h15234 | 22 Mar 20:52 2015

testing 'uninstall', doesn't uninstall from DESTDIR=

starting with

	cd    ./SW-BUILD
	ls -1d *
		shorewall-core-4.6.7/
		shorewall-init-4.6.7/
		shorewall-lite-4.6.7/

defining

	export PKGS="\
	 shorewall-core \
	 shorewall-lite \
	 shorewall-init \
	"

installing

	THIS="/work/SW-PKG"
	for P in ${PKGS}
	do
	 pushd .
	 cd ./${P}-4.6.7
	 DESTDIR=${THIS} ./install.sh shorewallrc.debian
	 popd
	done

populates the DESTDIR tree

	find ${THIS} -type d | wc
(Continue reading)

h15234 | 22 Mar 05:45 2015

request for 'generic' host install option

I'm now managing shorewall centrally on a bunch of different machines.

I want to control the version I install so I can have a consistent version, with its capabilities, across all platforms.

Can't depend on the different pkgs for this -- they're different versions.  Building rpms & debs etc is a PITA.

My goal is a single tarball install that I will deploy into /opt/shorewall.

I found the build & install docs about the shorewallrc 'method'.

I created a 'shorewallrc.generic' for each of the packages and set up the locations like I need them.

Since I want a 'generic' build, I chose HOST=linux -- it's one of the options, and you can't set your own if
it's not listed.  The install fails.

With HOST=linux all the installs are OK -- except for shorewall-init.

It fails with

	ERROR: Shorewall-init is not supported on this system

That's because of

cat  ./shorewall-init-4.6.7/install.sh
	...
	case "$HOST" in
	...
>>>	    linux)
>>>	        echo "ERROR: Shorewall-init is not supported on this system" >&2
>>>	        exit 1
(Continue reading)

Martin Kasztantowicz | 17 Mar 17:47 2015

Unable to set up inter-vpn-traffic rules

Hi,

I have a server running shorewall (hub) which does masquerading to a local LAN via a second NIC and has LAN-to-LAN connections to 3 different locations (spokes) via strongSwan IPsec tunnels. Everything works as expected but I can't find out how to tell shorewall to allow traffic between the spokes via the hub. I have already added routeback options on all interfaces and zone hosts but to no avail.

This is my topology:

Hub Server (OpenSuse 13.2, StrongSwan 5.1.3,  Shorewall 4.6.7)
s142-router.geotek.de
NAT to local LAN 10.40.22.0/24

connected via IPsec to:
Remote LAN1: 10.119.50.0/24
Remote LAN2: 192.168.10.0/24
Remote LAN3: 192.168.10.0/24

I can reach the local hub lan from any remote location and vice versa but I can't reach LAN2 from LAN1 as an example. Trying to ping between these locations shows up on the shorewall log as:

Mar 17 13:53:28 s142-router kernel: Shorewall:mangle:PREROUTING:IN=ens160 OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=35637
Mar 17 13:53:28 s142-router kernel: Shorewall:nat:PREROUTING:IN=ens160 OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=35637

A shorewall dump is enclosed.

It is clear that I have to tell shorewall how to handle inter-VPN traffic but I have no idea how to do this. Could you please give me a hint?

Best Regards,

Martin


Attachment (shorewall_dump.zip): application/x-zip-compressed, 13 KiB
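As an added example (not code from this thread or from Shorewall itself), here is a small Python parser for Shorewall kernel log lines like the two quoted above, which classifies each flow by the hub-and-spoke networks in the post and lists spoke-to-spoke pairs whose only log entries are PREROUTING hits, i.e. packets that entered the hub but were never logged by a forwarding chain. The third sample line, its interface name ens192 and chain name vpn2loc are constructed, and the function only sees what the LOG rules actually record.

```python
import ipaddress
import re

# Networks taken from the post above (the third spoke is omitted because the
# post gives it the same prefix as LAN2).
LOCAL_LAN = ipaddress.ip_network("10.40.22.0/24")
SPOKES = [ipaddress.ip_network("10.119.50.0/24"),
          ipaddress.ip_network("192.168.10.0/24")]

# First two lines are the ones quoted in the post; the third is constructed to
# show a spoke-to-hub-LAN flow (interface ens192 and chain vpn2loc are assumed).
SAMPLE_LINES = [
    "Mar 17 13:53:28 s142-router kernel: Shorewall:mangle:PREROUTING:IN=ens160 OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=35637",
    "Mar 17 13:53:28 s142-router kernel: Shorewall:nat:PREROUTING:IN=ens160 OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=35637",
    "Mar 17 13:54:02 s142-router kernel: Shorewall:vpn2loc:ACCEPT:IN=ens160 OUT=ens192 MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 DST=10.40.22.5 LEN=60 TOS=0x00 PREC=0x00 TTL=253 ID=8755 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=35638",
]

# Everything between "Shorewall:" and ":IN=" is the log prefix; the rest of the
# line is netfilter's key=value packet description.
LOG_RE = re.compile(r"Shorewall:(?P<prefix>.+?):(?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, val)   # ID= appears twice for ICMP; keep the IP-header one
    return rec

def side_of(addr):
    """Which side of the hub an address belongs to."""
    a = ipaddress.ip_address(addr)
    if any(a in n for n in SPOKES):
        return "spoke"
    return "local" if a in LOCAL_LAN else "other"

def classify(rec):
    return f"{side_of(rec['SRC'])}->{side_of(rec['DST'])}"

def spoke_to_spoke_without_forward(lines):
    """(SRC, DST) pairs between spokes whose logged hits are all PREROUTING ones,
    i.e. the packet entered the hub but no forwarding chain logged it."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec) != "spoke->spoke":
            continue
        seen.setdefault((rec["SRC"], rec["DST"]), set()).add(rec["prefix"])
    return sorted(pair for pair, prefixes in seen.items()
                  if all(p.endswith(":PREROUTING") for p in prefixes))
```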
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
Brian J. Murrell | 17 Mar 04:24 2015

proactively (manually) saving ipsets?

So, I have "SAVE_IPSETS=Yes" in /etc/shorewall.conf but my understanding
is that that only saves the ipsets when shorewall is being shut down.

But that doesn't account for a router "reboot" (i.e. power outage, etc.)
and what changes were made to the ipset between the last stop and the
unexpected router death.  What would help, though, would be periodically (even
after every ipset change if one was really paranoid) saving the ipsets
while shorewall is running.

Is there a manual "save ipsets" command in shorewall[-lite]?  Something
along the lines of:

# shorewall[-lite] saveipsets

FWIW, I did notice 

COMMAND="$1"

case "$COMMAND" in
...
    savesets)
	if [ $# -eq 2 ]; then
	    save_ipsets $2
	else
	    usage 2
	fi
	;;

in the generated "firewall" script but could not work out how that could
get called.  It seems like I ought not need to specify where I want them
saved either.  It should just save them in ${VARDIR}/ipsets.save like it
does in stop_firewall().

Cheers,
b.

Rich Wales | 12 Mar 21:52 2015

DNAT inbound traffic to a VPN doesn't work, connection times out

I'm having a Shorewall problem on a brand-new virtual server I'm setting up.

(Shorewall version = 4.5.21.6; OS = Ubuntu 14.04.2 LTS; kernel =
3.13.0-46-generic, 64-bit.)

I want to forward inbound IMAP connections to another server, accessible
via a VPN (OpenVPN 2.3.2).

When I try to do this, however, the connection attempt sits for several
minutes before eventually timing out.

The attached Shorewall dump shows what happened when I tried to do
"telnet 192.163.200.166 imap" on the host 68.65.164.12. 
(192.163.200.166 is the IP address of my virtual server.)

If I try to connect manually to the IMAP service I'm trying to DNAT to
("telnet 10.0.227.2 imap" on the virtual server), it connects just fine.

Any suggestions would be welcomed.  Please let me know if more info is
needed or would help.  Thanks.

Rich Wales
richw <at> richw.org
Attachment (dump.txt.gz): application/gzip, 9 KiB
Tom Eastep | 12 Mar 15:41 2015

Shorewall 4.6.7

Shorewall 4.6.7 is now available for download.

Problems Corrected:

1)  This release includes defect repair from Shorewall 4.6.6.2 and
    earlier releases.

New Features:

1)  The 'tunnels' file now supports 'tinc' tunnels.

2)  Previously, the SAME action in the mangle file had a fixed timeout
    of 300 seconds (5 minutes). That action now allows specification of
    a different timeout.

3)  It is now possible to add or delete addresses from an ipset with
    entries in the mangle file. The ADD and DEL actions have the same
    behavior in the mangle file as they do in the rules file.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Marcello Giordano | 9 Mar 17:07 2015

Packet mangling stops after restarting vpn

Hi all,

I have a multi-isp in which one provider is my regular connection (on 
eth0) and the other is a vpn connection (using openvpn on tun0).

I wrote a rule in the mangle file to mark all packets from a specific 
user to be routed automatically through the vpn, while the rest of the 
traffic goes through eth0.

Everything works fine, until the vpn connection is restarted (after an 
inactivity timeout for example). The packets for the specific vpn user 
are still being marked, but they are not routed through the correct tun0 
interface anymore.

Dump file attached.
Anything I am doing wrong?

Regards,
MG

-- 
Marcello Giordano
giordanom <at> ftml.net
Attachment (dump.tar.gz): application/x-gzip, 10 KiB
Hristo Benev | 5 Mar 17:54 2015

Shorewall canada mirror

Hi,

The Canada mirror http://canada.shorewall.net has been switched from apache to nginx.

Please, let me know in case of issues.

Many thanks to Tom for his help.

Hristo

Brian J. Murrell | 27 Feb 17:08 2015

Multi-ISP: [controlling] source address in ipv6

Hi,

I know in Shorewall for IPv4 there are rules to ensure that the correct
source address is being used for each of the interfaces in a Multi-ISP
configuration.

Does such a thing exist for IPv6?  Maybe Shorewall is the wrong tool?

I have a problem where my router seems to be using an address from a
different interface when sending ICMP6 packets out.  To clarify, I have
two IPv6 providers with two different IP addresses for them on my end.
At some point on interface A, the (Linux, Shorewall) router will need to
send an ICMP6 "packet too big" packet to a remote.  The problem is that
when it does this it is sending it from the IP address on interface B.

Can I solve this with Shorewall6?

Cheers,
b.

Eduardo Diaz - Gmail | 24 Feb 10:48 2015

Can use shorewall to DROP 25 port using DNSBL

Hi to all, I am fighting a DDOS based on SMTP mail.

I am using Debian 7.7 x86 and Shorewall-4.5.5.3

I am getting errors on my domain from attempts to send mail every second or more.

2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] sender verify fail for <cikevek106 <at> adycoaduanas.com>: Unrouteable address
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] F=<cikevek106 <at> adycoaduanas.com> rejected RCPT <cikevek106 <at> adycoaduanas.com>: Sender verify failed
2015-02-24 10:25:21 unexpected disconnection while reading SMTP command from ([58.187.161.220]) [58.187.161.220] (error: Connection reset by peer)


At the beginning I used fail2ban to ban the concurrent connections, but the bad people learned not to make the same connection more than once. :-(

All the IP addresses are listed in a DNSBL and I can use a simple script to test if this connection is listed in the DNSBL (using an internal program to cache every IP).

My intention is:

For every connection that is made, shorewall launches the script or the rule: if it is listed in the DNSBL, DROP; if not, allow it to connect to the mailserver.

Does Shorewall have this functionality? Because I searched the documentation and I don't find anything similar, only the blacklist functionality.

Regards and thanks for the responses.
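As an added example (not code from this thread or from Shorewall), here is the DNSBL check the poster describes, in Python: it builds the reversed-octet query name, treats only a 127.0.0.0/8 answer as a listing, and caches the verdict per source address the way the poster's internal program does. The zone dnsbl.example, the resolver table and the unlisted sample address are constructed placeholders; system_resolve is the real lookup.

```python
import ipaddress
import socket

# Placeholder zone: replace with the DNSBL you actually subscribe to.
DNSBL_ZONE = "dnsbl.example"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """A DNSBL is queried for 'd.c.b.a.<zone>' for the IPv4 address a.b.c.d."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolve(name):
    """Real lookup through the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_listed(ip, resolve=system_resolve, zone=DNSBL_ZONE):
    """True only if the answer is a 127.0.0.0/8 record. Anything else (for
    example a wildcard answer from a parked or expired zone) is not a listing,
    otherwise every peer would be dropped the day the zone is retired."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)

def decide(ip, cache, resolve=system_resolve, zone=DNSBL_ZONE):
    """Return 'DROP' or 'ACCEPT', caching the verdict per IP so a peer is
    looked up once, not once per connection attempt."""
    if ip not in cache:
        cache[ip] = is_listed(ip, resolve, zone)
    return "DROP" if cache[ip] else "ACCEPT"

# Constructed offline resolver table so the example runs without DNS. The
# listed address is the one from the poster's mail log; 192.0.2.10 is a
# documentation-range address that gets a non-127/8 (parking-style) answer.
CONSTRUCTED_DNS = {
    "220.161.187.58.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.dnsbl.example": ["198.51.100.1"],
}

def fake_resolve(name):
    return CONSTRUCTED_DNS.get(name, [])
```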

Donald S. Doyle | 20 Feb 08:26 2015

IP Info in Shorewall vs. Info in Spiceworks

Hello,

I am using Shorewall and Spiceworks.  They are on two different servers.  Spiceworks will send me a message that the router or a server on the network is communicating with a suspicious IP address which I have blacklisted in Shorewall.  I asked Spiceworks about this and they sent me to http://community.spiceworks.com/how_to/86147-how-to-investigate-alienvault-threat-alerts-in-spiceworks to explain how Spiceworks/AlienVault works.  Beyond that, they offered no other info as they do not know anything about Shorewall.

Can anyone shine any light on this?  It does not make sense to me.

Thanks for your time and have a great day,

Don

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk