Re: [Shorewall-users] Throughput problem

2024-01-08 Thread Simon Matter
> Shorewall version 5.2.8 on RHEL 7 virtualized on Ovirt hypervisors, > routing and filtering traffic between 5 networks full of VMs via VLANs > in Ovirt. > All virtual VM interfaces (including Shorewall VM), are on 10 Gbps. > > Effective speed between VMs on same network segment is full 10 Gbps. >

Re: [Shorewall-users] why do I have requests from inside apache server with source ports 80 and 443

2023-10-26 Thread Simon Matter
Hi, > >> Some comments: >> (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than >> Web(ACCEPT) which just combines the two. > > I don't understand why Web exist so, if not recommended to use it. > I replaced Web by HTTP and HTTPS lines, and of course, nothing changed. > I guess

Re: [Shorewall-users] IP address change not surviving reboot

2023-08-15 Thread Simon Matter
Hi Philip, > This may be an underlying Linux problem but I first of all need to run > it past you guys and gals here as few people on Linux forums will be > familiar with Shorewall. > > We have a Shorewall firewall at the school where I volunteer, protecting > the school network from a Raspberry P

Re: [Shorewall-users] ineffective shorewall ban

2023-02-13 Thread Simon Matter
Hi Yassine, > Hello All, > > Today, > Something caught my attention while looking for errors in log files. > > [code] > root@messagerie-principale[10.10.10.19] ~ # tail -f > /var/log/apache2/roundcube.error /var/log/fail2ban.log > /var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log >

Re: [Shorewall-users] ROUTES file and routing traffic

2023-01-18 Thread Simon Matter
Hi, > I am trying to route traffic from LOC to a network I have configured in > the routes file. I may be wrong here but I think the routes file is used for special cases when you have more than one internet connections and such things. For your case, did you add a routing entry to the hosts rou

Re: [Shorewall-users] TTL on Oracle connections

2022-11-09 Thread Simon Matter
M Vieri Di Paola > wrote: > >> On Wed, Nov 9, 2022 at 8:15 AM Simon Matter >> wrote: >> > >> > > The Fortinet admin has set the following in his FW: >> > > >> > > set protocol 6 >> > > set timeout 28

Re: [Shorewall-users] TTL on Oracle connections

2022-11-08 Thread Simon Matter
> Hi, > > There are hosts in my LAN behind a Shorewall FW that need to keep > Oracle connections alive (tcp 1521) with other hosts that are behind a > remote Fortinet Fortiguard FW. > > The Fortinet admin has set the following in his FW: > > set protocol 6 > set timeout 2880

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-03 Thread Simon Matter
> Il giorno sab, 02/04/2022 alle 18.18 +0200, Simon Matter ha scritto: >> So, what speed do you get when you check on the firewall itself? > > I have install and run speedtest-cli, this is last check: > > Tes

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-02 Thread Simon Matter
> Il giorno sab, 02/04/2022 alle 10.37 +0200, Simon Matter ha scritto: >> I'd suggest to check with ethtool if all interfaces are really on >> 1Gbps. >> This sound like you have a 100Mbps somewhere. > > This is ethtool output[1] > > the only difference compare

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-02 Thread Simon Matter
> Il giorno ven, 01/04/2022 alle 14.44 -0400, Robert K Coffman Jr. -Info > From Data Corp. ha scritto: >> Do you have any traffic shaping configured? > No, it is not configured > > cat /etc/shorewall/tc* | grep -v '^#'|wc -l > 0 > >> > >> > Seem that the firewall pass through limited the traffic s

Re: [Shorewall-users] Google Classroom Video not making it through firewall

2022-03-30 Thread Simon Matter
> Hello Matt, > > Thank you so much for your reply. Unfortunately when I perform the > 'shorewall clear' command, I lose all access to the outside world Maybe you have to enable ip forwarding once you disable shorewall? Simon > (internet) so I am unable to test. > > Thank you for your time. > >

Re: [Shorewall-users] Unable to connect to an HTTPS service

2022-02-28 Thread Simon Matter
> I'd say the problem is on the host that might not have all packages > updated, namely the ca-certificates (or equivalent) package. At a first > glance it doesn't seem like a firewall problem. > > @Vieri, please try to do a yum/apt (or equivalent depending on the > machine OS package manager) upda

Re: [Shorewall-users] Do not load specific Linux kernel modules

2022-02-28 Thread Simon Matter
Hi Vieri, > Hi, > > I'm trying to solve some possible SIP issues in my LAN, and I'd like > to temporarily disable SIP-related Linux kernel modules. > It seems that shorewall loads the modules according to the content of > /usr/share/shorewall/helpers. Instead of touching that file I'd rather > set

Re: [Shorewall-users] Socket6::gethostbyname2 not implemented on this architecture

2022-02-07 Thread Simon Matter
> On Sun, 2022-02-06 at 10:58 -0500, Brian J. Murrell wrote: >> >> >> Well, it is, in that shorewall is using obsoleted interfaces. > > > There is now an MR at > https://gitlab.com/shorewall/code/-/merge_requests/5 to migrate to > newer, supported interfaces. What's wrong with the other method you

Re: [Shorewall-users] Shorewall 5.2.3.2 - Port forwarding

2021-12-27 Thread Simon Matter
> Hi > I like to setup shorewall to accept connection from my IP from port 4442 > and shorewall will forward that to port 22 ssh > I tried this but doesn't work > ACCEPT net:192.168.0.203 fw tcp 22 4442 I'm quite sure you want to use a DNAT or REDIRECT rule here instead

Re: [Shorewall-users] Shorewalll blocks Docker url

2021-09-03 Thread Simon Matter
>> Please check, it should probably be > >> ?FORMAT 2 > >> Note the space! > > The output is: > > > [root@franz-820 shorewall]# tail -n 7 interfaces > ?FORMAT 2 > net wlp2s0 detect > net wlp0s20f0u1 detect > net enp0s31f6 detect > dock docker0 bridge > > > [root@franz-8

Re: [Shorewall-users] Shorewalll blocks Docker url

2021-09-03 Thread Simon Matter
> >> This assumes that the content of '/etc/shorewall' was not modified. > >> Please try this > >> $ tail -n 7 interfaces >> ?FORMAT2 >> net wlp2s0 detect >> net wlp0s20f0u1 detect >> net enp0s31f6 detect >> dock docker0 bridge >> $ shorewall check && shorewall start > > The output is: > > > > [roo

Re: [Shorewall-users] dhcp relay agent

2020-12-16 Thread Simon Matter
> Hi, > > I configured dhcrelay on my shorewall router to send DHCP requests to > a remote DHCP server. I need to listen for DHCP requests on on one > interface (say lan.1). However, this interface has multiple IP > addresses/netmasks. The remote DHCP server has only one scope and only > one of the

Re: [Shorewall-users] dhcrelay

2020-11-23 Thread Simon Matter
> Hi, > > I configured dhcrelay so that clients in my "lan1" zone should get IP > addr. leases from a server in my "ibs" zone. > > This is the command I run: > > /usr/sbin/dhcrelay -q -i lan.1 10.215.137.54 > > BTW, a foreground run shows messages such as: > > Forwarded BOOTREQUEST for a4:bb:6d:03:

Re: [Shorewall-users] routing error when reloading shorewall

2020-10-27 Thread Simon Matter
> Hi, > > What does this message mean, and what should I look for to fix it? > > Error: Invalid prefix for given prefix length. >ERROR: Command "ip -4 route replace 10.215.106.193/26 via > 172.28.17.110 dev ibs table 254" Failed > > In my routes file I have: > > main 10.215.106.0/26

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-07 Thread Simon Matter
>> On 10/6/20 8:50 AM, Matt Darfeuille wrote: >>> On 10/6/2020 5:11 PM, Tom Eastep wrote: >>>> On 10/6/20 7:33 AM, Simon Matter wrote: >>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >>>>>>>>> Compilation

Re: [Shorewall-users] accept HTTP request / drop HTTP reply

2020-10-07 Thread Simon Matter
> On Wed, Oct 7, 2020 at 1:31 PM Simon Matter > wrote: >> >> > Hi, >> > >> > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT >> > rule such as the following >> > >> > ACCEPT lan1:10.215.144.0/23 wan

Re: [Shorewall-users] accept HTTP request / drop HTTP reply

2020-10-07 Thread Simon Matter
> Hi, > > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT > rule such as the following > > ACCEPT lan1:10.215.144.0/23 wan tcp,udp 80,443 > > I'd like to know why I am seeing the following in the shorewall log > when a user accesses a web page: > > kernel: Shorewa

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-07 Thread Simon Matter
> On 10/6/20 8:50 AM, Matt Darfeuille wrote: >> On 10/6/2020 5:11 PM, Tom Eastep wrote: >>> On 10/6/20 7:33 AM, Simon Matter wrote: >>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >>>>>>>> Compilation will only happen

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-06 Thread Simon Matter
> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >> >> Compilation will only happen when '/etc/shorewall' is modified. >> >> So if I'm not mistaking, updating the firewall will not trigger a >> >> recompilation. >> >>

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-06 Thread Simon Matter
> On 10/4/20 10:18 AM, Matt Darfeuille wrote: >> On 10/4/2020 6:58 PM, Simon Matter wrote: >>> Hi, >>> >>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just >>> to >>> see that the rules haven't been updated

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-04 Thread Simon Matter
> On 10/4/20 10:18 AM, Matt Darfeuille wrote: >> On 10/4/2020 6:58 PM, Simon Matter wrote: >>> Hi, >>> >>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just >>> to >>> see that the rules haven't been updated

[Shorewall-users] Shorewall reload doesn't reload?

2020-10-04 Thread Simon Matter
Hi, I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just to see that the rules haven't been updated: [root@abc ~]# shorewall reload Reloading Shorewall Initializing... Processing /etc/shorewall/init ... Setting net.netfilter.nf_conntrack_max = 1048576 Processing /etc/shore

Re: [Shorewall-users] Cannot ping between hosts in the same zone but with different netmasks

2020-07-14 Thread Simon Matter via Shorewall-users
> On Sat, Jul 11, 2020 at 9:49 PM Tom Eastep wrote: >> >> On 7/11/20 2:40 AM, Vieri Di Paola wrote: >> >> What was your 'shorewall iptrace command? > > If I just run 'shorewall iptrace' with no filter, won't that just > trace all packets? > >> > I saved a tcpdump taken on the Shorewall system to a

Re: [Shorewall-users] preempt and ksoftirqd

2019-10-29 Thread Simon Matter via Shorewall-users
> On Tue, Oct 29, 2019 at 3:17 PM Simon Matter > wrote: >> >> So you have 4 real cores, not 8. From how I understand it one fully used >> core (one of the 4) can have a negative impact on its (virtual) sibling. > > Yes, but why does the following command have absolut

Re: [Shorewall-users] preempt and ksoftirqd

2019-10-29 Thread Simon Matter via Shorewall-users
> Hi, > > On Tue, Oct 29, 2019 at 2:54 PM Simon Matter via Shorewall-users > wrote: >> >> ~1 minute? Do you have an insane number of rules somehow? > > Yes. > >> One thing I was wondering, are the 8 cores real cores or 4 with HT? > > # lscpu &g

Re: [Shorewall-users] preempt and ksoftirqd

2019-10-29 Thread Simon Matter via Shorewall-users
Hi, > Hi, > > I have a rather busy network, and my ksoftirqd processes are using > quite a lot of CPU. I'm trying to optimize my NIC settings, but I > think I can't get any better unless I change hardware. > > However, I want to make sure I prioritize CPU power for the ksoftirqd > processes becaus

[Shorewall-users] Alternative to Linux/ProxyARP with BSD Unix

2019-07-23 Thread Simon Matter via Shorewall-users
Hi, We're using proxyarped hosts as described here http://www.shorewall.org/ProxyARP.htm to run firewalls without the hassle of doing NAT. It works so well that I was wondering how the same could be achieved on other operating systems like the different BSD Unices. Does anybody know if the same m

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-15 Thread Simon Matter
> OK, I'm seeing a very odd behavior here, but at least I can now easily > reproduce the issue. > > I have a test host with IP address 192.168.215.200 pinging continuously > the Shorewall FW at 192.168.215.1. > At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5 > on the FW is con

Re: [Shorewall-users] How is params file really executed?

2018-03-08 Thread Simon Matter
> On 03/08/2018 08:40 AM, Tom Eastep wrote: >> On 03/07/2018 02:31 AM, Simon Matter wrote: >>>> On 3/7/2018 8:58 AM, Simon Matter wrote: >>>>> Hi Tom and all, >>>>> >>>>> I've just decided to add some more autodetection code so

Re: [Shorewall-users] How is params file really executed?

2018-03-07 Thread Simon Matter
> On 3/7/2018 8:58 AM, Simon Matter wrote: >> Hi Tom and all, >> >> I've just decided to add some more autodetection code some params file. >> >> One of the lines looks something like this: >> read -rs LOC_NETADDR DUMMY 2> /dev/null < <(ip -o

[Shorewall-users] How is params file really executed?

2018-03-07 Thread Simon Matter
Hi Tom and all, I've just decided to add some more autodetection code some params file. One of the lines looks something like this: read -rs LOC_NETADDR DUMMY 2> /dev/null < <(ip -o route list proto kernel scope link dev "$LOC_IF" 2> /dev/null) The result was a shell error: /etc/shorewall/params

Re: [Shorewall-users] shorewall-5.1.4.4 won't masquerade

2017-07-20 Thread Simon Matter
> My masquerade config is simple exactly like Example 1 here: > > http://shorewall.org/manpages/shorewall-masq.html > > It has worked for a very long time and works on 5.0.15.6 but not on > 5.1.4.4 or 5.1.5. Any ideas? Hi, I think you have to update your config because it now uses the snat file

Re: [Shorewall-users] routing issue with rtrules (with SW dump)

2017-06-21 Thread Simon Matter
> > > From: Simon Matter > >>> This is the failing ping performed on $FW: >>> >>> # ping -I 10.215.246.91 10.215.236.123 -c 1 >> >> Last week you asked the list about a possible arp cache issue. Did you >

Re: [Shorewall-users] routing issue with rtrules (with SW dump)

2017-06-20 Thread Simon Matter
> Hi, > > I used to ping correctly from the shorewall FW to a remote host's IP > address in particular zone (CAIB, see below). > > Somehow, this ping is failing now, and I don't know if it's a config error > on my behalf or that the remote host stopped replying. > > This is the failing ping perform

Re: [Shorewall-users] traffic does not flow through firewall/router

2017-06-15 Thread Simon Matter
> > > From: Simon Matter >> >> Exactly, what about the rest of the network, switches/routers, how do >> they > >> know about the FW change? (I guess the easiest solution would be to >> simply> reboot those devices after

Re: [Shorewall-users] traffic does not flow through firewall/router

2017-06-15 Thread Simon Matter
> Hi, > > I'm trying to update to shorewall 5.1 with a config that is *supposedly* > working with 5.0. > > In any case, I'm trying to ping from a host in lan zone with IP addr. > 10.215.144.48 to a host in IBS zone with IP addr. 10.215.9.172. > ICMP traffic should be allowed but the client isn't re

Re: [Shorewall-users] open command

2017-03-24 Thread Simon Matter
> On Fri, 24 Mar 2017 08:19:49 -0700 Tom Eastep > wrote: > >> > I tried, but got: ERROR: A non-empty SWITCH column requires >> > Condition Match in your kernel and iptables /etc/shorewall/rules >> > (line 58) >> > >> > It is a CentOS 6 system, probably it does not have Condition >> > Match? >> >>

Re: [Shorewall-users] Can't Figure Out What I'm Doing Wrong

2017-03-15 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/15/2017 06:28 PM, Ryan Joiner wrote: >> Ahh, I do see that and that would definitely be a problem. >> >> What's odd though is I copied and pasted it from the sample file >> and I'm pretty sure it was not incorrect. Maybe that is the >>

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-09 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/09/2017 09:27 AM, Tom Eastep wrote: > >> >> Actually, it looks like PERSISTENT=Yes will already work for the >> reload command. >> > > And the -n option is available with the 'reload' command. Hi Tom, you're right, both methods are the

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-09 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/09/2017 08:20 AM, Simon Matter wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >>> >>> On 03/08/2017 10:15 PM, Simon Matter wrote: >>> >>>> >>>> After

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-09 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/08/2017 10:15 PM, Simon Matter wrote: > >> >> After doing countless reloads I found a way to prevent those >> connections from being killed. Removing "routefilter" from eth2 >> seems to

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-08 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/08/2017 11:14 AM, Simon Matter wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >>> >>> On 03/07/2017 11:33 PM, Simon Matter wrote: >>>> Hi Tom and all, >>>> &

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-08 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 03/07/2017 11:33 PM, Simon Matter wrote: >> Hi Tom and all, >> >> Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a >> new problem with longstanding TCP connections being killed during &

Re: [Shorewall-users] TCP connection dead after shorewall reload

2017-03-08 Thread Simon Matter
> Hi Tom and all, > > Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a new > problem with longstanding TCP connections being killed during "shorewall > reload". Just in case it help I've attached a diff of the compiled firewall script. Simon firewall.diff Description: Binary da

[Shorewall-users] TCP connection dead after shorewall reload

2017-03-07 Thread Simon Matter
Hi Tom and all, Since upgrading from shorewall-5.1.1 to shorewall-5.1.2.1 I have a new problem with longstanding TCP connections being killed during "shorewall reload". This has never happened before so I guess it has something to do with the new defaults. An interesting point is that it happens

Re: [Shorewall-users] Shorewall init script missing

2017-01-26 Thread Simon Matter
> On 26.1.2017. 18:00, Tom Eastep wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> On 01/26/2017 03:38 AM, Ivica Glavocic wrote: >>> Hi all >>> >>> Linux multi interface box, Oracle Enterprise Linux 6.8 x64 (RHEL >>> with unbreakable kernel 4.1.12-61.1.25.el6uek.x86_64), clean >>>

Re: [Shorewall-users] [Shorewall-announce] Shorewall 5.0.14

2016-11-04 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 11/04/2016 12:28 AM, Simon Matter wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >>> >>> The Shorewall Team is pleased to announce the availability of >>> Shorewall 5.0.14.

Re: [Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip

2016-11-04 Thread Simon Matter
> > > -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 10/28/2016 12:11 PM, Ryan Joiner wrote: > What would be the command to disable them for CentOS7? I have > searched a bunch but couldn't find anything. a) rmmod nf_nat_sip rmmod nf_conntrack_s

Re: [Shorewall-users] [Shorewall-announce] Shorewall 5.0.14

2016-11-04 Thread Simon Matter
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > The Shorewall Team is pleased to announce the availability of > Shorewall 5.0.14. Hi Tom and Team, Thanks for the new release! I just found a little issue, it can be seen by comparing the samples as shown below. First I was trying what kind

Re: [Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip

2016-11-03 Thread Simon Matter
> >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> On 10/28/2016 12:11 PM, Ryan Joiner wrote: >> >>> What would be the command to disable them for CentOS7? I have >>> searched a bunch but couldn't find anything. >> a) rmmod nf_nat_sip >> rmmod nf_conntrack_sip >> a) Set AUTOHELPE

Re: [Shorewall-users] Stricter "interfaces" check

2016-10-12 Thread Simon Matter
> On Tue, Oct 11, 2016 at 5:49 PM, Tom Eastep wrote: > > I believe that this particular class of user blunder is best guarded >> against by setting IGNOREUNKNOWNVARIABLES=No in shorewall[6].conf, >> > > Oh dear! Is there something you didn't thought about when designing > Shorewall? :-) It really

Re: [Shorewall-users] [Shorewall-devel] I'll be off of the list for several days

2015-11-17 Thread Simon Matter
Hi Tom, Thanks for all you work on shorewall, I wish you all the best! Regards, Simon > I have a health issue that I will be dealing with. Hope to be back next > week. > > -Tom > -- > Tom Eastep\ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in h

Re: [Shorewall-users] Shorewall 5.0.0

2015-10-12 Thread Simon Matter
> The Shorewall Team is pleased to announce the availability of Shorewall > 5.0.0. Hi Tom and Team, thanks for the new release and all the hard work you did on it! I'm wondering about the impact of the recent change concerning "WORKAROUNDS". Should I expect that shorewall-5 will still run on a

Re: [Shorewall-users] SIP messaging - Masquerading troubles

2015-05-15 Thread Simon Matter
> Hi all, > > I have two servers with public and private IP address running a sip proxy > on eth0 and asterisk box on eth1. Each box is running Shorewall 4.5.21. > Making calls within a server is fine but I would like the sip proxy to > also use asterisk box on the other machine for load balancing.

Re: [Shorewall-users] Please add support for tinc VPN in Shorewall

2014-12-12 Thread Simon Matter
> Thank you, > > On 11.12.2014 16:43, Eric Teeter wrote: > >> I have submitted a few macros myself, one macro.ActiveDir which is very >> complicated. >> >> PARAM - - udp 655 >> PARAM - - tcp 655 >> > > I'll write a macro, with proper comments, and I'll be happy to

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.6.0

2014-05-16 Thread Simon Matter
> On 5/16/2014 2:10 AM, Simon Matter wrote: >>> The Shorewall team is pleased to announce the availability of Shorewall >>> 4.6.0. >> >> Hi Tom and all, >> >> Thanks for the new release! >> >> I found an issue I'm not sure how to solv

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.6.0

2014-05-16 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.6.0. Hi Tom and all, Thanks for the new release! I found an issue I'm not sure how to solve, sorry for finding it only now that the release is out. I was having this in my tcrules file: # # fix udp checksums for dhcl

Re: [Shorewall-users] new to shorewall > need help with incorrect eth_wan link negotiation

2014-05-14 Thread Simon Matter
> After poking around, I ran the following command: /sbin/mii-tool -v > eth_wan > > > > and got these results: > > > > eth_wan: negotiated 100baseTx-FD flow-control, link ok > > product info: vendor 00:50:43, model 11 rev 1 > > basic mode: autonegotiation enabled > > basic status: autonego

Re: [Shorewall-users] Multiple ISP + traffic shaping = poor download speed

2013-12-04 Thread Simon Matter
> It's not. > > # ethtool -k eth1 > Offload parameters for eth1: > rx-checksumming: on > tx-checksumming: on > scatter-gather: on > tcp-segmentation-offload: off > udp-fragmentation-offload: off > generic-segmentation-offload: off > generic-receive-offload: off > large-receive-offload: off > ntuple

Re: [Shorewall-users] Is /etc/shorewall/tunnels still on the way out?

2013-11-07 Thread Simon Matter
> http://www.shorewall.net/VPNBasics.html#tunnels > > The /etc/shorewall/tunnels file provides no functionality that could not > be > implemented using entries in /etc/shorewall/rules and I have elimination > of > the /etc/shorewall/tunnels file as a long-term goal. > > Is this still the case? Is

Re: [Shorewall-users] AutoBL issues on CentOS 6

2013-10-08 Thread Simon Matter
>> On 10/7/2013 6:18 AM, Simon Matter wrote: >>> Hi Tom and all, >>> >>> I started to play a bit with the AutoBL action on a CentOS 6 box and >>> ran >>> into the following problems: >>> >>> 1) The action.AutoBL doesn

Re: [Shorewall-users] AutoBL issues on CentOS 6

2013-10-07 Thread Simon Matter
> On 10/7/2013 6:18 AM, Simon Matter wrote: >> Hi Tom and all, >> >> I started to play a bit with the AutoBL action on a CentOS 6 box and ran >> into the following problems: >> >> 1) The action.AutoBL doesn't work for me until I patch it like so: >&

[Shorewall-users] AutoBL issues on CentOS 6

2013-10-07 Thread Simon Matter
Hi Tom and all, I started to play a bit with the AutoBL action on a CentOS 6 box and ran into the following problems: 1) The action.AutoBL doesn't work for me until I patch it like so: --- /usr/share/shorewall/action.AutoBL.orig 2013-10-01 00:59:42.0 +0200 +++ /usr/share/shorewall/ac

Re: [Shorewall-users] hShorewall 4.5.20

2013-08-26 Thread Simon Matter
> It looks as problem in 4.5.20 folder only. > > http://canada.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt > Forbidden > You don't have permission to access > /pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt > on this server. > > > Apache Server at canada.shorewall.net Por

Re: [Shorewall-users] IP forwarding

2013-08-04 Thread Simon Matter
> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote: >> IP Forwarding is used when you need to send packets from one interface > to >> another. So if you're using Shorewall there's a good change you're doing >> this if you're using it as a firewall for a LAN. By default it's turned >> off

Re: [Shorewall-users] NTP attack?

2013-07-02 Thread Simon Matter
> Hi all: > > I'm running a public ntp server (member of the ntp.org pool) behind my > Shorewall box. > > The ntp server is up and running and I see on my status page on ntp.org > that all is well with my ntp server. > > However a few hosts are filling my firewall logs with packets that looks > to

Re: [Shorewall-users] RESOLVED: Re: RedHat 6.4 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

2013-02-26 Thread Simon Matter
> Il 25/02/2013 12.28, Simon Matter ha scritto: >>> Hello to the list, >>> I update a RedHat server from 6.3 to 6.4 and install the last shorewall >>> rpm 4.5.13.0-1.el6, after this shorewall not start at boot and show >>> the >>> error ERROR:

Re: [Shorewall-users] RedHat 6.4 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

2013-02-25 Thread Simon Matter
> Hello to the list, > I update a RedHat server from 6.3 to 6.4 and install the last shorewall > rpm 4.5.13.0-1.el6, after this shorewall not start at boot and show the > error ERROR: Your kernel/iptables do not include state match support. No > version of Shorewall will run on this system, after

[Shorewall-users] Typos in 4.5.11.1?

2012-12-31 Thread Simon Matter
Hi Tom and all, I've just updated a box to 4.5.11.1 and it won't start with Loading Modules... ERROR: Invalid modules file entry /usr/share/shorewall/modules.xtables (line 45) from /usr/share/shorewall/modules (line 23) Looks like this patch is wrong --- shorewall-4.5.11/modules.xtables

Re: [Shorewall-users] Protecting hosts from each other

2012-12-31 Thread Simon Matter
> I've got a project coming up that requires me to protect hosts from each > other within a network. Specifically, we've a class C subnet, and some > addresses are assigned to customers (only a handful) we resell bandwidth > to. At present they are just plugged into our frontend network - not as >

Re: [Shorewall-users] selinux

2012-10-08 Thread Simon Matter
> On Mon, 8 Oct 2012, Tom Eastep wrote: > >> On 10/08/2012 04:44 AM, andre...@apf.it wrote: >>> On Sun, 7 Oct 2012, Elio Tondo wrote: >>> On 07/10/2012 02:20, Tom Eastep ha wrote: > On 10/6/12 7:57 AM, andre...@apf.it wrote: >> >> Are there some simple work around to use shore

Re: [Shorewall-users] logrotate configs for Shorewall

2012-07-24 Thread Simon Matter
>Hello, >During Shorewall/Shorewall6 installation the following files are > installed: > > /etc/logrotate.d/shorewall: > > /var/log/shorewall-init.log { > missingok > notifempty > create 0600 root root > } > > /etc/logrotate.d/shorewall6: > > /var/log/shorewall6-init.log { > missing

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.5.0

2012-02-13 Thread Simon Matter
> The Shorewall Team is pleased to announce the availability of Shorewall > 4.5.0. Hi Tom and Team, Thanks for the new release! It looks like the LIBEXEC / PERLLIB handling is broken now :) I hope attached patch fixes it. Thanks, Simon--- shorewall-4.5.0/install.sh.orig 2012-02-12 20:12:07.0

Re: [Shorewall-users] CentOS 6.1 to 6.2 upgrade FYI

2011-12-22 Thread Simon Matter
> Hi list, > > Just wanted to throw out a heads up. I am not sure if it is just my > setup or quite > possibly a CentOS feature, but here goes. > > I upgraded my CentOS 6.1 to 6.2 yesterday and when I did some checking > I had > found out the upgrade disabled shorewall startup. It had even c

Re: [Shorewall-users] [Shorewall-devel] Shorewall 4.4.25

2011-11-01 Thread Simon Matter
> On Tue, 2011-11-01 at 08:06 +0100, Simon Matter wrote: > >> While 4.4.25 works fine on our RHEL6 systems I just discovered that it >> doesn't work on the old RHEL4 based systems. The problem is with traffic >> shaping, with tcdevices: >> >> eth1

Re: [Shorewall-users] [Shorewall-devel] Shorewall 4.4.25

2011-11-01 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.25. Hi, While 4.4.25 works fine on our RHEL6 systems I just discovered that it doesn't work on the old RHEL4 based systems. The problem is with traffic shaping, with tcdevices: eth1 5000kbit 500kbit

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-18 Thread Simon Matter
> On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote: > >> That's what I get: >> >> # shorewall check >> Checking... >> Global symbol "$rate" requires explicit package name at >> /usr/libexec/shorewall/Shorewall/Tc.pm line 583. >&

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote: > >> >> Thanks, I quickly tested it on one of the existing systems with 4.4.24 >> but >> it fails to compile - I guess I need 4.4.25beta for it. > > Just tested the attached version on 4.4.24.1. T

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> > On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote: > >> >> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>>> >>>> Finally, disabling generic-receive-offload fixes the whole mess :) >>>> >> >> For future reference, what ty

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> > On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>> >>> Finally, disabling generic-receive-offload fixes the whole mess :) >>> > > For future reference, what type of NIC do you have that shows this > behavior? It's an intel adapter as

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
>>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>&g

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>> >>> >>>

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >> >>> >> >>> Tom, did yo

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-13 Thread Simon Matter
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I'm seeing no

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-13 Thread Simon Matter
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I'm seeing no

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-12 Thread Simon Matter
> On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: > >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is >> RHEL6-based and I'm seeing no problem. > > I've done a bit more testing. Foobar6.1 is running kernel > 2.6.32-131.17.1 whereas my Centos6 installation is running > 2

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-12 Thread Simon Matter
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actual download speed may be well below >> >

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
> On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote: >> >> > Thanks for your effort in the early morning :) >> > I'll try what you suggested. The funny thing is that the RHEL4 boxes >> with

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actual download speed may be well below >> >

[Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
Hi, I've just realized that something seems to be wrong with traffic shaping on two systems which were running RHEL4 and are now running RHEL6. While trying to find what is wrong I even simplified the config but it just doesn't seem to work as it has with EL4. The test config looks like this (eth2

Re: [Shorewall-users] Multiple public IPs, same IP in LAN and PPPoE client ?

2011-09-06 Thread Simon Matter
> Simon Matter wrote: > >>I'm afraid I don't really understand all details and also I don't have >> any >>experience with ADSL/PPPoE stuff. But I have something using Cable here >>which looks a bit similar so maybe you could try like so: >>

Re: [Shorewall-users] Multiple public IPs, same IP in LAN and PPPoE client ?

2011-09-06 Thread Simon Matter
> Possibly OT since this may or may not involve Shorewall - it largely > depends on what I can get to work! > > I need to set up a router on an ADSL line where multiple IPs are > provided by the ISP. > > Hardware-wise, we'd probably use a Linksys WRT54GL running OpenWRT > and a Draytek Vigor 120 mo

Re: [Shorewall-users] Problem With OpenVPN Connectivity

2011-07-30 Thread Simon Matter
> > This thread on OpenVPN has made me wonder if I have this setup correctly. > (I'm not exactly a shorewall-noobie, > but I find much of the shorewall talk difficult to follow.) > > I have a VPN zone: > -- > vpn ipv4 > -- > and a

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.20.2

2011-06-15 Thread Simon Matter
> On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote: >> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote: >> > I understand that the wildcard "+" is caught here but how would a >> > wildcard like "eth+" work in this case? >> >> It