Rafal | 19 Feb 20:34 2016

Iptables chain to Shorewall - how to?

Hi!

Please help me add this iptables rule to Shorewall.

This rule works perfectly fine in iptables, blocking port 25 for
internal LAN connections to the server.
It blocks unwanted viruses/trojans etc. sending spam from behind NAT (infection).

I add this manually in the terminal:

iptables -I loc2net -p tcp --dport 25 -j DROP

This rule shows up in the loc2net chain and it is working perfectly well.

I have made some attempts in Shorewall, but none of them adds the rule to the
"loc2net" chain, and they work partially or not at all.

Please give me some advice.

Greetings.

Rafal

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

Ob Noxious | 19 Feb 05:29 2016

SMB from "net" zone

Hi,

For a special use case, I need to give access to a CIFS service (445/tcp) from the WAN. I'm struggling quite hard to sort this out. After finding that Samba wasn't the culprit and tshark showed no traffic on the interface related to TCP port 445, I got back to basics :-)

I tried the simplest form of tests from another (unrelated) host on the internet :

"nc -z destination-host 446" and the logs showed the expected "DROP" hits. Fine! Trying "nc -z destination-host 445" showed nothing in the logs.

"shorewall show | less" and searching for "445" showed it was present in the "Drop" chain. So I copied /usr/share/shorewall/action.Drop to /etc/shorewall/action.Drop and commented out the "SMB(@3)" line there.

"shorewall reload" and try again "shorewall show | less". Now the SMB rules are in the "Reject" chain! Ok then... same drill with "action.Reject" and commented out the "SMB(@3)" line.

Again, "shorewall reload" and "shorewall show | less" does not show any "445" port info. This should be good but it's not! "nc -z destination-host 445" still does not produce any DROP log while with port 446 it does.

What am I missing here?

I'm using Shorewall 5.0.2.1

--
ObNox
Steve Wray | 16 Feb 23:23 2016

Translating from existing policy routing to Shorewall

Hi,
I have an existing, working example of policy routing and I'd like to see if it's possible to implement this in Shorewall.

ip rule ls shows:

0:      from all lookup local
0:      from xxx.xxx.xxx.121 lookup eth2
0:      from all to xxx.xxx.xxx.121 lookup eth2
0:      from xxx.xxx.xxx.122 lookup eth2
0:      from all to xxx.xxx.xxx.122 lookup eth2
1:      from all fwmark 0x200/0x200 lookup TProxy
999:    from all lookup main
32765:  from all lookup balance
32767:  from all lookup default

I've been reading the Shorewall documentation on providers, rtrules etc and can't see how this fits together.

Thanks

Zenny | 9 Feb 16:31 2016

ad blocking to all connections out from a LOC zone

Hi,

Usually I add restricted URLs from lists like adaway to the /etc/hosts
file on a client computer.

But is there a way to implement this for a whole zone (usually LOC)
from Shorewall itself?

Thanks!

/z

Benny Pedersen | 8 Feb 07:08 2016

shorewall6 snat

ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport 43 -j SNAT --to-source your_ipv6_address

How is the above done in Shorewall?

(SLAAC workaround)

Brian J. Murrell | 2 Feb 19:33 2016

time-of-day routing

I have two providers, one is fast (with a bigger usage cap), one is
slow (with a smaller usage cap), so I generally default route through
the fast one as the dedicated primary route with the slow one sitting back
as secondary (i.e. for just when the first one goes down, not round-robin).

But the slow provider zero-rates (does not count usage) from 2am-8am.

What would be ideal would be to be able to configure Shorewall with
time-of-day route rules.  I may (or may not) necessarily want to completely
move the dedicated default route to the slower connection, but I might
like to configure a handful of routes (i.e. route rules) as preferring
the slower connection during 2-8am.

Given that I don't think the iproute package has any concept of time,
cron is probably the tool here.

Thoughts?

b.
Alex | 31 Jan 00:23 2016

Multiple networks on a single zone

Hi,
I'm using fedora22 with shorewall-4.6.11.1 which has been upgraded
from an ancient version of shorewall. It's working fine, but I haven't
really done much configuration so I'm not as familiar with
configuration as I once was.

We have a firewall with two interfaces - eth0 is a 10mbit link to the
Internet, and eth1 is a 1gbit local network with a handful of systems
on it.

We've just obtained another class C to go with the /28 we currently
have, and I'd like to add it to our DMZ.  Is it necessary to add a
network to a DMZ, or do I just refer to it as "dmz"? Here is my
config:

zones:
fw      firewall
vpn     ipsec
ext     ipv4
dmz     ipv4

interfaces:
ext     eth0            blacklist,tcpflags,norfc1918
dmz     eth1
vpn     ipsec0

hosts:
vpn     eth0:192.168.1.0/24,68.195.111.42       ipsec

policy:
vpn             dmz             ACCEPT
dmz             vpn             ACCEPT
dmz             dmz             ACCEPT
ext             ext             REJECT          info
ext             dmz             REJECT          info
all             all             REJECT          info

params has just a list of each host and the zone:

NOCMON=dmz:64.1.11.18
NS1=dmz:64.1.11.27
OLDDTI=ext:204.210.162.18
....

I'd also appreciate any tips on other configuration changes I should
make to improve the firewall.

Any ideas greatly appreciated.
Thanks,
Alex

Iam7of9 Iam7of9 | 30 Jan 09:22 2016

Help with isolation

I have a two-interface Shorewall setup.
I also have a DHCP server which gives a small range of IP addresses to unknown hosts and allows them on the network. The rest are all fixed addresses assigned according to MACs.
I want to isolate these unknown clients (so they are not able to see the other users) and put certain restrictions on them.

Can you suggest somewhere (url) for me to get this info?
Zenny | 29 Jan 20:08 2016

shorewall in edge router lite (ERL3)

Hi,

Since EdgeOS (VyOS) does not have a zone-based firewall by default, and
in addition the CLI-based solution described here
(https://help.ubnt.com/hc/en-us/articles/204952154-EdgeMAX-Zone-Policy-CLI-Example)
is a PITA, has someone deployed Shorewall on an EdgeRouter Lite 3?

I searched around, but the replies*** seemed to be nowhere near
Shorewall quality.

I would appreciate it if any successful implementation of Shorewall on the Edge
Router Lite could be shared here. Thanking you in anticipation.

/z

***https://community.ubnt.com/t5/EdgeMAX/Zone-based-firewall/td-p/816720

Zenny | 29 Jan 19:58 2016

rule for allowing users in LOC zone to the websites running in DMZ zone

Hi,

I am using a 3-interface Shorewall setup and it is working very well. However, I
could not figure out how the users in the LOC zone can access the websites
running in the DMZ zone.

Appending:

Web(ACCEPT)  loc    dmz:192.168.10.111

to rules didn't do as expected. Instead, trying to access the websites
running in the DMZ zone opens the login page of the modem in bridge mode.
However, one can access the site from outside of the Net.

Thanks for input.

/z

Kade Hampson | 23 Jan 10:51 2016

Basic Static Routing

Good morning/afternoon,


I have been looking at this for the past two days without any success.

I run a layer 3 VPN with the gateway sitting on 192.168.0.254 but I cannot for the life of me get shorewall to forward packets for subnet 192.168.1.0/24 to the gateway…


Please help me, I am desperate!


If you need any more info please email me back


Regards


Kade Hampson
