>> Hi Tom, I'm sending this email to you directly. I greatly appreciate
>> you taking a look at my log but please don't post any of its private
>> info to the list.
>
> You need to set IP_FORWARDING=Yes in shorewall.conf.
Fixed! Th
has the original saved in a .bak file.
I just ran shorewall update and restarted shorewall but masquerade
still doesn't work. Could kernel requirements have changed?
- Grant
shorewall update
>
> does it then work?
Can I see the changes it wants to make without writing them?
- Grant
u have to update your config because it now uses the snat file
> instead of masq.
I was sure this would do it but it isn't masquerading after rebooting
the router. I used Example 1 here:
http://shorewall.net/manpages/shorewall-snat.html
- Grant
My masquerade config is simple exactly like Example 1 here:
http://shorewall.org/manpages/shorewall-masq.html
It has worked for a very long time and works on 5.0.15.6 but not on
5.1.4.4 or 5.1.5. Any ideas?
- Grant
browsing seems to work fine, you can
> access your email, etc. Then you find you can't send an email, and certain web
> sites fail (eg when sending a form or uploading a file).
This page:
http://shorewall.net/manpages/shorewall.conf.html
references CONFIG_IP_NF_TARGET_TCPMSS for CLAMPMS
. Everything seems to be working fine. Does it sound
like I've made any glaring errors?
I read that CLAMPMSS=Yes is usually required when using PPPoE. Do I
need it if things are working fine without it?
Are there any other config changes to consider when switching from
DHCP to PPPoE?
- Grant
oo. I had the DROP rule at the
bottom of my rules file after various ACCEPT rules.
I've also just implemented nginx limit_req along with fail2ban to
automate this sort of thing.
- Grant
in the nginx log. Shorewall runs on the same machine as my web
server. Could shorewall/iptables somehow see a different IP address
than the one seen and logged by nginx?
- Grant
wow - thank you Tom, changed to xis and working fine now :-[
thanks and regards,
grant pasley.
xtranet.
On 8/8/2016 3:54 PM, Tom Eastep wrote:
> On 08/08/2016 04:25 AM, Grant Pasley wrote:
>> Hi there,
>>
>> I
=31893 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall 5.0.8.2 Dump at sentinel.wavelengths.co.za - Mon Aug 8 09
in the dnat chain.
can anyone enlighten me on what i am missing perhaps? i have been going
over and over the config for days and cannot seem to find anything?
thanks,
grant.
router with pppoe and a dnat rule it works.
thanks,
grant.
On 9/8/2014 5:10 AM, Tom Eastep wrote:
On 9/7/2014 7:45 PM, Grant Pasley wrote:
good day all
i have shorewall-4.6.3.2 running on centos 2.6.32-431.23.3.el6.x86_64. i
have 2 ethernet interfaces, eth0 and eth1. eth0 is lan
. Input is in
/var/lib/shorewall/.iptables-restore-input
/usr/share/shorewall/lib.common: line 113: 5485 Terminated
$SHOREWALL_SHELL $script $options $@
shorewall starts fine if I remove the rate limit. Can anyone tell me
what is wrong? I've tried 4.5.19 as well.
- Grant
Sounds like your kernel configuration on the third system differs.
Check CONFIG_NETFILTER_XT_MATCH_LIMIT.
Bingo. Thanks Thomas.
- Grant
shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
I can see numerous errors in the output. Should these be tracked
down
and fixed if shorewall is working fine?
Can anyone offer advice with this?
- Grant
Grant, I think you will probably be more likely to get some
sure I have a lot
of stuff compiled in that I don't need.
- Grant
regenerate the
capabilities file?
- Grant
for shorewall/interfaces say Each interface may be listed only
once in this file. so how can I define both loc and net since my laptop
communicates to/from both via eth0?
- Grant
Alternatively, you can have just one zone and define any rules for on-net
traffic to include the local network IP/netmask
So I'm sure I'm configuring things correctly, could someone confirm that I
would have no loc zone if my only interface is eth0 connected to a separate
router?
- Grant
also, a better option is to either force encrypted peer connections
only, or better yet to switch ISPs. yours seems exceedingly lacking.
Thanks, I didn't realize miro had an encrypted connection option but it does.
- Grant
My ISP has warned me to stop uploading bittorrent data. I'd still
am assuming that you are using the command line client, since you do
not specify a specific client application you are using.
Regards,
-Roberto
Thank you Roberto. It sounds like miro will not be able to limit the
upload rate to zero. Is there a way to do this in shorewall?
- Grant
, not the source and destination of the
data. Is that right?
- Grant
of the product.
OK, I've replaced it with routerfilter and logmartians.
- Grant
-Tom
${VARDIR}/.restart $debugging re [ !! ]
It looks like the command executes without error, but I can't seem to
start shorewall. Could there still be a problem with wlan0, or does
'ip route ls dev wlan0' executing confirm all is well?
- Grant
-Tom
the routes through interface wlan0
My interfaces file has:
loc wlan0 detect tcpflags,detectnets,nosmurfs
Where do I need to look for my error?
- Grant
Make sure that you have 'wlan0' defined in your 'zones' file.
Are you sure? I have the following zones file and it works fine when
using madwifi (ath0) instead of ath5k (wlan0).
fw firewall
net ipv4
loc ipv4
- Grant
I'm switching my router/AP from the wireless madwifi driver
router's IP is 192.168.0.1, would I specify 192.168.0.0/24 as the ADDRESS?
- Grant
and making connections. Does anyone know why
shorewall doesn't know wlan0 is up? Shorewall started when I was
using the madwifi driver and starting the Gentoo /etc/init.d/net.wlan0
script, but hostapd needs to start wlan0 when using ath5k in master
mode.
- Grant
- 5060
1 0.0.0.0/0 0.0.0.0/0 udp 8000
1 0.0.0.0/0 0.0.0.0/0 udp - 8000
Thanks, done.
- Grant
873
- Grant
0.0.0.0/0 0.0.0.0/0 udp 993
4 0.0.0.0/0 0.0.0.0/0 tcp 873
4 $FW 0.0.0.0/0 tcp 873
- Grant
All of a sudden tonight my web browsing and ssh performance is
terrible. I'm on a cable connection and I'm wondering if it could be
due to evening bandwidth contention or ISP throttling. If so, I
suppose tcdevices numbers are out the window. Can anything be done?
- Grant
for the link. It sounds like my download pipe needs to be full
when running that test. Do you know of a good way to do that?
- Grant
matched.
Illuminating
- Grant
full*9/10 5
eth06 full*1/10 full*9/10 6 default
- Grant
or SOURCE
ports. Does anyone know how that works with SIP phones? I did an
'nmap localhost' of the system running twinkle and it has all ports
closed. Does that mean they should be DEST ports above?
- Grant
2 0.0.0.0/0 0.0.0.0/0 tcp 22
2 0.0.0.0/0 0.0.0.0/0
0.0.0.0/0 tcp 873
tcclasses:
eth01 full*5/10 full1
eth02 full*3/10 full2
eth03 full*2/10 full3
eth04 full*1/10 full4 default
Why would I want to set CEIL to any less than full?
- Grant
-tcdevices.html and I'd
like to move the inbound queue off of my cable provider, but it
doesn't say how to do that. Should I just set it to the max?
- Grant
tcp 873
3 0.0.0.0/0 0.0.0.0/0 udp 873
- Grant
. Is there a way to scan for
REJECTions so you can tell if you need to be DROPping any that you
aren't?
- Grant
$FW tcp 99
ACCEPT net:1.2.3.4 $FW udp 99
This ends up dropping all traffic to port 99 regardless of originating
IP address. Can I do what I described?
- Grant
Put the rules in the order in which you want them applied.
Fixed, thank you!
- Grant
I've been reading about DROP vs. REJECT and some are saying that DROP
causes problems without any benefit. Do you guys agree? Should DROP
normally not be used at all?
- Grant
DROP? Is it supposed to leave the
requester wondering whether or not there is a service running at that
location?
- Grant
for downloading
new packages via Portage, but it sounds like I won't be able to do
that.
Grant -- We really have no idea of what you are trying to do. Your
questions don't indicate where the clients are, relative to the firewall,
and where the servers are. So I have been answering your questions based
-m owner --uid-owner someuser -m tcp --dport http -j REJECT
- Grant
though I'm
forwarding a different port than the one the client is set to listen
on. How can that be?
- Grant
the client will somewhat work
with incoming connections blocked.
But how can it possibly do that?
- Grant
Because its primary connections are outgoing, not incoming.
-Tom
But how could anyone make a request of the machine if there are no
ports forwarded to it?
- Grant
shorewall settings. The ports have never been forwarded
properly.
- Grant
will fail is inbound connections, so other peers
cannot connect to you and that means you will most likely NOT be able
to seed once you have completed your download - tut tut.
How can I test that? I've done a whole lot of seeding and ended up
with some really high ratios.
- Grant
and then try to send
them stuff. On an active torrent, they won't take long to find
something to upload.
If that is how it works then that would explain it.
- Grant
removed
the box from the live connections and have created a mock setup with
slightly different addresses.
Thanks,
Grant
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jerry Vonau
Sent: Thursday, May 24, 2007 10:08 PM
To: Shorewall Users
Subject: Re
That solved it. Thanks a million, Jerry!
Thanks,
Grant
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jerry Vonau
Sent: Friday, May 25, 2007 7:08 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] MultiISP problems with the track option
Grant
. Any suggestions would be appreciated.
Thanks,
Grant Scheffert
Pantheon Computer Systems
507-835-2212