT IP tcp 80
Jerry
It was missing indeed, but it seems that adding it does not have any
effect on the problem.
So much for the easy guess, can you post a dump please.
Jerry
Brian J. Murrell wrote:
On Fri, 2007-12-28 at 18:22 -0600, Jerry Vonau wrote:
Brian J. Murrell wrote:
and given the CGCO routing table:
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
67.193.45.68 dev eth0.1 scope link
192.168.200.1 dev ppp0 proto kernel scope link src
Kenneth Gonsalves wrote:
hi,
I am running shorewall 3.2.9 on Mandriva2007 with 2 ISPs. Certain
local IPs are directed to a specific ISP in route_rules, and this was
working perfectly. I had to reinstall Mandriva, and after that this
redirection is not working. My files are:
masq:
eth1
Vernon A. Fort wrote:
Attempting to setup a dual ISP on a gentoo box but I'm not sure how to
configure the routing in the /etc/conf.d/net configuration file. Does
shorewall do all the routing or do I set just the default route to the
PRIMARY outbound ISP?
Vernon
I'd set the gateway
Mike wrote:
Something is weird with this mail client.. had to copy paste
Mike wrote:
I have tried the following for some test until Glenn and I try passing Tos
bit through openvpn with the passtos directive which seems to be supported
now with openvpn. In my case here there is traffic
Glenn Tarbox, PhD wrote:
Hello,
So, I've gotten OpenVPN and Shorewall working in most places... just not
where it really matters (typical :-)
It seems straightforward in many ways... but, my first guess would be that
there's a problem with traffic shaping tables and what the chains end up
James Gray wrote:
Hi All,
We currently have two ISP's set up using QoS and other goodies being managed
by Shorewall 4.0.4-1 (Perl). Everything is working nicely. However, we
would like to port forward (destination NAT) a range of ports for one ISP
only. The other ISP should not allow
see man shorewall-rules for more info.
too fast with the send
example #5
Jerry
[EMAIL PROTECTED] wrote:
I'm trying to set up a multi-ISP configuration (using the latest bering-uClibc
3.1-beta1), and began reading the corresponding doc:
http://www.shorewall.net/3.0/MultiISP.html
I am not clear on how the DNS resolution happens if a DNS request
from one provider goes
Tom Eastep wrote:
Nico Pagliaro wrote:
Hi, I need some help in this problem:
I am having this problem:
I have my vpn client with openvpn and my shorewall firewall at work with
openvpn server (in the same server)
Now, I need to route my vpn client traffic to this IP:74.53.205.xxx to
be
Tom Eastep wrote:
Jerry Vonau wrote:
Tom Eastep wrote:
Jerry Vonau wrote:
snip
If that is indeed the case then your tip about the route_rules example in
the Multi-ISP doc should solve the problem. The cause of the failure is that
return traffic from 74.53.205.xxx is mis-routed.
I agree
Nico Pagliaro wrote:
Yes, that's right!!
And it works!!! The only thing that I was missing was to copy the tun0 interface
in providers.
Now, this works fine in my lab, but in production I have another Shorewall
(older) 3.4.2 and I have made the same, but with no luck ;(
look, when I try from my
Nico Pagliaro wrote:
###
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
nic net ACCEPT info
nic fw
Ziga Milek wrote:
I have a PC router that runs Ubuntu Server 7.04 (kernel version
2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of the
computers connected to it I run an FTP server. The problem is I cannot
connect to it from outside. The ftp server is set up using serv-u.
Ziga Milek wrote:
When i try to connect to it using flashfxp it says:
[22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
[22:16:17] [R] Connecting to cauchy.homeip.net - DNS=cauchy.homeip.net IP=89.212.9.43 PORT=21
[22:16:18] [R] Connection failed (Connection refused)
[22:16:18] [R]
Mike Lander wrote:
Hi Jerry,
I think my whole trouble was masq file the only entry I had
was the first entry below which Tom helped me with that!
I cannot seem to grasp the entries in the masq even though if
I read an existing masq entry I can follow the meaning of it.
The best way
Wilson A. Galafassi Jr. wrote:
hello to all.
I have a question about the configuration for 2 ISPs in the providers file and
masq file.
my interfaces:
eth0: 192.168.1.254 - loc1
eth1: 172.16.0.254 - net (adsl1)
eth2: 10.1.1.253 - loc2
eth3: 192.168.0.254 - net (adsl2)
my question in
Mike Lander wrote:
snip
: Currently the network is using routeback and static routes
: to route specific traffic to the natted ISP gateway. The only solution I
: could
: think of was, I asked the ISP if they could change the currently
: natted gateway (lan ip on internal) to a
James Gray wrote:
On Wed, 15 Aug 2007 09:55:06 am Tom Eastep wrote:
James Gray wrote:
Tom Eastep wrote:
James Gray wrote:
I thought I followed all the docs but I feel like I've missed something
really basic.
Like maybe Shorewall FAQ 57?
-Tom
Thanks Tom. I really appreciate the fast
Michael Cozzi wrote:
Hi all,
3.5 hours and counting...
This works:
(masq file)
eth1 eth0
eth1 eth3
This doesn't:
eth1 eth0
eth2 eth3
Why?
I'll bet eth1 has the default gateway...
FWIW, I have never been able to get
Michael Cozzi wrote:
Hi all,
I've got a network that has to be back up in less than 6 hours (it's
12:33am here)
Here's my problem:
I have two rfc 1918 subnets on the same ethernet card:
LAN1 192.168.0.0/24
LAN2 192.168.1.0/24
I have two ISP's:
Michael Cozzi wrote:
Jerry,
It looks like this:
TDS1 1 1 - eth1 134.215.238.201
TDS2 2 2 - eth3 134.215.230.225
Try:
TDS1 1 1 main eth1 134.215.238.201 track,balance locif
TDS2 2 2 main eth3 134.215.230.225
Mark wrote:
Greetings,
I have a Shorewall configuration with 2 WAN subnets bound to eth0 and eth1
and 2 LAN interfaces bound to eth2 and eth3. We have a web/e-mail server on
eth3 in the 192.168.30.0/24 subnet at 192.168.30.10. I have 2 rules to DNAT
TCP traffic on ports 80 and 110 arriving
Jan Mulders wrote:
Hello all.
Having a few troubles with ProxyARP - Despite being configured in what
looks to be a correct manner, my server is not responding to incoming ARP
queries.
Take a look:
One machine (external to this entire network) pinging 67.159.49.180, a
client on my VPN
Jan Mulders wrote:
After noting your observations regarding a lack of being able to ping .177,
I have successfully diagnosed that there was a missing route to this IP
address (because I was using a /24 netmask for my tun0 interface).
Some further investigation to try and obtain the right
a bit on ETH2 and ETH3 because I removed
the box from the live connections and have created a mock setup with
slightly different addresses.
Thanks,
Grant
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jerry Vonau
Sent: Thursday, May 24, 2007 10
Grant Scheffert wrote:
I've been using Shorewall on an older box for 3 years and it has worked
fabulous. But we've expanded to having 2 ISPs so I'm building a new
Fedora 6 firewall with Shorewall 3.4.2 and 4 NICs.
I'm having a problem with outgoing connections when I add the track
option
Jerry Vonau wrote:
Grant Scheffert wrote:
snip
# Shorewall version 3.4 - Providers File
#
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth2 216.x.y.33 track,balance ETH0
ISP2 2 2 main eth3
mess-mate wrote:
Jerry Vonau [EMAIL PROTECTED] wrote:
| mess-mate wrote:
| Jerry Vonau [EMAIL PROTECTED] wrote:
| | mess-mate wrote:
| | I'm running version 3.2.6 on a debian system.
| |
| | And ETH0_IP=find_first_interface_address eth0
| | is not recognized.
| | What did i
mess-mate wrote:
Jerry Vonau [EMAIL PROTECTED] wrote:
| mess-mate wrote:
| I'm running version 3.2.6 on a debian system.
|
| And ETH0_IP=find_first_interface_address eth0
| is not recognized.
| What did I do wrong?
| best regards
| mess-mate
Sorry for the delay in responding, family issues..
Leandro wrote:
I donĀ“t want to balance outgoing traffic, only incoming traffic go out by
same interfase that they come.
From my experence, without balance nothing works right... Having said
that, you could then give your preferred isp a
Wow.. It's been a while...
Brian J. Murrell wrote:
On Wed, 2007-02-07 at 07:23 -0800, Tom Eastep wrote:
Your problem is how to handle VPN interfaces in a multi-ISP environment --
Not quite even. It's how to make the DUPLICATEd routing tables receive
the same updates that the table it's
Ken D'Ambrosio wrote:
Sorry for the somewhat contorted subject heading -- but it describes what
I'd like to do. I've got a T1 coming in, and a cable modem as backup in
case the T1 flakes out. The host I'm interested in tweaking sits on a
10.x.x.x network -- it sees the T1 as 10.20.1.1 and