[Shorewall-users] Strange error with Centos 7
I installed the minimal version of CentOS 7, ran a yum upgrade and then yum install shorewall. When I test my configuration with shorewall check (I only set zones, interfaces and policy), I always get:

nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded

What can I do to avoid this problem?

Thanks a lot
Paolo

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
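A check worth running before chasing that message, added here as an example and not taken from the thread or from Shorewall itself: ipt_ULOG (the legacy ULOG target) and nfnetlink_log (the NFLOG target) both register as the IPv4 packet logger, so the kernel refuses to load whichever comes second and prints exactly that line. Whether it matters depends on whether anything under /etc/shorewall still asks for ULOG. The script below scans a configuration directory for uncommented ULOG log levels and classifies which logger module is loaded; the /proc/modules excerpt and the config files it builds in demo() are constructed for the demonstration.

```python
"""Added example: is the ipt_ULOG / nfnetlink_log conflict relevant to this
Shorewall configuration?  Not Shorewall code; sample inputs are constructed."""

import os
import re
import tempfile
from typing import List, Tuple

# Matches a ULOG log level such as 'ULOG', 'DROP:ULOG' or 'ULOG(1)'; NFLOG does not match
ULOG_RE = re.compile(r"\bULOG\b")


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment so commented-out ULOG mentions are ignored."""
    return line.split("#", 1)[0]


def find_ulog_refs(conf_dir: str) -> List[Tuple[str, int, str]]:
    """Return (file name, line number, line text) for every live ULOG reference."""
    hits = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for num, raw in enumerate(fh, start=1):
                if ULOG_RE.search(strip_comment(raw)):
                    hits.append((name, num, raw.rstrip("\n")))
    return hits


def logger_state(proc_modules_text: str) -> str:
    """Classify the loaded netfilter loggers from the text of /proc/modules."""
    loaded = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    has_ulog, has_nflog = "ipt_ULOG" in loaded, "nfnetlink_log" in loaded
    if has_ulog and has_nflog:
        return "both"
    if has_ulog:
        return "ulog"
    if has_nflog:
        return "nflog"
    return "none"


def live_logger_state() -> str:
    """Read the real /proc/modules when running on Linux."""
    try:
        with open("/proc/modules") as fh:
            return logger_state(fh.read())
    except OSError:
        return "unknown"


def demo() -> Tuple[str, List[Tuple[str, int, str]]]:
    """Run the checks against a constructed module list and config directory."""
    modules = ("nfnetlink_log 16384 0 - Live 0x0000000000000000\n"
               "xt_NFLOG 16384 2 - Live 0x0000000000000000\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shorewall.conf"), "w") as fh:
            fh.write("LOG_LEVEL=info\n# ULOG mentioned only in a comment\n")
        with open(os.path.join(d, "policy"), "w") as fh:
            fh.write("#SOURCE DEST POLICY LEVEL\nnet all DROP ULOG\nall all REJECT info\n")
        with open(os.path.join(d, "rules"), "w") as fh:
            fh.write("DROP:NFLOG(1) net $FW tcp 23\n")
        return logger_state(modules), find_ulog_refs(d)


if __name__ == "__main__":
    print("live logger:", live_logger_state())
    state, refs = demo()
    print("demo logger:", state)
    for name, num, text in refs:
        print(f"{name}:{num}: {text}")
```

Run it against the real directory with find_ulog_refs("/etc/shorewall"). My reading of the symptom: if the scan finds nothing, the message is a side effect of Shorewall probing for the ULOG target while detecting capabilities and can be ignored; if it does find ULOG levels, moving them to NFLOG is the safer long-term choice, since ipt_ULOG was dropped from later kernels while nfnetlink_log stayed.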
[Shorewall-users] problem with blrules
I want to let DNS queries and responses pass through the blrules restrictions, so I wrote in blrules:

ACCEPT net $FW udp 53
ACCEPT net $FW tcp 53
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53
DROP net:+Blacklist all
DROP net:+Blacklist loc
DROP net:+Blacklist $FW
DROP $FW net:+Blacklist
DROP loc net:+Blacklist
DROP all net:+Blacklist

but it seems they are blocked anyway; I get:

Error sending reply with sendto (socket=5): Operation not permitted

Thanks for any help
Paolo
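A first-match walk through the rules posted above, added here as example code written for this page rather than anything from Shorewall: it models the DNS query from a blacklisted Internet host and the firewall's reply, and applies the rules top to bottom the way the generated chain does. The column layout assumed is ACTION SOURCE DEST PROTO DPORT SPORT with "-" meaning "any"; the two packets, the extra rule `ACCEPT $FW net udp - 53`, and the assumption that blrules are checked against the reply as well as the initial packet (which is what an EPERM on the reply suggests) are all mine, not from the thread.

```python
"""Added example: first-match evaluation of the blrules lines from the post.
Rule semantics and packets are modelled here, not taken from Shorewall."""

from dataclasses import dataclass
from typing import Optional

POSTED_BLRULES = """
ACCEPT net $FW udp 53
ACCEPT net $FW tcp 53
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53
DROP net:+Blacklist all
DROP net:+Blacklist loc
DROP net:+Blacklist $FW
DROP $FW net:+Blacklist
DROP loc net:+Blacklist
DROP all net:+Blacklist
"""

# Same rules plus one line that matches DNS *replies* leaving the firewall:
# DPORT '-' (any), SPORT 53.  Hypothetical fix, not from the thread.
REPLY_AWARE_BLRULES = POSTED_BLRULES.replace(
    "ACCEPT $FW net udp 53\n",
    "ACCEPT $FW net udp 53\nACCEPT $FW net udp - 53\n",
)


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    sport: int
    src_blacklisted: bool = False   # source address is in the Blacklist ipset
    dst_blacklisted: bool = False   # destination address is in the Blacklist ipset


def _zone_matches(spec: str, zone: str, blacklisted: bool) -> bool:
    """Match a SOURCE/DEST entry ('net', '$FW', 'all', 'net:+Blacklist') against one end."""
    zone_part, _, qualifier = spec.partition(":")
    if zone_part not in ("all", zone):
        return False
    if qualifier == "":
        return True
    if qualifier == "+Blacklist":
        return blacklisted
    raise ValueError(f"unsupported qualifier {qualifier!r}")


def _port_matches(spec: Optional[str], port: int) -> bool:
    return spec in (None, "-") or int(spec) == port


def evaluate(rules_text: str, pkt: Packet) -> str:
    """ACTION of the first matching rule, or 'NO MATCH' (later sections and policy decide)."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        action, src, dst = cols[0], cols[1], cols[2]
        proto = cols[3] if len(cols) > 3 else "-"
        dport = cols[4] if len(cols) > 4 else None
        sport = cols[5] if len(cols) > 5 else None
        if not _zone_matches(src, pkt.src_zone, pkt.src_blacklisted):
            continue
        if not _zone_matches(dst, pkt.dst_zone, pkt.dst_blacklisted):
            continue
        if proto not in ("-", "all", pkt.proto):
            continue
        if not (_port_matches(dport, pkt.dport) and _port_matches(sport, pkt.sport)):
            continue
        return action
    return "NO MATCH"


# Constructed traffic: a blacklisted Internet host queries the firewall's resolver
QUERY = Packet("net", "$FW", "udp", dport=53, sport=40123, src_blacklisted=True)
REPLY = Packet("$FW", "net", "udp", dport=40123, sport=53, dst_blacklisted=True)


def verdicts(rules_text: str) -> dict:
    return {"query": evaluate(rules_text, QUERY), "reply": evaluate(rules_text, REPLY)}


if __name__ == "__main__":
    print("posted rules :", verdicts(POSTED_BLRULES))
    print("with SPORT 53:", verdicts(REPLY_AWARE_BLRULES))
```

The posted rules accept the query (destination port 53), but the reply leaves $FW with source port 53 and an ephemeral destination port, so none of the ACCEPT lines match it and `DROP $FW net:+Blacklist` takes it. A DROP applied to a locally generated packet is reported to the sending process as sendto: Operation not permitted, which is the error shown. The extra line uses the SPORT column to describe the reply explicitly; the same consideration applies to the tcp lines.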
Re: [Shorewall-users] Problem with clampmss
Wow, putting mss=1358 directly in the OPTIONS column did the trick!
Thanks a lot
Paolo

On 29/03/2016 17:43, Tom Eastep wrote:
> On 03/29/2016 08:38 AM, Paolo Prandini wrote:
>> The zones file is:
>>
>> fw     firewall
>> net    ipv4
>> loc    ipv4
>> vpn0   ipv4   -   mss=1358
>> vpn1   ipv4   -   mss=1358
>> ovpn   ipv4
>> ovpns  ipv4
>> wlan   ipv4
>> siss   ipv4
>> dmz    ipv4
>>
>> Do you think I should change it?
>
> You can certainly try putting the mss options in the OPTIONS column. But
> given your zones file, Shorewall is definitely generating the correct rules.
>
> -Tom
Re: [Shorewall-users] Problem with clampmss
The zones file is:

fw     firewall
net    ipv4
loc    ipv4
vpn0   ipv4   -   mss=1358
vpn1   ipv4   -   mss=1358
ovpn   ipv4
ovpns  ipv4
wlan   ipv4
siss   ipv4
dmz    ipv4

Do you think I should change it?
Thanks
Paolo

On 29/03/2016 17:32, Tom Eastep wrote:
> On 03/29/2016 08:13 AM, Tom Eastep wrote:
>> On 03/28/2016 12:01 PM, Paolo Prandini wrote:
>>> I am enclosing it.
>>> It seems the same as the old version, but it is not working...
>>
>> The rules look correct, assuming that you have placed the mss=
>> specification in the IN_OPTIONS column in /etc/shorewall/zones.
>
> Make that OUT_OPTIONS...
>
> All of the TCPMSS rules have vpn zones as their source.
>
> -Tom
Re: [Shorewall-users] Block icmp redirect
It is working now. Thanks a lot!
Paolo

On 28/03/2016 20:27, Tom Eastep wrote:
> On 03/28/2016 09:55 AM, Paolo Prandini wrote:
>> Sorry, my question was not clear enough.
>> I know about the settings for sending and accepting redirects.
>> Currently I am neither accepting nor sending them.
>> The question is: can I filter the source for redirects using shorewall,
>> or are those packets captured by the kernel BEFORE getting to shorewall?
>> I would like to filter the source address of IP redirects and have the
>> kernel accept only those coming from the routers I want.
>
> To filter redirects, you must place rules in the RELATED section of the
> rules file. If your RELATED_DEFAULT setting is ACCEPT (the default),
> then you must place DROP rules in that section for redirects that you
> want to reject.
>
> -Tom
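The RELATED-section rules described in the reply above, written out as an added example for this page (not a fragment from the thread or from the Shorewall distribution): a piece of /etc/shorewall/rules that accepts ICMP redirects (type 5) from a single router and drops, with logging, every other redirect addressed to the firewall. The router address 192.0.2.1 is a placeholder; the fragment assumes a rules file that uses ?SECTION directives and the default RELATED_DEFAULT=ACCEPT, so only the DROP has to be spelled out.

```text
#ACTION      SOURCE           DEST     PROTO   DPORT
?SECTION RELATED
# ICMP type 5 = redirect. 192.0.2.1 stands for the one router whose
# redirects are to be honoured (placeholder address).
ACCEPT       net:192.0.2.1    $FW      icmp    5
# Any other redirect aimed at the firewall itself: drop it and log at info
DROP:info    net              $FW      icmp    5
?SECTION NEW
```

Netfilter's INPUT hook runs before the kernel's ICMP handler ever looks at a redirect, so rules in this section do get first say; that answers the "captured by the kernel BEFORE getting to shorewall" worry. Keep the accept_redirects=0 setting from /etc/shorewall/init as well: it protects the routing cache even if the rule set is reloaded with a mistake, and costs nothing. After shorewall check, confirm the two icmp lines landed in the net-to-firewall chain with shorewall dump.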
Re: [Shorewall-users] Problem with clampmss
I am enclosing it.
It seems the same as the old version, but it is not working...
Thanks

On 28/03/2016 20:24, Tom Eastep wrote:
> On 03/28/2016 10:25 AM, Paolo Prandini wrote:
>> Sorry everybody, I ask for your precious advice again.
>> I am switching from shorewall 4.5.6 and kernel 2.6.18 to shorewall 5.0.6
>> and kernel 2.6.32-573.
>> I used mss=1538 in the in options in the zones file and CLAMPMSS=yes to
>> handle an IPSEC connection. But with the new setup the same settings
>> don't do anything anymore! I checked it with wireshark: the settings in
>> SYN get through untouched, while previously the MSS got changed to 1538.
>> The same connection with the old environment works correctly.
>> I would like to add that I am using klips.
>> What can I do?
>
> Please forward the output of 'shorewall dump'.
>
> Thanks,
> -Tom

Attachment: a.tgz (application/compressed)
[Shorewall-users] Problem with clampmss
Sorry everybody, I ask for your precious advice again.
I am switching from shorewall 4.5.6 and kernel 2.6.18 to shorewall 5.0.6 and kernel 2.6.32-573.
I used mss=1538 in the in options in the zones file and CLAMPMSS=yes to handle an IPSEC connection. But with the new setup the same settings don't do anything anymore! I checked it with wireshark: the settings in SYN get through untouched, while previously the MSS got changed to 1538.
The same connection with the old environment works correctly.
I would like to add that I am using klips.
What can I do?
Thanks
Paolo
Re: [Shorewall-users] Block icmp redirect
Sorry, my question was not clear enough.
I know about the settings for sending and accepting redirects.
Currently I am neither accepting nor sending them.
The question is: can I filter the source for redirects using shorewall, or are those packets captured by the kernel BEFORE getting to shorewall?
I would like to filter the source address of IP redirects and have the kernel accept only those coming from the routers I want.
Thanks
Paolo

On 28/03/2016 17:26, Tom Eastep wrote:
> On 03/28/2016 02:19 AM, Paolo Prandini wrote:
>> Hi, I allowed on my interface only:
>>
>> Ping(ACCEPT) net all
>>
>> but I get ICMP redirects anyway.
>> How can I block ICMP redirects?
>> Or maybe there is a shorewall.conf option?
>> Thanks a lot
>
> To prevent an interface from sending redirects, place this in
> /etc/shorewall/init:
>
> echo 0 > /proc/sys/net/ipv4/conf//send_redirects
>
> To prevent an interface from accepting redirects, place this in
> /etc/shorewall/init:
>
> echo 0 > /proc/sys/net/ipv4/conf//accept_redirects
>
> -Tom
[Shorewall-users] Block icmp redirect
Hi, I allowed on my interface only:

Ping(ACCEPT) net all

but I get ICMP redirects anyway.
How can I block ICMP redirects?
Or maybe there is a shorewall.conf option?
Thanks a lot
Paolo
Re: [Shorewall-users] How to limit bandwidth hog
I am of course interested in controlling both. I know inbound traffic can be a problem, but I remember there is a driver that can make inbound traffic become outbound, let's say so...
Thanks again
Paolo

On 13/09/2014 20.46, Tom Eastep wrote:
> On 9/13/2014 10:57 AM, Paolo Prandini wrote:
>> I have a question that maybe has a general interest.
>> Sometimes it happens that a customer has a really fast connection and can
>> saturate the bandwidth to our email server, maybe for just 5 seconds, but
>> effectively every bit is allocated to this connection, and it is quite
>> annoying for the other users.
>> Is it possible to make connections share the available bandwidth in a fair
>> way? I mean, the total available bandwidth is 10 Mb/s and if we have only
>> 1 connection it can use all the 10 Mb/s (maybe 90% of them? just to allow
>> new connections to show up); but if we have 2 connections they are limited
>> to 5 Mb/s each, and so on.
>> I studied the various howtos for shorewall bandwidth control, but I
>> couldn't figure out a solution.
>> Thanks in advance to everybody for any suggestion!
>
> Is this inbound traffic or outbound?
>
> -Tom
[Shorewall-users] How to limit bandwidth hog
I have a question that maybe has a general interest.
Sometimes it happens that a customer has a really fast connection and can saturate the bandwidth to our email server, maybe for just 5 seconds, but effectively every bit is allocated to this connection, and it is quite annoying for the other users.
Is it possible to make connections share the available bandwidth in a fair way? I mean, the total available bandwidth is 10 Mb/s and if we have only 1 connection it can use all the 10 Mb/s (maybe 90% of them? just to allow new connections to show up); but if we have 2 connections they are limited to 5 Mb/s each, and so on.
I studied the various howtos for shorewall bandwidth control, but I couldn't figure out a solution.
Thanks in advance to everybody for any suggestion!
Paolo
[Shorewall-users] tee feature
I would like to use the iptables --tee feature to mirror traffic to an IDS.
Is there an option or a clean way to do it with shorewall?
Thanks
Paolo