Felipe Román | 18 Mar 17:25 2016

qos different speed on the same interface

Hello guys, this is my first message to this list.

To the point.
I have a "problem" with QoS: we have different speeds on the network
provider link, 100mbit download and 100mbit upload on national
connections, and 10mbit download and 10mbit upload on international
connections.

I set the qos to work with 100/100mbit and it works perfectly, but this
is only ok with the national connections; with international connections
I still have my link saturated.

So, can I set a different speed on the same interface based on geoip or
something?

I thought of using 2 interfaces for the same provider, and making a masq
rule for national destinations (with geoip) and the rest of the
connections with a masq on the other interface. This solves the different
speed problem for the qos, but how can I route the same provider over 2
interfaces using the same gateway?

Any idea is welcome.

Thank you very much.

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
(Continue reading)

Tom Eastep | 18 Mar 16:29 2016

Shorewall 5.0.6.2

Shorewall 5.0.6.2 is now available for download.

Problems Corrected:

1)  In Shorewall 5.0.6 and 5.0.6.1, the 'check -r' command died with an
    assertion failure. That has been corrected.

2)  When DOCKER=Yes and Docker is started, a jump to the DOCKER chain
    is now placed in the OUTPUT chain.

3)  When a provider interface is optional and the GATEWAY column
    contains 'detect', the generated script now looks in the main
    routing table for a route to the interface in addition to in DHCP
    files and the provider table. This allows the route to be found
    when it was not previously.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

(Continue reading)

Eddie | 16 Mar 01:54 2016

Multiple Providers without Balance Rule

Hi,

Playing around with setting up two outgoing connections.  One being my
normal ISP via a cable modem.  The other an outbound VPN.  The idea,
eventually, is to route only certain packets, via Mangle rules, out
through the VPN.  After setting up the 2 entries in the Providers file,
I see that the Routing rules end with a table called "balance".

Is there a way to configure the Providers so that all packets that
aren't routed via a specific rtrule only use the ISP connection?
Currently, I've added a catch-all rtrule that does this ahead of "balance".

I've tried various combinations of "track", "balance", and "loose" in 
the provider file, but I either end up with the "balance" Routing rule 
or I don't have the automatically generated rules that force any 
incoming traffic back down the interface it arrived on.

I'm guessing it's a fairly simple configuration that I've overlooked.

Cheers.

Göran Höglund | 15 Mar 13:18 2016

Per IP accounting and traffic intercepted by shorewall and squid

Hi,
I am trying to use per IP accounting from lan (eth1) to net (eth0):
ACCOUNT(lan,192.168.1.0/24)    -       eth1    eth0
ACCOUNT(lan,192.168.1.0/24)    -       eth0    eth1

This works very well except for traffic redirected to squid used as a
transparent proxy.
How do I define a rule for the firewall itself?

Thanks Göran

Thomas D. | 13 Mar 16:10 2016

Extend PAGER support

Hi,

I like the new PAGER support added in v5.0.6.

However, as package maintainer, I am asking myself whether I should set this
to something by default or leave it up to the user.

For example on Gentoo we have `eselect pager` which will set an
environment variable "$PAGER".

Debian/Ubuntu has something similar via `update-alternatives`.

What about having a special variable like "SYSTEMDEFAULT" which will use
whatever $PAGER is set to?

PAGER=              -- No pager
PAGER=SYSTEMDEFAULT -- Use any $PAGER (can be dynamic! Don't hard code
                       its current value into the compiled firewall
                       script)
PAGER=/usr/bin/less -- User specified a specific pager

-Thomas

(Continue reading)

Csányi Pál | 13 Mar 09:32 2016

http://cspl.hu from my LAN

Hi,

my home network is like:

ISP
|
- Cable modem
__|-- headless server Bubba2, Gentoo linux ( firewall, router )
____|-- plug & play Switch
______|-- desktop machine, Gentoo linux
______|-- raspberry pi 2 RasPi, Gentoo linux ( webserver- nginx )

I have a registered FQDN, cspl.hu, so I want to use it on RasPi's webserver.
RasPi's webserver is reachable from the Internet (I think, because
I'm at home right now).
I can reach the RasPi webserver from the LAN using its LAN IP address:
http://192.168.50.200 .
Its IP address is always the same, because of dnsmasq's setup on Bubba2.
But I can't reach it from the LAN when I use http://cspl.hu .

Rules are on Bubba2:
# allow local network users to reach my webserver
Web(ACCEPT)     loc             $FW
Web(ACCEPT)     loc     loc:192.168.50.200

# DNAT forwarding Web to RasPi
Web(DNAT)       net     loc:192.168.50.200

# To be able to reach cspl.hu from LAN
DNAT    loc             loc:192.168.50.200      tcp     80      -
(Continue reading)

PH | 12 Mar 03:34 2016

Automatically blacklist IP

Hi,

Using Shorewall 5.0.6.1

Is it possible for Shorewall to automatically blacklist an IP for a length of time when a user has more than 3
failed ssh login attempts?

Thanks,
Patrick

Tom Eastep | 9 Mar 22:50 2016

Shorewall 5.0.6.1

Shorewall 5.0.6.1 is now available for download. This release is of
interest only to those users who set DOCKER=Yes.

Problem Corrected:

1)  Start/restart/reload failed under the following conditions:

    - DOCKER=Yes
    - The firewall had been started previously with Docker running.
    - The start, restart or reload command was executed with Docker not
      running.

    This failure is caused by a typo which resulted in the
    ${VARDIR}/.nat_OUTPUT file not being removed when Docker isn't
    running (${VARDIR} usually expands to
    /var/lib/shorewall[6][-lite]).

    Now, when these conditions are met, the generated script removes
    the .nat_OUTPUT file, thus avoiding the failure.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

(Continue reading)

Tom Eastep | 8 Mar 19:49 2016

Shorewall 5.0.6

The Shorewall Team is pleased to announce the availability of Shorewall
5.0.6.

Problems Corrected:

1)  This release includes defect repair through Shorewall 5.0.5.1.

2)  Previously, the generated function define_firewall() contained
    logic for handling the 'stop' and 'clear' commands. Beginning with
    this release, the function will no longer include that logic, since
    define_firewall() is not called when processing those commands.

3)  The 'persistent' option on a provider previously resulted in
    a duplicate routing rule being created each time that the provider
    was disabled. This has been corrected so that duplicate rules are
    not created.

New Features:

1)  The GATEWAY column in /etc/shorewall[6]/providers may now contain
    the keyword 'none'. This will create a routing table with no
    default route, to allow handling policy-routing scenarios where a
    default route is not required.

2)  Previously, when both Shorewall and Docker were used on the same
    system, one of two approaches had to be followed:

    a)  Run docker with --iptables=false and use Shorewall to
        configure Netfilter.

(Continue reading)

Mario Vittorio Guenzi | 7 Mar 13:42 2016

postrouting rules

Good morning everyone,
first of all sorry for my poor English. I have a situation like this in the
company:
2 Debian 7.x machines, each acting as a gateway firewall on a different line
(obviously).
The two machines have internal IPs respectively
perseo 192.168.2.240
sangiorgio 192.168.2.237
LAN is obviously 192.168.2.0/24
EXTIF = eth0 WAN interface
INTIF = eth1 LAN interface
EXTIP = external static IP
INTIP = internal static IP
CHIMERA= 192.168.2.224
On the two gateways runs heartbeat, which raises 192.168.2.241, which is the
company gateway to the Internet; the master machine is perseo, and
sangiorgio intervenes only if the other side has no line.
We have a number of VPNs entering / leaving and for convenience I have
decided that all VPN traffic must pass through sangiorgio (the slave machine).
Until today I made the firewall scripts manually, but after years of
modifications and additions they have become real monsters.
I would like to move to shorewall and have a somewhat more
"simple" management.

Currently I get the desired result with a "package" of rules
like this:

$IPT -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 775 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 775 -j DNAT
(Continue reading)

John Candlish | 7 Mar 10:50 2016

DNAT corruption with Multi-ISP: MSS related?

Hi shorewall-users

Looking further at this it seems to be related to differing MSS values
for the ppp0, eth3 physical interfaces, and also the virtual interface
of the webserver in the DMZ.

tcpdump files at the webserver and firewall interfaces show that the
packets are being split into smaller pieces going out the firewall,
and that retransmissions are triggered by webserver packets with big
payloads.

I suppose that this can be tuned via the MTU of the affected
interfaces or by the MSS parameter of the shorewall configuration.

What are the recommended best practices in this situation?

Links to relevant tcpdump files:
https://drive.google.com/file/d/0B-r0kOumKPg2TUJCZ1cxdS1zbms/view?usp=sharing
https://drive.google.com/file/d/0B-r0kOumKPg2M0s3cnN0Z3dDNUU/view?usp=sharing

Thanks
jCandlish

(Continue reading)


Gmane