Brian J. Murrell | 16 Jun 16:17 2014

multiple openvpn connections

Hi,

I'm using shorewall 4.5.21.5 (on F20, FWIW, but that probably doesn't
matter much).

I have OpenVPN on my shorewall-protected router with a number of remote
connections (that all connect to me as they are all effectively road
warriors with dynamic IPs).

I've added zone entries as such:

vpn1 ipv4
vpn2 ipv4
vpn3 ipv4
vpn4 ipv4
vpn5 ipv4
vpn6 ipv4
vpn7 ipv4

and then interfaces as such:

vpn1 tun0
vpn2 tun0
vpn3 tun0
vpn4 tun0
vpn5 tun0
vpn6 tun0
vpn7 tun0

That yields an error about duplicate interfaces (tun0) in the interfaces

Nuno Fernandes | 16 Jun 12:28 2014

Masq File

Hello,

Reading http://www.shorewall.net/manpages/shorewall-masq.html I can see that
the SOURCE parameter is required. Nevertheless I have some firewalls where I
don't put the source address and Shorewall doesn't report any error:

 Example:

root ~ # cat /etc/shorewall/masq
eth0
eth2
ebckp:1.2.3.4

root ~ # shorewall check /dev/shm
(...)
Shorewall configuration verified

root ~ # shorewall version
4.5.16.1

Which is correct?

Thanks,
Nuno Fernandes


Lee Brown | 11 Jun 22:20 2014

Documentation out of date links

The useful links page has a few problems:

NIST guide http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
PPPPPPPS - good
Netfilter site - good
LARTC - good
Clustering - good
Iproute - obsolete?
Iproute2 Downloads - https://www.kernel.org/pub/linux/utils/net/iproute2/
LEAF - good
Behring - good
iptables tutorial https://www.frozentux.net/documents/iptables-tutorial/
Debian sources - good
About the author - good
Tom's presentations - good
Shorewall CIA tracker - *dead*

Regards -- lee

Eric Koome | 8 Jun 01:04 2014

Shorewall Events - Port knock & DNAT

Hi all,

I'm trying to implement port knocking for SSH behind NAT using Shorewall Events based on
http://shorewall.net/Events.html, but no joy. The port seems to be always open. That is, using
nmap to knock has no effect.

DNAT     net    $FW:pri.va.te.ip    tcp    22           pu.bl.ic.ip
Knock    net    $FW                 tcp    1699:1701
Knock    net    $FW:pri.va.te.ip    tcp    22

Any ideas? Using 4.5.21.

Eric 
Tom Eastep | 7 Jun 16:14 2014

Shorewall 4.6.1

Shorewall 4.6.1 is now available for download. I decided to release it
to allow users access to some new macros.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

None.

Note: The release notes in the packages mention a fix for 'rpfilter'.
That defect was actually corrected in 4.5.6.9 with a slightly different
description in the release notes.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve
    and IPMI (RMCP).
Thank you for using Shorewall.

-Tom

pi-rho | 6 Jun 16:56 2014

[BUG] rpfilter and dynamic chain

Debian Package: 4.5.21.6-1
Shorewall Version: 4.5.21.6

Configuration: one-interface example configs

Problem Statement: If rpfilter is set on all interfaces in the
interfaces config, no references to the dynamic chain are created and
later in the startup, the dynamic chain gets eliminated.

Troubleshooting: I believe I've read all the relevant documentation
(blacklisting, interfaces, etc.) and if this is an intended feature I
don't see that it is documented. I've tried varying my config to make
sure that Optimization isn't the cause. I seem to be Doing The Right
Thing as far as blacklisting goes (DYNAMIC_BLACKLIST=Yes, BLACKLIST=ALL).

I believe I've found the cause and have attached a patch which corrects
the issue (usr/shorewall/Shorewall/Misc.pm).

Lastly, thanks for all of your time on a great product.


Øyvind Lode | 5 Jun 12:05 2014

Monitoring packet and byte count

Hi all:

I want to monitor how much traffic a rule generates.

I have an ntp server running behind shorewall and I want to know how much traffic it generates.

UDP 123 forwarded to 192.168.1.2 which is the ntp server.

Is it as simple as looking at the pkts and bytes columns like this:

munin:~# shorewall show net2loc | grep udp
3425K  260M ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.2
udp dpt:123 /* NTP */
munin:~#

Does this include all traffic passing through the fw to the internal machine?
That is incoming and outgoing packets?

Or is shorewall-accounting required to get the accurate output of the actual packet and bytes count?

Shorewall 4.5.21.9.

My fw has two interfaces:

Eth0 is the external nic - connected to the Internet.
Eth1 is the loc zone where the ntp server is located.

Thanks,

-Øyvind

ricky gutierrez | 4 Jun 20:55 2014

routing multiple network

Hi list, I'm migrating from SuSEfirewall2 to shorewall. Several networks
are routed to me, coming from a router into my LAN, and from my LAN I can
reach those networks,

something like:

Internet ====eth1 - LinuxBOX - eth0====LAN (192.168.1.254/24) ==switch-LAN
                                 =
                                 =
                                 =
                                ROUTER
                              Other networks
                               192.168.2.0/24
                             192.168.3.0/24

in SuSEfirewall2, I add these networks to a couple of options and it
works:

FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.1.0/24,192.168.3.0/24 192.168.1.0/24,192.168.4.0/24 192.168.1.0/24,192.168.5.0/24 192.168.1.0/24,192.168.6.0/24"
FW_MASQ_NETS="192.168.1.0/24, 192.168.4.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.5.0/24"

but with shorewall I've been testing this tutorial
http://shorewall.net/Multiple_Zones.html and it gives me an error:


Howto define bandwidthd in shorewall (based rules in tc)

I have used shorewall for many years, but only in a simple LAN-and-WAN way. Now I'm in big trouble: excessive users crash the modem (which is not a bridged ADSL modem but an ADSL router). I decided to use a script of tc rules; it works, but I would rather use shorewall for this.

How do I do it? I got confused with the tcclasses, tcdevices and tc** policies in shorewall. My WAN is ADSL 50Mbps, with only 40% of the download guaranteed.

CentOS release 6.5
Shorewall 4.5.4

### tcdevices (wan/internet)

###############################################################################
#NUMBER:        IN-BANDWIDTH    OUT-BANDWIDTH   OPTIONS         REDIRECTED
#INTERFACE                                                      INTERFACES
# adsl (is this correct? the config below)
em1             2500kbit        200kbit
# network (internal)
p2p1            1000mbit        1000mbit

I use this script to limit one user; it's bad, but it works.

#!/bin/bash
TC=/sbin/tc
IF=p2p1             # Interface
DNLD=1mbit          # DOWNLOAD Limit
UPLD=512kbit          # UPLOAD Limit
IP=192.168.1.95     # Host IP
U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"

start() {

## what file config in shorewall?
## /etc/shorewall/tc???
    $TC qdisc add dev $IF root handle 1: htb default 30

## /etc/shorewall/tcclasses ???
    $TC class add dev $IF parent 1: classid 1:1 htb rate $DNLD
    $TC class add dev $IF parent 1: classid 1:2 htb rate $UPLD

## and this? /etc/shorewall/tcfilters ???
    $U32 match ip dst $IP/32 flowid 1:1
    $U32 match ip src $IP/32 flowid 1:2

}

...


Db Clinton | 2 Jun 17:00 2014

Running an FTP server via DNAT behind Shorewall

Hi,
I'm trying to accept FTP uploads (using VSFTP on Ubuntu 14.04) from within a Shorewall-managed LAN. nf_nat_ftp and nf_conntrack_ftp are both happily loaded on the Shorewall server and VSFTP is accepting clients from within the LAN. Here's the rule I've added to /etc/shorewall/rules:

DNAT            inet:eth1       lan:10.0.0.34:21        tcp     49034   -       xxx.xx.xx.xxx

...where 10.0.0.34 is my internal DNAT address, 21, obviously, is the FTP port I want to open up, 49034 is the port I use for port-forwarding through the firewall to my PC, and xxx.xx.xx.xxx is my external IP. As you can no doubt guess, this isn't working. My external client is getting a "could not parse response code" error.

Does anyone have any idea what I should be doing?
Thanks,

Göran Höglund | 2 Jun 14:26 2014

Instagram

Hi List!
Anyone who has any suggestion how to block users from using Instagram?

/Göran
