Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
On Thu, 19 May 2022 10:34:09 +0200
 wrote:

> And this is what it looks like when shorewall doesn't work, and as I see
> shorewall died; I started it yesterday on the terminal

Take a look at Poldi's solution (#3) in :

https://bugs.launchpad.net/ubuntu/+source/shorewall/+bug/1511869

The other comments in the bug report also have pointers.

Looks like the root of the problem is with the auto-generation of a
systemd service file.  The recommendation is that shorewall comes with
its own systemd service file.



___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
This is what it looks like on a healthy system when managed using
systemd :

% cat /usr/lib/systemd/system/shorewall.service

#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood 
#
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog
ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/bin/shorewall $OPTIONS stop
ExecReload=/usr/bin/shorewall $OPTIONS reload $RELOADOPTIONS

[Install]
WantedBy=basic.target


% systemctl status shorewall

* shorewall.service - Shorewall IPv4 firewall
     Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor>
     Active: active (exited) since Thu 2022-05-19 04:04:50 EDT; 1min 53s ago
    Process: 288 ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS (cod>
   Main PID: 288 (code=exited, status=0/SUCCESS)
        CPU: 436ms





Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 19:04:54 +0200
 wrote:

> So you are saying it is not possible to run shorewall at boot. It
> is only possible to start it from the cmd/terminal

What I am saying is: always go back to a reliable way.

You are saying the same when you say that it works fine on previous
CentOS versions.

> I have enabled shorewall to start at boot with systemctl enable
> shorewall. The problem is that sometimes it starts automatically, sometimes
> not. So I need some monitoring software which will check if shorewall
> is up and, if not, will start it.

systemd provides its own way of giving status and that includes
shorewall.

shorewall does not run all the time.  It does not need to.  The kernel
does run and that's what matters.



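The two posts above make one point that a monitoring script has to get right: shorewall.service is Type=oneshot with RemainAfterExit=yes (see the unit file quoted earlier), so "active (exited)" is its healthy state and there is no daemon to look for; what matters is whether the ruleset is loaded in the kernel. The script below is an added example, not code from the list or from the Shorewall project. It interprets the text that `systemctl show` and `iptables -S` produce, so it runs here on constructed samples; the policy-based "ruleset loaded" test is a heuristic chosen for this example, not a Shorewall rule.

```shell
#!/bin/sh
# Added example: health check for shorewall under systemd. The functions
# take command output as text so they can be exercised without systemd or
# iptables present; the --live branch at the end calls the real tools.

# Classify the output of:
#   systemctl show -p ActiveState -p SubState -p UnitFileState shorewall
# Prints one of: healthy, not-enabled, failed, not-started.
classify_unit() {
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    sub=$(printf '%s\n' "$1" | sed -n 's/^SubState=//p')
    enabled=$(printf '%s\n' "$1" | sed -n 's/^UnitFileState=//p')
    if [ "$active" = active ] && [ "$sub" = exited ]; then
        # Normal for a oneshot unit with RemainAfterExit=yes: the start
        # command finished and systemd keeps the unit marked active.
        if [ "$enabled" = enabled ]; then echo healthy; else echo not-enabled; fi
    elif [ "$active" = failed ]; then
        echo failed
    else
        echo not-started
    fi
}

# Heuristic (an assumption of this example): the firewall counts as loaded
# when 'iptables -S' shows the INPUT and FORWARD chain policies as DROP or
# REJECT rather than the kernel default ACCEPT.
ruleset_loaded() {
    printf '%s\n' "$1" | grep -Eq '^-P INPUT (DROP|REJECT)$' &&
    printf '%s\n' "$1" | grep -Eq '^-P FORWARD (DROP|REJECT)$'
}

# Constructed samples of the two command outputs.
SAMPLE_HEALTHY='ActiveState=active
SubState=exited
UnitFileState=enabled'
SAMPLE_FAILED='ActiveState=failed
SubState=failed
UnitFileState=enabled'
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'
SAMPLE_NO_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Live check (iptables needs root); exit status is non-zero when something is off.
if [ "${1:-}" = --live ]; then
    state=$(classify_unit "$(systemctl show -p ActiveState -p SubState -p UnitFileState shorewall)")
    echo "shorewall.service: $state"
    if ruleset_loaded "$(iptables -S)"; then
        echo "kernel ruleset: loaded"
    else
        echo "kernel ruleset: NOT loaded"; state=bad
    fi
    [ "$state" = healthy ]
fi
```

A monitor that only looks for a running `shorewall` process would alarm on a healthy host and stay quiet after `shorewall clear`; checking the unit state and the kernel policies separately avoids both mistakes.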


Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 18:12:08 +0200
 wrote:

> I am sure I am not the only one with this problem, but I am also
> sure other guys switched to some other firewall.

From years of using shorewall on various devices, it always starts from
the command line.

In any problem like this I immediately exclude shorewall.  Which brings
the problem to something you haven't mentioned at all : how is it
started ?

And yes, there is a status available with shorewall : shorewall
status.  You can also list iptables and grep/awk for relevant info.





[Shorewall-users] DSCP marking

2016-07-20 Thread jonetsu
Hello,

Some time ago I did a user interface for DSCP marking, taking the documentation 
from the tcrules of that time, in which it was mentioned that the DSCP mark can 
be followed by either F (forward chain) or T (postrouting - default).  The 
current mangle documentation page does not have these.

First question, why ? :)

Does it mean that these options would break current Shorewall configuration ?  
Eg.:  DSCP(AF11):F

And, would having a prerouting P option, although useless, break configuration ?

Thanks !





[Shorewall-users] L2TPv3 traffic control ?

2016-03-28 Thread jonetsu
Hello,

Is there any provision within Shorewall to provide traffic control inside 
L2TPv3 ?

Thanks.






Re: [Shorewall-users] I'll be off of the list for several days

2015-11-17 Thread jonetsu
Wish you all the best !!

-Original Message- 
> From: "Tom Eastep"  
> To: "Shorewall Users" , "Shorewall 
> Development"  
> Date: 11/17/15 11:13 
> Subject: [Shorewall-users] I'll be off of the list for several days 
> 
> I have a health issue that I will be dealing with. Hope to be back next 
> week.
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \
> 


Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu


> From: "Tom Eastep"  
> Date: 10/09/15 12:59 

> > When having a complex TC configuration for both IPv4 and IPv6,
> > setting TC_ENABLED=Internal in both Shorewall .conf files seems
> > natural.  Is this the way to proceed ?

> You want TC_ENABLED=Internal in one configuration and TC_ENABLED=Shared
> in the other. See shorewall.conf (5) and shorewall6.conf (5). You then
> create symbolic links from the configuration with the 'shared' setting
> to the tcdevices and tcclasses files in the other configuration.
> 
> Also note the warnings about the settings for CLEAR_TC in both files.


Thanks.  Instead of symlinks, would the same TC files copied in both 
directories also work ?  In other words, why would symlinks matter ?


Thanks.




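The arrangement Tom describes above (TC_ENABLED=Internal on one side, TC_ENABLED=Shared on the other, with the shared side linking to the other side's tcdevices and tcclasses) is easy to get half right, for instance by setting Internal in both files. The script below is an added example, not code from the thread or from the Shorewall project: it performs the linking and adds a consistency check on the two .conf files. Directory paths are parameters; /etc/shorewall and /etc/shorewall6 would be the usual locations, and demo() builds constructed scratch copies so it runs offline.

```shell
#!/bin/sh
# Added example: share one set of TC files between the IPv4 and IPv6
# Shorewall configurations and verify the TC_ENABLED pairing.

# setup_shared_tc OWNER SHARER: link OWNER's tcdevices/tcclasses into SHARER.
setup_shared_tc() {
    owner=$1; sharer=$2
    for f in tcdevices tcclasses; do
        [ -f "$owner/$f" ] || { echo "missing $owner/$f" >&2; return 1; }
        ln -sfn "$owner/$f" "$sharer/$f"
    done
}

# check_tc_enabled CONF1 CONF2: succeed only when exactly one side says
# Internal and the other Shared; any other pair is reported and fails.
check_tc_enabled() {
    a=$(sed -n 's/^TC_ENABLED=//p' "$1" | tr -d '"')
    b=$(sed -n 's/^TC_ENABLED=//p' "$2" | tr -d '"')
    case "$a/$b" in
        Internal/Shared|Shared/Internal) return 0 ;;
        *) echo "TC_ENABLED mismatch: $1=$a $2=$b" >&2; return 1 ;;
    esac
}

# Build constructed scratch copies of the two directories, link and check
# them; prints the scratch root on success.
demo() {
    root=$(mktemp -d)
    mkdir "$root/shorewall" "$root/shorewall6"
    printf 'TC_ENABLED=Internal\n' > "$root/shorewall/shorewall.conf"
    printf 'TC_ENABLED=Shared\n' > "$root/shorewall6/shorewall6.conf"
    printf '#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH\neth0 32mbit 32000kbit\n' \
        > "$root/shorewall/tcdevices"
    printf '#INTERFACE MARK RATE CEIL PRIORITY OPTIONS\neth0 1 full*4/5 full 1 default\n' \
        > "$root/shorewall/tcclasses"
    setup_shared_tc "$root/shorewall" "$root/shorewall6" &&
    check_tc_enabled "$root/shorewall/shorewall.conf" "$root/shorewall6/shorewall6.conf" &&
    echo "$root"
}
```

The CLEAR_TC settings Tom points to are not checked here; the check only catches the pairing error on TC_ENABLED itself.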


Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu


> From: "Tom Eastep"  
> Date: 10/09/15 12:59 

> Also note the warnings about the settings for CLEAR_TC in both files.


It works using files instead of symlinks.  I was simply wondering if Shorewall 
would take into account the nature of the symlinks themselves in its processing.


I have another question regarding Shorewall6 conf: why isn't there a Simple 
option for TC_ENABLED ?


Thanks again.






Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: jonetsu <jone...@teksavvy.com> 
> Date: 10/09/15 14:42 


> I have another question regarding Shorewall6 conf: why isn't there a Simple 
> option for TC_ENABLED ?


The above question stemmed from the online shorewall6.conf in which the Simple 
option for TC_ENABLED is not mentioned.  In the Simple Traffic Control 
documentation page, though, the option is mentioned for IPv6 under IPv4/IPv6 
combined Simple configurations.


Cheers.








[Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
Hello,


When having a complex TC configuration for both IPv4 and IPv6, setting 
TC_ENABLED=Internal in both Shorewall .conf files seems natural.  Is this the 
way to proceed ?


Thanks.






[Shorewall-users] routeback option explicitly disabled generates error

2015-08-07 Thread jonetsu

Hello,


Having an undefined zone along with disabling explicitly the routeback option 
generates an error as if the '0' value of the
routeback option (which I assume is disabling the option) is not taken into 
account:


Shorewall 4.6.4.3.


interfaces
  -    eth2        -    arp_filter=0,routeback=0,tcpflags=0,proxyarp=0


Produces:


  ERROR: The routeback option may  not be specified on a multi-zone interface


Would this be a bug ?  It looks like the parsing for the presence of the 
routeback option does not take into account the value. 


Thanks.







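The report above turns on one distinction: whether an option in the OPTIONS column is merely present, or present with a true value. The functions below are an added example written for this page, not Shorewall's parser, and show both readings of the same `routeback=0` string from the report, so the difference in outcome is visible.

```shell
#!/bin/sh
# Added example: "option present" versus "option enabled" for the
# comma-separated OPTIONS column of the interfaces file.

# interface_option OPTIONS NAME: print the value of NAME ("1" for a bare
# option, the right-hand side for name=value); status 1 if NAME is absent.
interface_option() {
    set -f; old_ifs=$IFS; IFS=','   # split on commas, no globbing
    for opt in $1; do
        case "$opt" in
            "$2")   IFS=$old_ifs; set +f; echo 1; return 0 ;;
            "$2="*) IFS=$old_ifs; set +f; echo "${opt#*=}"; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Presence test: the reading the report suggests the check is using.
routeback_present() { interface_option "$1" routeback >/dev/null; }

# Value test: routeback counts as enabled only when present and non-zero.
routeback_enabled() {
    v=$(interface_option "$1" routeback) || return 1
    [ "$v" != 0 ]
}

# Constructed OPTIONS strings; the first is the one from the report above.
OPTS_DISABLED='arp_filter=0,routeback=0,tcpflags=0,proxyarp=0'
OPTS_BARE='tcpflags,routeback,nosmurfs'
OPTS_ABSENT='tcpflags=1,proxyarp=0'
```

With the value test, `routeback=0` on a multi-zone interface is the same as leaving the option out, which is the behaviour the report expects.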


Re: [Shorewall-users] Error output has changed

2015-08-06 Thread jonetsu
Tom,

I have seen your second message about the bandwidth error missing, and the use 
of TC_INTERNAL.


This solves both this and the missing error for no default TC class !


Thanks for pointing this out !


-Original Message- 
> From: Tom Eastep teas...@shorewall.net 
> To: shorewall-users@lists.sourceforge.net 
> Date: 08/06/15 12:32 
> Subject: Re: [Shorewall-users] Error output has changed 
> 
> On 08/04/2015 12:33 PM, jonetsu wrote:
> > From: Robert K Coffman Jr. -Info From Data Corp. 
> > bcoff...@infofromdata.com 
> > Date: 08/04/15 15:18 
> > 
> > The TC files were changed - the error message on the newer version 
> > telling you how to update your files.
> > 
> > 
> > Hmmm... The 'shorewall update -t' command ... That is quite a lot.  The 
> > system relies so far on parsing the error output (lines with 'ERROR') from 
> > Shorewall's output, after creating the tc* files from user input.  Not 
> > having the ERROR lines is one thing, the other is having to convert the 
> > machine-generated tcrules file.
> > 
> > 
> > Why isn't it possible to keep the same ERROR output while moving towards 
> > the mangle files ?
> > 
> 
> I'm unable to reproduce this result.
> 
> teastep@gateway:~/test$ shorewall check .
>    ERROR: No default class defined for device eth0
> teastep@gateway:~/test$ cat tcclasses
> #INTERFACE MARK RATE  CEIL  PRIORITY OPTIONS
> $EXT_IF:110 - 5*full/10 full  1  tcp-ack,tos-minimize-delay
> $EXT_IF:120 - 2*full/10 6*full/10 2
> $EXT_IF:130 - 2*full/10 6*full/10 3
> eth2  1 10kbit 10kbit 1  tcp-ack,tos-minimize-delay,default
> eth2  3 50kbps  50kbps  2
> 
> 
> Please:
> 
> - shorewall show capabilities  /path/to/config/caps
> - tar up the configuration directory and send it to me privately.
> 
> -Tom
> 
> PS -- I'm quite sure that the addition of the mangle file has nothing to
> do with this problem
> 
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \




[Shorewall-users] mangle documentation example

2015-08-05 Thread jonetsu

Hello,


The examples shown in the mangle documentation are the same as for tcrules.


I ran:


(config files, including shorewall.conf, are stored in /tmp/shorewall/)


% cd /tmp/shorewall/
% shorewall update -t .


And from a tcrules that is:


#MARK  SOURCE     DEST       PROTO   DPORT(S)  SPORT(S) 


1      0.0.0.0/0  0.0.0.0/0  icmp    echo-request


It created a mangle file that is:


#MARK    SOURCE    DEST    PROTO    DPORT(S)  SPORT(S)


MARK(1) 0.0.0.0/0       0.0.0.0/0       icmp    echo-request




Does it mean nevertheless that according to documentation, a standard tcrules 
configuration can simply find itself in a file called 'mangle' instead of 
'tcrules' ?


If so, is there a need to run 'update -t' ?


Thanks.







[Shorewall-users] No error reported when missing default tcclass

2015-08-05 Thread jonetsu

Shorewall 4.6.4.3


Still using tcrules, so I ran 'shorewall update -t .' and it created a mangle 
file, and modified the shorewall.conf file.


The configuration is missing a default tcclass.  Shorewall 4.5.5.3 will report:


% shorewall check .


 [...]
 Checking Martian Logging...
 Checking /tmp/shorewall/tcdevices...
 Checking /tmp/shorewall/tcclasses...
   ERROR: No default class defined for device switch.0001


Version 4.6.4.3 reports nothing:


% shorewall check .


 [...]
 Checking /tmp/shorewall/mangle...
 Checking MAC Filtration -- Phase 1...
 Checking /etc/shorewall/conntrack...
 Checking MAC Filtration -- Phase 2...
 Applying Policies...
 Shorewall configuration verified


Actually, there are no messages about checking tcdevices and tcclasses.  Is 
this a bug ?


Thanks.




TC test configuration for both Shorewall versions (tcrules.bak and mangle in 
4.6.4.3 only - tcrules only for 4.5.5.3)


tcdevices


 #INTERFACE   IN-BANDWITH  OUT-BANDWIDTH
 switch.0001    32mbit    32000kbit    


tcclasses


 #INTERFACE   MARK   RATE   CEIL   PRIORITY    OPTIONS
 switch.0001    10    full*1/5     full     5    
 switch.0001    1    full*4/5     full     1    


tcrules.bak


 #MARK    SOURCE    DEST    PROTO 
 1    0.0.0.0/0    0.0.0.0/0    icmp    echo-request


mangle


 MARK(1) 0.0.0.0/0       0.0.0.0/0       icmp    echo-request









[Shorewall-users] No error reported when out bandwidth is exceeded in tcclasses

2015-08-05 Thread jonetsu

Hello,


This is basically the same as the previous post about no error output when a 
default tcclass is missing.  This time around the out bandwidth is exceeded.  
Shorewall 4.5.5.3 has a warning output:


 Checking Martian Logging...
 Checking /tmp/shorewall/tcdevices...
 Checking /tmp/shorewall/tcclasses...
   WARNING: Total RATE of classes (38400kbits) exceeds OUT-BANDWIDTH 
(32000kbits)
   /tmp/shorewall/tcclasses (line 3)
   ERROR: No default class defined for device switch.0001


While Shorewall 4.6.4.3 simply goes by without noticing anything. Once again, 
the output of Shorewall 4.6.4.3 does not contain anything that shows it was 
looking at the tcclasses and tcdevices config files.  Are these files actually 
processed ?


Thanks.


tcclasses


 switch.0001    10    full*2/5     full     5    
 switch.0001    1    full*4/5     full     1







[Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu

Hello,


I have noticed that between versions 4.5.5.3 and 4.6.4.3 the
error output concerning a missing TC default class is missing in
the latter, for the same configuration:


4.5.5.3:


Checking /tmp/shorewall/tcdevices...
Checking /tmp/shorewall/tcclasses...
   ERROR: No default class defined for device eth4


4.6.4.3


Checking Martian Logging...
Checking /tmp/shorewall/tcrules...
   WARNING: Non-empty tcrules file (/tmp/shorewall/tcrules);
   consider running 'shorewall update -t'


tcdevices:


eth4    32mbit    32000kbit    


tcclasses:


eth4    10   full*1/5     full     5    
eth4    1    full*4/5     full     1    


tcrules:


1    0.0.0.0/0    0.0.0.0/0    icmp    echo-request




Why has the error output changed and, are there other places that
were modified likewise ?


Thanks.





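The three posts above ("No error reported when missing default tcclass", "No error reported when out bandwidth is exceeded in tcclasses" and this one) describe two checks that 4.5.5.3 reports and 4.6.4.3 went silent on. The script below is an added example, not Shorewall's own code: a stand-alone version of both checks that can be run over a tcdevices/tcclasses pair before `shorewall check`, built to reproduce the exact figures the posts quote (38400kbits against an OUT-BANDWIDTH of 32000kbits). It understands only the forms that appear on the page: bandwidths as kbit/mbit/kbps/mbps, RATE as `full*N/D`, `N*full/D`, `full` or an absolute bandwidth, and the column layouts INTERFACE IN OUT (tcdevices) and INTERFACE MARK RATE CEIL PRIORITY OPTIONS (tcclasses).

```shell
#!/bin/sh
# Added example: pre-check for tcdevices/tcclasses. Prints WARNING/ERROR
# lines in the style of the posts above; exit status 1 on any ERROR.

# tc_check TCDEVICES TCCLASSES
tc_check() {
    awk '
    function tokbit(v) {                      # normalise a bandwidth to kbit/s
        if (v ~ /mbps$/) { sub(/mbps$/, "", v); return v * 8000 }
        if (v ~ /kbps$/) { sub(/kbps$/, "", v); return v * 8 }
        if (v ~ /mbit$/) { sub(/mbit$/, "", v); return v * 1000 }
        sub(/kbit$/, "", v); return v + 0
    }
    function ratekbit(r, full,   n, d, a) {   # RATE column -> kbit/s
        if (r !~ /full/) return tokbit(r)
        n = 1; d = 1
        if (match(r, /full\*[0-9]+\/[0-9]+/)) {         # full*N/D
            split(substr(r, RSTART + 5, RLENGTH - 5), a, "/"); n = a[1]; d = a[2]
        } else if (match(r, /^[0-9]+\*full\/[0-9]+/)) { # N*full/D
            split(r, a, /[*\/]/); n = a[1]; d = a[3]
        }
        return full * n / d
    }
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    NR == FNR { out[$1] = tokbit($3); next }  # first file: tcdevices
    {
        iface = $1; sub(/:.*/, "", iface)     # "eth0:110" -> "eth0"
        if (!(iface in out)) {
            print "ERROR: Device " iface " not in tcdevices"; bad = 1; next
        }
        seen[iface] = 1
        total[iface] += ratekbit($3, out[iface])
        if (("," $6 ",") ~ /,default,/) hasdef[iface] = 1
    }
    END {
        for (i in seen) {
            if (total[i] > out[i])
                printf "WARNING: Total RATE of classes (%dkbits) exceeds OUT-BANDWIDTH (%dkbits) on %s\n",
                       total[i], out[i], i
            if (!hasdef[i]) {
                print "ERROR: No default class defined for device " i; bad = 1
            }
        }
        exit bad + 0
    }' "$1" "$2"
}

# Constructed copy of the configuration from the posts above.
demo() {
    d=$(mktemp -d)
    cat > "$d/tcdevices" <<'EOF'
#INTERFACE   IN-BANDWIDTH  OUT-BANDWIDTH
switch.0001  32mbit        32000kbit
EOF
    cat > "$d/tcclasses" <<'EOF'
#INTERFACE   MARK  RATE      CEIL  PRIORITY  OPTIONS
switch.0001  10    full*2/5  full  5
switch.0001  1     full*4/5  full  1
EOF
    tc_check "$d/tcdevices" "$d/tcclasses"
}
```

On the constructed input demo() prints the same warning and error the 4.5.5.3 run in the posts shows: 2/5 plus 4/5 of 32000kbit is 38400kbit, and neither class carries the default option.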


Re: [Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu
> From: Robert K Coffman Jr. -Info From Data Corp. bcoff...@infofromdata.com 
> Date: 08/04/15 15:18 
> 
> The TC files were changed - the error message on the newer version 
> telling you how to update your files.


Hmmm... The 'shorewall update -t' command ... That is quite a lot.  The system 
relies so far on parsing the error output (lines with 'ERROR') from Shorewall's 
output, after creating the tc* files from user input.  Not having the ERROR 
lines is one thing, the other is having to convert the machine-generated 
tcrules file.


Why isn't it possible to keep the same ERROR output while moving towards the 
mangle files ?








[Shorewall-users] Reverse Path filtering: iptables and kernel ?

2015-05-26 Thread jonetsu

Hello,


  When specifying a rpfilter option for an interface, we can see after applying 
the firewall configuration that there is a rpfilter being added for that 
interface, as well as a rpfilter chain.  OTOH, no rp_filter option is set in 
/proc/sys/net/ipv4/conf/interface|all/rp_filter.


What is the difference between what seems to be two different reverse path 
filtering options.  One is being observed by iptables and the other as a kernel 
module ... ?


Thanks.







[Shorewall-users] TC: connection mark value

2015-04-09 Thread jonetsu
Hello,

  While it is possible to set the connection mark for a packet, what does the 
RESTORE command do in terms of numerical value ?  Eg. it will put into the 
packet the connection mark, but what is the connection mark in the first place 
and how can this unknown value relate to any mark defined in classes ?  I am 
surely missing something.

Thanks.






Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-29 Thread jonetsu
On Wed, 29 Feb 2012 10:33:28 -0800,
Tom Eastep teas...@shorewall.net wrote :

> So to stop an existing ping with shorewall start/restart, you need
> to flush the conntrack table ('shorewall restart -p'). That requires
> that you install the conntrack utility program (usually, the package
> is called simply 'conntrack').

It was indeed a difference of kernels.

Setting the conntrack ICMP timeout value to 1 for instance, for all
practical purposes, stops the pings just about immediately, which is
fine.  This approach would be less encompassing than having a
shorewall -p which I suspect resets much more than only the ICMP
timeout.  For instance, if an admin is logged in using ssh for setting
up a firewall, using shorewall -p would flush his connection tracking
table which could be detrimental when doing an error such as not
opening a hole for the ssh connection once the firewall is up.  Is it
possible to only flush certain tables ?  A value of 1 as the ICMP
timeout could perhaps have an effect on normal pings when the network
is slow, do you think so ?

Those were the components:

System that does not stop the pings:

shorewall: 4.5.0.1-4.5.1-Beta2
kernel: 3.0.0
iptables: 1.4.8-3
iproute: 20100519-3

System that does stop the pings:

shorewall: 4.0.15
kernel: 2.6.26
iptables: 1.3.6.0
iproute: 20061002-3

Thanks so much for your help.



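The thread above comes down to connection tracking: once a ping is tracked, a new ruleset does not interrupt it until the entry is flushed or times out, and a full `shorewall restart -p` flushes every entry, the administrator's ssh session included. The script below is an added example, not code from the thread or from Shorewall: it picks the ICMP entries out of `conntrack -L` output and derives a per-flow `conntrack -D` command for each, which is one answer to the "only flush certain tables" question that stays clear of the other entries. The line shape of `conntrack -L` (protocol, protocol number, seconds left, then the tuple fields) is assumed from conntrack-tools; the sample here is constructed from the addresses in the thread.

```shell
#!/bin/sh
# Added example: targeted removal of tracked ICMP flows instead of a full
# conntrack flush. Live use needs the conntrack utility; the parsing is
# exercised on a constructed sample of 'conntrack -L' output.

# icmp_flows TEXT: print "src dst seconds_left" for every ICMP entry.
icmp_flows() {
    printf '%s\n' "$1" | awk '$1 == "icmp" {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            # The first src=/dst= pair is the original direction; the
            # second pair (reply direction) is skipped.
            if ($i ~ /^src=/ && src == "") src = substr($i, 5)
            if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
        }
        print src, dst, $3          # $3 is the entry timeout in seconds
    }'
}

# icmp_delete_commands TEXT: one targeted delete per tracked ICMP flow.
icmp_delete_commands() {
    icmp_flows "$1" | while read -r src dst ttl; do
        printf 'conntrack -D -p icmp -s %s -d %s\n' "$src" "$dst"
    done
}

# Constructed sample: the ping from unit1 to unit2 in the thread, plus an
# unrelated ssh session to the firewall that must be left alone.
SAMPLE_CONNTRACK='icmp     1 29 src=192.168.3.2 dst=172.30.159.102 type=8 code=0 id=2121 src=172.30.159.102 dst=192.168.3.2 type=0 code=0 id=2121 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.3.2 dst=192.168.3.1 sport=52310 dport=22 src=192.168.3.1 dst=192.168.3.2 sport=22 dport=52310 [ASSURED] mark=0 use=1'

# Live use (root): icmp_delete_commands "$(conntrack -L 2>/dev/null)" | sh
```

The other knob the post mentions, the ICMP entry lifetime, is the `net.netfilter.nf_conntrack_icmp_timeout` sysctl on current kernels; lowering it affects every tracked ICMP exchange, whereas the per-flow delete above touches only the entries it names.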


Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-28 Thread jonetsu
On Sun, 26 Feb 2012 14:33:16 -0800,
Tom Eastep teas...@shorewall.net wrote :
> 
> On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
> 
> > For a same configuration in which the default policy is drop and
> > only one connection is accepted in rules, continuous pinging to
> > devices will stop squarely in 4.0.15 as soon as a very basic
> > firewall is enabled whereas in 4.4.26.1, pinging will still
> > continue after the firewall is enabled.
> > 
> > All tests are done with proper reboot of the unit3 where the
> > firewall is applied:
> > 
> > unit1  --- eth4  unit3  eth1   ---unit2
> > 192.168.3.2  192.168.3.1  172.30.159.103  172.30.159.102
> > lan zone  net zone
> > 
> > In this case, continuous pings from unit1 to unit2 will stop when
> > the 4.0.15 firewall is applied.  Rebooting unit3 with 4.4.26.1
> > (easily made since unit3 is booting from a different compact flash)
> > and copying the files from 4.0.15 to it, and executing 'shorewall
> > start' will not stop the pings from unit1 to unit2 even though the
> > policy is DROP.
> > 
> > Other traffic is effectively stopped, but not so with icmp packets.
> > 
> > I've looked at the changelog and release notes for 4.4.26.1 but did
> > not find anything about this.
> > 
> > firewall is very basic, and shorewall.conf is the same:
> > 
> > zones
> > fw  firewall
> > net ipv4
> > lan ipv4
> > 
> > interfaces
> > net eth1
> > lan eth4
> > 
> > policy
> > all all DROP
> > 
> > rules
> > (none)
> > 
> > Using the same shorewall.conf might not be appropriate so I also
> > tried with the shorewall.conf provided in the 4.4.26.1 version,
> > while keeping the same zones, interfaces and policy files.
> 
> 
> Output of 'shorewall dump' as an attachment, please.

Hmmm.. Not sure if the other one got to you, so here it is.  Sorry for
any duplicate.

Here is the dump.  It was done in the following way:

 - unit3: reboot w/o any iptable commands applied
 - start continuous pings from unit1
 - unit3: shorewall start
 - (continuous pingings still going on)
 - unit3: shorewall dump

 192.168.3.2 = unit1 = pinging unit
 172.30.159.103 = unit3 = shorewall unit
 172.30.159.102 = unit2 = pinging target

 unit eth1 -- fe-4-2 unit3 fe-3-1 -- fe-3-1 eth2

In a parallel iptables-only test it is possible to immediately stop
the pingings when iptables rules are applied by flushing the whole
thing before applying any new rules.

Thanks !




shorewall.dump.bz2
Description: application/bzip


Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sat, 25 Feb 2012 14:59:54 -0800,
Tom Eastep teas...@shorewall.net wrote :
 
> Here's a patch. The same patch should be applied to the installers of
> both Shorewall and Shorewall6.

Thanks.  Now the install proceeds a bit further (Fedora 15) :

./install.sh

Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration...
Installing Shorewall Version 4.5.1-Beta2
Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear to
be installed




Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sun, 26 Feb 2012 07:41:10 -0800,
Tom Eastep teas...@shorewall.net wrote :

> On 02/26/2012 04:38 AM, jonetsu wrote:
> > Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear
> > to be installed
> 
> You need to install Shorewall-core first. See
> http://www.shorewall.net/Install.htm.

Duh! ;-)  Sorry, that was a rather silly one.  Hopefully the next will
not be.




[Shorewall-users] Continuous pings going through a full DROP policy

2012-02-26 Thread jonetsu
For a same configuration in which the default policy is drop and only
one connection is accepted in rules, continuous pinging to devices
will stop squarely in 4.0.15 as soon as a very basic firewall is
enabled whereas in 4.4.26.1, pinging will still continue after the
firewall is enabled.

All tests are done with proper reboot of the unit3 where the firewall
is applied:

 unit1  --- eth4  unit3  eth1   ---unit2
 192.168.3.2  192.168.3.1  172.30.159.103  172.30.159.102
 lan zone  net zone

In this case, continuous pings from unit1 to unit2 will stop when the
4.0.15 firewall is applied.  Rebooting unit3 with 4.4.26.1 (easily
made since unit3 is booting from a different compact flash) and
copying the files from 4.0.15 to it, and executing 'shorewall start'
will not stop the pings from unit1 to unit2 even though the policy is
DROP.

Other traffic is effectively stopped, but not so with icmp packets.

I've looked at the changelog and release notes for 4.4.26.1 but did not
find anything about this.

firewall is very basic, and shorewall.conf is the same:

zones
fw  firewall
net ipv4
lan ipv4

interfaces
net eth1
lan eth4

policy
all all DROP

rules
(none)

Using the same shorewall.conf might not be appropriate so I also tried
with the shorewall.conf provided in the 4.4.26.1 version, while
keeping the same zones, interfaces and policy files.







[Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
HI,

  I have a Fedora 15 system w/o any Shorewall installed.  Running the
install.sh (as root) yields the following:

 ./install.sh 
 Perl/compiler.pl syntax OK
 Installing Redhat/Fedora-specific configuration...
ERROR: Shorewall = 4.3.5 is not installed

I can yum-install the current Fedora Shorewall, but I found it odd that
the installer needs a previous version - or perhaps this is always the
case with betas ?

Thanks.



Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
On Sat, 25 Feb 2012 17:18:27 -0500,
jonetsu jone...@teksavvy.com wrote :

>   I have a Fedora 15 system w/o any Shorewall installed.  Running the
> install.sh (as root) yields the following:
> 
>  ./install.sh 
>  Perl/compiler.pl syntax OK
>  Installing Redhat/Fedora-specific configuration...
> ERROR: Shorewall = 4.3.5 is not installed
> 
> I can yum-install the current Fedora Shorewall, but I found it odd
> that the installer needs a previous version - or perhaps this is
> always the case with betas ?

Hmmm.  After installing both shorewall-4.4.23.3-1.fc15.noarch and
shorewall-init-4.4.23.3-1.fc15.noarch and
shorewall-lite-4.4.23.3-1.fc15.noarch there's still no compiler.pl
in /usr/share/ for the check in install.sh to succeed.  I'm tempted to
remove that check in install.sh (line 300) but am not sure about the
implications of doing so.



Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-21 Thread jonetsu
On Mon, 20 Feb 2012 13:42:56 -0800,
Tom Eastep teas...@shorewall.net wrote :

> The Beta containing DSCP support will be released sometime this week;
> probably Saturday. The final release will be around the middle of
> March.

The way I'm going now is that I have a table of DSCP to TC marks.  This
table is processed when there's some tcrules configuration.  Being a
table, it allows for quickly having multiple tcrules marks assigned to a
single DSCP egress mark.  For SIP traffic, for instance, many ports can
be AF31 while RTP is EF.  

Although I am not sure that it provides much more ease of
configuration.  After all, a tcrule can filter on many ports.  Having
one single DSCP mark as part of a tcrule can very well achieve the same
goal w/o additional table processing overhead.  Would you also think
that having a DSCP-mark-to-TC-mark table is overkill ?

Thanks.



Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-20 Thread jonetsu
On Mon, 20 Feb 2012 09:10:30 -0800,
Tom Eastep teas...@shorewall.net wrote :

> If you can wait until 4.5.1 is released, you can set the DSCP field
> with entries in /etc/shorewall/tcrules.

Thanks for the suggestions !  It's appreciated.  

When would be the release of 4.5.1 ?
 



[Shorewall-users] Adding iptable rules for DSCP marking

2012-02-19 Thread jonetsu
Hello,

I would like to DSCP-mark some traffic and have this marking set when
shorewall starts.  The 'started' file seems to be the place to put
those extra iptables commands.  Has anyone used the started file for
this purpose ?  Any drawbacks ?

Thanks for any suggestions/comments.


