Tom Eastep | 1 Mar 2007 04:11

Re: maclist before "noise" rules?

Brian J. Murrell wrote:
> There are a class of rules that drop "noise" (i.e. SMB broadcasts),
> which I do like. :-)  It seems though that those are evaluated after the
> maclist rules.
> 
> Without having looked at the complications such a suggestion might
> entail :-) I wonder if maclist should not be done only after dropping
> noise?

The 'rules that drop "noise"' are called 'default actions' and are
described at http://www.shorewall.net/Actions.html#Default. These
"rules" (really actions) are associated with individual policies and are
applied when no other rule or restriction matches a packet. It follows
that, by definition, these actions must be applied last.

-Tom
--

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
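The evaluation order Tom describes, as a simplified Python model added to this thread (it is not Shorewall's own code): for an interface with the maclist option, the MAC check runs first, then the explicit rules, and the policy's default action only when nothing else matched. The MAC list, rules, policy and packets are constructed; `MACLIST_DISPOSITION` and `MACLIST_LOG_LEVEL` stand in for the shorewall.conf settings of the same name, and only the SMB part of the Drop default action is modelled.

```python
"""
Simplified model of the order in which Shorewall evaluates traffic from a
zone that uses the maclist option.  Illustrative code for this thread, not
Shorewall's implementation; all data below is constructed.
"""
from dataclasses import dataclass

# Ports the Drop default action discards silently as SMB/NetBIOS "noise".
SMB_NOISE_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str    # ACCEPT, DROP or REJECT
    stage: str     # which stage produced the verdict
    logged: bool   # whether this stage logs the packet


# Constructed maclist: interface -> MAC addresses allowed to use it.
MACLIST = {"eth1": {"00:11:22:33:44:55"}}
MACLIST_DISPOSITION = "REJECT"   # models shorewall.conf MACLIST_DISPOSITION
MACLIST_LOG_LEVEL = "info"       # models shorewall.conf MACLIST_LOG_LEVEL

# Constructed rules for the zone pair: (action, proto, dport).
RULES = [("ACCEPT", "tcp", 22), ("ACCEPT", "tcp", 80)]

# Constructed policy for the zone pair: DROP, logged, with the Drop default action.
POLICY = {"action": "DROP", "log_level": "info", "default_action": "Drop"}


def drop_default_action(pkt):
    """The SMB part of the Drop default action: silent, unlogged drop."""
    if pkt.proto in ("tcp", "udp") and pkt.dport in SMB_NOISE_PORTS:
        return Verdict("DROP", "default-action", logged=False)
    return None


def evaluate(pkt, iface="eth1"):
    """Return the verdict for pkt arriving on iface, in Shorewall's order."""
    # 1. The maclist check runs before any rule or policy is consulted.
    if pkt.src_mac not in MACLIST.get(iface, set()):
        return Verdict(MACLIST_DISPOSITION, "maclist", logged=bool(MACLIST_LOG_LEVEL))
    # 2. Explicit rules, in file order.
    for action, proto, dport in RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return Verdict(action, "rules", logged=False)
    # 3. The policy's default action: only reached when no rule matched.
    if POLICY["default_action"] == "Drop":
        verdict = drop_default_action(pkt)
        if verdict is not None:
            return verdict
    # 4. The policy itself.
    return Verdict(POLICY["action"], "policy", logged=bool(POLICY["log_level"]))


if __name__ == "__main__":
    known, unknown = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    for pkt in (Packet(known, "192.168.1.10", "tcp", 22),
                Packet(known, "192.168.1.10", "udp", 137),
                Packet(unknown, "192.168.1.99", "udp", 137),
                Packet(known, "192.168.1.10", "tcp", 3389)):
        print(pkt.src_mac, pkt.proto, pkt.dport, "->", evaluate(pkt))
```

The third packet is the case Brian observed: an SMB broadcast from a MAC that is not in the list never reaches the Drop default action, so it is rejected and logged by the maclist stage instead of being discarded silently.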

Andrew Suffield | 1 Mar 2007 08:31

Re: maclist before "noise" rules?

On Wed, Feb 28, 2007 at 07:11:52PM -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > There are a class of rules that drop "noise" (i.e. SMB broadcasts),
> > which I do like. :-)  It seems though that those are evaluated after the
> > maclist rules.
> > 
> > Without having looked at the complications such a suggestion might
> > entail :-) I wonder if maclist should not be done only after dropping
> > noise?
> 
> The 'rules that drop "noise"' are called 'default actions' and are
> described at http://www.shorewall.net/Actions.html#Default. These
> "rules" (really actions) are associated with individual policies and are
> applied when no other rule or restriction matches a packet. It follows
> that, by definition, these actions must be applied last.

Then perhaps what he wants is to run the default actions over stuff
matched by the maclist. That would make sense.

Undertaker | 1 Mar 2007 11:41

Re: Traffic control - simple config, need help

Is it a stupid question, or is it too hard to answer anything??
I admit I haven't found much on the internet about this, but, still, is nobody using
this function?

Michael Cozzi | 1 Mar 2007 12:15

Re: Traffic control - simple config, need help

Undertaker wrote:
> Is it a stupid question, or is it too hard to answer anything??
> I admit I haven't found much on the internet about this, but, still, is nobody using
> this function?
>   

    Just as a note,

    Using traffic shaping in Shorewall isn't for the inexperienced. The 
Shorewall site has a number of articles published or linked on the subject.

    I'd suggest digging deep and learning.

    http://www.shorewall.net/traffic_shaping.htm

Michael Cozzi
cozzi <at> cozziconsulting.com

Wratmoko Hadi HSW, Ir | 1 Mar 2007 13:33

Re: Traffic control - simple config, need help

On Thu, 2007-03-01 at 06:15 -0500, Michael Cozzi wrote:
> Undertaker wrote:
> > Is it a stupid question, or is it too hard to answer anything??
> > I admit I haven't found much on the internet about this, but, still, is nobody using
> > this function?
> >   
> 

A lot of useful scripts can be used for traffic control
with htb, cbq, wondershaper, imq, etc.,
from third parties like

http://luxik.cdi.cz/~devik/qos/htb/
http://www.mastershaper.org
http://htb-tools.arny.ro

or use shorewall with tc.

Please see the shorewall docs for how to do it.

------------------------------------------------------
Wratmoko Hadi HSW
GSM : +62.8157115488 
CDMA : +62.22.91175530 
E-Mail : wra_eng <at> bdg.pacific.net.id
System & Network Dev 
Pacific Telematika Indonesia 
Phone : +62.22.7308600 
Fax : +62.22.7308601 
Bandung - Indonesia 

Michael Cozzi | 1 Mar 2007 12:50

Ideas? Bridging.


    Hi all,

    Thanks in advance for comments...

    I recently moved my office and changed ISPs. My old connection I had 
control over my own routing, with the new connection I specified that 
the ISP handle the upstream routing. My plan was to simply bridge my DMZ 
and control it in that manner.

    I'm having a problem with connection rate throttling across the 
bridge, and I'm wondering if I'm missing something.

    I have this in the hosts file:

    DMZIN             br0:eth2
    DMZEX             br0:eth3

    And a rule like this seems to not work:

    ACCEPT:info    DMZEX    DMZIN    tcp    3389,3390,3391,3392,3393,3394    -    -    1/min:2

    shorewall.conf is set: BRIDGING=Yes

    And the box is running RHE4 (CentOS).

--
Michael Cozzi
cozzi <at> cozziconsulting.com
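What the RATE LIMIT column `1/min:2` in the rule above actually does, as a Python model added to this thread (not Shorewall's or netfilter's code): Shorewall renders that column as iptables' limit match (`--limit 1/min --limit-burst 2`), which is a token bucket that starts with `burst` tokens, refills at `rate`, and spends one token per connection attempt that reaches the rule. The attempt timestamps are constructed; the default burst of 5 when none is given is iptables' default.

```python
"""
Token-bucket model of the limit match behind Shorewall's RATE LIMIT column.
Illustrative code for this thread, not Shorewall's or the kernel's
implementation; the connection attempt timestamps below are constructed.
"""

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


def parse_rate_limit(spec, default_burst=5):
    """Parse rate/{sec|min|hour|day}[:burst] into (tokens per second, burst).

    default_burst=5 mirrors iptables' --limit-burst default.
    """
    rate_part, _, burst_part = spec.partition(":")
    count, _, unit = rate_part.partition("/")
    per_second = int(count) / UNIT_SECONDS[unit]
    burst = int(burst_part) if burst_part else default_burst
    return per_second, burst


class LimitMatch:
    """Token bucket with the semantics of the iptables limit match."""

    def __init__(self, spec):
        self.rate, self.burst = parse_rate_limit(spec)
        self.tokens = float(self.burst)   # the bucket starts full
        self.last = None

    def matches(self, now):
        """True if an attempt at time `now` (seconds) matches the rule."""
        if self.last is not None:
            # Refill for the time elapsed since the previous attempt, capped at burst.
            self.tokens = min(float(self.burst),
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(spec, attempt_times):
    """Return, per attempt, whether the rate-limited rule matched it."""
    match = LimitMatch(spec)
    return [match.matches(t) for t in attempt_times]


# Constructed: seven connection attempts, in seconds after the first one.
ATTEMPTS = [0, 1, 2, 30, 61, 62, 150]

if __name__ == "__main__":
    for t, ok in zip(ATTEMPTS, simulate("1/min:2", ATTEMPTS)):
        state = "matches rule (ACCEPT)" if ok else "no match, continues to later rules/policy"
        print(f"t={t:4d}s  {state}")
```

Two points the model makes visible: the first two attempts succeed immediately because the burst is 2, and an attempt that exceeds the rate is not dropped by this rule at all; it simply does not match, so what happens to it is decided by whatever follows in the rules file and by the policy for that zone pair. That is why "seems to not work" needs the clarification Tom asks for in his reply.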

Tom Eastep | 1 Mar 2007 16:28

Re: Ideas? Bridging.

Michael Cozzi wrote:

> 
>     I'm having a problem with connection rate throttling across the 
> bridge, and I'm wondering if I'm missing something.
> 
>     I have this in the hosts file:
> 
>     DMZIN             br0:eth2
>     DMZEX             br0:eth3

Which will cease working when you install kernel 2.6.20 -- you have been warned.

> 
>     And a rule like this seems to not work:

"seems to not work"... Does that mean:

a) Shorewall fails to start?
b) Shorewall starts and your firewall immediately bursts into flames?
c) Shorewall starts but the rule passes no traffic?
d) Shorewall starts and passes all traffic?
e) Shorewall starts but the rule allows 1.5 connections per minute?
...

> 
>     ACCEPT:info    DMZEX    DMZIN    tcp    3389,3390,3391,3392,3393,3394    -    -    1/min:2
> 
>     shorewall.conf is set: BRIDGING=Yes

Russel | 1 Mar 2007 16:41

Re: Ideas? Bridging.

>>     I'm having a problem with connection rate throttling across the 
>> bridge, and I'm wondering if I'm missing something.
>> 
>>     I have this in the hosts file:
>> 
>>     DMZIN             br0:eth2
>>     DMZEX             br0:eth3
>
>Which will cease working when you install kernel 2.6.20 -- you have been
>warned.

I don't mean to hijack this thread, but is that because of dropping physdev
support?

-Russel

--

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 268.18.4/705 - Release Date: 2/27/2007
3:24 PM

Tom Eastep | 1 Mar 2007 16:50

Re: Ideas? Bridging.

Russel wrote:
>>>     I'm having a problem with connection rate throttling across the 
>>> bridge, and I'm wondering if I'm missing something.
>>>
>>>     I have this in the hosts file:
>>>
>>>     DMZIN             br0:eth2
>>>     DMZEX             br0:eth3
>> Which will cease working when you install kernel 2.6.20 -- you have been
>> warned.
> 
> I don't mean to hijack this thread, but is that because of dropping physdev
> support?

Yes. It isn't being completely dropped but it is being reduced to the point
that it can no longer support Shorewall zone definition.

-Tom
--

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


mess-mate | 1 Mar 2007 23:41

stupid beginner's question

Hi all,
maybe stupid, but how can I open port 80 (www) for my server sitting
in the dmz zone?
My config is as follows:

------------------modem adsl (ppp0)---------
                        |            |
                        |       router/shorewall
                 server in dmz       |
                                    LAN

as explained in:
http://www.shorewall.net/three-interface_fr.html

There is no firewall or proxy running on the server.
The router runs shorewall/proxy(squid) on a debian system.

What can I do to give access from the net to my server?
Thanks for the help.
best regards
mess-mate
--

-- 

There is no distinctly native American criminal class except Congress.
		-- Mark Twain
