Thanks, works great.
- Original Message -
> From: Tom Eastep
> This works:
> ?begin perl shorewall "$ENV{OVPN_MASQ}"
If I copy your line verbatim I get:
ERROR: Invalid BEGIN PERL directive
If I use this line:
?PERL shorewall "$ENV{OVPN_MASQ}"
I get:
Use of uninitialized value $ENV{"OVPN_MASQ"} in stri
- Original Message -
> From: Tom Eastep
> On 10/10/2016 08:48 AM, Vieri Di Paola wrote:
>> Hi,
>>
>> Is there a way to pass variables defined in "params" to the child
>> processes spawned by SHELL or BEGIN SHELL?
>>
>> I
Hi,
I'm getting the following error when I 'shorewall check':
ERROR: Invalid IPSEC Option (192.168.151.48) SHELL@/etc/shorewall/masq
My offending line in /etc/shorewall/masq:
?SHELL echo "\$OVPN_MASQ"
/etc/shorewall/params:
OVPN_STATIC_IP[client1]=192.168.151.48
OVPN_MASQ_IP[client1]=10.215.144
Hi,
Is there a way to pass variables defined in "params" to the child processes
spawned by SHELL or BEGIN SHELL?
I'd like to read a variable set in "params" within "SHELL".
Thanks,
Vieri
>>> On 3/21/2016 6:39 AM, Vieri Di Paola wrote:
>>>> Hi,
>>>>
>>>> I would like to intercept http traffic ONLY to one destination and send it
>>>> to Squid (test system).
>>>>
>>>> I'm not sure I'm wr
> On 3/21/2016 6:39 AM, Vieri Di Paola wrote:
>> Hi,
>>
>> I would like to intercept http traffic ONLY to one destination and send it
>> to Squid (test system).
>>
>> I'm not sure I'm writing the shorewall mangle rules correctly.
>>
Hi,
I would like to intercept http traffic ONLY to one destination and send it to
Squid (test system).
I'm not sure I'm writing the shorewall mangle rules correctly.
I have this:
DIVERT $IF_WAN 89.16.167.134/32 tcp - 80
TPROXY(3129) $IF_LAN 89.16.167.134/32 tcp 80
Wh
>> The following fails (performed from Shorewall firewall host with IP
>> addr. 10.215.144.91):
>>
>> # telnet 10.252.194.207 25
>>
>> I can see the following while trying to connect to the remote host in
>> the CAIB zone:
>>
>> # tcpdump -n -i enp2s0f0 host 10.2
Hi,
The following fails (performed from Shorewall firewall host with IP addr.
10.215.144.91):
# telnet 10.252.194.207 25
I can see the following while trying to connect:
# tcpdump -n -i enp2s0f0 host 10.252.194.207
12:55:50.044861 IP 172.20.11.62.39027 > 10.252.194.207.25: Flags [S], seq
3930
Hi,
The following fails (performed from Shorewall firewall host with IP addr.
10.215.144.91):
# telnet 10.252.194.207 25
I can see the following while trying to connect to the remote host in the CAIB
zone:
# tcpdump -n -i enp2s0f0 host 10.252.194.207
12:55:50.044861 IP 172.20.11.62.39027 > 10
Hi,
Sorry if I post this message again but I just realized I sent it as HTML.
I'm trying to configure LSM with multiple ISPs.
I'm using shorewall 5 and the "persistent" option.
I currently can't use my providers' remote gateways because they do not reply
to pings so for now I use known DN
Hi,
I'm trying to configure LSM with multiple ISPs.
I'm using shorewall 5 and the "persistent" option.
I currently can't use my providers' remote gateways because they do not reply
to pings so for now I use known DNS servers.
I'm attaching a shorewall dump and other files right after LSM report
Hi,
I'm not experiencing a communication issue but I'm not sure I understand how
"traceroute" works.
I don't know if the shorewall dump I'm attaching can be of any use but here
goes.
A host in the "ibs" zone with IP addr. 10.215.237.228 performs a traceroute to
a host in the "lan" zone with I
> From: Tom Eastep
>
> As I explained earlier, that rule needs to be at priority 998.
I'm sorry if I'm such a pain by keeping this thread alive but I'd really like
to understand the works behind this.
As you said, you suggested to put the rule at priority 998.
However, that was when my "main"
> From: Tom Eastep
> You seem to have TC_EXPERT=Yes, however -- you probably want to change
> it to No.
I never changed that option and it has always been off:
# grep EXPERT /etc/shorewall/shorewall.conf
TC_EXPERT=No
I did use "loose" though in "providers" but took it out now. I guess that's
> From: Tom Eastep
> You can already specify 'default' in rtrules.
I rearranged a few things and it now seems to be working for the most part.
Load balancing is just one thing I don't know if it's working as expected.
I tried two methods mentioned in previous posts.
1) using "mangle" and "pr
> Here's what we can do:
>
> a) Make both CAIB and IBS 'fallback' providers. That will generate a
> multi-path route in the 'default' table.
>
> b) Add a rule with priority 998 that routes traffic that you want
> balanced between the two via the default table.
I configured shorewall as you su
> The traffic is being routed back out of enp5s3 as a result of this route
> in the main table:
>
> 10.215.0.0/16 dev enp5s3 proto kernel scope link src 10.215.144.91
enp5s3 is the NIC to the "lan" zone. Hosts in this zone must be within these IP
ranges:
10.215.144.0/22
10.215.246.0/23
10.215.2
> We still need the iptrace output. That output is directed according to
> the current setting of LOG_BACKEND. If you want the output to be handled
> by syslog-ng, use LOG_BACKEND=LOG.
My LOG_BACKEND= is blank and I wrongly thought the default was LOG.
So before I read your reply I ran:
sysct
>>> From: Tom Eastep
>>>
>>>
>>> You can nevertheless do what you want by adding a provider for interface
>>> enp4s1. Make it the 'primary' provider (if your version of Shorewall
>>> doesn't support the 'primary' option, use 'balance'). Then use the
>>> mangle rules that I suggested to balance tr
>>> From: Tom Eastep
>>>
>>>
>>> You can nevertheless do what you want by adding a provider for interface
>>> enp4s1. Make it the 'primary' provider (if your version of Shorewall
>>> doesn't support the 'primary' option, use 'balance'). Then use the
>>> mangle rules that I suggested to balance tr
> - Original Message -
> From: Tom Eastep
>
>
> You can nevertheless do what you want by adding a provider for interface
> enp4s1. Make it the 'primary' provider (if your version of Shorewall
> doesn't support the 'primary' option, use 'balance'). Then use the
> mangle rules that I sug
On 9/8/2015 4:32 AM, Vieri Di Paola wrote:
>>
>>> Add this in /etc/shorewall/mangle:
>>>
>>> INLINE(MARK(1)):P10.215.247.194 10.215.236.221 ; \
>>> -m statistic --mode random --probability 0.50
>>> MARK(2):P10.215.247.194 10.21
Hi,
My goal is to have 2 NICs associated to 2 providers for specific private IP
address ranges (eg. all traffic to/from 10.215.224.0/20 should go through these
two providers).
Another NIC allows access to Internet and that should be the default route.
The other NIC of course is connected to the
> Add this in /etc/shorewall/mangle:
>
> INLINE(MARK(1)):P10.215.247.194 10.215.236.221 ; \
> -m statistic --mode random --probability 0.50
> MARK(2):P10.215.247.194 10.215.236.221 { test=0/0xff }
>
> -Tom
I suppose you meant this:
INLINE(1):P10.215.247.194 10.215.236.221
>> Also, how can I correctly configure the routing tables? Given the
>> above example, should I remove 10.215.224.0/20 from the "main"
>> routing table
>
> Yes.
>
>> and add the following to "routes"?
>>
>> CAIB 10.215.224.0/20 $ADDR_GW_CAIB $IF_CAIB
>> IBS 10.215.22
Hi,
I'm trying to understand how to correctly configure load balancing and
policy-based routing within shorewall.
I have the typical local (lan) and internet (wan) zones.
I also have 2 "providers" (not ISPs, just remote private networks) as defined
here:
CAIB 1 1 - $IF_CA
>
> From: Tom Eastep
> To: shorewall-users@lists.sourceforge.net
> Sent: Tuesday, August 25, 2015 6:51 PM
> Subject: Re: [Shorewall-users] nested zones
>> On 8/25/2015 12:39 AM, Vieri Di Paola wrote:
>> Hi,
>> I'm not
> From: Tom Eastep
> To: shorewall-users@lists.sourceforge.net
> Sent: Sunday, May 31, 2015 4:34 AM
> Subject: Re: [Shorewall-users] find_loopback_interfaces: command not found
>
> What is the output of 'shorewall version -a'?
It seems that my package manager didn't upgrade shorewall-core as ex
Hi,
The command below works fine but I get an error message.
# shorewall show capabilities
/usr/share/shorewall/lib.cli-std: line 327: find_loopback_interfaces: command
not found
Shorewall has detected the following iptables/netfilter capabilities:
[...]
Am I missing something?
# shorewall version
Hi,
Can the shorewall rules TARPIT action be used to automatically blacklist all IP
addresses that try to connect to the tarpit ports?
Can a custom shell command be triggered/executed whenever there's an "action
match" (eg. attacker connects to a port where there's a shorewall TARPIT rule
and sh
From: Tom Eastep
To: Vieri Di Paola ; Shorewall Users
Sent: Wednesday, May 7, 2014 5:57 PM
Subject: Re: [Shorewall-users] cannot ping through shorewall firewall (second
example)
On 5/7/2014 6:01 AM, Vieri Di Paola wrote:
>> Hi again,
>>
Never mind. I solved it when I compared these values:
cat /proc/sys/net/netfilter/nf_conntrack_count
cat /proc/sys/net/netfilter/nf_conntrack_max
I had to increase /proc/sys/net/netfilter/nf_conntrack_max.
Sorry for the noise.
Vieri
- Original Message -
From: Vieri Di Paola
To
Hi,
Recently I've been seeing network failures on my shorewall firewall. For no
apparent reason (no rules changes - server untouched) some connections started
failing.
For instance, I can see the following:
# ping 10.215.5.95
PING 10.215.5.95 (10.215.5.95) 56(84) bytes of data.
ping: sendmsg:
>
> From: Tom Eastep
> To: shorewall-users@lists.sourceforge.net
> Sent: Monday, January 20, 2014 4:31 PM
> Subject: Re: [Shorewall-users] conditional in params
>
> 'params' may, of course, use any of the shell's conditionals ('if
> ;
> then...fi', etc).
Hi,
Is it possible to put a conditional statement in /etc/shorewall/params?
Such as an "?IF/?ENDIF" block? (tried it but got "command not found" error when
running shorewall)
So I guess the "params" file isn't a config file (thus it can't use ?IF).
Thanks,
Vieri
--- On Tue, 11/27/12, Simon Hobson wrote:
> Though if you have something trying to contact lots of IP
> addresses,
> it will do more ARP lookups rather than directing the
> packets via the
> default gateway when they aren't on the same subnet.
Now that you mention it, in my simplified exampl
--- On Tue, 11/27/12, Simon Hobson wrote:
> if you have a lot of devices on a network then there will
> naturally
> be a lot more broadcast traffic than if you have only a few
> devices.
> This is independent of length of subnet mask - ie 2 devices
> will
> create the same broadcast traffic o
Thanks for taking the time to reply!
Please let me rephrase my query (and simplify it) because it's not easy for me
to explain so I'll try to lay it out straight.
loc: my local LAN with just 2 hosts: 10.215.147.1 and 10.215.144.1 with default
gateway 10.215.144.91. Let's just suppose for a mome
Hi,
My network is 10.215.0.0/255.255.0.0.
I set it up this way for convenience only. Actually, all my hosts are within
10.215.144-147.xxx and 10.215.246-248.xxx (shorewall zone 'loc').
I have a router linking me to another location (shorewall zone net2) where
there are other hosts within, say,
--- On Tue, 9/18/12, Lee Brown wrote:
> FYI, if you are not tied to Linux, *BSD has pfsync/ucarp which provides
> a stateful failover solution. Search google for BSD ucarp pfsync.
> Caveat: I've not implemented this, but it seems a nice solution.
Thanks. I'm aware of the BSD solution.
Howeve
--- On Tue, 9/18/12, Tom Eastep wrote:
> > Maybe I'm saying something completely absurd and wrong
> so please bear with me.
> > Since both the client and server are right behind
> shorewall routers at both ends, would it make sense to
> block/drop ICMP altogether in order to avoid error message
--- On Mon, 9/17/12, Tom Eastep wrote:
> It depends on how net1 fails. If an error ICMP is returned
> to either of
> the endpoints, then the connection will be broken.
Maybe I'm saying something completely absurd and wrong so please bear with me.
Since both the client and server are right beh
Hi,
I would appreciate it if I could get some advice before setting up a firewall
with a failover procedure.
Network layout:
loc1
|
net1 --- Shorewall1 --- net2
||
net1 --- Shorewall2 --- net2
|
loc2
loc1: 10.0.0.0/16
loc2:
OK, so it seems to be clear now.
One simple way is to do the following:
1) upgrade to kernel >= 2.6.39 and compile it with ipset and xtables support
2) install ipset v.6 (no kernel patching and rebuilding required) for userspace
tools
3) no need to install xtables-addons.
Thanks,
Vieri
After recompiling the kernel (same version but applied the netfilter
"netlink.patch"):
# shorewall show -f capabilities | grep -i ipset
IPSET_MATCH=
OLD_IPSET_MATCH=
IPSET_V5=
I think I'm better off upgrading my kernel.
--- On Fri, 3/23/12, Mr Dash Four wrote:
> > (I think "hash:ip" is what shorewall uses by default)
> >
> As far as I know there is no such thing as "default ipset
> type" in
> shorewall, but I stand to be corrected if that is not the
> case.
I'm not sure, really, just read somewhere the fo
--- On Fri, 3/23/12, Tom Eastep wrote:
> What is the output of
>
> ipset --version
# ipset --version
ipset v6.11, protocol version: 6
--- On Fri, 3/23/12, Mr Dash Four wrote:
> > # ipset version
> > ipset v6.11, protocol version: 6
> >
> It looks as though ipset is functioning properly. The only
> thing I can
> think of is if your PATH is not set up properly or your
> "IPSET" option
> in shorewall.conf is wrong.
# grep
--- On Fri, 3/23/12, Mr Dash Four wrote:
> From: Mr Dash Four
> Subject: Re: [Shorewall-users] shorewall ipsets
> To: "Shorewall Users"
> Date: Friday, March 23, 2012, 1:38 PM
>
> > # shorewall version
> > 4.4.27.3
> >
> > installed xtables-addons version 1.39
> > http://xtables-addons.sourc
Hi,
I'm trying to check if my system supports ipsets and if shorewall detects it.
# shorewall version
4.4.27.3
installed xtables-addons version 1.39
http://xtables-addons.sourceforge.net/
installed ipset version: 6.11
http://ipset.netfilter.org/
# shorewall show capabilities | grep -i ipset
Hi,
I have a Shorewall multi-ISP gateway/router (host1) and beneath it another
shorewall router (host2) with Squid installed on the same box. I also have
another Squid server within one of host2's subnets.
Host1 does packet marking via tcrules in order to filter traffic accordingly
amongst ava
Hi,
Suppose I have these rules:
DNAT net3:aaa.bbb.ccc.ddd loc:10.215.144.10 tcp 3389
DNAT net3 loc:10.215.144.21 tcp 3389 - - 12/min:18
Then I guess it means that EVERYONE from net3 will connect to 10.215.144.21
except aaa.bbb.ccc.ddd which will connect to 10.
Hi,
I think there's a small error here:
http://www.shorewall.net/ManualChains.html
quote:
"
The rule from the Port Knocking article:
#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net $FW tcp 22,1599,1600,1601
becomes
--- On Wed, 6/15/11, Tom Eastep wrote:
> You forgot to add eth1 to the COPY column in your providers
> file.
Ah... thanks!
Vieri
Hi,
I had a typical multi-ISP setup with just 1 LAN. Now I have the same thing
except I added a DMZ and both subnets (LAN & DMZ) need to be masqueraded in
order to reach the web.
Ping tests from DMZ to NET fail (LOC to NET work as usual):
icmp requests seem to go out to the correct ISP and icmp
Hi,
It's unclear to me if I can specify MAC addresses in "dynamic" rules.
eg. "shorewall allow from ~00-11-22-33-44-55"
(I know I couldn't use "to" here but "from" should be allowed)
Is the above call legitimate?
Thanks
Vieri
Hi,
Dynamic blacklisting does not take into account the "blacklist" option in
/etc/shorewall/interfaces.
Does this mean that dynamic blacklisting is always applied "globally", ie. to
all interfaces?
Can I run "shorewall drop to " only for packets going through, say, eth0
but NOT eth3?
If so,
--- On Fri, 5/13/11, Ed W wrote:
> On 12/05/2011 08:31, Vieri Di Paola
> wrote:
> > Just in case someone's interested:
> > newer kernel versions seem to require the user set:
> >
> > sysctl -w net.netfilter.nf_conntrack_acct=1
>
> Or you can set a
--- On Fri, 5/6/11, Tom Eastep wrote:
> >> Have you tried running 'contract -L'? That's what
> >> 'shorewall show connections' does if conntrack is
>
> >> installed.
> >
> > I'm supposing you meant "conntrack -L".
> > I didn't have it installed so I grabbed the package.
> > Still, conntrack -L
--- On Fri, 5/6/11, Tom Eastep wrote:
> From: Tom Eastep
> Subject: Re: [Shorewall-users] shorewall show connections with bytes and
> packets
> To: "Shorewall Users"
> Date: Friday, May 6, 2011, 5:29 PM
>
> On May 6, 2011, at 7:12 AM, Vieri Di Paola wrot
Hi,
I used a custom script to count packets and bytes from "shorewall show
connections". I noticed that on another more recent server, this script fails
because /proc/net/nf_conntrack does not contain either bytes or packets.
Example while opening www.google.com:
ipv4 2 tcp 6 431999 E
This seems to help and I'm supposing it's enough.
interfaces file:
caib $IF_CAIB detect arp_filter=1
Hi,
I've run into a network problem and I'm trying to figure out the quickest route
out.
I have a shorewall router with several zones but I have different physical
hosts with the same IP addresses in 2 different zones (lan and caib).
My interfaces file contains the following:
lan $IF_LAN
Hi,
I'm setting up a test network like this:
- host in lan zone at 10.215.146.89 with default gw 10.215.144.91
- shorewall firewall as router (ROUTER1) with eth0 interfacing the lan zone
with 10.215.144.91/16 and eth1 with IP addr. 172.16.0.1/23 pointing to a wan
zone
- another shorewall router
--- On Tue, 4/5/11, Simon Hobson wrote:
> Vieri Di Paola wrote:
>
> >Can a shorewall bridge (with management IP address) be
> used as a
> >host's default gateway?
> >
> >HOST1 in loc/lan zone (10.215.146.89) -> Shorewall
> bridge
> >(10.215.1
Hi,
Can a shorewall bridge (with management IP address) be used as a host's default
gateway?
HOST1 in loc/lan zone (10.215.146.89) -> Shorewall bridge (10.215.144.91) ->
Gateway (10.215.144.90)
Suppose I need to do a quick network change and I can't update the hundreds of
HOSTs in the loc/lan
--- On Sun, 3/27/11, Tom Eastep wrote:
> Okay -- this is very subtle and I will try to make it less
> so, but the
> problem has to do with your hosts.FHM entries.
>
> I assume that you know which bridge port the IPSEC tunnels
> come in
> through (eth0 or eth1). So specify that interface rather
--- On Sun, 3/27/11, Tom Eastep wrote:
> Okay -- this is very subtle and I will try to make it less
> so, but the
> problem has to do with your hosts.FHM entries.
>
> I assume that you know which bridge port the IPSEC tunnels
> come in
> through (eth0 or eth1). So specify that interface rather
--- On Fri, 3/25/11, Tom Eastep wrote:
> > --- On Thu, 3/24/11, Tom Eastep
> wrote:
> >
> >>> --- On Thu, 3/24/11, Vieri Di Paola
> >> wrote:
> >>>
> >>>> If I setup eth0 and eth1 as routed
> interfaces (no
> >> br
--- On Thu, 3/24/11, Tom Eastep wrote:
> > --- On Thu, 3/24/11, Vieri Di Paola
> wrote:
> >
> >> If I setup eth0 and eth1 as routed interfaces (no
> bridge)
> >> on "SW BOX 1" I need to do masquerading of the loc
> zone.
> >
>
I have a bridge setup with lan and wan bp-zones.
I'm pinging successfully from a host in the lan bp-zone with IP addr
10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and this
is reflected in the Conntrack Table (see dump).
According to the documentation I should be able to
--- On Thu, 3/24/11, Vieri Di Paola wrote:
> If I setup eth0 and eth1 as routed interfaces (no bridge)
> on "SW BOX 1" I need to do masquerading of the loc zone.
Or maybe not...
--- On Thu, 3/24/11, Tom Eastep wrote:
> On 3/24/11 2:09 AM, Vieri Di Paola
> wrote:
> > Hi,
> >
> > According to http://www.shorewall.net/bridge-Shorewall-perl.html:
> >
> > -> rules are not
> allowed
> > -> rules are
> not all
Hi,
According to http://www.shorewall.net/bridge-Shorewall-perl.html:
-> rules are not allowed
-> rules are not allowed
"Policies from a non-BP zone to a BP are disallowed.
Rules where the SOURCE is a non-BP zone and the DEST is a BP zone are
disallowed."
/etc/shorewall/zones defines a a
--- On Thu, 2/24/11, Tom Eastep wrote:
> > So this should fail (DROP) but it doesn't:
> >
> > ping 192.168.144.90 (from 192.168.211.39)
>
> Looks like br0 is the 'net' zone and the implicit
> net->net policy is
> ACCEPT. If you don't want that, you need to add an explicit
> net->net
> polic
Hi,
This is probably a dumb question but I'm successfully pinging from host1 to
host2 via a shorewall bridge when I would be expecting NOT to.
So this should fail (DROP) but it doesn't:
ping 192.168.144.90 (from 192.168.211.39)
Could you please have a look at the Shorewall dump?
http://213.96
--- On Thu, 2/24/11, Simon Hobson wrote:
> >In other words, can I have a DHCP server on one side of
> the bridge
> >leasing IP addresses ONLY for that side and another
> DHCP server on
> >the other side giving out IP addresses ONLY for that
> side?
>
> Yes, you can do that, just don't allow t
Hi,
Can a Shorewall bridge (with firewall rules as in
http://www.shorewall.net/bridge-Shorewall-perl.html) block DHCPD traffic?
In other words, can I have a DHCP server on one side of the bridge leasing IP
addresses ONLY for that side and another DHCP server on the other side giving
out IP add
--- On Mon, 2/21/11, Sander Klein wrote:
> Even if the bridge is filtering traffic, the filtered
> traffic will
> still loop. Do you have a functioning spanning-tree setup?
STP was enabled on the shorewall bridge but wasn't on the second bridge I
accidentally connected. I suppose that if ST
Hi,
My network is as follows:
Shorewall gateway/router (10.215.144.92) --- INTERNAL SWITCH 1 (LAN1) ---
Shorewall bridge (10.215.144.91) --- LAN2 (10.215.0.0)
I configured 10.215.144.91 as in the guide
http://www.shorewall.net/3.0/NewBridge.html (it's an "old" box).
This morning I accidentall
--- On Tue, 8/10/10, Tom Eastep wrote:
> An alternative would be:
>
> sudo iptables -A dynamic -d 123.123.123.123 -j DROP
>
> and
>
> sudo iptables -D dynamic -d 123.123.123.123 -j DROP
Thanks again!
Vieri
--- On Tue, 8/10/10, Trent O'Callaghan wrote:
> Although at Linux command line you could do:
>
> sudo ip route add blackhole 123.123.123.123
>
> And remove it with:
>
> sudo ip route del blackhole 123.123.123.123
Thanks!
--- On Mon, 8/9/10, Tom Eastep wrote:
> Shorewall blacklisting blacklists the SOURCE address, not
> the
> DESTINATION address. From the 'show connections' output,
> the original
> connection was TO 123.123.123.123, not FROM that host.
>
> So after blacklisting that IP, you can still connect to
Hi,
I'm trying to figure out how to interrupt a connection temporarily.
Suppose I want to stop traffic going to 123.123.123.123 then re-allow it later
on.
I have BLACKLISTNEWONLY=Yes in shorewall.conf.
On my shorewall bridge I run:
# tcpkill -i br0 "dst host 123.123.123.123"
This interrupts m
--- On Tue, 3/30/10, Simon Hobson wrote:
> Firstly, I don't see why you have the shorewall box set as
> the
> default gateway - it isn't a gateway for any traffic and so
> you are
> forcing most traffic to be handled twice.
I know I should set the default gateway as what I labeled as . Will c
--- On Mon, 3/29/10, Vieri Di Paola wrote:
> So I'll place it on a web server asap.
shorewall dump:
http://213.96.91.201/temp/status.txt.gz
--- On Mon, 3/29/10, Tom Eastep wrote:
> > I'm attaching the shorewall dump (old SW version).
> >
>
> Dump?
>
quote:
Your mail to 'Shorewall-users' with the subject
Re: [Shorewall-users] bridge and routing
Is being held until the list moderator can review it for approval.
The reason
--- On Fri, 3/26/10, Tom Eastep wrote:
> Very brief problem report! :-)
Sorry, Fridays are Fridays.
Here's what I wanted to report:
I configured a shorewall system as a bridge with an IP address. The bridge is a
firewall in between two LANs (say, loc and net). There's a router within "loc"
--- On Sun, 11/22/09, Tom Eastep wrote:
> > Can/should shorewall start before the NICs are brought
> up?
>
> It can be, if you don't use any Shorewall constructs that
> require
> networking to be started.
> If Shorewall starts before named, you cannot use DNS names
> in your
> configuration.
Hi,
Which "services" are required to start before shorewall at boot time?
Can/should shorewall start before the NICs are brought up?
The init script examples in the shorewall package vary:
init.sh: $local_fs $remote_fs $syslog
init.debian.sh: $network
Thanks for your help,
Vieri
--- On Sat, 8/29/09, Tom Eastep wrote:
> I think that the page now makes sense. Please have a look.
It does. Thanks.
Vieri
Hello,
I'm reading this guide on ipv6 (really just getting my "feet wet"):
http://www.shorewall.net/6to4.htm
In the section "Configuring IPv6 using my script" I can read that the IPv6
interfaces are:
INTERFACES="eth2 eth4"
and that correlates fine with the first diagram/figure.
However, further
--- On Sat, 8/29/09, Christ Schlacta wrote:
> I'm aware of, but have never tried a
> technique called tarpitting that
> is supposed to be very useful in your situation.
I think that the TARPIT target has made it into the latest kernels/iptables but
I haven't checked.
I don't know if shorewal
Hi,
I'm in the process of building a custom liveCD that will be used as a
firewall/multi-ISP gateway (read-only media).
The idea is that the liveCD should boot any x86 system. This implies that the
motherboard and NICs may vary (hardware replacement because of system failure).
Linux displays
--- On Thu, 9/25/08, Chuck Kollars <[EMAIL PROTECTED]> wrote:
> tool that can identify port
> 443 connections that don't use W3C-sanctioned encryption
> handshake methods
That could be interesting.
Thank you and the rest of the ML users for the feedback.
Vieri
--- On Thu, 9/25/08, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > > [ First, please fix your mail client to properly
> wrap lines. ]
> >
> > I'm using Yahoo's webmail.
> > Will have to subscribe from another account.
> >
> If you use "plain text" instead of "rich
> text" it should work prop
--- On Thu, 9/25/08, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> [ First, please fix your mail client to properly wrap lines. ]
I'm using Yahoo's webmail.
Will have to subscribe from another account.
> Your best bet is to use squid. Squid has a nice acl feature that allows
> you do block b