Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola
- Original Message - From: Nigel Aves > But following this post, when I try and change "DYNAMIC_BLACKLIST" it always > errors out. (Tried both > solutions in email)> > ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST > > or > > ERROR: Invalid value (ipset

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Nigel Aves
I was trying to implement this "ipset" solution and I keep hitting a brick wall. I'm no expert on this, so I was hoping for some guidance. I have searched and searched trying to find the solution but to no avail. In the Shorewall dump I have the following (which from some documentation seems to

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola
- Original Message - From: Tom Eastep > First, remove the ADD rules from /etc/shorewall/rules. > > You can then copy action.Drop to /etc/shorewall/ and then add this to > the copy as the last line:> > ADD(SW_DBL4:src) Unfortunately, private IP addresses from my dmz zone were also p

Re: [Shorewall-users] ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed

2016-11-30 Thread Tom Eastep
On 11/30/2016 08:13 AM, Brian J. Murrell wrote: > Hi, > > When I try to do a restore action with shorewall-lite 5.0.13.4 I > get: > > # /usr/sbin/shorewall-lite -qq restore ipset v6.24: Element cannot > be added to the set: it's already added ERROR

Re: [Shorewall-users] STARTUP_ENABLED required in shorewall-lite?

2016-11-30 Thread Tom Eastep
On 11/30/2016 08:04 AM, Brian J. Murrell wrote: > Is having to set STARTUP_ENABLED on the shorewall-lite side > intended? > It is not intended, and on my own Shorewall-lite test system (5.0.14), it does not seem to be required. - -Tom - -- Tom Ea

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Tom Eastep
On 11/30/2016 03:41 AM, Vieri Di Paola wrote: > > > - Original Message - From: Tom Eastep > >> Configure ipset-based dynamic blacklisting: >> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info then put this at >> the bottom of your rules: >

[Shorewall-users] ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed

2016-11-30 Thread Brian J. Murrell
Hi, When I try to do a restore action with shorewall-lite 5.0.13.4 I get: # /usr/sbin/shorewall-lite -qq restore ipset v6.24: Element cannot be added to the set: it's already added ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed

[Shorewall-users] STARTUP_ENABLED required in shorewall-lite?

2016-11-30 Thread Brian J. Murrell
Is having to set STARTUP_ENABLED on the shorewall-lite side intended? Seems to be a newish requirement and odd at that, on the shorewall-lite end at least. The shorewall-lite.conf doesn't even have the header and variable to set the way the shorewall.conf does. Cheers, b.

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola
- Original Message - From: Tom Eastep > Configure ipset-based dynamic blacklisting: > DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info > then put this at the bottom of your rules: > ADD(SW_DBL4,src) net $FW I seem to have a few issues with the ipset-based solution. The first is

Re: [Shorewall-users] Switch in mangle

2016-11-30 Thread Bill Shirley
Thanks Tom. Do I have to sit on anyone's knee? :-) Bill On 11/29/2016 6:37 PM, Tom Eastep wrote: > On 11/29/2016 06:56 AM, Bill Shirley wrote: >> Santa, add to my Christmas wish list: the switch test in the mangle >> table. I have two sites

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-30 Thread John Depp
Sorry for the delay. I'm pretty sure those proto 4 IPIP packets are ESP packets - I was using ping for testing and was capturing them with tshark, and they were marked ESP there. 2016-11-30 1:24 GMT+03:00 Tom Eastep : > On 11/28/2016 10:19 AM, Tom Eastep