Ricardo Rios | 1 Jul 01:14 2011

Re: Fwd: Re: tproxy problem

On 30/06/11 10:51, Tom Eastep wrote:
On Thu, 2011-06-30 at 10:40 -0300, Ricardo Rios - Shorewall List wrote:
Well, I set the rule to allow lan to fw port 80; now there is nothing shown in /var/log/firewall. But navigation is not working, and when I check the squid logs it shows: http://pastebin.com/b0j3rjhH
That's a Squid configuration issue. You need to configure your Squid acls to accept your traffic.

-Tom

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom, just to let you know, I am trying to fix the problem with Squid, because I am sure I have the ACLs right but it is still not working. I will let you know when I get this working using the exact configuration you recommend here: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

Regards
Tom Eastep | 1 Jul 01:34 2011

Re: Fwd: Re: tproxy problem


On Jun 30, 2011, at 4:14 PM, Ricardo Rios wrote:
Tom, just to let you know, I am trying to fix the problem with Squid, because I am sure I have the ACLs right but it is still not working. I will let you know when I get this working using the exact configuration you recommend here: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

What are you seeing now in the Squid logs?

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



Re: Fwd: Re: tproxy problem

What are you seeing now in the Squid logs?
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Squid logs keep saying the same; I sent an email to the squid-users list with my squid config, but I am waiting for some response.

The Squid-Users mail I sent:
Hello people, I am trying to set up squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch + COSS cache. The problem is the tproxy; it is not working. I know maybe I am asking in the wrong place, but maybe someone knows what I have wrong.
Error: http://pastebin.com/b0j3rjhH
My squid setup is: http://pastebin.com/imx88CNJ
and I have this: OpenSuSE 11.4, iptables v1.4.11, kernel 2.6.37.6-0.5, Shorewall-4.4.20.3
Compiled Options: --enable-async-io --with-maxfd=16384 --enable-storeio=coss --with-large-files --disable-ssl --enable-coss-aio-ops --enable-linux-tproxy

Reid Taylor | 1 Jul 20:35 2011

RDP through the firewall

I am having a problem getting to my desktop machines using rdp through the
firewall.  I have a server running w2k that I can reach ok using rdp.   I
have set up the rules and nats in the firewall (I am natting one of my
outside addresses to my desktop).  Is there something that I missed that
allows the server to do this but not the desktops?  Thanks in advance for
any help.

Reid 

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
Fábio Rabelo | 1 Jul 21:11 2011

Re: RDP through the firewall

Hellows ...

You need a DNAT rule in the "rules" file, something like this:

DNAT    net    loc:192.168.1.51    tcp    3389

DNAT = Destination NAT

Fábio Rabelo



2011/7/1 Reid Taylor <rtaylor <at> grayflex.com>
I am having a problem getting to my desktop machines using rdp through the
firewall.  I have a server running w2k that I can reach ok using rdp.   I
have set up the rules and nats in the firewall (I am natting one of my
outside addresses to my desktop).  Is there something that I missed that
allows the server to do this but not the desktops?  Thanks in advance for
any help.


Reid




Tom Eastep | 1 Jul 21:43 2011

Re: RDP through the firewall

On Fri, 2011-07-01 at 16:11 -0300, Fábio Rabelo wrote:
You need a DNAT rule in the "rules" file, something like this:

DNAT    net    loc:192.168.1.51    tcp    3389

DNAT = Destination NAT

2011/7/1 Reid Taylor <rtaylor <at> grayflex.com>
I am having a problem getting to my desktop machines using rdp through the
firewall.  I have a server running w2k that I can reach ok using rdp.   I
have set up the rules and nats in the firewall (I am natting one of my
outside addresses to my desktop).  Is there something that I missed that
allows the server to do this but not the desktops?  Thanks in advance for
any help.

Fábio - please don't top-post.
Reid - when you attempt to connect to rdp, do the packet and byte counts for the relevant net->loc ACCEPT rule increment? Do you see any firewall DROP or REJECT messages in the log when you try to connect? Is the firewall on your desktop allowing incoming RDP connections from remote networks?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tyler Walters | 3 Jul 07:28 2011

Multi-ISP from fw only using OpenVPN tun0 as second ISP for one user

Hello,

I have a server with 5 public facing ips, and one OpenVPN tun
connection. The 5 ips are all from the same provider and face the same
gateway. I would eventually like to route all of one user's traffic to
and from the VPN while leaving the rest of the server's traffic
untouched. There is no local lan, and the firewall is also the server
-- everything resides on $FW.

I have tried this from a number of angles, so I setup a VMWare machine
to run a limited test before migrating it to the full scale server. I
am testing using "ping -I tun0 google.ca" and "ping google.ca", where
the first one should route to and from tun0 only, and the second to
and from eth0 only (by default). tun0 will always be assigned the
static ip of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has
been successfully tested and monitored using tshark on both ends of the
tunnel, and on all interfaces (both tun* and eth* at each side). Below
is version information, the commands that successfully work WITHOUT
shorewall being installed at all, and attached is a dump of all config
files as well as a "shorewall dump". Thanks for your help, hopefully
this is easier than I find it to be thus far.

Version information!
     root <at> ubuntu ~ # shorewall version
     4.4.20.3
     root <at> ubuntu ~ # uname -a
     Linux ubuntu 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
     root <at> ubuntu ~ # cat /etc/issue
     Ubuntu 11.04

---------------

Now then, the following commands make this work, but I do not know how
to integrate this into shorewall. This is what I suppose my real
question is! Am I wrong to assume that this can be carefully put into
shorewall's config files? As follows...
     ip route add 192.168.217.0/24 dev eth0 src 192.168.217.128 table ISP
     ip route add default via 192.168.217.2 table ISP
     ip route add 10.88.0.0/24 dev tun0 src 10.88.0.6 table VPN
     ip route add default via 10.88.0.5 table VPN
     ip route add 192.168.217.0/24 dev eth0 src 192.168.217.128
     ip route add 10.88.0.0/24 dev tun0 src 10.88.0.6
     ip route add default via 192.168.217.2
     ip rule add from 192.168.217.128 table ISP
     ip rule add from 10.88.0.6 table VPN

In addition, the following has been added to /etc/iproute2/rt_tables,
although ISP is unused...
     1       ISP
     2       VPN

This yields the following...
     root <at> ubuntu ~ # shorewall show routing
     Shorewall 4.4.20.3 Routing at ubuntu - Sat Jul  2 21:21:03 PDT 2011

     Routing Rules

     0:      from all lookup local
     32764:  from 10.88.0.6 lookup VPN
     32765:  from 192.168.217.128 lookup ISP
     32766:  from all lookup main
     32767:  from all lookup default

     Table default:

     Table ISP:

     192.168.217.0/24 dev eth0  scope link  src 192.168.217.128
     default via 192.168.217.2 dev eth0

     Table local:

     broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
     local 192.168.217.128 dev eth0  proto kernel  scope host  src 192.168.217.128
     local 10.88.0.6 dev tun0  proto kernel  scope host  src 10.88.0.6
     broadcast 192.168.217.0 dev eth0  proto kernel  scope link  src 192.168.217.128
     broadcast 192.168.217.255 dev eth0  proto kernel  scope link  src 192.168.217.128
     broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
     local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
     local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

     Table main:

     10.88.0.1 via 10.88.0.5 dev tun0
     10.88.0.5 dev tun0  proto kernel  scope link  src 10.88.0.6
     192.168.217.0/24 dev eth0  proto kernel  scope link  src 192.168.217.128
     10.88.0.0/24 dev tun0  scope link  src 10.88.0.6
     default via 192.168.217.2 dev eth0
     default via 192.168.217.2 dev eth0  metric 100

     Table VPN:

     10.88.0.0/24 dev tun0  scope link  src 10.88.0.6
     default via 10.88.0.5 dev tun0

Best Regards,
Tyler
Attachment (dump.tar.gz): application/x-gzip, 7237 bytes
Tom Eastep | 3 Jul 19:31 2011

Re: Multi-ISP from fw only using OpenVPN tun0 as second ISP for one user


On Jul 2, 2011, at 10:28 PM, Tyler Walters wrote:

> Hello,
> 
> I have a server with 5 public facing ips, and one OpenVPN tun
> connection. The 5 ips are all from the same provider and face the same
> gateway. I would eventually like to route all of one user's traffic to
> and from the VPN while leaving the rest of the server's traffic
> untouched. There is no local lan, and the firewall is also the server
> -- everything resides on $FW.
> 
> I have tried this from a number of angles, so I setup a VMWare machine
> to run a limited test before migrating it to the full scale server. I
> am testing using "ping -I tun0 google.ca" and "ping google.ca", where
> the first one should route to and from tun0 only, and the second to
> and from eth0 only (by default). tun0 will always be assigned the
> static ip of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has
> been successfully tested and monitored using tshark on both ends of the
> tunnel, and on all interfaces (both tun* and eth* at each side). Below
> is version information, the commands that successfully work WITHOUT
> shorewall being installed at all, and attached is a dump of all config
> files as well as a "shorewall dump". Thanks for your help, hopefully
> this is easier than I find it to be thus far.

Don't use either the route_rules or routes file and simply put this in your /etc/shorewall/providers:

#PROVIDER     NUMBER    MARK    DUPLICATE   INTERFACE     GATEWAY         OPTIONS       COPY
ISP           1         -       main        eth0          192.168.217.2   track,balance none
VPN           2         -       main        tun0          10.88.0.5       -             none

That's it!

-Tom
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
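
As an added example (not code from the thread and not Shorewall's own generator), the following Python maps providers entries like the ones Tom gives above to the ip route / ip rule commands Tyler typed by hand in his first message. The interface addresses are assumed from the thread, since the providers file does not carry them, and the MARK handling goes beyond the thread's entries to show what a MARK value other than '-' adds; Shorewall's own handling of 'track' and 'balance' (connection marks, weighted default route) is not reproduced.

```python
"""Illustrative translation of Shorewall 'providers' entries into the ip(8)
policy-routing commands they stand for. Added example, not Shorewall code."""
from dataclasses import dataclass, field

# Constructed providers text: the two entries from the thread, with the
# 'track' option on VPN that the follow-up message adds.
PROVIDERS_TEXT = """\
#PROVIDER     NUMBER    MARK    DUPLICATE   INTERFACE     GATEWAY         OPTIONS       COPY
ISP           1         -       main        eth0          192.168.217.2   track,balance none
VPN           2         -       main        tun0          10.88.0.5       track         none
"""

# The providers file has no interface addresses; Shorewall reads them from the
# running interface. Assumed values taken from the thread.
IFACE_ADDRS = {
    "eth0": ("192.168.217.128", "192.168.217.0/24"),
    "tun0": ("10.88.0.6", "10.88.0.0/24"),
}


@dataclass
class Provider:
    name: str
    number: int
    mark: str          # "-" means no fwmark-based rule for this provider
    duplicate: str     # routing table copied into the provider table
    interface: str
    gateway: str
    options: set = field(default_factory=set)


def parse_providers(text: str) -> list:
    """Parse the whitespace-separated providers format; '#' starts a comment."""
    providers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed providers line: {raw!r}")
        name, number, mark, duplicate, iface, gateway = fields[:6]
        opts = fields[6] if len(fields) > 6 else "-"
        options = set() if opts == "-" else set(opts.split(","))
        providers.append(Provider(name, int(number), mark, duplicate,
                                  iface, gateway, options))
    return providers


def ip_commands(providers: list, iface_addrs: dict) -> list:
    """Emit the ip route / ip rule commands one provider table stands for.
    Table names are used directly, which assumes they are listed in
    /etc/iproute2/rt_tables as in the post."""
    cmds = []
    for p in providers:
        if p.interface not in iface_addrs:
            raise KeyError(f"no address known for {p.interface}")
        addr, net = iface_addrs[p.interface]
        # connected route and default route inside the provider's own table
        cmds.append(f"ip route add {net} dev {p.interface} src {addr} table {p.name}")
        cmds.append(f"ip route add default via {p.gateway} dev {p.interface} table {p.name}")
        # traffic sourced from the interface address is looked up in that table
        cmds.append(f"ip rule add from {addr} table {p.name}")
        # a fwmark rule exists only for a provider that declares a MARK, so a
        # packet marked elsewhere is routed by that mark only if it matches one
        if p.mark != "-":
            cmds.append(f"ip rule add fwmark {p.mark} table {p.name}")
    return cmds
```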

Tom Eastep | 3 Jul 19:41 2011

Re: Multi-ISP from fw only using OpenVPN tun0 as second ISP for one user


On Jul 3, 2011, at 10:31 AM, Tom Eastep wrote:

> 
> On Jul 2, 2011, at 10:28 PM, Tyler Walters wrote:
> 
>> Hello,
>> 
>> I have a server with 5 public facing ips, and one OpenVPN tun
>> connection. The 5 ips are all from the same provider and face the same
>> gateway. I would eventually like to route all of one user's traffic to
>> and from the VPN while leaving the rest of the server's traffic
>> untouched. There is no local lan, and the firewall is also the server
>> -- everything resides on $FW.
>> 
>> I have tried this from a number of angles, so I setup a VMWare machine
>> to run a limited test before migrating it to the full scale server. I
>> am testing using "ping -I tun0 google.ca" and "ping google.ca", where
>> the first one should route to and from tun0 only, and the second to
>> and from eth0 only (by default). tun0 will always be assigned the
>> static ip of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has
>> been successfully tested and monitored using tshark on both ends of the
>> tunnel, and on all interfaces (both tun* and eth* at each side). Below
>> is version information, the commands that successfully work WITHOUT
>> shorewall being installed at all, and attached is a dump of all config
>> files as well as a "shorewall dump". Thanks for your help, hopefully
>> this is easier than I find it to be thus far.
> 
> 
> Don't use either the route_rules or routes file and simply put this in your /etc/shorewall/providers:
> 
> #PROVIDER     NUMBER    MARK    DUPLICATE   INTERFACE     GATEWAY         OPTIONS       COPY
> ISP           1         -       main        eth0          192.168.217.2   track,balance none
> VPN           2         -       main        tun0          10.88.0.5       -             none
> 

You probably want 'track' on VPN as well -- sorry for the omission.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tyler Walters | 3 Jul 19:43 2011

Re: Multi-ISP from fw only using OpenVPN tun0 as second ISP for one user

Amazing, and here I thought I had missed something and needed more
config files to make this happen -- thanks a million! It works with
the ping test no problem.

Now, for the last part. I would like to have all traffic from the user
"deluge" to be routed over OpenVPN via tun0, but all other traffic
over the ISP via eth0. I have this in my tcrules file:
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)
0x200:T $FW             0.0.0.0/0       -       -       -       deluge

But, it appears that it does not re-route packets as required.

Best Regards,
Tyler

On 3 July 2011 13:31, Tom Eastep <teastep <at> shorewall.net> wrote:
>
> On Jul 2, 2011, at 10:28 PM, Tyler Walters wrote:
>
>> Hello,
>>
>> I have a server with 5 public facing ips, and one OpenVPN tun
>> connection. The 5 ips are all from the same provider and face the same
>> gateway. I would eventually like to route all of one user's traffic to
>> and from the VPN while leaving the rest of the server's traffic
>> untouched. There is no local lan, and the firewall is also the server
>> -- everything resides on $FW.
>>
>> I have tried this from a number of angles, so I setup a VMWare machine
>> to run a limited test before migrating it to the full scale server. I
>> am testing using "ping -I tun0 google.ca" and "ping google.ca", where
>> the first one should route to and from tun0 only, and the second to
>> and from eth0 only (by default). tun0 will always be assigned the
>> static ip of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has
>> been successfully tested and monitored using tshark on both ends of the
>> tunnel, and on all interfaces (both tun* and eth* at each side). Below
>> is version information, the commands that successfully work WITHOUT
>> shorewall being installed at all, and attached is a dump of all config
>> files as well as a "shorewall dump". Thanks for your help, hopefully
>> this is easier than I find it to be thus far.
>
>
> Don't use either the route_rules or routes file and simply put this in your /etc/shorewall/providers:
>
> #PROVIDER     NUMBER    MARK    DUPLICATE   INTERFACE     GATEWAY         OPTIONS       COPY
> ISP             1       -       main        eth0          192.168.217.2   track,balance none
> VPN             2       -       main        tun0          10.88.0.5       -             none
>
> That's it!
>
> -Tom
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
