Re: [Shorewall-users] Alternative to Linux/ProxyARP with BSD Unix

2019-07-23 Thread Lee Brown
On Tue, Jul 23, 2019 at 8:41 AM Simon Matter via Shorewall-users < shorewall-users@lists.sourceforge.net> wrote: > Hi, > > We're using proxyarped hosts as described here > http://www.shorewall.org/ProxyARP.htm to run firewalls without the hassle > of doing NAT. It works so well that I was wonderin

Re: [Shorewall-users] Unexpected behaviour with shorewall check

2018-11-27 Thread Lee Brown
My bad. I had a call in the initdone script which caused this. On Mon, Nov 26, 2018 at 2:19 PM Tom Eastep wrote: > On 11/26/18 7:55 AM, Lee Brown wrote: > > Version 4.6.1.2 / CentOS 6.10 > > > > I have a rule: > > DROP isp:+bogons all > > > > I m

[Shorewall-users] Unexpected behaviour with shorewall check

2018-11-26 Thread Lee Brown
Version 4.6.1.2 / CentOS 6.10 I have a rule: DROP isp:+bogons all I made a minor change to the ip list, then performed: shorewall check This loaded the new ip list into the shorewall configuration. I would not expect a check command to affect the active configuration. Regards - - lee On Sun,

Re: [Shorewall-users] shorewall.net

2018-10-01 Thread Lee Brown
It was back when I checked a little while ago. On Mon, Oct 1, 2018 at 8:30 PM, teastep wrote: > Hi Erich, > > The domain expired on Sept 28, and I just renewed it today. So it should > reappear as DNS gets updated. > > Tom > > Sent via the Samsung Galaxy S8, an AT&T 4G LTE smartphone > > ---

Re: [Shorewall-users] How can I...?

2018-07-29 Thread Lee Brown
On Sun, Jul 29, 2018 at 9:28 AM, Simon Hobson wrote: > Tom Eastep wrote: > > >> will look like with the new configuration /before/ I activate it and > >> possibly cut myself off because of my bad routing setup. > > > There is no current way to do what you are asking for. > > But there is the saf

[Shorewall-users] How can I...?

2018-07-28 Thread Lee Brown
Shorewall 5.1.10.2 I can preview the iptables that shorewall will generate with this #shorewall check -r | less I can preview the generated firewall script #shorewall compile /tmp/sw which requires (unreliable) human parsing. Can I preview the rule and routes that will be generated more easily t

Re: [Shorewall-users] Snort with Shorewall ?

2018-05-25 Thread Lee Brown
On Fri, May 25, 2018 at 4:36 PM, Tom Eastep wrote: > On 05/25/2018 02:55 AM, Toussaint OTTAVI wrote: > > Hi all, > > > Is there any recent howto about installing Snort with Shorewall in IPS > > mode (ie, drop attacks, not just report them) ? > > > > Unfortunately there is not such a howto. > >

Re: [Shorewall-users] Snort with Shorewall ?

2018-05-25 Thread Lee Brown
On Fri, May 25, 2018 at 7:01 PM, Lee Brown wrote: > On Fri, May 25, 2018 at 4:36 PM, Tom Eastep wrote: > >> On 05/25/2018 02:55 AM, Toussaint OTTAVI wrote: >> > Hi all, >> > >> Is there any recent howto about installing Snort with Shorewall in IPS >>

Re: [Shorewall-users] NFTables on the roadmap?

2016-11-03 Thread Lee Brown
On Mon, Oct 31, 2016 at 11:27 AM, Tom Eastep wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 10/31/2016 10:44 AM, Ob Noxious wrote: > > Hi, > > > > You probably already know most of its contents but here's a nice > > introduction to NFTables: > > > > http://developers.redhat.com

Re: [Shorewall-users] Disable SIP Helpers in CentOS 5.9

2015-11-02 Thread Lee Brown
Per FAQ 77 > If your kernel version is 2.6.20 or earlier: > > rmmod ip_nat_sip > rmmod ip_conntrack_sip > > maybe On Mon, Nov 2, 2015 at 9:54 AM, Ryan Joiner wrote: > Hello - I run Centos 6 on many firewalls and am able to turn off the SIP > helpers by running

Re: [Shorewall-users] Shorewall module Sip

2015-09-16 Thread Lee Brown
Tom is right. You will need something like an Ingate SIParator, which is a box that inspects and re-writes the packets as it forwards (SIP is designed for a LAN). We had to purchase one of these to connect a node on our commercial ShoreTel system to

Re: [Shorewall-users] SIP messaging - Masquarading troubles

2015-05-14 Thread Lee Brown
On Thu, May 14, 2015 at 3:28 PM, Eric Koome wrote: > Hi all, > > I have two servers with public and private IP address running a sip proxy on > eth0 and asterisk box on eth1. Each box is running Shorewall 4.5.21. Making > calls within a server is fine but I would like the sip proxy to also use

Re: [Shorewall-users] Problem with H323 Helpers

2015-04-13 Thread Lee Brown
On Sun, Apr 12, 2015 at 7:48 PM, Mike Lander wrote: > > > > > > > > What you need to do is: > > > > a) Edit /etc/shorewall/conntrack and comment out the H323 part: > > > > # ?if __CT_TARGET && __H323_HELPER > > # CT:helper:RAS all - udp 1719 > > # CT:helper:Q.931 all - tcp 1720 > > # ?endif > > >

Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread Lee Brown
> Shorewall can't tell you the pid because Netfilter doesn't provide a > capability that would allow Shorewall to request the PID in log messages! > >> >> I can't believe that no one's ever thought of these things before. >> > > Shorewall is a firewall configuration tool, not an IDS. If you want an

Re: [Shorewall-users] Manually specify gateway MAC

2014-07-06 Thread Lee Brown
On Sun, Jul 6, 2014 at 9:48 AM, Tom Eastep wrote: > On 7/6/2014 8:57 AM, Tom Eastep wrote: >> On 7/6/2014 7:55 AM, Tom Eastep wrote: >>> On 7/6/2014 3:08 AM, Lee Brown wrote: >>>> Hi, >>>> >>>> One of the providers I use has their gateway

[Shorewall-users] Shorewall 4.6.1.2 / CentOS6.5 / ipset / SELinux

2014-07-06 Thread Lee Brown
Dear All, I could find no reference to SELinux in the documentation to this, hopefully it helps others. When I added ipset into the mix and played around from the command line, everything worked as expected. However during boot, shorewall complains: 00:36:00 ERROR: ipset names in Shorewall confi

[Shorewall-users] Manually specify gateway MAC

2014-07-06 Thread Lee Brown
Hi, One of the providers I use has their gateway on the other side of a radio bridge several miles away. Occasionally the MAC detection that Shorewall does fails and prevents Shorewall from starting. Is there a way to specify the MAC address manually for these gateways in the providers file? I

Re: [Shorewall-users] rtrule that changed based on time-of-day

2014-06-24 Thread Lee Brown
On Tue, Jun 24, 2014 at 5:14 AM, Brian J. Murrell wrote: > > On Mon, 2014-06-23 at 08:29 -0700, Tom Eastep wrote: > > > > I would be much more willing to add a TIME column to the mangle > > (formerly tcrules) file. > > Fair enough. I just mentioned tcrules since I don't have mangle file > support

[Shorewall-users] Documentation out of date links

2014-06-11 Thread Lee Brown
The useful links page has a few problems: NIST guide http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf PPPS - good Netfilter site - good LARTC - good Clustering - good Iproute - obsolete? Iproute2 Downloads - https://www.kernel.org/pub/linux/utils/net/iproute2/ LEAF - g

Re: [Shorewall-users] shorewall show filters not working

2014-05-27 Thread Lee Brown
On Sun, May 25, 2014 at 7:11 PM, Lee Brown wrote: > On Sun, May 25, 2014 at 11:31 AM, Tom Eastep wrote: >> >> On 5/24/2014 11:18 AM, Lee Brown wrote: >> > On Fri, May 23, 2014 at 9:19 AM, Tom Eastep wrote: >> >> On 5/22/2014 7:35 PM, Lee Brown wrote: >

Re: [Shorewall-users] shorewall show filters not working

2014-05-25 Thread Lee Brown
On Sun, May 25, 2014 at 11:31 AM, Tom Eastep wrote: > > On 5/24/2014 11:18 AM, Lee Brown wrote: > > On Fri, May 23, 2014 at 9:19 AM, Tom Eastep wrote: > >> On 5/22/2014 7:35 PM, Lee Brown wrote: > >>> Hi list, > >>> > >>> I recently in

Re: [Shorewall-users] shorewall show filters not working

2014-05-24 Thread Lee Brown
On Fri, May 23, 2014 at 9:19 AM, Tom Eastep wrote: > On 5/22/2014 7:35 PM, Lee Brown wrote: >> Hi list, >> >> I recently installed shorewall 4.5.21.9 on Centos6.5 (2.6.32) on metal >> and another install of 4.6.0 on Slackware 14.1 (3.10.17) in a KVM under >>

[Shorewall-users] shorewall show filters not working

2014-05-22 Thread Lee Brown
Hi list, I recently installed shorewall 4.5.21.9 on Centos6.5 (2.6.32) on metal and another install of 4.6.0 on Slackware 14.1 (3.10.17) in a KVM under it. I notice that on both these systems shorewall show filters iterates the devices but provides no output. I believe the 'tc' tool may have cha

Re: [Shorewall-users] multi ISP - port based routing

2014-04-01 Thread Lee Brown
On Tue, Apr 1, 2014 at 2:25 PM, İlker Aktuna wrote: > Yes. In fact, that's my real problem. > When I try to connect to my SIP proxy (Asterisk) from internet, I come > from ppp0 address. > However, Asterisk decides to reply with ppp1 address sometimes. And then I > can not register, because my sip

Re: [Shorewall-users] multi ISP - port based routing

2014-04-01 Thread Lee Brown
On Tue, Apr 1, 2014 at 2:25 PM, İlker Aktuna wrote: > Yes. In fact, that's my real problem. > When I try to connect to my SIP proxy (Asterisk) from internet, I come > from ppp0 address. > However, Asterisk decides to reply with ppp1 address sometimes. And then I > can not register, because my sip

Re: [Shorewall-users] multi ISP - port based routing

2014-04-01 Thread Lee Brown
On Tue, Apr 1, 2014 at 2:25 PM, İlker Aktuna wrote: > Yes. In fact, that's my real problem. > When I try to connect to my SIP proxy (Asterisk) from internet, I come > from ppp0 address. > However, Asterisk decides to reply with ppp1 address sometimes. And then I > can not register, because my sip

Re: [Shorewall-users] quagga zebra + shorewall Strange Problem

2013-09-14 Thread Lee Brown
On Sat, Sep 14, 2013 at 9:01 AM, Tom Eastep wrote: > On 09/14/2013 08:17 AM, Tom Eastep wrote: > > FWIW, my failed experiments were on my main gateway that runs Debian 7. > And the Shorewall configuration that works on Foobar 6 fails on Debian 7. > -Tom FYI, Works fine on CentOS 5 too. [CA

Re: [Shorewall-users] Fwd: Where to put custom rules

2013-09-07 Thread Lee Brown
On Sat, Sep 7, 2013 at 5:33 PM, Tom Eastep wrote: > On 9/7/2013 5:08 PM, Lee Brown wrote: >> Hi All, >> >> I have a custom TC configuration where I'm building the tc hierarchy >> manually with the tcstart script. I also need to add custom iptables >> rul

[Shorewall-users] Fwd: Where to put custom rules

2013-09-07 Thread Lee Brown
Hi All, I have a custom TC configuration where I'm building the tc hierarchy manually with the tcstart script. I also need to add custom iptables rules in the mangle table to classify the packets. Currently I'm using started to insert the iptables commands, but that's way too late in the process.

Re: [Shorewall-users] NAT/masq out of specific IP with multi-ISP

2013-09-05 Thread Lee Brown
On Thu, Sep 5, 2013 at 2:40 PM, Tracy Reed wrote: > I've got a few bucks available for a really good Shorewall consultant > since I > haven't yet been able to figure this one out myself... > > On Tue, Sep 03, 2013 at 11:49:22AM PDT, Tracy Reed spake thusly: > > Hello all, > > > > I am running sho

Re: [Shorewall-users] sip conntrack dropping packets?

2013-08-21 Thread Lee Brown
On my CentOS 6.4 box (2.6.32-358.14.1.el6.x86_64) I found that nf_conntrack_sip and nf_nat_sip caused problems with sip traffic (silently dropping traffic) and I run without them. I was getting random non connection issues (failed registration) before I removed those modules. My regular custom tr

[Shorewall-users] 3 HFSC questions

2013-08-10 Thread Lee Brown
Hi All, I know this isn't Shorewall specific, but I've found the best information on the math behind the HFSC calculations in the shorewall documentation. Please feel free to point me somewhere else. Regarding this paragraph: Assume that both class

Re: [Shorewall-users] Inbound traffic policing

2013-06-09 Thread Lee Brown
affic > and your outbound traffic is clearly limited by 3mb/s. So if you only > provide normal services with lots more outbound traffic than inbound > traffic then you should be fine without any traffic policing. But as I said > prior I'm no expert, so if someone can prove me wrong,

[Shorewall-users] Inbound traffic policing

2013-06-08 Thread Lee Brown
Hi everybody, This is not strictly a Shorewall question, so please feel free to point me at the right book, technical something to consume. This will be TCP traffic and my TCP knowledge is weak. I have a possible scenario coming up like this: SiteA -- MPLS@3mb/s -- SiteB -- Internet@50mb/s Obv

Re: [Shorewall-users] Shorewall Setup Suggestions Requested

2013-04-24 Thread Lee Brown
ing from scratch, I'd recommend steering away from the default VLAN which is typically 1 for network devices -- at least if you are security conscious. I wasn't aware of this coming in. This means if I don't configure a port specifically,

Re: [Shorewall-users] failover setup

2012-09-18 Thread Lee Brown
On Mon, Sep 17, 2012 at 8:44 AM, Tom Eastep wrote: > On 09/17/2012 06:06 AM, Vieri Di Paola wrote: > > Hi, > > > > I would appreciate it if I could get some advice before setting up a > firewall with a failover procedure. > > > > Network layout: > > > > loc1 > > | > > net

Re: [Shorewall-users] DHCP/MAC/IP filtering

2012-05-26 Thread Lee Brown
On Sat, May 26, 2012 at 4:11 AM, Ed W wrote: > On 23/05/2012 20:50, Lee Brown wrote: > > Oh, I hadn't realized that, thank you. Shorewall is only used to > > configure iptables, I modify chains directly after that as my > > shorewall restart cycle is rather slow

Re: [Shorewall-users] DHCP/MAC/IP filtering

2012-05-23 Thread Lee Brown
On Wed, May 23, 2012 at 12:28 PM, Simon Hobson wrote: > Lee Brown wrote: > > >I'm sorry Tom, but I don't understand how the leases assigned from > >the DHCP server automatically add MAC's it has given an address out > >to, nor remove MAC's for ex

Re: [Shorewall-users] DHCP/MAC/IP filtering

2012-05-23 Thread Lee Brown
On Wed, May 23, 2012 at 10:39 AM, Tom Eastep wrote: > On 05/23/2012 08:06 AM, Lee Brown wrote: > > Hello everybody, > > > > Is there a tool that can, for a new connection, verify that the RFC1918 > > IP match what was assigned by DHCP? (firewall gateway with DHCP for &

[Shorewall-users] DHCP/MAC/IP filtering

2012-05-23 Thread Lee Brown
iling around on google has yielded nothing helpful. I'm not the best at guessing good search terms, so please feel free to throw those at me. Thank you, Lee Brown

Re: [Shorewall-users] Multiple ISP / USE_DEFAULT_ROUTE issue

2012-01-18 Thread Lee Brown
On Tue, Jan 17, 2012 at 12:59 PM, Tom Eastep wrote: > > On Jan 17, 2012, at 11:22 AM, Lee Brown wrote: > > > > On Tue, Jan 17, 2012 at 10:29 AM, Tom Eastep wrote: > >> On 01/17/2012 08:25 AM, Lee Brown wrote: >> > Hi Tom, >> > >> > With USE

Re: [Shorewall-users] Multiple ISP / USE_DEFAULT_ROUTE issue

2012-01-16 Thread Lee Brown
On Sun, Jan 15, 2012 at 1:28 PM, Tom Eastep wrote: > > > I've have a shorewall dump before/after these changes if somebody is > interested in looking over it all. It's about 100K compressed. > > > Please tar up the dump along with /etc/shorewall. > That was over 128k and got rejected. Is it OK

[Shorewall-users] Multiple ISP / USE_DEFAULT_ROUTE issue

2012-01-15 Thread Lee Brown
Shorewall version: 4.4.19 I need a little advice before flailing around some more :) I have a multi-ISP setup using 5 providers which works very nicely. I'm trying to introduce OSPF routing updates into the picture but the software only updates the main routing table, which poses a problem for me

Re: [Shorewall-users] Multi-ISP question

2011-12-04 Thread Lee Brown
On Wed, Nov 30, 2011 at 5:00 PM, Tom Eastep wrote: > On Wed, 2011-11-30 at 12:23 -0800, Lee Brown wrote: > > On Wed, Nov 30, 2011 at 10:47 AM, Tom Eastep > > wrote: > > > What exactly is your concern with connection tracking? Can't you > > simply disable the i

Re: [Shorewall-users] Multi-ISP question

2011-11-30 Thread Lee Brown
On Wed, Nov 30, 2011 at 10:47 AM, Tom Eastep wrote: > > On Nov 29, 2011, at 7:32 PM, Lee Brown wrote: > > I currently have a multi-ISP config and it's working great. Host is a > CentOS5.4 machine. Shorewall 4.4.19.1 > > I've been asked to add a new ISP which

[Shorewall-users] Multi-ISP question

2011-11-29 Thread Lee Brown
1.7:192.168.0.0/24 eth1.9:!(10.0.0.0/8,192.168 ... etc...) eth1.7:192.168.0.0/24 eth1.5:!(10.0.0.0/8,192.168 ... etc...) Any suggestions are most welcome, Lee Brown

[Shorewall-users] Logging specific Classified packets

2011-04-23 Thread Lee Brown
Hi All, I'm not convinced I have my tcrules correctly setup and looking at the counters in the mangle table's tcpost doesn't really help much as I can't tell what is the final match. Is there a way to match packets in iptables based on the classifier? i.e. so I can LOG packets classified with 1:1

Re: [Shorewall-users] Turning providers on/off

2011-04-21 Thread Lee Brown
> > Hi, > > I have a multi-ISP situation (working well) whereby I need to turn off one > of my ISP's once a cap has been reached. > I can turn it off quite easily by replacing the default route in the main > table: > > default > nexthop via 10.1.5.3 dev eth1.5 weight 1 > nexthop vi

[Shorewall-users] Turning providers on/off

2011-04-20 Thread Lee Brown
Hi, I have a multi-ISP situation (working well) whereby I need to turn off one of my ISP's once a cap has been reached. I can turn it off quite easily by replacing the default route in the main table: default nexthop via 10.1.5.3 dev eth1.5 weight 1 nexthop via XX.XXX.XX.33 dev

[Shorewall-users] Upgrade Question

2011-04-17 Thread Lee Brown
Hi all, I'm currently running Shorewall 4.4.0.2 on CentOS5.4 (2.6.18-164.15.1.el5) and plan to upgrade ShoreWall to current. In order to do the upgrade, do I need to walk through each point-release (ie 4.4.1, 4.4.2, 4.4.3) or can I jump to the latest version? I'm having problems with MASQ/SNAT w