Re: [Shorewall-users] shorewall with rocky 9

2024-02-14 Thread Nigel Aves
All I'm doing is saying how it works on my server.

On Wed, Feb 14, 2024 at 7:05 AM Tuomo Soini  wrote:

> On Wed, 14 Feb 2024 06:35:02 -0700
> Nigel Aves  wrote:
>
> > I had a similar issue with Debian 12 ... Discovered this works in the
> > snat file:
> >
> > MASQUERADE enp38s0 enp36s0
>
> This is not correct syntax. Like man page shorewall-snat says:
>
> #ACTION      SOURCE          DEST
> MASQUERADE   192.168.0.0/24  eth0
>
> So source must be a network, not an interface.
>
> Also note /etc/shorewall/masq is deprecated.
>
> --
> Tuomo Soini 
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
>
> ___
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-- 
*Be Safe Out There.*
*Nigel Aves*

p.s. We have many fine video podcasts on YouTube. These are all
interview-based, and pretty well cover every subject.

All our shows are here *Captn's Lounge Studios
<https://tinyurl.com/2vurn3yw>* Please Subscribe to *CIT*

*Come be interviewed:  At The Captn's Lounge.
<https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>*
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
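To make the point in the reply above mechanical, here is an added example (my code, not Shorewall's): a small Python lint for the snat file that reports a SOURCE column holding an interface name instead of a network, which is the mistake the reply calls out. It assumes the ACTION SOURCE DEST layout of shorewall-snat(5) and accepts only "-", an ipset reference ("+name") and address or CIDR lists (with "!" exclusions); shell variables are not expanded. The sample file is constructed from the entries quoted in this thread.

```python
"""Lint the SOURCE column of /etc/shorewall/snat entries.

Added example, not Shorewall's own code: shorewall-snat(5) wants a network in
SOURCE; an interface name there is what the reply above calls out."""
import ipaddress
import re

# Anything shaped like a Linux interface name (enp38s0, eth0, wlan0+): the
# mistake we want to name explicitly in the finding.
IFACE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_.:-]*\+?$')


def source_is_network(source):
    """True for SOURCE values this lint accepts: '-', an ipset ('+name'), or a
    comma-separated list of addresses/CIDR networks, each optionally negated
    with '!'. Shell variables ($VAR) are not expanded and will be reported."""
    if source == '-' or source.startswith('+'):
        return True
    for part in source.split(','):
        try:
            ipaddress.ip_network(part.lstrip('!'), strict=False)
        except ValueError:
            return False
    return True


def lint_snat(text):
    """Return [(lineno, message)] for entries whose SOURCE is not a network."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('?'):
            continue                      # blank, comment, or ?FORMAT/?SECTION line
        fields = line.split()
        if len(fields) < 3:
            findings.append((lineno, f'expected ACTION SOURCE DEST, got {len(fields)} field(s)'))
            continue
        source = fields[1]
        if not source_is_network(source):
            hint = ' (looks like an interface name)' if IFACE_RE.match(source) else ''
            findings.append((lineno, f'SOURCE {source!r} is not a network{hint}'))
    return findings


# Constructed sample built from the entries quoted in this thread: line 2 is the
# correct form from the original question, line 3 the interface-as-source form.
SAMPLE_SNAT = """\
#ACTION     SOURCE           DEST
MASQUERADE  192.168.1.0/24   enp32s0f0
MASQUERADE  enp38s0          enp36s0
MASQUERADE  192.168.0.0/24   eth0
"""

if __name__ == '__main__':
    for lineno, message in lint_snat(SAMPLE_SNAT):
        print(f'snat:{lineno}: {message}')
```

Run it against the real file with `lint_snat(open('/etc/shorewall/snat').read())`; an entry that passes this check can still be rejected by `shorewall check`, which remains the authoritative test.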


Re: [Shorewall-users] shorewall with rocky 9

2024-02-14 Thread Nigel Aves
I had a similar issue with Debian 12 ... Discovered this works in the snat
file:

MASQUERADE enp38s0 enp36s0

Might be worth a try.

Nigel.

On Wed, Feb 14, 2024 at 3:22 AM  wrote:

> Hi!
>
> It is a simple scenario with 2 NICs, WAN and LAN.
>
> LAN -> WAN with full access
>
> The same config that works with shorewall 5.1 doesn't work with 5.2.
>
> snat file contains:
>
> MASQUERADE  192.168.1.0/24  enp32s0f0
>
> shorewall.conf change startup=YES
>
> Is there some command to try to debug why it works with 5.1 but the same
> config doesn't with 5.2?
>
> Thx
>
> On 2024-02-13 18:49, Tuomo Soini wrote:
> > On Tue, 13 Feb 2024 21:15:52 +
> > Rodrigo Araujo  wrote:
> >
> >> It works fine here with rpms rebuilt from the Fedora src.rpm packages
> >> and iptables-legacy packages from EPEL.
> >>
> >> Ensure you remove (or at least disable and stop) firewalld, and also
> >> make sure the ipset package is installed. Other than that, I'm not
> >> remembering anything.
> >
> > It also works very well with iptables-nft (so without iptables-legacy).
>
>
> ___
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>




[Shorewall-users] Issue with IPSETS

2021-07-05 Thread Nigel Aves
I've run into a strange issue, and it's only been happening over the last
couple of months.

But every now and then we lose the connection to Facebook (and very very
occasionally to Google) and no one can connect. But if I clear the IPSETS
then Facebook will start working again.

Has anyone else seen this or know how to stop it?

Many Thanks - Nigel.


Re: [Shorewall-users] Whitelisting and ipsets

2020-11-16 Thread Nigel Aves
Justin,

Thank you for your reply. Bad News followed by Good News!

Justin

Thanks for the response. By chance I discovered that Gmail had stuffed your
reply in Spam :( 

>>   Are you running a cronjob which is messing with it ?

I've checked the Cron jobs and I don't see anything that could be causing
this issue. (It's an issue that started a few days ago, and I've not
changed anything in Cron for a few months.)


>>   When / how often are the ipsets being changed/added ?

This is almost happening on a constant basis. I clear all the ipsets,
everything works OK, then in 5 to 15 minutes (searching, google.com,
messenger (on Chromebook)), it all stops working and those two IP numbers
are right back in the ipsets.

And what makes things even more confusing is that Firefox will connect and
work perfectly, even when Chrome will not! So I might be barking up the
wrong tree.

Going to have a look at "psacct" now.

*ADDED LATER* (had to rewrite as the original message had become too
large)

This makes it stranger but I seem to have become lucky.

I did not understand how Firefox worked all OK, but Chrome did not. If
ipsets were blocking incoming requests to Chrome, they should also have
been blocking everything, including Firefox.

So I downloaded and installed Opera to see if that would work. The issue
has now magically gone away. So whatever was causing this issue seems to
be related to Chrome and my PC that I work on.

Many Thanks, Stay Safe, Nigel.


On Sun, Nov 15, 2020 at 12:36 PM Nigel Aves  wrote:

>  Shorewall version 5.2.3.4
> Ubuntu Server 20.04.1
> Apache web server with mod_security
>
> I've run into an issue that no matter what I have tried, no success. This
> started a few days ago,  my internal network keeps getting "cut off" from
> Google. Can not search, open google.com, google messenger service ... I
> tracked it down to ipsets being created for Google IP addresses, what
> really surprised me was that I was also getting (occasionally) their DNS
> servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to
> find the root cause.
>
> I needed a bandaid to stop the rest of the family complaining ( :) ) so
> this morning I looked at Shorewall Whitelisting using "blrules", and added
> this to the blrules file.
>
> WHITELIST net:172.217.0.0/16  all
> WHITELIST net:8.8.4.4  all
> WHITELIST net:8.8.8.8  all
>
> Ran a Shorewall restart but I am still seeing entries when I do "ipset
> list SW_DBL4"
>
> 172.217.3.206 timeout 597 packets 1 bytes 52
> 172.217.14.195 timeout 598 packets 1 bytes 52
>
> Any ideas as to what I might have done wrong?
>
> Kind Regards, Stay Safe, Nigel.
>
>


[Shorewall-users] Whitelisting and ipsets

2020-11-15 Thread Nigel Aves
 Shorewall version 5.2.3.4
Ubuntu Server 20.04.1
Apache web server with mod_security

I've run into an issue that no matter what I have tried, no success. This
started a few days ago,  my internal network keeps getting "cut off" from
Google. Can not search, open google.com, google messenger service ... I
tracked it down to ipsets being created for Google IP addresses, what
really surprised me was that I was also getting (occasionally) their DNS
servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to
find the root cause.

I needed a bandaid to stop the rest of the family complaining ( :) ) so
this morning I looked at Shorewall Whitelisting using "blrules", and added
this to the blrules file.

WHITELIST net:172.217.0.0/16  all
WHITELIST net:8.8.4.4  all
WHITELIST net:8.8.8.8  all

Ran a Shorewall restart but I am still seeing entries when I do "ipset list
SW_DBL4"

172.217.3.206 timeout 597 packets 1 bytes 52
172.217.14.195 timeout 598 packets 1 bytes 52

Any ideas as to what I might have done wrong?

Kind Regards, Stay Safe, Nigel.

Shorewall 5.2.3.4 Dump at apache-web-server.twin-peaks-video.com - Sun Nov 15 12:31:31 MST 2020

Shorewall is running
State:Started Sun Nov 15 12:31:21 MST 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Sun Nov 15 12:31:21 MST 2020 by Shorewall version 5.2.3.4)

Counters reset Sun Nov 15 12:31:21 MST 2020

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  3117 net-fw     all  --  enp6s0 *       0.0.0.0/0            0.0.0.0/0
   44  5221 loc-fw     all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
   10  1146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  137 62669 net-loc    all  --  enp6s0 enp5s0  0.0.0.0/0            0.0.0.0/0
  114 35602 loc-net    all  --  enp5s0 enp6s0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29 24395 ACCEPT     all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0
   50 27119 fw-loc     all  --  *      enp5s0  0.0.0.0/0            0.0.0.0/0
   10  1146 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain dbl_log (4 references)
 pkts bytes target     prot opt in     out     source               destination
   52 27913 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            add-set SW_DBL4 src exist timeout 600
   52 27913 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   50 27119 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68 /* DHCPfwd */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x11
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */

Re: [Shorewall-users] Advice on shorewall-init and ipsets (fail2ban)

2019-10-31 Thread Nigel Aves

Well, I thought I had this working, but no. So confused ( :) ) ..

Start Fail2Ban and do a list of ipsets

[root@apache-web-server ~]# ipset list
Name: SW_DBL4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
Size in memory: 384
References: 0
Members:

Name: BlackList
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 128
References: 0
Members:

[root@apache-web-server ~]#

Run a check of Shorewall setup

Checking configuration ..

Checking using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /usr/share/shorewall/deprecated/action.Drop for chain Drop...
   WARNING: "You are using the deprecated Drop default action. Please 
see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)

Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

.. your firewall configuration looks OK.

Apart from not being able to figure out what's wrong with (a rule I was
advised to add! :) )


# Filter out noise
#
Drop net $FW   all

Check the ipsets and both are still there.

Now try to start Shorewall

Failed to start firewall :

Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /usr/share/shorewall/deprecated/action.Drop for chain Drop...
   WARNING: "You are using the deprecated Drop default action. Please 
see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)

Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.4.21: Set BlackList doesn't exist.

Error occurred at line: 141
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in 
/var/lib/shorewall/.iptables-restore-input

Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
Processing /etc/shorewall/stopped ...
/usr/share/shorewall/lib.common: line 93: 15184 Terminated  
$SHOREWALL_SHELL $script $options $@



Now I list ipsets 


[root@apache-web-server ~]# ipset list
Name: SW_DBL4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
Size in memory: 384
References: 0
Members:

[root@apache-web-server ~]#

and "BlackList" has vanished.


shorewall/init

#
# Shorewall -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###
ipset create BlackList hash:ip,port  timeout 3600 -exist

shorewall/rules

#
# Shorewall -- /etc/shorewall/rules
#

?SECTION ALL
 DROP:info net:+BlackList  $FW
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

--- cut rules none of them related to ipsets.

# turn on ipset from fail2ban
#
DROP:info net:+BlackList  $FW
#  old >>DROP:info net:+f2b all
#
# Filter out noise
#
Drop net $FW all

#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info net $FW
#





[Shorewall-users] Advice on shorewall-init and ipsets (fail2ban)

2019-10-27 Thread Nigel Aves
As a note, I'm a photographer who likes to run their own server for web 
sites / email server, but I am no sys-admin person. I have though been 
using Shorewall for a number of years now.


I've been building a new server to replace my aging server. Centos 7 / 
VirtualMin install for software / admin. BUT I have had to use Kernel 
4.x so that the Ryzen processor was recognized correctly.


I copied all the shorewall files across, checked configuration and 
shorewall started up OK. But I could never get shorewall to start at 
boot. Tried all hints I could find on internet to no avail.


Loaded Shorewall-init, set up the conf file. But now every time I tried 
to start it would fail with an error about the ipset "f2b" (- from 
fail2ban). I took all references out of the conf files for Shorewall, 
did a "shorewall compile". This seems to have solved the error messages 
I was getting.


Questions.

1/  When using shorewall-init does shorewall itself have to be running, 
or is the compiled shorewall rules loaded directly into iptables?


2/ When using fail2ban should I still be trying to push the banned IPs 
into shorewall, or should I change the settings to push directly into 
iptables?


3/ Anything I might have missed?

Kind  Regards - Nigel Aves.





Re: [Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW

2017-02-23 Thread Nigel Aves

Thank you Vieri, I'll give it a go.


On 2/23/2017 9:04 AM, Vieri Di Paola wrote:




- Original Message -
From: Nigel Aves <ni...@twin-peaks-video.com>

Thanks for reply. I'm very uncertain what it should be changed too. Thom
E. published the setting in an email to help out on a problem I was
having getting IPv4 ipsets to work.


You can try:
LOGTAGONLY=Yes

and then in your rules file, add this to every action:
:info:mytag

where "mytag" can be anything you want. You can then grep it in the log.

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot





--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com



Re: [Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW

2017-02-23 Thread Nigel Aves

Bill,

Thanks for reply. I'm very uncertain what it should be changed too. Thom 
E. published the setting in an email to help out on a problem I was 
having getting IPv4 ipsets to work.


Nigel.

On 2/22/2017 7:41 PM, Bill Shirley wrote:

Look at the LOGTAGONLY section of this page:
http://www.shorewall.org/shorewall_logging.html

It has an example of using a more meaningful tag (IPv6 tunneling).

Bill


On 2/22/2017 7:56 PM, Nigel Aves wrote:

I recently implemented "blacklist if connection attempt on unused port" from 
Tom's help and one of the rules was the following:-

ADD(SW_DBL4:src):info   net   $FW

When I do a configuration check I get the following warning

Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
   WARNING: Log Prefix shortened to "Shorewall:net-fw:ADD(SW_DBL4 " /etc/shorewall/rules (line 121)
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...

Not sure if this is causing an issue or not, but thought I should pass it along.

Nigel Aves.












[Shorewall-users] Warning Message on following rule ADD(SW_DBL4:src):info net $FW

2017-02-22 Thread Nigel Aves
I recently implemented "blacklist if connection attempt on unused port" 
from Tom's help and one of the rules was the following:-


ADD(SW_DBL4:src):info   net   $FW

When I do a configuration check I get the following warning

Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
   WARNING: Log Prefix shortened to "Shorewall:net-fw:ADD(SW_DBL4 " /etc/shorewall/rules (line 121)
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...


Not sure if this is causing an issue or not, but thought I should pass 
it along.


Nigel Aves.



[Shorewall-users] Testing if ipsets are working.

2017-02-22 Thread Nigel Aves

Is there a way of "knowing" that ipsets are working correctly?

I've looked through the dump file and that does not seem to contain the 
information I need. The reason I ask, is that I have changed fail2ban to 
use ipsets to pass the information across to shorewall. The reason I 
have done this is because the old method stopped working after 
implementing "blacklist if connection attempt on unused port"


2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO [postfix-sasl] Found 89.248.171.234
2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions[5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121


I have tried two different methods in the rules file.

DROP:info   net:+f2b   $FW          >> this was from a tutorial I discovered

and

ADD(f2b:src):info   net   $FW       >> this is a modified version of Tom's 
"blacklist if connection "



I have created the ipset all OK and get IPs

# ipset list f2b
Name: f2b
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 20048
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
87.241.171.225 timeout 290
124.228.112.30 timeout 227
181.120.35.243 timeout 78
146.0.235.55 timeout 237

If anyone could point me in the right direction, it would really help. I'm 
losing too much hair scratching my head!


Many Thanks,

Nigel.

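The question above ("is there a way of knowing that ipsets are working?") and the earlier "Whitelisting and ipsets" thread on this page (entries still turning up in SW_DBL4 after WHITELIST lines were added to blrules) both come down to reading `ipset list` output and comparing it with something else: fail2ban's log in one case, the whitelisted networks in the other. The following is an added example in Python (my code, not Shorewall's or fail2ban's) that does both. It parses `ipset list` output in the format shown in these threads, pulls "Found", "Ban" and "already banned" entries out of fail2ban log lines, and reports banned IPs that never reached the set, found IPs not yet banned, and SW_DBL4 members that fall inside a WHITELIST network. The sample set listing and log lines are constructed from the values quoted on this page (203.0.113.9 is a documentation address added to show the missing-ban case).

```python
"""Added example: check ipset contents against fail2ban's log and Shorewall
blrules WHITELIST networks, using `ipset list` output as the source of truth."""
import ipaddress
import re

# fail2ban log lines as shown in the thread, one record per line
FOUND_RE = re.compile(r'fail2ban\.filter\s*\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)')
BAN_RE = re.compile(r'fail2ban\.actions\s*\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] '
                    r'(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)')


def parse_ipset_list(text):
    """Parse `ipset list` output into {name: {'Type': ..., 'members': {entry: timeout}}}.
    Member lines look like '91.200.12.121 timeout 83162' or, with counters,
    '172.217.3.206 timeout 597 packets 1 bytes 52'; no timeout gives None."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_members = False              # a blank line separates sets
            continue
        if line.startswith('Name:'):
            current = line.split(':', 1)[1].strip()
            sets[current] = {'members': {}}
            in_members = False
            continue
        if current is None:
            continue                        # shell prompt or noise before the first set
        if in_members:
            fields = line.split()
            timeout = int(fields[fields.index('timeout') + 1]) if 'timeout' in fields else None
            sets[current]['members'][fields[0]] = timeout
            continue
        key, _, value = line.partition(':')
        if key == 'Members':
            in_members = True
        else:
            sets[current][key] = value.strip()
    return sets


def fail2ban_ips(log):
    """Return (found, banned): IPs a filter matched, and IPs the actions logged as banned."""
    found, banned = set(), set()
    for line in log.splitlines():
        m = FOUND_RE.search(line)
        if m:
            found.add(m.group('ip'))
            continue
        m = BAN_RE.search(line)
        if m:
            banned.add(m.group('ip1') or m.group('ip2'))
    return found, banned


def bans_missing_from_set(banned, members):
    """Banned IPs with no entry in the set: fail2ban acted but the firewall never saw it."""
    return sorted(ip for ip in banned if ip not in members)


def whitelisted_members(members, whitelist):
    """Map each set entry inside a WHITELIST network to that network.
    Entries may be hosts or CIDR blocks (hash:net); 'ip,port' entries use the ip part."""
    nets = [ipaddress.ip_network(n, strict=False) for n in whitelist]
    hits = {}
    for entry in members:
        member = ipaddress.ip_network(entry.split(',')[0], strict=False)
        for net in nets:
            if member.version == net.version and member.subnet_of(net):
                hits[entry] = net.with_prefixlen
                break
    return hits


# Constructed sample: `ipset list` output modeled on the f2b and SW_DBL4 sets in the threads.
SAMPLE_IPSET_LIST = """\
[root@apache-web-server ~]# ipset list
Name: f2b
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 300
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163

Name: SW_DBL4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 timeout 600 counters
References: 1
Members:
172.217.3.206 timeout 597 packets 1 bytes 52
172.217.14.195 timeout 598 packets 1 bytes 52
"""

# Constructed sample: fail2ban log lines as in the thread plus one 'Ban' line.
SAMPLE_FAIL2BAN_LOG = """\
2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions[5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:10:00,000 fail2ban.actions[5721]: NOTICE [postfix-sasl] Ban 203.0.113.9
"""

WHITELIST = ['172.217.0.0/16', '8.8.4.4', '8.8.8.8']   # the blrules WHITELIST lines in the thread


def report(ipset_text=SAMPLE_IPSET_LIST, log=SAMPLE_FAIL2BAN_LOG, whitelist=WHITELIST):
    sets = parse_ipset_list(ipset_text)
    found, banned = fail2ban_ips(log)
    return {
        'banned_but_not_in_f2b': bans_missing_from_set(banned, sets['f2b']['members']),
        'found_not_yet_banned': sorted(found - banned),
        'whitelisted_in_SW_DBL4': whitelisted_members(sets['SW_DBL4']['members'], whitelist),
    }


if __name__ == '__main__':
    for key, value in report().items():
        print(f'{key}: {value}')
```

On a live box, feed `report()` the output of `ipset list` and the tail of /var/log/fail2ban.log. A non-empty `whitelisted_in_SW_DBL4` is exactly the symptom from the 2020 thread: the WHITELIST entries in blrules do not stop the ADD rule in the rules file from adding those sources to the set, so the set contents, not the blrules file, tell you whether the whitelist had any effect.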


Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Nigel Aves

Tom,

Just tested your fix. Everything seems to be working perfectly from the 
outside and the inside.


Many Thanks,

Nigel.

On 1/18/2017 10:12 AM, Tom Eastep wrote:


On 01/18/2017 07:01 AM, Nigel Aves wrote:

I've become a little stuck on setting up ipset correctly.  I
followed the instructions from an email as follows:


DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src)   net   $FW

and after some testing  everything seemed to be working all OK.
Using Shorewall  5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my
Rules file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network
machine web sites, like Facebook, just stopped working.

I've tried to find a simple (I'm no IT specialist, just home
hobbyist) explanation as to what I have done wrong or missed,  and
seemed to have hit a brick wall.

If someone could point me in the right direction I would be very
grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT   loc   fw
#
#
DHCPfwd/ACCEPT   $FW   loc
#
# Accept for web -server
ACCEPT   net   $FW   tcp   80
# no ssl
#  ACCEPT   net   $FW   tcp   443
#
#
# Turn FTP off when not transfering files from VideoKing
#
#  FTP/ACCEPT   net   fw   -   21
#  ACCEPT   net   $FW   tcp   6000:6100
#
##  use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT   net   $FW   tcp   1
#
#
SMTP/ACCEPT   net   $FW   -   25
#
DNS(ACCEPT)   $FW   net
#Accept DNS connections from the firewall to the network
#
SSH(ACCEPT)   loc   $FW
#
#Accept SSH connections from the local network for administration
#
Ping(ACCEPT)   loc   $FW
#
#Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT   net   loc:192.168.1.180   udp   27177
DNAT   net   loc:192.168.1.180   udp   27178
DNAT   net   loc:192.168.1.180   tcp   27177
DNAT   net   loc:192.168.1.180   tcp   27178
#
ACCEPT   loc   $FW   tcp
ACCEPT   loc   $FW   udp
#
DNS(ACCEPT)   loc   $FW
SMB(ACCEPT)   loc   $FW
SMB(ACCEPT)   $FW   loc
#
DNS(ACCEPT)   phone   $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)   net   $FW
ACCEPT   $FW   loc   icmp
ACCEPT   $FW   net   icmp
#
ACCEPT   $FW   phone   icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src)   net   $FW


I suspect that you are blacklisting the upstream DNS name servers.

Try this:

#
# Filter out noise
#
Drop                    net     $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info   net $FW

-Tom
--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net    \








Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Nigel Aves
I've become a little stuck on setting up ipset correctly.  I followed 
the instructions from an email as follows:



DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src)   net   $FW

and after some testing  everything seemed to be working all OK. Using 
Shorewall  5.0.14.1


I have port 80 (web server) and 25 (Postfix server) open in my Rules 
file. Internal network using 192.168.1.1 on eth1


But as soon as I tried using the browser on my local network machine web 
sites, like Facebook, just stopped working.


I've tried to find a simple (I'm no IT specialist, just home hobbyist) 
explanation as to what I have done wrong or missed,  and seemed to have 
hit a brick wall.


If someone could point me in the right direction I would be very grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT   loc   fw
#
#
DHCPfwd/ACCEPT   $FW   loc
#
# Accept for web -server
ACCEPT   net   $FW   tcp   80
# no ssl
#  ACCEPT   net   $FW   tcp   443
#
#
# Turn FTP off when not transfering files from VideoKing
#
#  FTP/ACCEPT   net   fw   -   21
#  ACCEPT   net   $FW   tcp   6000:6100
#
##  use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT   net   $FW   tcp   1
#
#
SMTP/ACCEPT   net   $FW   -   25
#
DNS(ACCEPT)   $FW   net
#Accept DNS connections from the firewall to the network
#
SSH(ACCEPT)   loc   $FW
#
#Accept SSH connections from the local network for administration
#
Ping(ACCEPT)   loc   $FW
#
#Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT   net   loc:192.168.1.180   udp   27177
DNAT   net   loc:192.168.1.180   udp   27178
DNAT   net   loc:192.168.1.180   tcp   27177
DNAT   net   loc:192.168.1.180   tcp   27178
#
ACCEPT   loc   $FW   tcp
ACCEPT   loc   $FW   udp
#
DNS(ACCEPT)   loc   $FW
SMB(ACCEPT)   loc   $FW
SMB(ACCEPT)   $FW   loc
#
DNS(ACCEPT)   phone   $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)   net   $FW
ACCEPT   $FW   loc   icmp
ACCEPT   $FW   net   icmp
#
ACCEPT   $FW   phone   icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src)   net   $FW









Re: [Shorewall-users] Yahoo mail connection issue

2017-01-05 Thread Nigel Aves

Pete,

Do you have an AT&T or Bellsouth email address? If you do, or know 
someone who does, check out the email header.


I've found in the past that it is a good source for debugging.

Nigel.



email address?  If you do look at the header information.

On 1/5/2017 8:29 AM, pgeenhuizen wrote:

I'm not sure if this is a shorewall issue or not, but I hope that
someone can give me some pointers or ideas how to try to solve this issue

I'm running Shorewall 4.6.13 on Centos 6.8, and my own mail server.

I have this rule in place for my email
DNAT   net   loc:192.xxx.xxx.16   tcp   http,https,imap,imaps,smtp,smtps

My problem is that whenever someone using an AT&T phone or from
Bellsouth.net sends me email it fails and the email is returned to the
sender as failed with this error

"Mail server for "geenhuizen.net" unreachable for too long"

Apparently both AT&T and Bellsouth use yahoo mail service, however if
someone on Yahoo mail sends me an email it works just fine.

I've looked through /var/log/maillog but can't find the connection at
all, and I can't find any connection in the shorewall logs either.  I
must confess that I don't know what to specifically look for in the
shorewall logs.

So what to do?

Thanks
Pete






Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-12-01 Thread Nigel Aves

Vieri,

Thank you for your help. I'm running Shorewall 5.0.8.2-1.el7, so that 
explains it.


Typically I prefer to use the updates as they become "official" in the 
repositories. (I'm no Linux expert :) and I use Webmin / Virtualmin to 
help me keep the system running ). I'll hold off for the moment, though 
I did find all the required RPMs.


Kind Regards - Nigel.


On 12/1/2016 12:49 AM, Vieri Di Paola wrote:


- Original Message -----
From: Nigel Aves <ni...@twin-peaks-video.com>


But following this post, when I try and change "DYNAMIC_BLACKLIST" it always 
errors out. (Tried both solutions in email)
  ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

  ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I had the same issue with an older Shorewall 5 version. Just upgrade. I'm using 
5.0.14.1 now.

Vieri






--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Nigel Aves

I was trying to implement this "ipset" solution and I keep hitting a brick 
wall. I'm no expert on this, so I was hoping for some guidance.
I have searched and searched trying to find the solution but to no avail.

In the Shorewall dump I have the following (which from some documentation seems 
to be correct, and what I need):-

   Ipset Match (IPSET_MATCH): Available
   Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
   Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
   ipset V5 (IPSET_V5): Available

But following this post, when I try and change "DYNAMIC_BLACKLIST" it always 
errors out. (Tried both solutions in email)

 ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

 ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I'd be very grateful if someone could point me in the right direction as to 
what I am doing wrong.

Many Thanks - Nigel


On 11/28/2016 6:06 AM, Vieri Di Paola wrote:



From: Tom Eastep 

Configure ipset-based dynamic blacklisting:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

then put this at the bottom of your rules:

ADD(SW_DBL4,src)    net    $FW


I believe the separator is : instead of ,.

I have this now in rules:
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

and this in shorewall.conf:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600

ipset list SW_DBL4 shows that the set is growing fast...

I understand there's no special flag requirement for net "interfaces", not even 
"blacklist" as we're using ipsets here, not files.

Thanks,

Vieri






--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com

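Vieri notes that `ipset list SW_DBL4` shows the set growing fast. The following is an added example, not code from the thread or from Shorewall, for keeping an eye on such a set: it splits a DYNAMIC_BLACKLIST value of the shape used above into its option and log-level parts, parses the output of `ipset list`, reports which entries are about to expire, and cross-checks the set's timeout against the configured one. The option layout assumed for the setting is taken from the value in the thread (consult shorewall.conf(5) for your release), and the `ipset list` output and member addresses are constructed.

```python
import re

# Constructed DYNAMIC_BLACKLIST value and `ipset list` output for the example;
# the set name SW_DBL4 and the 3600 s timeout follow the thread, the member
# addresses are documentation-range samples.
SAMPLE_CONF = "ipset-only,timeout=3600::info"
SAMPLE_IPSET_LIST = """\
Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 472
References: 2
Number of entries: 3
Members:
203.0.113.5 timeout 3412
198.51.100.77 timeout 120
192.0.2.200 timeout 2999
"""


def parse_dynamic_blacklist(value):
    """Split a DYNAMIC_BLACKLIST value such as 'ipset-only,timeout=3600::info'.

    Layout assumed from the value used in the thread: comma-separated options,
    then optional colon-separated setting, log level and log tag. Check
    shorewall.conf(5) for the exact grammar of the release you run.
    """
    opts_part, _, tail = value.partition(":")
    opts = opts_part.split(",")
    result = {"mode": opts[0], "options": set(), "timeout": None,
              "setting": None, "log_level": None, "log_tag": None}
    for opt in opts[1:]:
        if opt.startswith("timeout="):
            result["timeout"] = int(opt.split("=", 1)[1])
        elif opt:
            result["options"].add(opt)
    fields = tail.split(":") if tail else []
    for key, val in zip(("setting", "log_level", "log_tag"), fields):
        result[key] = val or None
    return result


def parse_ipset_list(text):
    """Parse `ipset list <set>` output into header info and members."""
    info = {"name": None, "type": None, "header_timeout": None, "members": []}
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_members:
            parts = line.split()
            timeout = int(parts[parts.index("timeout") + 1]) if "timeout" in parts else None
            info["members"].append({"entry": parts[0], "timeout": timeout})
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Name":
            info["name"] = val
        elif key == "Type":
            info["type"] = val
        elif key == "Header":
            m = re.search(r"\btimeout\s+(\d+)", val)
            info["header_timeout"] = int(m.group(1)) if m else None
        elif key == "Members":
            in_members = True
    return info


def expiring_within(ipset_info, seconds):
    """Entries that will drop out of the set within `seconds`."""
    return [m["entry"] for m in ipset_info["members"]
            if m["timeout"] is not None and m["timeout"] <= seconds]


def check_blacklist(conf_value, ipset_text):
    """Cross-check the configured setting against the live set."""
    conf = parse_dynamic_blacklist(conf_value)
    live = parse_ipset_list(ipset_text)
    findings = []
    if not conf["mode"].startswith("ipset"):
        findings.append("DYNAMIC_BLACKLIST does not use an ipset")
    if conf["timeout"] is not None and live["header_timeout"] != conf["timeout"]:
        findings.append(f"set timeout {live['header_timeout']} differs from configured {conf['timeout']}")
    if conf["timeout"] is None and live["header_timeout"] is None:
        findings.append("no timeout: entries never expire, the set only grows")
    if conf["log_level"] is None:
        findings.append("no log level in DYNAMIC_BLACKLIST, blacklist hits are not logged")
    return findings
```

In real use, feed `check_blacklist` the value from shorewall.conf and the captured output of `ipset list SW_DBL4`; a mismatch between the two timeouts usually means the set was created by an older configuration and survived a `shorewall restart`.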


[Shorewall-users] Interface names

2015-10-07 Thread Nigel Aves

Quick question on interface names.

I'm building a Centos 7 server and the interface names  are no longer 
eth* but (on this machine) are:-


enp2s0  - Outside world
enp8s0 -  Internal network
enp7s0 -  Internal network

I've tried checking the documentation but can not find a definitive answer.

Will Shorewall - Interfaces be OK with these new names, or should I try 
and revert back to the eth* naming schema.


(and it's a bit of a hit and miss getting those names back, but dead 
easy to lose all your networking! :) )


Nigel.


Re: [Shorewall-users] Interface names

2015-10-07 Thread Nigel Aves

Brian,

Looks like the answer is "yes" it will work ok with the new names. Thank 
you.


Mathew,

I followed a number of on-line helps. The problem I ran into was that if 
the core is updated, as soon as you re-boot it goes back to the newer 
naming convention and no interfaces are working anymore.


Thanks to both,

Nigel.

On 10/7/2015 6:11 PM, Brian Burch wrote:

On 08/10/15 00:44, Mathew Crane wrote:

Hi Nigel,

The new udev device naming schema is a bit daunting at first. I
recommend at least looking over Red Hat's own documentation in regards
to this:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html

If you want to revert to the old-style naming:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Disabling_Consistent_Network_Device_Naming.html

Most modern distros are headed down the systemd-udevd path. I recommend
using the CentOS 7 defaults and renaming via
/etc/udev/rules.d/70-persistent-net.rules instead of disabling the
feature altogether.

Here's an example for yours. Replace ATTR{address}== with the MAC
addresses of your interfaces. Easiest way to get these to take effect is
to reboot.

/etc/udev/rules.d/70-persistent-net.rules:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0",
ATTR{address}=="00:0e:b7:34:10:38", ATTR{type}=="1", KERNEL=="enp*",
NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0",
ATTR{address}=="00:0e:b7:34:10:39", ATTR{type}=="1", KERNEL=="enp*",
NAME="eth1"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0",
ATTR{address}=="00:0e:b7:34:10:3a", ATTR{type}=="1", KERNEL=="enp*",
NAME="eth2"

You can get creative with the naming. For mine, I use 'wan0', 'lan0',
'wifi0', etc.

Hope this helps!
mateo

On Wed, Oct 7, 2015 at 7:03 PM, Nigel Aves <ni...@twin-peaks-video.com
<mailto:ni...@twin-peaks-video.com>> wrote:

 Quick question on interface names.

 I'm building a Centos 7 server and the interface names  are no
 longer eth* but (on this machine) are:-

 enp2s0  - Outside world
 enp8s0 -  Internal network
 enp7s0 -  Internal network

 I've tried checking the documentation but can not find a definitive
 answer.

 Will Shorewall - Interfaces be OK with these new names, or should I
 try and revert back to the eth* naming schema.

One of my ubuntu servers has its interfaces automatically names as p33p1
and p34p1.

I simply changed the old eth0/eth1 names to the new ones in these
shorewall files and it has been working fine for a couple of years:

* interfaces (obviously!)
* hosts (because I have multiple subnets on both interfaces)
* masq
* tcinterfaces

Why not just "grep -lir eth /etc/shorewall/" and edit the files?

HTH

Brian


 (and it's a bit of a hit and miss getting those names back, but dead
 easy to lose all your networking! :) )

 Nigel.

 












--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com

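Nigel's experience above (a kernel update reverts the interface names and the firewall comes up with no working interfaces) is worth catching before `shorewall start`. The script below is an added example, not part of the thread or of Shorewall: it parses an `/etc/shorewall/interfaces` file, resolves the `physical=` option and trailing-`+` wildcards, and lists the non-optional interfaces the kernel does not currently have. The sample file is constructed from the enp* names in the post; the dmz and wifi lines are added to exercise the two special cases.

```python
import os

# Constructed /etc/shorewall/interfaces in the FORMAT 1 layout (ZONE INTERFACE
# BROADCAST OPTIONS) using the enp* names from the post; the dmz and wifi lines
# are added to exercise the physical= option and the trailing-"+" wildcard.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     enp2s0      detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     enp8s0      detect      tcpflags,nosmurfs,routefilter,logmartians
loc     enp7s0      detect      tcpflags,nosmurfs
dmz     dmz0        detect      physical=enp6s0
wifi    wlan+       detect      optional
"""


def parse_interfaces(text):
    """Return one dict per interface entry with its logical and physical names."""
    fmt = 1
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("?FORMAT"):
            fmt = int(line.split()[1])         # FORMAT 2 has no BROADCAST column
            continue
        cols = line.split()
        zone, logical = cols[0], cols[1]
        opt_index = 3 if fmt == 1 else 2
        options = cols[opt_index].split(",") if len(cols) > opt_index else []
        physical = logical
        for opt in options:
            if opt.startswith("physical="):
                physical = opt.split("=", 1)[1]
        entries.append({"zone": zone, "logical": logical, "physical": physical,
                        "optional": "optional" in options})
    return entries


def interface_present(name, present):
    """Match a plain name exactly, or a trailing-'+' wildcard as a prefix."""
    if name.endswith("+"):
        return any(p.startswith(name[:-1]) for p in present)
    return name in present


def missing_interfaces(entries, present):
    """Non-optional physical interfaces that the kernel does not have."""
    return [e["physical"] for e in entries
            if not e["optional"] and not interface_present(e["physical"], present)]


def system_interfaces():
    """Names of the interfaces the running kernel knows about."""
    return set(os.listdir("/sys/class/net"))


if __name__ == "__main__":
    entries = parse_interfaces(SAMPLE_INTERFACES)
    gone = missing_interfaces(entries, system_interfaces())
    print("missing on this host:", gone or "none")
```

Run it from a boot-time hook or before a `shorewall restart`: an empty result means every interface the zones depend on exists under its configured name; anything else points at a rename (or a reverted udev rule) that needs fixing before the firewall is started.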


Re: [Shorewall-users] Problem with traffic shaping

2010-08-23 Thread Nigel Aves

 I am no expert on this but your tcrules file is missing.

You need to define those rules so shorewall knows what traffic to mark





On 8/23/2010 11:16, Jonh Jonh wrote:

Traffic Shaping

I am trying to limit bandwidth, but it doesn't work; it doesn't limit bandwidth 
correctly. I'm using openwrt, shorewall 4.2.4, dansguardian 2.10.0.3 
and squid 2.6.STABLE14. My configuration is:


shorewall version 4.2.4

Kernel

r...@localhost:/etc/shorewall# uname -r
2.6.25.20

r...@localhost:/etc/shorewall# cat zones
fw  firewall
loc ipv4
net ipv4

r...@localhost:/etc/shorewall# cat policy
fw    all    ACCEPT    -    -
loc   all    ACCEPT    -    -
net   all    DROP      -    -
all   all    REJECT    -    -

r...@localhost:/etc/shorewall# cat masq
eth0    eth1

r...@localhost:/etc/shorewall# cat rules
ACCEPT      net    fw       tcp    22      -    -
REDIRECT    loc    8080     tcp    80      -    -    -    -
REDIRECT    loc    16667    tcp    1863    -    -    -    -

r...@localhost:/etc/shorewall# cat tcclasses
eth1    1    full     full     2    default
eth1    2    5kbit    5kbit    2

r...@localhost:/etc/shorewall# cat tcdevices
eth1    4000kbit    600kbit

atte. Jonh





--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com

and for the skeptical side of you

http://rational-alchemy.com




Re: [Shorewall-users] Shorewall Development Schedule

2010-03-08 Thread Nigel Aves
I agree with Trent.

Shorewall is a mature, well crafted product that pretty well (if not completely)
supports everything that a user would want a firewall to do.

I'm just not the person to do this (not being a programmer), but if there was
one thing I would like to see enhanced, it's the plugin module for
Shorewall on Webmin, and possibly some setup documentation for a dummy like
me!

Nigel.





-Original Message-
From: Trent O'Callaghan [mailto:trent.ocallag...@nearmap.com]
Sent: Monday, March 08, 2010 17:24
To: 'Shorewall Users'
Subject: Re: [Shorewall-users] Shorewall Development Schedule


Hi Tom,

I concur on Shorewall reaching maturity.

Thanks for your sustained efforts to respond to the need for a open source
firewall in the ever evolving linux world.

Kind regards,

Trent O'Callaghan
Network Manager
www.nearmap.com


-Original Message-
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Tuesday, 9 March 2010 5:38 AM
To: Shorewall Users; Shorewall Development
Subject: [Shorewall-users] Shorewall Development Schedule

As Shorewall reaches maturity, it seems unlikely that the pace of
development typical of the past 9 years will be sustained. Over that time,
major releases have occurred approximately once per year; the last major
release (4.4) was in August 2009.

I do not currently have an active 4.5 development branch so it is very
unlikely that we will see a 4.6 release this year.

Going forward, I would expect a new minor release every 2-3 months.
These minor releases will be preceded by Beta and RC releases like we have
been having since 4.4.6.

-Tom
--
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \








Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out

2010-02-17 Thread Nigel Aves
On Tue, 16 Feb 2010 22:52:45 -0800, Tom Eastep teas...@shorewall.net
wrote:
 Nigel Aves wrote:
 Thanks Tom, no hurry .
 
 I've been able to reproduce the problem here.
 
 -Tom


Sounds like we found a bug.

Thanks for your very prompt action on this - Nigel.


-- 
From the desk of Nigel 

http://soft-focus-imagining.com 
http://rational-alchemy.com
http://twin-peaks-video.com



Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out

2010-02-17 Thread Nigel Aves
Tom,

Patch worked perfectly ... Thank you.

Nigel.

-Original Message-
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Wednesday, February 17, 2010 07:37
To: Shorewall Users
Subject: Re: [Shorewall-users] Adding download control for internal
interface - qdisk errors out


Tom Eastep wrote:
 Nigel Aves wrote:
 Thanks Tom, no hurry .
 
 I've been able to reproduce the problem here.

Here's a patch:

patch /usr/share/shorewall/Shorewall/Tc.pm  sfqclassnum.diff

Please let me know if it works for you.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \




Re: [Shorewall-users] Adding download control for internal interface - qdisk errors out

2010-02-16 Thread Nigel Aves
Thanks Tom, no hurry .

-Original Message-
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Tuesday, February 16, 2010 18:19
To: Shorewall Users
Subject: Re: [Shorewall-users] Adding download control for internal
interface - qdisk errors out


Nigel Aves wrote:
 Please find enclosed a zip of the dump file

I'll try to get to this in the next several days.

Thanks,
-Tom
--
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \






[Shorewall-users] Adding download control for internal interface - qdisk errors out

2010-02-15 Thread Nigel Aves
Shorewall version 4.4.7

I have managed to configure Shorewall successfully for traffic shaping on
the upload and that all seems to be working ok.

Today I'm trying to control downloading as well, rather than using Squids
delay pools. I followed the on-line documentation but when I try to start
Shorewall the following message pops up.

Setting up Traffic Control...
RTNETLINK answers: File exists
   ERROR: Command tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum 1500 limit 127 perturb 10 Failed
Processing /etc/shorewall/stop ...


I have had a hunt around and can not find out what I have done wrong. (No
surprises there, I'm no sysadm type person).

Any help as to what I have done wrong will be gratefully received.

Nigel.

Here are the files (when just using the ppp0 everything works perfectly,
commented out the eth1 lines to get the firewall working)

tcdevices

ppp0    6200kbit    4400kbit
eth1    -           100mbits

tcclasses

ppp0     1    5*full/100     full    1    tcp-ack,tos-minimize-delay
ppp0     2    47*full/100    full    2
ppp0     3    10*full/100    full    3
ppp0     4    5*full/100     full    4
ppp0     5    29*full/100    full    5
ppp0     6    4*full/100     full    6    default
#eth1    1    5*full/100     full    1    tcp-ack
#eth1    3    10*full/100    full    2
#eth1    4    5*full/100     full    3
#eth1    5    70*full/100    full    4
#eth1    6    10*full/100    full    5    default


I think it's the tcclasses it does not like because if I keep the tcrules
for just the ppp0 interface I still get the error message when I un-comment
eth1


tcrules

1:F      0.0.0.0/0         0.0.0.0/0    icmp    echo-request
1:F      0.0.0.0/0         0.0.0.0/0    icmp    echo-reply
2:T      207.224.48.222    0.0.0.0/0    tcp     -         80,443
3:T      0.0.0.0/0         0.0.0.0/0    tcp     53
3:T      0.0.0.0/0         0.0.0.0/0    udp     53
# 3:F    ppp0              eth1         tcp     -         53
# 3:F    ppp0              eth1         udp     -         53
4:T      0.0.0.0/0         0.0.0.0/0    tcp     25
4:T      0.0.0.0/0         0.0.0.0/0    udp     25
# 4:F    ppp0              eth1         tcp     -         25
# 4:F    ppp0              eth1         udp     -         25
5:T      0.0.0.0/0         0.0.0.0/0    tcp     80,443
# 5:F    ppp0              eth1         tcp     -         80,443


I've also tried not using eth1 but 192.168.1.0/24











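Both traffic-shaping threads on this page (Jonh's tcclasses that did not limit as expected, and the tcdevices/tcclasses above that failed with "File exists") come down to what Shorewall turns the class table into. The script below is an added example, not code from either post or from Shorewall: it parses tcdevices and tcclasses, resolves the `full`, `full/N` and `N*full/M` rate expressions against the device OUT-BANDWIDTH, and checks for the mistakes a practitioner wants flagged before `shorewall start`: a class on a device with no tcdevices entry, duplicate class numbers on one device, a device with no `default` class, and guaranteed rates that add up to more than the link. The sample files restate the 2010-02-15 post with column whitespace restored, the eth1 classes uncommented and the eth1 bandwidth written with the `mbit` unit; the unit multipliers are decimal here (assumptions for the example, enough for ratio checks).

```python
import re
from collections import defaultdict

# Constructed tcdevices/tcclasses restating the files in the 2010-02-15 post with
# column whitespace restored, the eth1 classes uncommented and the eth1
# bandwidth written with Shorewall's "mbit" unit (assumptions for this example).
SAMPLE_TCDEVICES = """\
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
ppp0         6200kbit       4400kbit
eth1         -              100mbit
"""

SAMPLE_TCCLASSES = """\
#INTERFACE  MARK  RATE          CEIL   PRIORITY  OPTIONS
ppp0        1     5*full/100    full   1         tcp-ack,tos-minimize-delay
ppp0        2     47*full/100   full   2
ppp0        3     10*full/100   full   3
ppp0        4     5*full/100    full   4
ppp0        5     29*full/100   full   5
ppp0        6     4*full/100    full   6         default
eth1        1     5*full/100    full   1         tcp-ack
eth1        3     10*full/100   full   2
eth1        4     5*full/100    full   3
eth1        5     70*full/100   full   4
eth1        6     10*full/100   full   5         default
"""

# Bandwidth units expressed in kbit/s; kbps/mbps are bytes per second as in tc.
# Decimal multipliers are used here, which is enough for ratio checks.
UNIT_KBIT = {"bit": 0.001, "kbit": 1.0, "mbit": 1000.0, "kbps": 8.0, "mbps": 8000.0}


def bandwidth_kbit(spec):
    """'4400kbit' -> 4400.0, '100mbit' -> 100000.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]+)", spec.strip().lower())
    if not m or m.group(2) not in UNIT_KBIT:
        raise ValueError(f"bad bandwidth {spec!r}")
    return float(m.group(1)) * UNIT_KBIT[m.group(2)]


def rate_kbit(expr, full_kbit):
    """Resolve a RATE/CEIL expression: 'full', 'full/N', 'N*full/M' or a bandwidth."""
    m = re.fullmatch(r"(?:(\d+)\*)?full(?:/(\d+))?", expr.strip().lower())
    if m:
        return full_kbit * int(m.group(1) or 1) / int(m.group(2) or 1)
    return bandwidth_kbit(expr)


def _rows(text):
    """Yield the whitespace-split columns of each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_tcdevices(text):
    """INTERFACE -> {'in': kbit or None, 'out': kbit}."""
    devices = {}
    for cols in _rows(text):
        iface, inb, outb = cols[:3]
        devices[iface] = {"in": None if inb == "-" else bandwidth_kbit(inb),
                          "out": bandwidth_kbit(outb)}
    return devices


def parse_tcclasses(text):
    """One dict per class: iface, mark (class number), rate, ceil, prio, options."""
    classes = []
    for cols in _rows(text):
        classes.append({"iface": cols[0], "mark": int(cols[1]), "rate": cols[2],
                        "ceil": cols[3], "prio": int(cols[4]),
                        "options": cols[5].split(",") if len(cols) > 5 else []})
    return classes


def class_rates(devices, classes):
    """(iface, mark) -> (guaranteed kbit, ceiling kbit); 'full' is the device OUT-BANDWIDTH."""
    rates = {}
    for c in classes:
        full = devices[c["iface"]]["out"]
        rates[(c["iface"], c["mark"])] = (rate_kbit(c["rate"], full), rate_kbit(c["ceil"], full))
    return rates


def check_tc(devices, classes):
    """Findings worth fixing before `shorewall start`."""
    findings = []
    per_dev = defaultdict(list)
    for c in classes:
        if c["iface"] not in devices:
            findings.append(f"{c['iface']}: class {c['mark']} has no tcdevices entry")
            continue
        per_dev[c["iface"]].append(c)
    for iface, cls in per_dev.items():
        marks = [c["mark"] for c in cls]
        for mark in sorted(set(m for m in marks if marks.count(m) > 1)):
            findings.append(f"{iface}: duplicate class number {mark}")
        if not any("default" in c["options"] for c in cls):
            findings.append(f"{iface}: no default class")
        guaranteed = sum(rate_kbit(c["rate"], devices[iface]["out"]) for c in cls)
        if guaranteed > devices[iface]["out"] + 1e-9:
            findings.append(f"{iface}: guaranteed rates {guaranteed:.0f}kbit exceed OUT-BANDWIDTH")
    return findings
```

For the sample, the ppp0 classes resolve to 220, 2068, 440, 220, 1276 and 176 kbit, exactly the 4400 kbit OUT-BANDWIDTH, and the checker returns no findings. The "File exists" error in the post above is a different failure (a qdisc handle collision reported by the kernel), which the posted patch addressed; this checker targets the configuration-level mistakes that produce silently wrong shaping instead.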