Ibrahim Hamouda | 18 Dec 12:44 2014

one-2-one nat

Hi all
I have a working configuration in an older version as follows:

/etc/shorewall/nat

<ExternalIP>  eth0  192.168.7.201 no no

/etc/shorewall/rules

ACCEPT net loc:192.168.7.201 tcp 20,21,80,443 - <ExternalIP>

Now, in version 4.5.21.6 on Debian wheezy, the same configuration is not working.
I see the address added when I do ip addr.

Are there any changes I need to make somewhere else, or in shorewall.conf?

Thanks in advance for the help

Ibrahim
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
jonetsu@teksavvy.com | 18 Dec 01:52 2014

tunnels and DSCP

Hello,

  To DSCP-mark the packets of a tunnel (not the packets inside), the
egress interface by which the tunnel is going would be added to TC
as a device, a default TC class created, then a single rule with
whichever DSCP value configured, basically.  Does this sound OK?  Is
there any catch in working with tunnels?

  About tcrules and DSCP, what is the planned life of DSCP inside
tcrules before it gets obsoleted in favor of the mangle config file ?

Thanks !

Tom Eastep | 17 Dec 20:06 2014

Shorewall 4.6.5.3

Shorewall 4.6.5.3 is now available for download.

Problems Corrected:

1)  The Shorewall-init scripts were using the incorrect
    variable to set the state directory. Correction provided by Roberto
    Sanchez.

2)  For normal dynamic zones, the 'add' command failed with a
    diagnostic such as:

      ERROR: Zone ast, interface net0 does not have a dynamic host list

3)  When a mark range was used in the marks (tcrules) file, a run-time
    error occurred while attempting to load the generated ruleset.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Gary Phillips | 16 Dec 10:45 2014

FW: DNAT Protocol 47


I have used various versions of shorewall on older Linux servers with great success.
I have recently replaced one of our old servers with CentOS 6.6 and installed Shorewall 4.5.4 from the epel repo.
Please find attached the Shorewall dump file as requested on your support page.

When I try to use a DNAT rule to forward PPTP traffic to a Microsoft RAS server (which was working in a
previous version), the client connects and authenticates on port 1723 and a VPN session is established, but
no protocol 47 traffic is recorded by Shorewall and I am unable to communicate with any computers on the
local network.

Client source ip (in the dump) 85.255.233.8

Shorewall server eth0 (net) 157.228.196.187
Shorewall server eth1 (loc) 10.1.0.6

Microsoft RAS server 10.1.0.10

I have also opened the L2TP ports but the same happens: I connect and authenticate but no traffic is sent over
protocol 50.

Any help would be greatly appreciated
 Gary
Attachment (shorewall_dump.txt.gz): application/x-gzip, 13 KiB
MBB | 12 Dec 20:57 2014

Multi ISP: How to set a permanent route for a disabled provider

Hi shorewall user group!

I have a Multi-ISP setup with 2 providers.

/etc/shorewall/providers:

############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
KTV 1 1 - web0 1.1.1.1 balance=1
SURF 2 2 - web1 172.16.1.254 balance=2

Note that KTV has a public IP but SURF a private IP because it is behind a router.

I monitor these two providers with monit, and monit automatically executes
"/sbin/shorewall disable ${PROVIDER}" when it can't reach a certain host. When the host is available again it runs "/sbin/shorewall enable ${PROVIDER}".

For provider SURF I made an entry in rtrules to ensure that the pings to host 2.2.2.2, which I use to monitor SURF, always use IF web1.

/etc/shorewall/rtrules:

####################################################################################
#SOURCE DEST PROVIDER PRIORITY MASK
lo 2.2.2.2 SURF 1000

For provider KTV this is not necessary because monit pings the gateway 1.1.1.1, and therefore there is always a route in table main.

This is how the rules look when both providers are enabled:

# ip ru show
0: from all lookup local
999: from all lookup main
1000: from all to 2.2.2.2 iif lo lookup SURF
10000: from all fwmark 0x1/0xff lookup KTV
10001: from all fwmark 0x2/0xff lookup SURF
20000: from 172.16.1.1 lookup SURF
20000: from 1.1.1.99 lookup KTV
32765: from all lookup balance
32767: from all lookup default

And now the rules after "/sbin/shorewall disable SURF":

# ip ru show
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x1/0xff lookup KTV
20000: from 195.62.84.41 lookup KTV
32765: from all lookup balance
32767: from all lookup default

Shorewall removed all rules for provider SURF, also the one for host 2.2.2.2 which I need to monitor SURF.
Now I have the problem that all pings to 2.2.2.2 would go through IF web0, to KTV, and no longer through web1.

Is it possible to configure shorewall so that it adds a permanent route to host 2.2.2.2 in table main, so that even when provider SURF is disabled the pings to host 2.2.2.2 go through IF web1?

I'd appreciate any hint to solve this riddle.

Cheers

Norbert
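To see mechanically why the monitor probe loses its path, here is a small policy-routing rule evaluator (an added illustration, not the poster's or Shorewall's code). It parses the two `ip ru show` listings quoted above and walks them, in priority order, for a ping to 2.2.2.2 sent from the firewall itself (iif lo, no fwmark); it assumes, as the post states, that tables `local` and `main` hold no route for 2.2.2.2.

```python
import re
# Constructed input: the two `ip ru show` listings quoted in the post, verbatim.
RULES_BOTH_ENABLED = """\
0: from all lookup local
999: from all lookup main
1000: from all to 2.2.2.2 iif lo lookup SURF
10000: from all fwmark 0x1/0xff lookup KTV
10001: from all fwmark 0x2/0xff lookup SURF
20000: from 172.16.1.1 lookup SURF
20000: from 1.1.1.99 lookup KTV
32765: from all lookup balance
32767: from all lookup default
"""
RULES_SURF_DISABLED = """\
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x1/0xff lookup KTV
20000: from 195.62.84.41 lookup KTV
32765: from all lookup balance
32767: from all lookup default
"""

# Only the selectors present in the listings are modelled: from/to host,
# iif, and fwmark with an optional mask. Other `ip rule` keywords raise.
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)(?: to (?P<dst>\S+))?(?: iif (?P<iif>\S+))?"
    r"(?: fwmark (?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup (?P<table>\S+)$"
)

def parse_rules(text):
    """Parse `ip rule show` output into dicts sorted by priority (kernel order)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        r = m.groupdict()
        r["prio"] = int(r["prio"])
        r["mark"] = int(r["mark"], 16) if r["mark"] else None
        r["mask"] = int(r["mask"], 16) if r["mask"] else 0xFFFFFFFF
        rules.append(r)
    return sorted(rules, key=lambda r: r["prio"])

def rule_matches(rule, src, dst, iif, fwmark):
    """True when every selector of the rule accepts the packet."""
    return ((rule["src"] == "all" or rule["src"] == src)
            and (rule["dst"] is None or rule["dst"] == dst)
            and (rule["iif"] is None or rule["iif"] == iif)
            and (rule["mark"] is None or (fwmark & rule["mask"]) == rule["mark"]))

def matching_tables(rules, dst, src=None, iif="lo", fwmark=0):
    """Tables the kernel would consult for the packet, in priority order."""
    return [r["table"] for r in rules if rule_matches(r, src, dst, iif, fwmark)]

def probe_table(rules, dst, src=None, iif="lo", fwmark=0):
    """First table that decides the probe's path. `local` and `main` are skipped
    because, as the post says, they hold no route for the monitor host; so the
    rtrules entry yields SURF, and without it the probe falls through to `balance`."""
    for table in matching_tables(rules, dst, src, iif, fwmark):
        if table not in ("local", "main"):
            return table
    return None
```

The same walk shows that the fwmark rules only steer traffic that was marked in the mangle table, which a locally generated, unmarked ping is not.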

 

Răzvan Sandu | 11 Dec 15:15 2014

Please add support for tinc VPN in Shorewall

Hello,

Would you please help add support for tinc VPN in shorewall?

As stated in Fedora EPEL bug #1161116 
(https://bugzilla.redhat.com/show_bug.cgi?id=1161116):

Tinc (http://www.tinc-vpn.org/) is a popular, cross-distro VPN solution 
that allows MESH networks. For RedHat family, it is available in Fedora 
EPEL.

According to the documentation, tinc uses port 655 for its VPN interface 
(http://tinc-vpn.org/documentation/Example-configuration.html), probably 
both TCP and UDP.

In order to allow its speedy usage on a larger number of systems, 
including production ones, please:

- add a specific, predefined macro for it under /usr/share/shorewall/

- specify, in shorewall's documentation, what type of VPN should be used 
for tinc's /dev/tun or /dev/tap interfaces, in /etc/shorewall/tunnels file

Thanks a lot,
Răzvan

Attachment (razvan_sandu.vcf): text/x-vcard, 507 bytes
Marco Scholl | 11 Dec 13:20 2014

Problem with Conntrack

Hi

we have a big problem with host-based zoning. In the past we used "interfaces" to route traffic into zones. Now we have some interfaces that have more than one zone, and we use "hosts".
Since we use "hosts" instead of "interfaces" to map zones, conntrack doesn't work correctly and all packets are logged instead of only the first one (NEW).

Here are some system infos and partial config:

shorewall version
first 4.5.21.9 and now 4.6.5.2

kernel version
Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

distro version
Centos 6

/etc/shorewall/policy
all all ACCEPT debug

/etc/shorewall/interfaces
- bnteth
- bond0.2
gst bond0.4

/etc/shorewall/hosts
bebnt bnteth:10.254.1.0/24
pub bnteth:0.0.0.0/0 # pub is in zones at last position!
mgt bond0.2:10.200.254.0/24

Chain FORWARD (policy DROP)
bnteth_fwd  all  --  0.0.0.0/0            0.0.0.0/0

Chain bnteth_fwd (1 references)
bebnt_frwd  all  --  10.254.1.0/24        0.0.0.0/0

Chain bebnt_frwd (6 references)
bebnt2mgt  all  --  0.0.0.0/0            10.200.254.0/24

Chain bebnt2mgt (7 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED /* i think this line will be ignored because the state is not established */
LOG        all  --  0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 7 prefix `FW:bebnt2mgt:ACCEPT:'
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Log during the start of one ssh connection
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56140 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56141 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56142 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=56143 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=1324 TOS=0x00 PREC=0x00 TTL=63 ID=56144 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
...

Conntrack
tcp      6 4 SYN_SENT src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2
after some seconds
tcp      6 298 ESTABLISHED src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2

I don't understand why the connection is [UNREPLIED].

I hope somebody has an idea.

greets
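Reading the quoted output mechanically: the following is an added illustration (not the poster's or Shorewall's code) that groups the logged packets by 5-tuple and flags flows where non-SYN packets reached the LOG rule, which can only happen when the RELATED,ESTABLISHED ACCEPT above it does not match; it also reads the [UNREPLIED] flag from the conntrack entry, since conntrack only classifies a flow as ESTABLISHED once it has seen a packet in the reply direction. Sample input is the log and conntrack output quoted above.

```python
import re
from collections import defaultdict

# Constructed input: the kernel log lines and the later conntrack entry quoted
# in the post, verbatim.
SAMPLE_LOG = """\
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56140 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56141 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56142 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=56143 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=1324 TOS=0x00 PREC=0x00 TTL=63 ID=56144 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
"""
SAMPLE_CONNTRACK = ("tcp      6 298 ESTABLISHED src=10.254.1.212 dst=10.200.254.252 "
                    "sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 "
                    "dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2")

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}
# Shorewall's prefix is "FW:<chain>:<disposition>:", then netfilter's KEY=VALUE
# fields with the TCP flags as bare words.
LOG_RE = re.compile(r"kernel: FW:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
CT_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)\s")

def parse_log_line(line):
    """Return chain, disposition, fields and TCP flags of one LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    return pkt

def flow_key(pkt):
    return (pkt["PROTO"], pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])

def suspicious_flows(lines):
    """Group logged TCP packets by 5-tuple. With the LOG rule placed after the
    RELATED,ESTABLISHED ACCEPT, a healthy flow logs only its SYN; a flow with
    logged non-SYN packets is not being matched as ESTABLISHED by conntrack."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt.get("PROTO") == "TCP":
            flows[flow_key(pkt)].append(pkt)
    report = {}
    for key, pkts in flows.items():
        non_syn = [p for p in pkts if "SYN" not in p["flags"]]
        if non_syn:
            report[key] = {"chain": pkts[0]["chain"], "logged": len(pkts),
                           "non_syn_logged": len(non_syn)}
    return report

def conntrack_status(entry):
    """Return (tcp_state, replied). [UNREPLIED] means conntrack has never seen a
    reverse-direction packet; until it does, every original-direction packet is
    ctstate NEW regardless of the TCP state shown, so it reaches the LOG rule."""
    m = CT_RE.match(entry)
    if not m:
        raise ValueError("unparsed conntrack entry: %r" % entry)
    return m.group("state"), "[UNREPLIED]" not in entry
```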





PGNd | 9 Dec 00:20 2014

function called in '/start' compiles OK; same function in '/initdone' FAILs to compile w/ "... Bareword "xx" not allowed while "strict subs" in use ...". Why?

I run

	shorewall version
		4.6.5.2

on linux/64.

I've added a script in a function

	/lib.private
		...
		setup_intfc_external_loc030() {
		  /bin/sh /usr/local/etc/shorewall/scripts/eth-setup "eth0"
		}
		...

if I add that script to

	/started
		...
		setup_intfc_external_loc030
		...

it compiles and execs without error.

if OTOH I mv that script to

	/initdone
		...
14		setup_intfc_external_loc030
		...

and compile, I get an error

	...
	Compiling...
	Processing /usr/local/etc/shorewall/params ...
	Processing /usr/local/etc/shorewall/shorewall.conf...
	Compiling /usr/local/etc/shorewall/zones...
	Compiling /usr/local/etc/shorewall/interfaces...
	Compiling /usr/local/etc/shorewall/hosts...
	Determining Hosts in Zones...
	Locating Action Files...
	Compiling /usr/local/etc/shorewall/policy...
	Running /usr/local/etc/shorewall/initdone...
	   ERROR: Couldn't parse /usr/local/etc/shorewall/initdone: Bareword
"setup_intfc_external_loc030" not allowed while "strict subs" in use at
/usr/local/etc/shorewall/initdone line 14.
	...

why is that function OK in 'start', but not in 'initdone'?

bug, or something else?

jonetsu@teksavvy.com | 8 Dec 23:34 2014

Sequence of packet processing

Hello,

  What would be the sequence of packet processing when having a
firewall with NAT?  Are the rules processed first, then the NAT?

Thanks.

Simon Hobson | 5 Dec 15:49 2014

Re: Unsubscribe

Matt Henderson <niall <at> makalumedia.com> wrote:

> Unsubscribe

It doesn't work like that!
See the bottom of this message? Like all the messages from this list, it has:

> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Click that link and you'll find yourself on a page where you can click to unsubscribe - scroll to the bottom,
put your email address in the box next to "Unsubscribe or edit options", and bonk the button.

Alternatively, in the headers (though most mail clients hide them) there are these links:
> List-Id: Shorewall Users <shorewall-users.lists.sourceforge.net>
> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,  <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=unsubscribe>
> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users>
> List-Post: <mailto:shorewall-users <at> lists.sourceforge.net>
> List-Help: <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=help>
> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,  <mailto:shorewall-users-request <at> lists.sourceforge.net?subject=subscribe>

The second one down is what you want: send a message with the subject set to unsubscribe to
shorewall-users-request <at> lists.sourceforge.net, which you will note is **NOT** the same as the address
for posting to the list.

These operations are common to most mailing lists, and certainly pretty well all powered by Mailman. You
will have received a welcome message when you joined the list with this information as well.

Ibrahim Hamouda | 5 Dec 10:05 2014

fiber between 2 shorewall sites

Hi all

I am setting up two sites with shorewall.

The two sites are connected through a fiber.

On every firewall I have 3 interfaces, eth0 connected to internet, eth1 for internal network, eth2 cross connection between sites.

I set up the two firewalls in the two-interfaces manner, then I added a zone “crx” on both firewalls for the cross connection.

I need to be able to route between the 2 sites through this fiber.

So in my policy file I set up:
crx loc ACCEPT
loc crx ACCEPT

Assuming eth2 is 50.50.50.1, eth1 is 192.168.170.1 on one firewall, eth2 is 50.50.50.2, eth1 is 192.168.171.1 on the other.

How can I make 192.168.170.0 network see 192.168.171.0 network through the 50.50.50 interfaces?

Thank you in advance for your help

Ibrahim Hamouda
