Eric Teeter | 9 Jan 2013 23:17

tcrules

Dear Tom:

I am trying to use tcrules to give TOS to my phone system.

The following does not give me any error, but are there improvements that can be made?

/etc/shorewall/tcrules

#ACTION SOURCE         DEST           PROTO PORT(S)     SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
1       0.0.0.0/0      192.168.1.249  udp   10000:20000 -      -    -    -      16
1       192.168.1.249  0.0.0.0/0      udp   10000:20000 -      -    -    -      16

Eric

------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
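The two rows in Eric's tcrules put the value 16 in the TOS column and a plain mark (1) in ACTION. In the tcrules layout every column after ACTION narrows the match, so rows written this way apply only to packets that already carry TOS 16 (Minimize-Delay); they mark RTP that is already tagged rather than tagging it. The script below is an added example, not code from the post or from Shorewall: a small parser for the tcrules column layout with a check that flags a mark action paired with a filled TOS column, and a rewrite that uses the TOS(value) action instead. The column order, the TOS(value) action and the iptables TOS names are my reading of shorewall-tcrules(5) for the 4.5 series and should be confirmed against the installed manpage; the sample table is Eric's, reindented, and is embedded as constructed input.

```python
import re

# Column order of /etc/shorewall/tcrules in the 4.5 series, per shorewall-tcrules(5)
# (assumed here; confirm with the installed manpage).  ACTION is the only column
# that does something; every other column narrows which packets match.
COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "USER",
           "TEST", "LENGTH", "TOS", "CONNBYTES", "HELPER")

# RFC 1349 TOS values under the names iptables uses; 16 (0x10) is Minimize-Delay.
TOS_NAMES = {16: "Minimize-Delay", 8: "Maximize-Throughput",
             4: "Maximize-Reliability", 2: "Minimize-Cost", 0: "Normal-Service"}

# A plain fwmark ACTION: "1", "0x10", "1/0xff", "1:P", "1/0xff:F" and so on.
MARK_ACTION = re.compile(r"^(0x[0-9a-f]+|\d+)(/(0x[0-9a-f]+|\d+))?(:[a-z]+)?$", re.I)

# Constructed input: the two rows from the post, reindented.
SAMPLE_TCRULES = """\
#ACTION SOURCE         DEST           PROTO PORT(S)     SOURCE USER TEST LENGTH TOS
1       0.0.0.0/0      192.168.1.249  udp   10000:20000 -      -    -    -      16
1       192.168.1.249  0.0.0.0/0      udp   10000:20000 -      -    -    -      16
"""


def parse_tcrules(text):
    """Parse tcrules text into dicts keyed by COLUMNS; '-' and omitted
    trailing columns both become ''."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) > len(COLUMNS):
            raise ValueError(f"too many columns: {raw!r}")
        row = {col: "" for col in COLUMNS}
        for col, val in zip(COLUMNS, fields):
            row[col] = "" if val == "-" else val
        rows.append(row)
    return rows


def parse_tos(value):
    """TOS as a number: decimal, 0x hex, or one of the iptables names."""
    for num, name in TOS_NAMES.items():
        if value.lower() == name.lower():
            return num
    return int(value, 0)


def lint(rows):
    """(row_number, message) for each row whose ACTION is a fwmark while the
    TOS column is filled: that pairing matches on TOS instead of setting it."""
    findings = []
    for n, row in enumerate(rows, 1):
        if MARK_ACTION.match(row["ACTION"]) and row["TOS"]:
            tos = parse_tos(row["TOS"])
            name = TOS_NAMES.get(tos, "non-standard value")
            findings.append((n, f"mark {row['ACTION']} applies only to packets "
                                f"already carrying TOS {tos} ({name}); "
                                f"use TOS({tos}) as the ACTION to set it"))
    return findings


def as_tos_setter(rows):
    """Copy of rows in which each flagged row sets the TOS instead.  Assumes the
    TOS(value) ACTION of shorewall-tcrules(5); check the installed manpage."""
    fixed = []
    for row in rows:
        new = dict(row)
        if MARK_ACTION.match(row["ACTION"]) and row["TOS"]:
            new["ACTION"] = f"TOS({parse_tos(row['TOS'])})"
            new["TOS"] = ""
        fixed.append(new)
    return fixed


def render(rows):
    """Serialise rows back to tcrules syntax, dropping empty trailing columns."""
    lines = ["#" + "\t".join(COLUMNS)]
    for row in rows:
        vals = [row[c] or "-" for c in COLUMNS]
        while len(vals) > 1 and vals[-1] == "-":
            vals.pop()
        lines.append("\t".join(vals))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_tcrules(SAMPLE_TCRULES)
    for n, msg in lint(rows):
        print(f"row {n}: {msg}")
    print(render(as_tos_setter(rows)))
```

Run as a script it prints one finding per row and the rewritten table with TOS(16) in the ACTION column and the TOS column emptied. Setting TOS only helps where the next hop honours it; upstream routers are free to rewrite the byte, so for prioritising RTP on the local link the match is better tied to an HTB class in tcclasses as well.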
Ernesto Domato | 8 Jan 2013 18:29

missing options on manpage for shorewall.conf

Hi all, I was reading the manpage for shorewall.conf to understand all
the options that appear in the shorewall.conf sample for a standalone
configuration (as described in the documentation) and didn't find the
information for these four options:

DELAYBLACKLISTLOAD
BRIDGING
DYNAMIC_ZONES
PKTTYPE

Thanks for all.
Ernesto

Fred Maillou | 8 Jan 2013 16:32

TC config not removed from system

Hello,

  Using recent Shorewall versions (4.5.11 and 4.5.3), it seems
that an active TC config is not removed when using 'restart' with
a config that does not have any TC parameters.  Version 4.5.2
does remove a TC config.

 Here's how the test is made.

 1) state: no firewall config applied.  iptables returns all
    ACCEPT. tc returns no information when queried about the
    interface that will receive TC config in the next steps.
    shorewall.conf has: 'TC_ENABLED=Internal'.

 2) The following simple config is applied by changing to the
    directory where the config files are located and issuing
    'shorewall restart .':

zones

fw    firewall
net    ipv4

interfaces

net    switch.0001

policy

all    all    ACCEPT

tcdevices

switch.0001    0    75mbit

tcclasses

switch.0001    1    full*1/10     full*9/10     1   
switch.0001    2    full*3/10     full*7/10     1    default

tcrules

1    172.30.159.102    0.0.0.0/0    all


 3) state: iptables returns FW config.  tc returns proper class
 information: 'tc -s -d class show dev switch.0001'

 4) The tc* files are moved away from the config directory

 5) 'shorewall restart .' is executed

 6) state: the tc command still returns the class information.  With
 Shorewall 4.5.2 and the same test the TC config is wiped from the
 system.


Thanks.

Costantino | 8 Jan 2013 12:02

constraint port access to specific application

Following the discovery of an HTTP scanning attempt on a port on my firewall that I intended to dedicate to SSH access, I've come to realise that I didn't know how to use Shorewall to constrain port access to a specific application of my choice.

A quick search on the Internet did not provide me with enough hints to let me be self-reliant in my learning, hence my request for help in order to plug the hole as soon as possible.

First of all, (a) is there such a feature in Shorewall and (b) if yes, is there a manual that teaches how to use it?

Alternatively, what other options are left to me?

Thanks for advising me.

Costa

Fred Maillou | 7 Jan 2013 17:10

Shorewall and SIP phones

Hello,

  Are there general guidelines around on how to configure Shorewall for use with SIP phones?  Especially regarding (some?) Cisco SIP phones, which expect a reply at port 5060 while sending from an arbitrary high port.

Thanks !
Tom Eastep | 6 Jan 2013 04:10

Re: Routing network traffic via VPN

On 01/05/2013 06:55 PM, f q wrote:
> Excellent!  Removing the rule causes the firewall to behave as I expect.
> 
> "What do you expect?"
> 
> I was using this as an example and the line:
> 
> http://www.shorewall.net/MultiISP.html#USE_DEFAULT_RT
> 
> "Although 'balance' is automatically assumed when USE_DEFAULT_RT=Yes,
> you can easily cause all traffic to use one provider except when you
> explicitly direct it to use the other provider via shorewall-rtrules
> (5) or shorewall-tcrules  (5)."
> 
> I see now, that this should include "rules" as well, as we had just found.
> 
> Previous experimentation with "USE_DEFAULT_RT=Yes" with the outdated
> version prior to upgrade, did not result in any discernible
> difference, oddly.  I was focused on using the files listed here to
> create the behavior I was looking for, as this appeared to be your
> recommendation.

You're welcome

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 6 Jan 2013 02:53

Re: Routing network traffic via VPN

On 01/05/2013 04:13 PM, f q wrote:
> Apologies, I test my connections by doing a "ping 8.8.8.8" (Google DNS); So:
> 
> source IP -> 192.168.0.38 (my VPN would be down at this point, after step 7)
> dest IP -> 8.8.8.8
> protocol -> ICMP
> port -> NA

You have this rule in your rules file:

ACCEPT	$FW	net	icmp

What do you expect?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 5 Jan 2013 23:56

Re: Routing network traffic via VPN

On 01/05/2013 02:40 PM, f q wrote:
> Also, I think you want USE_DEFAULT_RT=Yes. I don't see how
> USE_DEFAULT_RT=No can possibly work here, since you have to be able to
> route between the interfaces and both are provider interfaces.
> 
> 1) I made the changes as you requested, and set "USE_DEFAULT_RT=Yes",
> in /etc/shorewall/shorewall.conf.
> 2) I issued a /sbin/shorewall restart to re-read the configuration
> file (I'm not sure this is entirely required, but I wanted to be sure
> the new changes were being reflected in the current running
> configuration)
> 3) Applied the configuration for the firewall, normal warnings:
> Adding Providers...
>    WARNING: Interface tun0 is not usable -- Provider iPredator (2) not Started
>    WARNING: No Default route added (all 'balance' providers are down)
>    NOTICE: Default route restored
> 4) Connected to OpenVPN
> 5) Attempted to re-apply the firewall configuration, as before (no errors)
> 6) Attempted pings to verify connection (they traversed the VPN correctly)
> 7) Disconnected from the VPN, traffic then traversed my default
> connection incorrectly.

Come on -- you have to be specific. Exactly what connection did you
attempt that worked when you didn't believe that it should? Give the
source IP address, the destination IP address, protocol and port (if
appropriate).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 5 Jan 2013 16:33

Re: How could I open Port 1701 for VPN l2tp/ipsec

On 01/05/2013 01:46 AM, tony.blue.mailinglist <at> gmx.de wrote:
> On 04.01.2013 22:14, Tom Eastep wrote:
>> A new problem has emerged: After the entry in the /etc/shorewall/masq
>> shorewall does not work when the device ppp1 is not created. If I want to
>> start shorewall I have to make a VPN connection.
>>
>> Is there a way to start shorewall with no VPN connection (no ppp1 ipsec
>> tunnel)?
>> why don't you just do what I showed you above?
>>
>> -Tom
>>
> 
> Hi Tom,
> 
> Please excuse me. I was not sure whether posting the shorewall/dump on the
> public list would publish data that make my firewall insecure.
> 
> Therefore, I send you the shorewall/dump personally via email. I hope
> this is okay.
> 
> The structure is like this:
> 
>                                     +-------- eth2 (dmz webserver)
>                                     |
> Internet --- (dynamic IP) --- ppp0 ---- eth0 (local network)
>                                     |
>                                     +-------- eth3 (wlan)
>                                     |
>                                     +-------- tun0 (open-vpn)
>                                     |
>                                     +-------- ppp1 (vpn ipsec/l2tp)
> 

This single entry will work:

ppp0	192.168.0.0/16

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

emilianovazquez | 3 Jan 2013 01:34

How to get failover with 2 providers

HI guys!

I'm working with Shorewall 4.5.11 from sources on Ubuntu 12.10 64 bits.

I have two WANs and am using /etc/shorewall/providers to create both routes to the Internet; this is working,
balancing lines OK.
I found a problem when one WAN link is down: the route is still available, and the packets sent through this route
never arrive at their destination.

If I delete the provider from /etc/shorewall/providers and restart Shorewall, everything goes up using
the other provider.

Is there any hint to solve this?

Best regards!

Emiliano 

Emiliano Vazquez  |  PcCentro S.R.L.        
Office: +54 (11) 4635-7764 ext. 4
Celular: 15.6253.7165
Mail: emilianovazquez <at> gmail.com
Web: http://www.pccentro.com.ar

Simon Matter | 31 Dec 2012 13:10

Typos in 4.5.11.1?

Hi Tom and all,

I've just updated a box to 4.5.11.1 and it won't start with
Loading Modules...
   ERROR: Invalid modules file entry /usr/share/shorewall/modules.xtables
(line 45)
      from /usr/share/shorewall/modules (line 23)

Looks like this patch is wrong

--- shorewall-4.5.11/modules.xtables	2012-12-26 07:43:06.000000000 -0800
+++ shorewall-4.5.11.1/modules.xtables	2012-12-30 08:59:20.000000000 -0800
 <at>  <at>  -39,3 +39,12  <at>  <at> 
 loadmodule xt_tcpmss
 loadmodule xt_IPMARK
 loadmodule xt_TPROXY
+#
+# From xtables-addons
+#
+xt_condition
+xt_geoip
+xt_ipp2p
+xt_LOGMARK
+xt_RAWNAT
+
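Review bot: the five added entries from `+xt_condition` to `+xt_RAWNAT` lack the `loadmodule` keyword that every other line in the file carries (compare the context lines `loadmodule xt_tcpmss` through `loadmodule xt_TPROXY`), and with the hunk starting at new line 39 the first bare name, `xt_condition`, lands on line 45, which is exactly the entry the startup error reports as invalid. Prefix each of the five names with `loadmodule`.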

I guess it should be

--- shorewall-4.5.11/modules.xtables	2012-12-26 07:43:06.000000000 -0800
+++ shorewall-4.5.11.1/modules.xtables	2012-12-30 08:59:20.000000000 -0800
 <at>  <at>  -39,3 +39,12  <at>  <at> 
 loadmodule xt_tcpmss
 loadmodule xt_IPMARK
 loadmodule xt_TPROXY
+#
+# From xtables-addons
+#
+loadmodule xt_condition
+loadmodule xt_geoip
+loadmodule xt_ipp2p
+loadmodule xt_LOGMARK
+loadmodule xt_RAWNAT
+
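Review bot: with `loadmodule` restored on all five entries this hunk is consistent with the rest of modules.xtables; since condition, geoip, ipp2p, LOGMARK and RAWNAT come from the out-of-tree xtables-addons package rather than the stock kernel, the reviewer should confirm that a module whose file is absent is skipped rather than failing "Loading Modules..." on hosts without xtables-addons installed. The final `+` line also appends a blank line at end of file, which can be dropped.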

Thanks and a good 2013 to everyone,
Simon
