On Thu, Jun 4, 2009 at 1:03 PM, Ljubomir Ljubojevic
off...@plcomputers.net wrote:
Can not say how to
do that in shorewall.
Just add more IPs in the destination field of the DNAT. Iptables will do
round-robin between them. This will not work if your application needs
session-tracking for
On Fri, Dec 12, 2008 at 1:47 AM, Harry Lachanas grha...@freemail.gr wrote:
If, say, openvpn is running on the firewall, should it be started with
a) --local 0
or
b) --local xx.xx.xx.xx
???
And if you're running with multiple interfaces, you better be running
OpenVPN 2.1RC with --multihome.
We certainly would need a shorewall dump to figure this out.
Prasanna.
On Fri, Nov 7, 2008 at 12:33 PM, [EMAIL PROTECTED] wrote:
I've blocked an IP-range in my blacklist-file. The row in the file looks
like this:
88.191.0.0/16
This should block any and all traffic from addresses in the
On Fri, Nov 7, 2008 at 2:00 PM, [EMAIL PROTECTED] wrote:
On Fri, Nov 7, 2008 at 12:33 PM, [EMAIL PROTECTED] wrote:
I've blocked an IP-range in my blacklist-file. The row in the file looks
like this:
88.191.0.0/16
Do you have blacklist in the interfaces file for the WAN interface?
Weird,
There's no blacklist chain in your dump. I have 4.0 and there's a
blacklist chain created with a drop from this subnet.
Not sure if this is a regression in 4.2.x that you're using.
Prasanna.
On Fri, Nov 7, 2008 at 2:27 PM, [EMAIL PROTECTED] wrote:
Yes. All the regular entries work.
On Thu, Aug 28, 2008 at 11:48 AM, Phibee Network Operation Center
[EMAIL PROTECTED] wrote:
Prasanna Krishnamoorthy wrote:
On Thu, Aug 28, 2008 at 10:58 AM, Phibee Network Operation Center
[EMAIL PROTECTED] wrote:
Hi
I am searching for a solution in shorewall to increase the TCP wait time
On Tue, Aug 12, 2008 at 5:13 AM, Keith Mitchell [EMAIL PROTECTED] wrote:
Is this legal?
In a multi-isp setup, is it legal to setup an internal host in the
shorewall/nat file with the same IP and two different external ip's?
It should work (not used it myself)
Now depending on your default
On Tue, Apr 22, 2008 at 11:29 AM, Joseph L. Casale
[EMAIL PROTECTED] wrote:
If you need to access the ADSL modem from your LAN, you need to give
eth0 an IP in the same range as the ADSL modem's LAN IP and you can
put eth0 in the WAN zone I guess.
Well, it's more complicated than that :) I
On Tue, Apr 22, 2008 at 11:17 AM, Joseph L. Casale
[EMAIL PROTECTED] wrote:
What do I do about eth0 in the shorewall configuration ?
Nothing.
-Tom
Tom, I hate to hijack the OP's thread but I was literally about to post
regarding the same topic. Is it the most secure way in the
On Nov 20, 2007 2:25 AM, Adam Niedzwiedzki [EMAIL PROTECTED] wrote:
Hi guys,
I'm looking at setting up LVS (Linux Virtual Server) on my router/firewall
machine. (I'm using keepalived to do it)
I'm using shorewall for the firewall setup, there is NO masq on the firewall
config.
On Nov 7, 2007 5:37 AM, Tom Eastep [EMAIL PROTECTED] wrote:
Example:
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25
A TCP packet from 192.168.1.44 with destination port 25 would end
up with a mark value of 0x300 whereas the
On Nov 7, 2007 8:35 AM, Tom Eastep [EMAIL PROTECTED] wrote:
Prasanna Krishnamoorthy wrote:
If I add a mark for traffic shaping in this case, prior to the above
two rules, making them look like
0x11 192.168.1.44 0.0.0.0/0
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0
. If the destination
port is on the firewall, then you need only an accept.
Prasanna.
Prasanna Krishnamoorthy [EMAIL PROTECTED] wrote:
On 10/26/07, Wilson Kwok wrote:
Hello,
We have a video conference server using tcp and udp port 3001
internally,
external users said that they can't connect to the video server
On 10/26/07, alex [EMAIL PROTECTED] wrote:
Hi Tom!
I found one bug with parsing macro file when i want to use
'ORIGINAL DEST' parameter. When i create macro file with follow
content:
You may want to say what version of shorewall you are using.
Prasanna.
--
www.elinanetworks.com
On 10/26/07, Wilson Kwok [EMAIL PROTECTED] wrote:
Hello,
We have a video conference server using tcp and udp port 3001
internally,
external users said that they can't connect to the video server and held on 3001 fail,
the following is file configuration,
nat: 1.2.3.4 eth1:3
On 10/12/07, Bart Verstraete [EMAIL PROTECTED] wrote:
Ping/ACCEPT
net:proxy.ovh.net,proxy.p19.ovh.net,proxy.rbx.ovh.net,ping.ovh.net $FW
...
would it be possible if the domain name is a dynamic ip?
Shorewall tries to resolve the IP once on 'shorewall start', and adds
this into iptables.
On 10/12/07, Andrew Suffield [EMAIL PROTECTED] wrote:
Hint: don't bother. Those were all authentication *failures*, so your
system is already secure. You don't have an issue.
Simple trick, change the port.. Works against most of the port
scanning bots. Also, don't have root account allowed to
On 10/12/07, Bart Verstraete [EMAIL PROTECTED] wrote:
I don't think the ovh.net domain names are dynamic? But if I use that
rule I also can ping it from my private dynamic ip? And that I don't
want! Then you can ping it from other pc's too.
No, if you use the rules you've given you can ping
We use samba + squid. Not integrated with shorewall, if by that
you mean only samba authenticated users' IP's are allowed in
shorewall.
Prasanna.
On 8/21/07, Louis Kruger [EMAIL PROTECTED] wrote:
Has anybody used this trio especially for authentication of users on the
local net before
On 8/15/07, Linux Advocate [EMAIL PROTECTED] wrote:
But tom, my understanding of traffic within a zone is
correct right? shorewall doesn't do anything to
traffic in a zone , between machines/ printers right?
assuming that the printer and machine are on the same switch, the
traffic will not even
On 5/28/07, Simon Hobson [EMAIL PROTECTED] wrote:
You can't do that with a packet filter - you need to use a proxy that
understands the semantics of the HTTP protocol and can filter based
on the site name rather than the IP address.
Squid proxy + squidguard, or dans guardian.
Use a whitelist
Hello,
On 5/23/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
We've tried to add it to our gateway machine and have been unsuccessful in
doing anything other than allowing vpn users to see the gateway machine on
the LAN. Perhaps we are using the wrong syntax in adding a static route?
The
On 5/1/07, Frank Parker [EMAIL PROTECTED] wrote:
When typing ifconfig
I get eth1 and lo
I do not see the eth0 the connection between router/modem.
I wanted to set up a two interface firewall but it seems that my computer
does not recognize the eth0 interface.
I still have internet
On 4/27/07, Mark J Hewitt [EMAIL PROTECTED] wrote:
I have seen lots of posts regarding VPN tunnels, but I'm still not
getting the Shorewall config right, so here is my first post asking for
help!
I think that you're going to have to make a nice network diagram and
host it somewhere. I can't
On 4/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Basically I want to do this: allow unrestricted VPN traffic to flow through
the servers (which works now, thanks to your articles), but not allow access
to any service to anyone unless they are on the vpn. (unable to check email,
download
Hi All,
I need to setup some pure L2TP (no IPSEC) tunnels over a private
network. Basically there'll be ppp on L2TP on UDP.
I use shorewall to configure the firewall. Thanks Tom!
Looks like L2TP needs a conntrack module, since the data connection
which is setup is on a different (dynamic) port
nameif does exactly what you've described - fix the interface name and
mac address.
You'll need to put in a mactab file, and make sure nameif runs at the
beginning of your /etc/init.d/networking
You can give whatever names you want - wan0, lan0, dmz0, or anything
else.. some programs might crib
On 3/29/07, Tristan DEFERT [EMAIL PROTECTED] wrote:
But: cannot reach DMZ A from DMZ B nor DMZ B from DMZ A.
Under a normal setup of a DMZ, outgoing connections from the DMZ are
blocked. That's the point of the DMZ right? How is your DMZ rule
setup?
So if somebody can give me any clue that may allow
On 3/28/07, Toralf Niebuhr [EMAIL PROTECTED] wrote:
I use dnsmasq on my router.
and I configured dhcpd like this
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.99;
option domain-name-servers 192.168.0.1;
option netbios-name-servers 192.168.0.1;
In the dump you sent, I see
tcp 6 431984 ESTABLISHED src=192.168.0.11 dst=209.85.129.147
sport=1092 dport=80 packets=5 bytes=711 src=209.85.129.147
dst=89.62.111.143 sport=80 dport=1092 packets=4 bytes=2376 [ASSURED]
mark=0 use=1
which implies that the connection was established and packets
On 3/6/07, Mikael Kermorgant [EMAIL PROTECTED] wrote:
Thank you very much for all these answers. I'll try to protect these
virtual hosts in another way.
The best way to do it is to setup the VM interface in 'host-only'
mode. This basically forwards all traffic from the VM onto one of the
vmnetX
Is your application even running on localhost? Sounds like it isn't.
Try
netstat -anp | grep 2048
and make sure that there's the corresponding process listening on
127.0.0.1:2048.
Prasanna.
On 1/6/07, Sebastian Raring [EMAIL PROTECTED] wrote:
Tom Eastep wrote:
Try:
REDIRECT loc
From experience and what I've read, IPSEC is easy to setup and work
with where there is no natting/firewalling.
Where there is natting/firewalling IPSEC or the firewall/nat is not so
trivial to setup.
Your choice is based on the amount of time you are ready to spend. In
this two site-scenario, I
On 12/28/06, David Rea [EMAIL PROTECTED] wrote:
class htb 1:163 parent 1:1 leaf 163: prio 2 quantum 1500 rate
68000bit ceil 307000bit burst 1533b/8 mpu 0b overhead 0b cburst
1652b/8 mpu 0b overhead 0b level 0
Sent 1609927 bytes 6855 pkt (dropped 0, overlimits 0
Hi,
1) Did you check the shorewall-tunnels file?
2) Did you verify if openvpn is dropping the packet or iptables?
3) Did you add the policy on both nodes?
You can do the second by checking the openvpn.log file, and the
shorewall.log file (assuming you've gotten ulogd installed).
Also, one VPN
Choices depend on whether you want point to point between all three
sites, or whether you can take the hit of one extra hop.
In the latter case, you can simply setup one server and make all else
clients. All traffic will be routed through your server of course.
Prasanna.
On 12/25/06, roman
On 10/20/06, Tom Eastep [EMAIL PROTECTED] wrote:
You can capture a trace with tcpdump (using -w) then analyze it on another
system with Ethereal.
Which is in fact the recommended mode of operation, since it has had
quite a few exploits in the past, though I suppose running it for a
few minutes