Sam wrote:
> Usually you can just add an additional IP alias to the external nic. Something
> like: ifconfig eth1:1 192.168.100.6 up
>
> "eth1" here is the external nic and the ":1" is the alias number.
I'd agree that this sounds like a likely fix - but the OP hasn't said yet how
he actually co
Vieri Di Paola wrote:
> I just got it working with ISC dhcrelay, but it's actually because I
> changed the remote DHCP server's configuration.
> In ISC terminology I'd have to use "shared-network", and in
> Microsoft's lingo it would have to be superscope + scopes. Basically,
> I created an "empt
PGNet Dev wrote:
> checking link mtus on my
>
> local,
>
> ifconfig | grep mtu
> enp2s0: flags=4163 mtu 1500
> enp3s0: flags=4163 mtu 1500
> lo: flags=73 mtu 65536
> wg0: flags=209 mtu 1420
>
> & remote boxes
>
> ifconfig
Nicola Ferrari (#554252) wrote:
> Is there any better way to proceed?
Now I've got access to some of my saved bits, this is how I got interface stats
- not really my own work, someone else suggested ways of doing it in Bash
without spawning masses of new processes and chewing through CPU cycle
Depending what your requirements are, I would suggest you look into RRDtool.
You still need to get the byte counts out - but RRDtool will take care of the
logging and conversion to traffic rates, as well as drawing pretty graphs.
Cacti is a whole new level up again, but manages many aspects of coll
Tom Eastep wrote:
> Carsten probably can't get a dump, since he has no connectivity to the
> server once Shorewall has started. As he says, the most obvious cause
> would be an incorrect interface name somewhere in the config...
In this case, a shell script along the lines of :
shorewall start
Ryan Joiner wrote:
> We have been given a /31 IP schema from an ISP which I have never had to do
> before, I've always had /30 or /29 subnets handed to us from ISP.
>
> Anyone know if Centos 7 and Shorewall can handle this? Here is basically the
> information given to us by the ISP. I'm assumi
David Watkins wrote:
> Here's a very small sample:
>
> From 1.11.238.26 - 1 packet to udp(37970)
> From 1.23.252.46 - 1 packet to udp(37970)
> From 1.55.167.27 - 3 packets to tcp(8291,8728)
>
...
> I have two questions:
> 1. What's going on here and should I be worried?
Not sure, but
Ah, it's just (literally this minute) popped back into my head - I'm fairly
certain that Linux bridging doesn't support VLANs like that. I've had a number
of Shorewall boxes with VLAN trunking, but I had a bridge for each VLAN - with
each VLAN interface connected to its specific bridge.
As an a
Vieri Di Paola wrote:
> My configuration is driving me bonkers. It's a bit complex, but I've
> isolated the failing behavior (I can reproduce it). Here's an overview
> of what happens:
>
> I have 3 switch ports configured to allow all traffic (no vlan
> restrictions).
> The shorewall NIC is a L
Tom Eastep wrote:
> The good news is that a very small part of the compiler is dedicated to
> converting the intermediate form back into iptables commands. For the
> most part, modifying Shorewall to generate nft input involves only that
> small part.
Well that's good news. "All that's needed" n
Erich Titl wrote:
> But back to shorewall, do you see any way
> your work could be carried on?
One of the issues is that iptables is being deprecated. AIUI, it's already to
the stage where nft must be installed and ipt cmd line tools are being
relabelled *-legacy - and they call translation to
Tom Eastep wrote:
> ... while I have continued to develop and support Shorewall, I feel that it
> is now time to say goodbye.
Well I can't really add anything to what's already been said. Thank you so much
for what has been an excellent and reliable package, with support that makes
many com
Bohuslav Moravec wrote:
> I have this working network configuration with two VLANs and a Linux router
> with DHCP server and Shorewall.
>
> ISP
> |
> | eth0
> |---|
> | |
> | Shorewall |
> | |
>
Tom Eastep wrote:
>> will look like with the new configuration /before/ I activate it and
>> possibly cut myself off because of my bad routing setup.
> There is no current way to do what you are asking for.
But there is the safe restart option, where if you do cut yourself off, you can
just wa
Răzvan Sandu wrote:
> I now have:
>
> IMAPS/ACCEPT:info net $FW
>
>
> and I want to exclude *two* address ranges from the net zone, like in:
>
>
> IMAPS/ACCEPT:info net:!aa.bb.cc.0/24 $FW
> ...
As an alternative which would be easier to read/maintain when you get a few
more add
FYI, you may find this message of interest :
https://mailarchive.ietf.org/arch/msg/v6ops/UUCfiwM-BXF83meRKwfTYL-gZpc
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! ht
Luke Jordan wrote:
> ping from a server (external) to isp 1 - it gives a response, but the
> response time is a nightmare:
>
> $ ping6 2a01:170:1150:4:a:a:a:a
> PING 2a01:170:1150:4:a:a:a:a(2a01:170:1150:4:a:a:a:a) 56 data bytes
> 64 bytes from 2a01:170:1150:4:a:a:a:a: icmp_seq=1 ttl=55 time=1212
Luke Jordan wrote:
> I wish to have an ipv6 multi-homing with static configuration, nat and
> rtrules/mangle. For ipv4 it runs without problems with shorewall.
The short answer is that NAT is not supported in IPv6 - and I can see the
arguments in favour of that, knowing just how much NAT screws t
Udo Schacht-Wiegand wrote:
> this is my first post to this list, and I hope I can reply to an already
> existing thread.
Welcome.
But no, it's poor netiquette to reply to another thread to start your own. When
you do that, your message should have reference headers linking it to that
other t
I wrote:
> What I ended up doing was to install (on the router) a local resolver running
> a slave zone for a couple of our own domains - then as long as the DNS is set
> to start before the firewall, the DNS names I used would be available locally.
I also considered creating a params file with
John McMonagle wrote:
> If for some reason dns is not available at shorewall start time will
> shorewall fail?
Yes.
I know the problem you are trying to solve, been there, done that. What I ended
up doing was to install (on the router) a local resolver running a slave zone
for a couple of ou
Johannes Graumann wrote:
> 1) Are there any nice, comprehensive interfaces to sort through the
> plethora of switches available with filters for more than the bare
> bones protocol requirements usually present?
Not that I know of - PITA isn't it ?
> 2) Can anyone recommend a switch that fulfill
Rommel Rodriguez Toirac wrote:
> I know it is hard to believe, but I have no access from the Internet or to the Internet
> from my job. All my network is in a private range of 172.16.x.x IPs.
> Any computer out of this range will access my network. For example the
> municipal network of X is in subnet
Rommel Rodriguez Toirac wrote:
> First, I live in Cuba and here the access to the Internet is a little different
> than in the rest of the world. Let's say just different.
> My ISP (in my case the national network level) gives the ranges
> 172.16.120.0/24 to my network and from 172.16.121.0/29 to the
Rommel Rodriguez Toirac wrote:
>> Your DNS server is returning *private* (RFC1918) addresses to systems in
>> the Municipal Network. To those systems, it must return the public IP
>> address of your firewall. This is addressed by using split DNS -- let
>> your DMZ server handle local clients a
cac...@quantum-sci.com wrote:
> Eh, except I got bounced with:
>
> SMTP error from remote mail server after RCPT TO:
> :
> 504 5.5.2 : Helo command rejected: need fully-qualified hostname
You would have the same problem sending mail direct to me as well - your mail
server is not correctly co
cac...@quantum-sci.com wrote:
> Eh, except I got bounced with:
>
> SMTP error from remote mail server after RCPT TO:
> :
> 504 5.5.2 : Helo command rejected: need fully-qualified hostname
You would have the same problem sending mail direct to me as well - your mail
server is not correctly configured!
Your mail
cac...@quantum-sci.com wrote:
> Anyone know why Shorewall settings seem to have no effect on allowing SMTP
> out?
Why do you think that ?
> I'm getting:
>
> # dmesg
> [181685.067416] Shorewall:fw-net:ACCEPT:IN= OUT=eth0 SRC=72.251.231.102
> DST=199.127.58.3 LEN=48 TOS=0x00 PREC=0x00 TTL=64 I
P H wrote:
> How can I set up Shorewall to work without putting the Modem in Bridge Mode?
As Tom asks, how will you be interfacing with it ?
I'm using VDSL2 in the UK, and it's as simple as setting up a PPP client to do
PPPoE with the ISP and treating the PPP interface as a separate interface i
Lennart Sorensen wrote:
> On Mon, Jul 31, 2017 at 11:35:34AM -0500, Justin Pryzby wrote:
>> No - OpenVPN (not VON)
Ah, typo :-(
> Or libreswan (the replacement for openswan that is actually being
> maintained).
Ah, didn't know about that one. I knew openswan wasn't being maintained.
B dcunha wrote:
> I have a remote site and need to set up a site-to-site VPN.
> Site A: I have Shorewall
> Site B: Cisco ASA 5300
This is out of scope for Shorewall. Shorewall will manage policies/rules for
traffic through the tunnel(s) once established - but you need a different tool
to manage t
On 28 Jul 2017, at 22:52, Remco Barendse wrote:
> I have a server whose only purpose is to run a bunch of virtualized guests
> (libvirt/kvm).
> The server has 4 NICs that are all bridged. 2 are connected to internet, 2
> to private lan.
> The guests have their own firewall and get their ip ei
Mark Morgan Lloyd wrote:
>> Not too sure about the 50:50 split - never done it that way. But I think the
>> way to do it will be to define both providers with the balance option, and
>> set at the same priority.
>
> The problem there is that the balance facility- if I understand it correctly-
Mark Morgan Lloyd wrote:
> Apologies if this turns out to be an FAQ, but I'm having trouble getting to
> grips with things.
>
> I've got a Raspberry Pi (little ARM box) here running Debian "Jessie" with
> the as-supplied Shorewall 4.6. As well as eth0 (192.168.1.5) as the
> "internal" side of
andreil1 wrote:
> shorewall disable LTC1 <— Doesn’t work
>
> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
> /usr/share/shorewall/lib.common: line 93: 28414 Terminated
> $SHOREWALL_SHELL $script $options $@
>
> Should I mark both providers (main LT
andreil1 wrote:
> I have this setup of shorewall with 2 ISPs, and need to auto-switch
> connection if main (LTC1) provider fails, and then revert back if it becomes
> alive.
>
> *** shorewall.conf ***
> USE_DEFAULT_RT=Yes
>
> *** providers ***
> LTC1 1 0x1 - eth0 gw1.xx.x
Dario Lesca wrote:
> Hi, I must enable QoS in shorewall-4.5.4 on a Centos 6
>
> I have set up an IPSEC tunnel with provider, in which only
> VoIP traffic must transit.
> Now I can ping and access the contact center, and it can access the
> local phone, all now works fine, but I must enable the
Sam wrote:
> Squid can apparently break through https now though, but I have not looked
> into it.
It's easy to proxy HTTPS **IFF** you have enough control over the clients. "All
you need to do" is create a self signed cert valid for "*" and install that as
a root cert on your clients - then
Tuomo Soini wrote:
>> I'm not sure that's still the case - Happy Eyeballs has been updated
>> a bit over the years. AIUI, it doesn't attempt a connection and then
>> fall back if it fails - it makes two connections (via 4 & 6) and
>> waits to see which one gives an answer first.
>
> Exactly. Tha
Tuomo Soini wrote:
> Reason for the issue is browser creates tcp connection with proxy, not
> with remote site so browser doesn't know tcp connection failed with
> destination site - so ipv6 to ipv4 fallback can't work.
I'm not sure that's still the case - Happy Eyeballs has been updated a bit o
On 1 Jul 2017, at 19:20, Tom Eastep wrote:
> For those who run both Shorewall and Shorewall6, I've written a new
> article describing how to share almost all of the configuration files
> between both products.
>
> See: http://www.shorewall.org/SharedConfig.html
Wow ! Thanks.
I've only had a qu
Julio Torres wrote:
> Hello everybody.
> I have set up an interface in bridge mode with eth0 and eth1. The
> configuration on interfaces: eth0 is connected to the router and eth1 is
> connected to the local network.
>
> I work with mac verification
>
> MACLIST_TABLE=mangle
> MACLIST_DISPOSITION=D
andreil1 wrote:
> I have 2 links and this config:
>
> LTC1 1 0x1 - eth0 gw1.xx.xx.xx
> track,balance=1 -
> BTC2 2 0x2 - eth1 gw2.yy.yy.yy track
> -
>
> net eth0 tcpflags,nosmurfs,rpfilter,sour
Vieri Di Paola wrote:
> Another issue I would like to solve or mitigate has to do with client hosts
> that access http-authenticated web sites through a load-balancing gateway
> such as in the above example.
> A simple example is when a LAN host logs into a forum via HTTP while going
> out ISP
Will Lowe wrote:
> Can someone help me understand this particular log message? It is from a
> Ricoh Printer on my main net to a computer on an adjacent net which is also
> under my control. Neither the printer nor this computer should be
> communicating with each other for any reason. The com
Tom Eastep wrote:
>> So clearly a transient error, but any ideas what could have caused
>> it ? I know manglement will be asking for more than "sh*t happens"
>> !
>
> The details about the failure would have been written to STDERR prior
> to logging those messages.
That'll be lost then, there's
Had an oddball yesterday, when the office lost internet connectivity. In the
logs I found
May 4 12:44:12 *** logger: ERROR:Shorewall 'enable ***' failed
May 4 12:44:13 *** logger: Shorewall Stopped
One of the configured FTTC (VDSL2) providers had gone down and come back up,
and I have a script
Simon Hobson wrote:
> But there is an important thing to remember about software firewalling like
> this. If you go out and spend loads of dosh on a firewall device from the
> likes of Cisco, part of what that money buys you is a hardware packet
> processing engine.
> The firs
Daniel Pocock wrote:
>> For something really latency sensitive, you might be better just running a
>> firewall on the server.
>
> That would be preferable, but in this case space for physical servers is
> limited.
Sorry, I don't understand this bit. All I'm suggesting is that for a really
lat
Daniel Pocock wrote:
> I'm noticing latency doubles when things go through the firewall. In
> particular, I have recently set up a couple of virtual desktops and I'm
> trying to access them with the SPICE protocol. It is supposed to be
> more efficient than VNC or RDP but I'm finding there is a
Göran Höglund wrote:
> I am trying to understand the logic for defining virtual interfaces (and
> VLAN) on an interface towards internet.
OK, I don't see anything to do with VLANs in the rest of the message - do you
really mean VLANs ?
> Then I create a virtual interface on eth0 as eth0:3, th
Nerijus Baliunas wrote:
> I have in rules file:
> DNAT net loc:10.10.10.12 tcp 443
>
> I want to temporarily open 443 on firewall itself so that connections to tcp
> port 443
> from outside would go to fw, not 10.10.10.12.
>
> I run command:
> # shorewall open all 81.x.x.x t
darrin.tho...@123mail.org wrote:
> Before I start down that road with what appears to be a redundant process, is
> there a convenient way to get that ddclient-tracked IP into shorewall
> 'params', or wherever it'd NEED to be to get picked up early enough to be
> (re)used in a shorewall (re)start
darrin.tho...@123mail.org wrote:
> ip route add default via 10.0.1.1 dev wlan0
>
> doesn't do any good either. Or anything else I've tried so far.
You really should not be having to do that - the device should be setting the
default route from the DHCP offer. I'd be looking to try and fix that
On 15 Mar 2017, at 17:59, darrin.tho...@123mail.org wrote:
> Well, I just can't get this to work.
>
> For this simplest scenario I can envision:
>
> net (ISP-assigned IP = XX.XX.XX.XX)
> | ( eth 0 )
> router
> |
> |- ( eth1, static IP addr: 10.0.0.1 )
>
darrin.tho...@123mail.org wrote:
> I do see plenty of these
>
> Mar 14 08:31:21 rbox kernel: [53995.695471] SW:[P4]wifi02net:ACCEPT
> IN=wlan0 OUT=enp1s0 SRC=10.128.128.200 DST=8.8.8.8 LEN=63 TOS=0x00 PREC=0x00
> TTL=63 ID=27812 DF PROTO=UDP SPT=15906 DPT=53 LEN=43
>
> Mar 14 08:3
Tom Eastep wrote:
>> I feel some experimentation to see if (manually added) accounting
>> rules will work in the Rawpost chain ...
>>
>
> Beware that the rawpost table has been removed in recent kernels. It
> was used for stateless SNAT which is now done in the mangle table.
Pity, it would hav
wrote:
> I feel some experimentation to see if (manually added) accounting rules will
> work in the Rawpost chain ...
s/chain/table/
Well that didn't take long. Seems the rawpost table isn't installed by default
(at least on the Debian systems I work with). It's available in the
xtables-addo
Tom Eastep wrote:
>> The diagram is useful, but doesn't show where accounting rules fit
>> into it.
>
> It actually does. With ACCOUNTING_TABLE=mangle, all rules are in the
> mangle table. When you section the accounting file, the rules in each
> section are
Tom Eastep wrote:
>> Is there any way to fix this ?
>
> Partially. With ACCOUNTING_TABLE=mangle, rules in the PREROUTING
> section of the accounting file are traversed prior to DNAT.
> Unfortunately, rules in the POSTROUTING section are still traversed
> before SNAT/MASQUERADE. See
> http://www.
I wrote:
> I've had accounting (counting traffic by IP) running for ages on other
> routers (ethernet interfaces), but I'm struggling to get it going on a
> newer one with a PPPoE interface. Everything looks OK in terms of the
> iptables rules setup - but I'm just not getting reasonable figu
I've had accounting (counting traffic by IP) running for ages on other routers
(ethernet interfaces), but I'm struggling to get it going on a newer one
with a PPPoE interface. Everything looks OK in terms of the iptables rules
setup - but I'm just not getting reasonable figures. Does anyone k
al...@myfastmail.com wrote:
> The VPS uses a dummy network of 10.2.0.0/24
> The local server+LAN use 10.1.0.0/24
> The vpn endpoints are 10.99.99.{1,2} -- nothing else on that subnet
>
> So IIUC that meets the non-overlapping subnet requirements
Yes. You'd be surprised how often I see questions
al...@myfastmail.com wrote:
> launch query & axfr FROM my desktop AT a nameserver across a VPN --
> *NOT* a public one -- and make sure the responses get sent back correctly.
>
> I'll admit I've gotten to the point where I've just been trying things
> blindly & randomly. When I've turned
Tuomo Soini wrote:
> What do you mean with NPTv6 ?
I assume he wants to use NPT (Network Prefix Translation) to avoid the
complications of multihoming systems with multiple IPv6 providers.
Luis Felipe Dominguez Vega wrote:
> Well here i am again I have a problem with IPs, see this:
>
> -
> | Another |
> | Place |-R1-- (..) (a VPN Provider) --R2 - GW (Shorewall PC)
> -- My Net
> -
>
> Into the "Another Place" has 10.11.0.0/24 ips throw
Luis Felipe Dominguez Vega wrote:
> Well, the routers I can access because they are owned by my VPN provider, but if
> I do a Source NAT does it fix the problem?? And how to do that??
I assume you meant to write that you *can't* access them ?
Basically, unless they have been given a route to your interna
Ob Noxious wrote:
> Wherever possible, I create a macro to wrap it up. This makes the "rules"
> files look nice but I still have to manually specify all the info on the
> "masq" file.
>
> Ex 1: simple :)
>
> rules:
> NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
>
> masq:
> $IF_NET { source=
Ob Noxious wrote:
> Ok this is normal behaviour for MTR :-) Thanks
And traceroute.
It occurs to me, you might not know how traceroute works - it's fairly simple
and obvious once you see it.
When you send a packet, one of the header fields is Time To Live (TTL). The
defaults vary between OSs, b
Ob Noxious wrote:
> What I wasn't expecting is the amount of these log entries by merely using a
> somewhat "normal" tool such as "mtr-tiny".
From the network traffic PoV, MTR is not "normal" - the traffic it generates
is far from normal.
"Normal" traffic will rarely generate TTL Exceeded re
Grant wrote:
> I've been using shorewall for awhile with net0 on the WAN and net1 on
> the LAN. I just switched to PPPoE so now I have ppp0 in addition to
> net0 and net1. I've replaced net0 with ppp0 everywhere in my
> shorewall config and added net0 as a second interface in the loc zone
> alo
Brian Marshall wrote:
> No problem blocking PPPoE from the loc zone, I'm just not sure the protocol
> number(s) I would use to achieve that.
They aren't even IP packets, and as far as I can see should not be getting
forwarded at all. As below, they are ether type 0x8863 or 0x8864 vs 0x0800 for
I wrote:
> Presumably there's no problem blocking all PPPoE traffic from the loc zone ?
And looking at https://tools.ietf.org/html/rfc2516 it says :
> The ETHER_TYPE is set to either 0x8863 (Discovery Stage) or 0x8864 (PPP
> Session Stage).
But how is the device spoofing the PPPoE LCP Terminat
Brian Marshall wrote:
> I'm trying to learn if shorewall can drop/reject PPP LCP traffic.
>
> I have a Bering/LEAF setup running shorewall and also pppoe for shared DSL
> connection. 'loc' is eth1, 'net' is ppp0/eth0
> One of the machines in 'loc' zone has an unknown application running that
Steven Kiehl wrote:
> Thanks for the response, Simon. Like everyone else in the world, it's Time
> Warner service. It's all negotiated over DHCP/DHCPv6. Do I need to unblock
> something for RA services perhaps?
Yes, you will need to be able to receive RAs in order to get your gateway. The
d
Steven Kiehl wrote:
> So, after several months, I've decided to take another crack at upgrading to
> IPv6. I followed the directions on the shorewall IPv6 support page as far as
> I can tell, and also dug well into the Linux documentation noted in that
> article. Thanks for all your efforts i
On 27 May 2016, at 08:21, Michele Alessandrini wrote:
> The PC has a DHCP server for the eth1 interface. Now, in the interfaces
> file I did not add the "dhcp" option to the eth1 interface, and the
> default policy is rejecting packets from loc to fw, so I was expecting
> that DHCP would not
אריה קלטר wrote:
> Both internal networks are on the same subnet and the servers on each subnet
> are on the same internal IP, by the server role.
> The question is that
> Both firewalls were attacked, so I need to create them from the start.
> Can I unify them into one FW that will do NAT separately, with s
Tom Eastep wrote:
>> I get this error when starting apt update:
>> W: Fehlschlag beim Holen von
>> http://repo.saltstack.com/apt/debian/8/amd64/latest/dists/jessie/Release.gpg
>> Verbindung mit repo.saltstack.com:80 kann nicht aufgebaut werden
>> (2604:a880:400:d0::2:e001). - connect (101: Das N
On 5 Apr 2016, at 06:42, Thomas Schneider wrote:
> This is the output:
> root@vm103-db:~# ip -f inet6 addr show
> 1: lo: mtu 65536
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 9: eth0@if10: mtu 1500 qlen 1000
> inet6 fe80::3065:65ff:fe39:3035/64 scope l
Marc Mertes wrote:
> Just to be 100% sure - eth3:!$MasqExcl means that I have for DESTINATION
> $MasqExcl no masq,
> and all IPs on my local network are visible for $MasqExcl?
Yes. See http://shorewall.net/manpages/shorewall-masq.html
On 4 Apr 2016, at 12:24, c.mo...@web.de wrote:
> I have NOT configured any IPv6 connection.
> That's why I said it makes no sense that apt update is trying to resolve an
> IPv6 address.
OK, we'll take a step back.
Apt is **NOT** trying to resolve an IPv6 address. It will have done a DNS
looku
Marc Mertes wrote:
> after a few years of using shorewall now, I run into a "special case"
> of a new masquerading need, and I'm not sure if this is possible.
> I've already browsed through the mail archive - but there is not exactly
> my case discussed, just some where close to - or I didn't
Thomas Schneider wrote:
> However, now I have a weird issue that apt update fails to access IPv6
> addresses on clients loc (= 10.0.0.0/24) and dmz (=10.1.0.0/24):
...
> Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main
> isc-dhcp-client amd64 4.3.3-9
Brian J. Murrell wrote:
> The problem is that the rate that these cracking attempts comes in is
> overwhelming
Not just for fail2ban ! Considering how small the packets are, getting 1/2Mbps
of traffic from just one attack is quite a request rate.
> for fail2ban at times and thousands of attemp
Felipe Román wrote:
> ... of 100mbit (I know simon, that's the correct unit, and to be sure I
> tested it and works like a charm)
Just being pedantic, the config file is "wrong" in this. If someone writes mbit
without specifying that this is the config file syntax then as an engineer I'll
int
Felipe Román wrote:
> to the point.
> I have a "problem" with QoS, we have different speed in the network
> provider link, 100mbit download and 100mbit upload in the national
> connections, and 10mbit download and 10mbit upload on international
> connections.
*IFF* you can define a rule for o
Csányi Pál wrote:
> Can I set up my network so that the RasPi can be reachable from LAN with
> its FQDN: cspl.hu?
2 ways :
1) My preference is to configure the DNS so when resolved internally, the name
will resolve to the internal address. Lookup split-horizon DNS.
2) Configure the firewall to hai
John Candlish wrote:
> Looking further at this it seems to be related to differing MSS values
> for the ppp0, eth3 physical interfaces, and also the virtual interface
> of the webserver in the DMZ.
...
> I suppose that this can be tuned via the MTU of the affected
> interfaces or by the MSS param
Brian J. Murrell wrote:
> As we all know, one cannot really shape/limit inbound traffic other
> than to "police" it. Or at least that was the state of things the last
> time I was in this neighborhood. Maybe things have changed since then.
Not really, in as much as the traffic has already arri
c.mo...@web.de wrote:
> Hello!
>
> I need your support to define an appropriate configuration for the network
> architecture I have documented in the attachment.
>
> There are some things that make this network architecture "special":
> 1. 2 default gateways according to this howto
> https:/
Exga wrote:
> Thank you for the reply!
>
> I have the route setup but it only seems to make it to the shorewall router,
> how would I allow the packets to continue to the VPN gateway?
You need a policy or rule that will permit the traffic, and you need IP
Forwarding set to on - or the kernel
Kade Hampson wrote:
> I have been looking at this for the past two days without any success.
> I run a layer 3 VPN with the gateway sitting on 192.168.0.254 but I cannot
> for the life of me get shorewall to forward packets for subnet 192.168.1.0/24
> to the gateway…
>
> Please help me, I am
Rich Wales wrote:
> OK, I just saw a reference to the MultiISP.html page. Hopefully that will
> answer my question?
There's a lot more in that page than you need - specifically you don't need any
of the routing rules, providers file, etc.
All you need to do is specify rules in the masq file,
> Simon - thank you very much for pointing out the obvious... which I couldn't
> see
We've all been there - just like this, been staring at the screen so long we've
got square eyes, certain we've not missed anything. Then some smarta**e walks
past and points out the bloomin obvious :D
You'd be
Marcelo Bello wrote:
> On my box sometimes the adsl connection is falling on ppp1/ppp2 and not
> always on ppp0.
>
> I could investigate hacks to ensure it always goes to ppp0 but I just read on
> the pppd mailing list that they consider best practice to never assume on
> which ppp+ interface
Norman Henderson wrote:
> MAIN SYMPTOM: Another box 10.0.69.20 on the same VLAN vlan1 sends a
> Ping to the firewall as 10.0.69.1. The ping reply is generated
> however, it is sent back to 10.0.69.20 on vlan3 instead of vlan1 and,
> of course, does not arrive.
OK, looking in the dump I can see w
shorew...@iotti.biz wrote:
> The
> annoying thing is that the associated interface (ppp0 for me) disappears,
> then it is recreated when the link is re-established. Unfortunately when
> this happens the routing tables established by shorewall get corrupted: in
> particular, all the routes involvi
Nigel Aves wrote:
> I'm building a Centos 7 server and the interface names are no longer eth*
> but (on this machine) are:-
>
> enp2s0 - Outside world
> enp8s0 - Internal network
> enp7s0 - Internal network
Welcome to the brave new world of SystemD malware - where everyone must suffer
cra