Re: [Shorewall-users] Tc rules Help with multiISP + squid & squidguard...

2006-10-13 Thread Tom Eastep
Joffrey FLEURICE wrote: > > DMZ eth2 detect dhcp > Local eth1 detect dhcp,routeback > Net eth0 detect > Net ppp0 - dhcp > Maint tun0 detect > Lo lo > Defining a zone for the 'lo' device is silly and unnecessary; it shouldn't hurt anything but it won't do a

Re: [Shorewall-users] Traffic Control - Unable to determine if working

2006-10-13 Thread Tom Eastep
Tom Eastep wrote: > David Rea wrote: > >> 1) Restart shorewall, clearing all packet counters. > > 'shorewall reset' does that a lot faster. Ah -- but it doesn't reset the tc class counters. Only the Netfilter counters. -Tom -- Tom Eastep\ Nothing is foolproof to a sufficiently talented foo

Re: [Shorewall-users] Traffic Control - Unable to determine if working

2006-10-13 Thread Tom Eastep
David Rea wrote: > > 1) Restart shorewall, clearing all packet counters. 'shorewall reset' does that a lot faster. > 2) Run `shorewall dump` to verify packet counters for each class are zero. 'shorewall show tc' produces much less output (and shows all of the classes). 'Shorewall show mangle'

Re: [Shorewall-users] Tc rules Help with multiISP+ squid& squidguard...

2006-10-13 Thread Tom Eastep
Joffrey FLEURICE wrote: >> If you >> >> a) Have the correct REDIRECT rule (which you do); and >> b) Are accepting $FW->Net HTTP traffic (which you are -- at least with > your >> policy); and >> c) DNS works from your firewall (I assume it does since you are wide > open >from $FW->Net); then > >> T

Re: [Shorewall-users] Traffic Control - Unable to determine if working

2006-10-13 Thread David Rea
On Fri, 2006-10-13 at 07:49 -0700, Tom Eastep wrote: > The VOIP traffic seems to be originating on your firewall and you are not > marking traffic from fw->net. My problem was indeed that the packets were not being correctly marked. By creating the following rules, I cover all my network's IAX voi

Re: [Shorewall-users] Tc rules Help with multiISP+ squid& squidguard...

2006-10-13 Thread Tom Eastep
Tom Eastep wrote: > Joffrey FLEURICE wrote: >>> If you >>> >>> a) Have the correct REDIRECT rule (which you do); and >>> b) Are accepting $FW->Net HTTP traffic (which you are -- at least with >> your >>> policy); and >>> c) DNS works from your firewall (I assume it does since you are wide >> open >

Re: [Shorewall-users] Tc rules Help with multiISP+ squid& squidguard...

2006-10-13 Thread Tom Eastep
Joffrey FLEURICE wrote: >> If you >> >> a) Have the correct REDIRECT rule (which you do); and >> b) Are accepting $FW->Net HTTP traffic (which you are -- at least with > your >> policy); and >> c) DNS works from your firewall (I assume it does since you are wide > open >from $FW->Net); then > >> T

Re: [Shorewall-users] Tc rules Help with multiISP+ squid& squidguard...

2006-10-13 Thread Joffrey FLEURICE
>If you > >a) Have the correct REDIRECT rule (which you do); and >b) Are accepting $FW->Net HTTP traffic (which you are -- at least with your >policy); and >c) DNS works from your firewall (I assume it does since you are wide open >from $FW->Net); then >The problem is in your Squid configuration (

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Tom Eastep
Brian J. Murrell wrote: > On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote: >> One change -- the user exit will be called maclog rather than maclist (since >> that file name is already taken). > > Great. Can you point me at the commit when you make it? Or just point > me at your browse_cvs an

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Brian J. Murrell
On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote: > One change -- the user exit will be called maclog rather than maclist (since > that file name is already taken). Great. Can you point me at the commit when you make it? Or just point me at your browse_cvs and I can watch for it. Thanx! b.

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Tom Eastep
Brian J. Murrell wrote: > On Thu, 2006-12-10 at 15:52 -0700, Tom Eastep wrote: >> How about if I add a 'maclist' extension script? It would be invoked just >> before >> logging. That way, you can place your 'run_iptables -A' command in that >> script >> and they will be inserted at the proper pla

Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...

2006-10-13 Thread Tom Eastep
Joffrey FLEURICE wrote: > In policy > > $FW Net ACCEPT Then what is the point of all of the $FW->Net ACCEPT rules If you a) Have the correct REDIRECT rule (which you do); and b) Are accepting $FW->Net HTTP traffic (which you are -- at least with your policy); and c) DNS works from you

Re: [Shorewall-users] Traffic Control - Unable to determine if working

2006-10-13 Thread Tom Eastep
David Rea wrote: > > My question is not as much "how do I fix it?" as "how do I diagnose the > problem?" I have set outgoing voip packets to be logged at the 'info' > level, but this does not appear to include the packet or connection > marks, so I can't verify that my voip traffic is being marke

[Shorewall-users] Bandwidth limiting/shaping

2006-10-13 Thread Ismael Milach da Silveira
Hey guys, Want some help here... I'm trying to use shorewall to limit the traffic on my network eth0 is the lan interface (192.168.100.254) ### neve:/etc/shorewall# uname -r 2.6.8 tried also w/ kernel 2.6.12, w/ qos/htb support, with no luck.

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Brian J. Murrell
On Thu, 2006-12-10 at 15:52 -0700, Tom Eastep wrote: > How about if I add a 'maclist' extension script? It would be invoked just > before > logging. That way, you can place your 'run_iptables -A' command in that script > and they will be inserted at the proper place in the chain. Sounds decent.

Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...

2006-10-13 Thread Joffrey FLEURICE
In policy $FW Net ACCEPT Dump.rar join THX -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep Sent: Thursday, 12 October 2006 21:22 To: Shorewall Users Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard... Jo

Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...

2006-10-13 Thread Joffrey FLEURICE
In policy : -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep Sent: Thursday, 12 October 2006 21:22 To: Shorewall Users Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard... Joffrey FLEURICE wrote: > > > All works,