> OK, I'm seeing a very odd behavior here, but at least I can now easily
> reproduce the issue.
>
> I have a test host with IP address 192.168.215.200 pinging continuously
> the Shorewall FW at 192.168.215.1.
> At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
> on the FW is con
Hi,
I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just to
see that the rules haven't been updated:
[root@abc ~]# shorewall reload
Reloading Shorewall
Initializing...
Processing /etc/shorewall/init ...
Setting net.netfilter.nf_conntrack_max = 1048576
Processing /etc/shore
> On 10/4/20 10:18 AM, Matt Darfeuille wrote:
>> On 10/4/2020 6:58 PM, Simon Matter wrote:
>>> Hi,
>>>
>>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just
>>> to
>>> see that the rules haven't been updated
> On 10/4/20 10:18 AM, Matt Darfeuille wrote:
>> On 10/4/2020 6:58 PM, Simon Matter wrote:
>>> Hi,
>>>
>>> I've just updated Shorewall from 5.2.7 to 5.2.8 and did a reload just
>>> to
>>> see that the rules haven't been updated
> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>> >> Compilation will only happen when '/etc/shorewall' is modified.
>> >> So if I'm not mistaken, updating the firewall will not trigger a
>> >> recompilation.
>> >>
> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>> Compilation will only happen
> Hi,
>
> If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT
> rule such as the following
>
> ACCEPT lan1:10.215.144.0/23 wan tcp,udp 80,443
>
> I'd like to know why I am seeing the following in the shorewall log
> when a user accesses a web page:
>
> kernel: Shorewa
> On Wed, Oct 7, 2020 at 1:31 PM Simon Matter
> wrote:
>>
>> > Hi,
>> >
>> > If my rules allow HTTP and HTTPS access (ports 80, 443) with an ACCEPT
>> > rule such as the following
>> >
>> > ACCEPT lan1:10.215.144.0/23 wan
>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>> Compilation
> Hi,
>
> What does this message mean, and what should I look for to fix it?
>
> Error: Invalid prefix for given prefix length.
> ERROR: Command "ip -4 route replace 10.215.106.193/26 via
> 172.28.17.110 dev ibs table 254" Failed
>
> In my routes file I have:
>
> main 10.215.106.0/26
> Hi,
>
> I configured dhcrelay so that clients in my "lan1" zone should get IP
> addr. leases from a server in my "ibs" zone.
>
> This is the command I run:
>
> /usr/sbin/dhcrelay -q -i lan.1 10.215.137.54
>
> BTW, a foreground run shows messages such as:
>
> Forwarded BOOTREQUEST for a4:bb:6d:03:
> Hi,
>
> I configured dhcrelay on my shorewall router to send DHCP requests to
> a remote DHCP server. I need to listen for DHCP requests on one
> interface (say lan.1). However, this interface has multiple IP
> addresses/netmasks. The remote DHCP server has only one scope and only
> one of the
>
>> This assumes that the content of '/etc/shorewall' was not modified.
>
>> Please try this
>
>> $ tail -n 7 interfaces
>> ?FORMAT2
>> net wlp2s0 detect
>> net wlp0s20f0u1 detect
>> net enp0s31f6 detect
>> dock docker0 bridge
>> $ shorewall check && shorewall start
>
> The output is:
>
> [roo
>> Please check, it should probably be
>
>> ?FORMAT 2
>
>> Note the space!
>
> The output is:
>
>
> [root@franz-820 shorewall]# tail -n 7 interfaces
> ?FORMAT 2
> net wlp2s0 detect
> net wlp0s20f0u1 detect
> net enp0s31f6 detect
> dock docker0 bridge
>
>
> [root@franz-8
> Hi
> I like to setup shorewall to accept connection from my IP from port 4442
> and shorewall will forward that to port 22 ssh
> I tried this but doesn't work
> ACCEPT net:192.168.0.203 fw tcp 22 4442
I'm quite sure you want to use a DNAT or REDIRECT rule here instead
> On Sun, 2022-02-06 at 10:58 -0500, Brian J. Murrell wrote:
>>
>>
>> Well, it is, in that shorewall is using obsoleted interfaces.
>
>
> There is now an MR at
> https://gitlab.com/shorewall/code/-/merge_requests/5 to migrate to
> newer, supported interfaces.
What's wrong with the other method you
Hi Vieri,
> Hi,
>
> I'm trying to solve some possible SIP issues in my LAN, and I'd like
> to temporarily disable SIP-related Linux kernel modules.
> It seems that shorewall loads the modules according to the content of
> /usr/share/shorewall/helpers. Instead of touching that file I'd rather
> set
> I'd say the problem is on the host that might not have all packages
> updated, namely the ca-certificates (or equivalent) package. At a first
> glance it doesn't seem like a firewall problem.
>
> @Vieri, please try to do a yum/apt (or equivalent depending on the
> machine OS package manager) upda
> Hello Matt,
>
> Thank you so much for your reply. Unfortunately when I perform the
> 'shorewall clear' command, I lose all access to the outside world
Maybe you have to enable ip forwarding once you disable shorewall?
Simon
> (internet) so I am unable to test.
>
> Thank you for your time.
>
>
> On Fri, 01/04/2022 at 14.44 -0400, Robert K Coffman Jr. -Info
> From Data Corp. wrote:
>> Do you have any traffic shaping configured?
> No, it is not configured
>
> cat /etc/shorewall/tc* | grep -v '^#'|wc -l
> 0
>
>> >
>> > Seems that the firewall pass-through limited the traffic s
> On Sat, 02/04/2022 at 10.37 +0200, Simon Matter wrote:
>> I'd suggest to check with ethtool if all interfaces are really on
>> 1Gbps.
>> This sounds like you have a 100Mbps somewhere.
>
> This is ethtool output[1]
>
> the only difference compare
> On Sat, 02/04/2022 at 18.18 +0200, Simon Matter wrote:
>> So, what speed do you get when you check on the firewall itself?
>
> I have installed and run speedtest-cli, this is the last check:
>
> Tes
> Hi,
>
> There are hosts in my LAN behind a Shorewall FW that need to keep
> Oracle connections alive (tcp 1521) with other hosts that are behind a
> remote Fortinet Fortiguard FW.
>
> The Fortinet admin has set the following in his FW:
>
> set protocol 6
> set timeout 2880
M Vieri Di Paola
> wrote:
>
>> On Wed, Nov 9, 2022 at 8:15 AM Simon Matter
>> wrote:
>> >
>> > > The Fortinet admin has set the following in his FW:
>> > >
>> > > set protocol 6
>> > > set timeout 28
Hi,
> I am trying to route traffic from LOC to a network I have configured in
> the routes file.
I may be wrong here but I think the routes file is used for special cases
when you have more than one internet connection and such things.
For your case, did you add a routing entry to the hosts rou
Hi Yassine,
> Hello All,
>
> Today,
> Something caught my attention while looking for errors in log files.
>
> [code]
> root@messagerie-principale[10.10.10.19] ~ # tail -f
> /var/log/apache2/roundcube.error /var/log/fail2ban.log
> /var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log
>
Hi Philip,
> This may be an underlying Linux problem but I first of all need to run
> it past you guys and gals here as few people on Linux forums will be
> familiar with Shorewall.
>
> We have a Shorewall firewall at the school where I volunteer, protecting
> the school network from a Raspberry P
Hi,
>
>> Some comments:
>> (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than
>> Web(ACCEPT) which just combines the two.
>
> I don't understand why Web exists then, if it's not recommended to use it.
> I replaced Web by HTTP and HTTPS lines, and of course, nothing changed.
>
I guess
> Shorewall version 5.2.8 on RHEL 7 virtualized on Ovirt hypervisors,
> routing and filtering traffic between 5 networks full of VMs via VLANs
> in Ovirt.
> All virtual VM interfaces (including Shorewall VM), are on 10 Gbps.
>
> Effective speed between VMs on same network segment is full 10 Gbps.
>
> Robert Moskowitz wrote:
>> I have just downloaded the shorewall 4.2.4-4 shorewall, shorewall-perl,
>> and shell rpms from the invoca.ca site on to a Fedora 9 server.
>
> That site is run by Simon Matter who also builds the RedHat/Fedora RPMs,
> so we'll have to le
> Simon Matter wrote:
>>> Robert Moskowitz wrote:
>>>
>>>> I have just downloaded the shorewall 4.2.4-4 shorewall, shorewall-perl,
>>>> and shell rpms from the invoca.ca site on to a Fedora 9 server.
>>>>
>>> That site is run by Sim
Hi,
My question is not directly shorewall related but someone on the list
might know an answer.
I'd like to configure a proxyarped host using dhcp.
Gateway:
eth0 192.168.1.0/24
eth1 192.168.2.0/24
The host in question is attached to the eth1 LAN but should be configured
via dhcp to have a 192.1
> Hi,
>
> My question is not directly shorewall related but someone on the list
> might know an answer.
>
> I'd like to configure a proxyarped host using dhcp.
>
> Gateway:
> eth0 192.168.1.0/24
> eth1 192.168.2.0/24
>
> The host in question is attached to the eth1 LAN but should be configured
> vi
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.0 Beta 1.
>
Hi Tom,
Thanks for the upcoming release!
While upgrading my RPMs I found two small issues:
1) IIRC the "continue" file was only used by shorewall-shell. At least
that was the case sometime in the past. I
> I don't think so.
>
> The requirement for the software I want to utilise dictates that the IP
> address of the system be the real world address.
>
> I have to be able to configure the virtual machine's eth0 as
> 203.xxx.xxx.xxx and not any of the IP's from a private subnet.
You may want to use p
> Thanks Simon and Simon :)
>
> Many thanks for this, was able to muddle my way through it and get it
> operating as I require. I have access to the IP externally, just one more
> hurdle.
>
> I cannot get to this IP from within my own network, and am not sure where
> in Shorewall I need to configu
> While watching dmesg connections, I see the following REJECT message
>
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.x DST=203.xx.xx.xx
> LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19417 DF PROTO=TCP SPT=63918 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> As I put google to work, I see this
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> RC2 is now available for download.
Hi Tom,
You have removed some of the old last line comments which looked like this
#LAST LINE --
But you have not removed all of them, I'm not sure whether it's intentional or not?
If those lines can be removed safely wit
> On Aug 5, 2009, at 9:23 AM, Tom Eastep wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Simon Matter wrote:
>>>> -BEGIN PGP SIGNED MESSAGE-
>>>> Hash: SHA1
>>>>
>>>> RC2 is now available fo
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.0.
Hi Tom and team,
Thanks for the new release! I have already updated the RedHat/Fedora RPM's
in the usual place.
Regards,
Simon
> Hi,
>
> I did an update from Red Hat EL 5.3 to 5.4.
>
> Everything works so far. Maybe someone would like to know
>
> iptables-ipv6-1.3.5-5.3.el5
> kernel-PAE-2.6.18-164.el5
> shorewall-4.2.10-3
> shorewall-perl-4.2.10-3
>
Hi,
I don't remember about 4.2.x but with 4.4 you may see this iss
> Simon Matter wrote:
>>>
>>> N E W F E A T U R E S I N 4 . 4 . 3
>>>
> Brian J. Murrell wrote:
>> On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote:
>>> I'll fix these in the next 4.4 release; think I'll wait on 4.2.
>>
>> OK. I will patch OpenWRT's package then.
>>
>> Any thoughts on any (in-)compatibilities that might arise trying to load
>> a 4.4 shorewall[6]-
> On 6/14/10 3:46 PM, Mr Dash Four wrote:
>>
>> The shorewall starts and works perfectly well without this package,
>> though when I try to execute 'shorewall iprange' I get an error from a
>> library in /usr/share, which is caused by missing bc package. Once this
>> package is installed the proble
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.13.
>
Hi Tom and all,
I've just updated some systems to 4.4.13 and I see a new log message on
RHEL4 (yes I know it's ancient):
MARK: can only be called from "mangle" table, not "filter"
Does it hurt? Do you know a so
> On 9/21/10 11:47 PM, Simon Matter wrote:
>
>> I've just updated some systems to 4.4.13 and I see a new log message on
>> RHEL4 (yes I know it's ancient):
>>
>> MARK: can only be called from "mangle" table, not "filter"
>> Does
> Does anyone have any suggestions for hardware requirements? Will a single
> core have the same throughput as a dual core? Amount of RAM? I will be
> using Ubuntu Server.
Do you want to push some Mbits/s or multi Gbits/s through your firewall
and do you plan to handle VPN connections terminate
> Shorewall 4.4.19 is now available for download.
>
Hi Tom,
Thanks for the new release and I hope you are doing fine!
The typo below has just shown up while rebuilding my RPMs.
Thanks,
Simon
--- shorewall-4.4.19/install.sh.orig2011-04-12 16:21:24.0 +0200
+++ shorewall-4.4.19/inst
>
> Thanks to teas...@shorewall.net and we are
> up and running.
>
> 1) After running restorecon, ls -lasZ still reports usr_t - so it looks
> like a Fedora/SELinux bug.
> 2) According to mr.dash.f...@googlemail.com the fc14 and SELinux folks
> are already aware of this, so I will not post a bug
> There has been some dissatisfaction expressed with my decision to merge
> manpage documentation into the configuration files by default. So I'm
> releasing 4.4.20.1 that switches the default to not include
> documentation. If you do want the documentation, supply the -a
> (annotate) option to the
> On 6/7/11 6:55 AM, Simon Matter wrote:
>>> There has been some dissatisfaction expressed with my decision to merge
>>> manpage documentation into the configuration files by default. So I'm
>>> releasing 4.4.20.1 that switches the default to not include
> Shorewall 4.4.20.2 is now available for download.
>
> Problems Corrected:
>
> 3) The 'sfilter' interface option introduced in 4.4.20 was only
> applied to forwarded traffic. Now it is also applied to traffic
> addressed to the firewall itself.
Hi Tom and everybody,
I'm having issues wit
> On Tue, 2011-06-14 at 06:37 -0700, Tom Eastep wrote:
>> On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote:
>>
>> >
>> > Could it be that the wildcard interface definition makes problems
>> here?
>> >
>>
>> I'll take a look.
> On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote:
>> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
>> > I understand that the wildcard "+" is caught here but how would a
>> > wildcard like "eth+" work in this case?
>>
>> It
>
> This thread on OpenVPN has made me wonder if I have this setup correctly.
> (I'm not exactly a shorewall-noobie,
> but I find much of the shorewall talk difficult to follow.)
>
> I have a VPN zone:
> --
> vpn ipv4
> --
> and a
> Possibly OT since this may or may not involve Shorewall - it largely
> depends on what I can get to work !
>
> I need to setup a router on an ADSL line where multiple IPs are
> provided by the ISP.
>
> Hardware wise, we'd probably use a Linksys WRT54GL running OpenWRT
> and a Draytek Vigor 120 mo
> Simon Matter wrote:
>
>> I'm afraid I don't really understand all details and also I don't have
>> any
>> experience with ADSL/PPPoE stuff. But I have something using Cable here
>> which looks a bit similar so maybe you could try like so:
>>
Hi,
I've just realized that something seems to be wrong with traffic shaping
on two systems which were running RHEL4 and are now running RHEL6. While
trying to find what is wrong I even simplified the config but it just
doesn't seem to work as it has with EL4. The test config looks like this
(eth2
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote:
>> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote:
>>
>> >
>> > You might try this suggestion from the Shorewall TC HOWTO:
>> >
>> > Note
>> >
>> > For fast lines, the actual download speed may be well below
>> >
> On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote:
>> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote:
>>
>> > Thanks for your effort in the early morning :)
>> > I'll try what you suggested. The funny thing is that the RHEL4 boxes
>> with
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote:
>> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote:
>>
>> >
>> > You might try this suggestion from the Shorewall TC HOWTO:
>> >
>> > Note
>> >
>> > For fast lines, the actual download speed may be well below
>> >
> On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>
>> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is
>> RHEL6-based and I'm seeing no problem.
>
> I've done a bit more testing. Foobar6.1 is running kernel
> 2.6.32-131.17.1 whereas my Centos6 installation is running
> 2
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:
>> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>> >
>> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which
>> is
>> >> RHEL6-based and I'm seeing no
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:
>> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>> >
>> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which
>> is
>> >> RHEL6-based and I'm seeing no
> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>> >>>
>> >>> Tom, did yo
>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>>> >>>
>>>
>>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:
>>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:
>>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:
>>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:
>
> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote:
>>>
>>> Finally, disabling generic-receive-offload fixes the whole mess :)
>>>
>
> For future reference, what type of NIC do you have that shows this
> behavior?
It's an intel adapter as
>
> On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote:
>
>>
>> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote:
>>>>
>>>> Finally, disabling generic-receive-offload fixes the whole mess :)
>>>>
>>
>> For future reference, what ty
> On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote:
>
>>
>> Thanks, I quickly tested it on one of the existing systems with 4.4.24
>> but
>> it fails to compile - I guess I need 4.4.25beta for it.
>
> Just tested the attached version on 4.4.24.1.
T
> On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote:
>
>> That's what I get:
>>
>> # shorewall check
>> Checking...
>> Global symbol "$rate" requires explicit package name at
>> /usr/libexec/shorewall/Shorewall/Tc.pm line 583.
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.25.
Hi,
While 4.4.25 works fine on our RHEL6 systems I just discovered that it
doesn't work on the old RHEL4 based systems. The problem is with traffic
shaping, with tcdevices:
eth1 5000kbit500kbit
> On Tue, 2011-11-01 at 08:06 +0100, Simon Matter wrote:
>
>> While 4.4.25 works fine on our RHEL6 systems I just discovered that it
>> doesn't work on the old RHEL4 based systems. The problem is with traffic
>> shaping, with tcdevices:
>>
>> eth1
> Hi list,
>
> Just wanted to throw out a heads up. I am not sure if it is just my
> setup or quite
> possibly a CentOS feature, but here goes.
>
> I upgraded my CentOS 6.1 to 6.2 yesterday and when I did some checking
> I
> found out the upgrade disabled shorewall startup. It had even c
> The Shorewall Team is pleased to announce the availability of Shorewall
> 4.5.0.
Hi Tom and Team,
Thanks for the new release!
It looks like the LIBEXEC / PERLLIB handling is broken now :)
I hope attached patch fixes it.
Thanks,
Simon
--- shorewall-4.5.0/install.sh.orig 2012-02-12 20:12:07.0
> Hello,
> During Shorewall/Shorewall6 installation the following files are
> installed:
>
> /etc/logrotate.d/shorewall:
>
> /var/log/shorewall-init.log {
> missingok
> notifempty
> create 0600 root root
> }
>
> /etc/logrotate.d/shorewall6:
>
> /var/log/shorewall6-init.log {
> missing
> On Mon, 8 Oct 2012, Tom Eastep wrote:
>
>> On 10/08/2012 04:44 AM, andre...@apf.it wrote:
>>> On Sun, 7 Oct 2012, Elio Tondo wrote:
>>>
On 07/10/2012 02:20, Tom Eastep wrote:
> On 10/6/12 7:57 AM, andre...@apf.it wrote:
>>
>> Are there some simple work around to use shore
> I've got a project coming up that requires me to protect hosts from each
> other within a network. Specifically, we've a class C subnet, and some
> addresses are assigned to customers (only a handful) we resell bandwidth
> to. At present they are just plugged into our frontend network - not as
>
Hi Tom and all,
I've just updated a box to 4.5.11.1 and it won't start with
Loading Modules...
ERROR: Invalid modules file entry /usr/share/shorewall/modules.xtables
(line 45)
from /usr/share/shorewall/modules (line 23)
Looks like this patch is wrong
--- shorewall-4.5.11/modules.xtables
> Hello to the list,
> I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall
> rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the
> error ERROR: Your kernel/iptables do not include state match support. No
> version of Shorewall will run on this system, after
> On 25/02/2013 12.28, Simon Matter wrote:
>>> Hello to the list,
>>> I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall
>>> rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows
>>> the
>>> error ERROR:
> Hi all:
>
> I'm running a public ntp server (member of the ntp.org pool) behind my
> Shorewall box.
>
> The ntp server is up and running and I see on my status page on ntp.org
> that all is well with my ntp server.
>
> However a few hosts are filling my firewall logs with packets that look
> to
> On Saturday, August 03, 2013 04:25:46 PM johnny bowen wrote:
>> IP Forwarding is used when you need to send packets from one interface
> to
>> another. So if you're using Shorewall there's a good chance you're doing
>> this if you're using it as a firewall for a LAN. By default it's turned
>> off
> It looks as problem in 4.5.20 folder only.
>
> http://canada.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt
> Forbidden
> You don't have permission to access
> /pub/shorewall/4.5/shorewall-4.5.20/releasenotes.txt
> on this server.
>
>
> Apache Server at canada.shorewall.net Por
Hi Tom and all,
I started to play a bit with the AutoBL action on a CentOS 6 box and ran
into the following problems:
1) The action.AutoBL doesn't work for me until I patch it like so:
--- /usr/share/shorewall/action.AutoBL.orig 2013-10-01
00:59:42.0 +0200
+++ /usr/share/shorewall/ac
> On 10/7/2013 6:18 AM, Simon Matter wrote:
>> Hi Tom and all,
>>
>> I started to play a bit with the AutoBL action on a CentOS 6 box and ran
>> into the following problems:
>>
>> 1) The action.AutoBL doesn't work for me until I patch it like so:
>> On 10/7/2013 6:18 AM, Simon Matter wrote:
>>> Hi Tom and all,
>>>
>>> I started to play a bit with the AutoBL action on a CentOS 6 box and
>>> ran
>>> into the following problems:
>>>
>>> 1) The action.AutoBL doesn
> http://www.shorewall.net/VPNBasics.html#tunnels
>
> The /etc/shorewall/tunnels file provides no functionality that could not
> be
> implemented using entries in /etc/shorewall/rules and I have elimination
> of
> the /etc/shorewall/tunnels file as a long-term goal.
>
> Is this still the case? Is
> It's not.
>
> # ethtool -k eth1
> Offload parameters for eth1:
> rx-checksumming: on
> tx-checksumming: on
> scatter-gather: on
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> ntuple
> After poking around, I ran the following command: /sbin/mii-tool -v
> eth_wan
>
> and got these results:
>
> eth_wan: negotiated 100baseTx-FD flow-control, link ok
>
> product info: vendor 00:50:43, model 11 rev 1
>
> basic mode: autonegotiation enabled
>
> basic status: autonego
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.6.0.
Hi Tom and all,
Thanks for the new release!
I found an issue I'm not sure how to solve, sorry for finding it only now
that the release is out.
I was having this in my tcrules file:
#
# fix udp checksums for dhcl
> On 5/16/2014 2:10 AM, Simon Matter wrote:
>>> The Shorewall team is pleased to announce the availability of Shorewall
>>> 4.6.0.
>>
>> Hi Tom and all,
>>
>> Thanks for the new release!
>>
>> I found an issue I'm not sure how to solv
> Thank you,
>
> On 11.12.2014 16:43, Eric Teeter wrote:
>
>> I have submitted a few macros myself, one macro.ActiveDir which is very
>> complicated.
>>
>> PARAM - - udp 655
>> PARAM - - tcp 655
>>
>
> I'll write a macro, with proper comments, and I'll be happy to
>
> now I have recommended it to an organisation where they're going to host a very
> highly secure webserver for online transactions
>
I don't think you have to care too much about speed as long as the
firewall is on decent hardware.
If you want to increase security I recommend to add additional layers to
y
> Hey,
>
> I wrestled quite a bit with shorewall (version 3.0.4) lately to get
> something to work which I expected to be fairly trivial. Most likely
> it really is but I just can't figure it out..
>
> Consider the following scenario:
> All HTTP(S) Traffic from a local machine should be routed thro
> I'm pleased to announce that the current version of Webmin (1.300)
> includes support for Shorewall 3.x. I've played with it for a bit and it
> looks really good!
Indeed it looks very nice. While I'm only using vi to edit shorewall
configs, I understand that it's very good to have a webfrontend
> I was wondering if there could be a slight change to
> the Shorewall configuration files.
>
> It's a Gentoo-specific issue but some other
> distributions might find some interest in this.
>
> Basically, whenever a Gentoo user updates his/her
> shorewall from portage via
>
> # emerge shorewall
>
>
> Hang on, why are you specifying 'protocol 47' for your second line?
IP protocol 47 is GRE, which doesn't look so wrong.
> Shouldn't you be specifying TCP:
>
> ##
> #
> #ACTION SOURCE DEST PROTO DEST SOURCE ORI
> Thomas Debost wrote:
>> I am trying to apply the new :T flag in tcrules. the man page for this
>> file [1] says that if SOURCE is $FW then rules are applied in OUTPUT.
>>
>> this doesn't seem to work on my setup. I have in tcrules :
>>
> The change included in RC1 to fix INCLUDE errors is OK for the 3.2
> release but seems wrong in the long term. I have decided that
> /etc/shorewall/params should only be processed during the compile
> phase and that any shell variables required by extension scripts at
> run-time should be set in