Tom Eastep | 1 Oct 01:07 2010

Re: CentOS 4.8/Shorewall Problem

On 9/30/10 3:59 PM, Simon Buckner wrote:
> Hi,
> 
> It is the multiple-ISP configuration.  Most traffic should route out
> the primary interface but certain traffic should route out the second
> interface. Specifically any traffic to an IP address should go down
> the second which is a private network.
> 

I'd be surprised if modern Shorewall Multi-ISP works at all on this
relic -- it doesn't even have CONNMARK support.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

Mr Dash Four | 1 Oct 01:21 2010

Re: Shorewall 4.4.14 Beta 3


> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>     if that utility is installed. Going forward, the Netfilter team
>     will be enhancing this interface rather than the /proc interface.
>   
Is there any difference between 'shorewall show connections' when 
conntrack utility is used and when it is absent (and Shorewall uses 
/proc instead)?

Tom Eastep | 1 Oct 01:42 2010

Re: [Shorewall-devel] Shorewall 4.4.14 Beta 3

On 9/30/10 4:21 PM, Mr Dash Four wrote:
> 
>> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>>     if that utility is installed. Going forward, the Netfilter team
>>     will be enhancing this interface rather than the /proc interface.
>>   
> Is there any difference between 'shorewall show connections' when 
> conntrack utility is used and when it is absent (and Shorewall uses 
> /proc instead)?

There is currently no difference in the connection information.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Brian J. Murrell | 1 Oct 22:36 2010

Re: UPnP Media Services between subnets?

On Thu, 2010-09-30 at 12:56 -0400, Mark D. Montgomery II wrote: 
> 
> Ok Thanks.
> That's kind of the impression I got, but I wasn't sure.
> It's not a big deal since I can just toss up a UPnP server on the  
> normal LAN somewhere and have it feed the media collection.  I just  
> wanted to take advantage of the one built into MythTV if it was  
> possible.

I think the problem here is that UPnP is a large spec which I won't even
begin to tell you I understand but it covers many services including
local LAN discovery of media services such as music and video (what OP
is using) as well as gateway access provisioning (i.e. the crazy idea
that networks on the LAN should tell the firewall what to let in and
out).

It's an easy confusion with such a wide ranging spec under a single
common term.

b.


Brent McConnell | 1 Oct 22:45 2010

Transparent proxy to remote system

I would like to proxy all http requests from my internal network to an external proxy server that is outside my network.  Unfortunately, I'm having a bit of trouble figuring out the rule for doing that.  If I run the proxy on my firewall machine the following rules seem to work

ACCEPT          $FW             net             tcp     www
REDIRECT       loc             3128            tcp     www     -      

but I have not been able to get the rule right to redirect to an external system.  Is this doable?

thanks,
Brent

Simon Buckner | 1 Oct 23:32 2010

Re: Shorewall-users Digest, Vol 53, Issue 1

I did try installing the latest version of Ubuntu but that didn't work either. That didn't seem to support
CONNMARK either. Is  CONNMARK support the key?  If I install Ubuntu then recompile the kernel to support
CONNMARK then should that work?  Is there anything else that would need to be supported to get this working?

Thanks

Si'

Sent from my iPhone

On 1 Oct 2010, at 21:45, "shorewall-users-request <at> lists.sourceforge.net"
<shorewall-users-request <at> lists.sourceforge.net> wrote:

>> Beta 3 is now available for testing.
>> 
>> ---------------------------------------------------------------------------
>> I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
>> ----------------------------------------------------------------------------
>> 
>> 1)  Previously, Shorewall6 produced an untidy sequence of error
>>   messages when an attempt was made to start it on a system running a
>>   kernel older than 2.6.24:
>> 
>>      [root <at> localhost shorewall6]# shorewall6 start
>>      Compiling...
>>      Processing /etc/shorewall6/shorewall6.conf...
>>      Loading Modules...
>>      Compiling /etc/shorewall6/zones...
>>      ...
>>      Shorewall configuration compiled to /var/lib/shorewall6/.start
>>         ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
>>      /usr/share/shorewall6/lib.common: line 73:
>>            [: -lt: unary operator expected
>>         ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
>>      [root <at> localhost shorewall6]#
>> 
>>   This has been corrected so that a single ERROR message is
>>   generated.
>> 
>> 2)  Previously, an ipset name appearing in the /etc/shorewall/hosts
>>   file could be qualified with a list of 'src' and/or 'dst' enclosed
>>   in quotes. This was virtually guaranteed not to work since the set
>>   must match when used to verify both a packet source and a
>>   packet destination. Now, the following error is raised:
>> 
>>          ERROR: ipset name qualification is disallowed in this file
>> 
>>   As part of this change, the ipset name is now verified to begin
>>   with a letter and be composed of letters, digits, underscores ("_")
>>   and hyphens ("-").
>> 
>> ----------------------------------------------------------------------------
>>          I I.  K N O W N   P R O B L E M S   R E M A I N I N G
>> ----------------------------------------------------------------------------
>> 
>> 1)  On systems running Upstart, shorewall-init cannot reliably secure
>>   the firewall before interfaces are brought up.
>> 
>> ----------------------------------------------------------------------------
>>     I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
>> ----------------------------------------------------------------------------
>> 
>> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>>   if that utility is installed. Going forward, the Netfilter team
>>   will be enhancing this interface rather than the /proc interface.
>> 
>> 2)  The CPU time required for optimization has been reduced by 2/3.
>> 
>> 
>> -- 
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>> 
>> 
>>> shorewall save
>>> shorewall restart
>>> 
>> That, to me, seems the best alternative and I amended my init.d script 
>> to replace the existing reload with the above two statements. It works 
>> and I like it.
>> 
>> 
>> 
>> 
>>> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>>>   if that utility is installed. Going forward, the Netfilter team
>>>   will be enhancing this interface rather than the /proc interface.
>>> 
>> Erm, No!
>> 
>> The /proc interface will also be 'fixed' to include secctx field (i.e. 
>> secctx=system_u:object_r:packet_t:s0), which shows the correct SELinux 
>> context and the existing field secmark will be dropped.
>> 
>> 
>> 
>> Hi,
>> I'll be able to double check tomorrow but I think it's running kernel-0-2.6.9-89.
>> 
>> Simon
>> 
>> -----Original Message-----
>> From: Tom Eastep [mailto:teastep <at> shorewall.net] 
>> Sent: 30 September 2010 22:40
>> To: shorewall-users <at> lists.sourceforge.net
>> Subject: Re: [Shorewall-users] CentOS 4.8/Shorewall Problem
>> 
>> On 9/30/10 1:55 PM, Simon Buckner wrote:
>> 
>>> Please let me know what config details you want me to post and I'll 
>>> put them up?
>> 
>> What kernel version does CentOS 4.8 use?
>> 
>> -Tom
>> -- 
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>> 
>> 
>> 
>> On 9/30/10 3:20 PM, Mr Dash Four wrote:
>>> 
>>>> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>>>>   if that utility is installed. Going forward, the Netfilter team
>>>>   will be enhancing this interface rather than the /proc interface.
>>>> 
>>> Erm, No!
>>> 
>>> The /proc interface will also be 'fixed' to include secctx field (i.e. 
>>> secctx=system_u:object_r:packet_t:s0), which shows the correct SELinux 
>>> context and the existing field secmark will be dropped.
>> 
>> Jan Engelhardt (who I see as a possible successor to Patrick McHardy) is
>> championing that general direction, irrespective of what happens with
>> the current set of secmark issues.
>> 
>> -Tom
>> -- 
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>> 
>> On 9/30/10 3:35 PM, Simon Buckner wrote:
>>> Hi,
>>> I'll be able to double check tomorrow but I think it's running kernel-0-2.6.9-89.
>> 
>> I just installed it and it seems to be 2.6.9-89 but I'm in the process
>> of doing a 'yum update' so that may change.
>> 
>> You said that you are having problems "getting traffic to route down the
>> second NIC". What does that mean, exactly? Is this a multi-ISP
>> configuration?
>> 
>> -Tom
>> -- 
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>> 
>> 
>>>>> 1)  Shorewall now uses the 'conntrack' utility for 'show connections'
>>>>>   if that utility is installed. Going forward, the Netfilter team
>>>>>   will be enhancing this interface rather than the /proc interface.
>>>>> 
>>>>> 
>>>> Erm, No!
>>>> 
>>>> The /proc interface will also be 'fixed' to include secctx field (i.e. 
>>>> secctx=system_u:object_r:packet_t:s0), which shows the correct SELinux 
>>>> context and the existing field secmark will be dropped.
>>>> 
>>> 
>>> Jan Engelhardt (who I see as a possible successor to Patrick McHardy) is
>>> championing that general direction, irrespective of what happens with
>>> the current set of secmark issues.
>>> 
>> I don't know what direction Jan is 'championing' with regards to the 
>> /proc interface, but the fact remains that, for the time being at least, 
>> the /proc interface will get the same treatment - as far as SELinux 
>> context is concerned - as the Netfilter interface (the point I've made 
>> in my previous reply). You know about these discussions - you've taken 
>> part in them on the netfilter mailing list.
>> 
>> 

Tom Eastep | 1 Oct 23:45 2010

Re: Transparent proxy to remote system

On 10/1/10 1:45 PM, Brent McConnell wrote:
> I would like to proxy all http requests from my internal network to an
> external proxy server that is outside my network.  Unfortunately, I'm
> having a bit of trouble figuring out the rule for doing that.  If I run
> the proxy on my firewall machine the following rules seem to work
> 
> ACCEPT          $FW             net             tcp     www
> REDIRECT       loc             3128            tcp     www     -      
> 
> but I have not been able to get the rule right to redirect to an
> external system.  Is this doable?

No different than when the proxy is running in a DMZ --
http://www.shorewall.net/Shorewall_Squid_Usage.html#DMZ (you need to
change the zone name and address, of course).

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 2 Oct 00:11 2010

Re: CentOS 4.8/Shorewall Problem

On 10/1/10 2:32 PM, Simon Buckner wrote:
> I did try installing the latest version of Ubuntu but that didn't
> work either. That didn't seem to support CONNMARK either. Is
> CONNMARK support the key?  If I install Ubuntu then recompile the
> kernel to support CONNMARK then should that work?  Is there anything
> else that would need to be supported to get this working?

Simon - it is poor Netiquette to respond to a Digest post and quote the
entire Digest. It's also annoying that you didn't change the Subject to
something meaningful for the problem you are posting about.

This is from a freshly-installed Ubuntu 10.4.1 Server:

root <at> ubserver:~# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   ...
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   ...
   fwmark route mask: Available
   Mark in any table: Available
root <at> ubserver:~#

Why do you believe that you lack CONNMARK support? CONNMARK support is a
requirement for 'track' providers and, in my view, multi-ISP doesn't
work too well without that capability.

But in reality, all you've told us so far is "It doesn't work" so we can
only guess at what the problem is. A Shorewall dump along with the
supporting information requested at http://www.shorewall.net/support.htm
would be a good start.

Thanks,
-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
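
An added example (not code from the thread or from Shorewall itself): a POSIX shell
pre-flight check that reads the text of 'shorewall show capabilities' and reports which
of the capabilities Tom names for multi-ISP 'track' providers are missing. The capability
names are taken from the quoted Ubuntu output; the second sample report is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project:
# a pre-flight check for the multi-ISP 'track' provider requirement
# discussed above. It scans the text of 'shorewall show capabilities'
# for the capabilities named in the thread and reports any that are
# missing, so a "doesn't work" multi-ISP setup can be triaged quickly.

# Capabilities needed for marking and routing by connection (names are
# spelled exactly as 'shorewall show capabilities' prints them).
REQUIRED_CAPS='Packet Mangling
CONNMARK Target
Connmark Match
fwmark route mask
Mark in any table'

# check_caps REPORT
#   REPORT is the full text of 'shorewall show capabilities'.
#   Prints "MISSING: <capability>" for each required capability that is
#   not reported as Available; returns 0 if all are present, 1 otherwise.
check_caps() {
    report=$1
    missing=0
    # A here-document instead of a pipe keeps the loop in this shell,
    # so the 'missing' counter survives the loop.
    while IFS= read -r cap; do
        # Anchor at line start so "Extended CONNMARK Target" does not
        # satisfy the check for "CONNMARK Target".
        if ! printf '%s\n' "$report" |
             grep -q "^[[:space:]]*$cap: Available[[:space:]]*$"; then
            echo "MISSING: $cap"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_CAPS
EOF
    [ "$missing" -eq 0 ]
}

# Sample 1: the Ubuntu 10.4.1 Server report quoted in the thread
# (the elided "..." lines dropped).
SAMPLE_UBUNTU='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   fwmark route mask: Available
   Mark in any table: Available'

# Sample 2: a constructed report for a kernel without CONNMARK support,
# in the style of the old CentOS 4.8 box (not real output from it).
SAMPLE_OLD='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   CONNMARK Target: Not available
   Extended CONNMARK Target: Not available
   Connmark Match: Not available
   Extended Connmark Match: Not available
   fwmark route mask: Available
   Mark in any table: Not available'

# Stand-alone run: report on both samples.
for sample in "$SAMPLE_UBUNTU" "$SAMPLE_OLD"; do
    if check_caps "$sample"; then
        echo "OK: capabilities needed for 'track' providers are present"
    else
        echo "multi-ISP 'track' providers will not work on this kernel"
    fi
done
```

On a live system, feed the real report with: check_caps "$(shorewall show capabilities)".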

Tom Eastep | 3 Oct 00:54 2010

Shorewall 4.4.13.2 and 4.4.13.3

I uploaded these two point releases in rapid succession. They correct
issues with the -lite packages.

4.4.13.3

1)  The log-reading commands (show log, logwatch and dump) always
    showed an empty log when using one of the -lite packages.

4.4.13.2

1)  The Debian init scripts for Shorewall-lite and Shorewall6-lite
    contained a syntax error.

2)  If the -v or -q option was passed to /sbin/shorewall-lite or
    /sbin/shorewall6-lite on a command that involved the compiled
    script, then the command would fail if the effective verbosity was
    > 2 or < -1.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Alessandro Tufi | 3 Oct 21:33 2010

Bridging with Shorewall

Hi all,
  I'm not able to use shorewall to manage a bridge.
I get the following error:

ERROR: BRIDGING=Yes is not supported by Shorewall 4.4.13.3

Same error with version 4.4.11.4

I have read many documents, but I didn't find any solution.
I have tested many configurations (managing the hosts, interfaces and zones
files), but I always get the same error.

Do I have to compile a new kernel? With which options?

I'm using debian squeeze, kernel 2.6.32-5-686

The bridge is very simple:
ifconfig:

br0       Link encap:Ethernet  HWaddr 00:06:7b:09:b9:4d
          inet addr:192.168.5.107  Bcast:192.168.5.255  Mask:255.255.255.0
...
eth0      Link encap:Ethernet  HWaddr 00:18:f3:71:3f:a3
          inet6 addr: fe80::218:f3ff:fe71:3fa3/64 Scope:Link
...
eth1      Link encap:Ethernet  HWaddr 00:06:7b:09:b9:4d
          inet6 addr: fe80::206:7bff:fe09:b94d/64 Scope:Link
..

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00067b09b94d       no              eth0
                                                        eth1
pan0            8000.000000000000       no

Thanks
Alessandro
