Tom, I downloaded and tested it on 4.6 and it does the trick! GOOOD!

I'm trying to replace User(IP) authentication on Cisco ASA with a
Shorewall/Ipset timeout/LAMP + Radius OATH OTP that I wrote. I expect
to finish it some day :P

Thanks again.
I hope that this ipset timeout feature will be integrated in a future release.


---------- Forwarded message ----------
From: Emiliano Marino <emili...@ejmarino.com>
Date: 2014-05-13 18:21 GMT-03:00
Subject: Re: [Shorewall-users] Ipset with timeouts
To: shorewall-users@lists.sourceforge.net


Hi Tom, thanks for your answer.

I have a line on init script:

ipset -exist create plus hash:ip timeout 30

These are the last lines of 'shorewall start':

Initializing...
   WARNING: ipset plus does not exist; creating it as an hash:ip set
Processing /etc/shorewall/init ...
ipset v6.12.1: Set cannot be created: set with the same name already exists
Setting up Route Filtering...
Setting up Martian Logging...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
done.

If you do an 'ipset --list' you have:

Name: plus
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 4
Members:

No timeout configured.

I'm on Debian Wheezy with shorewall 4.5.21.9 taken from
this repo: "http://people.connexer.com/~roberto/debian/ wheezy main"

I will try 4.6 RC3 shorewall version. Thanks.



> From: Tom Eastep <teas...@shorewall.net>
> To: shorewall-users@lists.sourceforge.net
> Cc:
> Date: Sat, 10 May 2014 07:44:36 -0700
> Subject: Re: [Shorewall-users] Ipset with timeouts
> On 5/9/2014 7:01 PM, Bill Shirley wrote:
> >
> > On 5/5/2014 12:11 PM, Emiliano Marino wrote:
> >> Hi! This is my first email to this mailing list.
> >>
> >> I am playing with ipsets and shorewall and I'm failing to create (using
> >> shorewall) an ipset with a default timeout.
> >> When shorewall compiles it throws me a warning saying that the ipset
> >> does not exist (it is right), and when it starts
> >> at some stage of the init procedure it creates the ipset.
> >> I can't (or don't know how to) change the shorewall command to create the
> >> ipset. I even tried to use the "Init" script, but
> >> the ipset is already created when the script is executed.
> >>
> >> So, does anybody have a suggestion?
> >> I know that if I make a script that creates the ipset before shorewall
> >> starts I can do the thing, but I prefer to do it inside
> >> or with shorewall terms.
> >>
> >> Sorry for my English :)
> >> Thanks in advance
> >>
> >>
> >>
> >
> > I define my ipsets in /etc/shorewall/init:
> > modprobe ip_set
> > ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
> > ipset -exist create fail2ban-Ip hash:ip timeout 86400
> >
> > This is on Fedora 19 with SELinux.  SELinux will deny the 'ipset create'
> > by default when run by systemctl.  I created a policy to allow it:
> > module my_shorewall_ipset 1.0;
> >
> > require {
> >          type shorewall_t;
> >          type kernel_t;
> >          class system module_request;
> > }
> >
> > #============= shorewall_t ==============
> >
> > #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> > allow shorewall_t kernel_t:system module_request;
>
> Additionally, in the just-uploaded 4.6.0-RC3, the 'init' user exit is
> executed prior to creation of the ipsets.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
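The 'ipset --list' output in the thread shows the trap: `ipset -exist create` silently leaves an already-existing set untouched, so the set Shorewall auto-created as plain hash:ip never gets the timeout. The following is an added example (not code from the thread or from the Shorewall project) of the check a startup script can run: it reads the `Header:` line of `ipset list -t`, decides whether the set is missing, correct, or lacks the wanted timeout, and only recreates it when no rule references it. The set name, the `hash:ip` type and the sample header text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Shorewall thread or project.
# Decide what to do about an ipset from the text `ipset list -t NAME` prints
# (pass "" when the set does not exist). Output is one of:
#   create | ok | recreate:none | recreate:<current-timeout>
decide_ipset_action() {
    header="$1"     # `ipset list -t` output, or "" if the set is absent
    want="$2"       # desired default timeout in seconds
    [ -z "$header" ] && { echo create; return 0; }
    # The default timeout, if any, appears on the "Header:" line as "timeout N".
    have=$(printf '%s\n' "$header" | awk '
        /^Header:/ { for (i = 1; i <= NF; i++) if ($i == "timeout") { print $(i+1); exit } }')
    if [ -z "$have" ]; then
        echo "recreate:none"
    elif [ "$have" = "$want" ]; then
        echo ok
    else
        echo "recreate:$have"
    fi
}

# Host-side wrapper (needs root and the ipset binary). A set that is already
# referenced by iptables rules cannot be destroyed, so the mismatch is
# reported instead of being silently ignored the way `-exist` would.
ensure_ipset() {
    name="$1"; want="$2"
    header=$(ipset list -t "$name" 2>/dev/null) || header=""
    case $(decide_ipset_action "$header" "$want") in
        create) ipset create "$name" hash:ip timeout "$want" ;;
        ok)     ;;
        recreate:*)
            refs=$(printf '%s\n' "$header" | awk '/^References:/ { print $2 }')
            if [ "${refs:-0}" -eq 0 ]; then
                ipset destroy "$name" && ipset create "$name" hash:ip timeout "$want"
            else
                echo "WARNING: set $name lacks timeout $want but has $refs references" >&2
                return 1
            fi ;;
    esac
}

# Constructed samples: the header quoted in the thread (no timeout) and one
# that does carry a default timeout.
SAMPLE_NO_TIMEOUT='Name: plus
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 4'
SAMPLE_TIMEOUT='Name: plus
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 30
Size in memory: 16504
References: 0'
```

On a live host, `ensure_ipset plus 30` from /etc/shorewall/init does the whole check; on 4.5.x, where init runs after the automatic creation, it will report the referenced, timeout-less set rather than pretend success.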