Re: [Shorewall-users] Shorewall not start at boot
On Thu, 19 May 2022 10:34:09 +0200 wrote:

> And this is what it looks like when shorewall doesn't work and as I see
> shorewall died, I started it yesterday on the terminal

Take a look at Poldi's solution (#3) in:
https://bugs.launchpad.net/ubuntu/+source/shorewall/+bug/1511869

The other comments in the bug report also have pointers. It looks like the root of the problem is the auto-generation of a systemd service file. The recommendation is that shorewall comes with its own systemd service file.

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Shorewall not start at boot
This is what it looks like on a healthy system when managed using systemd:

% cat /usr/lib/systemd/system/shorewall.service
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
#
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog
ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/bin/shorewall $OPTIONS stop
ExecReload=/usr/bin/shorewall $OPTIONS reload $RELOADOPTIONS

[Install]
WantedBy=basic.target

% systemctl status shorewall
* shorewall.service - Shorewall IPv4 firewall
     Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor>
     Active: active (exited) since Thu 2022-05-19 04:04:50 EDT; 1min 53s ago
    Process: 288 ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS (cod>
   Main PID: 288 (code=exited, status=0/SUCCESS)
        CPU: 436ms
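The unit file above is what a working install looks like; the thread's root cause is a generated unit that does not match it. As an added example (not Shorewall's code and not part of this thread), the Python check below parses a unit file with the standard library and reports the settings that differ from that reference: ordering after network-online.target, the Conflicts= entries for iptables/firewalld, Type=oneshot, RemainAfterExit=yes (without it systemd reports the oneshot unit inactive once the start command exits), ExecStop= and WantedBy=. GOOD_UNIT is a constructed copy of the key lines from the healthy unit; BAD_UNIT is a constructed, hypothetical stand-in for a generated unit, not a file from the bug report.

```python
"""Compare a Shorewall systemd unit against the settings of a known-good unit.
Added example; not Shorewall's own code."""
import configparser
import io

# Constructed copy of the key settings of the healthy unit shown in the thread.
GOOD_UNIT = """\
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/bin/shorewall $OPTIONS stop

[Install]
WantedBy=basic.target
"""

# Constructed, hypothetical stand-in for an auto-generated unit that lacks
# the ordering, Conflicts= and RemainAfterExit= settings.
BAD_UNIT = """\
[Unit]
Description=LSB: shorewall

[Service]
Type=forking
ExecStart=/etc/init.d/shorewall start

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> configparser.ConfigParser:
    """systemd units are INI-like: '=' separates key and value, keys are
    case-sensitive, '$VAR' must not be interpolated and keys may repeat."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def check_unit(text: str) -> list[str]:
    """Return a list of findings; an empty list means the unit matches the reference."""
    cp = parse_unit(text)
    unit = cp["Unit"] if cp.has_section("Unit") else {}
    svc = cp["Service"] if cp.has_section("Service") else {}
    inst = cp["Install"] if cp.has_section("Install") else {}
    findings = []
    if "network-online.target" not in unit.get("After", "").split():
        findings.append("[Unit] After= does not order the firewall after network-online.target")
    conflicts = set(unit.get("Conflicts", "").split())
    for other in ("iptables.service", "firewalld.service"):
        if other not in conflicts:
            findings.append(f"[Unit] Conflicts= does not exclude {other}")
    if svc.get("Type") != "oneshot":
        findings.append("[Service] Type= should be oneshot")
    if svc.get("RemainAfterExit", "").lower() != "yes":
        findings.append("[Service] RemainAfterExit=yes missing; systemd reports the unit inactive after start")
    if "/usr/bin/shorewall" not in svc.get("ExecStart", ""):
        findings.append("[Service] ExecStart= does not invoke /usr/bin/shorewall")
    if not svc.get("ExecStop"):
        findings.append("[Service] ExecStop= missing; the firewall is not stopped with the unit")
    if not inst.get("WantedBy"):
        findings.append("[Install] WantedBy= missing; 'systemctl enable' has nothing to link")
    return findings


if __name__ == "__main__":
    for finding in check_unit(BAD_UNIT) or ["unit matches the reference"]:
        print(finding)
```

To use it on a live box, read /usr/lib/systemd/system/shorewall.service (or the override under /etc/systemd/system) and pass its contents to check_unit; an empty result is the state the healthy system above is in.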
Re: [Shorewall-users] Shorewall not start at boot
On Wed, 18 May 2022 19:04:54 +0200 wrote:

> So you are saying it is not possible to run shorewall at boot. It
> is only possible to start it with cmd/terminal

What I am saying is always go back to a reliable way. You are saying the same when you say that it works fine on previous CentOS versions.

> I have enabled shorewall to start at boot with systemctl enable
> shorewall. The problem is that sometimes it starts automatically, sometimes
> not. So I need some monitoring software which will check if shorewall
> is up and, if not, will start it.

systemd provides its own way of giving status and that includes shorewall. shorewall does not run all the time. It does not need to. The kernel does run and that's what matters.
Re: [Shorewall-users] Shorewall not start at boot
On Wed, 18 May 2022 18:12:08 +0200 wrote:

> I am sure I am not the only one with this problem, but I am also
> sure other guys switched to some other firewall.

From years of using shorewall on various devices, it always starts from the command line. In any problem like this I immediately exclude shorewall. Which brings the problem to something you haven't mentioned at all: how is it started?

And yes, there is a status available with shorewall: shorewall status. You can also list iptables and grep/awk for relevant info.
[Shorewall-users] DSCP marking
Hello,

Some time ago I did a user interface for DSCP marking, taking the documentation from the tcrules of that time, in which it was mentioned that the DSCP mark can be followed by either F (forward chain) or T (postrouting - default). The current mangle documentation page does not have these.

First question, why? :) Does it mean that these options would break the current Shorewall configuration? E.g.:

DSCP(AF11):F

And, would having a prerouting P option, although useless, break configuration?

Thanks!
[Shorewall-users] L2TPv3 traffic control ?
Hello,

Is there any provision within Shorewall to provide traffic control inside L2TPv3?

Thanks.
Re: [Shorewall-users] I'll be off of the list for several days
Wish you all the best!!

-----Original Message-----
> From: "Tom Eastep"
> To: "Shorewall Users", "Shorewall Development"
> Date: 11/17/15 11:13
> Subject: [Shorewall-users] I'll be off of the list for several days
>
> I have a health issue that I will be dealing with. Hope to be back next
> week.
>
> -Tom
> --
> Tom Eastep          \ When I die, I want to go like my Grandfather who
> Shoreline,          \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \
Re: [Shorewall-users] Using both IPv4 and IPv6 TC
> From: "Tom Eastep"
> Date: 10/09/15 12:59
>
>> When having a complex TC configuration for both IPv4 and IPv6,
>> setting TC_ENABLED=Internal in both Shorewall .conf files seems
>> natural. Is this the way to proceed?
>
> You want TC_ENABLED=Internal in one configuration and TC_ENABLED=Shared
> in the other. See shorewall.conf (5) and shorewall6.conf (5). You then
> create symbolic links from the configuration with the 'shared' setting
> to the tcdevices and tcclasses files in the other configuration.
>
> Also note the warnings about the settings for CLEAR_TC in both files.

Thanks. Instead of symlinks, would the same TC files copied in both directories also work? In other words, why would symlinks matter?

Thanks.
Re: [Shorewall-users] Using both IPv4 and IPv6 TC
> From: "Tom Eastep"
> Date: 10/09/15 12:59
> Also note the warnings about the settings for CLEAR_TC in both files.

It works using files instead of symlinks. I was simply wondering if Shorewall would take into account the nature of the symlinks themselves in its processing.

I have another question regarding the Shorewall6 conf: why isn't there a Simple option for TC_ENABLED?

Thanks again.
Re: [Shorewall-users] Using both IPv4 and IPv6 TC
> From: jonetsu <jone...@teksavvy.com>
> Date: 10/09/15 14:42
> I have another question regarding Shorewall6 conf: why isn't there a Simple
> option for TC_ENABLED?

The above question stemmed from the online shorewall6.conf in which the Simple option for TC_ENABLED is not mentioned. In the Simple Traffic Control documentation page, though, the option is mentioned for IPv6 under IPv4/IPv6 combined Simple configurations.

Cheers.
[Shorewall-users] Using both IPv4 and IPv6 TC
Hello,

When having a complex TC configuration for both IPv4 and IPv6, setting TC_ENABLED=Internal in both Shorewall .conf files seems natural. Is this the way to proceed?

Thanks.
[Shorewall-users] routeback option explicitly disabled generates error
Hello,

Having an undefined zone along with explicitly disabling the routeback option generates an error, as if the '0' value of the routeback option (which I assume disables the option) is not taken into account. Shorewall 4.6.4.3.

interfaces:

-   eth2   -   arp_filter=0,routeback=0,tcpflags=0,proxyarp=0

Produces:

   ERROR: The routeback option may not be specified on a multi-zone interface

Would this be a bug? It looks like the parsing for the presence of the routeback option does not take into account the value.

Thanks.
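The post's reasoning is that the check should look at the option's value, not merely at its presence. As an added example (not Shorewall's parser), the Python below parses the OPTIONS column of a 4-column interfaces entry (ZONE INTERFACE BROADCAST OPTIONS) and applies the multi-zone/routeback check the way the poster expects: a bare option or a non-zero value enables it, and routeback=0 counts as absent. The functions, the sample lines and the assumption that 0 disables are constructed for this illustration; the first sample line is the one from the post.

```python
"""Parse Shorewall interfaces OPTIONS and apply the routeback check with the
semantics the poster expects (value 0 = disabled). Added example; not
Shorewall's own code."""
from __future__ import annotations


def parse_options(field: str) -> dict[str, str | None]:
    """'arp_filter=0,routeback=0,tcpflags' -> {'arp_filter': '0', 'routeback': '0', 'tcpflags': None}.
    A bare name is stored with value None; '-' or '' means no options."""
    options: dict[str, str | None] = {}
    if field.strip() in ("", "-"):
        return options
    for item in field.split(","):
        name, sep, value = item.strip().partition("=")
        if name:
            options[name] = value if sep else None
    return options


def option_enabled(options: dict[str, str | None], name: str) -> bool:
    """Assumption from the post: a bare option or any value other than '0' enables it."""
    if name not in options:
        return False
    value = options[name]
    return value is None or value.strip() != "0"


def check_interfaces(text: str) -> list[str]:
    """Emit the multi-zone/routeback error only when routeback is actually enabled.
    ZONE of '-' denotes a multi-zone interface (zones assigned via the hosts file)."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append(f"ERROR: Malformed interfaces entry (line {lineno})")
            continue
        zone, iface = fields[0], fields[1]
        options = parse_options(fields[3] if len(fields) > 3 else "")
        if zone == "-" and option_enabled(options, "routeback"):
            errors.append(
                "ERROR: The routeback option may not be specified on a multi-zone "
                f"interface (line {lineno}, interface {iface})")
    return errors


# Constructed samples: the first is the exact entry from the post.
INTERFACES_ZERO = "-   eth2   -   arp_filter=0,routeback=0,tcpflags=0,proxyarp=0\n"
INTERFACES_SET = "-   eth2   -   routeback\n"

if __name__ == "__main__":
    print(check_interfaces(INTERFACES_ZERO) or "routeback=0 accepted on multi-zone interface")
    print(check_interfaces(INTERFACES_SET))
```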
Re: [Shorewall-users] Error output has changed
Tom,

I have seen your second message about the bandwidth error missing, and the use of TC_INTERNAL. This solves both this and the missing error for no default TC class! Thanks for pointing this out!

-----Original Message-----
From: Tom Eastep teas...@shorewall.net
To: shorewall-users@lists.sourceforge.net
Date: 08/06/15 12:32
Subject: Re: [Shorewall-users] Error output has changed

> On 08/04/2015 12:33 PM, jonetsu wrote:
>> From: Robert K Coffman Jr. -Info From Data Corp. bcoff...@infofromdata.com
>> Date: 08/04/15 15:18
>>> The TC files were changed - the error message on the newer version
>>> telling you how to update your files.
>>
>> Hmmm... The 'shorewall update -t' command ... That is quite a lot. The
>> system relies so far on parsing the error output (lines with 'ERROR')
>> from Shorewall's output, after creating the tc* files from user input.
>> Not having the ERROR lines is one thing, the other is having to convert
>> the machine-generated tcrules file. Why isn't it possible to keep the
>> same ERROR output while moving towards the mangle files?
>
> I'm unable to reproduce this result.
>
> teastep@gateway:~/test$ shorewall check .
>    ERROR: No default class defined for device eth0
> teastep@gateway:~/test$ cat tcclasses
> #INTERFACE    MARK  RATE        CEIL        PRIORITY  OPTIONS
> $EXT_IF:110   -     5*full/10   full        1         tcp-ack,tos-minimize-delay
> $EXT_IF:120   -     2*full/10   6*full/10   2
> $EXT_IF:130   -     2*full/10   6*full/10   3
> eth2          1     10kbit      10kbit      1         tcp-ack,tos-minimize-delay,default
> eth2          3     50kbps      50kbps      2
>
> Please:
> - shorewall show capabilities > /patch/to/config/caps
> - tar up the configuration directory and send it to me privately.
>
> -Tom
>
> PS -- I'm quite sure that the addition of the mangle file has nothing to
> do with this problem
[Shorewall-users] mangle documentation example
Hello,

The examples shown in the mangle documentation are the same as for tcrules. I ran (config files, including shorewall.conf, are stored in /tmp/shorewall/):

% cd /tmp/shorewall/
% shorewall update -t .

And from a tcrules that is:

#MARK   SOURCE      DEST        PROTO   DPORT(S)        SPORT(S)
1       0.0.0.0/0   0.0.0.0/0   icmp    echo-request

It created a mangle file that is:

#MARK     SOURCE      DEST        PROTO   DPORT(S)        SPORT(S)
MARK(1)   0.0.0.0/0   0.0.0.0/0   icmp    echo-request

Does it mean nevertheless that, according to the documentation, a standard tcrules configuration can simply find itself in a file called 'mangle' instead of 'tcrules'? If so, is there a need to run 'update -t'?

Thanks.
[Shorewall-users] No error reported when missing default tcclass
Shorewall 4.6.4.3

Still using tcrules, so I ran 'shorewall update -t .' and it created a mangle file, and modified the shorewall.conf file. The configuration is missing a default tcclass. Shorewall 4.5.5.3 will report:

% shorewall check .
[...]
Checking Martian Logging...
Checking /tmp/shorewall/tcdevices...
Checking /tmp/shorewall/tcclasses...
   ERROR: No default class defined for device switch.0001

Version 4.6.4.3 reports nothing:

% shorewall check .
[...]
Checking /tmp/shorewall/mangle...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

Actually, there are no messages about checking tcdevices and tcclasses. Is this a bug?

Thanks.

TC test configuration for both Shorewall versions (tcrules.bak and mangle in 4.6.4.3 only - tcrules only for 4.5.5.3):

tcdevices
#INTERFACE    IN-BANDWIDTH  OUT-BANDWIDTH
switch.0001   32mbit        32000kbit

tcclasses
#INTERFACE    MARK  RATE      CEIL  PRIORITY  OPTIONS
switch.0001   10    full*1/5  full  5
switch.0001   1     full*4/5  full  1

tcrules.bak
#MARK   SOURCE      DEST        PROTO
1       0.0.0.0/0   0.0.0.0/0   icmp echo-request

mangle
MARK(1) 0.0.0.0/0   0.0.0.0/0   icmp echo-request
[Shorewall-users] No error reported when out bandwidth is exceeded in tcclasses
Hello,

This is basically the same as the previous post about no error output when a default tcclass is missing. This time around the out bandwidth is exceeded. Shorewall 4.5.5.3 has a warning output:

Checking Martian Logging...
Checking /tmp/shorewall/tcdevices...
Checking /tmp/shorewall/tcclasses...
   WARNING: Total RATE of classes (38400kbits) exceeds OUT-BANDWIDTH (32000kbits) /tmp/shorewall/tcclasses (line 3)
   ERROR: No default class defined for device switch.0001

While Shorewall 4.6.4.3 simply goes by without noticing anything. Once again, the output of Shorewall 4.6.4.3 does not contain anything that shows it was looking at the tcclasses and tcdevices config files. Are these files actually processed?

Thanks.

tcclasses
switch.0001   10   full*2/5   full   5
switch.0001   1    full*4/5   full   1
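This post and the previous one ("No error reported when missing default tcclass") show the two tc sanity checks that 4.5.5.3 still printed. As an added example, and not Shorewall's compiler, the Python below re-creates those two checks over tcdevices/tcclasses text: it resolves 'full' and expressions such as full*4/5 against the device's OUT-BANDWIDTH, sums the class RATEs per device, and reports both the over-subscription warning and the missing default class. The sample files are constructed from the switch.0001 configuration in these posts; TCCLASSES_OK is a constructed corrected version. Assumptions: bandwidth suffixes follow tc's convention (kbit/mbit are bits per second, kbps/mbps are bytes per second), RATE/CEIL contain only * and / so left-to-right evaluation is exact, and the INTERFACE:CLASS form is reduced to its interface name (shell variables such as $EXT_IF are not expanded).

```python
"""Re-create the tcdevices/tcclasses checks shown in the 4.5.5.3 output.
Added example; not Shorewall's own code."""
import re

# kbit per unit; tc treats 'kbps'/'mbps' as kilobytes/megabytes per second.
UNIT_KBIT = {"bit": 0.001, "kbit": 1.0, "mbit": 1000.0, "kbps": 8.0, "mbps": 8000.0}


def parse_bandwidth(text: str) -> float:
    """'32mbit' -> 32000.0, '32000kbit' -> 32000.0, '50kbps' -> 400.0 (all kbit)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(bit|kbit|mbit|kbps|mbps)", text.strip())
    if not m:
        raise ValueError(f"unrecognised bandwidth: {text!r}")
    return float(m.group(1)) * UNIT_KBIT[m.group(2)]


def eval_rate(expr: str, full_kbit: float) -> float:
    """Evaluate a RATE/CEIL such as 'full', 'full*4/5', '5*full/10' or '10kbit'.
    Only * and / occur, so strict left-to-right evaluation is correct."""
    tokens = [t.strip() for t in re.split(r"([*/])", expr)]

    def value(tok: str) -> float:
        if tok == "full":
            return full_kbit
        if re.fullmatch(r"\d+(?:\.\d+)?", tok):
            return float(tok)
        return parse_bandwidth(tok)

    acc = value(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        acc = acc * value(tok) if op == "*" else acc / value(tok)
    return acc


def entries(text: str):
    """Yield (line number, fields) for each non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def check_tc(tcdevices: str, tcclasses: str) -> list[str]:
    """Return WARNING/ERROR lines in the style of 'shorewall check'."""
    out_bw = {}                                  # interface -> OUT-BANDWIDTH (kbit)
    for _, fields in entries(tcdevices):
        iface, _in_bw, out = fields[:3]
        out_bw[iface] = parse_bandwidth(out)
    messages, total, has_default, warned = [], {}, set(), set()
    for lineno, fields in entries(tcclasses):
        iface = fields[0].split(":", 1)[0]       # 'eth0:110' form carries a class number
        if iface not in out_bw:
            messages.append(f"ERROR: Unknown device {iface} (tcclasses line {lineno})")
            continue
        total[iface] = total.get(iface, 0.0) + eval_rate(fields[2], out_bw[iface])
        options = fields[5].split(",") if len(fields) > 5 else []
        if "default" in options:
            has_default.add(iface)
        if total[iface] > out_bw[iface] and iface not in warned:   # warn once per device
            warned.add(iface)
            messages.append(
                f"WARNING: Total RATE of classes ({total[iface]:.0f}kbits) exceeds "
                f"OUT-BANDWIDTH ({out_bw[iface]:.0f}kbits) (tcclasses line {lineno})")
    for iface in out_bw:
        if iface not in has_default:
            messages.append(f"ERROR: No default class defined for device {iface}")
    return messages


# Constructed from the configuration in the posts (switch.0001, 32000kbit out).
TCDEVICES = """\
#INTERFACE    IN-BANDWIDTH  OUT-BANDWIDTH
switch.0001   32mbit        32000kbit
"""
TCCLASSES_BAD = """\
#INTERFACE    MARK  RATE      CEIL  PRIORITY  OPTIONS
switch.0001   10    full*2/5  full  5
switch.0001   1     full*4/5  full  1
"""
# Constructed correction: rates sum to 'full' and one class carries 'default'.
TCCLASSES_OK = """\
#INTERFACE    MARK  RATE      CEIL  PRIORITY  OPTIONS
switch.0001   10    full*1/5  full  5
switch.0001   1     full*4/5  full  1         default
"""

if __name__ == "__main__":
    for line in check_tc(TCDEVICES, TCCLASSES_BAD):
        print(line)
```

Run against TCCLASSES_BAD it prints the same 38400/32000 warning and the missing-default error the 4.5.5.3 output shows; against TCCLASSES_OK it prints nothing.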
[Shorewall-users] Error output has changed
Hello,

I have noticed that between versions 4.5.5.3 and 4.6.4.3 the error output concerning a missing TC default class is missing in the latter, for the same configuration:

4.5.5.3:
Checking /tmp/shorewall/tcdevices...
Checking /tmp/shorewall/tcclasses...
   ERROR: No default class defined for device eth4

4.6.4.3:
Checking Martian Logging...
Checking /tmp/shorewall/tcrules...
   WARNING: Non-empty tcrules file (/tmp/shorewall/tcrules); consider running 'shorewall update -t'

tcdevices:
eth4   32mbit   32000kbit

tcclasses:
eth4   10   full*1/5   full   5
eth4   1    full*4/5   full   1

tcrules:
1   0.0.0.0/0   0.0.0.0/0   icmp   echo-request

Why has the error output changed and, are there other places that were modified likewise?

Thanks.
Re: [Shorewall-users] Error output has changed
> From: Robert K Coffman Jr. -Info From Data Corp. bcoff...@infofromdata.com
> Date: 08/04/15 15:18
> The TC files were changed - the error message on the newer version telling you how to update your files.

Hmmm... The 'shorewall update -t' command ... That is quite a lot. The system relies so far on parsing the error output (lines with 'ERROR') from Shorewall's output, after creating the tc* files from user input. Not having the ERROR lines is one thing, the other is having to convert the machine-generated tcrules file. Why isn't it possible to keep the same ERROR output while moving towards the mangle files?
[Shorewall-users] Reverse Path filtering: iptables and kernel ?
Hello,

When specifying an rpfilter option for an interface, we can see after applying the firewall configuration that there is an rpfilter being added for that interface, as well as an rpfilter chain. OTOH, no rp_filter option is set in /proc/sys/net/ipv4/conf/interface|all/rp_filter. What is the difference between what seem to be two different reverse path filtering options? One is observed by iptables and the other as a kernel module ... ?

Thanks.
[Shorewall-users] TC: connection mark value
Hello,

While it is possible to set the connection mark for a packet, what does the RESTORE command do in terms of numerical value? E.g. it will put into the packet the connection mark, but what is the connection mark in the first place and how can this unknown value relate to any mark defined in classes? I am surely missing something.

Thanks.
Re: [Shorewall-users] Continuous pings going through a full DROP policy
On Wed, 29 Feb 2012 10:33:28 -0800, Tom Eastep teas...@shorewall.net wrote:

> So to stop an existing ping with shorewall start/restart, you need to
> flush the conntrack table ('shorewall restart -p'). That requires that
> you install the conntrack utility program (usually, the package is
> called simply 'conntrack').

It was indeed a difference of kernels. Setting the conntrack ICMP timeout value to 1, for instance, for all practical purposes stops the pings just about immediately, which is fine. This approach would be less encompassing than having a shorewall -p which I suspect resets much more than only the ICMP timeout. For instance, if an admin is logged in using ssh for setting up a firewall, using shorewall -p would flush his connection tracking table which could be detrimental when making an error such as not opening a hole for the ssh connection once the firewall is up. Is it possible to only flush certain tables?

A value of 1 as the ICMP timeout could perhaps have an effect on normal pings when the network is slow, do you think so?

Those were the components:

System that does not stop the pings:
shorewall: 4.5.0.1-4.5.1-Beta2
kernel: 3.0.0
iptables: 1.4.8-3
iproute: 20100519-3

System that does stop the pings:
shorewall: 4.0.15
kernel: 2.6.26
iptables: 1.3.6.0
iproute: 20061002-3

Thanks so much for your help.
Re: [Shorewall-users] Continuous pings going through a full DROP policy
On Sun, 26 Feb 2012 14:33:16 -0800, Tom Eastep teas...@shorewall.net wrote:

> On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
>
>> For a same configuration in which the default policy is drop and only
>> one connection is accepted in rules, continuous pinging to devices will
>> stop squarely in 4.0.15 as soon as a very basic firewall is enabled,
>> whereas in 4.4.26.1 pinging will still continue after the firewall is
>> enabled. All tests are done with a proper reboot of unit3 where the
>> firewall is applied:
>>
>>   unit1 --------- eth4  unit3  eth1 --------- unit2
>>   192.168.3.2     192.168.3.1  172.30.159.103   172.30.159.102
>>        lan zone                    net zone
>>
>> In this case, continuous pings from unit1 to unit2 will stop when the
>> 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1 (easily made
>> since unit3 is booting from a different compact flash), copying the
>> files from 4.0.15 to it, and executing 'shorewall start' will not stop
>> the pings from unit1 to unit2 even though the policy is DROP. Other
>> traffic is effectively stopped, but not so with icmp packets. I've
>> looked at the changelog and release notes for 4.4.26.1 but did not find
>> anything about this.
>>
>> The firewall is very basic, and shorewall.conf is the same:
>>
>> zones
>> fw    firewall
>> net   ipv4
>> lan   ipv4
>>
>> interfaces
>> net   eth1
>> lan   eth4
>>
>> policy
>> all   all   DROP
>>
>> rules
>> (none)
>>
>> Using the same shorewall.conf might not be appropriate so I also tried
>> with the shorewall.conf provided in the 4.4.26.1 version, while keeping
>> the same zones, interfaces and policy files.
>
> Output of 'shorewall dump' as an attachment, please.

Hmmm.. Not sure if the other one got to you, so here it is. Sorry for any duplicate.

Here is the dump. It was done in the following way:

- unit3: reboot w/o any iptables commands applied
- start continuous pings from unit1
- unit3: shorewall start
- (continuous pings still going on)
- unit3: shorewall dump

192.168.3.2 = unit1 = pinging unit
172.30.159.103 = unit3 = shorewall unit
172.30.159.102 = unit2 = pinging target unit

eth1 -- fe-4-2 unit3 fe-3-1 -- fe-3-1 eth2

In a parallel iptables-only test it is possible to immediately stop the pings when iptables rules are applied by flushing the whole thing before applying any new rules.

Thanks!

Attachment: shorewall.dump.bz2 (application/bzip)
Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version
On Sat, 25 Feb 2012 14:59:54 -0800, Tom Eastep teas...@shorewall.net wrote:

> Here's a patch. The same patch should be applied to the installers of
> both Shorewall and Shorewall6.

Thanks. Now the install proceeds a bit further (Fedora 15):

./install.sh
Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration...
Installing Shorewall Version 4.5.1-Beta2
Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear to be installed
Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version
On Sun, 26 Feb 2012 07:41:10 -0800, Tom Eastep teas...@shorewall.net wrote:

> On 02/26/2012 04:38 AM, jonetsu wrote:
>> Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear to be installed
>
> You need to install Shorewall-core first. See http://www.shorewall.net/Install.htm.

Duh! ;-) Sorry, that was a rather silly one. Hopefully the next will not be.
[Shorewall-users] Continuous pings going through a full DROP policy
For a same configuration in which the default policy is drop and only one connection is accepted in rules, continuous pinging to devices will stop squarely in 4.0.15 as soon as a very basic firewall is enabled, whereas in 4.4.26.1 pinging will still continue after the firewall is enabled. All tests are done with a proper reboot of unit3 where the firewall is applied:

  unit1 --------- eth4  unit3  eth1 --------- unit2
  192.168.3.2     192.168.3.1  172.30.159.103   172.30.159.102
       lan zone                    net zone

In this case, continuous pings from unit1 to unit2 will stop when the 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1 (easily made since unit3 is booting from a different compact flash), copying the files from 4.0.15 to it, and executing 'shorewall start' will not stop the pings from unit1 to unit2 even though the policy is DROP. Other traffic is effectively stopped, but not so with icmp packets. I've looked at the changelog and release notes for 4.4.26.1 but did not find anything about this.

The firewall is very basic, and shorewall.conf is the same:

zones
fw    firewall
net   ipv4
lan   ipv4

interfaces
net   eth1
lan   eth4

policy
all   all   DROP

rules
(none)

Using the same shorewall.conf might not be appropriate so I also tried with the shorewall.conf provided in the 4.4.26.1 version, while keeping the same zones, interfaces and policy files.
[Shorewall-users] 4.5.1-Beta2 install: no previous version
Hi,

I have a Fedora 15 system w/o any Shorewall installed. Running the install.sh (as root) yields the following:

./install.sh
Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration...
   ERROR: Shorewall >= 4.3.5 is not installed

I can yum-install the current Fedora Shorewall, but I found it odd that the installer needs a previous version - or perhaps this is always the case with betas?

Thanks.
Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version
On Sat, 25 Feb 2012 17:18:27 -0500, jonetsu jone...@teksavvy.com wrote:

> I have a Fedora 15 system w/o any Shorewall installed. Running the
> install.sh (as root) yields the following:
>
> ./install.sh
> Perl/compiler.pl syntax OK
> Installing Redhat/Fedora-specific configuration...
>    ERROR: Shorewall >= 4.3.5 is not installed
>
> I can yum-install the current Fedora Shorewall, but I found it odd that
> the installer needs a previous version - or perhaps this is always the
> case with betas?

Hmmm. After installing both shorewall-4.4.23.3-1.fc15.noarch and shorewall-init-4.4.23.3-1.fc15.noarch and shorewall-lite-4.4.23.3-1.fc15.noarch there's still no compiler.pl in /usr/share/ for the check in install.sh to succeed. I'm tempted to remove that check in install.sh (line 300) but am not sure about the implications of doing so.
Re: [Shorewall-users] Adding iptable rules for DSCP marking
On Mon, 20 Feb 2012 13:42:56 -0800, Tom Eastep teas...@shorewall.net wrote:

> The Beta containing DSCP support will be released sometime this week;
> probably Saturday. The final release will be around the middle of March.

The way I'm going now is that I have a table of DSCP to TC marks. This table is processed when there's some tcrules configuration. Being a table, it allows for quickly having multiple tcrules marks assigned to a single DSCP egress mark. For SIP traffic, for instance, many ports can be AF31 while RTP is EF. Although I am not sure that it provides much more easiness of configuration. After all, a tcrule can filter on many ports. Having one single DSCP mark as part of a tcrule can very well achieve the same goal w/o additional table processing overhead.

Would you also think that having a DSCP-mark-to-TC-mark table is overkill?

Thanks.
Re: [Shorewall-users] Adding iptable rules for DSCP marking
On Mon, 20 Feb 2012 09:10:30 -0800, Tom Eastep teas...@shorewall.net wrote:

> If you can wait until 4.5.1 is released, you can set the DSCP field with
> entries in /etc/shorewall/tcrules.

Thanks for the suggestions! It's appreciated. When would be the release of 4.5.1?
[Shorewall-users] Adding iptable rules for DSCP marking
Hello,

I would like to DSCP-mark some traffic and have this marking set when shorewall starts. The 'started' file seems to be the place to put those extra iptables commands. Has anyone used the started file for this purpose? Any drawbacks?

Thanks for any suggestions/comments.