On 7/28/22 1:55 PM, Eric Teeter wrote:
As it doesn't seem to affect anything
It affects Traffic Shaping.
I have used it on Debian and didn't have an issue
in Debian shorewall depends on iproute2
in Debian tc is installed by iproute2
On 7/28/22 10:47 AM, Eric Teeter wrote:
I'm assuming there's a missing dependency for tc.
Anyone know what needs to be installed?
https://shorewall.org/shorewall_prerequisites.htm
Shorewall Requires:
A Linux kernel that supports Netfilter (No, it won't work on
BSD or
Hi,
On 7/6/21 4:31 PM, Justin Pryzby wrote:
Shorewall @ "Public Server":
/rules
ACCEPT net $FW:AA.AA.AA.AA tcp 12345
DNAT net vpn:10.10.10.99 tcp 12345 - AA.AA.AA.AA
Shorewall @
I'm setting up public access to a remote/internal server, on a specific port,
over a private VPN.
Topology is:
Net
|
| eth0 (IP = AA.AA.AA.AA)
"Public Server" (Shorewall)
| vpn0 <-> "Private Edge:vpn0"
|
| eth0 (IP =
Justin,
On 7/5/21 7:13 PM, Justin Pryzby wrote:
Could you try &{MYIPV6} ?
...
The docs say this, so if it's empty, that would make sense.
https://shorewall.org/configuration_file_basics.htm#AddressVariables
|A second form is also available beginning with Shorewall 4.5.11
|%{variable}
|Unlike
In a shorewall6-lite 5.2.8 config, I want to get externally defined data (an
IP6 addr),
cat /etc/shorewall/MYIP6.current
[2600:::xxx0::56]
and assign its content to a dynamic variable for use in SW
Selecting from
Extension Scripts (User Exits)
thad,
look with tcpdump @ icmp6 traffic across your ext router interface while you
ping6 from your lan; for your setup
tcpdump -n -i enp2s0 icmp6
you'll likely see 'echo request' going out, from your desktop IP address, but
no 'echo reply' returning.
the "net" needs to know to
I've added provider marks
@ Router1 /providers
#NAME NUM MARK DUP INTFC GW OPTS
ispA 1 0x100 - EXT_IF detect track,balance
vpnA 2 0x200 - VPN_IF 10.1.1.2 track,fallback
@ Router2
I've got 2 routers, both running shorewall, and a server.
I'm trying to get routeback working correctly for the following config.
Currently, inbound traffic gets to its intended DEST, but the reply routes back
over the wrong path.
I'm missing some route(back) config; the DNAT rules don't
ok, 'UNCLE!'
what shorewall rule do I need to PASS this
2020-11-23T19:53:48.470332-08:00 test kernel: SW:[P4]OUTPUT:REJECT IN=
OUT=enp3s0 SRC=10.100.100.100 DST=10.100.100.130 LEN=112 TOS=0x00 PREC=0xC0
TTL=64 ID=22257 PROTO=ICMP TYPE=3 CODE=1 [SRC=10.100.100.130 DST=10.100.100.100
LEN=84
On 9/30/20 10:52 AM, JadoNena via Shorewall-users wrote:
>> Everything you need should be on that page, below the text I quoted.
>
> It isn't. None of that answers the question I asked. That's why I am asking.
> But ok anyway.
>
> I removed Shorewall and switched to OPNsense. It took care of
On 9/9/20 12:56 PM, Tom Eastep wrote:
> Ignore my last post -- /etc/iproute2/rt_tables IS automatically updated,
> unless KEEP_RT_TABLES=Yes.
ah, that'd provide an explanation
I'd 'imported'
USE_RT_NAMES=Yes
from prior configs, and (likely) had never touched
On 9/9/20 10:07 AM, Tom Eastep wrote:
> Have you set USE_RT_NAMES=Yes? That setting will cause provider names to
> appear in 'ip' commands rather than provider numbers. With
> USE_RT_NAMES=Yes, you must edit /etc/iproute2/rt_tables to provide the
> proper name->number mappings.
yep,
i've set
/init
DYN_IP=$( dig A dyn.example.com @1.1.1.1 +short 2>/dev/null )
then use
%{DYN_IP}
in my SW configs, e.g. in /rules.
if I want to add a fallback value, what's the correct syntax/usage?
in fool_sm config, e.g., I use the form
On 6/8/20 10:32 AM, Tom Eastep wrote:
> Why not assign this host a static IP address via DHCP? That's what I do
> with my local systems.
hm... not sure I follow.
the 'local' box does get its external IPv4 address from the ISP.
( technically, it's actually getting it from the modem, configured
On 6/8/20 10:16 AM, Tom Eastep wrote:
> As shipped, shorewall6.conf includes 'AllowICMPs' in the
> BLACKLIST_DEFAULT, DROP_DEFAULT, and REJECT_DEFAULT settings. The
> AllowICMPs action accepts all ICMP6 packet types required by RFC 4890.
if that's sufficient, then I'm good.
atm, my
On 6/8/20 8:13 AM, Simon Hobson wrote:
> I am really not an expert in IPv6 :-(
heh. is _anyone_? much voudou req'd! ;-)
> will drop it AND send back an ICMP6 PTB (Packet Too Big) message to the
> source - thus explicitly telling the source to use smaller packets for that
> flow. If the PTB
i've setup dualstack IPv4 & IPv6 across my lan.
IPv4 via my local ISP's gateway; IPv6 over a wireguard VPN link through a cloud
VM, using native IPv6.
shorewall(6)-lite is in place on all boxes.
afaict so far, all IPv6 traffic flows -- at least, I've had no widespread
issues browsing ...
On 6/7/20 1:47 PM, Tom Eastep wrote:
> Yes. As a general rule, address variables can be used anywhere that a
> host IP address can be used, unless documented otherwise.
great, thx.
that takes care of the 'local' shorewall instance's tracking etc of a dynamic
IP address.
that 'local' IP
if i define a static param value in
/params
MY_STATIC_IP=1.2.3.4
i can use, e.g.,
/snat
SNAT($MY_STATIC_IP) ...
if, instead I define an AddressVariable
/init
MY_DYN_IP=$( cat /some/path/to/latest_EXT_IP )
is this, then,
On 6/5/20 4:11 PM, PGNet Dev wrote:
>> That rule will be wiped out the next time you 'shorewall6 reload' or
verified that to be the case
moved all the wireguard-config ip(6)tables @remote rules to shorewall
kept only the iproute rules in wireguard config @remote
added a system override
On 6/5/20 3:56 PM, Tom Eastep wrote:
>> *AND* @remote,
>>
>> /etc/wireguard/wg0
>>
>> +PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> +PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>
>
> That rule will be wiped out the next
On 6/2/20 9:24 PM, Tom Eastep wrote:
> I know nothing about Wireguard, but this article seems relevant (note
> the 'Required key not available):
>
> https://bbs.archlinux.org/viewtopic.php?id=232754
good hint!
adding @local,
/etc/wireguard/wg0
+ AllowedIPs =
On 6/2/20 2:28 PM, Tom Eastep wrote:
> For route (such as these) in the main routing table, I prefer the system
> networking config files.
easily enough done in wireguard conf,
@remote
/etc/wireguard/wg0.conf
[Interface]
...
+ PostUp = ip
On 6/1/20 4:51 PM, Tom Eastep wrote:
>> @ local
> You are missing a default route: via fd10:254:254::1 dev wg0
>> @ remote
> That route is incorrect -- it should be via fd10:254:254::1 dev wg0.
Thanks! Obviously non-obvious to me :-/
Such routes can be set/handled by
system
hi,
i've got two linux machines
uname -rm
5.6.15-24.gfe7831e-default x86_64
iptables -V
iptables v1.8.4 (legacy)
connected via a wireguard VPN.
shorewall{,6}-lite, v5.2.4.5 runs on both.
The two machines are config'd as
(1) remote
On 3/21/20 9:44 AM, Witold Tosta wrote:
> Is it necessary to restart the shorewall firewall when the cronjob script
> updates the ipset?
fyi,
https://shorewall.org/ipsets.html#Ipsets
...
Zone definition. Using the /etc/shorewall/hosts file, you can define a zone
based on the (dynamic)
On 3/16/20 1:27 PM, Tom Eastep wrote:
> With your configuration, shorewall-init is ensuring that only
> connections allowed by your 'stopped' configurations are being allowed
> between the time that your external interface(s) comes up and the time
> that shorewall-lite and shorewall6-lite are
i'm running distro-pkg'd shorewall 5.2.3.7, on opensuse leap15.1.
it's deployed on my boxes as shorewall-lite + shorewall-init.
once up, it runs fine.
on upgrade by package manager, "Something(tm)" in the install process causes
the fw to immediately start blocking traffic.
if the upgrade's in
On 12/7/19 10:38 PM, Matt Darfeuille wrote:
> HTH.
It did, thx! Mainly to confirm that this is NOT a firewall issue.
Rather this FireStick is flaky as all get out ... NO problems with any vanilla
Android- or X86-stick.
Knowing that, I've got some options to play with.
o/
I'm inserting an Amazon FireStick (Android-based) into my lan.
All SW firewall/routing/etc is done on a linux box for my LAN.
The FireStick needs to communicate with a server @ 10.1.1.101 on my lan.
The target's got fwd/reverse DNS setup,
host target.lan.loc
On 10/27/17 8:48 AM, cac...@quantum-sci.com wrote:
In fact half the time, REJECTs and DROPs are -not- logged, and I have to
figure out why without the aid of informational messages.
Shorewall does a great job of doing exactly what it's told to do.
If "half the time, REJECTs and DROPs are
On 03/31/2017 02:47 AM, norm.aud...@gmail.com wrote:
> I wonder if that is such a good idea...
Actually quite handy when centrally managing/compiling multiple
firewalls for differently configured remotes. Each remote's data dir
gets its own capabilities file ...
On 03/30/2017 11:14 AM, PGNet Dev wrote:
> And what's in your `capabilities` file for the FW you're compiling?
Just in case, consider also regenerating your capabilities file, to match your
actual/current capabilities, specifically including ipset after having
installed/upgraded it
c
On 03/30/2017 11:04 AM, Norman Henderson wrote:
> Thanks, both of you. The possibly significant difference in ipset list
> is that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol
> version: 6)
here, it's
ipset -v
ipset v6.32, protocol version: 6
as well
On 03/30/2017 09:34 AM, Matt Darfeuille wrote:
> On 3/30/2017 8:34 AM, Norman Henderson wrote:
>> Thank you Ian. Matt, I've done some more tests and this really looks like a
>> shorewall bug.
Did you update your capabilities?
What's the output of
shorewall-lite show capabilities | grep
On 04/04/2016 08:27 AM, Tom Eastep wrote:
> You will probably need to use this form instead or the compiler will
> complain about the quotes:
>
> INLINE(DROP) net $FW tcp 25 ; -m string --algo bm --string 'ylmf-pc'
string matches in SW rules appear quite useful.
I tend to organize my *IP* lists
I compile SW configs locally, and push to remote shorewall-lite instances.
I've recently upgraded my build machine to
shorewall version
4.6.13
uname -r
4.3.0-3.g733f8ab-default
Two new issues have cropped up.
(1) When the remote's
> Have you checked your .rpmmacros file?
cat ~/.rpmmacros
%_topdir %(echo $HOME)/rpmbuild
%_smp_mflags %( \
[ -z "$RPM_BUILD_NCPUS" ] \\\
&& RPM_BUILD_NCPUS="`/usr/bin/nproc 2>/dev/null || \\\
/usr/bin/getconf
> I don't see how this can be a defect in build50:
>
> teastep@gateway:~/shorewall/tools/build$ fgrep rpmbuild build50
> do_rpmbuild() {
> RPM=yes rpmbuild --target noarch-linux $@ >> $LOGFILE 2>&1
> do_or_die do_rpmbuild "-ba $RPMDIR/SPECS/${2}.spec"
>
On 11/09/2015 08:29 AM, Tom Eastep wrote:
> On 11/09/2015 07:24 AM, Tom Eastep wrote:
>
>>
>> I realized this morning that this is most likely due to missing 5.0.1
>> tracking branches. In that case, the build will use the 'master' branch
>> which is 5.0.2-RC1.
>>
>> In both the 'release' and
I'm working on rpm-packaging v5x from upstream sources.
The unpacked docs tarball
shorewall-docs-xml-5.0.1.1
provides the doc source files in, obviously, xml format.
Old SW 4x versions provided the build45/build46 scripts -- afaict,
there's no equivalent for v5x (there's an old build5 --
On 11/08/2015 01:04 PM, Tom Eastep wrote:
> Why don't you simply download shorewall-docs-html.5.0.1.1?
Simply because there are no v5.0-specific docs suggesting to do so, and,
as we'd just recently chatted in #irc, I'm trying to put together a
complete build, with doc-gaps filled, for v5 for
Building v5x using the newly available 'build50' script, the tarball
builds OK
build50 -tcslL6ix 5.0.1.1
...
Creating
/usr/local/src/SHOREWALL-BUILD/build/shorewall-docs-xml-5.0.1.1 tarballs
Shorewall 5.0.1.1 Build complete - Sun Nov 8
I'm modifying a shorewall6-lite instance to MultiISP support.
My initial config -- migrated from a working IPv4 multiISP setup -- is
/providers
...
native6 1 0x100 main EXT_IF detect track,balance
10 he6 2 0x200 main
On 08/11/2015 01:08 AM, Simon Hobson wrote:
Unless I'm missing something, packets to/from link local addresses won't be
routed - and so should never go past the first hop.
If that's the case -- makes sense, now that you mention, but worth a
check -- then
ACCEPT net:fe80::/10 $FW udp 546
I've switched ISPs, and need to pull an IPv6 dhcp6-lease from the ISP
provided modem.
To get the lease I opened
ACCEPT net:fe80::::36df:cef3:332d2:aac1 $FW udp 546
where the [fe80::::36df:cef3:332d2:aac1] is the LinkLocal
address of the modem's internal