Re: [Shorewall-users] SHELL and masq

2016-10-21 Thread Vieri Di Paola
Thanks, works great.

Re: [Shorewall-users] SHELL and masq

2016-10-10 Thread Vieri Di Paola
- Original Message - > From: Tom Eastep > This works: > ?begin perl shorewall "$ENV{OVPN_MASQ}" If I copy your line verbatim I get: ERROR: Invalid BEGIN PERL directive If I use this line: ?PERL shorewall "$ENV{OVPN_MASQ}" I get: Use of uninitialized value $ENV{"OVPN_MASQ"} in stri

Re: [Shorewall-users] access shell variables in params from SHELL

2016-10-10 Thread Vieri Di Paola
- Original Message - > From: Tom Eastep > On 10/10/2016 08:48 AM, Vieri Di Paola wrote: >> Hi, >> >> Is there a way to pass variables defined in "params" to the child >> processes spawned by SHELL or BEGIN SHELL? >> >> I

[Shorewall-users] SHELL and masq

2016-10-10 Thread Vieri Di Paola
Hi, I'm getting the following error when I 'shorewall check': ERROR: Invalid IPSEC Option (192.168.151.48) SHELL@/etc/shorewall/masq My offending line in /etc/shorewall/masq: ?SHELL echo "\$OVPN_MASQ" /etc/shorewall/params: OVPN_STATIC_IP[client1]=192.168.151.48 OVPN_MASQ_IP[client1]=10.215.144

[Shorewall-users] access shell variables in params from SHELL

2016-10-10 Thread Vieri Di Paola
Hi, Is there a way to pass variables defined in "params" to the child processes spawned by SHELL or BEGIN SHELL? I'd like to read a variable set in "params" within "SHELL". Thanks, Vieri

Re: [Shorewall-users] shorewall, tproxy and squid

2016-03-23 Thread Vieri Di Paola
>>> On 3/21/2016 6:39 AM, Vieri Di Paola wrote: >>>> Hi, >>>> >>>> I would like to intercept http traffic ONLY to one destination and send it >>>> to Squid (test system). >>>> >>>> I'm not sure I'm wr

Re: [Shorewall-users] shorewall, tproxy and squid

2016-03-22 Thread Vieri Di Paola
> On 3/21/2016 6:39 AM, Vieri Di Paola wrote: >> Hi, >> >> I would like to intercept http traffic ONLY to one destination and send it >> to Squid (test system). >> >> I'm not sure I'm writing the shorewall mangle rules correctly. >>

[Shorewall-users] shorewall, tproxy and squid

2016-03-21 Thread Vieri Di Paola
Hi, I would like to intercept http traffic ONLY to one destination and send it to Squid (test system). I'm not sure I'm writing the shorewall mangle rules correctly. I have this: DIVERT $IF_WAN 89.16.167.134/32 tcp - 80 TPROXY(3129) $IF_LAN 89.16.167.134/32 tcp 80 Wh

Re: [Shorewall-users] wrong source IP address when trying to connect from firewall

2016-01-25 Thread Vieri Di Paola
>> The following fails (performed from Shorewall firewall host with IP >> addr. 10.215.144.91): >> >> # telnet 10.252.194.207 25 >> >> I can see the following while trying to connect to the remote host in >> the CAIB zone: >> >> # tcpdump -n -i enp2s0f0 host 10.2

[Shorewall-users] wrong source IP address when trying to connect from firewall

2016-01-22 Thread Vieri Di Paola
Hi, The following fails (performed from Shorewall firewall host with IP addr. 10.215.144.91): # telnet 10.252.194.207 25 I can see the following while trying to connect: # tcpdump -n -i enp2s0f0 host 10.252.194.207 12:55:50.044861 IP 172.20.11.62.39027 > 10.252.194.207.25: Flags [S], seq 3930

[Shorewall-users] wrong source IP address when trying to connect from firewall

2016-01-22 Thread Vieri Di Paola
Hi, The following fails (performed from Shorewall firewall host with IP addr. 10.215.144.91): # telnet 10.252.194.207 25 I can see the following while trying to connect to the remote host in the CAIB zone: # tcpdump -n -i enp2s0f0 host 10.252.194.207 12:55:50.044861 IP 172.20.11.62.39027 > 10

[Shorewall-users] shorewall 5 multi ISP and LSM

2015-12-15 Thread Vieri Di Paola
Hi, Sorry if I post this message again but I just realized I sent it as HTML. I'm trying to configure LSM with multiple ISPs. I'm using shorewall 5 and the "persistent" option. I currently can't use my providers' remote gateways because they do not reply to pings so for now I use known DN

[Shorewall-users] shorewall 5 multi ISP and LSM

2015-12-15 Thread Vieri Di Paola
Hi, I'm trying to configure LSM with multiple ISPs. I'm using shorewall 5 and the "persistent" option. I currently can't use my providers' remote gateways because they do not reply to pings so for now I use known DNS servers. I'm attaching a shorewall dump and other files right after LSM report

[Shorewall-users] traceroute

2015-12-03 Thread Vieri Di Paola
Hi, I'm not experiencing a communication issue but I'm not sure I understand how "traceroute" works. I don't know if the shorewall dump I'm attaching can be of any use but here goes. A host in the "ibs" zone with IP addr. 10.215.237.228 performs a traceroute to a host in the "lan" zone with I

Re: [Shorewall-users] providers track option and rtrules

2015-09-21 Thread Vieri Di Paola
> From: Tom Eastep > > As I explained earlier, that rule needs to be at priority 998. I'm sorry if I'm such a pain by keeping this thread alive but I'd really like to understand the works behind this. As you said, you suggested to put the rule at priority 998. However, that was when my "main"

Re: [Shorewall-users] providers track option and rtrules

2015-09-18 Thread Vieri Di Paola
> From: Tom Eastep > You seem to have TC_EXPERT=Yes, however -- you probably want to change > it to No. I never changed that option and it has always been off: # grep EXPERT /etc/shorewall/shorewall.conf TC_EXPERT=No I did use "loose" though in "providers" but took it out now. I guess that's

Re: [Shorewall-users] providers track option and rtrules

2015-09-17 Thread Vieri Di Paola
> From: Tom Eastep > You can already specify 'default' in rtrules. I rearranged a few things and it now seems to be working for the most part. Load balancing is just one thing I don't know if it's working as expected. I tried two methods mentioned in previous posts. 1) using "mangle" and "pr

Re: [Shorewall-users] providers track option and rtrules

2015-09-15 Thread Vieri Di Paola
> Here's what we can do: > > a) Make both CAIB and IBS 'fallback' providers. That will generate a > multi-path route in the 'default' table. > > b) Add a rule with priority 998 that routes traffic that you want > balanced between the two via the default table. I configured shorewall as you su

Re: [Shorewall-users] providers track option and rtrules

2015-09-14 Thread Vieri Di Paola
> The traffic is being routed back out of enp5s3 as a result of this route > in the main table: > > 10.215.0.0/16 dev enp5s3 proto kernel scope link src 10.215.144.91 enp5s3 is the NIC to the "lan" zone. Hosts in this zone must be within these IP ranges: 10.215.144.0/22 10.215.246.0/23 10.215.2

Re: [Shorewall-users] providers track option and rtrules

2015-09-12 Thread Vieri Di Paola
> We still need the iptrace output. That output is directed according to > the current setting of LOG_BACKEND. If you want the output to be handled > by syslog-ng, use LOG_BACKEND=LOG. My LOG_BACKEND= is blank and I wrongly thought the default was LOG. So before I read your reply I ran: sysct

Re: [Shorewall-users] providers track option and rtrules

2015-09-10 Thread Vieri Di Paola
>>> From: Tom Eastep >>> >>> >>> You can nevertheless do what you want by adding a provider for interface >>> enp4s1. Make it the 'primary' provider (if your version of Shorewall >>> doesn't support the 'primary' option, use 'balance'). Then use the >>> mangle rules that I suggested to balance tr

Re: [Shorewall-users] providers track option and rtrules

2015-09-09 Thread Vieri Di Paola
>>> From: Tom Eastep >>> >>> >>> You can nevertheless do what you want by adding a provider for interface >>> enp4s1. Make it the 'primary' provider (if your version of Shorewall >>> doesn't support the 'primary' option, use 'balance'). Then use the >>> mangle rules that I suggested to balance tr

Re: [Shorewall-users] providers track option and rtrules

2015-09-09 Thread Vieri Di Paola
> - Original Message - > From: Tom Eastep > > > You can nevertheless do what you want by adding a provider for interface > enp4s1. Make it the 'primary' provider (if your version of Shorewall > doesn't support the 'primary' option, use 'balance'). Then use the > mangle rules that I sug

Re: [Shorewall-users] load balance only from one host

2015-09-08 Thread Vieri Di Paola
On 9/8/2015 4:32 AM, Vieri Di Paola wrote: >> >>> Add this in /etc/shorewall/mangle: >>> >>> INLINE(MARK(1)):P10.215.247.194 10.215.236.221 ; \ >>> -m statistic --mode random --probability 0.50 >>> MARK(2):P10.215.247.194 10.21

[Shorewall-users] providers track option and rtrules

2015-09-08 Thread Vieri Di Paola
Hi, My goal is to have 2 NICs associated to 2 providers for specific private IP address ranges (eg. all traffic to/from 10.215.224.0/20 should go through these two providers). Another NIC allows access to Internet and that should be the default route. The other NIC of course is connected to the

Re: [Shorewall-users] load balance only from one host

2015-09-08 Thread Vieri Di Paola
> Add this in /etc/shorewall/mangle: > > INLINE(MARK(1)):P10.215.247.194 10.215.236.221 ; \ > -m statistic --mode random --probability 0.50 > MARK(2):P10.215.247.194 10.215.236.221 { test=0/0xff } > > -Tom I suppose you meant this: INLINE(1):P10.215.247.194 10.215.236.221

Re: [Shorewall-users] load balance only from one host

2015-09-07 Thread Vieri Di Paola
>> Also, how can I correctly configure the routing tables? Given the >> above example, should I remove 10.215.224.0/20 from the "main" >> routing table > > Yes. > >> and add the following to "routes"?>> >> CAIB 10.215.224.0/20 $ADDR_GW_CAIB $IF_CAIB >> IBS 10.215.22

[Shorewall-users] load balance only from one host

2015-09-04 Thread Vieri Di Paola
Hi, I'm trying to understand how to correctly configure load balancing and policy-based routing within shorewall. I have the typical local (lan) and internet (wan) zones. I also have 2 "providers" (not ISPs, just remote private networks) as defined here: CAIB    1   1   -   $IF_CA

Re: [Shorewall-users] nested zones

2015-08-26 Thread Vieri Di Paola
> > From: Tom Eastep > To: shorewall-users@lists.sourceforge.net > Sent: Tuesday, August 25, 2015 6:51 PM > Subject: Re: [Shorewall-users] nested zones >> On 8/25/2015 12:39 AM, Vieri Di Paola wrote: >> Hi, >> I'm not

Re: [Shorewall-users] find_loopback_interfaces: command not found

2015-05-31 Thread Vieri Di Paola
> From: Tom Eastep > To: shorewall-users@lists.sourceforge.net > Sent: Sunday, May 31, 2015 4:34 AM > Subject: Re: [Shorewall-users] find_loopback_interfaces: command not found > > What is the output of 'shorewall version -a'? It seems that my package manager didn't upgrade shorewall-core as ex

[Shorewall-users] find_loopback_interfaces: command not found

2015-05-30 Thread Vieri Di Paola
Hi, The command below works fine but I get an error message. # shorewall show capabilities /usr/share/shorewall/lib.cli-std: line 327: find_loopback_interfaces: command not found Shorewall has detected the following iptables/netfilter capabilities: [...] Am I missing something? # shorewall version

[Shorewall-users] shorewall tarpit auto-blacklist

2015-05-19 Thread Vieri Di Paola
Hi, Can the shorewall rules TARPIT action be used to automatically blacklist all IP addresses that try to connect to the tarpit ports? Can a custom shell command be triggered/executed whenever there's an "action match" (eg. attacker connects to a port where there's a shorewall TARPIT rule and sh

Re: [Shorewall-users] cannot ping through shorewall firewall (second example)

2014-05-07 Thread Vieri Di Paola
From: Tom Eastep To: Vieri Di Paola ; Shorewall Users Sent: Wednesday, May 7, 2014 5:57 PM Subject: Re: [Shorewall-users] cannot ping through shorewall firewall (second example) On 5/7/2014 6:01 AM, Vieri Di Paola wrote: >> Hi again, >> &g

Re: [Shorewall-users] ping: sendmsg: Operation not permitted

2014-02-21 Thread Vieri Di Paola
Never mind. I solved it when I compared these values: cat /proc/sys/net/netfilter/nf_conntrack_count cat /proc/sys/net/netfilter/nf_conntrack_max I had to increase /proc/sys/net/netfilter/nf_conntrack_max. Sorry for the noise. Vieri - Original Message - From: Vieri Di Paola To

[Shorewall-users] ping: sendmsg: Operation not permitted

2014-02-21 Thread Vieri Di Paola
Hi, Recently I've been seeing network failures on my shorewall firewall. For no apparent reason (no rules changes - server untouched) some connections started failing. For instance, I can see the following: # ping 10.215.5.95 PING 10.215.5.95 (10.215.5.95) 56(84) bytes of data. ping: sendmsg:

Re: [Shorewall-users] conditional in params

2014-01-20 Thread Vieri Di Paola
> > From: Tom Eastep > To: shorewall-users@lists.sourceforge.net > Sent: Monday, January 20, 2014 4:31 PM > Subject: Re: [Shorewall-users] conditional in params > > 'params' may, of course, use any of the shell's conditionals ('if > ; > then...fi', etc).

[Shorewall-users] conditional in params

2014-01-20 Thread Vieri Di Paola
Hi, Is it possible to put a conditional statement in /etc/shorewall/params? Such as an "?IF/?ENDIF" block? (tried it but got "command not found" error when running shorewall) So I guess the "params" file isn't a config file (thus it can't use ?IF). Thanks, Vieri

Re: [Shorewall-users] broadcasts

2012-11-27 Thread Vieri Di Paola
--- On Tue, 11/27/12, Simon Hobson wrote: > Though if you have something trying to contact lots of IP > addresses, > it will do more ARP lookups rather than directing the > packets via the > default gateway when they aren't on the same subnet. Now that you mention it, in my simplified exampl

Re: [Shorewall-users] broadcasts

2012-11-27 Thread Vieri Di Paola
--- On Tue, 11/27/12, Simon Hobson wrote: > if you have a lot of devices on a network then there will > naturally > be a lot more broadcast traffic than if you have only a few > devices. > This is independent of length of subnet mask - ie 2 devices > will > create the same broadcast traffic o

Re: [Shorewall-users] broadcasts

2012-11-27 Thread Vieri Di Paola
Thanks for taking the time to reply! Please let me rephrase my query (and simplify it) because it's not easy for me to explain so I'll try to lay it out straight. loc: my local LAN with just 2 hosts: 10.215.147.1 and 10.215.144.1 with default gateway 10.215.144.91. Let's just suppose for a mome

[Shorewall-users] broadcasts

2012-11-26 Thread Vieri Di Paola
Hi, My network is 10.215.0.0/255.255.0.0. I set it up this way for convenience only. Actually, all my hosts are within 10.215.144-147.xxx and 10.215.246-248.xxx (shorewall zone 'loc'). I have a router linking me to another location (shorewall zone net2) where there are other hosts within, say,

Re: [Shorewall-users] failover setup

2012-09-18 Thread Vieri Di Paola
--- On Tue, 9/18/12, Lee Brown wrote: > FYI, if you are not tied to Linux, *BSD has pfsync/ucarp which provides > a stateful failover solution.  Search google for BSD ucarp pfsync. > Caveat: I've not implemented this, but it seems a nice solution. Thanks. I'm aware of the BSD solution. Howeve

Re: [Shorewall-users] failover setup

2012-09-18 Thread Vieri Di Paola
--- On Tue, 9/18/12, Tom Eastep wrote: > > Maybe I'm saying something completely absurd and wrong > so please bear with me. > > Since both the client and server are right behind > shorewall routers at both ends, would it make sense to > block/drop ICMP altogether in order to avoid error message

Re: [Shorewall-users] failover setup

2012-09-17 Thread Vieri Di Paola
--- On Mon, 9/17/12, Tom Eastep wrote: > It depends on how net1 fails. If an error ICMP is returned > to either of > the endpoints, then the connection will be broken. Maybe I'm saying something completely absurd and wrong so please bear with me. Since both the client and server are right beh

[Shorewall-users] failover setup

2012-09-17 Thread Vieri Di Paola
Hi, I would appreciate it if I could get some advice before setting up a firewall with a failover procedure. Network layout: loc1 | net1 --- Shorewall1 --- net2 || net1 --- Shorewall2 --- net2 | loc2 loc1: 10.0.0.0/16 loc2:

Re: [Shorewall-users] shorewall ipsets

2012-03-27 Thread Vieri Di Paola
OK, so it seems to be clear now. One simple way is to do the following: 1) upgrade to kernel >= 2.6.39 and compile it with ipset and xtables support 2) install ipset v.6 (no kernel patching and rebuilding required) for userspace tools 3) no need to install xtables-addons. Thanks, Vieri

Re: [Shorewall-users] shorewall ipsets

2012-03-26 Thread Vieri Di Paola
After recompiling the kernel (same version but applied the netfilter "netlink.patch"): # shorewall show -f capabilities | grep -i ipset IPSET_MATCH= OLD_IPSET_MATCH= IPSET_V5= I think I'm better off upgrading my kernel.

Re: [Shorewall-users] shorewall ipsets

2012-03-26 Thread Vieri Di Paola
--- On Fri, 3/23/12, Mr Dash Four wrote: > > (I think "hash:ip" is what shorewall uses by default) > >    > As far as I know there is no such thing as "default ipset > type" in > shorewall, but I stand to be corrected if that is not the > case. I'm not sure, really, just read somewhere the fo

Re: [Shorewall-users] shorewall ipsets

2012-03-23 Thread Vieri Di Paola
--- On Fri, 3/23/12, Tom Eastep wrote: > What is the output of > >     ipset --version # ipset --version ipset v6.11, protocol version: 6

Re: [Shorewall-users] shorewall ipsets

2012-03-23 Thread Vieri Di Paola
--- On Fri, 3/23/12, Mr Dash Four wrote: > > # ipset version > > ipset v6.11, protocol version: 6 > >    > It looks as though ipset is functioning properly. The only > thing I can > think of is if your PATH is not set up properly or your > "IPSET" option > in shorewall.conf is wrong. # grep

Re: [Shorewall-users] shorewall ipsets

2012-03-23 Thread Vieri Di Paola
--- On Fri, 3/23/12, Mr Dash Four wrote: > From: Mr Dash Four > Subject: Re: [Shorewall-users] shorewall ipsets > To: "Shorewall Users" > Date: Friday, March 23, 2012, 1:38 PM > > > # shorewall version > > 4.4.27.3 > > > > installed xtables-addons version 1.39 > > http://xtables-addons.sourc

[Shorewall-users] shorewall ipsets

2012-03-23 Thread Vieri Di Paola
Hi, I'm trying to check if my system supports ipsets and if shorewall detects it. # shorewall version 4.4.27.3 installed xtables-addons version 1.39 http://xtables-addons.sourceforge.net/ installed ipset version: 6.11 http://ipset.netfilter.org/ # shorewall show capabilities | grep -i ipset

[Shorewall-users] HTTP proxy and packet marking

2011-08-10 Thread Vieri Di Paola
Hi, I have a Shorewall multi-ISP gateway/router (host1) and beneath it another shorewall router (host2) with Squid installed on the same box. I also have another Squid server within one of host2's subnets. Host1 does packet marking via tcrules in order to filter traffic accordingly amongst ava

[Shorewall-users] rule priority

2011-07-19 Thread Vieri Di Paola
Hi, Suppose I have these rules: DNATnet3:aaa.bbb.ccc.ddd loc:10.215.144.10 tcp 3389 DNATnet3loc:10.215.144.21 tcp 3389 - - 12/min:18 Then I guess it means that EVERYONE from net3 will connect to 10.215.144.21 except aaa.bbb.ccc.ddd which will connect to 10.

[Shorewall-users] port knocking

2011-06-28 Thread Vieri Di Paola
Hi, I think there's a small error here: http://www.shorewall.net/ManualChains.html quote: " The rule from the Port Knocking article: #ACTION SOURCEDEST PROTO DEST PORT(S) SSHKnock net $FWtcp 22,1599,1600,1601 becomes

Re: [Shorewall-users] multi-ISP and masq

2011-06-15 Thread Vieri Di Paola
--- On Wed, 6/15/11, Tom Eastep wrote: > You forgot to add eth1 to the COPY column in your providers > file. Ah... thanks! Vieri

[Shorewall-users] multi-ISP and masq

2011-06-15 Thread Vieri Di Paola
Hi, I had a typical multi-ISP setup with just 1 LAN. Now I have the same thing except I added a DMZ and both subnets (LAN & DMZ) need to be masqueraded in order to reach the web. Ping tests from DMZ to NET fail (LOC to NET work as usual): icmp requests seem to go out to the correct ISP and icmp

[Shorewall-users] dynamic firewall rules and mac addresses

2011-05-16 Thread Vieri Di Paola
Hi, It's unclear to me if I can specify MAC addresses in "dynamic" rules. eg. "shorewall allow from ~00-11-22-33-44-55" (I know I couldn't use "to" here but "from" should be allowed) Is the above call legitimate? Thanks Vieri

[Shorewall-users] dynamic blacklist

2011-05-16 Thread Vieri Di Paola
Hi, Dynamic blacklisting does not take into account the "blacklist" option in /etc/shorewall/interfaces. Does this mean that dynamic blacklisting is always applied "globally", ie. to all interfaces? Can I run "shorewall drop to " only for packets going through, say, eth0 but NOT eth3? If so,

Re: [Shorewall-users] shorewall show connections with bytes and packets

2011-05-14 Thread Vieri Di Paola
--- On Fri, 5/13/11, Ed W wrote: > On 12/05/2011 08:31, Vieri Di Paola > wrote: > > Just in case someone's interested: > > newer kernel versions seem to require the user set: > > > > sysctl -w net.netfilter.nf_conntrack_acct=1 > > Or you can set a

Re: [Shorewall-users] shorewall show connections with bytes and packets

2011-05-12 Thread Vieri Di Paola
--- On Fri, 5/6/11, Tom Eastep wrote: > >> Have you tried running 'contract -L'? That's what > >> 'shorewall show connections' does if conntrack is > > >> installed. > > > > I'm supposing you meant "conntrack -L". > > I didn't have it installed so I grabbed the package. > > Still, conntrack -L

Re: [Shorewall-users] shorewall show connections with bytes and packets

2011-05-06 Thread Vieri Di Paola
--- On Fri, 5/6/11, Tom Eastep wrote: > From: Tom Eastep > Subject: Re: [Shorewall-users] shorewall show connections with bytes and > packets > To: "Shorewall Users" > Date: Friday, May 6, 2011, 5:29 PM > > On May 6, 2011, at 7:12 AM, Vieri Di Paola wrot

[Shorewall-users] shorewall show connections with bytes and packets

2011-05-06 Thread Vieri Di Paola
Hi, I used a custom script to count packets and bytes from "shorewall show connections". I noticed that on another more recent server, this script fails because /proc/net/nf_conntrack does not contain either bytes or packets. Example while opening www.google.com: ipv4 2 tcp 6 431999 E

Re: [Shorewall-users] ARP

2011-05-04 Thread Vieri Di Paola
This seems to help and I'm supposing it's enough. interfaces file: caib $IF_CAIB detect arp_filter=1

[Shorewall-users] ARP

2011-05-04 Thread Vieri Di Paola
Hi, I've run into a network problem and I'm trying to figure out the quickest route out. I have a shorewall router with several zones but I have different physical hosts with the same IP addresses in 2 different zones (lan and caib). My interfaces file contains the following: lan $IF_LAN

[Shorewall-users] 1 shorewall router + 1 shorewall gateway/router + proxyarp

2011-04-06 Thread Vieri Di Paola
Hi, I'm setting up a test network like this: - host in lan zone at 10.215.146.89 with default gw 10.215.144.91 - shorewall firewall as router (ROUTER1) with eth0 interfacing the lan zone with 10.215.144.91/16 and eth1 with IP addr. 172.16.0.1/23 pointing to a wan zone - another shorewall router

Re: [Shorewall-users] bridge as gateway

2011-04-06 Thread Vieri Di Paola
--- On Tue, 4/5/11, Simon Hobson wrote: > Vieri Di Paola wrote: > > >Can a shorewall bridge (with management IP address) be > used as a > >host's default gateway? > > > >HOST1 in loc/lan zone (10.215.146.89) -> Shorewall > bridge > >(10.215.1

[Shorewall-users] bridge as gateway

2011-04-05 Thread Vieri Di Paola
Hi, Can a shorewall bridge (with management IP address) be used as a host's default gateway? HOST1 in loc/lan zone (10.215.146.89) -> Shorewall bridge (10.215.144.91) -> Gateway (10.215.144.90) Suppose I need to do a quick network change and I can't update the hundreds of HOSTs in the loc/lan

Re: [Shorewall-users] shorewall bridge: BP-zone to BP-zone rules and policies

2011-03-30 Thread Vieri Di Paola
--- On Sun, 3/27/11, Tom Eastep wrote: > Okay -- this is very subtle and I will try to make it less > so, but the > problem has to do with your hosts.FHM entries. > > I assume that you know which bridge port the IPSEC tunnels > come in > through (eth0 or eth1). So specify that interface rather

Re: [Shorewall-users] shorewall bridge: BP-zone to BP-zone rules and policies

2011-03-27 Thread Vieri Di Paola
--- On Sun, 3/27/11, Tom Eastep wrote: > Okay -- this is very subtle and I will try to make it less > so, but the > problem has to do with your hosts.FHM entries. > > I assume that you know which bridge port the IPSEC tunnels > come in > through (eth0 or eth1). So specify that interface rather

Re: [Shorewall-users] shorewall bridge

2011-03-25 Thread Vieri Di Paola
--- On Fri, 3/25/11, Tom Eastep wrote: > > --- On Thu, 3/24/11, Tom Eastep > wrote: > > > >>> --- On Thu, 3/24/11, Vieri Di Paola > >> wrote: > >>> > >>>> If I setup eth0 and eth1 as routed > interfaces (no > >> br

Re: [Shorewall-users] shorewall bridge

2011-03-25 Thread Vieri Di Paola
--- On Thu, 3/24/11, Tom Eastep wrote: > > --- On Thu, 3/24/11, Vieri Di Paola > wrote: > > > >> If I setup eth0 and eth1 as routed interfaces (no > bridge) > >> on "SW BOX 1" I need to do masquerading of the loc > zone. > > >

[Shorewall-users] shorewall bridge: BP-zone to BP-zone rules and policies

2011-03-25 Thread Vieri Di Paola
I have a bridge setup with lan and wan bp-zones. I'm pinging successfully from a host in the lan bp-zone with IP addr 10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and this is reflected in the Conntrack Table (see dump). According to the documentation I should be able to

Re: [Shorewall-users] shorewall bridge

2011-03-24 Thread Vieri Di Paola
--- On Thu, 3/24/11, Vieri Di Paola wrote: > If I setup eth0 and eth1 as routed interfaces (no bridge) > on "SW BOX 1" I need to do masquerading of the loc zone. Or maybe not...

Re: [Shorewall-users] shorewall bridge

2011-03-24 Thread Vieri Di Paola
--- On Thu, 3/24/11, Tom Eastep wrote: > On 3/24/11 2:09 AM, Vieri Di Paola > wrote: > > Hi, > > > > According to http://www.shorewall.net/bridge-Shorewall-perl.html: > > > > -> rules are not > allowed > > -> rules are > not all

[Shorewall-users] shorewall bridge

2011-03-24 Thread Vieri Di Paola
Hi, According to http://www.shorewall.net/bridge-Shorewall-perl.html: -> rules are not allowed -> rules are not allowed "Policies from a non-BP zone to a BP are disallowed. Rules where the SOURCE is a non-BP zone and the DEST is a BP zone are disallowed." /etc/shorewall/zones defines a a

Re: [Shorewall-users] traffic should be dropped but goes through

2011-02-25 Thread Vieri Di Paola
--- On Thu, 2/24/11, Tom Eastep wrote: > > So this should fail (DROP) but it doesn't: > > > > ping 192.168.144.90  (from 192.168.211.39) > > Looks like br0 is the 'net' zone and the implicit > net->net policy is > ACCEPT. If you don't want that, you need to add an explicit > net->net > polic

[Shorewall-users] traffic should be dropped but goes through

2011-02-24 Thread Vieri Di Paola
Hi, This is probably a dumb question but I'm successfully pinging from host1 to host2 via a shorewall bridge when I would be expecting NOT to. So this should fail (DROP) but it doesn't: ping 192.168.144.90 (from 192.168.211.39) Could you please have a look at the Shorewall dump? http://213.96

Re: [Shorewall-users] DHCPD

2011-02-24 Thread Vieri Di Paola
--- On Thu, 2/24/11, Simon Hobson wrote: > >In other words, can I have a DHCP server on one side of > the bridge > >leasing IP addresses ONLY for that side and another > DHCP server on > >the other side giving out IP addresses ONLY for that > side? > > Yes, you can do that, just don't allow t

[Shorewall-users] DHCPD

2011-02-24 Thread Vieri Di Paola
Hi, Can a Shorewall bridge (with firewall rules as in http://www.shorewall.net/bridge-Shorewall-perl.html) block DHCPD traffic? In other words, can I have a DHCP server on one side of the bridge leasing IP addresses ONLY for that side and another DHCP server on the other side giving out IP add

Re: [Shorewall-users] shorewall bridge

2011-02-24 Thread Vieri Di Paola
--- On Mon, 2/21/11, Sander Klein wrote: > Even if the bridge is filtering traffic, the filtered > traffic will > still loop. Do you have a functioning spanning-tree setup? STP was enabled on the shorewall bridge but wasn't on the second bridge I accidentally connected. I suppose that if ST

[Shorewall-users] shorewall bridge

2011-02-21 Thread Vieri Di Paola
Hi, My network is as follows: Shorewall gateway/router (10.215.144.92) --- INTERNAL SWITCH 1 (LAN1) --- Shorewall bridge (10.215.144.91) --- LAN2 (10.215.0.0) I configured 10.215.144.91 as in the guide http://www.shorewall.net/3.0/NewBridge.html (it's an "old" box). This morning I accidentall

Re: [Shorewall-users] connection rejection

2010-08-10 Thread Vieri Di Paola
--- On Tue, 8/10/10, Tom Eastep wrote: > An alternative would be: > > sudo iptables -A dynamic -d 123.123.123.123 -j DROP > > and > > sudo iptables -D dynamic -d 123.123.123.123 -j DROP Thanks again! Vieri

Re: [Shorewall-users] connection rejection

2010-08-10 Thread Vieri Di Paola
--- On Tue, 8/10/10, Trent O'Callaghan wrote: > Although at Linux command line you could do: > > sudo ip route add blackhole 123.123.123.123 > > And remove it with: > > sudo ip route del blackhole 123.123.123.123 Thanks!

Re: [Shorewall-users] connection rejection

2010-08-09 Thread Vieri Di Paola
--- On Mon, 8/9/10, Tom Eastep wrote: > Shorewall blacklisting blacklists the SOURCE address, not > the > DESTINATION address. From the 'show connections' output, > the original > connection was TO 123.123.123.123, not FROM that host. > > So after blacklisting that IP, you can still connect to

[Shorewall-users] connection rejection

2010-08-09 Thread Vieri Di Paola
Hi, I'm trying to figure out how to interrupt a connection temporarily. Suppose I want to stop traffic going to 123.123.123.123 then re-allow it later on. I have BLACKLISTNEWONLY=Yes in shorewall.conf. On my shorewall bridge I run: # tcpkill -i br0 "dst host 123.123.123.123" This interrupts m

Re: [Shorewall-users] bridge and routing

2010-03-30 Thread Vieri Di Paola
--- On Tue, 3/30/10, Simon Hobson wrote: > Firstly, I don't see why you have the shorewall box set as > the > default gateway - it isn't a gateway for any traffic and so > you are > forcing most traffic to be handled twice. I know I should set the default gateway as what I labeled as . Will c

Re: [Shorewall-users] bridge and routing

2010-03-29 Thread Vieri Di Paola
--- On Mon, 3/29/10, Vieri Di Paola wrote: > So I'll place it on a web server asap. shorewall dump: http://213.96.91.201/temp/status.txt.gz

Re: [Shorewall-users] bridge and routing

2010-03-29 Thread Vieri Di Paola
--- On Mon, 3/29/10, Tom Eastep wrote: > > I'm attaching the shorewall dump (old SW version). > > > > Dump? > quote: Your mail to 'Shorewall-users' with the subject Re: [Shorewall-users] bridge and routing Is being held until the list moderator can review it for approval. The reason

Re: [Shorewall-users] bridge and routing

2010-03-29 Thread Vieri Di Paola
--- On Fri, 3/26/10, Tom Eastep wrote: > Very brief problem report! :-) Sorry, Fridays are Fridays. Here's what I wanted to report: I configured a shorewall system as a bridge with an IP address. The bridge is a firewall in between two LANs (say, loc and net). There's a router within "loc"

[Shorewall-users] bridge and routing

2010-03-26 Thread Vieri Di Paola

Re: [Shorewall-users] boot sequence

2009-11-23 Thread Vieri Di Paola
--- On Sun, 11/22/09, Tom Eastep wrote: > > Can/should shorewall start before the NICs are brought > up? > > It can be, if you don't use any Shorewall constructs that > require > networking to be started. > If Shorewall starts before named, you cannot use DNS names > in your > configuration.

[Shorewall-users] boot sequence

2009-11-22 Thread Vieri Di Paola
Hi, Which "services" are required to start before shorewall at boot time? Can/should shorewall start before the NICs are brought up? The init script examples in the shorewall package vary: init.sh: $local_fs $remote_fs $syslog init.debian.sh: $network Thanks for your help, Vieri

Re: [Shorewall-users] ipv6

2009-08-30 Thread Vieri Di Paola
--- On Sat, 8/29/09, Tom Eastep wrote: > I think that the page now makes sense. Please have a look. It does. Thanks. Vieri

[Shorewall-users] ipv6

2009-08-29 Thread Vieri Di Paola
Hello, I'm reading this guide on ipv6 (really just getting my "feet wet"): http://www.shorewall.net/6to4.htm In the section "Configuring IPv6 using my script" I can read that the IPv6 interfaces are: INTERFACES="eth2 eth4" and that correlates fine with the first diagram/figure. However, further

Re: [Shorewall-users] Combatting DDoS attack

2009-08-29 Thread Vieri Di Paola
--- On Sat, 8/29/09, Christ Schlacta wrote: > I'm aware of, but have never tried a > technique called tarpitting that  > is supposed to be very useful in your situation. I think that the TARPIT target has made it into the latest kernels/iptables but I haven't checked. I don't know if shorewal

[Shorewall-users] shorewall on a livecd: best approach to detect interfaces

2009-06-04 Thread Vieri Di Paola
Hi, I'm in the process of building a custom liveCD that will be used as a firewall/multi-ISP gateway (read-only media). The idea is that the liveCD should boot any x86 system. This implies that the motherboard and NICs may vary (hardware replacement because of system failure). Linux displays

Re: [Shorewall-users] block unwanted traffic masked as HTTP

2008-09-26 Thread Vieri Di Paola
--- On Thu, 9/25/08, Chuck Kollars wrote: > tool that can identify port > 443 connections that don't use W3C-sanctioned encryption > handshake methods That could be interesting. Thank you and the rest of the ML users for the feedback. Vieri

Re: [Shorewall-users] block unwanted traffic masked as HTTP

2008-09-25 Thread Vieri Di Paola
--- On Thu, 9/25/08, Roberto C. Sánchez wrote: > > > [ First, please fix your mail client to properly > wrap lines. ] > > > > I'm using Yahoo's webmail. > > Will have to subscribe from another account. > > > If you use "plain text" instead of "rich > text" it should work prop

Re: [Shorewall-users] block unwanted traffic masked as HTTP

2008-09-25 Thread Vieri Di Paola
--- On Thu, 9/25/08, Roberto C. Sánchez wrote: > [ First, please fix your mail client to properly wrap lines. ] I'm using Yahoo's webmail. Will have to subscribe from another account. > Your best bet is to use squid. Squid has a nice acl feature that allows > you do block b
