setup):
> 0 6 - 13/Mar/2024:16:19:50 + Sh6:rplog:DROP:IN=AMS2
> SRC=2001:470:1:18::3:1280 DST=fdbf:1d37:bbe0:0:48::35 LEN=1240 TC=0
> FLOWLBL=0 HOPLIMIT=240 PROTO=ICMPV6 TYPE=2 CODE=0 MTU=1280
Note rplog here. That means rpfilter is preventing this packet. That
means you have a probl
block
packet too big icmpv6. So you can't reach any of their servers with
IPv6 behind VPN.
--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
___
Shorewall-users mailing list
Shorewall-users@
TOHELPERS enabled
any more. I suggest you switch to AUTOHELPERS=No and test again because
you likely have a kernel later than 3.5.
https://shorewall.org/Helpers.html#idm217
--
don't have
issues with startup failing if ipset is missing which was one issue
we found with ipset based solution.
https://github.com/FoobarOy/foomuuri/wiki/Configuration#resolve
That's not shorewall but created by guys who used shorewall for 20
years.
--
.exist.com tcp 443
I suggest you read this part of documentation before using dns names in
your config. Especially the first Caution.
https://shorewall.org/manpages/shorewall-names.html#idm30
--
2.168.0.0/24 eth0
So source must be a network, not an interface.
Also note /etc/shorewall/masq is deprecated.
--
nstalled. Other than that, I'm not
> remembering anything.
It also works very well with iptables-nft (so without iptables-legacy).
--
tocol name, so shorewall developers decided to
add HTTP and HTTPS macros which are actual protocol names instead. But
to make sure old firewall installs won't break on shorewall upgrade,
old Web macro was left there.
--
should be /var/log/syslog. Because shorewall does not itself do logging
(the kernel does), LOGFILE in shorewall.conf tells shorewall where to
find the log, not where to log.
--
On Tue, 6 Jun 2023 09:51:05 -0400
Alex wrote:
> On Wed, May 3, 2023 at 4:55 PM Tuomo Soini wrote:
>
> > Read the announcement message from netfilter mailinglist archive.
> >
> > https://marc.info/?l=netfilter=168198959919079=2
>
>
> Is there a mig
Read the announcement message from netfilter mailinglist archive.
https://marc.info/?l=netfilter=168198959919079=2
--
to do any routing related
stuff and especially NOT multi-isp.
BGP4 routing is by definition asymmetric and managed by routing daemon.
You also do not want to have default route on your system at all.
--
ng and then this rule works just fine.
>
> I could not find a setting for this in shorewall.conf, but it's easy
> enough to have it applied at every boot, so I'm fine.
You can add that config to /etc/sysctl.d/50-local.conf for example.
--
0 TTL=128 ID=4850 DF
> PROTO=TCP SPT=51232 DPT=1883 WINDOW=64240 RES=0x00 SYN URGP=0
REDIRECT does not change destination ip - you
need to change your software to listen on all ip addresses for redirect
to work. DNAT is the way if you need to change destination ip.
--
hout logging, if you don't want to see those packets, add
dropInvalid to DROP_DEFAULT. It is that easy.
--
ee data port in command packet
to open data connection and because TLS encrypts command channel
conntrack module can't handle it. That is why FTP has always been a
horrible option for data transfers with firewalling.
FTP is dead - move to SFTP which uses ssh protocol.
--
well.
I take from this your issue is pure logging of this access.
I'd just drop that connection try without logging like this:
HTTP(DROP) net: $FW
--
from inet zone, dhcp
> interface is getting ipv4 address .
> But for ipv6 the advertise packets(packets from dhcpv6 server) are
> getting dropped by the firewall. Why is this happening? Any input
> will be helpful.
check /etc/shorewall6/interfaces for option dhcp
--
On Sat, 12 Feb 2022 13:45:45 -0500
"Brian J. Murrell" wrote:
> On Tue, 2022-02-08 at 10:36 +0200, Tuomo Soini wrote:
> >
> > I'll test the patch on rhel7 based system and we'll see if that
> > works there - I don't think there is any older supported distro out
acket, not untracked.
So the alternative way would be to add this rule back but this time to the
NEW section.
> ACCEPT net:192.168.0.0/24 $FW udp - 1900
If you send packet to multicast address but you get response from
unicast address, that is a new connection.
--
which
is a good thing.
I'll test the patch on rhel7 based system and we'll see if that works
there - I don't think there is any older supported distro out there...
--
16384 0
> nf_log_common 16384 2 nf_log_ipv4,nf_log_ipv6
> nf_defrag_ipv6 16384 1 nf_conntrack
Are you compiling your own kernel?
You sure do need nf_reject_ipv6.
--
an just do routing and don't need to do
proxyndp. Giving a single network would be a violation of the RFCs; everybody
needs a proper IPv6 block from their isp, like /60 at minimum (16
networks) or /56 (256 networks).
--
eal (not public)
addresses in /etc/hosts on all servers so that packets won't go to
firewall.
--
routing, but it doesn't appear to have any ability to delete
> unwanted routes.
That means dedicated link must have ip address with netmask /32 and
static host route to other machine. Other interface has normal config.
It would be easier if you could use different network address for
dedicat
Unfortunately that is not possible because logging goes to journal and
then rsyslog reads logs from journal to log files.
--
eway from interface script, correct place to configure
is in /etc/shorewall/providers
--
ace.
And with multi-isp you are always required to reload shorewall after
operations to interface.
--
used if you
have it. If you have that script you should check what's in
/var/lib/shorewall/eth0.status file...
--
On Fri, 9 Jul 2021 10:33:34 +0100
Norman and Audrey Henderson wrote:
> HELP!
> I have a system in the cloud that was running Ubuntu 16.04 and
> ifupdown. One interface eth0 with two addresses, 0.38.15.82 and
> 0.38.15.83/29.
Network 0/8 is reserved and can not be used.
--
On Tue, 18 May 2021 17:57:32 -0400
tha...@letterboxes.org wrote:
> Feels like I'm finally close to getting this all working at the same
> time. I'm still missing the last piece -- ping6 from LAN to 'NET
I'd guess you forgot to enable ipv6 forwarding.
--
ref medium
2601:681:4100:d593::/64 dev tun0 proto kernel metric 256 pref medium
Using same network behind two interfaces won't work. You can't use same
network for OpenVPN and Wireguard VPN, routing won't work.
--
ewall development is done. https://shorewall.org is
generated from there. So https://shorewall.org is your primary
documentation source still.
--
SW router. Am I right?
That's not quite enough. When dhcp clients want to renew leases they
need unicast dhcp access to your dns server. You can do that in rules
with DHCPfwd macro.
DHCPfwd(ACCEPT) lan1ibs:10.215.137.54
The macro will allow traffic in both directions.
--
a day.
Remember to set shorewall-init or shorewall (but only one of these) to
save ipsets. Or your shorewall will fail to start on boot.
--
On Wed, 18 Nov 2020 18:34:39 +0100
Marko Horn via Shorewall-users
wrote:
> do you know about a step by step guide for "ipset shorewall guide"?
https://shorewall.org/blacklisting_support.htm#idm79
--
klisting. You don't even need to
reload shorewall to update ipset blacklist.
--
On Mon, 5 Oct 2020 01:42:59 +0200
Vieri Di Paola wrote:
> > I seriously doubt that the TLS handshake works when you try using
> > HTTPS. The proxy is a 'man in the middle' in that case.
You can't do transparent proxy for https.
--
al ip from firewall1 to
firewall2 and network continues to work in some seconds. Nothing else
changes but network flow moves from firewall to another.
--
ore.
This would work:
DNS(ACCEPT) vpn1,vpn2,vpn3 $INT_DNS
Or reverse idea, use all and exclude zones you don't want.
DNS(ACCEPT) all!net $INT_DNS
--
hrough the 4G provider...
>
> Or, the opposite, create a sort of list of devices in my network (tv
> box, tablet,..) and force them to be routed through the ADSL provider,
> not wasting 4G traffic..
Exactly.
--
rom 5.0+ documentation tree.
--
ed. Reason: We must not document bugs. We need to fix them.
--
-2001:470:a:227::10]:1000-1010
> Note: the internal ']-[' should be just a dash '-'.
Ok. That is really a bug in shorewall ipv6 range parser.
--
On Fri, 11 Jan 2019 16:20:53 +0100
Norman Henderson wrote:
> Trouble is, it doesn't look like it works that way - but I need to
> watch it for a while. Anyway I guess it isn't really Shorewall doing
> this, rather iproute2.
No. It's the kernel which handles routing.
--
%s ". That will give you more
characters to spend in zone names. For every two characters you strip
out from LOGFORMAT you get one character more for zone names.
--
On Fri, 4 Jan 2019 10:17:12 -0800
Tom Eastep wrote:
> We have no plans to make the Shorewall web sites and mirrors
> accessible via https.
The Finnish mirror is only accessible with https. Try
https://shorewall.fi/.
--
On Mon, 04 Jun 2018 21:12:54 -0400
"Brian J. Murrell" wrote:
> On Mon, 2018-06-04 at 23:51 +0300, Tuomo Soini wrote:
> >
> > Update to centos 7 latest kernels (3.10.0-862.*.el7) will fix the
> > issue.
>
> My Shorewall gateway is OpenWRT, so identif
7) will fix the
issue. Big ipv6 update was in kernel 3.10.0-862.el7. That eliminated
ipv6 neighbour cache, just like ipv4 code already worked.
--
You are using the deprecated Drop default action.
> Please see http://www.shorewall.net/Actions.html
Please note: action.Reject is deprecated. Not REJECT. And same for
action.Drop versus DROP.
http://www.shorewall.net/Actions.html#Default
And check for new shorewall.conf from 5.1.12.1 - you
complains about it not being a /64 but it works.
/64 is an absolute requirement for stateless autoconfiguration. It can not
work properly on a smaller network.
--
> Am I understanding correctly that Libreswan does -not- do NAT-T
> properly? If so, is there some way to mitigate this?
Libreswan does nat-t just fine.
--
ysconfig.txt for
> IPSEC setup.
As one of the Libreswan authors I'd note it's "Libreswan" - no capital
letters in the middle of the name, please.
When suggesting manual keying, please note it is horribly insecure and
should not be used:
https://tools.ietf.org/html/rfc8221#section-3
--
On Sun, 2 Jul 2017 12:14:14 +0100
Simon Hobson <li...@thehobsons.co.uk> wrote:
> Tuomo Soini <t...@foobar.fi> wrote:
>
> > Reason for the issue is browser creates tcp connection with proxy,
> > not with remote site so browser doesn't know tcp connection failed
>
know tcp connection failed with
destination site - so ipv6 to ipv4 fallback can't work.
--
t; sets an IEEE
> 802.3ad dynamic link aggregation policy which my router supports/is
> configured.
It's not about the router - it's about the switch your server is connected
to. The switch must support 802.3ad for bonding to work. Only active-backup
mode works with every switch without problems.
--
y one address is assigned. I am guessing that shorewall is
> reading the ifcfg-enp4s0f* files directly rather that after the bond
> is set up???
Shorewall only knows what you have configured; shorewall doesn't
read ifcfg files. If you configure bonding, leave the slave interfaces out
of shorewall
On Mon, 26 Dec 2016 08:15:49 +0100
Luke Jordan <lujjor...@gmail.com> wrote:
> Hi,
>
> it is possible to use NPTv6 for a multi-homing setup with shorewall6?
What do you mean with NPTv6 ?
--
sually tunnel type ipsecnat is what you want instead of
tunnel type ipsec.
--
:
> > [Unit]
> > After=network-online.target
> >
>
> Simply set LOCKFILE to the same value in both shorewall.conf and
> shorewall6.conf.
>
> -Tom
I did the ordering for services but that is the wrong approach. Like using
the same LOCKFILE is.
The correct thing is to dete
get noarch-linux $@ >> $LOGFILE 2>&1
> > do_or_die do_rpmbuild "-ba $RPMDIR/SPECS/${2}.spec"
> > teastep@gateway:~/shorewall/tools/build$
There is no target called "noarch-linux" on any rpm based system I know
of. It's "noarch".
--
ers when I said 5.0.0 is out :-(.
Another request by admins was this change to all config files:
sed -i -e 's/Shorewall \ version\ 5/Shorewall/'
Reason: the shorewall version is not relevant in config files. The config
file version is, but there is already ?VERSION for that.
--
ll software.
Also there is a real problem in 5.0.0. The default value is
LEGACY_RESTART=No - and old configs don't have this option! So
this now breaks all systems with old configs by causing traffic to stop
during restart.
--
try to modify/add config in providers file, then i get this
error:
Multi-isp is not the correct way to configure multiple ip aliases. Check
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html to find out the
correct ways to handle multiple ip addresses.
--
.
--
systems where you do something
like this: Note, I only use lsm for ipv4 here.
/etc/sysconfig/lsm:
#!/bin/sh
#
# LSM to Shorewall Multi-ISP integration script
#
# Copyright © 2009-2013 Tuomo Soini t...@foobar.fi
#
DAEMON_COREFILE_LIMIT=unlimited
VARDIR=$(/sbin/shorewall show vardir)
if [ $1
On Wed, 11 Apr 2012 15:42:58 -0600
Orion Poplawski or...@cora.nwra.com wrote:
+PERLLIBDIR=${PREFIX}/share/perl5
I think this should be ${PREFIX}/share/perl5/vendor_perl according to the
fedora perl packaging guidelines.
Only system perl installs to /usr/share/perl5.
--
names generally are for
protocols or software.
macro.Prelude works for Prelude IDS
This makes more sense from a naming point of view.
--
.
--
change things.
--
was not updated.
So just like I suspected: running shorewall-init causes conntrack to
load early enough for sysctl.
--
*full/10 2 default
eth2 3 2*full/10 8*full/10 2
--
.
I guess it's an unpatched centos - there was that kind of bug in rhel-5
iptables which was fixed by an iptables update.
--
bug in the kernel so this is a SuSE issue.
Btw. 4.4.8 is not the latest shorewall. 4.4.8.4 is.
--
Shorewall warn me :
ERROR: Interface eth2.303 is not usable -- Provider freenew (1024)
Cannot be Added
Terminated
I guess you don't have the interface option optional for eth2.303. You must
have the interface option optional for every interface swping might return
as failed.
--
Simon Matter wrote:
Somehow the 4.4.4.2 patches are not the way they should be. You may want
to check your build scripts I think.
patch-6-4.4.4.2 and patch-6-lite-4.4.4.2 seem to be wrong. That's
probably because 4.4.4.1 was skipped so there was no 4.4.4.1 to compare
against.
--
recognizes NETKEY and will never create ipsec0 interface
like openswan + klips.
--
and it will work.
--
this hard coded
policy? Right now I've had to add dmz dmz REJECT to my file in order
to get the behaviour I want.
Try dmz dmz REJECT info instead. If you want to prevent that traffic,
you probably want to log it too.
You have a special setup if you want to protect against zone2zone traffic.
--
3.4 versions questionable because only real changes
to shorewall-shell-4 and shorewall-common-4 are packaging related.
--
which is
vital part of shorewall version to version update requirements.
--
82 matches