It's not clear what you're doing here. In several cases you have the output of
ls -Z, without entering the command?
Yes selinux is prohibiting from looking at {getattr}, creating {write}, or
deleting {unlink} the shorewall lockfile. The correct setting for the lockfile
(and the path down to
I have a VM which is the LAN router, and another VM in the LAN which is the
ipsec gateway. (strongswan)
I'm not fully understanding the guide here;
http://www.shorewall.net/IPSEC-2.6.html
- Does this still apply to kernel 4.*? There isn't a
I did not mention IPSEC SAs. The problem with trying to access the rest
> of the LAN is that response packets from other LAN systems aren't routed
> back through the IPSEC endpoint. As I mentioned, you can force that to
> happen by using SNAT on the endpoint host, if you are willing to accept
>
> I'll look at what you say below Bill.
>
> But keep in mind that the attacks I'm concerned about are typically buffer
> overflows and other sideband attacks. Directness rarely succeeds in hacking
> these days. There are always unknown vulns.
>
> I'm suspicioning that the reason Tom says that
> DNAT { SOURCE=net, DEST=apps:172.20.2.44, PROTO=udp,
> DPORT=500,4500, ORIGDEST=$IPSEC_IP }
Tom, on this line, is IPSEC_IP something I must set?
If so, would this be the router's outside IP? Could I do a command
substitution like $(curl ipinfo.io/ip)
>> DNAT { SOURCE=net, DEST=apps:172.20.2.44, PROTO=udp,
>> DPORT=500,4500, ORIGDEST=$IPSEC_IP }
>
> Tom, on this line, is IPSEC_IP something I must set?
>
> If so, would this be the router's outside IP? Could I do a command
> substitution like $(curl ipinfo.io/ip) ?
PS - Here's what I've cooked
To: shorewall-users@lists.sourceforge.net
>
> On Sun, 17/12/2017 at 13.10 -0500, Colony.three via Shorewall-
> users wrote:
>
>> It's not clear what you're doing here. In several cases you have the
>> output of ls -Z, without entering the command?
>>
>> N
> Original Message
> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
> Local Time: November 13, 2017 4:37 PM
> UTC Time: November 14, 2017 12:37 AM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 11/13/2017 03
> I've given up on trying to set up a Private Virtual Network in virt-manager
> (KVM), as it does not work. (CentOS7.4 all 'round)
>
> So I've now assigned a hardware ethernet port to the DMZ VM and one to the
> router VM, just like all the other VMs. The DMZ and router have their own IP
>
Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
Communication with DMZ by a virtual private bridge built in virt-manager, and
communication between LAN machines is by SRIOT ethernet hardware.
The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
> Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
> Communication with DMZ by a virtual private bridge built in virt-manager, and
> communication between LAN machines is by SRIOT ethernet hardware.
>
> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. --
> On 11/20/2017 09:27 AM, Colony.three via Shorewall-users wrote:
>
>>> Are you sure this isn't working. I can connect to the firewall's
>>> external IP on port 80 and I get the Quantum Equities web site.
>>>
>>> -Tom
>>>
>>>
> Are you sure this isn't working. I can connect to the firewall's
> external IP on port 80 and I get the Quantum Equities web site.
>
> -Tom
>
Hm, that's odd. My remote OpenStack instance is CentOS Minimal so no GUI. I
have to use curl to
>> If necessary, can I somehow enter it here as a system variable?
>> You can use
>>
>> -Tom
Holy cow, this saves all kinds of scripted checks and saves!
Thanks for all your help Tom.
> Do you have firewall rules to allow that traffic through? Pretty much every
> time
> I can’t get something like this to work it turns out to be because it’s
> blocked by
> the firewall.
> -Les
Sure. That's the purpose of the NAT command isn't it?
Anyway, there are no error messages in
I've set ACCEPT rules for net to $FW and net to dmz (not sure which applies)
for http and https.
Going through the FAQ here: http://shorewall.net/FAQ.htm#faq1a
- I'm testing from a remote OpenStack VM (Internap) using:
# curl -v http://50.35.109.212
* About to connect() to 50.35.109.212 port 80
Hello, I can not get DNAT to work to save my life.
All machines are CentOS7 KVM virtual machines, one the internet-connected
router, and the other in the DMZ.
I've gone through the docs and there seem to be two methods of port-forwarding,
and neither works in the router:
DNAT net
I've given up on trying to set up a Private Virtual Network in virt-manager
(KVM), as it does not work. (CentOS7.4 all 'round)
So I've now assigned a hardware ethernet port to the DMZ VM and one to the
router VM, just like all the other VMs. The DMZ and router have their own IP
class C's
> We need to see the output of 'shorewall dump'. Please forward it as a
> compressed attachment; you can send it to me privately if you like.
>
> -Tom
It's a problem for me to get emails to you Tom, or I would have sent it. Spam
protections have eclipsed my one-horse hosting service (which has
> On 01/03/2018 12:55 PM, Colony.three via Shorewall-users wrote:
>
>> I have a router which is a KVM VM running CentOS7. Then I have a
>> LibreSwan gateway, which is another VM in the LAN, also running CentOS7.
>> There are 100,0 bots out there trying to get in to any
On 12/14/2017 02:55 PM, cac...@quantum-sci.com wrote:
>> On 12/14/2017 02:50 PM, Tom Eastep wrote:
>>
>>> On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
>>>
>>>> I have a VM which is the LAN router, and another VM in the LAN which
>>
I'm trying to change the listening port of Libreswan using these DNAT entries
in rules:
DNAT net local:192.168.1.16:500 udp - 5500
DNAT net local:192.168.1.16 udp ipsec-nat-t -
... but this results in the below DROPS. Rather than
> I'm trying to change the listening port of Libreswan using these DNAT entries
> in rules:
> DNAT net local:192.168.1.16:500 udp - 5500
> DNAT net local:192.168.1.16 udp ipsec-nat-t -
>
> ... but this results in the below DROPS. Rather
> On 01/05/2018 03:02 PM, Colony.three via Shorewall-users wrote:
>
>> On 01/05/2018 02:25 PM, Colony.three via Shorewall-users wrote:
>>
>>> I'm trying to change the listening port of Libreswan using these DNAT
>>> entries in rules:
>>> DNAT
I don't understand this:
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101
DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP
SPT=1024 DPT=500 LEN=388
[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT=
> I saw something similar when I neglected to add a subjectAltName
> (gateway.shorewall.net) to the local endpoint's cert.
>
> FWIW, I've attached a log extract of a successful SA establishment.
>
> -Tom
Hm, interesting. I've consistently used scripts from SomeRandomDude on The
Internets, and
> Original Message
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 24, 2017 3:03 PM
> UTC Time: December 24, 2017 11:03 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/24/2017 02:56 PM,
> IPSEC configuration issue. I previously posted Strongswan config files
> for my working DNAT setup.
>
> -Tom
True, and I'm basing my endpoint (IPSEC gateway) config on that:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
conn ipv4
    left=192.168.111.16
On 12/24/2017 12:59 PM, Tom Eastep wrote:
> After a bit of a hassle with certs, I got it working.
>
> a) I used the StrongSwan Simple CA
> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
> generate my certs, with a subjectAltName. The subjectAltName of the
> local endpoint is
> Just as a FYI: I have OpenVPN set up and working on my android phone.
>
> I generated a CA cert and then a cert for my phone using xca (GUI interface).
>
> Bill
Good to know. I'd originally decided on IPSec because it's universally used in
business, and is regarded to be the most secure, at
> I would think you would want:
> interfaces:
> - eth0 routefilter=0,logmartians=1
> hosts:
> vpn eth0:172.58.43.0/24
> net eth0:0.0.0.0/0
>
> I'm assuming 172.58.43.0/24 is a private subnet (RFC1918).
>
> Bill
172. is from my phone on a national carrier, and
> Have you tried comparing the packets arriving from the net with those being
> sent to the IPSEC endpoint?
>
> -Tom
The following three monitors are recording the same attempt to connect. First,
on the LAN router, listening to the outside interface:
# tcpdump -vv -i eth0 'udp port 5500 and
> I don't know about Libreswan, but Strongswan has options to change the
>
> IKE and NAT-T ports (charon.port and charon.port_nat_5 respectively).
>
> -Tom
Libreswan does as well, although the devs (who are very helpful) assure me it
doesn't work. I'll try it anyway like the smartass I am.
We have LAN, made up of a number of KVM virtual machines, one of which is the
router for the WAN and another is the IPSec gateway. (Libreswan)
I have DNAT working fine from the (internal) IPSec gateway through the router
to my phone and back. A while ago Tom gave me an iptables command to
>> Libreswan does as well, although the devs (who are very helpful) assure
>> me it doesn't work.
>
> Bummer.
Indeed when putting in ipsec.conf, the config setup section (as called for in
man ipsec.conf):
ikeport = 5500
... and restarting, it merrily disobeys and stays on 500. And interfaces =
> On 01/06/2018 04:07 PM, Colony.three via Shorewall-users wrote:
>
>>> Original Message
>>> Subject: Re: [Shorewall-users] IPSec Tunneling
>>> Local Time: January 5, 2018 3:41 PM
>>> UTC Time: January 5, 2018 11:41 PM
>>> From:
On 01/05/2018 02:25 PM, Colony.three via Shorewall-users wrote:
>> I'm trying to change the listening port of Libreswan using these DNAT
>> entries in rules:
>> DNAT net local:192.168.1.16:500 udp - 5500
>> DNAT net
>> On 01/05/2018 03:02 PM, Colony.three via Shorewall-users wrote:
>>
>>> On 01/05/2018 02:25 PM, Colony.three via Shorewall-users wrote:
>>>
>>>> I'm trying to change the listening port of Libreswan using these DNAT
>>>> entries in rules:
>>>
I am at a complete loss. I know this is not the Strongswan forum, but they are
unresponsive with all methods of communication -- and now I see why. My
personal opinion is that Strongswan is only rumored to work, but actually works
in the sense that a puppet does.
Sure Tom says he got it to
On 28.12.2017 at 22:51, Colony.three via Shorewall-users wrote:
>> I am at a complete loss. I know this is not the Strongswan forum,
>
> Yes it is not and Tom in his incredible helpfulness tried to get you
> through shallows of networking.
>
> Now it appears that you had p
> As one of the Libreswan authors I'd note it's "Libreswan" - no capital
> letters in the middle of the name, please.
>
> When suggesting manual keying, please note it is horribly insecure and should
> not be used:
>
> https://tools.ietf.org/html/rfc8221#section-3
>
> Tuomo Soini t...@foobar.fi
ts.sourceforge.net
>
> On 12/24/2017 12:59 PM, Tom Eastep wrote:
>
>> On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote:
>>
>>>> I saw something similar when I neglected to add a subjectAltName
>>>> (gateway.shorewall.net <http://gateway.shore
Simple CA is the procedure I've been using too.
>> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from
>> 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
>> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
>> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
> The Cert isn't involved in the IKE_SA_INIT request. Verification of the
> cert occurs in the IKE_AUTH request. What are the messages generated
> when you start your local StrongSwan config?
>
> -Tom
I don't see anything abnormal... although I do not see it calling
On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
>
>> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Dec 27 15:20:49 zeta charon: 00[LIB] opening
>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' fail
On 12/27/2017 03:46 PM, Colony.three via Shorewall-users wrote:
>
>>> Original Message
>>> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked
>>> (StrongSwan)
>>> Local Time: December 27, 2017 3:31 PM
>>>
> Hm, I am not seeing any evidence that the daemon is picking up my
> /etc/strongswan/strongswan.d/bills-strongswan.conf nor
> /etc/strongswan/ipdec.d/bills-ipsec.conf . But then, it's not noting yours
> either, assuming you have your own ipsec.conf and strongswan.conf .
>
> These are my main
I have a router which is a KVM VM running CentOS7. Then I have a LibreSwan
gateway, which is another VM in the LAN, also running CentOS7.
There are 100,0 bots out there trying to get in to any and all ports, ready
and armed with the right known vulns and 0-days for the normal ports, so I'd
‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:58 AM, wrote:
>
>
> ‐‐‐ Original Message ‐‐‐
>
> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>
> > > After shorewall6 clear, ping6 just hangs.
> > >
> > > ping6 google.com
> >
# ip address
7: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state
UNKNOWN qlen 1
link/sit 50.47.100.167 peer 216.218.226.238
inet6 2001:470:a:c3::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::322f:64a7/64 scope link
‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:18 AM, colony.three--- via Shorewall-users
<shorewall-users@lists.sourceforge.net> wrote:
> # ip address
> 7: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state
> UNKNOWN qlen 1
> lin
‐‐‐ Original Message ‐‐‐
On April 6, 2018 2:32 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> >
> > On April 6, 2018 11:58
‐‐‐ Original Message ‐‐‐
On April 16, 2018 10:42 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
>
> > Anyone seen this?
> >
> > Nov 29 01:42:29 Compiling MAC Filtration --
‐‐‐ Original Message ‐‐‐
On April 16, 2018 10:56 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> >
> > On April 16, 2018 10:42
Anyone seen this?
Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
Nov 29 01:42:29 Applying Policies...
Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for chain
Broadcast...
Nov 29 01:42:29 ERROR: Invalid parameter (DROP),Multicast(DROP)
‐‐‐ Original Message ‐‐‐
On April 16, 2018 11:30 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/16/2018 11:03 AM, colony.three--- via Shorewall-users wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> >
> > On April 16, 2018 10:56 AM, To
‐‐‐ Original Message ‐‐‐
On April 16, 2018 12:16 PM, <colony.th...@protonmail.ch> wrote:
>
>
> ‐‐‐ Original Message ‐‐‐
>
> On April 16, 2018 11:30 AM, Tom Eastep teas...@shorewall.net wrote:
>
> > On 04/16/2018 11:03 AM, colony.thre
Whups, reboot fixed it. Pardon the noise.
I don't understand why my ping through IPSec VPN is being rejected? When I
'shorewall clear', it pings.
[138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT=
MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP
‐‐‐ Original Message ‐‐‐
On March 29, 2018 4:08 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 03/29/2018 04:06 PM, colony.three--- via Shorewall-users wrote:
>
> > On March 29, 2018 1:17 PM, Tom Eastep teas...@shorewall.net wrote:
> >
On March 29, 2018 1:17 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 03/29/2018 11:59 AM, colony.three--- via Shorewall-users wrote:
>
> > I don't understand why my ping through IPSec VPN is being rejected?
> >
> > When I 'shorewall clear
On March 29, 2018 5:02 PM, Tom Eastep wrote:
> >
> > ... I believe this is right when unknown IPs can come in through VPN?
>
> You should be assigning the remote IP address via the sourceip
>
> (=right or left) setting in ipsec.conf.
I can't because the remote
I'm trying to convert to IPV6 but there's a little problem with the hosts file
on the IPSec gateway.
shorewall6 doesn't like any combination of IP ::0. As in:
vpn eth0:::0
I typed out all the zeroes, used all colons, but I could not decrypt what it
‐‐‐ Original Message ‐‐‐
On April 3, 2018 5:37 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 04/03/2018 05:29 PM, colony.three--- via Shorewall-users wrote:
>
> > I'm trying to convert to IPV6 but there's a little problem with the
> >
>
The remote phone's Strongswan app is not getting a port 4500 response back from
the IPSec gateway. It's trying and waiting for a response on port 4500.
‐‐‐ Original Message ‐‐‐
On March 21, 2018 9:35 AM, wrote:
> I have an IPSec gateway, which is just an
On March 21, 2018 4:06 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> If you 'shorewall clear' on the IPSEC gateway, does that correct the
>
> problem?
>
> -Tom
>
> On 03/21/2018 02:28 PM, colony.three--- via Shorewall-users wrote:
>
> >
‐‐‐ Original Message ‐‐‐
On March 23, 2018 9:43 AM, Tom Eastep <teas...@shorewall.net> wrote:
>
>
> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
>
> > No change in the symptom with 'shorewall clear' on the IPSEC gateway.
I have struggled for days to make this work but admit I am soundly defeated.
My goal is to dnat two cameras through an Odroid N2+. But I can't even get a
basic ACCEPT to work on ports 80 or 443. I can't understand what is wrong. Dump
is attached. Sure hope the boss is still around.
[Tue Jan 30
PM, colony.three--- via Shorewall-users wrote:
>
> > I have struggled for days to make this work but admit I am soundly defeated.
> > My goal is to dnat two cameras through an Odroid N2+. But I can't even get
> > a basic ACCEPT to work on ports 80 or 443. I can't understand
On Wednesday, August 5, 2020 9:09 AM, Tom Eastep wrote:
> On 8/5/20 8:03 AM, colony.three--- via Shorewall-users wrote:
>
> > I have struggled for days to make this work but admit I am soundly defeated.
> > My goal is to dnat two cameras through an Odroid N2+. But I can't even
> > g
, beware: Automake=Yes is the default. Might should be No if you
consider port-forwarding.
‐‐‐ Original Message ‐‐‐
On Wednesday, August 5, 2020 10:18 AM, Tom Eastep wrote:
> On 8/5/20 9:30 AM, colony.three--- via Shorewall-users wrote:
>
> > Thank you Tom, but actually th
I see. Chrony is getting blocked.
All this setup is temporary because soon it will be going through a WireGuard
tunnel.
‐‐‐ Original Message ‐‐‐
On Wednesday, August 5, 2020 10:51 AM, Tom Eastep wrote:
> On 8/5/20 10:30 AM, colony.three--- via Shorewall-users wrote:
>
>