Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-15 Thread Simon Matter
> OK, I'm seeing a very odd behavior here, but at least I can now easily > reproduce the issue. > > I have a test host with IP address 192.168.215.200 pinging continuously > the Shorewall FW at 192.168.215.1. > At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5 > on the FW is con

[Shorewall-users] Shorewall reload doesn't reload?

2020-10-04 Thread Simon Matter
Hi, I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just to see that the rules haven't been updated: [root@abc ~]# shorewall reload Reloading Shorewall Initializing... Processing /etc/shorewall/init ... Setting net.netfilter.nf_conntrack_max = 1048576 Processing /etc/shore

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-04 Thread Simon Matter
> On 10/4/20 10:18 AM, Matt Darfeuille wrote: >> On 10/4/2020 6:58 PM, Simon Matter wrote: >>> Hi, >>> >>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just >>> to >>> see that the rules haven't been updated

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-06 Thread Simon Matter
> On 10/4/20 10:18 AM, Matt Darfeuille wrote: >> On 10/4/2020 6:58 PM, Simon Matter wrote: >>> Hi, >>> >>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just >>> to >>> see that the rules haven't been updated

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-06 Thread Simon Matter
> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >> >> Compilation will only happen when '/etc/shorewall' is modified. >> >> So if I'm not mistaking, updating the firewall will not trigger a >> >> recompilation. >> >>

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-07 Thread Simon Matter
> On 10/6/20 8:50 AM, Matt Darfeuille wrote: >> On 10/6/2020 5:11 PM, Tom Eastep wrote: >>> On 10/6/20 7:33 AM, Simon Matter wrote: >>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >>>>>>>> Compilation will only happen

Re: [Shorewall-users] accept HTTP request / drop HTTP reply

2020-10-07 Thread Simon Matter
> Hi, > > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT > rule such as the following > > ACCEPT lan1:10.215.144.0/23 wan tcp,udp 80,443 > > I'd like to know why I am seeing the following in the shorewall log > when a user accesses a web page: > > kernel: Shorewa

Re: [Shorewall-users] accept HTTP request / drop HTTP reply

2020-10-07 Thread Simon Matter
> On Wed, Oct 7, 2020 at 1:31 PM Simon Matter > wrote: >> >> > Hi, >> > >> > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT >> > rule such as the following >> > >> > ACCEPT lan1:10.215.144.0/23 wan

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-07 Thread Simon Matter
>> On 10/6/20 8:50 AM, Matt Darfeuille wrote: >>> On 10/6/2020 5:11 PM, Tom Eastep wrote: >>>> On 10/6/20 7:33 AM, Simon Matter wrote: >>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: >>>>>>>>> Compilation

Re: [Shorewall-users] routing error when reloading shorewall

2020-10-27 Thread Simon Matter
> Hi, > > What does this message mean, and what should I look for to fix it? > > Error: Invalid prefix for given prefix length. >ERROR: Command "ip -4 route replace 10.215.106.193/26 via > 172.28.17.110 dev ibs table 254" Failed > > In my routes file I have: > > main 10.215.106.0/26
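The error quoted above comes from the kernel, not from Shorewall: ip(8) hands the destination through unchanged, and recent kernels refuse a route whose destination has host bits set under its prefix length with exactly the message "Invalid prefix for given prefix length". 10.215.106.193/26 has host bits set; the /26 it belongs to is 10.215.106.192/26, and that is what the routes entry has to name. The script below is an added example (not code from the thread or from Shorewall) that computes the aligned network for an IPv4 prefix and lints routes-style lines (PROVIDER DEST GATEWAY DEVICE) for the mistake; the routes lines it reads are constructed to mirror the failing command.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: catch route
# destinations with host bits set before "ip route replace" rejects them.

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of A.B.C.D/LEN -> the aligned network X.Y.Z.W/LEN
network_of() {
    addr=${1%/*}; len=${1#*/}
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    echo "$(int_to_ip4 $(( $(ip4_to_int "$addr") & mask )))/$len"
}

# prefix_aligned A.B.C.D/LEN -> exit 0 if no host bits are set, 1 otherwise
prefix_aligned() {
    [ "$(network_of "$1")" = "$1" ]
}

# check_routes reads Shorewall routes lines (PROVIDER DEST GATEWAY DEVICE ...)
# on stdin, reports every DEST with host bits set and exits 1 if any was found.
# Comment lines and ?FORMAT-style directives are skipped.
check_routes() {
    rc=0
    while read -r provider dest rest; do
        case $provider in ''|\#*|\?*) continue ;; esac
        case $dest in */*) ;; *) continue ;; esac
        if ! prefix_aligned "$dest"; then
            echo "$provider: $dest has host bits set; the kernel wants $(network_of "$dest")"
            rc=1
        fi
    done
    return $rc
}

# Constructed routes file (assumption, not the poster's real file): the first
# entry reproduces the destination from the failing ip command above.
ROUTES='#PROVIDER  DEST                 GATEWAY         DEVICE
main       10.215.106.193/26    172.28.17.110   ibs
main       10.215.106.0/26      172.28.17.110   ibs'

printf '%s\n' "$ROUTES" | check_routes || echo "fix the routes file, then: shorewall check"
```

Run it against a copy of /etc/shorewall/routes before `shorewall check`; it only catches the host-bits case, which is the one the kernel message points at, and deliberately does not try to validate gateways or device names.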

Re: [Shorewall-users] dhcrelay

2020-11-23 Thread Simon Matter
> Hi, > > I configured dhcrelay so that clients in my "lan1" zone should get IP > addr. leases from a server in my "ibs" zone. > > This is the command I run: > > /usr/sbin/dhcrelay -q -i lan.1 10.215.137.54 > > BTW, a foreground run shows messages such as: > > Forwarded BOOTREQUEST for a4:bb:6d:03:

Re: [Shorewall-users] dhcp relay agent

2020-12-16 Thread Simon Matter
> Hi, > > I configured dhcrelay on my shorewall router to send DHCP requests to > a remote DHCP server. I need to listen for DHCP requests on one > interface (say lan.1). However, this interface has multiple IP > addresses/netmasks. The remote DHCP server has only one scope and only > one of the

Re: [Shorewall-users] Shorewalll blocks Docker url

2021-09-03 Thread Simon Matter
> >> This assumes that the content of '/etc/shorewall' was not modified. > >> Please try this > >> $ tail -n 7 interfaces >> ?FORMAT2 >> net wlp2s0 detect >> net wlp0s20f0u1 detect >> net enp0s31f6 detect >> dock docker0 bridge >> $ shorewall check && shorewall start > > The output is: > > > > [roo

Re: [Shorewall-users] Shorewalll blocks Docker url

2021-09-03 Thread Simon Matter
>> Please check, it should probably be > >> ?FORMAT 2 > >> Note the space! > > The output is: > > > [root@franz-820 shorewall]# tail -n 7 interfaces > ?FORMAT 2 > net wlp2s0 detect > net wlp0s20f0u1 detect > net enp0s31f6 detect > dock docker0 bridge > > > [root@franz-8

Re: [Shorewall-users] Shorewall 5.2.3.2 - Port forwarding

2021-12-27 Thread Simon Matter
> Hi > I'd like to set up shorewall to accept connections from my IP on port 4442 > and shorewall will forward that to port 22 ssh > I tried this but it doesn't work > ACCEPT net:192.168.0.203 fw tcp 22 4442 I'm quite sure you want to use a DNAT or REDIRECT rule here instead
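The rule quoted above cannot do what was intended, for the reason Simon points at: in /etc/shorewall/rules the fifth and sixth columns of an ACCEPT rule are DPORT and SPORT, so that line only matches packets that are already addressed to port 22 and happen to come from source port 4442, and it rewrites nothing. Port translation is done in the nat table, with REDIRECT when the service runs on the firewall itself and DNAT when it runs on a host behind it. The fragment below is an added example, not from the thread and not Shorewall's own documentation; it assumes the default firewall zone variable `$FW`, a LAN zone named `loc` and a hypothetical internal host 10.0.0.22.

```text
#ACTION     SOURCE              DEST               PROTO   DPORT   SPORT
# As posted: matches tcp to port 22 *from* source port 4442, translates nothing
ACCEPT      net:192.168.0.203   $FW                tcp     22      4442

# sshd on the firewall: rewrite port 4442 on the firewall to local port 22
REDIRECT    net:192.168.0.203   22                 tcp     4442

# sshd on a host behind the firewall: rewrite to 10.0.0.22:22 (host is an assumption)
DNAT        net:192.168.0.203   loc:10.0.0.22:22   tcp     4442
```

Keep only one of the last two, run `shorewall check`, and after the reload confirm the translation with `shorewall show nat`. The odd port buys nothing against a scanner; the source restriction to 192.168.0.203 is the part of this rule that is actually doing security work, so keep it in the DNAT or REDIRECT form too.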

Re: [Shorewall-users] Socket6::gethostbyname2 not implemented on this architecture

2022-02-07 Thread Simon Matter
> On Sun, 2022-02-06 at 10:58 -0500, Brian J. Murrell wrote: >> >> >> Well, it is, in that shorewall is using obsoleted interfaces. > > > There is now an MR at > https://gitlab.com/shorewall/code/-/merge_requests/5 to migrate to > newer, supported interfaces. What's wrong with the other method you

Re: [Shorewall-users] Do not load specific Linux kernel modules

2022-02-28 Thread Simon Matter
Hi Vieri, > Hi, > > I'm trying to solve some possible SIP issues in my LAN, and I'd like > to temporarily disable SIP-related Linux kernel modules. > It seems that shorewall loads the modules according to the content of > /usr/share/shorewall/helpers. Instead of touching that file I'd rather > set

Re: [Shorewall-users] Unable to connect to an HTTPS service

2022-02-28 Thread Simon Matter
> I'd say the problem is on the host that might not have all packages > updated, namely the ca-certificates (or equivalent) package. At a first > glance it doesn't seem like a firewall problem. > > @Vieri, please try to do a yum/apt (or equivalent depending on the > machine OS package manager) upda

Re: [Shorewall-users] Google Classroom Video not making it through firewall

2022-03-30 Thread Simon Matter
> Hello Matt, > > Thank you so much for your reply. Unfortunately when I perform the > 'shorewall clear' command, I lose all access to the outside world Maybe you have to enable ip forwarding once you disable shorewall? Simon > (internet) so I am unable to test. > > Thank you for your time. > >

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-02 Thread Simon Matter
> On Fri, 01/04/2022 at 14.44 -0400, Robert K Coffman Jr. - Info > From Data Corp. wrote: >> Do you have any traffic shaping configured? > No, it is not configured > > cat /etc/shorewall/tc* | grep -v '^#'|wc -l > 0 > >> > >> > Seems that the firewall pass through limited the traffic s

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-02 Thread Simon Matter
> On Sat, 02/04/2022 at 10.37 +0200, Simon Matter wrote: >> I'd suggest to check with ethtool if all interfaces are really on >> 1Gbps. >> This sounds like you have a 100Mbps somewhere. > > This is ethtool output[1] > > the only difference compare

Re: [Shorewall-users] Slow firewall pass through network LAN speed ( <99 Mbit/s) after change ISP to 900 Mbit/s ADSL line

2022-04-03 Thread Simon Matter
> On Sat, 02/04/2022 at 18.18 +0200, Simon Matter wrote: >> So, what speed do you get when you check on the firewall itself? > > I have installed and run speedtest-cli, this is the last check: > > Tes

Re: [Shorewall-users] TTL on Oracle connections

2022-11-08 Thread Simon Matter
> Hi, > > There are hosts in my LAN behind a Shorewall FW that need to keep > Oracle connections alive (tcp 1521) with other hosts that are behind a > remote Fortinet Fortiguard FW. > > The Fortinet admin has set the following in his FW: > > set protocol 6 > set timeout 2880

Re: [Shorewall-users] TTL on Oracle connections

2022-11-09 Thread Simon Matter
M Vieri Di Paola > wrote: > >> On Wed, Nov 9, 2022 at 8:15 AM Simon Matter >> wrote: >> > >> > > The Fortinet admin has set the following in his FW: >> > > >> > > set protocol 6 >> > > set timeout 28

Re: [Shorewall-users] ROUTES file and routing traffic

2023-01-18 Thread Simon Matter
Hi, > I am trying to route traffic from LOC to a network I have configured in > the routes file. I may be wrong here but I think the routes file is used for special cases when you have more than one internet connection and such things. For your case, did you add a routing entry to the hosts rou

Re: [Shorewall-users] ineffective shorewall ban

2023-02-13 Thread Simon Matter
Hi Yassine, > Hello All, > > Today, > Something caught my attention while looking for errors in log files. > > [code] > root@messagerie-principale[10.10.10.19] ~ # tail -f > /var/log/apache2/roundcube.error /var/log/fail2ban.log > /var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log >

Re: [Shorewall-users] IP address change not surviving reboot

2023-08-15 Thread Simon Matter
Hi Philip, > This may be an underlying Linux problem but I first of all need to run > it past you guys and gals here as few people on Linux forums will be > familiar with Shorewall. > > We have a Shorewall firewall at the school where I volunteer, protecting > the school network from a Raspberry P

Re: [Shorewall-users] why do I have requests from inside apache server with source ports 80 and 443

2023-10-26 Thread Simon Matter
Hi, > >> Some comments: >> (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than >> Web(ACCEPT) which just combines the two. > > I don't understand why Web exists then, if it's not recommended to use it. > I replaced Web by HTTP and HTTPS lines, and of course, nothing changed. > I guess

Re: [Shorewall-users] Throughput problem

2024-01-08 Thread Simon Matter
> Shorewall version 5.2.8 on RHEL 7 virtualized on Ovirt hypervisors, > routing and filtering traffic between 5 networks full of VMs via VLANs > in Ovirt. > All virtual VM interfaces (including Shorewall VM), are on 10 Gbps. > > Effective speed between VMs on same network segment is full 10 Gbps. >

Re: [Shorewall-users] Where IS shorewall6?

2009-01-11 Thread Simon Matter
> Robert Moskowitz wrote: >> I have just downloaded the shorewall 4.2.4-4 shorewall, shorewall-perl, >> and shell rpms from the invoca.ca site on to a Fedora 9 server. > > That site is run by Simon Matter who also builds the RedHat/Fedora RPMs, > so we'll have to le

Re: [Shorewall-users] Where IS shorewall6?

2009-01-12 Thread Simon Matter
> Simon Matter wrote: >>> Robert Moskowitz wrote: >>> >>>> I have just downloaded the shorewall 4.2.4-4 shorewall, shorewall-perl, >>>> and shell rpms from the invoca.ca site on to a Fedora 9 server. >>>> >>> That site is run by Sim

[Shorewall-users] Howto dhcp on proxyarped host?

2009-06-11 Thread Simon Matter
Hi, My question is not directly shorewall related but someone on the list might know an answer. I'd like to configure a proxyarped host using dhcp. Gateway: eth0 192.168.1.0/24 eth1 192.168.2.0/24 The host in question is attached to the eth1 LAN but should be configured via dhcp to have a 192.1

Re: [Shorewall-users] Howto dhcp on proxyarped host?

2009-06-11 Thread Simon Matter
> Hi, > > My question is not directly shorewall related but someone on the list > might know an answer. > > I'd like to configure a proxyarped host using dhcp. > > Gateway: > eth0 192.168.1.0/24 > eth1 192.168.2.0/24 > > The host in question is attached to the eth1 LAN but should be configured > vi

Re: [Shorewall-users] Shorewall 4.4.0 Beta 1

2009-06-15 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.0 Beta 1. > Hi Tom, Thanks for the upcoming release! While upgrading my RPMs I found two small issues: 1) IIRC the "continue" file was only used by shorewall-shell. At least that was the case sometime in the past. I

Re: [Shorewall-users] DNAT / Live IP Translation

2009-07-30 Thread Simon Matter
> I don't think so. > > The requirement for the software I want to utilise dictates that the IP > address of the system be the real world address. > > I have to be able to configure the virtual machine's eth0 as > 203.xxx.xxx.xxx and not any of the IP's from a private subnet. You may want to use p

Re: [Shorewall-users] DNAT / Live IP Translation

2009-07-31 Thread Simon Matter
> Thanks Simon and Simon :) > > Many thanks for this, was able to muddle my way through it and get it > operating as I require. I have access to the IP externally, just one more > hurdle. > > I cannot get to this IP from within my own network, and am not sure where > in Shorewall I need to configu

Re: [Shorewall-users] DNAT / Live IP Translation

2009-08-01 Thread Simon Matter
> While watching dmesg connections, I see the following REJECT message > > Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.x DST=203.xx.xx.xx > LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19417 DF PROTO=TCP SPT=63918 DPT=80 > WINDOW=8192 RES=0x00 SYN URGP=0 > > As I put google to work, I see this
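The quoted line is what a LAN client looks like when it connects to the public address of a host that is DNATed back into the same LAN: the packet enters on eth1 and would leave on eth1, and Shorewall's FORWARD chain rejects that unless the interface carries the `routeback` option and a DNAT rule also covers the loc-to-loc case. The script below is an added example, not code from the thread or from Shorewall: a parser for the kernel log format Shorewall emits (the `Shorewall:CHAIN:DISPOSITION:` prefix followed by netfilter's `KEY=value` fields) and a check that flags the same-interface pattern. The log lines it is fed are constructed; 192.168.0.10 and 203.0.113.5 (TEST-NET-3) stand in for the redacted addresses above.

```shell
#!/bin/sh
# Added example, not from the thread: parse Shorewall kernel log lines and
# flag the "hairpin" case (forwarded packet with IN and OUT the same interface).

# shorewall_fields LINE -> "CHAIN DISP IN OUT SRC DST PROTO DPT", "-" for empty
# Works with or without a syslog prefix in front of "Shorewall:".
shorewall_fields() {
    printf '%s\n' "$1" |
    sed -n 's/.*Shorewall:\([^:]*\):\([^:]*\):/CHAIN=\1 DISP=\2 /p' |
    awk '
    function v(k) { return (k in f && f[k] != "") ? f[k] : "-" }
    {
        # every KEY=value token becomes f[KEY]; bare flags like DF or SYN are skipped
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        print v("CHAIN"), v("DISP"), v("IN"), v("OUT"), v("SRC"), v("DST"), v("PROTO"), v("DPT")
    }'
}

# is_hairpin LINE -> exit 0 when a FORWARD packet would leave on the interface
# it arrived on, 1 otherwise (also 1 for lines that are not Shorewall logs)
is_hairpin() {
    set -- $(shorewall_fields "$1")
    [ "$1" = "FORWARD" ] && [ "$3" = "$4" ] && [ "$3" != "-" ]
}

# hairpin_count reads log lines on stdin and prints how many were hairpins
hairpin_count() {
    n=0
    while IFS= read -r line; do
        if is_hairpin "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample log (assumption, not real traffic): first line mirrors the
# pattern quoted above, second is an ordinary inbound drop on the net interface.
SAMPLE_LOG='Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19417 DF PROTO=TCP SPT=63918 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do shorewall_fields "$l"; done
echo "hairpin rejects: $(printf '%s\n' "$SAMPLE_LOG" | hairpin_count)"
```

On a live box, feed it the lines containing `Shorewall:` from wherever your syslog writes kernel messages; a non-zero hairpin count on the LAN interface is the cue to look at `routeback` and at the loc-to-loc DNAT rule rather than at the net-side rule, which is never consulted for these packets.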

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.0 RC2

2009-08-05 Thread Simon Matter
> RC2 is now available for download. Hi Tom, You have removed some of the old last line comments which looked like this #LAST LINE -- But you have not removed all, I'm not sure if it's intentional or not? If those lines can be removed safely wit

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.0 RC2

2009-08-07 Thread Simon Matter
> On Aug 5, 2009, at 9:23 AM, Tom Eastep wrote: > >> Simon Matter wrote: >>>> RC2 is now available fo

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.0

2009-08-15 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.0. Hi Tom and team, Thanks for the new release! I have already updated the RedHat/Fedora RPM's in the usual place. Regards, Simon

Re: [Shorewall-users] Upgrade RH EL 5.3 -> 5.4 works - shorewall 4.2.10

2009-09-03 Thread Simon Matter
> Hi, > > I did an update from Red Hat EL 5.3 to 5.4. > > Everything works so far. Maybe someone would like to know > > iptables-ipv6-1.3.5-5.3.el5 > kernel-PAE-2.6.18-164.el5 > shorewall-4.2.10-3 > shorewall-perl-4.2.10-3 > Hi, I don't remember about 4.2.x but with 4.4 you may see this iss

Re: [Shorewall-users] Shorewall 4.4.3

2009-11-04 Thread Simon Matter
> Simon Matter wrote: >>> >>> N E W  F E A T U R E S  I N  4 . 4 . 3 >>>

Re: [Shorewall-users] shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?

2009-12-07 Thread Simon Matter
> Brian J. Murrell wrote: >> On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote: >>> I'll fix these in the next 4.4 release; think I'll wait on 4.2. >> >> OK. I will patch OpenWRT's package then. >> >> Any thoughts on any (in-)compatibilities that might arise trying to load >> a 4.4 shorewall[6]-

Re: [Shorewall-users] [BUG]: bc package dependency not included in shorewall rpm (version 4.4.8)

2010-06-16 Thread Simon Matter
> On 6/14/10 3:46 PM, Mr Dash Four wrote: >> >> The shorewall starts and works perfectly well without this package, >> though when I try to execute 'shorewall iprange' I get an error from a >> library in /usr/share, which is caused by missing bc package. Once this >> package is installed the proble

Re: [Shorewall-users] Shorewall 4.4.13

2010-09-22 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.13. > Hi Tom and all, I've just updated some systems to 4.4.13 and I see a new log message on RHEL4 (yes I know it's ancient): MARK: can only be called from "mangle" table, not "filter" Does it hurt? Do you know a so

Re: [Shorewall-users] Shorewall 4.4.13

2010-09-22 Thread Simon Matter
> On 9/21/10 11:47 PM, Simon Matter wrote: > >> I've just updated some systems to 4.4.13 and I see a new log message on >> RHEL4 (yes I know it's ancient): >> >> MARK: can only be called from "mangle" table, not "filter" >> Does

Re: [Shorewall-users] Hardware requirements

2010-10-10 Thread Simon Matter
> Does anyone have any suggestions for hardware requirements? Will a single > core have the same throughput as a dual core? Amount of RAM? I will be > using Ubuntu Server. Do you want to push some Mbits/s or multi Gbits/s through your firewall and do you plan to handle VPN connections terminate

Re: [Shorewall-users] Shorewall 4.4.19

2011-04-13 Thread Simon Matter
> Shorewall 4.4.19 is now available for download. > Hi Tom, Thanks for the new release and I hope you are doing fine! The typo below has just showed up while rebuilding my RPMs. Thanks, Simon --- shorewall-4.4.19/install.sh.orig2011-04-12 16:21:24.0 +0200 +++ shorewall-4.4.19/inst

Re: [Shorewall-users] Summary: shorewall not auto starting on fedora 14 on vmware

2011-05-09 Thread Simon Matter
> > Thanks to teas...@shorewall.net and we are > up and running. > > 1) After running restorecon, ls -lasZ still reports usr_t - so it looks > like a Fedora/SELinux bug. > 2) According to mr.dash.f...@googlemail.com the fc14 and SELinux folks > are already aware of this, so I will not post a bug

Re: [Shorewall-users] Shorewall 4.4.20.1

2011-06-07 Thread Simon Matter
> There has been some dissatisfaction expressed with my decision to merge > manpage documentation into the configuration files by default. So I'm > releasing 4.4.20.1 that switches the default to not include > documentation. If you do want the documentation, supply the -a > (annotate) option to the

Re: [Shorewall-users] Shorewall 4.4.20.1

2011-06-07 Thread Simon Matter
> On 6/7/11 6:55 AM, Simon Matter wrote: >>> There has been some dissatisfaction expressed with my decision to merge >>> manpage documentation into the configuration files by default. So I'm >>> releasing 4.4.20.1 that switches the default to not include

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.20.2

2011-06-14 Thread Simon Matter
> Shorewall 4.4.20.2 is now available for download. > > Problems Corrected: > > 3) The 'sfilter' interface option introduced in 4.4.20 was only > applied to forwarded traffic. Now it is also applied to traffic > addressed to the firewall itself. Hi Tom and everybody, I'm having issues wit

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.20.2

2011-06-14 Thread Simon Matter
> On Tue, 2011-06-14 at 06:37 -0700, Tom Eastep wrote: >> On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote: >> >> > >> > Could it be that the wildcard interface definition makes problems >> here? >> > >> >> I'll take a look.

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.4.20.2

2011-06-15 Thread Simon Matter
> On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote: >> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote: >> > I understand that the wildcard "+" is caught here but how would a >> > wildcard like "eth+" work in this case? >> >> It

Re: [Shorewall-users] Problem With OpenVPN Connectivity

2011-07-30 Thread Simon Matter
> > This thread on OpenVPN has made me wonder if I have this setup correctly. > (I'm not exactly a shorewall-noobie, > but I find much of the shorewall talk difficult to follow.) > > I have a VPN zone: > -- > vpn ipv4 > -- > and a

Re: [Shorewall-users] Multiple public IPs, same IP in LAN and PPPoE client ?

2011-09-06 Thread Simon Matter
> Possibly OT since this may or may not involve Shorewall - it largely > depends on what I can get to work ! > > I need to setup a router on an ADSL line where multiple IPs are > provided by the ISP. > > Hardware wise, we'd probably use a Linksys WRT54GL running OpenWRT > and a Draytek Vigor 120 mo

Re: [Shorewall-users] Multiple public IPs, same IP in LAN and PPPoE client ?

2011-09-06 Thread Simon Matter
> Simon Matter wrote: > >>I'm afraid I don't really understand all details and also I don't have >> any >>experience with ADSL/PPPoE stuff. But I have something using Cable here >>which looks a bit similar so maybe you could try like so: >>

[Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
Hi, I've just realized that something seems to be wrong with traffic shaping on two systems which were running RHEL4 and are now running RHEL6. While trying to find what is wrong I even simplified the config but it just doesn't seem to work as it has with EL4. The test config looks like this (eth2

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actual download speed may be well below >> >

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-11 Thread Simon Matter
> On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote: >> >> > Thanks for your effort in the early morning :) >> > I'll try what you suggested. The funny thing is that the RHEL4 boxes >> with

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-12 Thread Simon Matter
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actual download speed may be well below >> >

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-12 Thread Simon Matter
> On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: > >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is >> RHEL6-based and I'm seeing no problem. > > I've done a bit more testing. Foobar6.1 is running kernel > 2.6.32-131.17.1 whereas my Centos6 installation is running > 2

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-13 Thread Simon Matter
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I'm seeing no

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-13 Thread Simon Matter
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I'm seeing no

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >> >>> >> >>> Tom, did yo

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>> >>> >>>

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-14 Thread Simon Matter
>>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> > On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>> >>> Finally, disabling generic-receive-offload fixes the whole mess :) >>> > > For future reference, what type of NIC do you have that shows this > behavior? It's an intel adapter as

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> > On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote: > >> >> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>>> >>>> Finally, disabling generic-receive-offload fixes the whole mess :) >>>> >> >> For future reference, what ty

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-17 Thread Simon Matter
> On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote: > >> >> Thanks, I quickly tested it on one of the existing systems with 4.4.24 >> but >> it fails to compile - I guess I need 4.4.25beta for it. > > Just tested the attached version on 4.4.24.1. T

Re: [Shorewall-users] TC issues after updating from RHEL4 to RHEL6

2011-10-18 Thread Simon Matter
> On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote: > >> That's what I get: >> >> # shorewall check >> Checking... >> Global symbol "$rate" requires explicit package name at >> /usr/libexec/shorewall/Shorewall/Tc.pm line 583. >&

Re: [Shorewall-users] [Shorewall-devel] Shorewall 4.4.25

2011-11-01 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.25. Hi, While 4.4.25 works fine on our RHEL6 systems I just discovered that it doesn't work on the old RHEL4 based systems. The problem is with traffic shaping, with tcdevices: eth1 5000kbit 500kbit

Re: [Shorewall-users] [Shorewall-devel] Shorewall 4.4.25

2011-11-01 Thread Simon Matter
> On Tue, 2011-11-01 at 08:06 +0100, Simon Matter wrote: > >> While 4.4.25 works fine on our RHEL6 systems I just discovered that it >> doesn't work on the old RHEL4 based systems. The problem is with traffic >> shaping, with tcdevices: >> >> eth1

Re: [Shorewall-users] CentOS 6.1 to 6.2 upgrade FYI

2011-12-22 Thread Simon Matter
> Hi list, > > Just wanted to throw out a heads up. I am not sure if it is just my > setup or quite > possibly a CentOS feature, but here goes. > > I upgraded my CentOS 6.1 to 6.2 yesterday and when I did some checking > I had > found out the upgrade disabled shorewall startup. It had even c

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.5.0

2012-02-13 Thread Simon Matter
> The Shorewall Team is pleased to announce the availability of Shorewall > 4.5.0. Hi Tom and Team, Thanks for the new release! It looks like the LIBEXEC / PERLLIB handling is broken now :) I hope attached patch fixes it. Thanks, Simon--- shorewall-4.5.0/install.sh.orig 2012-02-12 20:12:07.0

Re: [Shorewall-users] logrotate configs for Shorewall

2012-07-24 Thread Simon Matter
>Hello, >During Shorewall/Shorewall6 installation the following files are > installed: > > /etc/logrotate.d/shorewall: > > /var/log/shorewall-init.log { > missingok > notifempty > create 0600 root root > } > > /etc/logrotate.d/shorewall6: > > /var/log/shorewall6-init.log { > missing

Re: [Shorewall-users] selinux

2012-10-08 Thread Simon Matter
> On Mon, 8 Oct 2012, Tom Eastep wrote: > >> On 10/08/2012 04:44 AM, andre...@apf.it wrote: >>> On Sun, 7 Oct 2012, Elio Tondo wrote: >>> On 07/10/2012 02:20, Tom Eastep wrote: > On 10/6/12 7:57 AM, andre...@apf.it wrote: >> >> Are there some simple work around to use shore

Re: [Shorewall-users] Protecting hosts from each other

2012-12-31 Thread Simon Matter
> I've got a project coming up that requires me to protect hosts from each > other within a network. Specifically, we've a class C subnet, and some > addresses are assigned to customers (only a handful) we resell bandwidth > to. At present they are just plugged into our frontend network - not as >

[Shorewall-users] Typos in 4.5.11.1?

2012-12-31 Thread Simon Matter
Hi Tom and all, I've just updated a box to 4.5.11.1 and it won't start with Loading Modules... ERROR: Invalid modules file entry /usr/share/shorewall/modules.xtables (line 45) from /usr/share/shorewall/modules (line 23) Looks like this patch is wrong --- shorewall-4.5.11/modules.xtables

Re: [Shorewall-users] RedHat 6.4 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

2013-02-25 Thread Simon Matter
> Hello to the list, > I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall > rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the > error ERROR: Your kernel/iptables do not include state match support. No > version of Shorewall will run on this system, after

Re: [Shorewall-users] RESOLVED: Re: RedHat 6.4 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

2013-02-26 Thread Simon Matter
> On 25/02/2013 12.28, Simon Matter wrote: >>> Hello to the list, >>> I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall >>> rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows >>> the >>> error ERROR:

Re: [Shorewall-users] NTP attack?

2013-07-02 Thread Simon Matter
> Hi all: > > I'm running a public ntp server (member of the ntp.org pool) behind my > Shorewall box. > > The ntp server is up and running and I see on my status page on ntp.org > that all is well with my ntp server. > > However a few hosts are filling my firewall logs with packets that looks > to

Re: [Shorewall-users] IP forwarding

2013-08-04 Thread Simon Matter
> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote: >> IP Forwarding is used when you need to send packets from one interface > to >> another. So if you're using Shorewall there's a good chance you're doing >> this if you're using it as a firewall for a LAN. By default it's turned >> off

Re: [Shorewall-users] hShorewall 4.5.20

2013-08-26 Thread Simon Matter
> It looks as problem in 4.5.20 folder only. > > http://canada.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt > Forbidden > You don't have permission to access > /pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt > on this server. > > > Apache Server at canada.shorewall.net Por

[Shorewall-users] AutoBL issues on CentOS 6

2013-10-07 Thread Simon Matter
Hi Tom and all, I started to play a bit with the AutoBL action on a CentOS 6 box and ran into the following problems: 1) The action.AutoBL doesn't work for me until I patch it like so: --- /usr/share/shorewall/action.AutoBL.orig 2013-10-01 00:59:42.0 +0200 +++ /usr/share/shorewall/ac

Re: [Shorewall-users] AutoBL issues on CentOS 6

2013-10-07 Thread Simon Matter
> On 10/7/2013 6:18 AM, Simon Matter wrote: >> Hi Tom and all, >> >> I started to play a bit with the AutoBL action on a CentOS 6 box and ran >> into the following problems: >> >> 1) The action.AutoBL doesn't work for me until I patch it like so:

Re: [Shorewall-users] AutoBL issues on CentOS 6

2013-10-08 Thread Simon Matter
>> On 10/7/2013 6:18 AM, Simon Matter wrote: >>> Hi Tom and all, >>> >>> I started to play a bit with the AutoBL action on a CentOS 6 box and >>> ran >>> into the following problems: >>> >>> 1) The action.AutoBL doesn

Re: [Shorewall-users] Is /etc/shorewall/tunnels still on the way out?

2013-11-07 Thread Simon Matter
> http://www.shorewall.net/VPNBasics.html#tunnels > > The /etc/shorewall/tunnels file provides no functionality that could not > be > implemented using entries in /etc/shorewall/rules and I have elimination > of > the /etc/shorewall/tunnels file as a long-term goal. > > Is this still the case? Is

Re: [Shorewall-users] Multiple ISP + traffic shapping = poor download speed

2013-12-04 Thread Simon Matter
> It's not. > > # ethtool -k eth1 > Offload parameters for eth1: > rx-checksumming: on > tx-checksumming: on > scatter-gather: on > tcp-segmentation-offload: off > udp-fragmentation-offload: off > generic-segmentation-offload: off > generic-receive-offload: off > large-receive-offload: off > ntuple

Re: [Shorewall-users] new to shorewall > need help with incorrect eth_wan link negotiation

2014-05-14 Thread Simon Matter
> After poking around, I ran the following command: /sbin/mii-tool -v > eth_wan > > > > and got these results: > > > > eth_wan: negotiated 100baseTx-FD flow-control, link ok > > product info: vendor 00:50:43, model 11 rev 1 > > basic mode: autonegotiation enabled > > basic status: autonego

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.6.0

2014-05-16 Thread Simon Matter
> The Shorewall team is pleased to announce the availability of Shorewall > 4.6.0. Hi Tom and all, Thanks for the new release! I found an issue I'm not sure how to solve, sorry for finding it only now that the release is out. I was having this in my tcrules file: # # fix udp checksums for dhcl

Re: [Shorewall-users] [Shorewall-announce] Shorewall 4.6.0

2014-05-16 Thread Simon Matter
> On 5/16/2014 2:10 AM, Simon Matter wrote: >>> The Shorewall team is pleased to announce the availability of Shorewall >>> 4.6.0. >> >> Hi Tom and all, >> >> Thanks for the new release! >> >> I found an issue I'm not sure how to solv

Re: [Shorewall-users] Please add support for tinc VPN in Shorewall

2014-12-12 Thread Simon Matter
> Thank you, > > On 11.12.2014 16:43, Eric Teeter wrote: > >> I have submitted a few macros myself, one macro.ActiveDir which is very >> complicated. >> >> PARAM - - udp 655 >> PARAM - - tcp 655 >> > > I'll write a macro, with proper comments, and I'll be happy to

Re: [Shorewall-users] query on shorewall

2006-10-07 Thread Simon Matter
> > now I have recommended it to an organisation where they are going to host a very > highly secure webserver for online transactions > I don't think you have to care too much about speed as long as the firewall is on decent hardware. If you want to increase security I recommend adding additional layers to y

Re: [Shorewall-users] Transparent remote Proxy via SSH-Tunnel (should be trivial?)

2006-10-07 Thread Simon Matter
> Hey, > > I wrestled quite a bit with shorewall (version 3.0.4) lately to get > something to work which I expected to be fairly trivial. Most likely > it really is but I just can't figure it out.. > > Consider the following scenario: > All HTTP(S) Traffic from a local machine should be routed thro

Re: [Shorewall-users] [Shorewall-devel] Webmin 1.300 Supports Shorewall 3.x!!!

2006-10-19 Thread Simon Matter
> I'm pleased to announce that the current version of Webmin (1.300) > includes support for Shorewall 3.x. I've played with it for a bit and it > looks really good! Indeed it looks very nice. While I'm only using vi to edit shorewall configs, I understand that it's very good to have a web frontend

Re: [Shorewall-users] configuration files

2006-10-26 Thread Simon Matter
> I was wondering if there could be a slight change to > the Shorewall configuration files. > > It's a Gentoo-specific issue but some other > distributions might find some interest in this. > > Basically, whenever a Gentoo user updates his/her > shorewall from portage via > > # emerge shorewall > >

Re: [Shorewall-users] My macro is flawed?

2006-11-30 Thread Simon Matter
> Hang on, why are you specifying 'protocol 47' for your second line? IP protocol 47 is GRE, which doesn't look so wrong. > Shouldn't you be specifying TCP: > > ## > # > #ACTION SOURCE DESTPROTO DESTSOURCE ORI

Re: [Shorewall-users] ":T" flags in 3.4.0-RC1

2007-01-25 Thread Simon Matter
> Thomas Debost wrote: >> I am trying to apply the new :T flag in tcrules. the man page for this >> file [1] says that if SOURCE is $FW then rules are applied in OUTPUT. >> >> this doesn't seem to work on my setup. I have in tcrules : >>

Re: [Shorewall-users] [Shorewall-announce] Update to 3.4.0 RC1

2007-02-04 Thread Simon Matter
> The change included in RC1 to fix INCLUDE errors is OK for the 3.2 > release but seems wrong in the long term. I have decided that > /etc/shorewall/params should only be processed during the compile > phase and that any shell variables required by extension scripts at > run-time should be set in
