Re: Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2

Niedermeier Günter wrote:
> ...the patch works fine 
> 
> Thanks!

The good news:

	No more errors.

The bad news:

	The generated ruleset was wrong.

You probably want to install Shorewall-perl 4.2.4.4

------------------------------------------------------------------------------

Re: shorewall6 problems in 4.2.4

On Wed, Dec 31, 2008 at 08:17:35AM -0800, Shorewall Guy wrote:
> > 
> > 1. "routestopped" doesn't work at all
> > -------------------------------------
> > 
> > It looks as if the perl compiler doesn't yet correctly support IPv6 in
> > the routestopped config file. I tried different syntaxes, with and
> > without "<>" around the address. In the case with "<>" it complains
> > about an invalid IPv6 address, in the other case it looks as if it
> > tries to resolve the first part of the address (up to the first ":")
> > as a hostname and complains that it can't find the host.
> > 
> > I didn't dig deeper into this problem since it isn't critical for me
> > at the moment.
> I can't reproduce this problem; routestopped works fine for me. Can you
> give us some examples of the failures that you are seeing?

Further testing reveals that this seems to only apply to lines that
have the "critical" option set.

The following line:

------------
eth3            2a00:f88:ffff:ffff::/64         critical
------------

yields this (last lines of "shorewall6 check"):

------------
Checking /etc/shorewall6/routestopped for critical hosts...

Re: shorewall6 problems in 4.2.4

Andreas Ferber wrote:
>
> Further testing reveals that this seems to only apply to lines that
> have the "critical" option set.
> 

Please see if the attached patch corrects the problem.

------------------------------------------------------------------------------

------------------------------------------------------------------------------

Re: Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2

Also good news: the new version works, but I havn't verified the 
generated ruleset.

Shorewall Guy schrieb:
> Niedermeier Günter wrote:
>> ...the patch works fine 
>>
>> Thanks!
> 
> The good news:
> 
> 	No more errors.
> 
> The bad news:
> 
> 	The generated ruleset was wrong.
> 
> You probably want to install Shorewall-perl 4.2.4.4

------------------------------------------------------------------------------

Re: shorewall6 problems in 4.2.4

Hi,

On Wed, Dec 31, 2008 at 08:52:54PM -0800, Shorewall Guy wrote:
> Andreas Ferber wrote:
> >
> > Further testing reveals that this seems to only apply to lines that
> > have the "critical" option set.
> Please see if the attached patch corrects the problem.

Yes, that does the trick.

Thanks for fixing problems so fast 

Andreas
--

-- 
Andreas Ferber           | MarcanT Internet-Services GmbH
Systemadministration     | Ravensberger Str. 10G, D-33602 Bielefeld
aferber <at> marcant.net      | Geschaeftsfuehrer: Thorsten Hojas
USt-ID Nr.: DE 190203238 | Handelsregister: Amtsgericht Bielefeld, HRB 35 827
___________________________________________________________
CONFIDENTIALITY NOTICE
The contents of this email are confidential to the ordinary user of the email
address to which it was addressed and may also be privileged. If you are not
the addressee of this email you may not copy, forward, disclose or otherwise
use it or any part of it in any form whatsoever. If you have received this
email in error please email the sender by replying to this message.

------------------------------------------------------------------------------

Re: shorewall6 problems in 4.2.4

Andreas Ferber wrote:

> Thanks for fixing problems so fast 

You're welcome

------------------------------------------------------------------------------

Re: Proxy ARP'ing and NAT'ing on the same NICs

Shorewall Guy skrev:
> Zones are security objects. So there is no reason to have separate
> security zones for the two classes of servers. They would be useless
> anyway since once a server is successfully rooted, the attacker has full
> access to the other servers on the LAN segment without going through the
> firewall.
> 
> I will warn you that what you are trying to do can be a real PITA to get
> working if the NAT servers need to communicate with the Proxy ARPed
> servers or vice versa. In each server, you will need to configure direct
> routes to the servers of the other type. Split DNS is a must.

No problem using one zone, I just normally separate subnets/nics in 
different zones so had to adjust this :)

Thanks.

/Lars

------------------------------------------------------------------------------

HELP! Trying to masq some machines

Hello!
I'm trying to build some configuration with some troubles, maybe it's 
simple.
My network has a machine acting as a firewall / proxy server between 
internal and external zones.
Then, my machine has two interfaces, eth0 connected to Internet with a 
static IP address, and eth1, connected to the internal network, with a 
static IP address too.
Let's assume that external IP is 200.200.200.200. Internal IP addresses 
are (really) 192.9.201.0 based.
I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
dansguardian to restrict access to some pages.
The proxy port I'm using is 8008.
The problem I have is that some machines need to use some internet based 
services, and then need to access directly the internet without using 
the proxy. Let's assume that the IP addess of one of this machines is 
192.9.201.100. All other machines in the 192.9.201.0 network are going 
to access the web via the squid/squidguard/dansguardian system.
Well...I don't really understand how to configure my shorewall to let 
this!!!
I''m copying my shorewall configuration files, located under 
/etc/shorewall. Please, can anybody help me with this, or guide me on 
the right direction? I'm really confused!!!
Following, my config files:

a) /etc/shorewall/zones:
fw firewall
lan ipv4
wan ipv4

Re: HELP! Trying to masq some machines

On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
> Hello!
> I'm trying to build some configuration with some troubles, maybe it's 
> simple.
<SNIP>
> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
> dansguardian to restrict access to some pages.
<SNIP>
> Well...I don't really understand how to configure my shorewall to let 
> this!!!

First, start by reading this page:

http://www.shorewall.net/Shorewall_Squid_Usage.html

Also, have a look at NONAT in the shorewall-rules man page, as it seems
you will need that.

> I''m copying my shorewall configuration files, located under 

Please don't do that.  We don't have time to go through your
configuration files.  Especially since they do not tell the whole story.
Please read the information at the above link.  If, after that, you
cannot make it work the way you think it should work, then please ask
your question in accordance with the guidelines located here:

http://www.shorewall.net/support.htm

Regards,

Re: OPENVPN - SHOREWALL

------------------------------------------------------------------------------

------------------------------------------------------------------------------