Re: [Shorewall-users] HFSC traffic shaping

2006-09-25 Thread Tom Eastep
Ian wrote: Does Shorewall really not support HFSC Yes -- the traffic shaper built into Shorewall really does not support HFSC. -Tom -- Tom Eastep\ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key

Re: [Shorewall-users] Qos into SHorewall for Asterisk

2006-09-25 Thread Tom Eastep
certain to be in the wrong order. -Tom

Re: [Shorewall-users] DNAT failing with no error

2006-09-25 Thread Tom Eastep
DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0 Do you set TC_EXPERT=Yes in shorewall.conf? -Tom

Re: [Shorewall-users] DNAT failing with no error

2006-09-25 Thread Tom Eastep
Christophe Zwecker wrote: Tom Eastep wrote: Christophe Zwecker wrote: Hi, attached is my shorewall dump. when connecting from outside to my ip from 2nd isp (87.139.112.239) I see this in the log: Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT= MAC=00:0e:0c:84:16:42:00

Re: [Shorewall-users] dnat question

2006-09-25 Thread Tom Eastep
to a server running on the Shorewall box. It sounds like you want to redirect to a server on a remote system on the net -- DNAT loc:192.168.1.2 net:ip of server:81 tcp 80 -Tom

Re: [Shorewall-users] shorewall not doing SNAT for proto GRE ?

2006-09-26 Thread Tom Eastep
Tom Eastep wrote: It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client. Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP

Re: [Shorewall-users] VPN and traffic shaping: check of understanding

2006-09-27 Thread Tom Eastep
all traffic. I would just set rate=1kbit - because VPN traffic goes over the same physical interface as eth0, presumably we have to limit eth0 traffic as well, otherwise excessive non-VPN traffic could adversely affect VoIP VPN traffic? Yes. -Tom

[Shorewall-users] Shorewall 3.2.4

2006-09-28 Thread Tom Eastep
ip_conntrack_tftp loadmodule ip_nat_amanda loadmodule ip_nat_ftp loadmodule ip_nat_irc loadmodule ip_nat_pptp loadmodule ip_nat_snmp_basic loadmodule ip_nat_tftp -Tom

Re: [Shorewall-users] Bug? Packets dropped but they shouldn't

2006-09-30 Thread Tom Eastep
, troubleshooting guide, ...). -Tom

Re: [Shorewall-users] Error after update

2006-10-02 Thread Tom Eastep
Tom Eastep wrote: Elio Tondo wrote: and in the masq file: #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth1!192.158.10.5,192.158.10.60 (masquerading for all machines in loc except for the two with static NAT). It used to work

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-03 Thread Tom Eastep
Craig, Ooops -- please try the one at: ftp://ftp1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.4/errata/Shorewall/ Sorry for the screwup, -Tom

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Sorry for the screwup, I had uploaded the 3.3 compiler by mistake. -Tom

Re: [Shorewall-users] Problem with multiple IP addresses

2006-10-05 Thread Tom Eastep
the additional ACCEPT rules. -Tom

[Shorewall-users] Sourceforge Mailing List Problem Resolved

2006-10-05 Thread Tom Eastep
Sourceforge has been experiencing mailing list issues since 10/3 -- the problem was resolved this morning and the mail backlog is clearing. Apologies to those of you who have been waiting for a response to your question or problem report. -Tom

Re: [Shorewall-users] Newbie question

2006-10-05 Thread Tom Eastep
to include a trace file. See http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] Bug in shorewall 3.2.4 errata compiler

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Craig M. Nicholson wrote: Hi Tom, I've already applied the patch file against /usr/share/shorewall/compiler and it works. However, I did a quick diff against the compiler file you put in the errata and it's different, so which one is the right one? Both fix the problem

Re: [Shorewall-users] Help with connection problem

2006-10-05 Thread Tom Eastep
Tom Eastep wrote: Fernando Galvan wrote: I'm trying to set-up the firewall so that most of the users on my network can only access the net through a proxy and most ports are closed. But I need certain machines to be able to access all ports both inbound and outbound. I've tried all sorts

Re: [Shorewall-users] multiple uplinks - questions

2006-10-05 Thread Tom Eastep
-- but it is what we have currently so until 3.4, we must live with it. -Tom

Re: [Shorewall-users] Problem getting ProxyARP and loc to play together

2006-10-07 Thread Tom Eastep
hacked, please do not blame Shorewall. -Tom

Re: [Shorewall-users] Problem with routing

2006-10-09 Thread Tom Eastep
But for those packets to go to 192.168.241.65 the source must also be rewritten to 196.44.33.118. Any ideas? In Shorewall, all source address rewriting is accomplished using entries in /etc/shorewall/masq. -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
? DNAT is applied before SNAT. And if you have more problems, please include a dump (see http://www.shorewall.net/support.htm#Guidelines). -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
). -Tom

Re: [Shorewall-users] FW: Problem with routing

2006-10-09 Thread Tom Eastep
Tom Eastep wrote: Jan van der Vyver wrote: I am trying to ssh from a machine (192.168.10.198) behind machine A (192.168.10.200) to 192.168.20.33. Between machine A and machine B there is an ipsec vpn. Config for this vpn: conn in2one-to-adept type=tunnel connaddrfamily

Re: [Shorewall-users] Locked out

2006-10-10 Thread Tom Eastep
out in the HOWTOs that I just referred you to. To restore full (wide open) operation, use /sbin/shorewall clear. -Tom

Re: [Shorewall-users] Multi ISP - possible bug in incoming connections

2006-10-10 Thread Tom Eastep
Tom Eastep wrote: Craig M. Nicholson wrote: Surely if the connection is tracked and marked then the reply packets should go out of the interface that the request came in on? Any ideas anyone? Craig, Sorry -- I can't comment without seeing a 'shorewall dump' collected as described

Re: [Shorewall-users] HIGH_ROUTE_MARKS mask and compiler skript

2006-10-10 Thread Tom Eastep
to mention that connection marking rules also use a mask of 0xFF. I will change the code, however, to only specify the mask when HIGH_ROUTE_MASK=Yes is used; that way, users who don't have Extended CONNMARK SUPPORT can still use connection marks with HIGH_ROUTE_MASK=No. -Tom

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-12 Thread Tom Eastep
Tom Eastep wrote: Tom Eastep wrote: Brian J. Murrell wrote: On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote: The 'Drop' chain is generated by the Drop action which gets called because it is the default action for DROP policies (http://www.shorewall.net/Actions.html#id2500209). Indeed

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-12 Thread Tom Eastep
Brian J. Murrell wrote: On Thu, 2006-12-10 at 13:59 -0700, Tom Eastep wrote: I wonder if that's the right thing to do though. I'd think letting people define what traffic they don't want to log using the existing macros even if they want, would not be better. I'll await your patch

Re: [Shorewall-users] eth0_mac before Drop?

2006-10-13 Thread Tom Eastep
Brian J. Murrell wrote: On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote: One change -- the user exit will be called maclog rather than maclist (since that file name is already taken). Great. Can you point me at the commit when you make it? Or just point me at your browse_cvs and I can

Re: [Shorewall-users] Tc rules Help with multiISP+ squid squidguard...

2006-10-13 Thread Tom Eastep
=3323 dport=80 packets=6 bytes=916 src=84.96.219.201 dst=90.1.80.88 sport=80 dport=3323 packets=4 bytes=408 [ASSURED] mark=201 use=1 So I guess that I'm back to my original suggestion -- see what is happening using tcpdump or Ethereal. -Tom

Re: [Shorewall-users] Question about content in log

2006-10-15 Thread Tom Eastep
'pkttype' implementation is not matching that packet as multi-cast. -Tom

[Shorewall-users] Shorewall 3.2.4 Debian Package

2006-10-15 Thread Tom Eastep
There is a Shorewall 3.2.4 .deb available at http://idea.sec.dico.unimi.it/~lorenzo/shorewall/ -Tom

Re: [Shorewall-users] How to add forward rules

2006-10-16 Thread Tom Eastep
Tom Eastep wrote: Pompon wrote: Thank you Tom for your help, however I can't manage to make it work. I defined a new zone 'rad' for defining rules for the C address, and I try to open this traffic for any address on the net: so in the rules file I have: ACCEPT rad:Cnet all

Re: [Shorewall-users] Shorewall 3.2.4 Debian Package

2006-10-16 Thread Tom Eastep
Zachary Palmer wrote: Tom Eastep wrote: Zachary Palmer wrote: Excellent! If I may ask, is there a particular reason of which you are aware that Shorewall 3.0.7 is the most recent version in the official Debian repositories? Yes, there is. Ah. Anywhere I could find

Re: [Shorewall-users] Forwarding

2006-10-16 Thread Tom Eastep

Re: [Shorewall-users] Adding a wireless card

2006-10-16 Thread Tom Eastep
network, linux wireless router howto and much much more, but so far I have been getting nothing that I can use. Do I need to buy a wireless router and skip my whole shorewall setup just to get a working wlan? http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html -Tom

[Shorewall-users] New Shorewall Debian Packages

2006-10-16 Thread Tom Eastep
package. Thanks. -- lorenzo -Tom

Re: [Shorewall-users] Tc rules Help with multiISP + squid squidguard...

2006-10-17 Thread Tom Eastep
you sent, it looks like many SYN packets are being sent on ppp0 and never replied to. So you need to confirm that they are actually being sent on ppp0 and not on eth0. Does ppp0 work if you configure it as your only Internet connection? -Tom

Re: [Shorewall-users] Multiple Isp Traffic Shaping

2006-10-17 Thread Tom Eastep
with the tcrules I have currently. Hi Mike, Your CLASSIFY rules are wrong. The minor class of Shorewall-generated TC classes is (100 + mark value) (e.g., 1:110, 1:120, etc.) whereas you are specifying 1:10, 1:20, ... -Tom

Re: [Shorewall-users] Tc rules Help with multiISP+ squid squidguard...

2006-10-17 Thread Tom Eastep
, will generate brand new packets to send to the net -- these packets currently have no mark. -Tom

Re: [Shorewall-users] route all p2p traffic with another link

2006-10-18 Thread Tom Eastep
go through ISP2 -- traffic from i.j.k.l to a.b.c.d will continue to be handled by ISP1. -Tom

Re: [Shorewall-users] DNAT

2006-10-18 Thread Tom Eastep
of the way. The IPTables rules are going too, if somebody feels like they want to see them. Have you followed the DNAT debugging tips in Shorewall FAQs 1a and 1b? -Tom

[Shorewall-users] Webmin 1.300 Supports Shorewall 3.x!!!

2006-10-19 Thread Tom Eastep
I'm pleased to announce that the current version of Webmin (1.300) includes support for Shorewall 3.x. I've played with it for a bit and it looks really good! -Tom

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
like the only way to discover the root cause of the problem. -Tom

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
List Receiver wrote: Tom Eastep wrote: Have you used a packet sniffer to try to understand what is happening? Seems like the only way to discover the root cause of the problem. -Tom No, not yet. I don't consider myself proficient at tcpdump to make that part of my normal

Re: [Shorewall-users] OT: Routing problem

2006-10-20 Thread Tom Eastep
a Windows version now... You can capture a trace with tcpdump (using -w) then analyze it on another system with Ethereal. -Tom

Re: [Shorewall-users] Problem with virtual interface

2006-10-21 Thread Tom Eastep
firewall in a vserver -- only on the host (rootserver). See the Vserver FAQ. -Tom

Re: [Shorewall-users] SSH service in two firewall environment

2006-10-21 Thread Tom Eastep
to the internal ip 192.168.1.200. So, will it be necessary to do something from the Shorewall side to make this work? You want to connect to SSHD on the Shorewall Firewall? If so, just add this rule: ACCEPT net $FW tcp 22 -Tom

Re: [Shorewall-users] SSH service in two firewall environment

2006-10-21 Thread Tom Eastep
Paulo Almeida wrote: By the way, I want to give my recognition for the excellent work that has been made throughout the last years for Shorewall. Thanks, Paulo! -Tom

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
zone rather than the loc zone. And the same kludgy hack is required to make it work (you must make all redirected requests look as if they came from 1.1.1.11 (or 1.1.1.254)). Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
Roberto Tagliaferri wrote: Tom Eastep wrote: Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom I left the masq file empty :-( Now it's ok: #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth0:1

Re: [Shorewall-users] redirect from one nete to another

2006-10-23 Thread Tom Eastep
Roberto Tagliaferri wrote: Tom Eastep wrote: Roberto Tagliaferri wrote: Tom Eastep wrote: Without seeing your /etc/shorewall/masq file, I can't tell you the best way to do that. -Tom I left the masq file empty :-( Now it's ok: #INTERFACE

Re: [Shorewall-users] another ip

2006-10-24 Thread Tom Eastep
Kiss Gábor wrote: Tom Eastep wrote: Kiss Gábor wrote: Hello, I am running version 3.0.4 on Ubuntu Server. My firewall has a public ip ( x.y.z.24 ). I want another public ip (x.y.z.56) and want to redirect all of the traffic that comes to it from the internet to a local ip address

Re: [Shorewall-users] Shorewall will not start without a 'shorewall restore standard'

2006-10-25 Thread Tom Eastep
before Shorewall will start. There are several ways to do that: a) /etc/shorewall/ipsets. b) An init script that runs before Shorewall starts. c) Code in /etc/shorewall/init d) ... So which mechanism do you believe that you are using? -Tom

Re: [Shorewall-users] what is the best way to copy config to another machine?

2006-10-25 Thread Tom Eastep
after installing the normal shorewall package? I would just copy /etc/shorewall/ -Tom

Re: [Shorewall-users] how do I allow SMB with a macro, overriding the default?

2006-10-25 Thread Tom Eastep
machines in the LAN. This isn't a problem report -- see http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] how do I allow SMB with a macro, overriding the default?

2006-10-25 Thread Tom Eastep
machines in the LAN. As noted at http://www.shorewall.net/samba.htm, you must use SMB/ACCEPT in both directions: SMB/ACCEPT net $FW SMB/ACCEPT $FW net -Tom

Re: [Shorewall-users] Redirect proxy request from 8080 to port 80

2006-10-26 Thread Tom Eastep
/ # PORT PORT(S) DEST LIMIT GROUP REDIRECT loc 80 tcp - 8080 192.168.1.1 It doesn't work. You have the 8080 in the wrong column. -Tom

Re: [Shorewall-users] PPTPD on single interface

2006-10-26 Thread Tom Eastep
Shorewall totally is not going to be any more insecure than the silly configuration above. Thirdly, if you determine that the problem only occurs with Shorewall started, then please follow the problem reporting guidelines (http://www.shorewall.net/support.htm). -Tom

Re: [Shorewall-users] Saprouter forwarding from shorewall firewall to an internal saprouter server

2006-10-26 Thread Tom Eastep
are going to the correct box. -Tom

Re: [Shorewall-users] configuration files

2006-10-26 Thread Tom Eastep
themselves in the foot each time that they upgrade. -Tom

Re: [Shorewall-users] configuration files

2006-10-26 Thread Tom Eastep
Vieri Di Paola wrote: --- Tom Eastep [EMAIL PROTECTED] wrote: Simon Matter wrote: The issue is not Gentoo specific. With rpm based distributions, rpm doesn't even try to merge configs. I have my own script to do that so I always have the original header after an upgrade. Your idea

Re: [Shorewall-users] Redirect proxy request from 8080 to port 80

2006-10-27 Thread Tom Eastep
themselves need to be configured to bypass the proxy when accessing your local web server. -Tom

[Shorewall-users] Shorewall 3.2.5

2006-10-28 Thread Tom Eastep
Shorewall 3.2.5 is now available. Beginning with this release, there will be a single set of Release Notes and a single changelog; these release documents are included in both the Shorewall and Shorewall Lite packages. The Release Notes are attached. -Tom

Re: [Shorewall-users] ERROR: Command /sbin/iptables -A Drop -p tcp -j dropNotSyn Failed

2006-10-29 Thread Tom Eastep
(most iptables problems with Debian concern an incompatibility of Debian iptables 1.3.5 with the Debian 2.6.16 and later kernels). -Tom

Re: [Shorewall-users] ERROR: Command /sbin/iptables -A Drop -p tcp -j dropNotSyn Failed

2006-10-29 Thread Tom Eastep
source you use but rather that the kernel source used to build iptables should match the kernel you are running. -Tom

Re: [Shorewall-users] Routing via gateway

2006-10-29 Thread Tom Eastep
: Destination host unreachable. Does anyone have any ideas? Do I need to NAT the traffic or add another route command? There are very detailed instructions for handling this configuration at http://www.shorewall.net/Multiple_Zones.html -Tom

Re: [Shorewall-users] Multi-isp and QoS woes

2006-10-30 Thread Tom Eastep
and remember that 'track' sets the connection mark which then gets copied to the packet mark. So by default, connections out of eth0 have mark = 1 and those out of eth1 have mark = 2. So unless your FORWARD marking rules overwrite those marks, they are used for traffic classification. -Tom

Re: [Shorewall-users] REPOST: Routing via gateway

2006-10-30 Thread Tom Eastep
Any ideas would be great. You are going to have to describe the problem more completely than that if you want my help. From what you have written, I cannot even guess what problem you are trying to solve. Hint: http://www.shorewall.net/support.htm#Guidelines -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
tcp - 22 - - - 8 Those last two rules have way too many columns. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
Tom Eastep wrote: Zachary Palmer wrote: # SSH (with lower priority SCP) 3 0.0.0.0/0 0.0.0.0/0 tcp 22 3 0.0.0.0/0 0.0.0.0/0 tcp - 22 4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8 4 0.0.0.0/0

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
value: - Terminated Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-02 Thread Tom Eastep
: Invalid Mark or Mask value: - Terminated Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset. -Tom

[Shorewall-users] Known Problems and Fixes for 3.2.5

2006-11-02 Thread Tom Eastep
from the errata/patches directory. -Tom

Re: [Shorewall-users] Please help me.

2006-11-02 Thread Tom Eastep
# === node1 ipv4 node2 ipv4 If you have further problems, please submit the information requested at http://www.shorewall.net/support.htm#Guidelines. -Tom

Re: [Shorewall-users] Please help me.

2006-11-02 Thread Tom Eastep
Tom Eastep wrote: sada wrote: 1) I can not log-in shorewall router from eth0 (I can log in from node 1 or 2 ) Since you did not include your rules, we can't comment on that. How are you trying to log in? SSH? Sorry -- I meant to delete that. I assume that you are trying to log in from

Re: [Shorewall-users] Problem configuring shorewall

2006-11-02 Thread Tom Eastep
Peter Haijen wrote: Very puzzled as to what is wrong here; thanks for any help you may offer! Check the Shorewall Xen documentation and look for ethtool. Sounds like you have the common checksum problem. -Tom

Re: [Shorewall-users] Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working

2006-11-03 Thread Tom Eastep
Zachary Palmer wrote: I just have no clue how I got this to work before... and honestly, I did... even tested the shaping ability several times. I don't either -- the bug was introduced in Shorewall 3.2.3 and you were the first to bring it to my attention. -Tom

Re: [Shorewall-users] Fail over with Shorewall

2006-11-03 Thread Tom Eastep
setting a net-net DROP policy. -Tom

Re: [Shorewall-users] Fail over with Shorewall

2006-11-03 Thread Tom Eastep
Hristo Benev wrote: Tom Eastep wrote: Hristo Benev wrote: Hi, I've read the documentation and I'm aware that automatic FOver is not possible. So for me it will be preferable to create a script checking i-net and changing the default route. But will this break Shorewall? I'm using v

Re: [Shorewall-users] exception to netmap?

2006-11-06 Thread Tom Eastep
. I know I could use an extension script to put RETURN jumps in the netmap_in and netmap_out chains in the nat table, but I was wondering if there was a more straightforward way to do it... Not currently. -Tom

Re: [Shorewall-users] dnat of gre (47)

2006-11-07 Thread Tom Eastep
John Hill wrote: Dnat of gre packets seems to have stopped today. Shorewall version 3.25 was working yesterday. Any ideas with this little info? Afraid not -- are you saying that it stopped working when you upgraded to 3.25? -Tom

Re: [Shorewall-users] dnat of gre (47)

2006-11-07 Thread Tom Eastep
John Hill wrote: Tom Eastep wrote: John Hill wrote: Dnat of gre packets seems to have stopped today. Shorewall version 3.25 was working yesterday. Any ideas with this little info? Afraid not -- are you saying that it stopped working when you upgraded to 3.25? -Tom

Re: [Shorewall-users] dnat of gre (47)

2006-11-07 Thread Tom Eastep
Tom Eastep wrote: John Hill wrote: Tom Eastep wrote: John Hill wrote: Dnat of gre packets seems to have stopped today. Shorewall version 3.25 was working yesterday. Any ideas with this little info? Afraid not -- are you saying that it stopped working when you upgraded to 3.25

[Shorewall-users] LOGFORMAT Problem in Shorewall 3.2.*

2006-11-07 Thread Tom Eastep
' files from the errata/Shorewall/ sub-directory. b) Patch /usr/share/shorewall/compiler and /usr/share/shorewall/functions with the patch-3.2.5-3.diff patch from the errata/patches directory. -Tom

Re: [Shorewall-users] bug - \ at eol extends comments

2006-11-07 Thread Tom Eastep
turned the entire rule into a comment: #DNAT net:x.x.x.x,y.y.y.y \ DNAT net:x.x.x.x \ internal:10.0.0.123 tcp 3306 - z.z.z.z This is a function of the shell -- Shorewall has no control over it. -Tom

Re: [Shorewall-users] bug - \ at eol extends comments

2006-11-07 Thread Tom Eastep
with this limitation now that I know about it. I'm glad, since I don't believe that there is anything I can do about it. Kudos for your hard work on Shorewall! Thanks! -Tom

Re: [Shorewall-users] Mulit-Isp with Ipsec

2006-11-08 Thread Tom Eastep
this working. Any ideas? Mike, We'll need to see the output of shorewall dump captured when IPSEC is not working. -Tom

Re: [Shorewall-users] Mulit-Isp with Ipsec

2006-11-08 Thread Tom Eastep
, but it looks like pings are going out eth0 66.224.62.182 coming back into eth1 67.183.187.44 Which address is specified as the local end of the IPSEC tunnel-mode SP? -Tom

Re: [Shorewall-users] Multi-Isp with Ipsec

2006-11-08 Thread Tom Eastep
is it for? 1000: from all to 172.30.0.0/24 lookup main I'd like to see the output of ip route ls cache when this is failing. You can send it to me directly as it won't be of much interest to anyone else. Thanks, -Tom

Re: [Shorewall-users] Multi-Isp with Ipsec

2006-11-08 Thread Tom Eastep
Tom Eastep wrote: Mike Lander wrote: Which address is specified as the local end of the IPSEC tunnel-mode SP? -Tom conn arkonaIPsec type = tunnel left =66.224.62.118 leftnexthop= 66.224.62.97 right = 65.203.186.182 leftsubnet = 10.194.79.0/255.255.255.0 rightsubnet = 172.30.0.0

Re: [Shorewall-users] Multi-Isp with Ipsec

2006-11-08 Thread Tom Eastep
Tom Eastep wrote: Tom Eastep wrote: Mike Lander wrote: Which address is specified as the local end of the IPSEC tunnel-mode SP? -Tom conn arkonaIPsec type = tunnel left =66.224.62.118 leftnexthop= 66.224.62.97 right = 65.203.186.182 leftsubnet = 10.194.79.0/255.255.255.0

Re: [Shorewall-users] Multi-Isp with Ipsec

2006-11-08 Thread Tom Eastep
Mike Lander wrote: IT WORKS!!!. Great! -Tom

Re: [Shorewall-users] shorecap/shorewall load

2006-11-09 Thread Tom Eastep
, and it would be one less detail to remember. The capabilities will only change if you upgrade the kernel or iptables on the remote host so it seems silly to re-capture them on every [re]load. But I suppose that I could offer an option to the '[re]load' command that would do that. -Tom

Re: [Shorewall-users] QoS - Slow Downloads

2006-11-10 Thread Tom Eastep
, overlimits 0 requeues 0) When your download speed is restricted, is the dropped counter non-zero? -Tom

Re: [Shorewall-users] Two Shorewall 3.2 Issues

2006-11-10 Thread Tom Eastep
Farkas Levente wrote: why don't you release 3.2.6? Note that the second problem listed turned out to be a non-issue. It's not that 3.2.5 is unusually buggy; I've just started announcing known problems when they are discovered. -Tom

Re: [Shorewall-users] DNAT Question

2006-11-10 Thread Tom Eastep
and active should work -- see http://www.shorewall.net/FTP.html -Tom

Re: [Shorewall-users] QoS - Slow Downloads

2006-11-10 Thread Tom Eastep
of commands: tc -s -d qdisc show dev $device tc -s -d class show dev $device for each device in /etc/shorewall/tcdevices. But on input, the only thing that could slow your downloads is dropped packets in the ingress qdisc. -Tom

Re: [Shorewall-users] QoS - Slow Downloads

2006-11-10 Thread Tom Eastep
shaping instructions tell you to tune your IN-BANDWIDTH. -Tom

Re: [Shorewall-users] Ingress policing

2006-11-10 Thread Tom Eastep
Andrew Suffield wrote: On Fri, Nov 10, 2006 at 10:11:04AM -0800, Tom Eastep wrote: Helder Gaspar Rodrigues wrote: Yes that are packet being dropped: qdisc ingress : Sent 22676402 bytes 39464 pkt (dropped 244, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p
