Jan Lühr | 9 Jan 22:42 2015

Why is shorewall6 blocking ICMPv6 NS?

Hello folks,

I'm lost. For some reason, shorewall6 is blocking ICMPv6 Neighbor
Solicitation.

Shorewall6 itself is running on one VM host, connecting different
LXC-Containers using a bridge (br-guests).
NS between guests is blocked :-/.

Details:
https://gist.github.com/anonymous/a39bf4d5f6c71fa9bb02

Do you get what's wrong? I'm staring at the log without seeing anything
useful.

Thanks in advance,
yanosz

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
Artur Uszyński | 9 Jan 14:00 2015

"shell" string in configuration files.

Hello.

When I add an ipv4 zone named "shell" (lowercase) I'm getting the following error:

Compiling /etc/shorewall/zones...
/bin/sh: ipv4: command not found
    ERROR: SHELL Script failed /etc/shorewall/zones (line 25)

It was not happening in previous (very old) versions of Shorewall. Is it a bug or a new feature?

Regards.
--
Artur
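The error in the post above shows the compiler handing the zones line to /bin/sh: the first token `shell` was read as Shorewall's embedded-script directive instead of as a zone name, so the rest of the line (`ipv4`) was executed as a command. As an added example, not from this thread or from the Shorewall project, here is a small Python check that scans a Shorewall config file for lines whose first token is such a directive keyword, so an unintended zone or host name is flagged before the compiler ever executes it. The keyword list (`shell`, `perl`) is an assumption to verify against the installed version's documentation; the sample zones file is constructed to mirror the post.

```python
import re
from typing import List, Tuple

# Keywords assumed to start an embedded-script directive. SHELL is confirmed by the
# error in the post; PERL is Shorewall's other documented embedded-script form.
# Check this list against the Shorewall version actually in use.
DIRECTIVE_KEYWORDS = ("shell", "perl")

# First whitespace-delimited token of a config line (leading whitespace allowed).
_FIRST_TOKEN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)")


def first_token(line: str) -> str:
    """Return the first token of a config line, or '' for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    m = _FIRST_TOKEN.match(line)
    return m.group(1) if m else ""


def find_directive_collisions(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, keyword, line) for every line whose first token, compared
    case-insensitively, is a directive keyword and would therefore be executed rather
    than parsed as data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        token = first_token(line).lower()
        if token in DIRECTIVE_KEYWORDS:
            hits.append((lineno, token, line.rstrip()))
    return hits


# Constructed sample zones file modelled on the post: a zone literally named "shell".
SAMPLE_ZONES = """\
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4
loc     ipv4
shell   ipv4
"""

if __name__ == "__main__":
    for lineno, keyword, line in find_directive_collisions(SAMPLE_ZONES):
        print(f"line {lineno}: first token '{keyword}' is a directive keyword: {line}")
```

Running the check over a real configuration directory (one call per file under /etc/shorewall) is enough to catch the case in the post; anything it reports is a line the compiler would pass to an interpreter.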

heriyanto shell | 6 Jan 09:21 2015

Providers with same gateway different interface and IP

Hi All,

I get multiple public IPs from my ISP; so far I'm just using one,
so I just put one eth in the providers file.
Last night I added a new network interface and assigned it another IP that I got from my ISP,
then I tried to modify/add the config in the providers file, and I got this error:

[root@www2 shorewall]# /etc/init.d/shorewall restart
Restarting shorewall: WARNING: There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty
RTNETLINK answers: File exists
ERROR: Command "ip -4 route add table 1 211.111.51.20/28 dev eth2 proto kernel scope link src 211.111.51.93" Failed
/usr/share/shorewall/lib.common: line 112: 16563 Terminated $SHOREWALL_SHELL $script $options $@

This is my providers file configuration
Otong  1       1       main        eth1        211.111.51.81 track,balance
Otong2  2      2       main         eth2        211.111.51.81 track,balance    

eth1 ip: 211.111.51.91 and
eth2 ip: 211.111.51.93

So it's a different eth but with the same gateway. Is there any solution to fix this? I'd appreciate any help.

Regards,

Heriyanto
Marcelo Bello | 2 Jan 03:03 2015

Questions regarding the "optional" interface option

Hi,
Happy 2015 to all!

I am setting up tinc VPN on a firewall (shorewall setup) that is also the network gateway.

The standard tinc setup has the tincd daemon create and remove the necessary VPN interface (tun0 in my case). The problem is that when tincd is not running, the tun0 interface is not just down, it is actually removed from the system (the command ifconfig tun0 returns "device not found").

The first test I did was to check if the "optional" interface option would work with an interface that could not be found (I initially assumed it would work only on an interface that is down), but shorewall did start just fine. I also ran iptables -L and saw rules associated with the zone linked to the tun0 interface.

However, I am worried that such firewall rules may for some reason not work reliably. I do not have a deep understanding of how iptables works, but can I assume that once the tun0 interface is brought up, the firewall will work just as I configured shorewall to treat it (without restarting shorewall)? Is shorewall able to add all necessary firewall rules even when the interface does not exist in the system? Any reason for concern?


Best regards,

Marcelo
Alex Aminoff | 31 Dec 03:54 2014

whitelist from dynamic drop?


I was able to set up shorewall in combination with a few perl scripts to 
let me easily drop and allow my daughters' machines from accessing the 
internet (they are 7 and 10 years old). I used "shorewall drop/allow 
dynamic". However, now I want their machines to be able to still connect 
to the household firewall itself, even when they are on the dynamic 
blacklist. I tried adding to the blrules file

WHITELIST       loc:10.0.0.0/24    $FW

but that does not appear to work. I read the documentation about 
blacklisting/whitelisting that I could find but could not see an obvious 
solution.

I was able to get it to work by manually running iptables -I commands, 
but that only works until shorewall restarts.

Thanks,
  - Alex

Ibrahim Hamouda | 18 Dec 12:44 2014

one-2-one nat

Hi all
I have a working configuration in an older version as follows:

/etc/shorewall/nat

<ExternalIP>  eth0  192.168.7.201 no no

/etc/shorewall/rules

ACCEPT net loc:192.168.7.201 tcp 20,21,80,443 - <ExternalIP>

Now in version 4.5.21.6 on debian wheezy

The same configuration is not working.
I see the address added when I do ip addr

Are there any changes I need to make somewhere else, or in shorewall.conf?

Thanks in advance for the help

Ibrahim
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
jonetsu@teksavvy.com | 18 Dec 01:52 2014

tunnels and DSCP

Hello,

To DSCP-mark the packets of a tunnel (not the packets inside), the
egress interface by which the tunnel is going would be added to TC
as a device, a default TC class created, then a single rule with
whichever DSCP value configured, basically. Does this sound OK? Is
there any catch with working with tunnels?

About tcrules and DSCP, what is the planned life of DSCP inside
tcrules before it gets obsoleted in favor of the mangle config file?

Thanks!

Tom Eastep | 17 Dec 20:06 2014

Shorewall 4.6.5.3

Shorewall 4.6.5.3 is now available for download.

Problems Corrected:

1)  The Shorewall-init scripts were using the incorrect
    variable to set the state directory. Correction provided by Roberto
    Sanchez.

2)  For normal dynamic zones, the 'add' command failed with a
    diagnostic such as:

      ERROR: Zone ast, interface net0 does not have a dynamic host list

3)  When a mark range was used in the marks (tcrules) file, a run-time
    error occurred while attempting to load the generated ruleset.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Gary Phillips | 16 Dec 10:45 2014

FW: DNAT Protocol 47


I have used various versions of shorewall on older Linux servers with great success.
I have recently replaced one of our old servers with CentOS 6.6 and installed Shorewall 4.5.4 from the epel repo.
Please find attached the Shorewall dump file as requested on your support page.

When I try to use a DNAT rule to forward pptp traffic to a Microsoft RAS server (which was working in a
previous version), the client connects and authenticates on port 1723 and a VPN session is established, but
no protocol 47 traffic is recorded by Shorewall and I am unable to communicate with any computers on the
local network.

Client source ip (in the dump) 85.255.233.8

Shorewall server eth0 (net) 157.228.196.187
Shorewall server eth1 (loc) 10.1.0.6

Microsoft RAS server 10.1.0.10

I have also opened the L2TP ports but the same happens: I connect and authenticate but no traffic is sent over
protocol 50.

Any help would be greatly appreciated
Gary
Attachment (shorewall_dump.txt.gz): application/x-gzip, 13 KiB
MBB | 12 Dec 20:57 2014

Multi ISP: How to set a permanent route for a disabled provider

Hi shorewall user group!

I have a Multi-ISP setup with 2 providers.

/etc/shorewall/providers:

############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
KTV 1 1 - web0 1.1.1.1 balance=1
SURF 2 2 - web1 172.16.1.254 balance=2

Note that KTV has a public IP but SURF a private IP because it is behind a router.

I monitor these two providers with monit, and monit automatically executes
"/sbin/shorewall disable ${PROVIDER}" when it can't reach a certain host. When the host is available again it runs "/sbin/shorewall enable ${PROVIDER}".

For provider SURF I made an entry in rtrules to ensure that the pings to host 2.2.2.2, which I use to monitor SURF, always use IF web1.

/etc/shorewall/rtrules:

####################################################################################
#SOURCE DEST PROVIDER PRIORITY MASK
lo 2.2.2.2 SURF 1000

For provider KTV this is not necessary because monit pings the gateway 1.1.1.1, and therefore there is always a route in table main.

This is how the rules look when both providers are enabled:

# ip ru show
0: from all lookup local
999: from all lookup main
1000: from all to 2.2.2.2 iif lo lookup SURF
10000: from all fwmark 0x1/0xff lookup KTV
10001: from all fwmark 0x2/0xff lookup SURF
20000: from 172.16.1.1 lookup SURF
20000: from 1.1.1.99 lookup KTV
32765: from all lookup balance
32767: from all lookup default

And now the rules after "/sbin/shorewall disable SURF":

# ip ru show
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x1/0xff lookup KTV
20000: from 195.62.84.41 lookup KTV
32765: from all lookup balance
32767: from all lookup default

Shorewall removed all rules for provider SURF, including the one for host 2.2.2.2 which I need to monitor SURF.
Now I have the problem that all pings to 2.2.2.2 would go through IF web0, to KTV, and no longer through web1.

Is it possible to configure shorewall so that it adds a permanent route to host 2.2.2.2 in table main, so that even when provider SURF is disabled the pings to host 2.2.2.2 go through IF web1?

I'd appreciate any hint to solve this riddle.

Cheers

Norbert


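The post above shows the failure mode only by eye: two `ip ru show` listings, with the rule for the monitoring host gone from the second. As an added example, not part of the thread or of Shorewall, here is a Python check that parses `ip rule show` output, reports which rule selectors disappeared between two snapshots (ignoring priority numbers, so renumbering cannot hide a loss), and answers the practical question "is traffic to the monitor host still steered into the provider's table?". The two listings are taken from the post and embedded as sample input; the function names are mine.

```python
import re
from typing import Dict, List, Set

# Sample input: the two "ip ru show" listings from the post above, embedded so the
# check runs offline. In practice feed it subprocess output of "ip rule show".
RULES_BOTH_ENABLED = """\
0:      from all lookup local
999:    from all lookup main
1000:   from all to 2.2.2.2 iif lo lookup SURF
10000:  from all fwmark 0x1/0xff lookup KTV
10001:  from all fwmark 0x2/0xff lookup SURF
20000:  from 172.16.1.1 lookup SURF
20000:  from 1.1.1.99 lookup KTV
32765:  from all lookup balance
32767:  from all lookup default
"""

RULES_SURF_DISABLED = """\
0:      from all lookup local
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup KTV
20000:  from 195.62.84.41 lookup KTV
32765:  from all lookup balance
32767:  from all lookup default
"""

# "<priority>:<whitespace><selector ... lookup <table>>"
_RULE = re.compile(r"^\s*(\d+):\s*(.*\S)\s*$")


def parse_rules(output: str) -> List[Dict[str, str]]:
    """Parse 'ip rule show' output into dicts with priority, normalised selector and table."""
    rules = []
    for line in output.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        selector = re.sub(r"\s+", " ", m.group(2))
        # The routing table name follows the last "lookup" keyword.
        table = selector.rsplit("lookup ", 1)[1] if "lookup " in selector else ""
        rules.append({"priority": m.group(1), "selector": selector, "table": table})
    return rules


def rule_destination(selector: str) -> str:
    """Destination of a rule: the token after 'to', or 'all' when no 'to' is present."""
    tokens = selector.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "to":
            return tokens[i + 1]
    return "all"


def rules_removed(before: str, after: str) -> Set[str]:
    """Selectors present in `before` but absent from `after`, priority ignored."""
    return ({r["selector"] for r in parse_rules(before)}
            - {r["selector"] for r in parse_rules(after)})


def monitor_path_intact(output: str, host: str, table: str) -> bool:
    """True if some rule still sends traffic destined to `host` into routing table `table`."""
    return any(rule_destination(r["selector"]) == host and r["table"] == table
               for r in parse_rules(output))


if __name__ == "__main__":
    for sel in sorted(rules_removed(RULES_BOTH_ENABLED, RULES_SURF_DISABLED)):
        print("removed by disable:", sel)
    print("monitor path to 2.2.2.2 via SURF after disable:",
          monitor_path_intact(RULES_SURF_DISABLED, "2.2.2.2", "SURF"))
```

Run from a monit or cron hook after each provider state change, the second function is the check a practitioner actually wants: if it returns False, the monitor's probes are silently taking the other provider's path, which is exactly the situation the poster describes.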
Răzvan Sandu | 11 Dec 15:15 2014

Please add support for tinc VPN in Shorewall

Hello,

Would you please help adding support for tinc VPN in shorewall?

As stated in Fedora EPEL bug #1161116 
(https://bugzilla.redhat.com/show_bug.cgi?id=1161116):

Tinc (http://www.tinc-vpn.org/) is a popular, cross-distro VPN solution 
that allows MESH networks. For RedHat family, it is available in Fedora 
EPEL.

According to documentation, tinc uses port 655 for its VPN interface 
(http://tinc-vpn.org/documentation/Example-configuration.html), probably 
both TCP and UDP

In order to allow its speedy usage on a larger number of systems, 
including production ones, please:

- add a specific, predefined macro for it under /usr/share/shorewall/

- specify, in shorewall's documentation, what type of VPN should be used 
for tinc's /dev/tun or /dev/tap interfaces, in /etc/shorewall/tunnels file

Thanks a lot,
Răzvan

Attachment (razvan_sandu.vcf): text/x-vcard, 507 bytes