Norman Henderson | 13 Apr 05:27 2016

Issue with /etc/shorewall/routes

Shorewall 4.5.21.6 on Ubuntu 14.04.1 kernel 3.16.0-51.

For the last month I have had the following entries (and a few more) working fine:
main            10.1.13.0/24    10.1.15.3
main            10.1.8.0/21     10.1.15.1

I am halfway into implementing LSM. I am not yet allowing it to change shorewall states, but I do have IFUPDOWN=0 in /etc/default/shorewall-init. Therefore, I also have "shorewall restart" in a couple of openvpn up/down scripts.

What I am seeing when shorewall attempts to restart:

Adding Providers...
RTNETLINK answers: File exists
   ERROR: Command "ip -4 route add 10.1.13.0/24 via 10.1.15.3 table 254" Failed
...and shorewall ends up Stopped. 

There have been some other recent config changes but I haven't been able to pinpoint one that "caused" this, and it may be that it happened right from the time the routes file was created and I didn't notice the issue.

If I reboot then it comes up clean as expected. Or, if I temporarily rename /etc/shorewall/routes then shorewall starts OK.

Is this a bug? Shouldn't the startup sequence be doing a route replace rather than route add? Or potentially, deleting the routes as part of stopping Shorewall?
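The collision behind "RTNETLINK answers: File exists" is easy to reproduce offline: a plain ip route add fails as soon as a route to the same prefix already sits in the table, whereas ip route replace installs or updates it without complaint. The script below is an added example, not Shorewall's own code. It parses a routes file in the three-column layout from the post (PROVIDER DEST GATEWAY, a constructed sample), parses constructed ip -4 route show table main output in which one of those routes was left behind, reports which adds would fail, and renders the equivalent replace commands. It compares routes by destination prefix only; the kernel also considers metric and tos when deciding whether an add collides.

```python
"""Check Shorewall-style /etc/shorewall/routes entries against the routes
already in the kernel and build idempotent 'ip route replace' commands.

Added example, not Shorewall code.  It assumes the three-column layout
PROVIDER DEST GATEWAY used in the post and compares routes by destination
prefix only (a simplification: the kernel also looks at metric and tos when
it decides whether an 'add' collides with an existing route).
"""
import re

# Constructed sample modelled on the post's /etc/shorewall/routes.
ROUTES_FILE = """\
#PROVIDER   DEST            GATEWAY
main        10.1.13.0/24    10.1.15.3
main        10.1.8.0/21     10.1.15.1
"""

# Constructed sample of 'ip -4 route show table main' taken after a stop
# that left one of the configured routes behind.
IP_ROUTE_SHOW = """\
default via 10.1.15.254 dev eth0
10.1.13.0/24 via 10.1.15.3 dev tun0
10.1.15.0/24 dev eth0 proto kernel scope link src 10.1.15.10
"""

# Table names the kernel resolves itself; 'main' is the 254 in the error line.
TABLE_IDS = {"local": 255, "main": 254, "default": 253}


def parse_routes_file(text):
    """Return [(provider, dest, gateway)] from non-comment, non-empty lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("expected PROVIDER DEST GATEWAY: %r" % raw)
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def parse_ip_route_show(text):
    """Return {prefix: gateway or None} from 'ip route show' output."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        via = re.search(r"\bvia (\S+)", line)
        routes[fields[0]] = via.group(1) if via else None
    return routes


def classify(entries, existing):
    """Map each configured DEST to what 'ip route add' would meet in the kernel.

    'absent'           -> add succeeds
    'present'          -> same prefix, same gateway: add fails with EEXIST
                          ("RTNETLINK answers: File exists"), replace is a no-op
    'present-other-gw' -> same prefix, different gateway: add fails, replace
                          swaps the gateway
    """
    result = {}
    for _provider, dest, gateway in entries:
        if dest not in existing:
            result[dest] = "absent"
        elif existing[dest] == gateway:
            result[dest] = "present"
        else:
            result[dest] = "present-other-gw"
    return result


def build_commands(entries, verb="replace"):
    """Render one 'ip -4 route <verb> ...' command per entry.

    'replace' is what makes a restart idempotent; 'add' reproduces the
    command quoted in the post's error message.
    """
    commands = []
    for provider, dest, gateway in entries:
        table = TABLE_IDS.get(provider, provider)
        commands.append("ip -4 route %s %s via %s table %s"
                        % (verb, dest, gateway, table))
    return commands


def adds_that_would_fail(entries, existing):
    """Destinations for which a plain 'ip route add' returns EEXIST."""
    return [dest for dest, state in classify(entries, existing).items()
            if state != "absent"]


if __name__ == "__main__":
    entries = parse_routes_file(ROUTES_FILE)
    existing = parse_ip_route_show(IP_ROUTE_SHOW)
    for dest, state in classify(entries, existing).items():
        print("%-16s %s" % (dest, state))
    for cmd in build_commands(entries):
        print(cmd)
```

Run against the constructed samples it reports 10.1.13.0/24 as present (the add that fails) and 10.1.8.0/21 as absent, and prints the replace form of both commands; feeding it real ip route show output from the box shows which leftover route is tripping the restart.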
------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
Thomas Schneider | 12 Apr 19:43 2016

Multiple ISP: Issues running apt update - routing rules issue?

Hello!

I get this error when starting apt update:
W: Fehlschlag beim Holen von http://repo.saltstack.com/apt/debian/8/amd64/latest/dists/jessie/Release.gpg  Verbindung mit repo.saltstack.com:80 kann nicht aufgebaut werden (2604:a880:400:d0::2:e001). - connect (101: Das Netzwerk ist nicht erreichbar) [IP: 2604:a880:400:d0::2:e001 80]

This error is reproducible and is reported for different URLs defined in /etc/apt/sources.list.

In my configuration I have 2 ISPs and 2 networks: loc and dmz
I want to ensure that all traffic from loc / dmz is routed to ISP #1 and traffic of another subnet 192.168.178.0/24 is routed to ISP #2.

With this configuration the error is reproducible:
root <at> pc4-svp:/etc/shorewall# cat interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     UMB_IF          -               optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
net     UMP_IF          -               optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
loc     INT_IF          -               dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
vpn     TUN_IF+         -               physical=tun+,ignore=1
dmz     DMZ_IF          -               dhcp,physical=$DMZ_IF,ignore=1,wait=5,routefilter,nets=10.1.0.0/24,routeback

root <at> pc4-svp:/etc/shorewall# cat rtrules
#SOURCE         DEST    PROVIDER        PRIORITY
&UMB_IF         -       um_business     1000
&UMP_IF         -       um_private      1000
&DMZ_IF         -       um_business     11000

#NAME           NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
um_business     1       0x10000 -               UMB_IF          detect          track,balance
um_private      2       0x20000 -               UMP_IF          192.168.1.1     track,balance

root <at> pc4-svp:/etc/shorewall# cat zones
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4            #Internet
fb:net  ipv4            #Fritz!Box6490 192.168.178.0/24
loc     ipv4            #Local Zone
vpn     ipv4            #OpenVPN Clients
dmz     ipv4            #LXC Containers

root <at> pc4-svp:/etc/shorewall# ip rule ls
0:      from all lookup local
999:    from all lookup main
1000:   from 217.8.50.86 lookup um_business
1000:   from 192.168.178.14 lookup um_private
10000:  from all fwmark 0x10000/0x30000 lookup um_business
10001:  from all fwmark 0x20000/0x30000 lookup um_private
11000:  from 10.1.0.1 lookup um_business
20000:  from 217.8.50.86 lookup um_business
20000:  from 192.168.178.14 lookup um_private
32765:  from all lookup balance
32767:  from all lookup default


With this configuration there are no issues with apt update, though.
But I'm not sure if traffic is routed to ISP #2.
root <at> pc4-svp:/etc/shorewall# cat providers
#NAME           NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY        OPTIONS          COPY
um_business     1       0x10000 -               UMB_IF          detect         loose
um_private      2       0x20000 -               UMP_IF          192.168.178.1  loose

root <at> pc4-svp:/etc/shorewall# ip rule ls
0:      from all lookup local
999:    from all lookup main
1000:   from 217.8.50.86 lookup um_business
1000:   from 192.168.178.14 lookup um_private
10000:  from all fwmark 0x10000/0x30000 lookup um_business
10001:  from all fwmark 0x20000/0x30000 lookup um_private
11000:  from 10.1.0.1 lookup um_business
32765:  from all lookup balance
32767:  from all lookup default

There's obviously a difference with routing affecting these lines:
20000:  from 217.8.50.86 lookup um_business
20000:  from 192.168.178.14 lookup um_private


Please advise on the correct configuration for providers, rtrules and interfaces.
I have attached the dump file for the erroneous configuration.

THX
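The two ip rule ls listings above differ only in the priority-20000 rules, and the question of whether 192.168.178.0/24 traffic reaches ISP #2 is really a question about which rules a given packet matches. The script below is an added example, not Shorewall code: it parses the first listing from the post (copied verbatim) and walks it the way the kernel does, in priority order, testing the from prefix and the fwmark/mask selector, and returns the sequence of tables a packet would consult. The probe packets (source addresses and marks) are constructed. Only the selectors that appear in the listing are modelled.

```python
"""Simulate the kernel's policy-routing rule walk over 'ip rule ls' output.

Added example, not Shorewall code.  The rule text is copied from the
post's first 'ip rule ls' listing; the packets below are constructed.
Only the 'from' and 'fwmark' selectors that appear in that listing are
modelled, and 'lookup' is the only action handled.
"""
import ipaddress
import re

IP_RULE_LS = """\
0:      from all lookup local
999:    from all lookup main
1000:   from 217.8.50.86 lookup um_business
1000:   from 192.168.178.14 lookup um_private
10000:  from all fwmark 0x10000/0x30000 lookup um_business
10001:  from all fwmark 0x20000/0x30000 lookup um_private
11000:  from 10.1.0.1 lookup um_business
20000:  from 217.8.50.86 lookup um_business
20000:  from 192.168.178.14 lookup um_private
32765:  from all lookup balance
32767:  from all lookup default
"""

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup (?P<table>\S+)\s*$"
)


def parse_rules(text):
    """Return rules as dicts sorted by priority, as the kernel evaluates them."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unhandled rule syntax: %r" % line)
        src = m.group("src")
        rules.append({
            "prio": int(m.group("prio")),
            # 'from all' is the kernel's rendering of 0.0.0.0/0; a bare
            # address such as 217.8.50.86 is a /32
            "src": ipaddress.ip_network("0.0.0.0/0" if src == "all" else src),
            "mark": int(m.group("mark"), 16) if m.group("mark") else None,
            # no explicit mask means the whole mark must match
            "mask": int(m.group("mask"), 16) if m.group("mask") else 0xFFFFFFFF,
            "table": m.group("table"),
        })
    rules.sort(key=lambda r: r["prio"])  # stable: equal priorities keep order
    return rules


def rule_matches(rule, src_ip, fwmark):
    """True when both selectors of the rule accept the packet."""
    if ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    if rule["mark"] is not None and (fwmark & rule["mask"]) != rule["mark"]:
        return False
    return True


def tables_consulted(rules, src_ip, fwmark=0):
    """Tables the kernel would try, in order, for a packet with this source
    and mark.  The real walk stops at the first table that yields a route;
    the whole candidate sequence is returned so each rule's effect is visible.
    """
    return [r["table"] for r in rules if rule_matches(r, src_ip, fwmark)]


if __name__ == "__main__":
    rules = parse_rules(IP_RULE_LS)
    for src, mark in [("10.0.0.5", 0), ("192.168.178.14", 0),
                      ("192.168.178.50", 0), ("192.168.178.50", 0x20000)]:
        print("%-16s mark=%#07x -> %s"
              % (src, mark, tables_consulted(rules, src, mark)))
```

The walk makes the point visible: a from 192.168.178.14 rule matches only packets whose source is that single address (the firewall's own address on that interface), so a packet from any other host in 192.168.178.0/24 that carries no mark is matched by nothing between main and balance and ends up wherever main or the balance table sends it. Only a packet carrying the 0x20000 mark is steered into um_private by the fwmark rule at 10001.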
Shorewall 5.0.7.2 Dump at pc4-svp - Di 12. Apr 19:42:21 CEST 2016

Shorewall is running
State:Started (Di 12. Apr 19:38:18 CEST 2016) from /etc/shorewall/ (/var/lib/shorewall/firewall compiled by Shorewall version 5.0.7.2)

Counters reset Di 12. Apr 19:38:22 CEST 2016

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  848 45628 UMP_IF_in  all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0           
  403  143K UMB_IF_in  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
  513 94184 INT_IF_in  all  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 vpn-fw     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    4   304 DMZ_IF_in  all  --  vmbr1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 UMP_IF_fwd  all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0           
  209  312K UMB_IF_fwd  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
  271 22111 INT_IF_fwd  all  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 vpn_frwd   all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DMZ_IF_fwd  all  --  vmbr1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  839  512K ACCEPT     all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0           
    5   350 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
  514 26900 INT_IF_out  all  --  *      vmbr0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
    4   304 DMZ_IF_out  all  --  *      vmbr1   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Broadcast (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   783 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    2    72 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

Chain DMZ_IF_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 dmz_frwd   all  --  *      *       10.1.0.0/24          0.0.0.0/0           

Chain DMZ_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   304 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0              0.0.0.0/0            udp dpts:67:68
    4   304 dmz-fw     all  --  *      *       10.1.0.0/24          0.0.0.0/0           

Chain DMZ_IF_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    4   304 ACCEPT     all  --  *      *       0.0.0.0/0            10.1.0.0/24         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4         

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain INT_IF_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  127  7612 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  179 16429 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  271 22111 loc_frwd   all  --  *      *       10.0.0.0/24          0.0.0.0/0           

Chain INT_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   228 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
  510 93956 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0              0.0.0.0/0            udp dpts:67:68
  513 94184 ~comb1     all  --  *      *       10.0.0.0/24          0.0.0.0/0           

Chain INT_IF_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
  514 26900 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.0/24         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4         

Chain Reject (10 references)
 pkts bytes target     prot opt in     out     source               destination         
   10   855            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   10   855 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain UMB_IF_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 sfilter    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  186  310K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  209  312K net_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UMB_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  398  142K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  398  142K smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  398  142K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   715 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UMP_IF_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       192.168.178.0/24       0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       192.168.178.0/24       0.0.0.0/0           
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 fb_frwd    all  --  *      *       192.168.178.0/24       0.0.0.0/0           
    0     0 net_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UMP_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   323 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    3   323 smurfs     all  --  *      *       192.168.178.0/24       0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    3   323 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  842 44876 tcpflags   tcp  --  *      *       192.168.178.0/24       0.0.0.0/0           
  842 44876 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  845 45199 ~comb1     all  --  *      *       192.168.178.0/24       0.0.0.0/0           
    3   429 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain all-all (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    6   551 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:all-all:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-all (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 4505,4506
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4   304 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.3             tcp dpt:3306
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            130.89.148.12        tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            195.20.242.89        tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            87.230.23.19         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            198.199.77.106       tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            134.109.228.1        tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            212.211.132.250      tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            129.143.116.113      tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dmz-all    all  --  *      vmbr2   0.0.0.0/0            192.168.178.0/24      
    0     0 dmz-net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 dmz-net    all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0           
    0     0 dmz-loc    all  --  *      vmbr0   0.0.0.0/0            10.0.0.0/24         
    0     0 dmz-loc    all  --  *      vmbr0   0.0.0.0/0            224.0.0.0/4         
    0     0 dmz-all    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24         

Chain dynamic (10 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fb-net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 /* HTTP, HTTPS */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.178.121        0.0.0.0/0            tcp dpt:5938
    0     0 ACCEPT     tcp  --  *      *       192.168.178.48         0.0.0.0/0            tcp dpt:5938
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain fb_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 fb-net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 fb-net     all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0           
    0     0 all-all    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24         
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            224.0.0.0/4         

Chain loc-net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  144 14499 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   41  2316 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,143 /* HTTP, HTTPS, IMAP */
   86  5296 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  206 18199 loc-net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   65  3912 loc-net    all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      vmbr0   0.0.0.0/0            10.0.0.0/24         
    0     0 all-all    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24         
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            224.0.0.0/4         

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logflags (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-all (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:net-all:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 143,25,80,443,465,587,993
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.1.0.4             tcp dpt:25 limit: avg 5/sec burst 10
    0     0 net-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain net-fw (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  1144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 net-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain net-loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  209  312K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.0.0.2             multiport dports 80,443 limit: avg 5/sec burst 10
    0     0 net-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain net_frwd (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ~comb2     all  --  *      vmbr2   0.0.0.0/0            192.168.178.0/24      
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0           
  209  312K net-loc    all  --  *      vmbr0   0.0.0.0/0            10.0.0.0/24         
    0     0 net-loc    all  --  *      vmbr0   0.0.0.0/0            224.0.0.0/4         
    0     0 ~comb2     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
    0     0 net-dmz    all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24         
    0     0 net-dmz    all  --  *      vmbr1   0.0.0.0/0            224.0.0.0/4         

Chain reject (19 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain sfilter (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain sha-lh-84e08b4e577470aa2970 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain sha-rh-1a7812a8b4ea32446117 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0           
    0     0 smurflog   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
    0     0 smurflog   all  --  *      *       224.0.0.0/4          0.0.0.0/0           [goto] 

Chain tcpflags (12 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x05/0x05
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x19/0x09
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02

Chain vpn-dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 143,25,80,443,465,587,993
    0     0 all-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain vpn-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 all-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain vpn_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 sfilter    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 all-all    all  --  *      vmbr0   0.0.0.0/0            10.0.0.0/24         
    0     0 all-all    all  --  *      vmbr0   0.0.0.0/0            224.0.0.0/4         
    0     0 vpn-dmz    all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24         
    0     0 vpn-dmz    all  --  *      vmbr1   0.0.0.0/0            224.0.0.0/4         

Chain ~comb0 (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 143,25,80,443,465,587,993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:2200:2299
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain ~comb1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1352  139K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2214
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8006
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443,5900:5999
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 4505,4506
    6   551 all-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain ~comb2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 net-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Log (/var/log/messages)

Apr 12 17:56:40 net-all:DROP:IN=eth0 OUT= SRC=79.77.31.179 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=8148 DF PROTO=TCP SPT=33355 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 17:56:41 net-all:DROP:IN=eth0 OUT= SRC=79.77.31.179 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=8149 DF PROTO=TCP SPT=33355 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 17:59:10 net-all:DROP:IN=eth0 OUT= SRC=189.205.45.66 DST=217.8.50.86 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=52484 DF PROTO=TCP SPT=53154 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 17:59:13 net-all:DROP:IN=eth0 OUT= SRC=189.205.45.66 DST=217.8.50.86 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=52485 DF PROTO=TCP SPT=53154 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:00:07 net-all:DROP:IN=eth0 OUT= SRC=124.113.226.94 DST=217.8.50.86 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=28697 DF PROTO=TCP SPT=39284 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:00:08 net-all:DROP:IN=eth0 OUT= SRC=124.113.226.94 DST=217.8.50.86 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=28698 DF PROTO=TCP SPT=39284 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:00:10 net-all:DROP:IN=eth0 OUT= SRC=124.113.226.94 DST=217.8.50.86 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=28699 DF PROTO=TCP SPT=39284 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:00:15 net-all:DROP:IN=eth0 OUT= SRC=124.107.125.208 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=30172 DF PROTO=TCP SPT=37415 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:00:21 net-all:DROP:IN=eth0 OUT= SRC=124.107.125.208 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=30173 DF PROTO=TCP SPT=37415 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:21:30 net-all:DROP:IN=eth0 OUT= SRC=104.171.122.176 DST=217.8.50.86 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=19790 PROTO=TCP SPT=58143 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:26:15 net-all:DROP:IN=eth0 OUT= SRC=192.96.201.142 DST=217.8.50.86 LEN=439 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=5126 DPT=5060 LEN=419 MARK=0x10000 
Apr 12 18:26:51 net-all:DROP:IN=eth0 OUT= SRC=82.81.29.7 DST=217.8.50.86 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=4663 DF PROTO=TCP SPT=57315 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:26:54 net-all:DROP:IN=eth0 OUT= SRC=82.81.29.7 DST=217.8.50.86 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=4664 DF PROTO=TCP SPT=57315 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 18:50:19 net-all:DROP:IN=eth0 OUT= SRC=180.140.191.206 DST=217.8.50.86 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=54321 PROTO=TCP SPT=52129 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0 
Apr 12 19:07:59 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.48 DST=192.168.178.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58814 DF PROTO=TCP SPT=58074 DPT=9000 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x20000 
Apr 12 19:11:32 net-all:DROP:IN=eth0 OUT= SRC=114.31.6.250 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=16188 DF PROTO=TCP SPT=48039 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 19:11:33 net-all:DROP:IN=eth0 OUT= SRC=114.31.6.250 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=16189 DF PROTO=TCP SPT=48039 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 19:11:34 net-all:DROP:IN=eth0 OUT= SRC=114.31.6.250 DST=217.8.50.86 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=16190 DF PROTO=TCP SPT=48039 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 19:13:11 net-all:DROP:IN=eth0 OUT= SRC=141.212.122.121 DST=217.8.50.86 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=44472 DPT=995 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10000 
Apr 12 19:13:11 net-all:DROP:IN=eth0 OUT= SRC=141.212.122.120 DST=217.8.50.86 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=49644 DPT=995 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10000 

NAT Table

Chain PREROUTING (policy ACCEPT 53 packets, 3130 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 UPnP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   11   684 UPnP       all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0           
   11   684 RETURN     all  --  vmbr2  *       192.168.178.0/24       0.0.0.0/0           
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 net_dnat   all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1092 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 40 packets, 2602 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   22  1286 UMB_IF_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain UMB_IF_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   17   936 SNAT       all  --  *      *       10.0.0.0/24          0.0.0.0/0            to:217.8.50.86
    0     0 SNAT       all  --  *      *       10.1.0.0/24          0.0.0.0/0            to:217.8.50.86

Chain UPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 to:10.0.0.2
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.1.0.4

Mangle Table

Chain PREROUTING (policy ACCEPT 2256 packets, 618K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2256  618K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0x30000
   22  2620 routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000
   14  1113 routemark  all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000

Chain INPUT (policy ACCEPT 1768 packets, 283K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 480 packets, 334K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  480  334K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xfffcffff

Chain OUTPUT (policy ACCEPT 1362 packets, 539K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1362  539K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0x30000

Chain POSTROUTING (policy ACCEPT 1849 packets, 874K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  2620 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x10000/0x30000
   14  1113 MARK       all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x20000/0x30000
   36  3733 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0x30000 CONNMARK save mask 0x30000

Raw Table

Chain PREROUTING (policy ACCEPT 2304 packets, 623K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Chain OUTPUT (policy ACCEPT 1384 packets, 553K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Conntrack Table (12 out of 262144)

tcp      6 431999 ESTABLISHED src=192.168.178.48 dst=192.168.178.14 sport=35368 dport=2214 src=192.168.178.14 dst=192.168.178.48 sport=2214 dport=35368 [ASSURED] mark=131072 use=1
udp      17 29 src=10.120.192.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=10.120.192.1 sport=68 dport=67 mark=65536 use=1
tcp      6 16 SYN_SENT src=10.0.0.2 dst=107.191.106.50 sport=36678 dport=80 [UNREPLIED] src=107.191.106.50 dst=10.0.0.2 sport=80 dport=36678 mark=0 use=1
udp      17 16 src=192.168.178.14 dst=78.42.43.41 sport=47533 dport=53 src=78.42.43.41 dst=192.168.178.14 sport=53 dport=47533 mark=131072 use=1
tcp      6 427269 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=44614 dport=2200 src=10.0.0.2 dst=10.0.0.1 sport=2200 dport=44614 [ASSURED] mark=0 use=1
udp      17 18 src=10.0.0.2 dst=78.42.43.41 sport=56874 dport=53 [UNREPLIED] src=78.42.43.41 dst=10.0.0.2 sport=53 dport=56874 mark=0 use=1
udp      17 18 src=10.0.0.2 dst=78.42.43.41 sport=60875 dport=53 src=78.42.43.41 dst=217.8.50.86 sport=53 dport=60875 mark=65536 use=1
udp      17 13 src=10.0.0.2 dst=82.212.62.41 sport=46404 dport=53 src=82.212.62.41 dst=217.8.50.86 sport=53 dport=46404 [ASSURED] mark=65536 use=1
tcp      6 431956 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=44370 dport=2200 src=10.0.0.2 dst=10.0.0.1 sport=2200 dport=44370 [ASSURED] mark=0 use=1
udp      17 0 src=10.1.0.1 dst=10.1.0.255 sport=123 dport=123 [UNREPLIED] src=10.1.0.255 dst=10.1.0.1 sport=123 dport=123 mark=0 use=1
udp      17 16 src=217.8.50.86 dst=78.42.43.41 sport=43099 dport=53 src=78.42.43.41 dst=217.8.50.86 sport=53 dport=43099 mark=65536 use=1
udp      17 8 src=10.0.0.2 dst=78.42.43.41 sport=39152 dport=53 src=78.42.43.41 dst=217.8.50.86 sport=53 dport=39152 [ASSURED] mark=65536 use=1

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 217.8.50.86/26 brd 255.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
       valid_lft forever preferred_lft forever
6: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    inet 10.1.0.1/24 brd 10.0.0.255 scope global vmbr1
       valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 192.168.178.14/24 brd 192.168.178.255 scope global vmbr2
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    107464032  112463   0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    107464032  112463   0       0       0       0       
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 74:d4:35:1a:f6:0f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    1515383842 15540239 0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    8955434    113552   0       0       0       0       
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master vmbr1 state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0       
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UP mode DEFAULT group default qlen 1000
    link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    296192291  1296313  0       0       0       158902  
    TX: bytes  packets  errors  dropped carrier collsns 
    570411952  1128834  0       0       0       0       
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether fe:07:04:d6:d7:6a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    11313589   140440   0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    239101298  194781   0       0       0       0       
6: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0       
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    168977735  1119930  0       291276  0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    199453233  292637   0       0       0       0       
10: tap121i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN mode DEFAULT group default qlen 500
    link/ether de:fc:9f:35:8c:05 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    361304333  769532   0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    185144022  871114   0       0       0       0       
20: veth100i0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP mode DEFAULT group default qlen 1000
    link/ether fe:07:04:d6:d7:6a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast   
    8484386    91852    0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    140680379  116576   0       0       0       0       

Bridges

bridge name	bridge id		STP enabled	interfaces
vmbr0		8000.fe0704d6d76a	no		veth100i0
vmbr1		8000.001517919cb8	no		eth1
vmbr2		8000.001517919cb9	no		eth2
							tap121i0

Routing Rules

0:	from all lookup local 
999:	from all lookup main 
1000:	from 217.8.50.86 lookup um_business 
1000:	from 192.168.178.14 lookup um_private 
10000:	from all fwmark 0x10000/0x30000 lookup um_business 
10001:	from all fwmark 0x20000/0x30000 lookup um_private 
11000:	from 10.1.0.1 lookup um_business 
20000:	from 217.8.50.86 lookup um_business 
20000:	from 192.168.178.14 lookup um_private 
32765:	from all lookup balance 
32767:	from all lookup default 

Table balance:

default nexthop via 217.8.50.65 dev eth0 weight 1 nexthop via 192.168.178.1 dev vmbr2 weight 1

Table default:


Table local:

local 217.8.50.86 dev eth0 proto kernel scope host src 217.8.50.86
local 192.168.178.14 dev vmbr2 proto kernel scope host src 192.168.178.14
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.0.1 dev vmbr1 proto kernel scope host src 10.1.0.1
local 10.0.0.1 dev vmbr0 proto kernel scope host src 10.0.0.1
broadcast 217.8.50.64 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 217.8.50.127 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 192.168.178.255 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 192.168.178.0 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
broadcast 10.1.0.0 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
broadcast 10.0.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
broadcast 10.0.0.255 dev vmbr0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev vmbr0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

217.8.50.65 dev eth0 scope link src 217.8.50.86
192.168.178.1 dev vmbr2 scope link src 192.168.178.14
217.8.50.64/26 dev eth0 proto kernel scope link src 217.8.50.86
192.168.178.0/24 dev vmbr2 proto kernel scope link src 192.168.178.14
10.1.0.0/24 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
blackhole 192.168.0.0/16
blackhole 172.16.0.0/12
blackhole 10.0.0.0/8

Table um_business:

217.8.50.65 dev eth0 scope link src 217.8.50.86
default via 217.8.50.65 dev eth0 src 217.8.50.86

Table um_private:

192.168.178.1 dev vmbr2 scope link src 192.168.178.14
default via 192.168.178.1 dev vmbr2 src 192.168.178.14

Per-IP Counters

   iptaccount is not installed

NF Accounting



Events


/proc

   /proc/version = Linux version 4.2.8-1-pve (root@elsa) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Sat Mar 19 10:44:29 CET 2016
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 1
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/log_martians = 1
   /proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth2/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth2/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/tap121i0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/tap121i0/arp_filter = 0
   /proc/sys/net/ipv4/conf/tap121i0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/tap121i0/rp_filter = 0
   /proc/sys/net/ipv4/conf/tap121i0/log_martians = 1
   /proc/sys/net/ipv4/conf/veth100i0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/veth100i0/arp_filter = 0
   /proc/sys/net/ipv4/conf/veth100i0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/veth100i0/rp_filter = 0
   /proc/sys/net/ipv4/conf/veth100i0/log_martians = 1
   /proc/sys/net/ipv4/conf/vmbr0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/vmbr0/arp_filter = 0
   /proc/sys/net/ipv4/conf/vmbr0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/vmbr0/rp_filter = 1
   /proc/sys/net/ipv4/conf/vmbr0/log_martians = 1
   /proc/sys/net/ipv4/conf/vmbr1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/vmbr1/arp_filter = 0
   /proc/sys/net/ipv4/conf/vmbr1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/vmbr1/rp_filter = 1
   /proc/sys/net/ipv4/conf/vmbr1/log_martians = 1
   /proc/sys/net/ipv4/conf/vmbr2/proxy_arp = 0
   /proc/sys/net/ipv4/conf/vmbr2/arp_filter = 0
   /proc/sys/net/ipv4/conf/vmbr2/arp_ignore = 1
   /proc/sys/net/ipv4/conf/vmbr2/rp_filter = 0
   /proc/sys/net/ipv4/conf/vmbr2/log_martians = 1

ARP

? (192.168.178.1) at c8:0e:14:de:97:70 [ether] on vmbr2
? (192.168.178.44) at <incomplete> on vmbr2
? (192.168.178.53) at <incomplete> on vmbr2
? (217.8.50.65) at 00:01:5c:23:8e:01 [ether] on eth0
? (10.1.0.4) at <incomplete> on vmbr1
? (10.0.0.2) at 66:37:62:61:62:62 [ether] on vmbr0
? (192.168.178.48) at 58:94:6b:a4:2a:cc [ether] on vmbr2

Modules

ip_set                 45056  2 ip_set_hash_ip,xt_set
ip_set_hash_ip         32768  0 
iptable_filter         16384  1 
iptable_mangle         16384  1 
iptable_nat            16384  1 
iptable_raw            16384  1 
ip_tables              28672  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_MASQUERADE         16384  0 
ipt_REJECT             16384  4 
ipt_rpfilter           16384  0 
nf_conntrack          106496  32 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda    16384  3 nf_nat_amanda
nf_conntrack_broadcast    16384  2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp       20480  3 nf_nat_ftp
nf_conntrack_h323      77824  5 nf_nat_h323
nf_conntrack_ipv4      20480  67 
nf_conntrack_irc       16384  3 nf_nat_irc
nf_conntrack_netbios_ns    16384  2 
nf_conntrack_netlink    36864  0 
nf_conntrack_pptp      20480  3 nf_nat_pptp
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_conntrack_proto_sctp    20480  0 
nf_conntrack_proto_udplite    16384  0 
nf_conntrack_sane      16384  2 
nf_conntrack_sip       28672  3 nf_nat_sip
nf_conntrack_snmp      16384  3 nf_nat_snmp_basic
nf_conntrack_tftp      16384  3 nf_nat_tftp
nf_defrag_ipv4         16384  2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6         36864  1 xt_TPROXY
nf_log_common          16384  1 nf_log_ipv4
nf_log_ipv4            16384  7 
nf_nat                 24576  11 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_nat_amanda          16384  0 
nf_nat_ftp             16384  0 
nf_nat_h323            20480  0 
nf_nat_ipv4            16384  1 iptable_nat
nf_nat_irc             16384  0 
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
nf_nat_pptp            16384  0 
nf_nat_proto_gre       16384  1 nf_nat_pptp
nf_nat_sip             20480  0 
nf_nat_snmp_basic      20480  0 
nf_nat_tftp            16384  0 
nf_reject_ipv4         16384  1 ipt_REJECT
xt_addrtype            16384  5 
xt_AUDIT               16384  0 
xt_CHECKSUM            16384  0 
xt_CLASSIFY            16384  0 
xt_comment             16384  27 
xt_connlimit           16384  0 
xt_connmark            16384  3 
xt_conntrack           16384  41 
xt_CT                  16384  22 
xt_dscp                16384  0 
xt_DSCP                16384  0 
xt_hashlimit           20480  0 
xt_helper              16384  0 
xt_iprange             16384  0 
xt_length              16384  0 
xt_limit               16384  2 
xt_LOG                 16384  7 
xt_mark                16384  6 
xt_multiport           16384  14 
xt_nat                 16384  4 
xt_nfacct              16384  0 
xt_NFLOG               16384  0 
xt_NFQUEUE             16384  0 
xt_owner               16384  0 
xt_physdev             16384  0 
xt_pkttype             16384  0 
xt_policy              16384  0 
xt_realm               16384  0 
xt_recent              20480  1 
xt_set                 16384  0 
xt_statistic           16384  0 
xt_tcpmss              16384  0 
xt_TCPMSS              16384  0 
xt_tcpudp              16384  69 
xt_time                16384  0 
xt_TPROXY              20480  0 

Shorewall has detected the following iptables/netfilter capabilities:
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF (ARPTABLESJF): Not available
   AUDIT Target (AUDIT_TARGET): Available
   Basic Ematch (BASIC_EMATCH): Available
   Basic Filter (BASIC_FILTER): Available
   Capabilities Version (CAPVERSION): 50004
   Checksum Target (CHECKSUM_TARGET): Available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Connmark Match (CONNMARK_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   CT Target (CT_TARGET): Available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended MARK Target (XMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP-0 Helper: Not available
   FTP Helper: Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Geo IP Match (GEOIP_MATCH): Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Available
   Iface Match (IFACE_MATCH): Not available
   IMQ Target (IMQ_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IP range Match(IPRANGE_MATCH): Available
   Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
   Ipset Match (IPSET_MATCH): Available
   Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
   ipset V5 (IPSET_V5): Available
   iptables -S (IPTABLES_S): Available
   iptables --wait option (WAIT_OPTION): Available
   IRC-0 Helper: Not available
   IRC Helper: Available
   Kernel Version (KERNELVERSION): 40208
   LOGMARK Target (LOGMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in the filter table (MARK_ANYWHERE): Available
   MARK Target (MARK): Available
   MASQUERADE Target (MASQUERADE_TGT): Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   Netbios_ns Helper: Available
   New tos Match (NEW_TOS_MATCH): Available
   NFAcct Match: Available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   Packet length Match (LENGTH_MATCH): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet Type Match (USEPKTTYPE): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Policy Match (POLICY_MATCH): Available
   PPTP Helper: Available
   Rawpost Table (RAWPOST_TABLE): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Available
   Recent Match "--reap" option (REAP_OPTION): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Available
   RPFilter Match (RPFILTER_MATCH): Available
   SANE-0 Helper: Not available
   SANE Helper: Available
   SIP-0 Helper: Not available
   SIP Helper: Available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Available
   TARPIT Target (TARPIT_TARGET): Not available
   TCPMSS Match (TCPMSS_MATCH): Available
   TCPMSS Target (TCPMSS_TARGET): Available
   TFTP-0 Helper: Not available
   TFTP Helper: Available
   Time Match (TIME_MATCH): Available
   TPROXY Target (TPROXY_TARGET): Available
   UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
   ULOG Target (ULOG_TARGET): Not available

Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
udp    UNCONN     0      0         *:799                   *:*                   users:(("rpcbind",pid=1059,fd=7))
udp    UNCONN     0      0      127.0.0.1:895                   *:*                   users:(("rpc.statd",pid=1143,fd=5))
udp    UNCONN     0      0         *:46241                 *:*                   users:(("rpc.statd",pid=1143,fd=8))
udp    UNCONN     0      0         *:60489                 *:*                   users:(("systemd-timesyn",pid=494,fd=13))
udp    UNCONN     0      0         *:23852                 *:*                   users:(("dhclient",pid=552,fd=20))
udp    UNCONN     0      0         *:68                    *:*                   users:(("dhclient",pid=552,fd=6))
udp    UNCONN     0      0         *:111                   *:*                   users:(("rpcbind",pid=1059,fd=6))
udp    UNCONN     0      0      192.168.178.14:123                   *:*                   users:(("ntpd",pid=4032,fd=22))
udp    UNCONN     0      0      10.1.0.1:123                   *:*                   users:(("ntpd",pid=4032,fd=21))
udp    UNCONN     0      0      10.0.0.1:123                   *:*                   users:(("ntpd",pid=4032,fd=20))
udp    UNCONN     0      0      217.8.50.86:123                   *:*                   users:(("ntpd",pid=4032,fd=19))
udp    UNCONN     0      0      127.0.0.1:123                   *:*                   users:(("ntpd",pid=4032,fd=18))
udp    UNCONN     0      0         *:123                   *:*                   users:(("ntpd",pid=4032,fd=16))
tcp    LISTEN     0      128       *:3128                  *:*                   users:(("spiceproxy work",pid=8821,fd=6),("spiceproxy",pid=8820,fd=6))
tcp    LISTEN     0      100    10.0.0.1:4505                  *:*                   users:(("salt-master",pid=1828,fd=14))
tcp    LISTEN     0      100    127.0.0.1:25                    *:*                   users:(("master",pid=1595,fd=12))
tcp    LISTEN     0      100    10.0.0.1:4506                  *:*                   users:(("salt-master",pid=1836,fd=22))
tcp    LISTEN     0      128       *:57244                 *:*                   users:(("rpc.statd",pid=1143,fd=9))
tcp    LISTEN     0      128       *:8006                  *:*                   users:(("pveproxy worker",pid=27451,fd=6),("pveproxy worker",pid=24041,fd=6),("pveproxy worker",pid=21022,fd=6),("pveproxy",pid=8805,fd=6))
tcp    LISTEN     0      128       *:2214                  *:*                   users:(("sshd",pid=1229,fd=3))
tcp    LISTEN     0      128       *:111                   *:*                   users:(("rpcbind",pid=1059,fd=8))
tcp    LISTEN     0      5      127.0.0.1:7634                  *:*                   users:(("hddtemp",pid=1398,fd=0))
tcp    LISTEN     0      128    127.0.0.1:85                    *:*                   users:(("pvedaemon worke",pid=18579,fd=6),("pvedaemon worke",pid=11267,fd=6),("pvedaemon worke",pid=7405,fd=6),("pvedaemon",pid=1807,fd=6))
tcp    ESTAB      0      0      10.0.0.1:44614              10.0.0.2:2200                users:(("ssh",pid=10089,fd=3))
tcp    ESTAB      0      0      192.168.178.14:2214               192.168.178.48:35368               users:(("sshd",pid=25823,fd=3),("sshd",pid=25816,fd=3))
tcp    ESTAB      0      0      10.0.0.1:44370              10.0.0.2:2200                users:(("ssh",pid=22258,fd=3))

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 8484390 bytes 113552 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 565101576 bytes 1128834 pkt (dropped 0, overlimits 0 requeues 45) 
 backlog 0b 0p requeues 45 


Device tap121i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 185144022 bytes 871114 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Device veth100i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 142175741 bytes 139233 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 



TC Filters

Device eth0:

Device eth1:

Device eth2:

Device tap121i0:

Device veth100i0:

Farkas Levente | 12 Apr 18:13 2016

shorewall reload no longer works

Hi,
I just upgraded my setup from 4.6.13-5 to 5.0.7-2. I've got a
shorewall-lite setup where all servers' configs are located on my workstation
and all servers only have shorewall-lite. Now that I have upgraded the config
files I'd like to reload them into the first server. Until now I used
to do it with:

/sbin/shorewall reload -s -c -T server.name

but it no longer works since I get:

ERROR: Ordinary users may not reload the /etc/shorewall configuration

So what is the current recommended way to populate the new configs onto
the servers?
Thanks.
Regards.

--

-- 
  Levente                               "Si vis pacem para bellum!"

Farkas Levente | 12 Apr 18:36 2016

docker rules

Hi,
I see now Shorewall supports Docker and I read the docs:
http://shorewall.net/Docker.html
After I installed it and compared the generated iptables rules, the
differences:
- Shorewall creates more rules than what Docker itself adds. Are all
the rules really required?

- After I stop Docker, use the Shorewall-generated rules and start
Docker again, it adds one more rule (so probably the others are enough to use
Docker). But shouldn't this rule have to be added by Shorewall?
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

- Without really trying to understand all rules, the main difference is that
Shorewall accepts and masquerades all port 80 and 443 connections to the Docker
network. Is it by design? Since by default Docker does not create such rules.

Regards.

--

-- 
  Levente                               "Si vis pacem para bellum!"
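Comparing the rule set a firewall generator produces with the one Docker installs itself is easiest done chain by chain on iptables-save output, where counters, spacing and quoting would otherwise hide the real differences. The following Python tool is an added example, not code from the original post or from Shorewall or Docker; the two rule sets embedded in it are constructed samples (one contains the RELATED,ESTABLISHED rule quoted above, the other omits it and adds a port 80/443 ACCEPT rule), not real generated output.

```python
"""Chain-by-chain comparison of two iptables rule sets in iptables-save format.

Added example: the two rule sets below are constructed samples and are not
Shorewall's or Docker's real generated output.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: a subset of what iptables-save shows on a Docker host.
DOCKER_RULES = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""

# Constructed sample of a firewall-generated rule set saved with counters
# (iptables-save -c): the RELATED,ESTABLISHED rule is missing and a
# port 80/443 ACCEPT rule has been added.
FIREWALL_RULES = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
[12:840] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[3:180] -A FORWARD -i eth0 -o docker0 -p tcp -m multiport --dports 80,443 -m comment --comment "web to docker" -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""

COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*")


def parse_rules(text):
    """Return {(table, chain): [rule, ...]}, keeping per-chain rule order.

    Packet/byte counters are stripped and each rule is re-tokenised with
    shlex so that whitespace and quoting differences do not show up as
    diffs. Chains declared with ':' but holding no rules are kept as empty
    lists so the caller can compare the set of chains as well.
    """
    rules = defaultdict(list)
    table = None
    for raw in text.splitlines():
        line = COUNTER_RE.sub("", raw.strip())
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table is None:
            raise ValueError("line outside a *table section: %r" % raw)
        if line.startswith(":"):
            rules.setdefault((table, line[1:].split()[0]), [])
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            raise ValueError("unsupported line: %r" % raw)
        rules[(table, tokens[1])].append(" ".join(tokens[2:]))
    return dict(rules)


def diff_rules(a, b):
    """Return (only_in_a, only_in_b) as lists of (table, chain, rule).

    Rules are matched as multisets within each (table, chain), so a pure
    reordering of a chain is not reported; a rule present twice in one set
    and once in the other is reported once.
    """
    only_a, only_b = [], []
    for key in sorted(set(a) | set(b)):
        left = list(a.get(key, []))
        right = list(b.get(key, []))
        for rule in list(left):
            if rule in right:
                left.remove(rule)
                right.remove(rule)
        only_a.extend((key[0], key[1], r) for r in left)
        only_b.extend((key[0], key[1], r) for r in right)
    return only_a, only_b


def main():
    only_docker, only_fw = diff_rules(parse_rules(DOCKER_RULES),
                                      parse_rules(FIREWALL_RULES))
    for label, entries in (("only in the Docker rule set", only_docker),
                           ("only in the firewall rule set", only_fw)):
        print(label)
        for table, chain, rule in entries:
            print("  %s/%s: %s" % (table, chain, rule))


if __name__ == "__main__":
    main()
```

Run against two real dumps (`iptables-save -c` before and after starting the firewall), the report lists the conntrack rule as present only in the Docker set and the port 80/443 rule as present only in the firewall set; ordering within a chain is deliberately ignored, so a rule that merely moved is not flagged, which is the usual question when deciding whether a generated rule set is a superset of what Docker needs.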

matt darfeuille | 10 Apr 16:10 2016

questions

Hi,

I have some questions/requests!:

Could it be possible to specify a tag (logger -t <tag> -p ...) to 
logger?:
That way it would be easier to identify in the log when, for example, 
shorewall-lite was started by shorewall-init (the 'logger -t' default 
value (current user) wouldn't be used)!

Is there any reason why shorewall-lite does not support, for example, 
the refresh command?:
The reason I'm asking is that in the dhcp article on shorewall.org 
the refresh command needs to be executed when the dhcp client is 
bound.
What I use now is a function in lib.private:
refresh_private(){ ${VARDIR}/firewall refresh; }

Or is there a better way to refresh shorewall-lite?

I have a variable in my params file that, if set, will enable some 
rules in the rules file using if..endif, and I'd like to be reminded 
that those rules are enabled when shorewall starts, restarts...
Could a '?INFO' and a '?WARNING' directive be created/used, or is 
there already such a way to print an arbitrary message, and could that 
message optionally be logged?

I build shorewall from git on cygwin and also use cygwin as an 
administrative system on Windows, which is case-insensitive.
Could a .deprecated extension be used when the case of a file is 
changed (I understand that would also require modifying shorewall to 
look for a .deprecated extension if a macro with the given name is 
not found)?
E.g.: 
macro.SNMPTrap to macro.SNMPTrap.deprecated
action.A_rEJECT to action.A_rEJECT.deprecated

In other words, could a naming convention be used that is 
cross-platform?

Out of curiosity, is there any reason why build50 couldn't be used to 
build non-5.0 versions of shorewall (assuming that build50 would be 
slightly modified to allow building non-5.0 versions)?

I suggest adding some improvements to build50:
- Remove *.bak and *.diff even if -t is not given.
- Remove bashism.
- Use plumbing git command instead of porcelain one!
- Use git show-ref instead of accessing files under the .git 
directory.
- Modify the usage function and the comments usage.
- Allow build of tag ending in -[bB]ase.

Attached as build50-4.patch

The format specifier for the date command needs to be changed from %d 
to %e in the timestamp variable in the function startup_error in the 
compiled firewall script!

The gpg key used to sign git tags/commits has expired!

-Matt

-------------- Enclosure number 1 ----------------
 * This message contains the file 'build50-4.patch', which has been
 * uuencoded. If you are using Pegasus Mail, then you can use
 * the browser's eXtract function to lift the original contents
 * out to a file, otherwise you will have to extract the message
 * and uudecode it manually.

begin 660 build50-4.patch
M1G)O;2`W93<P86$S93 <at> Y,64P-F)E,SAA93(Q83DT96-C-6)F.#DQ8V,P.&1E
M($UO;B!397` <at> ,3< <at> ,#`Z,#`Z,#` <at> ,C`P,0I&<F]M.B!-871T($1A<F9E=6EL
M;&4 <at> /&UA=&1A<F9`9VUA:6PN8V]M/ <at> I$871E.B!4=64L(#4 <at> 07!R(#(P,38 <at> 
M,3<Z,#0Z,#< <at> *S`R,#`*4W5B:F5C=#H <at> 6U!!5$-((#$O.%T <at> 06QL;W< <at> 8G5I
M;&0 <at> 9G)O;2!T86< <at> 96YD:6YG(&EN("U;8D)=87-E(&)U:6QD-3`*"E-I9VYE
M9"UO9F8M8GDZ($UA='0 <at> 1&%R9F5U:6QL92`\;6%T9&%R9D!G;6%I;"YC;VT^
M"BTM+0H <at> 8G5I;&0O8G5I;&0U,"!\(#(V("LK*RLK*RLK*RLK*RLK*RLK*RLK
M*RLK*RLM"B`Q(&9I;&4 <at> 8VAA;F=E9"P <at> ,C4 <at> :6YS97)T:6]N<R <at> K*2P <at> ,2!D
M96QE=&EO;B <at> M*0H*9&EF9B`M+6=I="!A+V)U:6QD+V)U:6QD-3` <at> 8B]B=6EL
M9"]B=6EL9#4P"FEN9&5X(&0V,S`X834N+C <at> P,#(X93$ <at> ,3`P-S4U"BTM+2!A
M+V)U:6QD+V)U:6QD-3`**RLK(&(O8G5I;&0O8G5I;&0U,`I`0"`M.3DL-B`K
M.3DL-R!`0"!"4D%.0TA.04U%/0H <at> 5D524TE/3CT*($)!4T5615)324]./0H <at> 
M3TQ$5D524TE/3CT**U1!1U9%4E-)3TX]"B!32$]215=!3$Q$25(]"B!#3U)%
M1$E2/0H <at> 4TA/4D5704Q,3$E4141)4CT*0$` <at> +3(R-RPV("LR,C <at> L.2!`0"!D
M;U]E>'!O<G0H*0H <at> ("` <at> (&EF(%L <at> +6X <at> (B1"4D%.0TA.04U%(B!=("8F(&=I
M="`M+6=I="UD:7(])$=)5"\N9VET('-H;W<M<F5F("TM<75I970 <at> +2UV97)I
M9GD <at> +2T <at> (G)E9G,O:&5A9',O)$)204Y#2$Y!344B(#(^+V1E=B]N=6QL.R!T
M:&5N"B`)8G)A;F-H/2(D0E)!3D-(3D%-12(*(`EP<F]G<F5S<U]M97-S86=E
M(")%>'!O<G1I;F< <at> )#$ <at> 9G)O;2!':70 <at> 8G)A;F-H("1B<F%N8V <at> N+BXB("8F
M(&1O7V]R7V1I92`B9VET("TM9VET+61I<CTD1TE4+RYG:70 <at> 87)C:&EV92`M
M+69O<FUA=#UT87( <at> )&)R86YC:"`D,2!\('1A<B`M>&8 <at> +2`^/B`D3$]'1DE,
M12`R/B8Q( <at> HK96QI9B!G:70 <at> +2UG:70M9&ER/21'250O+F=I="!S:&]W+7)E
M9B`M+7%U:65T("TM=F5R:69Y("TM(")R969S+W1A9W,O)%1!1U9%4E-)3TXB
M(#XO9&5V+VYU;&P[('1H96X**PET86<])%1!1U9%4E-)3TX**PEP<F]G<F5S
M<U]M97-S86=E(")%>'!O<G1I;F< <at> )#$ <at> 9G)O;2!':70 <at> =&%G("1T86<N+BXB
M("8F(&1O7V]R7V1I92`B9VET("TM9VET+61I<CTD1TE4+RYG:70 <at> 87)C:&EV
M92`M+69O<FUA=#UT87( <at> )'1A9R`D,2!\('1A<B`M>&8 <at> +2`^/B`D3$]'1DE,
M12`R/B8Q( <at> H <at> ("` <at> (&5L:68 <at> 6R`M;B`B)"AG:70 <at> +2UG:70M9&ER/21'250O
M+F=I="!T86< <at> +6P <at> )%9%4E-)3TX <at> ,CXO9&5V+VYU;&PI(B!=.R!T:&5N"B`)
M=&%G/21615)324]."B`)<')O9W)E<W-?;65S<V%G92`B17AP;W)T:6YG("0Q
M(&9R;VT <at> 1VET('1A9R`D=&%G+BXN(B`F)B!D;U]O<E]D:64 <at> (F=I="`M+6=I
M="UD:7(])$=)5"\N9VET(&%R8VAI=F4 <at> +2UF;W)M870]=&%R("1T86< <at> )#$ <at> 
M?"!T87( <at> +7AF("T <at> /CX <at> )$Q/1T9)3$4 <at> ,CXF,2(*0$` <at> +30X,RPQ,"`K-# <at> W
M+#(U($!`(%9%4E-)3TX])#$*($)!4T5615)324]./20Q"B`*($Q/1T9)3$4]
M)$Q/1T1)4B]S:&]R97=A;&Q?8G5I;&1?)'M615)324].?2YL;V<*+3X <at> )$Q/
M1T9)3$4**V5C:&\ <at> (D%R9W5M96YT<R!A<F4 <at> )"HB(#X <at> )$Q/1T9)3$4*('!R
M;V=R97-S7VUE<W-A9V4 <at> (D)U:6QD(&]F(%-H;W)E=V%L;"`D5D524TE/3B!O
M;B`D*&1A=&4I( <at> H <at> "B!C87-E("1615)324].(&EN"BLJ6V)"76%S92HI"BM4
M04=615)324]./21615)324]."BM615)324]./21[5D524TE/3B4M*GT**PHK
M8V%S92`D1$E2(&EN"BLJ6V)"76%S92HI"BM$25(])'M$25(E+2I]"BL[.PHK
M97-A8PHK"BL[.PHK97-A8PHK"BL**V-A<V4 <at> )%9%4E-)3TX <at> :6X*("` <at> ("`U
M+ELP72XJ+BHI"B`)6$U,4%)/2CTB9&]C<RTU+C`B"B`)4$%40TA214Q%05-%
M/5EE<PI`0"`M-C0Y+#8 <at> *S8V."PY($!`(&EF(%L <at> +6X <at> (B1[0E5)3$1#3U)%
M?21[0E5)3$0V?21[0E5)3$1)3DE4?21[0E5)3$1,251%?21[0E5)3$0V3$E4
M17TD>T)524Q$4U1$?2(*("` <at> ("!I9B!;("UN("(D0E)!3D-(3D%-12( <at> 72`F
M)B!G:70 <at> +2UG:70M9&ER/21'251214Q%05-%1$E2+RYG:70 <at> <VAO=RUR968 <at> 
M+2UQ=6EE="`M+79E<FEF>2`M+2`B<F5F<R]H96%D<R\D0E)!3D-(3D%-12( <at> 
M,CXO9&5V+VYU;&P[('1H96X*(`E"4D%.0T <at> ])$)204Y#2$Y!344*(`EP<F]G
M<F5S<U]M97-S86=E(")%>'!O<G1I;F< <at> <F5L96%S92!F:6QE<R!F<F]M($=I
M="!B<F%N8V <at>  <at> )$)204Y#2"XN+B( <at> )B8 <at> 9&]?;W)?9&EE(")G:70 <at> +2UG:70M
M9&ER/21'251214Q%05-%1$E2+RYG:70 <at> 87)C:&EV92`M+69O<FUA=#UT87( <at> 
M)$)204Y#2"!\('1A<B`M>&8 <at> +2`^/B`D3$]'1DE,12`R/B8Q( <at> HK("` <at> (&5L
M:68 <at> 9VET("TM9VET+61I<CTD1TE44D5,14%3141)4B\N9VET('-H;W<M<F5F
M("TM<75I970 <at> +2UV97)I9GD <at> +2T <at> (G)E9G,O=&%G<R\D5$%'5D524TE/3B( <at> 
M,CXO9&5V+VYU;&P[('1H96X**PET86<])%1!1U9%4E-)3TX**PEP<F]G<F5S
M<U]M97-S86=E(")%>'!O<G1I;F< <at> <F5L96%S92!F<F]M($=I="!T86< <at> )'1A
M9RXN+B( <at> )B8 <at> 9&]?;W)?9&EE(")G:70 <at> +2UG:70M9&ER/21'251214Q%05-%
M1$E2+RYG:70 <at> 87)C:&EV92`M+69O<FUA=#UT87( <at> )'1A9R!\('1A<B`M>&8 <at> 
M+2`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> ("` <at> (&5L:68 <at> 6R`M;B`B)"AG:70 <at> +2UG
M:70M9&ER/21'251214Q%05-%1$E2+RYG:70 <at> =&%G("UL("1615)324].(#(^
M+V1E=B]N=6QL*2( <at> 73L <at> =&AE; <at> H <at> "71A9STD5D524TE/3 <at> H <at> "7!R;V=R97-S
M7VUE<W-A9V4 <at> (D5X<&]R=&EN9R!R96QE87-E(&9R;VT <at> 1VET('1A9R`D=&%G
M+BXN(B`F)B!D;U]O<E]D:64 <at> (F=I="`M+6=I="UD:7(])$=)5%)%3$5!4T5$
M25(O+F=I="!A<F-H:79E("TM9F]R;6%T/71A<B`D=&%G('P <at> =&%R("UX9B`M
M(#X^("1,3T=&24Q%(#(^)C$B"D!`("TQ,30T+#0 <at> *S$Q-C8L-B!`0"!I9B!;
M("UN("(D3TQ$5D524TE/3B( <at> 73L <at> =&AE; <at> H <at> ("` <at> (&9I"B!F:0H <at> "BM;("UN
M("(D5$%'5D524TE/3B( <at> 72`F)B!615)324]./21404=615)324]."BL*('!R
M;V=R97-S7VUE<W-A9V4 <at> (E-H;W)E=V%L;"`D5D524TE/3B!"=6EL9"!C;VUP
M;&5T92`M("0H9&%T92DB"BTM(`HR+C8N, <at> H*"D9R;VT <at> -V9B.69D.3`Q86(W
M83DY-6,V,V$V9F(W-C(R93 <at> Q9C)B960T,F,U.2!-;VX <at> 4V5P(#$W(#`P.C`P
M.C`P(#(P,#$*1G)O;3H <at> 36%T="!$87)F975I;&QE(#QM871D87)F0&=M86EL
M+F-O;3X*1&%T93H <at> 5'5E+"`U($%P<B`R,#$V(#(P.C0S.C(R("LP,C`P"E-U
M8FIE8W0Z(%M0051#2"`R+SA=(%)E;6]V92`J+F)A:R`J+F1I9F8 <at> 979E;B!I
M9B`M="!I<R!N;W0 <at> 9VEV96X <at> 8G5I;&0U,`H*4VEG;F5D+6]F9BUB>3H <at> 36%T
M="!$87)F975I;&QE(#QM871D87)F0&=M86EL+F-O;3X*+2TM"B!B=6EL9"]B
M=6EL9#4P('P <at> -3, <at> *RLK*RLK*RLK*RLK*RLK*RLK*RLK*RLK*RLK*RLK*RLK
M*RLM+2TM+2TM+2TM+2TM+2TM+2T*(#$ <at> 9FEL92!C:&%N9V5D+"`S-2!I;G-E
M<G1I;VYS*"LI+"`Q."!D96QE=&EO;G,H+2D*"F1I9F8 <at> +2UG:70 <at> 82]B=6EL
M9"]B=6EL9#4P(&(O8G5I;&0O8G5I;&0U,`II;F1E>"`X,#`R.&4Q+BXS-&9E
M9&$S(#$P,#<U-0HM+2T <at> 82]B=6EL9"]B=6EL9#4P"BLK*R!B+V)U:6QD+V)U
M:6QD-3`*0$` <at> +3 <at> S,BPU."`K.#,R+#<U($!`(&EF(%L <at> +6X <at> (B1[0E5)3$1#
M3U)%?21[0E5)3$0V?21[0E5)3$1)3DE4?21[0E5)3$1,251%?21[0E5)3$0V
M3$E417TD>T)524Q$4U1$?2(*(`EC9"`D1$E2(`H <at> ("` <at> (&9I"0H <at> "BT <at> ("` <at> 
M6R`M;B`B)$)524Q$0T]212( <at> 72` <at> ("8F(&1O7V]R7V1I92`B<FT <at> +7)F("1#
M3U)%1$E2+V1E8FEA;B(*+2` <at> ("!;("UN("(D0E5)3$135$0B(%T <at> ("` <at> )B8 <at> 
M9&]?;W)?9&EE(")R;2`M<F8 <at> )%-(3U)%5T%,3$1)4B]D96)I86XB"BT <at> ("` <at> 
M6R`M;B`B)$)524Q$-B( <at> 72` <at> ("` <at> ("8F(&1O7V]R7V1I92`B<FT <at> +7)F("13
M2$]215=!3$PV1$E2+V1E8FEA;B(*+2` <at> ("!;("UN("(D0E5)3$1,251%(B!=
M("` <at> )B8 <at> 9&]?;W)?9&EE(")R;2`M<F8 <at> )%-(3U)%5T%,3$Q)5$5$25(O9&5B
M:6%N( <at> HM("` <at> (%L <at> +6X <at> (B1"54E,1$E.250B(%T <at> ("`F)B!D;U]O<E]D:64 <at> 
M(G)M("UR9B`D4TA/4D5704Q,24Y)5$1)4B]D96)I86XB"BT <at> ("` <at> 6R`M;B`B
M)$)524Q$-DQ)5$4B(%T <at> ("8F(&1O7V]R7V1I92`B<FT <at> +7)F("1,251%-D1)
M4B]D96)I86XB"BL <at> ("` <at> :68 <at> 6R`M;B`B)$)524Q$0T]212( <at> 73L <at> =&AE; <at> HK
M9&]?;W)?9&EE(")R;2`M<F8 <at> )$-/4D5$25(O9&5B:6%N( <at> HK"2` <at> ("!R;2`M
M9B`D0T]2141)4B\J+F1I9F8**PD <at> ("` <at> <FT <at> +68 <at> )$-/4D5$25(O*BYB86L*
M*V9I"BL**R` <at> ("!I9B!;("UN("(D0E5)3$135$0B(%T[('1H96X**V1O7V]R
M7V1I92`B<FT <at> +7)F("132$]215=!3$Q$25(O9&5B:6%N( <at> HK"2` <at> ("!R;2`M
M9B`D4TA/4D5704Q,1$E2+RHN9&EF9 <at> HK"2` <at> ("!R;2`M9B`D4TA/4D5704Q,
M1$E2+RHN8F%K"BMF:0HK"BL <at> ("` <at> :68 <at> 6R`M;B`B)$)524Q$-B( <at> 73L <at> =&AE
M; <at> HK(&1O7V]R7V1I92`B<FT <at> +7)F("132$]215=!3$PV1$E2+V1E8FEA;B(*
M*PD <at> ("` <at> <FT <at> +68 <at> )%-(3U)%5T%,3#9$25(O*BYD:69F"BL)("` <at> (')M("UF
M("132$]215=!3$PV1$E2+RHN8F%K"BMF:0HK"BL <at> ("` <at> :68 <at> 6R`M;B`B)$)5
M24Q$3$E412( <at> 73L <at> =&AE; <at> HK(&1O7V]R7V1I92`B<FT <at> +7)F("132$]215=!
M3$Q,251%1$E2+V1E8FEA;B(**PD <at> ("` <at> <FT <at> +68 <at> )%-(3U)%5T%,3$Q)5$5$
M25(O*BYD:69F"BL)("` <at> (')M("UF("132$]215=!3$Q,251%1$E2+RHN8F%K
M"BMF:0HK"BL <at> ("` <at> :68 <at> 6R`M;B`B)$)524Q$24Y)5"( <at> 73L <at> =&AE; <at> HK9&]?
M;W)?9&EE(")R;2`M<F8 <at> )%-(3U)%5T%,3$E.251$25(O9&5B:6%N( <at> HK"2` <at> 
M("!R;2`M9B`D4TA/4D5704Q,24Y)5$1)4B\J+F1I9F8**PD <at> ("` <at> <FT <at> +68 <at> 
M)%-(3U)%5T%,3$E.251$25(O*BYB86L**V9I"BL**R` <at> ("!I9B!;("UN("(D
M0E5)3$0V3$E412( <at> 73L <at> =&AE; <at> HK9&]?;W)?9&EE(")R;2`M<F8 <at> )$Q)5$4V
M1$E2+V1E8FEA;B(**PD <at> ("` <at> <FT <at> +68 <at> )$Q)5$4V1$E2+RHN9&EF9 <at> HK"2` <at> 
M("!R;2`M9B`D3$E4139$25(O*BYB86L**V9I"B`*("` <at> ("!I9B!;("UN("(D
M0E5)3$1405)"04Q,(B!=.R!T:&5N"B`):68 <at> 6R`M;B`B)$)524Q$0T]212( <at> 
M73L <at> =&AE; <at> D*(`D <at> ("` <at> <')O9W)E<W-?;65S<V%G92`B0W)E871I;F< <at> )$1)
M4B\D0T]214)!3$PN+BXB"BT)("` <at> (')M("UF("1#3U)%1$E2+RHN9&EF9 <at> HM
M"2` <at> ("!R;2`M9B`D0T]2141)4B\J+F)A:PH <at> "2` <at> ("!D;U]O<E]D:64 <at> (G1A
M<B`M+6]W;F5R/3` <at> +2UG<F]U<#TP("UZ8W9F("1#3U)%0D%,3"`D0T]2141)
M4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "2` <at> ("!D;U]O<E]D:64 <at> (G1A<B`M+6]W
M;F5R/3` <at> +2UG<F]U<#TP("UJ8W9F('-H;W)E=V%L;"UC;W)E+21[5D524TE/
M3GTN=&%R+F)Z,B`D0T]2141)4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "69I"B`*
M(`EI9B!;("UN("(D0E5)3$135$0B(%T[('1H96X)"B`)("` <at> ('!R;V=R97-S
M7VUE<W-A9V4 <at> (D-R96%T:6YG("1$25(O)%1!4D)!3$PN+BXB"BT)("` <at> (')M
M("UF("132$]215=!3$Q$25(O*BYD:69F"BT)("` <at> (')M("UF("132$]215=!
M3$Q$25(O*BYB86L*(`D <at> ("` <at> 9&]?;W)?9&EE(")T87( <at> +2UO=VYE<CTP("TM
M9W)O=7`],"`M>F-V9B`D5$%20D%,3"`D4TA/4D5704Q,1$E2(#X^("1,3T=&
M24Q%(#(^)C$B"B`)("` <at> (&1O7V]R7V1I92`B=&%R("TM;W=N97(],"`M+6=R
M;W5P/3` <at> +6IC=F8 <at> <VAO<F5W86QL+21[5D524TE/3GTN=&%R+F)Z,B`D4TA/
M4D5704Q,1$E2(#X^("1,3T=&24Q%(#(^)C$B"B`)9FD*(`H <at> "6EF(%L <at> +6X <at> 
M(B1"54E,1#8B(%T[('1H96X)"B`)("` <at> ('!R;V=R97-S7VUE<W-A9V4 <at> (D-R
M96%T:6YG("1$25(O)%1!4D)!3$PV+BXN( <at> HM"2` <at> ("!R;2`M9B`D4TA/4D57
M04Q,-D1)4B\J+F1I9F8*+0D <at> ("` <at> <FT <at> +68 <at> )%-(3U)%5T%,3#9$25(O*BYB
M86L*(`D <at> ("` <at> 9&]?;W)?9&EE(")T87( <at> +2UO=VYE<CTP("TM9W)O=7`],"`M
M>F-V9B`D5$%20D%,3#8 <at> )%-(3U)%5T%,3#9$25( <at> /CX <at> )$Q/1T9)3$4 <at> ,CXF
M,2(*(`D <at> ("` <at> 9&]?;W)?9&EE(")T87( <at> +2UO=VYE<CTP("TM9W)O=7`],"`M
M:F-V9B!S:&]R97=A;&PV+21[5D524TE/3GTN=&%R+F)Z,B`D4TA/4D5704Q,
M-D1)4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "69I"B`*(`EI9B!;("UN("(D0E5)
M3$1,251%(B!=.R!T:&5N"0H <at> "2` <at> ("!P<F]G<F5S<U]M97-S86=E(")#<F5A
M=&EN9R`D1$E2+R1,251%5$%20D%,3"XN+B(*+0D <at> ("` <at> <FT <at> +68 <at> )%-(3U)%
M5T%,3$Q)5$5$25(O*BYD:69F"BT)("` <at> (')M("UF("132$]215=!3$Q,251%
M1$E2+RHN8F%K"B`)("` <at> (&1O7V]R7V1I92`B=&%R("TM;W=N97(],"`M+6=R
M;W5P/3` <at> +7IC=F8 <at> )$Q)5$5405)"04Q,("132$]215=!3$Q,251%1$E2(#X^
M("1,3T=&24Q%(#(^)C$B"B`)("` <at> (&1O7V]R7V1I92`B=&%R("TM;W=N97(]
M,"`M+6=R;W5P/3` <at> +6IC=F8 <at> <VAO<F5W86QL+6QI=&4M)'M615)324].?2YT
M87(N8GHR("132$]215=!3$Q,251%1$E2(#X^("1,3T=&24Q%(#(^)C$B"B`)
M9FD*("` <at> ("`)"B`):68 <at> 6R`M;B`B)$)524Q$24Y)5"( <at> 73L <at> =&AE; <at> D*(`D <at> 
M("` <at> <')O9W)E<W-?;65S<V%G92`B0W)E871I;F< <at> )$1)4B\D24Y)5%1!4D)!
M3$PN+BXB"BT)("` <at> (')M("UF("132$]215=!3$Q)3DE41$E2+RHN9&EF9 <at> HM
M"2` <at> ("!R;2`M9B`D4TA/4D5704Q,24Y)5$1)4B\J+F)A:PH <at> "2` <at> ("!D;U]O
M<E]D:64 <at> (G1A<B`M+6]W;F5R/3` <at> +2UG<F]U<#TP("UZ8W9F("1)3DE45$%2
M0D%,3"`D4TA/4D5704Q,24Y)5$1)4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "2` <at> 
M("!D;U]O<E]D:64 <at> (G1A<B`M+6]W;F5R/3` <at> +2UG<F]U<#TP("UJ8W9F('-H
M;W)E=V%L;"UI;FET+21[5D524TE/3GTN=&%R+F)Z,B`D4TA/4D5704Q,24Y)
M5$1)4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "69I"B` <at> ("` <at> "0H <at> "6EF(%L <at> +6X <at> 
M(B1"54E,1#9,251%(B!=.R!T:&5N"0H <at> "2` <at> ("!P<F]G<F5S<U]M97-S86=E
M(")#<F5A=&EN9R`D1$E2+R1,251%-E1!4D)!3$PN+BXB"BT)("` <at> (')M("UF
M("1,251%-D1)4B\J+F1I9F8*+0D <at> ("` <at> <FT <at> +68 <at> )$Q)5$4V1$E2+RHN8F%K
M"B`)("` <at> (&1O7V]R7V1I92`B=&%R("TM;W=N97(],"`M+6=R;W5P/3` <at> +7IC
M=F8 <at> )$Q)5$4V5$%20D%,3"`D3$E4139$25( <at> /CX <at> )$Q/1T9)3$4 <at> ,CXF,2(*
M(`D <at> ("` <at> 9&]?;W)?9&EE(")T87( <at> +2UO=VYE<CTP("TM9W)O=7`],"`M:F-V
M9B!S:&]R97=A;&PV+6QI=&4M)'M615)324].?2YT87(N8GHR("1,251%-D1)
M4B`^/B`D3$]'1DE,12`R/B8Q( <at> H <at> "69I("` <at> (`D*+2T <at> "C(N-BXR" <at> H*1G)O
M;2`W83$P-60Q,V5B-&5F.3DR961C835B9C,P,S1F,&,V-V4R9#(P,C-B($UO
M;B!397` <at> ,3< <at> ,#`Z,#`Z,#` <at> ,C`P,0I&<F]M.B!-871T($1A<F9E=6EL;&4 <at> 
M/&UA=&1A<F9`9VUA:6PN8V]M/ <at> I$871E.B!7960L(#8 <at> 07!R(#(P,38 <at> ,30Z
M,#8Z,3` <at> *S`R,#`*4W5B:F5C=#H <at> 6U!!5$-((#,O.%T <at> 4F5M;W9E(&)A<VAI
M<VT <at> 8G5I;&0U,`H*4VEG;F5D+6]F9BUB>3H <at> 36%T="!$87)F975I;&QE(#QM
M871D87)F0&=M86EL+F-O;3X*+2TM"B!B=6EL9"]B=6EL9#4P('P <at> ,B`K+0H <at> 
M,2!F:6QE(&-H86YG960L(#$ <at> :6YS97)T:6]N*"LI+"`Q(&1E;&5T:6]N*"TI
M" <at> ID:69F("TM9VET(&$O8G5I;&0O8G5I;&0U,"!B+V)U:6QD+V)U:6QD-3`*
M:6YD97 <at>  <at> ,S1F961A,RXN,F)A8V0X8R`Q,#`W-34*+2TM(&$O8G5I;&0O8G5I
M;&0U,`HK*RL <at> 8B]B=6EL9"]B=6EL9#4P"D!`("TY,3 <at> L-R`K.3$X+#< <at> 0$` <at> 
M9FD*(&9I"B`*(&EF(%L <at> +6X <at> (B1)3E-404Q,(B!=.R!T:&5N"BT <at> ("` <at> :68 <at> 
M=VAI8V <at>  <at> <W5D;R`F/B`O9&5V+VYU;&P[('1H96X**R` <at> ("!I9B!W:&EC:"!S
M=61O(#X <at> +V1E=B]N=6QL(#(^)C$[('1H96X*(`E;("UN("(D0E5)3$1#3U)%
M(B!=("` <at> )B8 <at> <W5D;R`D0T]2141)4B]I;G-T86QL+G-H"B`)6R`M;B`B)$)5
M24Q$4U1$(B!=("` <at> ("8F('-U9&\ <at> )%-(3U)%5T%,3$1)4B]I;G-T86QL+G-H
M"B`)6R`M;B`B)$)524Q$-B( <at> 72` <at> ("` <at> ("8F('-U9&\ <at> )%-(3U)%5T%,3#9$
M25(O:6YS=&%L;"YS:`HM+2`*,BXV+C(*" <at> I&<F]M(# <at> Y-3`V860U8CAC8S4X
M,#0V934S-F0P,&,S9CDT-SEF8S!F9C8X8S <at>  <at> 36]N(%-E<"`Q-R`P,#HP,#HP
M,"`R,#`Q"D9R;VTZ($UA='0 <at> 1&%R9F5U:6QL92`\;6%T9&%R9D!G;6%I;"YC
M;VT^"D1A=&4Z(%=E9"P <at> -B!!<'( <at> ,C`Q-B`Q-CHR-SHR,R`K,#(P,`I3=6)J
M96-T.B!;4$%40T <at>  <at> -"\X72!#:&%N9V4 <at> <&]R8V5L86EN('1O('!L=6UB:6YG
M(&=I="!C;60 <at> 8G5I;&0U,`H*4VEG;F5D+6]F9BUB>3H <at> 36%T="!$87)F975I
M;&QE(#QM871D87)F0&=M86EL+F-O;3X*+2TM"B!B=6EL9"]B=6EL9#4P('P <at> 
M-"`K*RTM"B`Q(&9I;&4 <at> 8VAA;F=E9"P <at> ,B!I;G-E<G1I;VYS*"LI+"`R(&1E
M;&5T:6]N<R <at> M*0H*9&EF9B`M+6=I="!A+V)U:6QD+V)U:6QD-3` <at> 8B]B=6EL
M9"]B=6EL9#4P"FEN9&5X(#)B86-D.&,N+F,P.&,T.#4 <at> ,3`P-S4U"BTM+2!A
M+V)U:6QD+V)U:6QD-3`**RLK(&(O8G5I;&0O8G5I;&0U,`I`0"`M,C,Q+#< <at> 
M*S(S,2PW($!`(&1O7V5X<&]R=" <at> I"B!E;&EF(&=I="`M+6=I="UD:7(])$=)
M5"\N9VET('-H;W<M<F5F("TM<75I970 <at> +2UV97)I9GD <at> +2T <at> (G)E9G,O=&%G
M<R\D5$%'5D524TE/3B( <at> /B]D978O;G5L;#L <at> =&AE; <at> H <at> "71A9STD5$%'5D52
M4TE/3 <at> H <at> "7!R;V=R97-S7VUE<W-A9V4 <at> (D5X<&]R=&EN9R`D,2!F<F]M($=I
M="!T86< <at> )'1A9RXN+B( <at> )B8 <at> 9&]?;W)?9&EE(")G:70 <at> +2UG:70M9&ER/21'
M250O+F=I="!A<F-H:79E("TM9F]R;6%T/71A<B`D=&%G("0Q('P <at> =&%R("UX
M9B`M(#X^("1,3T=&24Q%(#(^)C$B"BT <at> ("` <at> 96QI9B!;("UN("(D*&=I="`M
M+6=I="UD:7(])$=)5"\N9VET('1A9R`M;"`D5D524TE/3B`R/B]D978O;G5L
M;"DB(%T[('1H96X**R` <at> ("!E;&EF(&=I="`M+6=I="UD:7(])$=)5"\N9VET
M('-H;W<M<F5F("TM<75I970 <at> +2UV97)I9GD <at> +2T <at> (G)E9G,O=&%G<R\D5D52
M4TE/3B( <at> ,CXO9&5V+VYU;&P[('1H96X*(`ET86<])%9%4E-)3TX*(`EP<F]G
M<F5S<U]M97-S86=E(")%>'!O<G1I;F< <at> )#$ <at> 9G)O;2!':70 <at> =&%G("1T86<N
M+BXB("8F(&1O7V]R7V1I92`B9VET("TM9VET+61I<CTD1TE4+RYG:70 <at> 87)C
M:&EV92`M+69O<FUA=#UT87( <at> )'1A9R`D,2!\('1A<B`M>&8 <at> +2`^/B`D3$]'
M1DE,12`R/B8Q( <at> H <at> ("` <at> (&5L<V4*0$` <at> +38W,2PW("LV-S$L-R!`0"!I9B!;
jasonsu | 9 Apr 20:07 2016

where can I get v5 rpms?

I want to keep up to date with the 'Stable' Shorewall release.

According to

	http://shorewall.net/

That's

	v5.0.7.2

My distro is Opensuse Leap 42.  It only has version 4 rpms.  That's what I currently use.

I want to upgrade to v5.0.7.2

The link

	Read about the Shorewall 5.0 release here! Get it from the download sites
	http://shorewall.net/download.htm

Says

  Distribution-specific Download Sites

	If you run OpenSuSE starting with the 12.1 version of openSUSE shorewall is included in the distro. For the
up to date RPMs of shorewall the following repositories are available:

	    http://download.opensuse.org/repositories/security:/netfilter/openSUSE_11.4
	    http://download.opensuse.org/repositories/security:/netfilter/openSUSE_12.1
	    http://download.opensuse.org/repositories/security:/netfilter/openSUSE_Factory

That's not an option for SW v5 or for current release version of Opensuse.

Also

	If you run a SuSE, Linux PPC, Trustix or TurboLinux distribution with a 2.4 or 2.6 kernel, you can use the
standard RPM version (note: the RPM should also work with other distributions that store init scripts in
/etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me know so
that I can mention them here (Note: the standard RPM is known to work on Redhat, Fedora and Mandriva with
issues ranging from trivial (Redhat and Fedora) to moderate (Mandriva)). See the Installation
Instructions if you have problems installing the RPM.

I run Opensuse, not SuSE.  My kernel is v4.5.0-7.

Is Opensuse with modern kernel supported for SW v5?

Are there v5 RPMS for Opensuse anywhere?

Jason

------------------------------------------------------------------------------
jasonsu | 8 Apr 03:42 2016

current fail2ban action for using Shorewall Dynamic Blacklisting?


I figure I'm more likely to bump into a fail2ban-using-shorewall user than a shorewall-using fail2ban
user, so thought I'd ask about this here.

I'm getting started running

	shorewall-lite version
		4.6.13.4
	iptables -V
		iptables v1.6.0
	ipset -V
		ipset v6.29, protocol version: 6

on linux.  I'd use version 5, but 4.6.13.4 looks like the last version my distro provides. (Not sure what to do
about that yet.)

Anyway, I'm working on getting fail2ban dynamic firewalling setup for use with my Postfix server.

The latest version of fail2ban

	fail2ban-server -V
		Fail2Ban v0.9.4.dev0

includes a "shorewall-ipset-proto6" action that monitors shorewall logs and writes entries to an ipset (IIUC).

The 'action' is a bit old.  It still references BLACKLISTNEWONLY= instead of the newer BLACKLIST= config in SW.

The action's commands are

	actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
	              then ipset -quiet -exist create f2b-<name> hash:ip timeout <bantime>;
	              fi
	actionstop = ipset flush f2b-<name>
	actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
	actionunban = ipset del f2b-<name> <ip> -exist

While reading the SW docs to figure out how to update the action

	http://shorewall.net/blacklisting_support.htm

I discovered SW's "Dynamic Blacklisting", which seems awfully convenient.

Is there any reason NOT to replace those 'raw' ipset commands with equivalents that use SW's DYNAMIC BLACKLISTING?

Better yet, is anyone here aware of an existing modern/current Fail2Ban 'action' for using SW's Dynamic BL'ing?

Jason
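
One way to rewrite that action against Shorewall's dynamic blacklist, as an added example that is not from the post, from fail2ban or from the Shorewall project: it assumes shorewall-lite (as installed here) and DYNAMIC_BLACKLIST=ipset in shorewall.conf, which gives the `blacklist` and `allow` commands an ipset to manage; the trailing `timeout <bantime>` assumes that set was created with timeout support and should be dropped otherwise.

```ini
# Added example (not from the post, fail2ban or Shorewall): a fail2ban 0.9
# action that bans through Shorewall's dynamic blacklist instead of a
# private f2b-<name> ipset. Assumes shorewall-lite on the host and
# DYNAMIC_BLACKLIST=ipset in shorewall.conf (assumption, see lead-in).
[Definition]
# Nothing to create: Shorewall builds the blacklist set when it starts.
# Nothing to flush on stop: the set is shared with manually entered
# "shorewall-lite blacklist" addresses, so leave it alone here.
actionstart =
actionstop =
actioncheck =
# Words after the address are handed to "ipset add", so the ban expiry
# can use the set's timeout support (assumes the set was created with it).
actionban = shorewall-lite blacklist <ip> timeout <bantime>
# "allow" removes a dynamically blacklisted address again.
actionunban = shorewall-lite allow <ip>

[Init]
```

Because the set is shared, a fail2ban restart no longer drops bans that were added by hand, which the original actionstop (ipset flush) would have done.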

------------------------------------------------------------------------------
Sven Kirmess | 7 Apr 19:58 2016

macro.AllowICMPs: Is fragmentation-needed and time-exceeded not allowed by RELATED?

The macro.AllowICMPs allows fragmentation-needed and time-exceeded. Is that still needed or an artifact of the past?

I tried to google around and I think Netfilter treats ICMPs as RELATED, which means those should be accepted by the default RELATED rule. Or is there anything special with these two?
------------------------------------------------------------------------------
Simon Hobson | 5 Apr 12:39 2016

Re: IPv6 issues (Was: Configuration - appropriate configuration with 2 default gateways)


On 5 Apr 2016, at 06:42, Thomas Schneider <c.monty <at> web.de> wrote:

> This is the output:
> root <at> vm103-db:~# ip -f inet6 addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 9: eth0 <at> if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
>     inet6 fe80::3065:65ff:fe39:3035/64 scope link
>        valid_lft forever preferred_lft forever
> root <at> vm103-db:~# ip -f inet6 route show
> fe80::/64 dev eth0  proto kernel  metric 256 
> root <at> vm103-db:~# ip -f inet6 neigh show
> root <at> vm103-db:~# 

Indeed it does.
I think you may be seeing a known bug (that's 3 1/2 years old):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684407

It's off topic for this list, I suggest you go and enquire of the maintainers since apt is definitely not
acting correctly here.

There is a message there that apt will try the first address, and if a connection fails then it'll try the
other addresses in turn. This would explain why it downloads some packages (connects OK via IPv4) but then
fails - if a connection fails over IPv4 then it'll cycle round and try an IPv6 address - and then it reports a
misleading error* when that fails. It should not, IMO, be trying IPv6 addresses if the system isn't
configured with routable addresses.

* The error should really be "couldn't connect to any address" rather than "couldn't connect to ${last_address_tried}".

------------------------------------------------------------------------------
Thomas Schneider | 5 Apr 08:04 2016

APT switches to IPv6 and

Hello,

I have configured 2 zones: loc and dmz

When I start apt upgrade on client in loc, this fails with connection error:

Holen: 195 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main isc-dhcp-client amd64 4.3.3-9 [314 kB] 
Holen: 196 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main isc-dhcp-common amd64 4.3.3-9 [131 kB] 
Holen: 197 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ testing/main kmod amd64 22-1 [86,6 kB]               
Holen: 198 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ testing/main libkmod2 amd64 22-1 [47,8 kB]           
Holen: 199 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main libboost-iostreams1.55.0 amd64 1.55.0+dfsg-4 [48,8 kB]
Holen: 200 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ testing/main libboost-iostreams1.58.0 amd64 1.58.0+dfsg-5+b1 [51,1 kB]
Holen: 201 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ testing/main liblogging-stdlog0 amd64 1.0.5-2 [12,4 kB]
Holen: 202 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ testing/main libnewt0.52 amd64 0.52.18-3 [72,6 kB]   
Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main libssl1.0.0 amd64 1.0.2d-1                   
  Verbindung mit ftp.tu-chemnitz.de:80 kann nicht aufgebaut werden (2001:638:911:b0e:134:109:228:1). - connect (101: Das Netzwerk ist nicht erreichbar) [IP: 2001:638:911:b0e:134:109:228:1 80]
Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main vim amd64 2:7.4.1689-1
  Verbindung mit ftp.tu-chemnitz.de:80 kann nicht aufgebaut werden (2001:638:911:b0e:134:109:228:1). - connect (101: Das Netzwerk ist nicht erreichbar) [IP: 2001:638:911:b0e:134:109:228:1 80]
Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main vim-tiny amd64 2:7.4.1689-1
  Verbindung mit ftp.tu-chemnitz.de:80 kann nicht aufgebaut werden (2001:638:911:b0e:134:109:228:1). - connect (101: Das Netzwerk ist nicht erreichbar) [IP: 2001:638:911:b0e:134:109:228:1 80]

The output shows that APT fetches ~200 packages, and then fails after switching to IPv6.
First, I wonder why APT switches to IPv6.
Is this normal?
Second, does it make sense to disable IPv6?

Regards,
Thomas
------------------------------------------------------------------------------
Marc Mertes | 4 Apr 12:12 2016

masquerading exception

Hi Folks,
hi Tom,
after a few years of using shorewall now, I ran into a "special case" 
of a new masquerading need, and I'm not sure if this is possible.
I've already browsed through the mail archive - but my case is not exactly 
discussed there, just some which were close to it - or I didn't understand one 
of them correctly,
or wasn't able to adapt it to my case.

Shorewall Version 4.6.4.3 on debian jessie
This is my masq config now: I masq everything to the external Iface ip:
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
eth3 131.xxx.xxx.0/24

What I now want to do is:
Keep the masq as it is - with one exception.
All traffic to our mailserver should not be masq.
I mean it like "masq everything outgoing on eth3 EXCEPT outgoing 
traffic  to emailserver on eth3"

The background is that our mailserver is in the external zone and 
blocks the IP after too many failed logins.
This means our masq IP is blocked and no one can use the mailserver 
anymore.
For this case it would be good not to masq, so that each IP here is 
"visible" to the mailserver.

Thanks and best regards
Marc
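
The exclusion described above, as an added example that is not from the post or from the Shorewall project: the INTERFACE:DEST column of /etc/shorewall/masq accepts a `!`-prefixed destination list, so the existing line keeps masquerading everything leaving eth3 except traffic bound for the mailserver. 192.0.2.25 is a placeholder for the mailserver's real address.

```text
# Added example (not from the post): /etc/shorewall/masq, Shorewall 4.6.
# Before: everything leaving eth3 is masqueraded, mailserver included.
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
eth3                    131.xxx.xxx.0/24

# After: same rule, but destinations in the exclusion list are skipped,
# so packets to the mailserver keep their original 131.xxx.xxx.0/24 source.
# 192.0.2.25 is a placeholder for the mailserver's address.
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
eth3:!192.0.2.25        131.xxx.xxx.0/24
```

The excluded packets reach the mailserver with their real source addresses, so the mailserver must be able to route replies back to 131.xxx.xxx.0/24, and its failed-login blocking then lands on a single client rather than on the shared masq address.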

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
