Shorewall Guy | 1 Jan 02:38 2009

Re: Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2

Niedermeier Günter wrote:
> ...the patch works fine :-)
> 
> Thanks!

The good news:

	No more errors.

The bad news:

	The generated ruleset was wrong.

You probably want to install Shorewall-perl 4.2.4.4

------------------------------------------------------------------------------
Andreas Ferber | 1 Jan 05:20 2009

Re: shorewall6 problems in 4.2.4

On Wed, Dec 31, 2008 at 08:17:35AM -0800, Shorewall Guy wrote:
> > 
> > 1. "routestopped" doesn't work at all
> > -------------------------------------
> > 
> > It looks as if the perl compiler doesn't yet correctly support IPv6 in
> > the routestopped config file. I tried different syntaxes, with and
> > without "<>" around the address. In the case with "<>" it complains
> > about an invalid IPv6 address, in the other case it looks as if it
> > tries to resolve the first part of the address (up to the first ":")
> > as a hostname and complains that it can't find the host.
> > 
> > I didn't dig deeper into this problem since it isn't critical for me
> > at the moment.
> I can't reproduce this problem; routestopped works fine for me. Can you
> give us some examples of the failures that you are seeing?

Further testing reveals that this seems to only apply to lines that
have the "critical" option set.

The following line:

------------
eth3            2a00:f88:ffff:ffff::/64         critical
------------

yields this (last lines of "shorewall6 check"):

------------
Checking /etc/shorewall6/routestopped for critical hosts...

Shorewall Guy | 1 Jan 05:52 2009

Re: shorewall6 problems in 4.2.4

Andreas Ferber wrote:
>
> Further testing reveals that this seems to only apply to lines that
> have the "critical" option set.
> 

Please see if the attached patch corrects the problem.

Attachment (critical.patch): text/x-patch, 868 bytes
------------------------------------------------------------------------------
Niedermeier Günter | 1 Jan 13:18 2009

Re: Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2

Also good news: the new version works, but I haven't verified the 
generated ruleset.

Shorewall Guy wrote:
> Niedermeier Günter wrote:
>> ...the patch works fine :-)
>>
>> Thanks!
> 
> The good news:
> 
> 	No more errors.
> 
> The bad news:
> 
> 	The generated ruleset was wrong.
> 
> You probably want to install Shorewall-perl 4.2.4.4

------------------------------------------------------------------------------
Andreas Ferber | 1 Jan 16:08 2009

Re: shorewall6 problems in 4.2.4

Hi,

On Wed, Dec 31, 2008 at 08:52:54PM -0800, Shorewall Guy wrote:
> Andreas Ferber wrote:
> >
> > Further testing reveals that this seems to only apply to lines that
> > have the "critical" option set.
> Please see if the attached patch corrects the problem.

Yes, that does the trick.

Thanks for fixing problems so fast :-)

Andreas

-- 
Andreas Ferber           | MarcanT Internet-Services GmbH
Systemadministration     | Ravensberger Str. 10G, D-33602 Bielefeld
aferber <at> marcant.net      | Geschaeftsfuehrer: Thorsten Hojas
USt-ID Nr.: DE 190203238 | Handelsregister: Amtsgericht Bielefeld, HRB 35 827
___________________________________________________________
CONFIDENTIALITY NOTICE
The contents of this email are confidential to the ordinary user of the email
address to which it was addressed and may also be privileged. If you are not
the addressee of this email you may not copy, forward, disclose or otherwise
use it or any part of it in any form whatsoever. If you have received this
email in error please email the sender by replying to this message.
------------------------------------------------------------------------------

Shorewall Guy | 1 Jan 17:24 2009

Re: shorewall6 problems in 4.2.4

Andreas Ferber wrote:

> Thanks for fixing problems so fast :-)

You're welcome

------------------------------------------------------------------------------
Lars Erik Dangvard Jensen | 1 Jan 21:18 2009

Re: Proxy ARP'ing and NAT'ing on the same NICs

Shorewall Guy wrote:
> Zones are security objects. So there is no reason to have separate
> security zones for the two classes of servers. They would be useless
> anyway since once a server is successfully rooted, the attacker has full
> access to the other servers on the LAN segment without going through the
> firewall.
> 
> I will warn you that what you are trying to do can be a real PITA to get
> working if the NAT servers need to communicate with the Proxy ARPed
> servers or vice versa. In each server, you will need to configure direct
> routes to the servers of the other type. Split DNS is a must.

No problem using one zone, I just normally separate subnets/nics in 
different zones so had to adjust this :)

Thanks.

/Lars

------------------------------------------------------------------------------
HeCSa | 1 Jan 21:19 2009

HELP! Trying to masq some machines

Hello!
I'm trying to build some configuration with some troubles, maybe it's 
simple.
My network has a machine acting as a firewall / proxy server between 
internal and external zones.
Then, my machine has two interfaces, eth0 connected to Internet with a 
static IP address, and eth1, connected to the internal network, with a 
static IP address too.
Let's assume that external IP is 200.200.200.200. Internal IP addresses 
are (really) 192.9.201.0 based.
I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
dansguardian to restrict access to some pages.
The proxy port I'm using is 8008.
The problem I have is that some machines need to use some internet based 
services, and then need to access directly the internet without using 
the proxy. Let's assume that the IP address of one of these machines is 
192.9.201.100. All other machines in the 192.9.201.0 network are going 
to access the web via the squid/squidguard/dansguardian system.
Well...I don't really understand how to configure my shorewall to let 
this!!!
I'm copying my shorewall configuration files, located under 
/etc/shorewall. Please, can anybody help me with this, or guide me on 
the right direction? I'm really confused!!!
Following, my config files:

a) /etc/shorewall/zones:
fw firewall
lan ipv4
wan ipv4

Roberto C. Sánchez | 1 Jan 21:59 2009

Re: HELP! Trying to masq some machines

On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
> Hello!
> I'm trying to build some configuration with some troubles, maybe it's 
> simple.
<SNIP>
> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
> dansguardian to restrict access to some pages.
<SNIP>
> Well...I don't really understand how to configure my shorewall to let 
> this!!!

First, start by reading this page:

http://www.shorewall.net/Shorewall_Squid_Usage.html

Also, have a look at NONAT in the shorewall-rules man page, as it seems
you will need that.

> I''m copying my shorewall configuration files, located under 

Please don't do that.  We don't have time to go through your
configuration files.  Especially since they do not tell the whole story.
Please read the information at the above link.  If, after that, you
cannot make it work the way you think it should work, then please ask
your question in accordance with the guidelines located here:

http://www.shorewall.net/support.htm

Regards,
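The shape of the configuration Roberto is pointing at, written out here as an added illustration (it is not part of his reply, nor copied from the Shorewall documentation). It assumes eth0 is the external interface and eth1 the internal one, the zone names fw/lan/wan from the posted zones file, 200.200.200.200 standing in for the firewall's real external address, and a lan->wan policy of ACCEPT; the column layout follows the 4.x rules file, so check the NONAT and REDIRECT columns against the shorewall-rules man page for the version actually installed.

```text
# /etc/shorewall/masq   (assumed content; everything on the LAN, including the
#                        direct-access host, is masqueraded behind eth0)
#INTERFACE   SOURCE            ADDRESS
eth0         192.9.201.0/24

# /etc/shorewall/rules  (assumed content; order matters, NONAT must come
#                        before the REDIRECT it is meant to exclude from)
#ACTION     SOURCE               DEST      PROTO   DEST     SOURCE   ORIGINAL
#                                                  PORT(S)  PORT(S)  DEST
# 192.9.201.100 reaches the web directly: exempt it from the REDIRECT below.
# NONAT only skips DNAT/REDIRECT; the masq entry above still applies to it.
NONAT       lan:192.9.201.100    wan       tcp     80
# Every other LAN host is transparently sent to the proxy chain on port 8008.
# The ORIGINAL DEST exclusion keeps requests aimed at the firewall's own
# external address from being looped back into the proxy.
REDIRECT    lan                  8008      tcp     80       -        !200.200.200.200
# The proxy itself must be allowed out to fetch pages.
ACCEPT      $FW                  wan       tcp     80
# Only needed if the lan->wan policy is not already ACCEPT.
ACCEPT      lan:192.9.201.100    wan       tcp     80
```

After editing, run "shorewall check" before "shorewall restart", then confirm from a normal LAN host that port-80 traffic shows up in the proxy's access log and from 192.9.201.100 that it does not.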

Nico Pagliaro | 2 Jan 01:47 2009

Re: OPENVPN - SHOREWALL

Great, must I compile it with that option? Or is it installed by default with ./configure?
 
Thanks

 
On 12/31/08, Jorge Armando Medina <jmedina <at> e-compugraf.com> wrote:
On Wednesday 31 December 2008 09:37:53 Nico Pagliaro wrote:
> I have 2.0.9, doesn't that work in that version?
>

Multihome was introduced in 2.1.x


> On Wed, Dec 31, 2008 at 10:16 AM, Harry Lachanas <grharry <at> freemail.gr>wrote:
> > > HI, sorry about this mail, but perhaps somebody can help me. I know
> > > that is is shorewall list! :)
> > > I have in the same box shorewall + openvpn and everything works great,.
> > > I have 4 ISPs connected to my firewall and I want to know how can I
> > > configure my openvpn to listen on every ISP, because if I configure
> > > one IP in my server.conf like
> > > local 200.xx.xx.xx it only works on that IP, now if I leave that line
> > > commented out, in my netstat -an appears 0.0.0.0 1194, great so my openvpn
> > > listens on every IP but when I try to connect it sometimes works for one IP
> > > but not for another IP.
> > > So, I try to find some openvpn forums but nothing!! and I know that
> > > this list is great and maybe someone knows how to do it,.
> >
> > A few posts down the list ( about a week ago ) you'll find my questions
> > and some ans.
> >
> > You'd better get openvpn 2.1_rcXX  and use
> > --multihome  option
> >
> > Cheers,
> >
> > Happy new year to all.
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Shorewall-users mailing list
> > Shorewall-users <at> lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users



--
Jorge Armando Medina
Computación Gráfica de México
Web: www.e-compugraf.com
Tel: 55 51 40 72
email: jmedina <at> e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632

------------------------------------------------------------------------------