> Shorewall version 5.2.8 on RHEL 7 virtualized on Ovirt hypervisors,
> routing and filtering traffic between 5 networks full of VMs via VLANs
> in Ovirt.
> All virtual VM interfaces (including Shorewall VM), are on 10 Gbps.
>
> Effective speed between VMs on same network segment is full 10 Gbps.
>
Hi,
>
>> Some comments:
>> (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than
>> Web(ACCEPT) which just combines the two.
>
> I don't understand why Web exists then, if it is not recommended to use it.
> I replaced Web by HTTP and HTTPS lines, and of course, nothing changed.
>
I guess
Hi Philip,
> This may be an underlying Linux problem but I first of all need to run
> it past you guys and gals here as few people on Linux forums will be
> familiar with Shorewall.
>
> We have a Shorewall firewall at the school where I volunteer, protecting
> the school network from a Raspberry P
Hi Yassine,
> Hello All,
>
> Today,
> Something caught my attention while looking for errors in log files.
>
> [code]
> root@messagerie-principale[10.10.10.19] ~ # tail -f
> /var/log/apache2/roundcube.error /var/log/fail2ban.log
> /var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log
>
Hi,
> I am trying to route traffic from LOC to a network I have configured in
> the routes file.
I may be wrong here but I think the routes file is used for special cases
when you have more than one internet connection and such things.
For your case, did you add a routing entry to the hosts rou
M Vieri Di Paola
> wrote:
>
>> On Wed, Nov 9, 2022 at 8:15 AM Simon Matter
>> wrote:
>> >
>> > > The Fortinet admin has set the following in his FW:
>> > >
>> > > set protocol 6
>> > > set timeout 28
> Hi,
>
> There are hosts in my LAN behind a Shorewall FW that need to keep
> Oracle connections alive (tcp 1521) with other hosts that are behind a
> remote Fortinet Fortiguard FW.
>
> The Fortinet admin has set the following in his FW:
>
> set protocol 6
> set timeout 2880
> On Sat, 02/04/2022 at 18.18 +0200, Simon Matter wrote:
>> So, what speed do you get when you check on the firewall itself?
>
> I have installed and run speedtest-cli, this is last check:
>
> Tes
> On Sat, 02/04/2022 at 10.37 +0200, Simon Matter wrote:
>> I'd suggest to check with ethtool if all interfaces are really on
>> 1Gbps.
>> This sound like you have a 100Mbps somewhere.
>
> This is ethtool output[1]
>
> the only difference compare
> On Fri, 01/04/2022 at 14.44 -0400, Robert K Coffman Jr. -Info
> From Data Corp. wrote:
>> Do you have any traffic shaping configured?
> No, it is not configured
>
> cat /etc/shorewall/tc* | grep -v '^#'|wc -l
> 0
>
>> >
>> > Seem that the firewall pass through limited the traffic s
> Hello Matt,
>
> Thank you so much for your reply. Unfortunately when I perform the
> 'shorewall clear' command, I lose all access to the outside world
Maybe you have to enable ip forwarding once you disable shorewall?
Simon
> (internet) so I am unable to test.
>
> Thank you for your time.
>
>
> I'd say the problem is on the host that might not have all packages
> updated, namely the ca-certificates (or equivalent) package. At a first
> glance it doesn't seem like a firewall problem.
>
> @Vieri, please try to do a yum/apt (or equivalent depending on the
> machine OS package manager) upda
Hi Vieri,
> Hi,
>
> I'm trying to solve some possible SIP issues in my LAN, and I'd like
> to temporarily disable SIP-related Linux kernel modules.
> It seems that shorewall loads the modules according to the content of
> /usr/share/shorewall/helpers. Instead of touching that file I'd rather
> set
> On Sun, 2022-02-06 at 10:58 -0500, Brian J. Murrell wrote:
>>
>>
>> Well, it is, in that shorewall is using obsoleted interfaces.
>
>
> There is now an MR at
> https://gitlab.com/shorewall/code/-/merge_requests/5 to migrate to
> newer, supported interfaces.
What's wrong with the other method you
> Hi
> I like to setup shorewall to accept connection from my IP from port 4442
> and shorewall will forward that to port 22 ssh
> I tried this but doesn't work
> ACCEPT net:192.168.0.203 fw tcp 22 4442
I'm quite sure you want to use a DNAT or REDIRECT rule here instead
>> Please check, it should probably be
>
>> ?FORMAT 2
>
>> Note the space!
>
> The output is:
>
>
> [root@franz-820 shorewall]# tail -n 7 interfaces
> ?FORMAT 2
> net wlp2s0 detect
> net wlp0s20f0u1 detect
> net enp0s31f6 detect
> dockdocker0 bridge
>
>
> [root@franz-8
>
>> This assumes that the content of '/etc/shorewall' was not modified.
>
>> Please try this
>
>> $ tail -n 7 interfaces
>> ?FORMAT2
>> net wlp2s0 detect
>> net wlp0s20f0u1 detect
>> net enp0s31f6 detect
>> dock docker0 bridge
>> $ shorewall check && shorewall start
>
> The output is:
>
>
>
> [roo
> Hi,
>
> I configured dhcrelay on my shorewall router to send DHCP requests to
> a remote DHCP server. I need to listen for DHCP requests on one
> interface (say lan.1). However, this interface has multiple IP
> addresses/netmasks. The remote DHCP server has only one scope and only
> one of the
> Hi,
>
> I configured dhcrelay so that clients in my "lan1" zone should get IP
> addr. leases from a server in my "ibs" zone.
>
> This is the command I run:
>
> /usr/sbin/dhcrelay -q -i lan.1 10.215.137.54
>
> BTW, a foreground run shows messages such as:
>
> Forwarded BOOTREQUEST for a4:bb:6d:03:
> Hi,
>
> What does this message mean, and what should I look for to fix it?
>
> Error: Invalid prefix for given prefix length.
> ERROR: Command "ip -4 route replace 10.215.106.193/26 via
> 172.28.17.110 dev ibs table 254" Failed
>
> In my routes file I have:
>
> main 10.215.106.0/26
>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>> Compilation
> On Wed, Oct 7, 2020 at 1:31 PM Simon Matter
> wrote:
>>
>> > Hi,
>> >
>> > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT
>> > rule such as the following
>> >
>> > ACCEPT lan1:10.215.144.0/23 wan
> Hi,
>
> If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT
> rule such as the following
>
> ACCEPT lan1:10.215.144.0/23 wan tcp,udp 80,443
>
> I'd like to know why I am seeing the following in the shorewall log
> when a user accesses a web page:
>
> kernel: Shorewa
> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>> Compilation will only happen
> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>> >> Compilation will only happen when '/etc/shorewall' is modified.
>> >> So if I'm not mistaken, updating the firewall will not trigger a
>> >> recompilation.
>> >>
> On 10/4/20 10:18 AM, Matt Darfeuille wrote:
>> On 10/4/2020 6:58 PM, Simon Matter wrote:
>>> Hi,
>>>
>>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just
>>> to
>>> see that the rules haven't been updated
Hi,
I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just to
see that the rules haven't been updated:
[root@abc ~]# shorewall reload
Reloading Shorewall
Initializing...
Processing /etc/shorewall/init ...
Setting net.netfilter.nf_conntrack_max = 1048576
Processing /etc/shore
> On Sat, Jul 11, 2020 at 9:49 PM Tom Eastep wrote:
>>
>> On 7/11/20 2:40 AM, Vieri Di Paola wrote:
>>
>> What was your 'shorewall iptrace command?
>
> If I just run 'shorewall iptrace' with no filter, won't that just
> trace all packets?
>
>> > I saved a tcpdump taken on the Shorewall system to a
> On Tue, Oct 29, 2019 at 3:17 PM Simon Matter
> wrote:
>>
>> So you have 4 real cores, not 8. From how I understand it one fully used
>> core (one of the 4) can have a negative impact on its (virtual) sibling.
>
> Yes, but why does the following command have absolut
> Hi,
>
> On Tue, Oct 29, 2019 at 2:54 PM Simon Matter via Shorewall-users
> wrote:
>>
>> ~1 minute? Do you have an insane number of rules somehow?
>
> Yes.
>
>> One thing I was wondering, are the 8 cores real cores or 4 with HT?
>
> # lscpu
>
Hi,
> Hi,
>
> I have a rather busy network, and my ksoftirqd processes are using
> quite a lot of CPU. I'm trying to optimize my NIC settings, but I
> think I can't get any better unless I change hardware.
>
> However, I want to make sure I prioritize CPU power for the ksoftirqd
> processes becaus
Hi,
We're using proxyarped hosts as described here
http://www.shorewall.org/ProxyARP.htm to run firewalls without the hassle
of doing NAT. It works so well that I was wondering how the same could be
achieved on other operating systems like the different BSD Unices.
Does anybody know if the same m
> OK, I'm seeing a very odd behavior here, but at least I can now easily
> reproduce the issue.
>
> I have a test host with IP address 192.168.215.200 pinging continuously
> the Shorewall FW at 192.168.215.1.
> At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
> on the FW is con
> On 03/08/2018 08:40 AM, Tom Eastep wrote:
>> On 03/07/2018 02:31 AM, Simon Matter wrote:
>>>> On 3/7/2018 8:58 AM, Simon Matter wrote:
>>>>> Hi Tom and all,
>>>>>
>>>>> I've just decided to add some more autodetection code so
> On 3/7/2018 8:58 AM, Simon Matter wrote:
>> Hi Tom and all,
>>
>> I've just decided to add some more autodetection code some params file.
>>
>> One of the lines looks something like this:
>> read -rs LOC_NETADDR DUMMY 2> /dev/null < <(ip -o
Hi Tom and all,
I've just decided to add some more autodetection code some params file.
One of the lines looks something like this:
read -rs LOC_NETADDR DUMMY 2> /dev/null < <(ip -o route list proto kernel
scope link dev "$LOC_IF" 2> /dev/null)
The result was a shell error:
/etc/shorewall/params
> My masquerade config is simple exactly like Example 1 here:
>
> http://shorewall.org/manpages/shorewall-masq.html
>
> It has worked for a very long time and works on 5.0.15.6 but not on
> 5.1.4.4 or 5.1.5. Any ideas?
Hi,
I think you have to update your config because it now uses the snat file
>
>
> From: Simon Matter
>
>>> This is the failing ping performed on $FW:
>>>
>>> # ping -I 10.215.246.91 10.215.236.123 -c 1
>>
>> Last week you asked the list about a possible arp cache issue. Did you
>
> Hi,
>
> I used to ping correctly from the shorewall FW to a remote host's IP
> address in particular zone (CAIB, see below).
>
> Somehow, this ping is failing now, and I don't know if it's a config error
> on my behalf or that the remote host stopped replying.
>
> This is the failing ping perform
>
>
> From: Simon Matter
>>
>> Exactly, what about the rest of the network, switches/routers, how do
>> they
>
>> know about the FW change? (I guess the easiest solution would be to
>> simply reboot those devices after
> Hi,
>
> I'm trying to update to shorewall 5.1 with a config that is *supposedly*
> working with 5.0.
>
> In any case, I'm trying to ping from a host in lan zone with IP addr.
> 10.215.144.48 to a host in IBS zone with IP addr. 10.215.9.172.
> ICMP traffic should be allowed but the client isn't re
> On Fri, 24 Mar 2017 08:19:49 -0700 Tom Eastep
> wrote:
>
>> > I tried, but got: ERROR: A non-empty SWITCH column requires
>> > Condition Match in your kernel and iptables /etc/shorewall/rules
>> > (line 58)
>> >
>> > It is a CentOS 6 system, probably it does not have Condition
>> > Match?
>>
>>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/15/2017 06:28 PM, Ryan Joiner wrote:
>> Ahh, I do see that and that would definitely be a problem.
>>
>> What's odd though is I copied and pasted it from the sample file
>> and I'm pretty sure it was not incorrect. Maybe that is the
>>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/09/2017 09:27 AM, Tom Eastep wrote:
>
>>
>> Actually, it looks like PERSISTENT=Yes will already work for the
>> reload command.
>>
>
> And the -n option is available with the 'reload' command.
Hi Tom,
you're right, both methods are the
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/09/2017 08:20 AM, Simon Matter wrote:
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>
>>> On 03/08/2017 10:15 PM, Simon Matter wrote:
>>>
>>>>
>>>> After
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/08/2017 10:15 PM, Simon Matter wrote:
>
>>
>> After doing countless reloads I found a way to prevent those
>> connections from being killed. Removing "routefilter" from eth2
>> seems to
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/08/2017 11:14 AM, Simon Matter wrote:
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>
>>> On 03/07/2017 11:33 PM, Simon Matter wrote:
>>>> Hi Tom and all,
>>>>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 03/07/2017 11:33 PM, Simon Matter wrote:
>> Hi Tom and all,
>>
>> Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a
>> new problem with longstanding TCP connections being killed during
>
> Hi Tom and all,
>
> Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a new
> problem with longstanding TCP connections being killed during "shorewall
> reload".
Just in case it helps I've attached a diff of the compiled firewall script.
Simon
firewall.diff
Description: Binary da
Hi Tom and all,
Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a new
problem with longstanding TCP connections being killed during "shorewall
reload".
This has never happened before so I guess it has something to do with the
new defaults.
An interesting point is that it happens
> On 26.1.2017. 18:00, Tom Eastep wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> On 01/26/2017 03:38 AM, Ivica Glavocic wrote:
>>> Hi all
>>>
>>> Linux multi interface box, Oracle Enterprise Linux 6.8 x64 (RHEL
>>> with unbreakable kernel 4.1.12-61.1.25.el6uek.x86_64), clean
>>>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 11/04/2016 12:28 AM, Simon Matter wrote:
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>
>>> The Shorewall Team is pleased to announce the availability of
>>> Shorewall 5.0.14.
>
>
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 10/28/2016 12:11 PM, Ryan Joiner wrote:
> What would be the command to disable them for CentOS7? I have
> searched a bunch but couldn't find anything.
a) rmmod nf_nat_sip
rmmod nf_conntrack_s
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> The Shorewall Team is pleased to announce the availability of
> Shorewall 5.0.14.
Hi Tom and Team,
Thanks for the new release!
I just found a little issue, it can be seen by comparing the samples as
shown below. First I was trying what kind
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> On 10/28/2016 12:11 PM, Ryan Joiner wrote:
>>
>>> What would be the command to disable them for CentOS7? I have
>>> searched a bunch but couldn't find anything.
>> a) rmmod nf_nat_sip
>> rmmod nf_conntrack_sip
>> a) Set AUTOHELPE
> On Tue, Oct 11, 2016 at 5:49 PM, Tom Eastep wrote:
>
> I believe that this particular class of user blunder is best guarded
>> against by setting IGNOREUNKNOWNVARIABLES=No in shorewall[6].conf,
>>
>
> Oh dear! Is there something you didn't think about when designing
> Shorewall? :-) It really
Hi Tom,
Thanks for all you work on shorewall, I wish you all the best!
Regards,
Simon
> I have a health issue that I will be dealing with. Hope to be back next
> week.
>
> -Tom
> --
> Tom Eastep\ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in h
> The Shorewall Team is pleased to announce the availability of Shorewall
> 5.0.0.
Hi Tom and Team,
thanks for the new release and all the hard work you did on it!
I'm wondering about the impact of the recent change concerning
"WORKAROUNDS". Should I expect that shorewall-5 will still run on a
> Hi all,
>
> I have two servers with public and private IP address running a sip proxy
> on eth0 and asterisk box on eth1. Each box is running Shorewall 4.5.21.
> Making calls within a server is fine but I would like the sip proxy to
> also use asterisk box on the other machine for load balancing.
> Thank you,
>
> On 11.12.2014 16:43, Eric Teeter wrote:
>
>> I have submitted a few macros myself, one macro.ActiveDir which is very
>> complicated.
>>
>> PARAM - - udp 655
>> PARAM - - tcp 655
>>
>
> I'll write a macro, with proper comments, and I'll be happy to
> On 5/16/2014 2:10 AM, Simon Matter wrote:
>>> The Shorewall team is pleased to announce the availability of Shorewall
>>> 4.6.0.
>>
>> Hi Tom and all,
>>
>> Thanks for the new release!
>>
>> I found an issue I'm not sure how to solv
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.6.0.
Hi Tom and all,
Thanks for the new release!
I found an issue I'm not sure how to solve, sorry for finding it only now
that the release is out.
I was having this in my tcrules file:
#
# fix udp checksums for dhcl
> After poking around, I ran the following command: /sbin/mii-tool -v
> eth_wan
>
>
>
> and got these results:
>
>
>
> eth_wan: negotiated 100baseTx-FD flow-control, link ok
>
> product info: vendor 00:50:43, model 11 rev 1
>
> basic mode: autonegotiation enabled
>
> basic status: autonego
> It's not.
>
> # ethtool -k eth1
> Offload parameters for eth1:
> rx-checksumming: on
> tx-checksumming: on
> scatter-gather: on
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> ntuple
> http://www.shorewall.net/VPNBasics.html#tunnels
>
> The /etc/shorewall/tunnels file provides no functionality that could not
> be
> implemented using entries in /etc/shorewall/rules and I have elimination
> of
> the /etc/shorewall/tunnels file as a long-term goal.
>
> Is this still the case? Is
>> On 10/7/2013 6:18 AM, Simon Matter wrote:
>>> Hi Tom and all,
>>>
>>> I started to play a bit with the AutoBL action on a CentOS 6 box and
>>> ran
>>> into the following problems:
>>>
>>> 1) The action.AutoBL doesn
> On 10/7/2013 6:18 AM, Simon Matter wrote:
>> Hi Tom and all,
>>
>> I started to play a bit with the AutoBL action on a CentOS 6 box and ran
>> into the following problems:
>>
>> 1) The action.AutoBL doesn't work for me until I patch it like so:
>
Hi Tom and all,
I started to play a bit with the AutoBL action on a CentOS 6 box and ran
into the following problems:
1) The action.AutoBL doesn't work for me until I patch it like so:
--- /usr/share/shorewall/action.AutoBL.orig 2013-10-01
00:59:42.0 +0200
+++ /usr/share/shorewall/ac
> It looks as problem in 4.5.20 folder only.
>
> http://canada.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt
> Forbidden
> You don't have permission to access
> /pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt
> on this server.
>
>
> Apache Server at canada.shorewall.net Por
> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote:
>> IP Forwarding is used when you need to send packets from one interface
> to
>> another. So if you're using Shorewall there's a good chance you're doing
>> this if you're using it as a firewall for a LAN. By default it's turned
>> off
> Hi all:
>
> I'm running a public ntp server (member of the ntp.org pool) behind my
> Shorewall box.
>
> The ntp server is up and running and I see on my status page on ntp.org
> that all is well with my ntp server.
>
> However a few hosts are filling my firewall logs with packets that looks
> to
> On 25/02/2013 12.28, Simon Matter wrote:
>>> Hello to the list,
>>> I update a RedHat server from 6.3 to 6.4 and install the last shorewall
>>> rpm 4.5.13.0-1.el6, after this shorewall not start at boot and show
>>> the
>>> error ERROR:
> Hello to the list,
> I update a RedHat server from 6.3 to 6.4 and install the last shorewall
> rpm 4.5.13.0-1.el6, after this shorewall not start at boot and show the
> error ERROR: Your kernel/iptables do not include state match support. No
> version of Shorewall will run on this system, after
Hi Tom and all,
I've just updated a box to 4.5.11.1 and it won't start with
Loading Modules...
ERROR: Invalid modules file entry /usr/share/shorewall/modules.xtables
(line 45)
from /usr/share/shorewall/modules (line 23)
Looks like this patch is wrong
--- shorewall-4.5.11/modules.xtables
> I've got a project coming up that requires me to protect hosts from each
> other within a network. Specifically, we've a class C subnet, and some
> addresses are assigned to customers (only a handful) we resell bandwidth
> to. At present they are just plugged into our frontend network - not as
>
> On Mon, 8 Oct 2012, Tom Eastep wrote:
>
>> On 10/08/2012 04:44 AM, andre...@apf.it wrote:
>>> On Sun, 7 Oct 2012, Elio Tondo wrote:
>>>
On 07/10/2012 02:20, Tom Eastep wrote:
> On 10/6/12 7:57 AM, andre...@apf.it wrote:
>>
>> Are there some simple work around to use shore
> Hello,
> During Shorewall/Shorewall6 installation the following files are
> installed:
>
> /etc/logrotate.d/shorewall:
>
> /var/log/shorewall-init.log {
> missingok
> notifempty
> create 0600 root root
> }
>
> /etc/logrotate.d/shorewall6:
>
> /var/log/shorewall6-init.log {
> missing
> The Shorewall Team is pleased to announce the availability of Shorewall
> 4.5.0.
Hi Tom and Team,
Thanks for the new release!
It looks like the LIBEXEC / PERLLIB handling is broken now :)
I hope attached patch fixes it.
Thanks,
Simon
--- shorewall-4.5.0/install.sh.orig 2012-02-12 20:12:07.0
> Hi list,
>
> Just wanted to throw out a heads up. I am not sure if it is just my
> setup or quite
> possibly a CentOS feature, but here goes.
>
> I upgraded my CentOS 6.1 to 6.2 yesterday and when I did some checking
> I had
> found out the upgrade disabled shorewall startup. It had even c
> On Tue, 2011-11-01 at 08:06 +0100, Simon Matter wrote:
>
>> While 4.4.25 works fine on our RHEL6 systems I just discovered that it
>> doesn't work on the old RHEL4 based systems. The problem is with traffic
>> shaping, with tcdevices:
>>
>> eth1
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.25.
Hi,
While 4.4.25 works fine on our RHEL6 systems I just discovered that it
doesn't work on the old RHEL4 based systems. The problem is with traffic
shaping, with tcdevices:
eth1 5000kbit 500kbit
> On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote:
>
>> That's what I get:
>>
>> # shorewall check
>> Checking...
>> Global symbol "$rate" requires explicit package name at
>> /usr/libexec/shorewall/Shorewall/Tc.pm line 583.
>
> On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote:
>
>>
>> Thanks, I quickly tested it on one of the existing systems with 4.4.24
>> but
>> it fails to compile - I guess I need 4.4.25beta for it.
>
> Just tested the attached version on 4.4.24.1.
T
>
> On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote:
>
>>
>> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote:
>>>>
>>>> Finally, disabling generic-receive-offload fixes the whole mess :)
>>>>
>>
>> For future reference, what ty
>
> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote:
>>>
>>> Finally, disabling generic-receive-offload fixes the whole mess :)
>>>
>
> For future reference, what type of NIC do you have that shows this
> behavior?
It's an intel adapter as
>>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>>>
>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>>> >>>
>>>
> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>> >>>
>> >>> Tom, did yo
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:
>> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>> >
>> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which
>> is
>> >> RHEL6-based and I'm seeing no
> On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>
>> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is
>> RHEL6-based and I'm seeing no problem.
>
> I've done a bit more testing. Foobar6.1 is running kernel
> 2.6.32-131.17.1 whereas my Centos6 installation is running
> 2
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote:
>> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote:
>>
>> >
>> > You might try this suggestion from the Shorewall TC HOWTO:
>> >
>> > Note
>> >
>> > For fast lines, the actual download speed may be well below
>> >
> On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote:
>> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote:
>>
>> > Thanks for your effort in the early morning :)
>> > I'll try what you suggested. The funny thing is that the RHEL4 boxes
>> with
Hi,
I've just realized that something seems to be wrong with traffic shaping
on two systems which were running RHEL4 and are now running RHEL6. While
trying to find what is wrong I even simplified the config but it just
doesn't seem to work as it has with EL4. The test config looks like this
(eth2
> Simon Matter wrote:
>
>>I'm afraid I don't really understand all details and also I don't have
>> any
>>experience with ADSL/PPPoE stuff. But I have something using Cable here
>>which looks a bit similar so maybe you could try like so:
>>
> Possibly OT since this may or may not involve Shorewall - it largely
> depends on what I can get to work !
>
> I need to setup a router on an ADSL line where multiple IPs are
> provided by the ISP.
>
> Hardware wise, we'd probably use a Linksys WRT54GL running OpenWRT
> and a Draytek Vigor 120 mo
>
> This thread on OpenVPN has made me wonder if I have this setup correctly.
> (I'm not exactly a shorewall-noobie,
> but I find much of the shorewall talk difficult to follow.)
>
> I have a VPN zone:
> --
> vpn ipv4
> --
> and a
> On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote:
>> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
>> > I understand that the wildcard "+" is caught here but how would a
>> > wildcard like "eth+" work in this case?
>>
>> It
1 - 100 of 146 matches