uggestions?
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Robert K Coffman Jr.
Info From Data Corp.
3307249000
supp...@infofromdata.com
Do you have any traffic shaping configured?
On 4/1/2022 1:25 PM, Dario Lesca wrote:
On my shorewall firewall 5.1.10.2 on Centos 7 up to date I
have changed ADSL providers from 30 Mbit/s to 900 Mbit/s
On the shorewall server with
Real pro tip: OpenVPN with tls-auth. If your packets aren't
signed, you can't snoop the port at all nor communicate with the
service.
On 3/17/2022 8:53 AM, William Papolis
wrote:
(PRO
TIP: I also use a non-standard port for my VPN,
Not exactly true - you can use a VPN tunnel based on TLS and run
FTP through the tunnel.
I also have no point :)
On 3/16/2022 12:36 PM, Tuomo Soini
wrote:
There is no way to do FTP with TLS/SSL in a completely secure way.
On 9/13/2021 5:57 AM, Dave via Shorewall-users wrote:
I need to route packets to and from another subnet via an OpenVPN
server running on the local subnet.
Why aren't you using the OpenVPN mechanism to create the necessary routes?
For local subnet 192.168.1.0/24 and remote via vpn subnet
The dump wasn't to explain what he was trying to do.
He said it wasn't working. The dump was so that what he actually did
could be reviewed.
- Bob
On 9/30/2020 3:31 PM, PGNet Dev wrote:
it was pretty clear what you're trying to do; it doesn't need a 'dump' to
explain that.
Not an answer to your question, but a suggestion.
Use tls-auth in your OpenVPN configuration.
https://openvpn.net/community-resources/hardening-openvpn-security/
Any packet not signed will just get dropped. Seems a lot easier to manage.
- Bob
On 3/18/2020 12:23 PM, Witold Tosta wrote:
Is it
Yes, but why does the following command have absolutely no negative
impact on my network latency while shorewall reload does?
I didn't see the beginning of this thread, but if you have virtualized
systems, look beyond CPU on the host. There may be other resources
being stressed when you
I was trying to find out the difference in the commands and the
consequence of reload vs restart.
http://shorewall.net/starting_and_stopping_shorewall.htm#Starting
Tom is retired from Shorewall development, you should probably just have
emailed the list.
- Bob
I don't know anything about this, but your rule says CH and the lookup
says CN. Do those need to match?
- Bob
Try "touch /var/log/messages.log" and then taking the dump. I don't
know arch but you might need sudo or elevated permissions to do this.
- Bob
On 7/4/2018 4:51 PM, Connor Schlesiger wrote:
Greetings,
My apologies for the delay; I've been on holiday.
I quickly tried `shorewall dump` as
I have a HP printer that's mis-behaving. It gets an IPv4 address from
DHCP and is happy.
A possible non-shorewall fix - is there updated firmware for the printer?
Maybe I don't understand what you are doing, but why do you have both an
ACCEPT rule and a DNAT on the same port from the same zone? It seems
your DNAT rule will never be triggered, though you say it is?
- Bob
On 9/15/2017 6:32 AM, andreil1 wrote:
DNAT currently working
ACCEPT net dmz tcp
It can still be used but would require additional hardware on the Cisco end.
- Bob
On 7/31/2017 12:35 PM, Justin Pryzby wrote:
No - OpenVPN (not VON) is popular but not a standard protocol like ipsec, and
doesn't interoperate with cisco (or other) vendors.
> Unfortunately one of my servers (192.168.0.3) is not able to communicate
> with any other subnets, including WAN.
Kade,
If 192.168.0.2 is working fine and 192.168.0.3 can communicate to its
own subnet with no issue, I'd check the default gateway on 192.168.0.3.
- Bob
> tun0 VPN_NET
Your source would be your local LAN, and I believe you want to
masquerade the traffic through tun0 if that is the tunnel you are using:
tun0 eth1 (or some variation that defines your local LAN)
- Bob
> seem to be a way for me to push up a route to the server
That doesn't seem to be desirable behavior - any client could
effectively DOS the box. The admin of the server needs to make that change.
- Bob
> So far I have traffic that is getting sent out my public connection to the
> openvpn server, but nothing comes back according to `tcpdump -i extIF host
> VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
> policy is set up to log on the final DROP and REJECT rules.
> Try setting 'IP_FORWARDING=on' in shorewall.conf.
I'm not any good at reading the dump, but if Matt's advice doesn't fix
it, make sure you allow traffic between the zones that your local
subnets are in. Make sure the subnet mask of your devices on those
subnets matches what the firewall
On 12/20/2016 3:24 PM, Luis Felipe Dominguez Vega wrote:
> note that i can change the address of "Another Place".
This is the solution.
- Bob Coffman
> zoneA { dest=zoneA,zoneB,zoneC policy=REJECT loglevel=info }
> zoneB { dest=zoneB,zoneC,zoneA policy=REJECT loglevel=info }
> zoneC { dest=zoneC,zoneA,zoneB policy=REJECT loglevel=info }
Fewer lines doesn't make this less confusing or error prone in my mind.
- Bob
Does your OpenVPN server have a "redirect-gateway" set? Looks like your
DNS queries are being sent through the tunnel.
- Bob
You could easily maintain a separate shorewall configuration to apply
during your window, and copy them into the shorewall (using a cron task)
at the appointed hour and restart shorewall, then a second one to
restore your original rules at 7:59AM. I don't know of a better way to
do this.
-
> then you end up with the client side
> trying to reach your internal server through the local IP.
That's exactly right.
> So I am hoping for an answer - not a work-around.
Split DNS is the answer, the workaround is in FAQ 2.
- Bob
> The (nat)router will not handle loop back
The best way to fix this is with DNS, so that you don't go to the public
IP at all.
See Shorewall FAQ 2.
- Bob
Why has the error output changed and, are there other places that
were modified likewise ?
The TC files were changed - the error message on the newer version
telling you how to update your files.
- Bob
I would personally:
1. Allow mail traffic from the web server subnet to the email server subnet
2. Create a host file entry on the web server telling it the non-public
IP of the email server.
- Bob
On 3/26/2015 12:32 PM, Thomas Winkler wrote:
I used your settings but still it doesn't work when I run shorewall.
If the client can't connect, which is what I assume you mean when you
say it doesn't work then you should have something in the shorewall
log that will give you a clue as to why.
On my OpenVPN server, I'm using openvpn rather than openvpnclient in the
tunnels file.
- Bob
On 6/20/2014 4:21 AM, Roland RoLaNd wrote:
I just added a new server to my web cluster, at low load all is good but
at peak time I get this:
Take a look at
http://antmeetspenguin.blogspot.com/2011/01/high-performance-linux-router.html
as a starting point.
- Bob
kernel:[321835.288989]
On 12/3/2013 3:30 PM, Fábio Rabelo wrote:
Yes ... there is the problem???
Possibly. Take a look at https://forums.openvpn.net/topic8157.html. I
would consider not doing that, as it may make things simpler long term.
Ed,
Not sure it is the best way, but I would do it this way:
Add additional internal interface (192.168.2.0?) for his connection to
your firewall. His device would plug in there.
Add additional external IP for masq/nat for his network to your external
interface.
Another strategy would be
NTP(DNAT) net loc:192.168.1.2
It appears to me that these should not be getting blocked. Do you have
another interface these packets are arriving on perhaps - that is not in
the NET zone?
- Bob
On 6/26/2013 10:08 AM, emilianovazq...@gmail.com wrote:
You aren't using a private network and this is your first trouble.
You can't know this from the information provided. Also, the answer to
the question won't change based on the IP address range he is using.
- Bob
Alan,
Post your tc* files and I'll take a look.
- Bob
Does someone have a working example they can share?
Sam,
I'm not sure what you are running into, but if you did a quick swap and
test, your switches may not have caught up to the changes by the time
you tested. I ran into that when doing a midday cutover to a new
firewall. You can avoid that by pinging from Leaf to the DNAT target
and
Andy,
Some things that may be helpful.
1. In rules, first match (from top of file) for any given connection
wins.
2. If no rules match, then the policies take effect. Same deal - first
match.
3. Shorewall.net has excellent documentation on all Shorewall can do.
For a basic firewall you
Is it possible/advisable to configure shorewall on the host to act as a
firewall for the virtual machines, each having one or more static public IP
address?
May not apply to VBox but what I did on ESXi is create a private vlan
with my hosting servers and a public vlan that faces the
I have found that if I put an OUT-BANDWIDTH in tcinterface which is low
enough, then it is easier to observe if traffic control works,
I just caught this mid-thread, so if this isn't relevant please ignore.
I spent most of my time with traffic control fine tuning the outbound
bandwidth
I don't know if it has anything to do with your error but the below
looks wrong.
- Bob Coffman
On 1/21/2010 4:28 AM, m...@rk Lombaard wrote:
params:
ETH0_IP=$(find_first_interface_address eth2)
ETH2_IP=$(find_first_interface_address eth0)
Is there a shorewall way to solve this problem?
I would start with http://www.shorewall.net/MultiISP.html.
Sounds like the track option may solve this.
- Bob Coffman
I don't have to support SIP so I may be out of line here, but couldn't
you enable logging on everything and see what the firewall is blocking?
also, I've acquired the numbers in tcdevices from doing benchmarks at
speakeasy.net and then underestimating the values.
This is a timely post, based on my recent attempts and ultimately
successes in setting up QOS/TC. Any corrections to this information are
appreciated.
You may want to
Darvin,
What is needed is described at: http://www.shorewall.net/support.htm
When I was using it before I hacked pop-before-smtp
to open the full network to users and was wondering if there was a
built in way to do this now.
This question is not at all clear, but it sounds like you are describing a
VPN.
I've looked through the FAQ and Troubleshooting guides but I'm still having
problems getting a dnat rule to work
Is it possible your ISP blocks connections to high ports?
-
shorewall does not stop, is not responding.
Does anything at all happen when you try to restart Shorewall?
I'm not sure what is going on, but this doesn't sound like a Shorewall
problem.
-
This, I believe, is Shorewall FAQ 2.
-
I suspect your interface with address 172.16.168.1 is actually in the loc
zone. It should work with loc:172.16.168.1.
On Tuesday, August 12, 2008 2:22 AM, Scott Ruckh wrote:
if it was DNS the images and other resources should load quickly, which
isn't the case.
Not necessarily. The images and other intra-page content may be hosted on
different servers from the page you are loading. What you are describing is
classic DNS latency, although I've also heard that OpenDNS
The follow-up answer to this issue was that it seems that the Intel
PRO/1000 dual-port PCIe card does indeed not function correctly in
promiscuous mode when connected to a 100Mbps hub. (In this particular
One thing to consider is that the traffic on a dual speed hub is actually
segmented