On 2016-06-14 14:04, Sascha Toelkes wrote:
> Have you considered signing the new key with your old personal key?
> That could make it easier to verify.
+1
BTW: Sourceforge is altering every message. So maybe it is better to
use Inline PGP instead
Hi,
Nicola Ferrari (#554252) wrote:
> Asking "shorewall check" I get:
> Checking /etc/shorewall/hosts...
> ERROR: Dynamic nets require Ipset Match in your kernel and iptables
> /etc/shorewall/hosts (line 12)
Please run `shorewall show capabilities`
If it says
> ipset V5 (IPSET_V5): Not
Hi,
got the following bug report on Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=578076
Copying from https://bugs.gentoo.org/show_bug.cgi?id=578076#c2:
> Seems like I am the lucky one, in the meantime I was able to track
> down the problem to an inline matching issue. This box has an older
Hi,
Tom Eastep wrote:
> The PAGER isn't compiled into the generated script; the script doesn't
> produce output requiring a pager. So it is strictly within the CLI that
> PAGER is used.
Mh, OK. I only noticed that when I set "PAGER=foo" in shorewall[6].conf
I'll get an error regarding PAGER on
Hi,
I like the new PAGER support added in v5.0.6.
However, as package maintainer, I am asking myself if I should set this
to something per default or leave it up to the user.
For example on Gentoo we have `eselect pager` which will set an
environment variable "$PAGER".
Debian/Ubuntu has
Hi,
thanks for the release.
The website says 5.0.3 is current. I guess the webpage is wrong or is
shorewall-5.0.2 already superseded?
-Thomas
Hi,
while testing shorewall-5.0.1 with linux-4.2.3 I was hit by
> nf_conntrack: table full, dropping packet
after calling `shorewall6 update -A` (which failed on my system because
shorewall6 is not properly configured):
> # shorewall6 update -A
> Updating Shorewall6 configuration to 5.0.1...
>
Hi,
if you cannot do that using gateway/router search for IP policy routing.
With the RPDB (ip rule add ...) you should be able to handle that.
Normally you would set up something like this where you configure your
network. But you can also add these commands to shorewall's start file
so that
Hi,
On 2014-12-13 18:34, Giuseppe Vitillaro wrote:
As a gentoo user I hope the patch will get
in the mainstream as soon as possible.
I know it is not your job, but just as an advice:
better to open a bug in the shorewall gentoo
bugzilla asking for attention or this patch will
Hi,
On 2014-10-18 23:52, Tom Eastep wrote:
This is not fixed. Now I'll get the following error:
/var/lib/shorewall/.start: line 2075: echo: write error: No such file or
directory
WARNING: Unable to set log backend to ipt_LOG
The only change between 4.6.4.1 and 4.6.4.2:
Now the error
Hi,
I found the problem with my modified loadmodule function in lib.common:
https://bpaste.net/show/53a60c6f043c
Now my start output:
Initializing...
lm: ip_conntrack_amanda
failed,
/lib/modules/3.16.6-gentoo/kernel/net/ipv4/netfilter/ip_conntrack_amanda.ko
failed,
Hi,
On 2014-10-19 18:07, Tom Eastep wrote:
Shorewall 4.6.4.3 corrects the problem on these remaining systems.
Confirmed, thank you Tom!
-Thomas
Hi Tom,
Tom Eastep wrote:
Shorewall 4.6.4.2 is now available for download.
Problems corrected since 4.6.4.1:
1) Setting LOGBACKEND=ipt_LOG could result in the following startup
failure at boot:
Starting shorewall ...
/var/lib/shorewall/firewall: line 2080: echo:
Hi Tom,
you wrote:
Did you just re-release 4.6.4 or issued 4.6.4.1?
I simply pushed a patch to the 4.6.4 branch.
Yup, was looking at master, my fault.
I can confirm that 4.6.4.1 fixes the problem. Thanks!
There's another defect:
commit 815e93e80c3b11d584be08c02c3343af09674412
Author:
Hi Tom,
like reported yesterday to shorewall-devel [1], upgrading from previous
versions to shorewall-4.6.4 requires *two* restarts. That's not a good
experience:
# shorewall status
Shorewall-4.6.4 Status at gentoo-x64 - Fri Oct 10 23:30:16 CEST 2014
Shorewall is running
State:Started (Fri
Hi,
On 2014-10-11 01:02, Tom Eastep wrote:
Patch has been pushed
I don't see the patch yet. Maybe it will take some hours..
Did you just re-release 4.6.4 or issued 4.6.4.1?
There's another defect:
commit 815e93e80c3b11d584be08c02c3343af09674412
Author: Tom Eastep teas...@shorewall.net
Hi,
Tom Eastep wrote:
On 9/24/2014 11:55 AM, Hristo Benev wrote:
It is missing from FTP :)
ftp://ftp.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4-beta1/
As it should be. This is a *Beta* -- it goes in the
pub/shorewall/developement/4.6 directory.
Tom, I think you misunderstood Hristo.
Hi,
this was changed in the not yet released v4.6.4 version. That's maybe the
reason why your distribution is shipping a different service file.
Here's the commit:
http://sourceforge.net/p/shorewall/code/ci/a03f00bf0f326aefb86973d15f3484183fd6fa8b/
Does the commit message answer all your
Hi,
Tom Eastep wrote:
Works fine here, but the Shorewall documentation is out of date. Rather
than logging to kern.warning, the TRACE records are now logged to ulogd:
[...]
I'll update the documentation.
This is configurable. To see the current active logger,
# sysctl
Hi Tom,
You wrote:
Our convention is that when a new version is released, the prior release
is moved into the 'superseded' directory.
That's a real problem for us.
I am suggesting the following change:
1)
http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/superseded/
should become
Hi Tom,
is there a reason why you pulled the previous version (4.6.3.2)
immediately after you announced 4.6.3.3?
I am asking because the Gentoo ebuilds for example are referencing the
shorewall.net mirror as authoritative source. So when you pull the old
version but we haven't yet updated the
Hi,
PGNd wrote:
I've set up central management of several hundred firewalls.
I am really wondering how you can manage several hundred systems without a
configuration management tool.
If you are already using a configuration management tool (salt, ansible,
puppet, chef) why don't you use it for
Now I understand.
Thank you Tom for the explanation!
-Thomas
Hi Tom,
thank you for your reply. What I still don't understand:
shorewall6 reports
Compiling /etc/shorewall6/blrules...
ERROR: ipset names in Shorewall configuration files require Ipset Match in
your kernel and iptables /etc/shorewall6/blrules (line 12)
when running kernel 3.14.13.
Hi,
I tested the new patch (IPSET6a.patch) successful with shorewall and
shorewall6 against linux kernel 3.10.49, 3.14.13 and 3.15.6.
No problems, no deprecated messages. Everything works!
Thank you Tom.
-Thomas
--
Hi,
Tom Eastep wrote:
Thought that only one box was affected but now I noticed that shorewall6
on all the other boxes running kernel =3.14 won't compile anymore with
the same error.
I didn't notice that before, because shorewall was current on these
systems so there was no need to call the
On 2014-07-19 18:28, Thomas D. wrote:
If you are still unable to reproduce, I will try to reproduce it with a
stock Debian Jessie kernel.
I was able to reproduce it on a stock Debian Jessie with
# uname -a
Linux vm-jessie-x64 3.14-1-amd64 #1 SMP Debian 3.14.12-1 (2014-07-11) x86_64
GNU
Hi,
Tom Eastep wrote:
Yes -- I have reproduced it.
And I have come up with a *much* simpler patch.
Good job!
I have verified that IPSET6b.patch is still working with linux kernel
3.10.49, 3.4.13 and 3.15.6!
But I don't understand the patch. For me it looks like you only switched
the
qt(
Hi,
strange problem:
All I did was upgrading a box from linux-3.10.49 to linux-3.14.13 kernel.
But with 3.14.13, shorewall6 doesn't start:
# shorewall6 safe-restart
Compiling...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Hi,
Tom Eastep wrote:
Shorewall 4.5.21.3 is now available for download.
Wrong version number (guess it should be 4.5.21.11) or did you really
re-release v4.5.21.3 from 2013?
-Thomas
Hi,
Tom Eastep wrote:
Problems corrected since 4.5.21.3:
1) The Broadcast actions have been corrected:
o --dst-type BROADCAST has been removed from the IPv6 version
BTW: I still see
Nov 25 18:14:20 fw2 kernel: [263893.233375] xt_addrtype: ipv6 does
not support BROADCAST matching
Hi,
Brian J. Murrell wrote:
So, just to make sure I have this right, disregard all of the previously
discussed solution WRT to actions, etc. and simply add to the shorewall
blacklist file:
+fail2ban
+fail2ban_perm
and then create the two ipsets with:
ipset -N fail2ban_perm iphash
Hi,
Brian J. Murrell wrote:
Have a look at the deprecated BLACKLISTNEWONLY
I'm already using this with =No.
or the new BLACKLIST option:
http://www.shorewall.net/manpages/shorewall.conf.html
Probably not available in the 4.4.26.1 that I'm using on Ubuntu LTS.
Yeah:
Added in
Hi Tom,
Tom Eastep wrote:
The Shorewall team is pleased to announce the availability of Shorewall
4.5.21.
[...]
Did you miss my mail in shorewall-devel [1] or was it too late for 4.5.21?
See also:
=
[1]
http://thread.gmane.org/gmane.comp.security.shorewall.devel/3970/focus=3973
Hi,
matt darfeuille wrote:
Thus it would be nice if during start shorewall
could check if the directory subsys is present in /var/lock/, if not
create the directory subsys!
Are you using an official Debian package?
This gets complicated. On Gentoo we faced the same problem (google for
Hi,
# uname -a
Linux hk2server 3.4.0-cloud #1 SMP Thu May 24 05:12:36 EDT 2012 i686
GNU/Linux
Seems like you are running a custom kernel.
Have you verified that your kernel has support for the LOG target at all?
Check for CONFIG_NETFILTER_XT_TARGET_LOG.
-Thomas
Hi,
Steve Wray wrote:
I don't have access to the config file the kernel was built with. How
would I otherwise find out?
Well, modprobe/modinfo xt_LOG should also give you a hint.
I find these kernel modules with 'log' in their names and there doesn't
seem to be a match.
I agree,
#
Hi,
good question.
First, I am not sure if I experience the same problem:
On my Gentoo test systems with shorewall-4.5.19 and shorewall-4.5.20
(not yet in tree), both require iptables-1.4.20, I don't see a problem
on boot with shorewall-init (not yet in tree, too) nor shorewall itself
(the test
Hi,
Grant wrote:
I'm using the following rule on 3 different systems running
shorewall-4.5.18 on Gentoo:
ACCEPT all all icmp - - - 10/sec:20
shorewall starts fine on 2 of the systems but on the 3rd it fails to
start with the following error:
[...]
shorewall starts fine if I remove
Hi,
On 8/17/2013 5:55 PM, Benny Pedersen wrote:
Tom Eastep skrev den 2013-08-18 00:13:
Shorewall 4.5.20 RC 1 is now available for testing.
in 4.5.18 there is a reference to /var/lock/subsys which does not exist
by default on gentoo, I just created these dirs and it runs as intended
How