Hervé Werner | 25 Mar 18:46 2014

Comment not bound to the right rule & accounting zone

Hello.

I discovered something wrong in the comments generated from the rules file:
I had an issue with a piece of software triggering INVALID packets (gnome-shell
weather extension), didn't manage to figure out why, so I just
configured Shorewall to DROP them all by adding lines in the INVALID
section of the rules file, and it worked as expected:

?COMMENT Drop invalid packets generated by weather applet
Invalid(DROP)	$FW			net:98.137.200.255	tcp
Invalid(DROP)	net:98.137.200.255	$FW			tcp
?COMMENT

But the comment is bound to the rule matching all INVALID packets:

$ sudo shorewall show | grep applet
   51  2652 _fw-net    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */
    0     0 _net-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

and there isn't any comment next to the IP 98.137.200.255:

$ sudo shorewall show | grep 98.137.200.255
   51  2652 DROP       tcp  --  *      *       0.0.0.0/0            98.137.200.255
    0     0 DROP       tcp  --  *      *       98.137.200.255       0.0.0.0/0

When adding a second rule below in the INVALID section embedded by a new
(Continue reading)

John Doe | 25 Mar 16:44 2014

Internal traffic shaping...

Hi,

I am trying to switch on internal traffic shaping and I am wondering 
if I set it up correctly...  I have clients behind a firewall connected 
to 3 providers.

I have 1 SDSL and 2 ADSL:

  tcdevices:
    eth1  4mbit  4mbit
    eth2  6mbit  796kbit
    eth3  6mbit  796kbit

I setup 4 classes for eth1, 3 for eth2 and 3 for eth3:

  tcclasses:
    eth1  1   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth1  2   full*60/100   full*95/100   2            # web
    eth1  3   full*10/100   full*95/100   3            # email
    eth1  4   full*10/100   full*95/100   3  default
    eth2  5   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth2  6   full*60/100   full*95/100   2            # web/email
    eth2  7   full*20/100   full*95/100   3  default
    eth3  8   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth3  9   full*60/100   full*95/100   2            # web/email
    eth3  10  full*20/100   full*95/100   3  default

For the rules:
1. ping, ssh and dns from the firewall are priority 1
2. forwarded clients traffic (192.168.16.0/20) is split as:
(Continue reading)

Axel Zöllich | 24 Mar 17:43 2014

Network via ipv4 AND ipsec

How can I declare the network 192.168.223.0/24 to be reachable via ipv4 and 
ipsec?
Some hosts via vlan eth0:223 and some hosts via ipsec over interface eth4 
192.168.223.0/24?

At the moment I've got in zones:
pktgh   ipsec           mode=tunnel     mss=1024
and in hosts:
pktgh   eth4:192.168.223.0/24,212.117.77.202    ipsec
pktgh   eth4:192.168.3.0/24,212.117.77.202      ipsec

so the whole 192.168.223.0/24 is ipseced.

But I'd like to have some hosts attached to the local vlan eth0:223.

Axel

-- 
We use only organically grown blue electrons.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
Hervé Werner | 21 Mar 16:19 2014

Question about smurf protection

Hello.

I was studying the smurf protection and was astonished to see that a
RETURN rule without any IP restriction is written first in the chain:
	-A smurfs -s 0.0.0.0/32 -j RETURN
	-A smurfs -m addrtype --src-type BROADCAST -g smurflog
	-A smurfs -s 224.0.0.0/4 -g smurflog

That means that all packets will return and none will go into the
smurflog chain (and then be dropped), right?

I tested the smurf attack to see how Shorewall would behave;
unfortunately the current Linux kernel considers such packets to be martians and
thus prevents them from reaching Shorewall.

I'm also wondering why Shorewall is sometimes using "addrtype MULTICAST"
and other times, as above, "-s 224.0.0.0/4"?

Information about my setup: Shorewall version 4.5.21.7 fetched from the
Debian testing repository.

H. Werner

(Continue reading)
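As an added example (not from the post above and not Shorewall's own code), a small Python walk of the quoted smurfs chain: it evaluates the three rules top to bottom against constructed source addresses, so a reader can check which sources each rule actually matches. The set of local broadcast addresses is an assumption, because the real `addrtype --src-type BROADCAST` match is answered by the kernel from the routing table.

```python
"""Walk the 'smurfs' chain quoted in the post, rule by rule.

Added example, not Shorewall's code. The three rules are the ones shown
in the post; everything else is a constructed simulation. In particular
'-m addrtype --src-type BROADCAST' is decided by the kernel from the
routing table, so the set of broadcast addresses below is an assumption.
"""
import ipaddress

# Assumed local broadcast addresses for the simulated host (constructed).
LOCAL_BROADCASTS = {
    ipaddress.ip_address("192.168.1.255"),
    ipaddress.ip_address("255.255.255.255"),
}


def src_in(cidr):
    """Match for '-s CIDR': true when the source lies inside the prefix."""
    net = ipaddress.ip_network(cidr)
    return lambda src: src in net


def src_type_broadcast(src):
    """Match for '-m addrtype --src-type BROADCAST' (simulated)."""
    return src in LOCAL_BROADCASTS


# The chain exactly as quoted in the post, evaluated top to bottom.
# Entries are (rule text, match predicate, target). For the verdict of
# this chain '-j' and '-g' give the same answer: they differ only in
# where control returns after the smurflog chain, which logs and drops.
SMURFS_CHAIN = [
    ("-A smurfs -s 0.0.0.0/32 -j RETURN", src_in("0.0.0.0/32"), "RETURN"),
    ("-A smurfs -m addrtype --src-type BROADCAST -g smurflog",
     src_type_broadcast, "smurflog"),
    ("-A smurfs -s 224.0.0.0/4 -g smurflog", src_in("224.0.0.0/4"), "smurflog"),
]


def walk_smurfs(src_str):
    """Return (verdict, rule) for a packet with the given source address.

    verdict is 'smurflog' (handed to the logging/drop chain), 'RETURN'
    (chain exited early, the caller continues) or 'fallthrough' (no rule
    matched, so the caller's next rule applies to the packet).
    """
    src = ipaddress.ip_address(src_str)
    for rule, match, target in SMURFS_CHAIN:
        if match(src):
            return target, rule
    return "fallthrough", None


if __name__ == "__main__":
    # A /32 prefix covers exactly one address, so the RETURN rule fires
    # only for source 0.0.0.0 (for example a DHCP client with no address yet).
    for src in ("0.0.0.0", "10.0.0.5", "192.168.1.255",
                "255.255.255.255", "224.0.0.1", "239.255.255.250"):
        verdict, rule = walk_smurfs(src)
        print(f"{src:>16} -> {verdict:<11} {rule or ''}")
```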

Zenny | 21 Mar 13:51 2014

Fwd: How to open a few IPs in loc behave like DMZ zone in 3-interface setting

Hi:

Shorewall has been working wonderfully for a few years without any problems (except some undefinable glitches which I tried to share with you earlier). Thanks for the great work.

BTW, I have a few servers running in LOC zone which need to be accessible from outside, too. The server is hosted in the LOC zone for some security reasons, including a mysql server.

I could not figure out exactly how a few specific private IPs in the LOC zone which are hosting those additional servers can be made reachable from the DMZ zone. I could not figure out exactly how it can be done with shorewall. I'd appreciate it if you have any links or hints.

Thanking you in anticipation.

/z

PS: I happened to send this to Tom instead of the user list. Apologies!

Hristo Benev | 21 Mar 13:34 2014

Shorewall 4.5.21.8 generic RPM warning

After updating from the generic RPMs on CentOS 6 I received the following warning.

  Updating   : shorewall-init-4.5.21-8.noarch                                    3/8
WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled

Should I worry about this warning?

Thank you,

Hristo

_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
İlker Aktuna | 19 Mar 20:31 2014

multi ISP - port based routing

Hi,

I am using Shorewall 4.4.26.1 on Ubuntu 12.04.3

My multi ISP configuration is running fine with 2 ppp interfaces.

Now I need to route a specific application through only one of these ppp interfaces.

I follow the instructions in http://shorewall.net/MultiISP.html#Applications

So I add the following 2 lines to my tcrules file:

2:P         192.168.254.0/24             0.0.0.0/0              udp     5060
2             $FW                                      0.0.0.0/0              udp     5060

But the result does not change. The packets for this app are still being load-balanced.

My providers file is like:

vdsl    1       1       -       ppp1    -       track,balance=4
adsl    2       2       -       ppp0    -       track,balance=1

What am I missing? Is there another step I should take?

Thanks.

Attachment (dump.txt.gz): application/octet-stream, 42 KiB
Tom Eastep | 19 Mar 20:09 2014

Shorewall 4.5.21.8

Shorewall 4.5.21.8 is now available for download.

Problems Corrected:

1)  If an rtrules entry duplicated a Shorewall-generated route rule but
    had a lower priority than the generated one has (20000), then a
    disable/enable sequence on the provider would result in duplicate
    rules with priority 20000.

2)  When 'shorewall[6] debug [re]start' was run, any error messages
    generated because of ip[6]tables command errors would not include
    '-t table'.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Angela Williams | 17 Mar 13:15 2014

documentation "features" and a problem

Hi All!
When I used to train Burroughs/Unisys engineers I would always start 
by pointing out that the only stupid or foolish question is the one 
they think would make them look a bit dof (dumb IOW). I always made the point 
about how their "dumb" question almost always helps others! My past 
experience anyway!

Okay, on to the documentation "features"! The web page says 4.4 and 4.5, 
yet when you look at the Multi ISP Connections on a single firewall and 
how to get a local service like smtp to use a specific provider, the chat 
is all about the nice new mangle file! My Gentoo-provided 4.5.18 does 
not have anything called mangle! I would assume that we non-beta users 
would only come across it in 4.6! It really confused me! Why must I now 
put my rule in as MARK(xx) ... into my tcrules! You get used to the 
filenames and it's only when digging a bit deeper by reading a bit 
more carefully that the "mangle" pops up!

Which now leads me on to my problem!

I have a site that has just had a shiny new 5M fibre connection 
installed. I need to toss out my old script based firewall as it cannot 
handle multiple isp connections!

Because of the new connection being 5 times faster than the old leased 
line and the need to do some heavy traffic shaping, I have opted to use
WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, which I figured out need 
to be translated to the new config variables! Again the 
documentation is none too clear! A few errors on another site sorted that 
out! I decided that I need to give myself lots of room to play. My only 
other multi ISP site turned into a dog's breakfast as the one ISP could 
not get their WiFi connection working and reliable!

So my providers file looks like this.
digi    1       0x10000    -       $DIGI_IF    x.x.x.x   loose,balance=1
adsl    2       0x20000    -       $ADSL_IF    10.10.117.254
fibre   3       0x30000    -       $FIBRE_IF   y.y.y.y   loose,balance=4

Now that dumb question!

I need to get smtp traffic from postfix on the firewall to only use the 
digi provider!
Here it comes!
What am I meant to put into tcrules to do it!
Do I use the provider number or MARK of 0x10000?

I have read and reread the docs on the website plus the good man pages, 
but I'm either dof and don't see something I should, or I'm just getting 
past this stuff! All a bit confusing really!

My tcrules snippet looks like this! Even ready for mangle!

# Send smtp out the Digi line
1       $FW             0.0.0.0/0       tcp     25
#We will use this in the new mangle file!
#MARK(2)         $FW             0.0.0.0/0       tcp     25

I managed last night to break the server good and proper like! Silly me 
forgot to put my usual last resort "at" bomb in place to init 6! I did 
do the other bits to stop shorewall and start the old firewall, then I 
fiddled, didn't I. Tried to get the customer to reboot it but the clowns 
did the wrong server! Fortunately they are just a short few km away! 
Guess they need some good labels on all their servers!
Reading man shorewall-tcrules seems to indicate that it might just be 
the provider number and it is added in the OUTPUT chain, which should 
push it out on the digi provider! My quick test with telnet seemed to 
use the fibre provider. I then used mail to send a mail to another 
customer server and once again it seemed to use the fibre provider! Then 
I fiddled and it just broke! A bit of an extra issue is that this customer 
works sort of 24/7 with a few little breaks and internet is pretty 
critical, especially when chatting with head office Stateside!

Any thoughts and ideas are most welcome!

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yeshua Loves You!

Kilburn Abrahams | 17 Mar 13:08 2014

Shorewall not starting on kernel 3.13

Hi all

Rebuilt a server with kernel 3.13. Installed the same version of
shorewall 4.5.18 as a working server. Copied over shorewall configs.
Restarted shorewall and this happens. Googled and could not find
anything. Not sure how to solve this.

SBox shorewall # /etc/init.d/shorewall start
 * Caching service dependencies ...                                       [ ok ]
 * Starting shorewall ...
iptables-restore: line 23 failed
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
/usr/share/shorewall/lib.common: line 113: 10488 Terminated              $SHOREWALL_SHELL $script $options $@                      [ !! ]
 * ERROR: shorewall failed to start

/var/lib/shorewall/.iptables-restore-input does indicate where the
problem might lie.

I was wondering if this is a kernel issue or something else. I have
done this procedure many times and this is the first time I encountered this.

Regards
Kilburn

Orlandinei Vujanski | 15 Mar 20:02 2014

Re: 2 ISP + 2 LAN

Tom, the dump is attached.


2014-03-15 15:59 GMT-03:00 Orlandinei Vujanski <orlandinei <at> gmail.com>:
Tom, the dump is attached.






2014-03-15 15:06 GMT-03:00 Tom Eastep <teastep <at> shorewall.net>:

In your masq file, you need:

eth0  10.1.0.0/20
eth3  192.168.16.0/20

Tom

teastep <at> shorewall.net
http://www.shorewall.org


From: Orlandinei Vujanski [mailto:orlandinei <at> gmail.com]
Sent: Saturday, March 15, 2014 10:23 AM
To: Shorewall Users


Subject: Re: [Shorewall-users] 2 ISP + 2 LAN

 

Tom, can you help me?

My network "eth1" 10.1.0.0/20 has to leave via the default gateway "eth0" 177.135.78.241.

My network "eth2" 192.168.16.0/20 has to leave via the default gateway "eth3" 10.0.0.1.

Follow my setup:

/etc/shorewall/masq:

eth0    eth1

/etc/shorewall/tcrules:

1:P     192.168.16.0/20

/etc/shorewall/providers:

radio  1       1       main            eth3         10.0.0.1           track           -

But this is not working.

Everything is leaving via the default gateway 177.135.78.241.

But I want the 192.168.16.0/20 network to get out via the 10.0.0.1 default gateway.

How do I do this, please?

2014-02-24 13:04 GMT-03:00 Tom Eastep <teastep <at> shorewall.net>:

On 2/24/2014 7:29 AM, Orlandinei Vujanski wrote:

> 2014-02-23 12:52 GMT-03:00 Tom Eastep <teastep <at> shorewall.net

> <mailto:teastep <at> shorewall.net>>:

>
>     On 2/23/2014 6:44 AM, Orlandinei Vujanski wrote:
>     > Tom,
>     > Good afternoon, all right?
>     > Can you help me?
>     >
>     > I have 2 ISP link on my firewall, with the gateway:
>     > eth0: 177.135.78.1
>     > eth1: 10.0.0.1
>     >
>     > I also have 2 local network, being:

>     > eth2: 192.168.16.0/24 <http://192.168.16.0/24>
>     > eth3: 10.1.0.0/20 <http://10.1.0.0/20>

>     >
>     > How do I do so that the network 192.168.16.0/24

>     <http://192.168.16.0/24>

>     > 177.135.78.1 and exit through the Internet gateway at 10.0.0.1

>     > 10.1.0.0/20 <http://10.1.0.0/20> skirt?
>     >
>     > Thank you
>
>     In /etc/shorewall/tcrules:
>
>             m:P     192.168.16.0/24 <http://192.168.16.0/24>

>
>     Where 'm' is the mark for the provider with gateway 10.0.0.1.

> Tom, good morning.
> From what I understand, I also need to configure the correct file
> /etc/shorewall/providers?
> Then I can work with virtual interface eth0:1 or must be physically?
>
>

You do not need to configure eth0 in the providers file. I assume that
you have already configured eth2 and eth3 in /etc/shorewall/providers?


-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk




Attachment (putty2.rar): application/rar, 23 KiB