Tom Eastep | 1 Oct 2006 02:57

Re: DMZ or no DMZ?

Michael Andersson wrote:
> I have just bought 
> a voip box that either needs to be in front of my existing 
> router(shorewall), or behind it in a dmz, or behind it if my router 
> supports symmetric nat. The second option is what I would prefer. I don't 
> even know what the third option is.

It only applies if you have more than one public IP address.

> However, looking at the 
> documentation it will only explain a solution when i have a separate nic 
> for the dmz.

When the documentation for consumer-grade products talks about a DMZ, it
bears little or no resemblance to a DMZ as described in the Shorewall
documentation. But in both cases, a DMZ involves a separate NIC.

> The voip must have at least 128kb/s in both directions for a satisfying 
> sound quality over the phone, but the traffic shaping/control page 
> doesn't mention if it is possible to achieve with a dmz, or I might not 
> understand it completely.

Only your ISP can guarantee a level of service for inbound traffic.
Shorewall traffic shaping can ensure that your voip traffic gets 128kb/s
outbound, with or without a DMZ.

> My local network is in the 192.168.0.0 subnet and the voip box will be 
> on 192.168.1.0 subnet, will this cause any trouble?

Depends on how you configure your IP network. Without adding another
(Continue reading)

Tom Eastep | 1 Oct 2006 02:58

Re: Timeouts?

Jan Johansson wrote:

> 
> So, are there any session time-outs that I might have forgotten to set, or is
> this something else?
> 

/proc/sys/net/ipv4/tcp_keep* ?

-Tom
--

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Jan Johansson | 1 Oct 2006 09:58

Re: Timeouts?

>/proc/sys/net/ipv4/tcp_keep* ?
>
>-Tom

Thanks for the answer, but the problem was elsewhere I realized at 3am :).
It was actually the router at the remote site. I must have changed the
settings in that one when I installed the first boxes, and then forgot about
it.

Yes, I probably _should_ have changed the settings for the entire subnet,
and not just the IPs I was using at the time. 

Attachment (smime.p7s): application/x-pkcs7-signature, 3030 bytes
Ian | 1 Oct 2006 11:51

http://www.shorewall.net/FAQ.htm#faq4d

Looks like it's up now.

Regards
Fog_Watch.

Begin forwarded message:

Date: Wed, 27 Sep 2006 12:33:12 +1000
From: Ian <db5 <at> hermes.net.au>
To: shorewall-users <at> lists.sourceforge.net
Subject: http://www.shorewall.net/FAQ.htm#faq4d

I am interested in Shorewall and Snort-inline.  The link
(http://www.catherders.com/tiki-view_blog_post.php?blogId=1&postId=71) documenting this in
the FAQ seems dead.  Does anyone have a copy?

Regards

Fog_Watch.

Michael W Cocke | 1 Oct 2006 17:16

http://www.shorewall.net/FAQ.htm#faq4d

Sorry about that - I foolishly assumed Verizon would get things
working when they were supposed to.  We're back now.

Mike-
(Chief CatHerder)

On Sun, 1 Oct 2006 19:51:18 +1000, you wrote:

>Looks like it's up now.
>
>Regards
>Fog_Watch.
>
>Begin forwarded message:
>
>Date: Wed, 27 Sep 2006 12:33:12 +1000
>From: Ian <db5 <at> hermes.net.au>
>To: shorewall-users <at> lists.sourceforge.net
>Subject: http://www.shorewall.net/FAQ.htm#faq4d
>
>
>I am interested in Shorewall and Snort-inline.  The link
>(http://www.catherders.com/tiki-view_blog_post.php?blogId=1&postId=71) documenting this in
>the FAQ seems dead.  Does anyone have a copy?
>
>Regards
>
>Fog_Watch.
>
(Continue reading)

C. Albers | 1 Oct 2006 17:19

Re: Shorewall and UDP port 500

Thanks, Tom, for taking the time to clear this up for
me.  I really appreciate the help.

Chad

--- Tom Eastep <teastep <at> shorewall.net> wrote:

> C. Albers wrote:
> > Hi Tom,
> > 
> > The problem isn't so much that I have made a connection from loc->net
> > on UDP port 500 (and 10000), but the other way around, net->loc. If I
> > understand your firewall correctly, the rules in the rules config file
> > are exceptions to a net->loc DROP policy. For example, as an exception,
> > I have opened port 22 to allow incoming ssh connections. However, I have
> > not opened UDP port 500 (and 10000) for returning VPN traffic.
> > In theory, then, I shouldn't be able to connect to my VPN at all,
> > because a response from my VPN server would be blocked by the firewall
> > and never reach my VPN client.
(Continue reading)

Elio Tondo | 2 Oct 2006 16:01

Error after update

On two firewalls I have errors after a Shorewall update; no changes
have been made to the configuration files.

Current situation on one of the two installations (the other one is similar):

- Fedora Core 4
- shorewall-3.2.4-1.fc4
- iptables-1.3.0-2

I have two machines in the loc zone with a static NAT:

#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
xxx.xxx.xxx.254  eth0            192.168.10.5     No                      No
xxx.xxx.xxx.247  eth0            192.168.10.60   No                      No

and in the masq file:

#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0                   eth1!192.158.10.5,192.158.10.60

(masquerading for all machines in loc except for the two with static NAT).

It used to work with no problems with Shorewall 3.0 and also with earlier
3.2 releases; now with 3.2.4 it fails during startup with this error:

Setting up Masquerading/SNAT...
iptables v1.3.0: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 192.168.12.0/24 -d 
(Continue reading)

Tom Eastep | 2 Oct 2006 16:17

Re: Error after update

Elio Tondo wrote:

> 
> and in the masq file:
> 
> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0                   eth1!192.158.10.5,192.158.10.60
> 
> (masquerading for all machines in loc except for the two with static NAT).
> 
> It used to work with no problems with Shorewall 3.0 and also with earlier
> 3.2 releases

I need to know which earlier 3.2 release(s).

> ; now with 3.2.4 it fails during startup with this error:
> 
> Setting up Masquerading/SNAT...
> iptables v1.3.0: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 192.168.12.0/24 -d 
> 0.0.0.0/0 --sport 53 -j" Failed
> 

If you wish to report problems with startup, you must send a trace. Taking a
command out of context and saying "look, this didn't work" will get you sympathy
but no help.

-Tom
--

-- 
(Continue reading)

Tom Eastep | 2 Oct 2006 16:22

Re: Error after update

Elio Tondo wrote:
> 
> I have two machines in the loc zone with a static NAT:
> 
> #EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
> #                                               INTERFACES
> xxx.xxx.xxx.254  eth0            192.168.10.5     No                      No
> xxx.xxx.xxx.247  eth0            192.168.10.60   No                      No
> 
> and in the masq file:
> 
> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0                   eth1!192.158.10.5,192.158.10.60
> 
> (masquerading for all machines in loc except for the two with static NAT).

Which is totally unnecessary -- static nat is applied before masquerade.

-Tom
--

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

(Continue reading)

Tom Eastep | 2 Oct 2006 16:33

Re: Error after update

Tom Eastep wrote:
> Elio Tondo wrote:
> 
>> and in the masq file:
>>
>> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
>> eth0                   eth1!192.158.10.5,192.158.10.60
>>
>> (masquerading for all machines in loc except for the two with static NAT).
>>
>> It used to work with no problems with Shorewall 3.0 and also with earlier
>> 3.2 releases
> 
> I need to know which earlier 3.2 release(s).

I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I
don't know if the attached patch to /usr/share/shorewall/compiler will correct
your problem or not.

At any rate, what you were doing (excluding the static nat addresses from
masquerade) is unnecessary.

-Tom
--

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Attachment (patch-3.2.4-1.diff): text/x-patch, 2877 bytes
(Continue reading)
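Tom's point in the two replies above is that static NAT is applied before masquerade, so excluding the nat-file hosts from the masq entry changes nothing; the posted masq exclusion also spells the hosts 192.158.10.x while the nat file has 192.168.10.x. The following added checker (not Shorewall's own code) parses constructed nat and masq files modelled on the thread's excerpts and reports every exclusion as either redundant (host already has a static NAT entry) or unmatched (no entry, with a one-octet-off NAT host suggested as the likely typo); the external addresses are documentation-range placeholders.

```python
# Constructed sample nat and masq files modelled on the thread's excerpts
# (external addresses are documentation-range placeholders, not the poster's).
NAT_FILE = """\
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
203.0.113.254   eth0            192.168.10.5    No              No
203.0.113.247   eth0            192.168.10.60   No              No
"""
MASQ_FILE = """\
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0                    eth1!192.158.10.5,192.158.10.60
"""
def _records(text):
    """Whitespace-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_nat(text):
    """Map INTERNAL -> EXTERNAL for every static NAT entry in the nat file."""
    return {f[2]: f[0] for f in _records(text) if len(f) >= 3}

def parse_masq(text):
    """Yield (interface, subnet, excluded hosts); masq spells exclusions SUBNET!h1,h2."""
    for f in _records(text):
        if len(f) >= 2:
            subnet, _, excl = f[1].partition("!")
            yield f[0], subnet, [h for h in excl.split(",") if h]

def nearest_nat_host(host, nat_hosts):
    """A NAT host differing from `host` in exactly one octet (a likely typo), or None."""
    octets = host.split(".")
    for cand in nat_hosts:
        c = cand.split(".")
        if len(c) == 4 and sum(a != b for a, b in zip(octets, c)) == 1:
            return cand
    return None

def check_exclusions(nat_text, masq_text):
    """'redundant': host already has a static NAT entry (applied before masquerade,
    so the exclusion changes nothing; info = external address). 'unmatched': no
    entry, likely a typo; info = one-octet-off NAT host or None."""
    nat = parse_nat(nat_text)
    report = {"redundant": [], "unmatched": []}
    for iface, subnet, hosts in parse_masq(masq_text):
        for h in hosts:
            info = nat.get(h) or nearest_nat_host(h, nat)
            report["redundant" if h in nat else "unmatched"].append((iface, subnet, h, info))
    return report
```

Run `check_exclusions(NAT_FILE, MASQ_FILE)` to see both posted exclusions reported as unmatched with their 192.168.10.x counterparts; with the typo corrected they become redundant, which is the case Tom describes.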