Ian! D. Allen | 1 Dec 07:04 2005

Re: broken bridge config after upgrade to 3.0.x ?

Tom Eastep wrote:
> Sorry -- I should have looked at your original post. Unless your policies are 
> all ACCEPT and you have no firewall rules, you *ARE* controlling traffic 
> through the bridge. If your policies are all ACCEPT and you have no firewall 
> rules then there wouldn't be much point in running Shorewall on this 
> configuration (unless there's more to it than what you've shown us).
> 
> Possibly the confusion comes over the word "control" -- were you thinking 
> traffic shaping?

Yes, I see now that *any* firewall rules constitute "control".  I think
I actually tried making everything related to the bridge be ACCEPT and
it still died.  (I still had rules for the other non-bridge connection.)

Your documentation updates will help future people who stumble across
this.  Thanks!

-- 
-IAN!  Ian! D. Allen       Ottawa, Ontario, Canada - www.ottawa.ca
       EMail: idallen <at> idallen.ca   Home Page: http://www.idallen.com/
       College professor (Linux) via: http://teaching.idallen.com/
       Support free and open public digital rights:  http://eff.org/

Alexander Loob | 1 Dec 08:17 2005

Shorewall Traffic shaping with DSL

Dear List,

In the Documentation for Shorewall 3.X is the hint, that I've to restart
shorewall (by calling /sbin/shorewall restart), after my DSL Provider
terminates the connection (normally every 24 hours) because the
reconnection deletes all filters / qdiscs related to the dialup interface
(ppp0).

Now my question:
Would a script calling /sbin/shorewall refresh work too ???
I've read the man page of shorewall and how I understand the man, the
refresh regenerates all tcrules etc.

Best Regards
Alexander Loob

Ray Booysen | 1 Dec 13:48 2005

Shorewall and MRTG

Hi

There is a slight error with the scripts that are linked from the 
documentation on the shorewall site that enables shorewall and mrtg to 
work together nicely.  I have fixed them but I cannot contact the owner 
of the scripts.

The original scripts are available here:
http://www.nightbrawler.com/code/shorewall-stats/

My fix is here:
http://www.rjb.za.net/source-code

The only error is that accounting rules that show traffic under 1KB/s 
like NTP are considered as KB units and multiplied by 1024 by the script 
which then shows the incorrect information in the graphs.

Regards
Ray

-- 
Ray Booysen
rj_booysen <at> rjb.za.net
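
The unit bug described in the post above, as an added example (not Ray's fix and not the original shorewall-stats scripts): a byte-counter parser that scales a value only when it carries a K/M/G suffix, next to the described faulty behaviour. The function names, the KILO variable and the sample accounting lines are constructed for illustration; the column layout is assumed to match `iptables -L -v -n` output.

```shell
#!/bin/sh
# iptables(8) documents the K/M/G suffixes as multipliers of 1000;
# the script discussed in the post used 1024. Adjust KILO to taste.
KILO=1000

# Constructed sample lines: pkts, bytes, target, then the match columns.
SAMPLE='  12   912 ntp  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:123
 340  415K web  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80'

# Convert a counter such as 912, 415K or 2M to plain bytes.
# Returns 1 on anything that is not digits plus at most one suffix.
to_bytes() {
    case "$1" in
        ''|*[!0-9KMG]*) return 1 ;;
    esac
    num=${1%[KMG]}
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$1" in
        *K) echo $((num * KILO)) ;;
        *M) echo $((num * KILO * KILO)) ;;
        *G) echo $((num * KILO * KILO * KILO)) ;;
        *)  echo "$num" ;;   # no suffix: the value is already in bytes
    esac
}

# The behaviour the post describes: every value is treated as KB.
to_bytes_buggy() {
    num=${1%[KMG]}
    echo $((num * 1024))
}

# Byte count for the first sample rule whose target column matches $1.
rule_bytes() {
    field=$(printf '%s\n' "$SAMPLE" | awk -v t="$1" '$3 == t { print $2; exit }')
    to_bytes "$field"
}

for r in ntp web; do
    echo "$r: $(rule_bytes "$r") bytes"
done
```

Reading the counters with `iptables -L -v -n -x` prints exact values and avoids the suffix handling altogether.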


Jan Mulders | 1 Dec 17:06 2005

Re: Shorewall and MRTG

All I can say is, thanks a lot :-)

I've been trying to get Shorewall to work with MRTG easily for ages, and have been unable to find this handy little script. It's also handy to have it bug-free... good job.

Jan

On 01/12/05, Ray Booysen <rj_booysen <at> rjb.za.net> wrote:
> Hi
>
> There is a slight error with the scripts that are linked from the
> documentation on the shorewall site that enables shorewall and mrtg to
> work together nicely.  I have fixed them but I cannot contact the owner
> of the scripts.
>
> The original scripts are available here:
> http://www.nightbrawler.com/code/shorewall-stats/
>
> My fix is here:
> http://www.rjb.za.net/source-code
>
> The only error is that accounting rules that show traffic under 1KB/s
> like NTP are considered as KB units and multiplied by 1024 by the script
> which then shows the incorrect information in the graphs.
>
> Regards
> Ray
>
> --
> Ray Booysen
> rj_booysen <at> rjb.za.net



_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Ray Booysen | 1 Dec 17:39 2005

Re: Shorewall and MRTG

Not a problem! :)

Jan Mulders wrote:
> All I can say is, thanks a lot :-)
>
> I've been trying to get Shorewall to work with MRTG easily for ages, 
> and have been unable to find this handy little script. It's also handy 
> to have it bug-free... good job.
>
> Jan
>
> On 01/12/05, *Ray Booysen* <rj_booysen <at> rjb.za.net 
> <mailto:rj_booysen <at> rjb.za.net>> wrote:
>
>     Hi
>
>     There is a slight error with the scripts that are linked from the
>     documentation on the shorewall site that enables shorewall and mrtg to
>     work together nicely.  I have fixed them but I cannot contact the
>     owner
>     of the scripts.
>
>     The original scripts are available here:
>     http://www.nightbrawler.com/code/shorewall-stats/
>
>     My fix is here:
>     http://www.rjb.za.net/source-code
>
>     The only error is that accounting rules that show traffic under 1KB/s
>     like NTP are considered as KB units and multiplied by 1024 by the
>     script
>     which then shows the incorrect information in the graphs.
>
>     Regards
>     Ray
>
>     --
>     Ray Booysen
>     rj_booysen <at> rjb.za.net <mailto:rj_booysen <at> rjb.za.net>
>
>
>
>     _______________________________________________
>     Shorewall-users mailing list
>     Shorewall-users <at> lists.sourceforge.net
>     <mailto:Shorewall-users <at> lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

-- 
Ray Booysen
rj_booysen <at> rjb.za.net

Tom Eastep | 1 Dec 16:27 2005

Re: Shorewall Traffic shaping with DSL

On Wednesday 30 November 2005 23:17, Alexander Loob wrote:
> Dear List,
>
> In the Documentation for Shorewall 3.X is the hint, that I've to restart
> shorewall (by calling /sbin/shorewall restart), after my DSL Provider
> terminates the connection (normally every 24 hours) because the
> reconnection deletes all filters / qdiscs related to the dialup interface
> (ppp0).
>
> Now my question:
> Would a script calling /sbin/shorewall refresh work too ???
> I've read the man page of shorewall and how I understand the man, the
> refresh regenerates all tcrules etc.

Yes -- if traffic shaping is all that is wrong after a restart of the DSL 
connection, 'refresh' will correct it. If you have done a previous 'shorewall 
save', then 'shorewall restore' will also work.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 1 Dec 16:25 2005

Re: broken bridge config after upgrade to 3.0.x ?

On Wednesday 30 November 2005 22:04, Ian! D. Allen wrote:
> Tom Eastep wrote:
> > Sorry -- I should have looked at your original post. Unless your policies
> > are all ACCEPT and you have no firewall rules, you *ARE* controlling
> > traffic through the bridge. If your policies are all ACCEPT and you have
> > no firewall rules then there wouldn't be much point in running Shorewall
> > on this configuration (unless there's more to it than what you've shown
> > us).
> >
> > Possibly the confusion comes over the word "control" -- were you thinking
> > traffic shaping?
>
> Yes, I see now that *any* firewall rules constitute "control".  I think
> I actually tried making everything related to the bridge be ACCEPT and
> it still died.  (I still had rules for the other non-bridge connection.)

The point is that you defined the 'net' and 'loc' zones so that it was 
*possible* to restrict connections between the two. As a consequence, 
Shorewall was trying to set up the appropriate framework to do that and 
establishing that framework required BRIDGING=Yes. There is another way to 
set up a bridge that doesn't require this framework. See 
http://www.shorewall.net/SimpleBridge.html (which is linked from the main 
Bridging article).

>
> Your documentation updates will help future people who stumble across
> this.  Thanks!

Thanks for bringing this to our attention.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 1 Dec 19:13 2005

End of support for Shorewall 2.0 and Shorewall 2.2

Support for 2.0 and 2.2 is now officially ended. As always, we'll try to help 
if we can but I personally will not spend time digging into the 2.0 and 2.2 
code trying to help with a problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Cleiton Peres Reis | 1 Dec 21:04 2005

providers (multilink)


Hi,

I would like to clarify a doubt on the configuration of the archive "providers" :

I have two DSL links both are dedicated :

Link1:  200.163.191.58   (ppp0)
Gw1:   200.180.128.228

Link2:  200.163.190.41   (ppp1)
Gw2:    200.180.128.228

(Yes both gateway are equal)

I don't do balance between the links.

My "/etc/shorewall/provider"  is like this :

LinkNAV        1       1       main    ppp0    200.180.128.228 track   -
LinkVPN        2       2       main    ppp1    200.180.128.228 track   -

When I try to start shorewall the following appears in the log and don't start :

Processing /etc/shorewall/providers...
RTNETLINK answers: File exists

If I change the config like this :

LinkNAV        1       1       -    ppp0    200.180.128.228 track   -
LinkVPN        2       2       -    ppp1    200.180.128.228 track   -

The shorewall start but some obscure things happen, certainly because routing
problems.

There's a hint to use the configuration of multilink in shorewall (providers),
having 2  equal gateways ?

I already looked for in the FAQ's and the documentation :
http://www.shorewall.net/Shorewall_and_Routing.html
http://www.shorewall.net/MultiISP.html

without success....

Thanks a lot.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Cleiton Peres Reis

Servidores Linux.

DoctorNet Redes e Conectividade Ltda

Rua General Osorio, 1092
Centro - CEP 96020-000 - Pelotas/RS
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Tom Eastep | 2 Dec 02:11 2005

Re: providers (multilink)

On Thursday 01 December 2005 12:04, Cleiton Peres Reis wrote:
> Hi,
>
> I would like to clarify a doubt on the configuration of the archive
> "providers" :
>
> I have two DSL links both are dedicated :
>
> Link1:  200.163.191.58   (ppp0)
> Gw1:   200.180.128.228
>
> Link2:  200.163.190.41   (ppp1)
> Gw2:    200.180.128.228
>
> (Yes both gateway are equal)
>
> I don't do balance between the links.

So if you are not going to balance, what *are* you going to do? Route 
everything out of one line? Specify where all traffic goes using entries 
in /etc/shorewall/tcrules? You can't just say "I don't do balance" without 
having a plan for *exactly* how you plan to assign packets to your two lines.

> The shorewall start but some obscure things happen, certainly because 
> routing problems.

"some obscure things happen" is not a problem report. Please submit the 
information requested at http://www.shorewall.net/support.htm (if you are 
running Shorewall 3.x) or http://www.shorewall.net/2.0/support.htm (if you 
are running Shorewall 2.x).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
