Re: [Shorewall-users] Using Shorewall to change TTL

2006-09-18 Thread Tom Eastep
Tom Eastep wrote: Fitzpatrick, Andrew wrote: I've searched and searched but couldn't find any info on actually how to do it. I basically want to do this: http://www.faqs.org/docs/iptables/targets.html#TTLTARGET Is there a way I can get shorewall to do it for me? No -- you have to do

Re: [Shorewall-users] Multiple ISP Issues

2006-09-20 Thread Tom Eastep
Tom Eastep wrote: ...you haven't shown those two us... I sure hope that those of you for whom English is a second language don't copy the grammar and spelling in my posts :-) Should have been: ...you haven't shown those *to* us... -Tom -- Tom Eastep\ Nothing is foolproof to a sufficiently

Re: [Shorewall-users] Multiple ISP Issues

2006-09-20 Thread Tom Eastep
. Consequently the answer to FAQ 58 specifically says that you must put the default mark first! (and I would leave off the protocol). -Tom

Re: [Shorewall-users] DEST load balance - hash instead of round-robin

2006-09-21 Thread Tom Eastep
another in cycle) load balancing takes place between these addresses. -Tom

Re: [Shorewall-users] fragmented udp packet or vpn problem

2006-09-22 Thread Tom Eastep
with fragmented packets? Anyway, if anybody has this problem, try without traffic shaping. Is your kernel fully patched? IIRC, there was a problem with fragments and bridges at one point (don't recall which kernel version). -Tom

Re: [Shorewall-users] DNAT failing with no error

2006-09-22 Thread Tom Eastep
. The Ports which I try to forward to the Server don't work and I don't see an error. Please follow the DNAT debugging tips in Shorewall FAQs 1a and 1b. Here are my files: If you don't find a solution, then please provide the information requested at http://www.shorewall.net/support.htm. -Tom

Re: [Shorewall-users] Multiple ISPs

2006-09-23 Thread Tom Eastep
for obtaining Shorewall support.

Re: [Shorewall-users] Multiple ISPs

2006-09-23 Thread Tom Eastep
, they would never go away. This doesn't seem right to me. Please read the large WARNING in the section of the Multi-ISP documentation entitled "What an entry in the Providers File Does". -Tom

Re: [Shorewall-users] Shorewall and UDP port 500

2006-09-24 Thread Tom Eastep
no connections from the net. If you didn't do that, then there is no way for us to know what your configuration looks like. Please see http://www.shorewall.net/support.htm#Guidelines if you want us to evaluate your situation further. -Tom

Re: [Shorewall-users] Shorewall and UDP port 500

2006-09-24 Thread Tom Eastep
that it should be... -Tom

Re: [Shorewall-users] HFSC traffic shaping

2006-09-25 Thread Tom Eastep
Ian wrote: Does Shorewall really not support HFSC? Yes -- the traffic shaper built into Shorewall really does not support HFSC. -Tom

Re: [Shorewall-users] Qos into SHorewall for Asterisk

2006-09-25 Thread Tom Eastep
certain to be in the wrong order. -Tom

Re: [Shorewall-users] DNAT failing with no error

2006-09-25 Thread Tom Eastep
DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0 Do you set TC_EXPERT=Yes in shorewall.conf? -Tom

Re: [Shorewall-users] DNAT failing with no error

2006-09-25 Thread Tom Eastep
Christophe Zwecker wrote: Tom Eastep wrote: Christophe Zwecker wrote: Hi, attached is my shorewall dump. when connecting from outside to my ip from 2nd isp (87.139.112.239) I see this in the log: Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT= MAC=00:0e:0c:84:16:42:00

Re: [Shorewall-users] dnat question

2006-09-25 Thread Tom Eastep
to a server running on the Shorewall box. It sounds like you want to redirect to a server on a remote system on the net -- DNAT loc:192.168.1.2 net:<ip of server>:81 tcp 80 -Tom

Re: [Shorewall-users] shorewall not doing SNAT for proto GRE ?

2006-09-26 Thread Tom Eastep
Tom Eastep wrote: It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client. Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP

Re: [Shorewall-users] Shorewall and UDP port 500

2006-09-26 Thread Tom Eastep
' output to a different file 5. diff the files That should give you at least some indication as to where the packets are being seen. If you can't solve it that way, send us both files and we'll see what we can see. -Tom

Re: [Shorewall-users] VPN and traffic shaping: check of understanding

2006-09-27 Thread Tom Eastep
all traffic. I would just set rate=1kbit - because VPN traffic goes over the same physical interface as eth0, presumably we have to limit eth0 traffic as well, otherwise excessive non-VPN traffic could adversely affect VoIP VPN traffic? Yes. -Tom

[Shorewall-users] Shorewall 3.2.4

2006-09-28 Thread Tom Eastep
ip_conntrack_tftp loadmodule ip_nat_amanda loadmodule ip_nat_ftp loadmodule ip_nat_irc loadmodule ip_nat_pptp loadmodule ip_nat_snmp_basic loadmodule ip_nat_tftp -Tom

Re: [Shorewall-users] Bug? Packets dropped but they shouldn't

2006-09-30 Thread Tom Eastep
, troubleshooting guide, ...). -Tom

Re: [Shorewall-users] Error after update

2006-10-02 Thread Tom Eastep
Tom Eastep wrote: Elio Tondo wrote: and in the masq file: #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth1!192.158.10.5,192.158.10.60 (masquerading for all machines in loc except for the two with static NAT). It used to work

Re: [Shorewall-users] Error after update

2006-10-02 Thread Tom Eastep
Tom Eastep wrote: Tom Eastep wrote: Elio Tondo wrote: and in the masq file: #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth1!192.158.10.5,192.158.10.60 (masquerading for all machines in loc except for the two with static NAT

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-03 Thread Tom Eastep
Craig, Ooops -- please try the one at: ftp://ftp1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.4/errata/Shorewall/ Sorry for the screwup, -Tom

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Sorry for the screwup, I had uploaded the 3.3 compiler by mistake. -Tom

Re: [Shorewall-users] Problem with multiple IP addresses

2006-10-05 Thread Tom Eastep
the additional ACCEPT rules. -Tom

[Shorewall-users] Sourceforge Mailing List Problem Resolved

2006-10-05 Thread Tom Eastep
Sourceforge has been experiencing mailing list issues since 10/3 -- the problem was resolved this morning and the mail backlog is clearing. Apologies to those of you who have been waiting for a response to your question or problem report. -Tom

Re: [Shorewall-users] Newbie question

2006-10-05 Thread Tom Eastep
to include a trace file. See http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] Help with redirecting ports (25, 3389) from static IP to another internal server

2006-10-05 Thread Tom Eastep
DNAT or relay the mail? Use DNAT. -Tom

Re: [Shorewall-users] VoIP traffic shaping

2006-10-05 Thread Tom Eastep
in the documentation? -Tom

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Craig M. Nicholson wrote: Hi Tom, I've already applied the patch file against /usr/share/shorewall/compiler and it works. However I did a quick diff against compiler file you put in the errata and it's different, so which one is the right one? Both fix the problem

Re: [Shorewall-users] Help with connection problem

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Fernando Galvan wrote: I'm trying to set up the firewall so that most of the users on my network can only access the net through a proxy and most ports are closed. But I need certain machines to be able to access all ports both inbound and outbound. I've tried all sorts

Re: [Shorewall-users] multiple uplinks - questions

2006-10-05 Thread Tom Eastep
-- but it is what we have currently so until 3.4, we must live with it. -Tom

[Shorewall-users] Shorewall 3.0.9

2006-10-06 Thread Tom Eastep
is $FW[:address] in which case the rule is processed out of the OUTPUT chain.

Re: [Shorewall-users] Problem getting ProxyARP and loc to play together

2006-10-07 Thread Tom Eastep
hacked, please do not blame Shorewall. -Tom

Re: [Shorewall-users] multiple uplinks - questions

2006-10-08 Thread Tom Eastep
Tom Eastep wrote: All routes in the main table (or whatever table is mentioned in the DUPLICATE column) have an associated interface. The way that Shorewall builds the provider-specific routing tables is to copy entries from the table specified in the DUPLICATE column. The COPY column

Re: [Shorewall-users] Problem with routing

2006-10-09 Thread Tom Eastep
But for those packets to go to 192.168.241.65 the source must also be rewritten to 196.44.33.118. Any ideas? In Shorewall, all source address rewriting is accomplished using entries in /etc/shorewall/masq. -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
? DNAT is applied before SNAT. And if you have more problems, please include a dump (see http://www.shorewall.net/support.htm#Guidelines). -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
). -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
://www.shorewall.net/IPSEC-2.6.html. Without policy match, SNAT rules are not applied until after the traffic is encrypted and encapsulated; by that time, it is too late to change the original SOURCE IP address. -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
Tom Eastep wrote: Jan van der Vyver wrote: I am trying to ssh from a machine (192.168.10.198) behind machine A (192.168.10.200) to 192.168.20.33. Between machine A and machine B there is a ipsec vpn. Config for this vpn: conn in2one-to-adept type=tunnel connaddrfamily

Re: [Shorewall-users] Locked out

2006-10-10 Thread Tom Eastep
out in the HOWTOs that I just referred you to. To restore full (wide open) operation, use /sbin/shorewall clear. -Tom

Re: [Shorewall-users] Multi ISP - possible bug in incoming connections

2006-10-10 Thread Tom Eastep
Tom Eastep wrote: Craig M. Nicholson wrote: Surely if the connection is tracked and marked then the reply packets should go out of the interface that the request came in on? Any ideas anyone? Craig, Sorry -- I can't comment without seeing a 'shorewall dump' collected as described

Re: [Shorewall-users] HIGH_ROUTE_MARKS mask and compiler skript

2006-10-10 Thread Tom Eastep
providers. However if I want to set connection marks in tcrules to manually influence routing between the providers, shorewall throws an error. You do NOT set connection marks in tcrules to manually influence routing. You set packet marks! -Tom

Re: [Shorewall-users] HIGH_ROUTE_MARKS mask and compiler skript

2006-10-10 Thread Tom Eastep
to mention that connection marking rules also use a mask of 0xFF. I will change the code, however, to only specify the mask when HIGH_ROUTE_MASK=Yes is used; that way, users who don't have Extended CONNMARK SUPPORT can still use connection marks with HIGH_ROUTE_MASK=No. -Tom

Re: [Shorewall-users] HIGH_ROUTE_MARKS mask and compiler skript

2006-10-10 Thread Tom Eastep
to use: 0x0200:P +PPPROUTING 0.0.0.0/0 0x0200:P 0.0.0.0/0 +PPPROUTING b) You use low marks in the FORWARD chains for traffic shaping: 1:F 0.0.0.0/0 0.0.0.0/0 tcp 22 -Tom

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-12 Thread Tom Eastep
Tom Eastep wrote: Tom Eastep wrote: Brian J. Murrell wrote: On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote: The 'Drop' chain is generated by the Drop action which gets called because it is the default action for DROP policies (http://www.shorewall.net/Actions.html#id2500209). Indeed

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-12 Thread Tom Eastep
Brian J. Murrell wrote: On Thu, 2006-12-10 at 13:59 -0700, Tom Eastep wrote: I wonder if that's the right thing to do though. I'd think letting people define what traffic they don't want to log using the existing macros even if they want, would not be better. I'll await your patch

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Tom Eastep
Brian J. Murrell wrote: On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote: One change -- the user exit will be called maclog rather than maclist (since that file name is already taken). Great. Can you point me at the commit when you make it? Or just point me at your browse_cvs and I can

Re: [Shorewall-users] Tc rules Help with multiISP+ squid squidguard...

2006-10-13 Thread Tom Eastep
=3323 dport=80 packets=6 bytes=916 src=84.96.219.201 dst=90.1.80.88 sport=80 dport=3323 packets=4 bytes=408 [ASSURED] mark=201 use=1 So I guess that I'm back to my original suggestion -- see what is happening using tcpdump or Ethereal. -Tom

Re: [Shorewall-users] Question about content in log

2006-10-15 Thread Tom Eastep
the IN and OUT interfaces are missing from what you sent. b) Understand the physical topology of the network. c) Understand the definitions of the zones involved (do you really have both 'net' and 'inet' zones?). d) Understand your routing. Sorry, -Tom

Re: [Shorewall-users] Question about content in log

2006-10-15 Thread Tom Eastep
'pkttype' implementation is not matching that packet as multi-cast. -Tom

[Shorewall-users] Shorewall 3.2.4 Debian Package

2006-10-15 Thread Tom Eastep
There is a Shorewall 3.2.4 .deb available at http://idea.sec.dico.unimi.it/~lorenzo/shorewall/ -Tom

Re: [Shorewall-users] How to add forward rules

2006-10-16 Thread Tom Eastep
Tom Eastep wrote: Pompon wrote: Thank you Tom for your help; however, I can't manage to make it work. I defined a new zone 'rad' for defining rules for the C address, and I try to open this traffic for any address on the net, so in the rules file I have: ACCEPT rad:Cnet all

Re: [Shorewall-users] Shorewall 3.2.4 Debian Package

2006-10-16 Thread Tom Eastep
Zachary Palmer wrote: Tom Eastep wrote: Zachary Palmer wrote: Excellent! If I may ask, is there a particular reason of which you are aware that Shorewall 3.0.7 is the most recent version in the official Debian repositories? Yes, there is. Ah. Anywhere I could find

Re: [Shorewall-users] Forwarding

2006-10-16 Thread Tom Eastep

Re: [Shorewall-users] Adding a wireless card

2006-10-16 Thread Tom Eastep
network, linux wireless router howto and much much more, but so far I have been getting nothing that I can use. Do I need to buy a wireless router and skip my whole shorewall setup just to get a working wlan? http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html -Tom

[Shorewall-users] New Shorewall Debian Packages

2006-10-16 Thread Tom Eastep
package. Thanks. -- lorenzo -Tom

Re: [Shorewall-users] Tc rules Help with multiISP + squid squidguard...

2006-10-17 Thread Tom Eastep
you sent, it looks like many SYN packets are being sent on ppp0 and never replied to. So you need to confirm that they are actually being sent on ppp0 and not on eth0. Does ppp0 work if you configure it as your only Internet connection? -Tom

Re: [Shorewall-users] Multiple Isp Traffic Shaping

2006-10-17 Thread Tom Eastep
with the tcrules I have currently. Hi Mike, Your CLASSIFY rules are wrong. The minor class of Shorewall-generated TC classes is (100 + mark value) (e.g., 1:110, 1:120, etc.) whereas you are specifying 1:10, 1:20, ... -Tom

Re: [Shorewall-users] Tc rules Help with multiISP+ squid squidguard...

2006-10-17 Thread Tom Eastep
, will generate brand new packets to send to the net -- these packets currently have no mark. -Tom

Re: [Shorewall-users] route all p2p traffic with another link

2006-10-18 Thread Tom Eastep
go through ISP2 -- traffic from i.j.k.l to a.b.c.d will continue to be handled by ISP1. -Tom

Re: [Shorewall-users] DNAT

2006-10-18 Thread Tom Eastep
of the way. The IPTables rules are going too, if somebody feels like they want to see. Have you followed the DNAT debugging tips in Shorewall FAQs 1a and 1b? -Tom

[Shorewall-users] Webmin 1.300 Supports Shorewall 3.x!!!

2006-10-19 Thread Tom Eastep
I'm pleased to announce that the current version of Webmin (1.300) includes support for Shorewall 3.x. I've played with it for a bit and it looks really good! -Tom

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
like the only way to discover the root cause of the problem. -Tom

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
List Receiver wrote: Tom Eastep wrote: Have you used a packet sniffer to try to understand what is happening? Seems like the only way to discover the root cause of the problem. -Tom No, not yet. I don't consider myself proficient at tcpdump to make that part of my normal

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
a Windows version now... You can capture a trace with tcpdump (using -w) then analyze it on another system with Ethereal. -Tom

Re: [Shorewall-users] Problem with virtual interface

2006-10-21 Thread Tom Eastep
firewall in a vserver -- only on the host (rootserver). See the Vserver FAQ. -Tom

Re: [Shorewall-users] SSH service in two firewall environment

2006-10-21 Thread Tom Eastep
to the internal ip 192.168.1.200. So, will it be necessary to do something from the Shorewall side to make this work? You want to connect to SSHD on the Shorewall Firewall? If so, just add this rule: ACCEPT net $FW tcp 22 -Tom

Re: [Shorewall-users] SSH service in two firewall environment

2006-10-21 Thread Tom Eastep
Paulo Almeida wrote: By the way, I want to give my recognition for the excellent work that has been made throughout the last years for Shorewall. Thanks, Paulo! -Tom

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
zone rather than the loc zone. And the same kludgy hack is required to make it work (you must make all redirected requests look as if they came from 1.1.1.11 (or 1.1.1.254)). Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
Roberto Tagliaferri wrote: Tom Eastep wrote: Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom I left the masq file empty :-( Now it's ok: #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth0:1

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
Roberto Tagliaferri wrote: Tom Eastep wrote: Roberto Tagliaferri wrote: Tom Eastep wrote: Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom I left the masq file empty :-( Now it's ok: #INTERFACE

Re: [Shorewall-users] another ip

2006-10-24 Thread Tom Eastep
Kiss Gábor wrote: Tom Eastep wrote: Kiss Gábor wrote: Hello, I am running version 3.0.4 on Ubuntu Server. My firewall has a public ip ( x.y.z.24 ). I want another public ip (x.y.z.56) and want to redirect all of the traffic that comes to it from the internet to a local ip address

Re: [Shorewall-users] Shorewall will not start without a 'shorewall restore standard'

2006-10-25 Thread Tom Eastep
before Shorewall will start. There are several ways to do that: a) /etc/shorewall/ipsets. b) An init script that runs before Shorewall starts. c) Code in /etc/shorewall/init d) ... So which mechanism do you believe that you are using? -Tom

Re: [Shorewall-users] Shorewall will not start without a 'shorewall restore standard'

2006-10-25 Thread Tom Eastep
Pollywog wrote: On Wednesday 25 October 2006 23:50, Tom Eastep wrote: Pollywog wrote: I don't know what I did, but I can no longer start Shorewall after a reboot until I have done a restore of the ipsets. Is the only solution a removal and reinstallation of Shorewall? Without knowing what

Re: [Shorewall-users] what is the best way to copy config to another machine?

2006-10-25 Thread Tom Eastep
after installing the normal shorewall package? I would just copy /etc/shorewall/ -Tom

Re: [Shorewall-users] how do I allow SMB with a macro, overriding the default?

2006-10-25 Thread Tom Eastep
machines in the LAN. This isn't a problem report -- see http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] how do I allow SMB with a macro, overriding the default?

2006-10-25 Thread Tom Eastep
machines in the LAN. As noted at http://www.shorewall.net/samba.htm, you must use SMB/ACCEPT in both directions: SMB/ACCEPT net $FW SMB/ACCEPT $FW net -Tom

Re: [Shorewall-users] Redirect proxy request from 8080 to port 80

2006-10-26 Thread Tom Eastep
/ # PORT PORT(S) DEST LIMIT GROUP REDIRECT loc 80 tcp - 8080 192.168.1.1 It doesn't work. You have the 8080 in the wrong column. -Tom

Re: [Shorewall-users] PPTPD on single interface

2006-10-26 Thread Tom Eastep
Shorewall totally is not going to be any more insecure than the silly configuration above. Thirdly, if you determine that the problem only occurs with Shorewall started, then please follow the problem reporting guidelines (http://www.shorewall.net/support.htm). -Tom

Re: [Shorewall-users] Saprouter forwarding from shorewall firewall to an internal saprouter server

2006-10-26 Thread Tom Eastep
are going to the correct box. -Tom

Re: [Shorewall-users] configuration files

2006-10-26 Thread Tom Eastep
script (or a flavor of that script) in the product and allow users to generate configuration files that have documentation in them. -Tom

Re: [Shorewall-users] configuration files

2006-10-26 Thread Tom Eastep
themselves in the foot each time that they upgrade. -Tom

Re: [Shorewall-users] configuration files

2006-10-26 Thread Tom Eastep
Vieri Di Paola wrote: --- Tom Eastep [EMAIL PROTECTED] wrote: Simon Matter wrote: The issue is not Gentoo specific. With rpm based distributions, rpm doesn't even try to merge configs. I have my own script to do that so I always have the original header after an upgrade. Your idea

Re: [Shorewall-users] Redirect proxy request from 8080 to port 80

2006-10-27 Thread Tom Eastep
themselves need to be configured to bypass the proxy when accessing your local web server. -Tom

[Shorewall-users] Shorewall 3.2.5

2006-10-28 Thread Tom Eastep
Shorewall 3.2.5 is now available. Beginning with this release, there will be a single set of Release Notes and a single changelog; these release documents are included in both the Shorewall and Shorewall Lite packages. The Release Notes are attached. -Tom

Re: [Shorewall-users] ERROR: Command /sbin/iptables -A Drop -p tcp -j dropNotSyn Failed

2006-10-29 Thread Tom Eastep
(most iptables problems with Debian concern an incompatibility of Debian iptables 1.3.5 with the Debian 2.6.16 and later kernels). -Tom

Re: [Shorewall-users] ERROR: Command /sbin/iptables -A Drop -p tcp -j dropNotSyn Failed

2006-10-29 Thread Tom Eastep
source you use but rather that the kernel source used to build iptables should match the kernel you are running. -Tom

Re: [Shorewall-users] Routing via gateway

2006-10-29 Thread Tom Eastep
: Destination host unreachable. Does anyone have any ideas? Do I need to NAT the traffic or add another route command? There are very detailed instructions for handling this configuration at http://www.shorewall.net/Multiple_Zones.html -Tom

Re: [Shorewall-users] Multi-isp and QoS woes

2006-10-30 Thread Tom Eastep
and remember that 'track' sets the connection mark which then gets copied to the packet mark. So by default, connections out of eth0 have mark = 1 and those out of eth1 have mark = 2. So unless your FORWARD marking rules overwrite those marks, they are used for traffic classification. -Tom

Re: [Shorewall-users] REPOST: Routing via gateway

2006-10-30 Thread Tom Eastep
Any ideas would be great. You are going to have to describe the problem more completely than that if you want my help. From what you have written, I cannot even guess what problem you are trying to solve. Hint: http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
tcp - 22 - - - 8 Those last two rules have way too many columns. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
Tom Eastep wrote: Zachary Palmer wrote: # SSH (with lower priority SCP) 3 0.0.0.0/0 0.0.0.0/0 tcp 22 3 0.0.0.0/0 0.0.0.0/0 tcp - 22 4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8 4 0.0.0.0/0

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
value: - Terminated Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
: Invalid Mark or Mask value: - Terminated Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset. -Tom

[Shorewall-users] Known Problems and Fixes for 3.2.5

2006-11-02 Thread Tom Eastep
from the errata/patches directory. -Tom

Re: [Shorewall-users] Please help me.

2006-11-02 Thread Tom Eastep
# === node1 ipv4 node2 ipv4 If you have further problems, please submit the information requested at http://www.shorewall.net/support.htm#Guidelines. -Tom

Re: [Shorewall-users] Please help me.

2006-11-02 Thread Tom Eastep
Tom Eastep wrote: sada wrote: 1) I can not log-in shorewall router from eth0 (I can log in from node 1 or 2 ) Since you did not include your rules, we can't comment on that. How are you trying to log in? SSH? Sorry -- I meant to delete that. I assume that you are trying to log in from

Re: [Shorewall-users] Problem configuring shorewall

2006-11-02 Thread Tom Eastep
Peter Haijen wrote: Very puzzled as to what is wrong here thx for any help you may offer! Check the Shorewall Xen documentation and look for ethtool. Sounds like you have the common checksum problem. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-03 Thread Tom Eastep
Zachary Palmer wrote: I just have no clue how I got this to work before... and honestly, I did... even tested the shaping ability several times. I don't either -- the bug was introduced in Shorewall 3.2.3 and you were the first to bring it to my attention. -Tom
