Tom Eastep | 1 Jul 2006 01:05

Re: zone usa?

Cristian Rodriguez wrote:
> Tom Eastep wrote:
>> Chuck Kollars wrote:
>>> How can I define a "zone" of all systems with non-country domain names, i.e. *.com, *.org, *.net?
>>>
>> That's not practical with Shorewall.
>>
> 
> and is also generally an awful idea.

I can add that there is a "geoip match" patch for Netfilter/iptables available
on the net. It was recently removed from patch-o-matic-ng because the netfilter
team were unable to identify a maintainer for it. Shorewall has no in-built
support for geoip match and won't have such support unless and until geoip
becomes part of the standard Netfilter/iptables distribution. I hope that will
never happen because the main use of geoip match seems to be for filtering
traffic based on the country of origin. Many people (including myself) find that
practice to be offensive.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier

Paul Johnson | 1 Jul 2006 01:52

Re: zone usa?

On Friday 30 June 2006 16:05, Tom Eastep wrote:
> Cristian Rodriguez wrote:
> > Tom Eastep wrote:
> >> Chuck Kollars wrote:
> >>> How can I define a "zone" of all systems with non-country domain names,
> >>> i.e. *.com, *.org, *.net?
> >>
> >> That's not practical with Shorewall.
> >
> > and is also generally an awful idea.
>
> I can add that there is a "geoip match" patch for Netfilter/iptables
> available on the net. It was recently removed from patch-o-matic-ng because
> the netfilter team were unable to identify a maintainer for it. Shorewall
> has no in-built support for geoip match and won't have such support unless
> and until geoip becomes part of the standard Netfilter/iptables
> distribution. I hope that will never happen because the main use of geoip
> match seems to be for filtering traffic based on the country of origin.
> Many people (including myself) find that practice to be offensive.

I hope it does:  Most of my spam comes specifically from California and it's 
not like that state's ever been a good neighbor to Oregon and Washington...

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): baloo <at> ursine.ca
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber

Tom Eastep | 1 Jul 2006 02:54

Re: zone usa?

Paul Johnson wrote:

> 
> I hope it does:  Most of my spam comes specifically from California and it's 
> not like that state's ever been a good neighbor to Oregon and Washington...
> 

And once you block email from California, you won't be able to read this
mailing list any more since it is hosted in Menlo Park.

And since the list administrator has a thing against Oregon, he blocks
all posts from the state (especially from Gresham) so you won't be able to
find out why you aren't getting any mail from the list.

See why I think this whole idea is silly?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


Cristian Rodriguez | 1 Jul 2006 03:14

Re: zone usa?

Paul Johnson wrote:

> I hope it does:  Most of my spam comes specifically from California and it's 
> not like that state's ever been a good neighbor to Oregon and Washington...
> 

that was another awful idea, really... you have to be crazy to implement
such a silly thing.

Tom Eastep | 1 Jul 2006 16:43

Shorewall 3.2.0-RC6

http://www.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-RC6/
ftp://ftp.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-RC6/

Problems Corrected in 3.2.0 RC 6

1)  When 'balance' is specified in more than one provider, only the
    last such provider appears in the default route.

2)  The permission settings of /etc/shorewall/params and of several
    files in /usr/share/shorewall/configfiles were incorrect.

Other changes in 3.2.0 RC 6

1)  This change will be in 3.0.9 so I'm slipping it into this RC for
    compatibility.

    It is now possible to use the special value 'detect' in the ADDRESS
    column of /etc/shorewall/masq. This allows you to specify SNAT (as
    opposed to MASQUERADE) without having to know the ip address of the
    external interface. Shorewall must be restarted each time that the
    external address (the address of the interface named in the
    INTERFACE column) changes. Note that if you have done a 'shorewall
    save' then it is sufficient to "shorewall restore" since the
    restore script will re-detect the interface's IP address(es).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
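To make concrete what 'detect' in the ADDRESS column trades against plain MASQUERADE, here is an added shell example; it is not Shorewall's own compiler code. It pulls the interface's IPv4 address out of `ip -o addr` style output once and bakes it into an SNAT rule, which is exactly why the generated rules have to be rebuilt (restart or restore) when the address changes, while the MASQUERADE variant leaves the address lookup to the kernel for every packet. The interface name eth0, the address 203.0.113.10 and the internal subnet 192.168.1.0/24 are assumptions, and the sample `ip` output is constructed inline so the script runs without touching a real interface.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): what ADDRESS=detect in
# /etc/shorewall/masq amounts to. The external interface's address is
# looked up once, at rule-generation time, and written into an SNAT rule;
# '-' in the ADDRESS column yields MASQUERADE, which resolves the address
# per packet and therefore survives address changes without a restart.

# Constructed sample of `ip -4 -o addr show dev eth0` output (assumed
# address), used instead of calling ip(8) so the script runs anywhere.
SAMPLE_ADDR_OUTPUT='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0'

# first_inet OUTPUT: print the first IPv4 address in `ip -o addr` style
# output without its prefix length; print nothing if there is none.
first_inet() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# detect_address IFACE [SAMPLE]: parse SAMPLE if given, else query ip(8).
# Fails (status 1) when the interface has no IPv4 address.
detect_address() {
    iface=$1
    if [ -n "${2-}" ]; then
        out=$2
    else
        out=$(ip -4 -o addr show dev "$iface" 2>/dev/null) || return 1
    fi
    addr=$(first_inet "$out")
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# masq_rule INTERFACE SUBNET ADDRESS [SAMPLE]: emit the POSTROUTING rule
# for one masq entry. ADDRESS is '-', 'detect' or a literal address.
masq_rule() {
    iface=$1 subnet=$2 address=$3 sample=${4-}
    case $address in
        -)
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
                "$subnet" "$iface" ;;
        detect)
            addr=$(detect_address "$iface" "$sample") || {
                echo "ERROR: $iface has no IPv4 address; cannot SNAT" >&2
                return 1
            }
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
                "$subnet" "$iface" "$addr" ;;
        *)
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
                "$subnet" "$iface" "$address" ;;
    esac
}

# The masq line "eth0  192.168.1.0/24  detect", rendered against the sample.
masq_rule eth0 192.168.1.0/24 detect "$SAMPLE_ADDR_OUTPUT"
```

Run without the fourth argument to query the live interface instead of the sample. Note the failure mode: if the interface is up but has no address yet (a PPP link still negotiating), the SNAT rule cannot be built and the function fails loudly rather than emitting a rule with an empty `--to-source`.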

Tom Eastep | 1 Jul 2006 17:06

Installing Shorewall 3.2 under Cygwin

With Shorewall 3.2, you can compile Shorewall scripts on one system and then run
them under Shorewall Lite on another system.

The system where you do the compilations and maintain all of the configurations
may be a Windows system running Cygwin!

Here's how to do it using RC6. From a bash prompt under Cygwin:

a) mkdir /sbin         #Cygwin doesn't have /sbin
b) mkdir /etc/init.d   #Nor does it have /etc/init.d
c) tar -zxf shorewall-3.2.0-RC6.tgz
d) cd shorewall-3.2.0-RC6
e) OWNER="<your user id>" GROUP="None" ./install.sh
f) ln -s /sbin/shorewall /usr/bin/shorewall

That's it! You can now create configuration directories for your Shorewall Lite
firewalls and compile them.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


Tom Eastep | 1 Jul 2006 17:57

Re: Installing Shorewall 3.2 under Cygwin

Tom Eastep wrote:

> 
> That's it! You can now create configuration directories for your Shorewall Lite
> firewalls and compile them.

I should add, though, that, as always, Cygwin isn't Unix so you will see some
anomalies. The most common problem is that Cygwin doesn't allow the removal of
open files (because Windows XP doesn't allow it) so the temporary directories
created by Shorewall in /tmp will often remain and you will see error messages
out of 'rm' saying that /tmp/shorewall.xxxx/compiler_state couldn't be removed.

You'll have to just live with that and occasionally "rm -rf /tmp/shorewall*".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


Cristian Rodriguez | 1 Jul 2006 20:46

Re: Installing Shorewall 3.2 under Cygwin

Tom Eastep wrote:
> With Shorewall 3.2, you can compile Shorewall scripts on one system and then run
> them under Shorewall Lite on another system.
> 
> The system where you do the compilations and maintain all of the configurations
> may be a Windows system running Cygwin!
> 
> Here's how to do it using RC6. From a bash prompt under Cygwin:
> 
> a) mkdir /sbin         #Cygwin doesn't have /sbin
> b) mkdir /etc/init.d   #Nor does it have /etc/init.d
> c) tar -zxf shorewall-3.2.0-RC6.tgz
> d) cd shorewall-3.2.0-RC6
> e) OWNER="<your user id>" GROUP="None" ./install.sh
> f) ln -s /sbin/shorewall /usr/bin/shorewall
> 
> That's it! You can now create configuration directories for you Shorewall Lite
> firewalls and compile them.
> 

nice Tom :)

I'm marking this email with a "red flag" as a reminder to include this
information in the documentation. ;)


Yogesh Sharma | 2 Jul 2006 14:55

Shorewall on laptop

Hi

I am trying to configure shorewall on a laptop which has the following interfaces:

eth0    - wired
wlan0   - wireless
ppp0    - modem/verizon-evdo dialup

What is the best way to configure shorewall so that shorewall can 
protect all 3 interfaces?
While I am in the office I am on wlan0 or eth0 or both, while at the client side 
I am on eth0, and while traveling I am using the modem/verizon-evdo dialup.

Is it possible to configure shorewall in a manner so that it can detect which 
interface(s) are up and act on them accordingly?

Thanks
YS

Tom Eastep | 2 Jul 2006 16:30

Re: Shorewall on laptop

Yogesh Sharma wrote:

> 
> Is it possible to configure shorewall in a manner so that it can detect which 
> interface(s) are up and act on them accordingly?

The easiest way is this:

/etc/shorewall/interfaces:

net	eth0	detect	<options>
net	ath0	detect	<options>
net	ppp0	-	<options>

Note that some <option>s like 'routefilter' will generate a warning during
startup for each interface that isn't available. That is normal and can be
safely ignored.

Since you won't need to route traffic from one 'net' interface to another, you
can place this in /etc/shorewall/policy:

net	net	NONE

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
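The practical point in the reply above is that a laptop firewall must tolerate interfaces that are not present at startup (ppp0 while on the wired LAN, wlan0 with the radio off), which is why the per-interface warnings are harmless. Here is an added shell example in that spirit; it is illustration, not Shorewall's startup logic. It classifies each configured interface as up, down or absent from `ip -o link` style output, warns about the absent ones, and fails only when none of them exist. The question used wlan0 where Tom's reply lists ath0 (the madwifi Atheros driver's interface name); the example follows the question. The interface list and the sample `ip -o link` output are constructed inline so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): tolerate 'net' interfaces from
# /etc/shorewall/interfaces that are not present when the firewall starts.
# A missing interface is a warning, not a failure; only the case where no
# configured interface exists at all is treated as an error.

# Constructed sample of `ip -o link` output for a laptop on the office LAN:
# eth0 up, wlan0 present but down, ppp0 not present at all.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN'

# The interfaces from the question (assumed list, one 'net' zone for all).
CONFIGURED_IFACES='eth0 wlan0 ppp0'

# iface_state NAME LINKS: print "up", "down" or "absent" for NAME, judged
# from the flag list (<...,UP,...>) of its line in LINKS.
iface_state() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $2 == (name ":") {
            state = ($0 ~ /[<,]UP[,>]/) ? "up" : "down"
            print state; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# check_interfaces "IFACE ..." LINKS: warn about absent interfaces, print the
# ones that exist (up or down), and return 1 only if none of them exist.
check_interfaces() {
    present=
    for i in $1; do
        case $(iface_state "$i" "$2") in
            absent) echo "WARNING: interface $i does not exist; skipping" >&2 ;;
            *)      present="$present$i " ;;
        esac
    done
    [ -n "$present" ] || { echo "ERROR: none of '$1' exist" >&2; return 1; }
    printf '%s\n' "${present% }"
}

# On the sample: warns about ppp0, prints "eth0 wlan0".
check_interfaces "$CONFIGURED_IFACES" "$SAMPLE_LINKS"
```

Replace the second argument with `$(ip -o link)` to run it against the live system. Treating "down" like "up" is deliberate: the interface exists, so rules naming it can be loaded now and take effect the moment it comes up, whereas an absent interface can only be reported.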