[Shorewall-users] Adding iptable rules for DSCP marking

2012-02-19 Thread jonetsu
Hello, I would like to DSCP-mark some traffic and have this marking set when shorewall starts. The 'started' file seems to be the place to put those extra iptables commands. Has anyone used the started file for this purpose ? Any drawbacks ? Thanks for any suggestions/comments.

Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-20 Thread jonetsu
On Mon, 20 Feb 2012 09:10:30 -0800, Tom Eastep wrote : > If you can wait until 4.5.1 is released, you can set the DSCP field > with entries in /etc/shorewall/tcrules. Thanks for the suggestions ! It's appreciated. When would be the release of 4.5.1 ?

Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-21 Thread jonetsu
On Mon, 20 Feb 2012 13:42:56 -0800, Tom Eastep wrote : > The Beta containing DSCP support will be released sometime this week; > probably Saturday. The final release will be around the middle of > March. The way I'm going now is that I have a table of DSCP to TC marks. This table is processed w

[Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
Hi, I have a Fedora 15 system w/o any Shorewall installed. Running the install.sh (as root) yields the following: ./install.sh Perl/compiler.pl syntax OK Installing Redhat/Fedora-specific configuration... ERROR: Shorewall >= 4.3.5 is not installed I can yum-install the current Fedora

Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
On Sat, 25 Feb 2012 17:18:27 -0500, jonetsu wrote : > I have a Fedora 15 system w/o any Shorewall installed. Running the > install.sh (as root) yields the following: > > ./install.sh > Perl/compiler.pl syntax OK > Installing Redhat/Fedora-specific configuration... >

Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sat, 25 Feb 2012 14:59:54 -0800, Tom Eastep wrote : > Here's a patch. The same patch should be applied to the installers of > both Shorewall and Shorewall6. Thanks. Now the install proceeds a bit further (Fedora 15) : ./install.sh Perl/compiler.pl syntax OK Installing Redhat/Fedora-specif

Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sun, 26 Feb 2012 07:41:10 -0800, Tom Eastep wrote : > On 02/26/2012 04:38 AM, jonetsu wrote: > > Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear > > to be installed > You need to install Shorewall-core first. See > http://www.shorewall.net/Install.

[Shorewall-users] Continuous pings going through a full DROP policy

2012-02-26 Thread jonetsu
For the same configuration in which the default policy is drop and only one connection is accepted in rules, continuous pinging to devices will stop squarely in 4.0.15 as soon as a very basic firewall is enabled whereas in 4.4.26.1, pinging will still continue after the firewall is enabled. All test

Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-28 Thread jonetsu
On Sun, 26 Feb 2012 14:33:16 -0800, Tom Eastep wrote : > On Feb 26, 2012, at 2:09 PM, jonetsu wrote: > > > For the same configuration in which the default policy is drop and > > only one connection is accepted in rules, continuous pinging to > > devices will stop squarel

Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-29 Thread jonetsu
On Wed, 29 Feb 2012 10:33:28 -0800, Tom Eastep wrote : > So to stop an existing ping at with shorewall start/restart, you need > to flush the conntrack table ('shorewall restart -p'). That requires > that you install the conntrack utility program (usually, the package > is called simply 'conntrac

[Shorewall-users] TC: connection mark value

2015-04-09 Thread jonetsu
Hello,   While it is possible to set the connection mark for a packet, what does the RESTORE command do in terms of numerical value ?  Eg. it will put into the packet the connection mark, but what is the connection mark in the first place and how can this unknown value relate to any mark define

[Shorewall-users] Reverse Path filtering: iptables and kernel ?

2015-05-26 Thread jonetsu
Hello,   When specifying a rpfilter option for an interface, we can see after applying the firewall configuration that there is a rpfilter being added for that interface, as well as a rpfilter chain.  OTOH, no rp_filter option is set in /proc/sys/net/ipv4/conf//rp_filter. What is the differ

[Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu
Hello, I have noticed that between versions 4.5.5.3 and 4.6.4.3 the error output concerning a missing TC default class is missing in the latter, for the same configuration: 4.5.5.3: Checking /tmp/shorewall/tcdevices... Checking /tmp/shorewall/tcclasses...    ERROR: No default class define

Re: [Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu
From: "Robert K Coffman Jr. -Info From Data Corp." Date: 08/04/15 15:18 > The TC files were changed - the error message on the newer version > telling you how to update your files. Hmmm... The 'shorewall update -t' command ... That is quite a lot.  The system relies so far on parsing the er

[Shorewall-users] mangle documentation example

2015-08-05 Thread jonetsu
Hello, The examples shown in the mangle documentation are the same as for tcrules. I ran: (config files, including shorewall.conf, are stored in /tmp/shorewall/) % cd /tmp/shorewall/ % shorewall update -t . And from a tcrules that is: #MARK  SOURCE     DEST       PROTO   DPORT(S)  SPOR

[Shorewall-users] No error reported when missing default tcclass

2015-08-05 Thread jonetsu
Shorewall 4.6.4.3 Still using tcrules, so I ran 'shorewall update -t .' and it created a mangle file, and modified the shorewall.conf file. The configuration is missing a default tcclass.  Shorewall 4.5.5.3 will report: % shorewall check .  [...]  Checking Martian Logging...  Checking /tm

[Shorewall-users] No error reported when out bandwidth is exceeded in tcclasses

2015-08-05 Thread jonetsu
Hello, This is basically the same as the previous post about no error output when a default tcclass is missing. This time around the out bandwidth is exceeded. Shorewall 4.5.5.3 has a warning output:  Checking Martian Logging...  Checking /tmp/shorewall/tcdevices...  Checking /tmp/shorewall/

Re: [Shorewall-users] Error output has changed

2015-08-06 Thread jonetsu
shorewall-users@lists.sourceforge.net > Date: 08/06/15 12:32 > Subject: Re: [Shorewall-users] Error output has changed > > On 08/04/2015 12:33 PM, jonetsu wrote: > > From: "Robert K Coffman Jr. -Info From Data Corp." > > > > Date: 08/04/15 15:18 > > > >

[Shorewall-users] routeback option explicitly disabled generates error

2015-08-07 Thread jonetsu
Hello, Having an undefined zone along with disabling explicitly the routeback option generates an error as if the '0' value of the routeback option (which I assume is disabling the option) is not taken into account: Shorewall 4.6.4.3. interfaces   -    eth2        -    arp_filter=0,routeba

[Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
Hello, When having a complex TC configuration for both IPv4 and IPv6, setting TC_ENABLED=Internal in both Shorewall .conf files seems natural. Is this the way to proceed ? Thanks.

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: "Tom Eastep" > Date: 10/09/15 12:59 > > When having a complex TC configuration for both IPv4 and IPv6, > > setting TC_ENABLED=Internal in both Shorewall .conf files seems > > natural.  Is this the way to proceed ? > You want TC_ENABLED=Internal in one configuration and TC_ENABLED=Sha

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: "Tom Eastep" > Date: 10/09/15 12:59  > Also note the warnings about the settings for CLEAR_TC in both files. It works using files instead of symlinks.  I was simply wondering if Shorewall would take into account the nature of the symlinks themselves in its processing. I have anoth

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: jonetsu > Date: 10/09/15 14:42 > I have another question regarding Shorewall6 conf: why isn't there a Simple > option for TC_ENABLED ? The above question stemmed from the online shorewall6.conf in which the Simple option for TC_ENABLED is not mentioned.  In t

Re: [Shorewall-users] I'll be off of the list for several days

2015-11-17 Thread jonetsu
Wish you all the best !! -Original Message- > From: "Tom Eastep" > To: "Shorewall Users" , "Shorewall > Development" > Date: 11/17/15 11:13 > Subject: [Shorewall-users] I'll be off of the list for several days > > I have a health issue that I will be dealing with. Hope to be back

[Shorewall-users] L2TPv3 traffic control ?

2016-03-28 Thread jonetsu
Hello, Is there any provision within Shorewall to provide traffic control inside L2TPv3 ? Thanks.

[Shorewall-users] DSCP marking

2016-07-20 Thread jonetsu
Hello, Some time ago I did a user interface for DSCP marking, taking the documentation from the tcrules of that time, in which it was mentioned that the DSCP mark can be followed by either F (forward chain) or T (postrouting - default).  The current mangle documentation page does not have these

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 18:12:08 +0200 wrote: > I am sure I am not the only one with this problem, but I am also > sure other guys switched to some other firewall. From years of using shorewall on various devices, it always starts from the command line. In any problem like this I immediately exc

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 19:04:54 +0200 wrote: > So you are saying there is not possible to run shorewall at boot. It > is only possible to start it with cmd/terminal What I am saying is always go back to a reliable way. You are saying the same when you say that it works fine on previous Centos vers

Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
This is what it looks like on a healthy system when managed using systemd : % cat /usr/lib/systemd/system/shorewall.service # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall # # Copyright 2011 Jonathan Underwood # [Unit] Description=Shorewall IPv4 firewall Wants=network-on

Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
On Thu, 19 May 2022 10:34:09 +0200 wrote: > And this is looks like when shorewall doesn't work and as I see > shorewall died, I start it yesterday on terminal Take a look at Poldi's solution (#3) in : https://bugs.launchpad.net/ubuntu/+source/shorewall/+bug/1511869 The other comments in the bu