Farkas Levente | 12 Feb 20:14 2014

bad permission on /etc/shorewall/notrack

hi,
In the rpm package 4.5.21-6 the file /etc/shorewall/notrack has 600
permissions; it should be 644.
regards.

--
  Levente                               "Si vis pacem para bellum!"

Göran Höglund | 12 Feb 13:23 2014

Routing issue

Hi List
I have a setup with multi-ISP and LSM; this works very well.
I am using one ISP as backup and the other as main, no balancing.

When the ordinary interface is down I would like to be able to reach the
modem on port 80 on the ordinary IF.

My problem is sorting out a DNAT rule to get this working in a way that
I can reach the isp2 modem through isp1 with DNAT in the FW. Port fwd in
the isp1 modem is OK and I can see the traffic going out towards the isp2 modem.

I assume this has to do with the def gw in the modem and masq in the FW, or
is it something else I miss?

isp1 modem --------------- FW ----------------isp2 modem

I am using shorewall 4.5.16.1; the log complains about sfilter?
Thanks /GH

Farkas Levente | 11 Feb 15:35 2014

bug in the docs

hi,
In the docs at http://shorewall.net/MultiISP.html, in the example
/etc/lsm/script file, at the end you call the /sbin/shorewall script even
if only shorewall-lite is installed. At the beginning there is an "if-else" for
shorewall-lite, but the shorewall script call is not if-ed.
regards.

-- 
  Levente                               "Si vis pacem para bellum!"


redirect https traffic from gateway to a box in loc

Hello,

I've been using shorewall for years with this configuration: gateway (debian wheezy) with pppoe dsl
connection (213.41.184.2), loc in 192.168.0.0/24.
The versioning system is on 192.168.0.50 and is visible from inside and outside.
This configuration worked on debian squeeze; problems appeared after the upgrade, so I suspect a bad config
param I introduced...

What I'm trying to do: access https on 213.41.184.2
from 88.172.230.130.
I'd expect to have traffic redirected to 192.168.0.50.
But it works only "sometimes": this box has nothing in its logs, traffic seems blocked on shorewall.

After reading http://shorewall.net/FAQ.htm#faq1b I suspected routing. Here is the route table of the
gateway box:
# route -n
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         213.41.184.2    0.0.0.0         UG    0      0        0 ppp0
178.132.16.234  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

Attached is status.txt as required on http://shorewall.net/support.htm.

Thanks for your help.
Attachment (status.txt.gz): application/x-gzip, 22 KiB

Rodrigo Cortes | 10 Feb 15:27 2014

incoming block connections

HI!

I have a CentOS 6.5 x64 with the latest shorewall stable. All is OK until I use DNAT to permit incoming smtp/https
to Exchange. For some reason, sometimes the incoming connections to smtp/https to Exchange are blocked; the
port doesn't respond.

Any idea about this error?!

Thx..

PS: sorry for my English...
Tom Eastep | 10 Feb 01:27 2014

Re: Fw: Rate limit not stopping icmp

On 2/9/2014 2:22 PM, Andrew wrote:
> Dear Tom,
> Sorry to bother you, I am new to this list and I have the feeling that
> my very first message sent to shorewall-users <at> lists.sourceforge.net in
> both plain & html format bounces back unread. I get:
> - Results:
>    Ignoring non-text/plain MIME parts
> - Unprocessed:
> - - - - - - - -  - -
> 
> If the message has been received and repeated, please ignore this
> repetition.
>    Andrew
> 
> Hi!
> 
> I have been using Shorewall for several years and it has been working
> without a glitch.
> 
> Last week I tried to introduce RateLimit, Shorewall starts and everything
> seems working fine, but when I test with ping, the RateLimit seems not
> limiting anything. I have this in rules:
> 
> ACCEPT  net   $FW icmp -  - - s:icmp:5/min:5
> 
> and I ping intensely the WAN interface from several other machines - ping
> response goes on and on. I expected it to stop after 5 consequent

Tony Middleton | 9 Feb 17:39 2014

DNAT rules do not seem to be actioned

I have a small network with a firewall running Debian 7.4. I have a set
of rules as follows:

DNAT            net     loc:192.168.1.10        tcp     6881
DNAT            net     loc:192.168.1.10        udp     6881
DNAT            net     loc:192.168.1.10        tcp     7881
DNAT            net     loc:192.168.1.10        udp     7881
DNAT            net     loc:192.168.1.10        tcp     8881
DNAT            net     loc:192.168.1.10        udp     8881

However, the log appears to show that packets are being processed in the
input chain and thus dropped. Examples:

Feb  9 11:04:35 hawthorn kernel: [   33.755144] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:05:5d:df:2b:c0:00:30:b8:d1:dd:34:08:00 SRC=84.236.104.54 DST=86.16.18.41 LEN=58 TOS=0x00 PREC=0x00 TTL=114 ID=16849 PROTO=UDP SPT=43226 DPT=6881 LEN=38

Feb  9 16:24:13 hawthorn kernel: [13732.666341] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:05:5d:df:2b:c0:00:30:b8:d1:dd:34:08:00 SRC=105.237.76.28 DST=86.16.18.41 LEN=129 TOS=0x00 PREC=0x00 TTL=111 ID=16779 PROTO=UDP SPT=55180 DPT=7881 LEN=109

I've probably done something stupid but can't find it. While I can find
a number of examples of this in my logs, the problem came to light as,
over the past few days, I am receiving a constant stream of packets and
the messages blew my /var/logs

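A parser for the log format quoted in the post above, as an added example that is not part of the original thread: it counts DROPs in a *2fw chain on ports that the poster's DNAT rules cover, which is the quickest way to confirm from the log alone that the nat-table DNAT rule never matched those packets. The sample log lines, host name and addresses are constructed; `DNAT_PORTS` mirrors the six rules listed in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the Shorewall log format quoted in the post:
# a "Shorewall:<chain>:<disposition>:" prefix followed by netfilter key=value
# fields. Addresses are documentation ranges, not taken from any real host.
SAMPLE_LOG = """\
Feb  9 11:04:35 hawthorn kernel: [   33.755144] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:05:5d:df:2b:c0:00:30:b8:d1:dd:34:08:00 SRC=198.51.100.7 DST=203.0.113.41 LEN=58 TOS=0x00 PREC=0x00 TTL=114 ID=16849 PROTO=UDP SPT=43226 DPT=6881 LEN=38
Feb  9 11:04:36 hawthorn kernel: [   34.100000] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.8 DST=203.0.113.41 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 16:24:13 hawthorn kernel: [13732.666341] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.41 LEN=129 TOS=0x00 PREC=0x00 TTL=111 ID=16779 PROTO=UDP SPT=55180 DPT=7881 LEN=109
Feb  9 16:24:14 hawthorn kernel: [13733.000000] Shorewall:net2loc:ACCEPT:IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.10 LEN=129 TOS=0x00 PREC=0x00 TTL=110 ID=16780 PROTO=UDP SPT=55180 DPT=7881 LEN=109
"""

# The (protocol, port) pairs the DNAT rules in the post forward to loc:192.168.1.10.
DNAT_PORTS = {(p, port) for p in ("tcp", "udp") for port in (6881, 7881, 8881)}

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict of chain, disposition and netfilter fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("fields").split():
        if "=" in tok:                 # bare flags such as SYN carry no value
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)       # LEN appears twice; keep the IP total length
    return rec

def find_dnat_misses(lines, dnat_ports=DNAT_PORTS):
    """Count DROPs in a *2fw chain whose proto/port should have been DNATed.
    A DNATed packet is forwarded and never reaches the firewall's own INPUT
    path, so such hits mean the nat-table DNAT rule did not match (wrong
    zone or interface, or the rule never loaded): the symptom in the post."""
    misses = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["disposition"] != "DROP" or "DPT" not in rec:
            continue
        key = (rec.get("PROTO", "").lower(), int(rec["DPT"]))
        if key in dnat_ports and rec["chain"].endswith("2fw"):
            misses[(rec["chain"],) + key] += 1
    return misses

if __name__ == "__main__":
    for (chain, proto, port), n in sorted(find_dnat_misses(SAMPLE_LOG.splitlines()).items()):
        print(f"{chain}: {n} dropped {proto}/{port} packet(s) the DNAT rule should have forwarded")
```

Run it over `/var/log/kern.log` lines instead of `SAMPLE_LOG` to get the same breakdown for a real host; an empty result means every logged drop on those ports came from somewhere other than the firewall's own input chain.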

Donald S. Doyle | 8 Feb 01:34 2014

Blacklist/Block Apps

Hello,

It appears that apps are getting installed on the router without my knowing.  Supposedly, Citrix, Teamviewer & ZOHO have been installed although I cannot find any evidence of it.  Is there a way to blacklist/block apps from being installed?

Have a great day,

Don

Donald S. Doyle | 7 Feb 23:31 2014

Blocking IP addresses

Hello,

Is there a way to be proactive and block questionable IP addresses before they attempt to communicate with my router?

Have a great day,

Don

Jan Hoersch | 6 Feb 12:06 2014

new vif on bridge after restarting vm

Hi there,

We ran into a problem regarding shorewall after upgrading servers from
debian squeeze to wheezy.

We are currently running a bridged interface on a host running debian
wheezy with several virtual machines connected to it.

Shorewall starts just fine and everything is firewalled.
If we restart a VM without restarting shorewall afterwards, the restarted VM
is unprotected.
For example, on host 10.1.2.191 on host2 port 3306 should only be
accessible by 10.1.3.153.
After we restart the VM without restarting shorewall, the port can be
accessed by everybody.

During the restart of the VM the vif gets removed and newly assigned to the
bridge. It seems something changed in enumerating the vif and the
iptables rules don't match up with the new vif.

We tried troubleshooting it by downgrading shorewall to the version
which comes shipped with debian squeeze, but no luck.

Is anybody else experiencing this problem at the moment?
Or does anybody have any idea what we could try?

Regards,
Jan

Attachment:
host1.txt - a working machine with debian squeeze
host2.working.txt - dump taken after shorewall was started
host2.notworking.txt - dump after vm restarted without shorewall restart

Attachment (shorewall.dumps.zip): application/zip, 56 KiB
Simon Hobson | 6 Feb 11:40 2014

Package for collection only ?

Just lately I've been configuring some data collection on a number of machines (all Debian). All of these
scripts do nothing more than "collect some data, use rrdtool ... --daemon ..." to send it to a central point
where it's stored and graphed. None of these remote machines do any storage or graphing themselves.

I was wondering (before I go and put a feature request in the Debian bug tracker) how hard it would be to make a
package which omitted all the storage, consolidation, and graphing code - and hence dropped the
dependencies on the font and graphing tools/libraries?
I assume it would be easier if the upstream source included a config/compile-time option for it?

As a side effect, a couple of the machines I would like to add it to are running older versions (as far back as
Lenny). I assume I might stand a slight chance of manually installing later packages if there were fewer dependencies.
