jonetsu@teksavvy.com | 8 Dec 23:34 2014

Sequence of packet processing

Hello,

  What would be the sequence of packet processing when having a
firewall with NAT ?  Are the rules processed first then the NAT ?

Thanks.

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
Simon Hobson | 5 Dec 15:49 2014

Re: Unsubscribe

Matt Henderson <niall <at> makalumedia.com> wrote:

> Unsubscribe

It doesn't work like that !
See the bottom of this message ? Like all the messages from this list it has :

> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Click that link and you'll find yourself on a page where you can click to unsubscribe - scroll to the bottom,
put your email address in the box next to "Unsubscribe or edit options", and bonk the button.

Alternatively, in the headers (though most mail clients hide them) there are these links :
> List-Id: Shorewall Users <shorewall-users.lists.sourceforge.net>
> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,  <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=unsubscribe>
> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users>
> List-Post: <mailto:shorewall-users <at> lists.sourceforge.net>
> List-Help: <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=help>
> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,  <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=subscribe>

The second one down is what you want, send a message with the subject set to unsubscribe to
shorewall-users-request <at> lists.sourceforge.net which you will note is **NOT** the same as the address
for posting to the list.

These operations are common to most mailing lists, and certainly to pretty well all of those powered by Mailman. You
will have received a welcome message with this information when you joined the list as well.


Ibrahim Hamouda | 5 Dec 10:05 2014

fiber between 2 shorewall sites

Hi all

I am setting up two sites with shorewall.

The two sites are connected through a fiber.

On every firewall I have 3 interfaces, eth0 connected to internet, eth1 for internal network, eth2 cross connection between sites.

I setup the two firewalls in two-interfaces manner, then I added a zone “crx” on both firewalls for the cross connection.

I need to be able to route between the 2 sites through this fiber.

So in my policy file I set up

crx  loc  ACCEPT
loc  crx  ACCEPT

Assuming eth2 is 50.50.50.1, eth1 is 192.168.170.1 on one firewall, eth2 is 50.50.50.2, eth1 is 192.168.171.1 on the other.

How can I make 192.168.170.0 network see 192.168.171.0 network through the 50.50.50 interfaces?

Thank you in advance for your help

Ibrahim Hamouda

Giuseppe Vitillaro | 1 Dec 11:45 2014

Dynamic Zone with shorewall-core 4.5.21.9.

I'm experiencing a problem using a dynamic zone I defined long ago, and which had been working without a problem
for months, with shorewall-core 4.5.21.9 under Gentoo.

I'm using an "old style" dynamic zone defined by

ast:net ipv4

in the "zones" file and by

net net0 detect

in the "interfaces" file.

ipset, for what I can see, is correctly configured at shorewall startup:

Name: ast_net0
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 12

But when I try to add any address to this zone, what I get is "always" this error:

shorewall add net0:x.y.w.z ast
ERROR: Zone ast, interface net0 does not have a dynamic host list

Remembering my configuration had been working for months, I tried to track down the problem in the shorewall
scripts and I noticed this "unconditional sed command"

ipset=$(echo $ipset | sed 's/./_/g');

at line 1899, in the add_command() function of the lib.cli library of shorewall-core 4.5.21.9.

Inserting just a couple of "echo debugging" lines

echo $ipset
ipset=$(echo $ipset | sed 's/./_/g');
echo $ipset

I was able to get this output from the shorewall add command:

shorewall add net0:x.y.w.z ast
ast
ast_net0
________
ERROR: Zone ast, interface net0 does not have a dynamic host list

where it is easy to see the 'ipset' variable has been unconditionally translated from "ast_net0", apparently
correct, to "underscores", apparently plain wrong.

Commenting out the "offending sed command line", what I got looks like a correct execution of the
"shorewall add command":

shorewall add net0:x.y.w.z ast
ast
ast_net0
ast_net0
x.y.w.z
Host net0:x.y.w.z added to zone ast

and the "x.y.w.z" address added to the correct ipset

Name: ast_net0
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 12
Members:
x.y.w.z

and to my "ast" dynamic zone for the "net0" interface

shorewall show dynamic ast
net0:
x.y.w.z

working without a flaw with my firewall rules.

These "sed command lines" (there is another one in the delete_command() function, line 1989) had been added
to the shorewall-core lib.cli library between version 4.5.21.5 and 4.5.21.6; here is a diff of the two lib.cli
files

---

1549c1549

< do_dump_command $ <at> | dump_filter

---

> do_dump_command | dump_filter

1899,1900d1898

< ipset=$(echo $ipset | sed 's/./_/g');

<
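Review bot: the `<` line at 1899, `sed 's/./_/g'`, uses an unescaped `.`, which in a sed regular expression matches any single character, so the substitution rewrites every character of `$ipset` to `_`; the debug output in the post (`ast_net0` becoming `________`, eight underscores for eight characters) is exactly that. If the intent was to turn literal dots into underscores (presumably so that an interface name containing a dot yields a usable ipset name), the dot must be escaped: `sed 's/\./_/g'`.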

1989,1990d1986

< ipset=$(echo $ipset | sed 's/./_/g');

<
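Review bot: the `<` line at 1989 (the one the poster locates in delete_command()) carries the same unescaped `.` and needs the same `sed 's/\./_/g'` correction; as written, `shorewall delete` would be expected to compute the same all-underscore ipset name and fail the way `shorewall add` does in the post.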

3422c3418

< echo " dump [ -x ] [ -l ] [ -m ]"

---

> echo " dump [ -x ]"

 

justifying the fact I remember my configuration working for months, before observing this weird problem.

Switching to a "dynamic_shared" zone

ast:net ipv4 dynamic_shared

solves the problem, but I'm still curious to understand what is going on here.

What's the matter? A mistake in my configuration? A "bug" introduced in version 4.5.21.6?


Thanks, G. Vitillaro.
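The sed behaviour traced in the post, reproduced as an added shell example (this is not code from the post or from Shorewall): the expression exactly as it appears in the diff is run beside the same expression with the dot escaped, on the ipset name from the post and on a constructed VLAN-style name. The function names as_released and dot_to_underscore, and the input ast_eth0.100, are this example's own.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Reproduces the sed substitution
# from lib.cli on the ipset name "ast_net0" and shows the escaped form
# side by side. Function names and the VLAN-style sample name are ours.

# The expression as it appears in the diff: an unescaped '.' is the regex
# for "any single character", so every character of the name becomes '_'.
as_released() {
    printf '%s\n' "$1" | sed 's/./_/g'
}

# Presumed intent (an assumption, not stated on the page): translate only
# literal dots, e.g. from an interface name such as "eth0.100", into
# underscores. An escaped '\.' matches a literal dot and nothing else.
dot_to_underscore() {
    printf '%s\n' "$1" | sed 's/\./_/g'
}

# Show both forms on the name from the post and on a constructed dotted name.
for name in ast_net0 ast_eth0.100; do
    printf '%-14s released: %-14s escaped: %s\n' \
        "$name" "$(as_released "$name")" "$(dot_to_underscore "$name")"
done
```

On `ast_net0` the released expression yields the eight underscores the post shows, while the escaped form leaves the name untouched and only rewrites the dot in `ast_eth0.100`.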

 

 

 

 

jonetsu@teksavvy.com | 27 Nov 01:22 2014

QoS for GRE

Hello,

  Is there support within Shorewall for applying QoS to GRE ?  Looks
like a popular way of doing that is the use of a so-called
pre-classify option.  Is there an equivalent in Linux or, any other way
to apply QoS to GRE ?

  I've read somewhere the following although I'm not sure what is the
practical meaning of it:

  "You can set up your queues on top of your physical Ethernet devices,
   then mark packets going through tunnels to go into particular
   queues."

Any suggestions/comments welcomed.

I.S.C. William | 27 Nov 00:31 2014

repository for Ubuntu Server

Is there a repository for Ubuntu Server from which to install the updated version of Shorewall?


Thanks
Artur Uszyński | 26 Nov 14:32 2014

How to get rid of nf_conntrack_sip ?

Hello.

Shorewall 4.6.4.1
kernel 3.10.0
In shorewall.conf I have "DONT_LOAD=nf_conntrack_sip,nf_nat_sip"
In shorewall.conf I have "AUTOHELPERS=No", HELPERS is empty.
SIP section in /etc/shorewall/conntrack is commented out (checked - no sip entries in raw table after
shorewall start).
"ports=0" is specified in /etc/shorewall/helpers for appropriate *sip lines (or alternatively all *sip
lines commented out).
There are not any rules specifying port 5060 in /etc/shorewall/rules.

Despite doing the above steps, nf_conntrack_sip is being loaded during every restart of shorewall
(although nf_nat_sip obeys my disposition and never gets loaded).

Also, after doing "shorewall compile OUTPUT ." inside /etc/shorewall, the nf_conntrack_sip module gets
automatically loaded (yes, after a dry compilation of rules), although the resulting OUTPUT file does not
contain anything which would load this module.

nf_conntrack_sip is always at the top of lsmod output, no other modules use it.

I ended up adding "rmmod nf_conntrack_sip" to /etc/shorewall/started.

The same happens for shorewall6.

Is there any way to properly skip loading of this module ?

Regards.
--
Artur
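A post-start check of the kind the poster ended up doing by hand, as an added shell example (not code from the post or from Shorewall): it reads the DONT_LOAD setting out of shorewall.conf text and reports any module on that list that lsmod nevertheless shows as loaded, with its use count. The function names, and the shorewall.conf and lsmod snippets, are constructed for this example; on a live system the same functions take the real file and the real lsmod output.

```shell
#!/bin/sh
# Added example, not part of the post or of Shorewall. Reports modules
# named in DONT_LOAD that lsmod shows as loaded anyway. Both inputs are
# passed as text so the check runs on the constructed sample below.

# dont_load_modules CONF_TEXT
# Prints the modules of the DONT_LOAD= setting, one per line.
dont_load_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*DONT_LOAD=//p' |   # keep only the setting's value
        tr -d '"' |                              # drop optional quotes
        tr ',' '\n' |                            # one module per line
        sed '/^$/d'
}

# loaded_despite_dont_load CONF_TEXT LSMOD_TEXT
# Prints "module use_count" for every DONT_LOAD module present in lsmod.
loaded_despite_dont_load() {
    dont_load_modules "$1" | while read -r mod; do
        # lsmod columns: Module  Size  Used by [users]
        printf '%s\n' "$2" | awk -v m="$mod" '$1 == m { print $1, $3 }'
    done
}

# Constructed sample resembling the post: both SIP modules are in
# DONT_LOAD, yet nf_conntrack_sip appears in lsmod with a use count of 0
# (which is also why the poster's rmmod in "started" succeeds).
SAMPLE_CONF='STARTUP_ENABLED=Yes
DONT_LOAD=nf_conntrack_sip,nf_nat_sip
AUTOHELPERS=No'

SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_sip       33221  0
nf_conntrack_ipv4      19716  2
nf_conntrack           96880  2 nf_conntrack_sip,nf_conntrack_ipv4'

loaded_despite_dont_load "$SAMPLE_CONF" "$SAMPLE_LSMOD"
```

On a real host the call is `loaded_despite_dont_load "$(cat /etc/shorewall/shorewall.conf)" "$(lsmod)"`, run from the started script or from cron, so that a helper module reappearing after a restart is noticed rather than silently tolerated.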

Hesham Shakil Ahmed | 26 Nov 13:25 2014

Error when using mangle mark range

Shorewall doesn’t create the correct rule when using MARK(range) in mangle

Trying the following rule: 

MARK(0x100-0x200/0xff00)	10.0.0.0/8	0.0.0.0/0

fails with error:
Bad argument `0x100/0xff00'
Error occurred at line: 90
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

The rule created is "-A tcpre -s 10.0.0.0/8 -m statistic --mode nth --every 2 --packet 0 -j MARK 0x100/0xff00"

It's missing --set-mark after the -j MARK directive

Thanks,

Hesham
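A lint pass over iptables-restore input for exactly the defect in this report, as an added shell example (not code from the post or from Shorewall): it flags every "-j MARK" rule that carries no mark operation, since iptables-restore rejects such a line with "Bad argument" and the whole restore aborts. The function name and the sample restore text are constructed for this example; the sample contains the rule from the post as generated, a well-formed variant of it using --set-xmark, and an unrelated well-formed MARK rule.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Lints iptables-restore input
# (e.g. /var/lib/shorewall/.iptables-restore-input) for "-j MARK" rules
# that lack a mark operation.

# mark_rules_without_op TEXT
# Prints every "-j MARK" rule lacking --set-mark, --set-xmark, --and-mark,
# --or-mark or --xor-mark; exit status 1 if any were found, 0 otherwise.
mark_rules_without_op() {
    printf '%s\n' "$1" | awk '
        / -j MARK( |$)/ && !/ --(set-mark|set-xmark|and-mark|or-mark|xor-mark)( |$)/ {
            print
            bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: the rule from the post as generated (no mark operation),
# a well-formed variant of the same rule, and another well-formed MARK rule.
SAMPLE_RESTORE='*mangle
:tcpre - [0:0]
-A tcpre -s 10.0.0.0/8 -m statistic --mode nth --every 2 --packet 0 -j MARK 0x100/0xff00
-A tcpre -s 10.0.0.0/8 -m statistic --mode nth --every 2 --packet 1 -j MARK --set-xmark 0x200/0xff00
-A tcpre -p udp --dport 5060 -j MARK --set-mark 0x3
COMMIT'

if mark_rules_without_op "$SAMPLE_RESTORE"; then
    echo "no malformed MARK rules"
else
    echo "malformed MARK rule(s) listed above; iptables-restore would abort on them"
fi
```

Running it against the real restore input before a restart turns the opaque "Error occurred at line: 90" into the offending rule text, which is what you need when deciding whether the generator or the rule file is at fault.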
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep | 22 Nov 16:44 2014

Shorewall 4.6.5.2

Shorewall 4.6.5.2 is available for download.

Problems Corrected:

4.6.5.2

1)  LOG_BACKEND=LOG failed at run-time for all but the most recent
    kernels.

4.6.5.1

1)  The generated script can now detect a gateway address assigned by
    later versions of that program (Alan Barrett).

2)  In 4.6.5, the bash-based configure script would issue the following
    diagnostic if SERVICEDIR was not specified in the shorewallrc
    file:

      ./configure: line 199: [SERVICEDIR]=: command not found

    This was compounded by the fact that all of the released
    shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR
    (Evangelos Foutras)

3)  The shorewallrc.archlinux file now reflects a change in SBINDIR
    that occurred in Arch Linux in mid 2013 (Evangelos Foutras).

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Philip Le Riche | 18 Nov 10:12 2014

Shorewall not starting on boot - eth0 not up yet

I'm using Shorewall to protect a school network from a classroom network
of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTY.

All was working fine, starting up successfully on boot until I did the
following:
Installed isc-dhcp-server to serve dhcp to guest Pis
Installed Apache2 and a cgi script to report DHCP leases
Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules
(bringing it to 16) mapping them to classroom IP addresses
Installed OpenSSH for firewall maintenance
Added Shorewall ACCEPT rules with destination $FW for the above.

Now Shorewall doesn't start on boot, and neither does sshd, but both
start successfully if you log in and type shorewall start and service
sshd start. (Apache and dhcp-server start up ok.)

The problem seems to be that eth0 is still not up by the time the
Shorewall and sshd init scripts get run. In shorewall-init.log there are
messages "Can't determine the IP address of eth0" and in
/var/log/auth.log there are sshd messages "Cannot bind any address".

Shorewall is running under Linux Mint 16.

It may be arguable whether the Shorewall (and sshd) init scripts are at
fault or whether the fault lies with networking startup, but it must be
an issue other people round here have hit. Is there a recognised fix,
either to delay startup of Shorewall (and sshd), or to ensure networking
runs to completion before dependent init scripts are run? Googling for
the sshd half of the problem only seems to come up with sticking plaster
solutions.

Regards - Philip

jonetsu@teksavvy.com | 18 Nov 00:09 2014

Re-ordering of UDP packets with QoS

Hello,

  UDP packets are re-ordered when using QoS.  QoS is using HTB although
as far as I understand it, the output of the HTB is given to SFQs and
there a re-ordering can happen.  This messes up multimedia streams.  Is
there a way to configure QoS in Shorewall so that no UDP packet
re-ordering is taking place ?

Thank you very much for comments and suggestions.
