TN Patriot | 25 Dec 02:48 2013

A wishfer...


  Best wishes and a Merry Christmas/Happy Chanuka/happy holidays to all who work so
  hard on a great app. Thank you all very much.

  Stay safe, warm and happy this season,

    John B.

-- 
http://www.lawcollective.org/  Learn your rights through cartoons!

http://www.roadblock.org/rights/  Know your rights about and at roadblocks!

http://fija.org/  Learn about Jury Nullification! Take back your rights from the
over-reaching: police, justice system and government!

Why does the government want to ban assault weapons? Because you won’t get in 
the box car willingly.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Sassy Natan | 24 Dec 23:49 2013

NetFlow/Sflow in Shorewall

Hi Group,

I have been using shorewall with NFLOG to log my network traffic.
IPTABLES "captures" the traffic using NFLOG, which is then sent to ULOG2, which then goes into a DB like MYSQL.

So far so good, cause everything is working fine.

However I have some questions in mind and I know it is not relevant to shorewall, but maybe someone could help me here, or even tell me what is the mail for the ulog group.


1. How does NFLOG work? Is it somehow related to PCAP?
What I understand is that NFLOG works in non-promiscuous mode while PCAP runs in promiscuous mode, but I'm still not sure if I'm right here.

2. ULOG2 has support for working with pcap (http://rlworkman.net/howtos/ulogd.html), so I can generate a log file which can then be analysed with tcpdump.

3. I saw this http://sourceforge.net/projects/ipt-netflow/ and this https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg08578.html since I want to have shorewall generate netflow format for a netflow collector.

There is http://www.3open.org/d/voyage/setup_netflow_exporter and http://sourceforge.net/projects/fprobe/ which seem able to do that, but I'm not sure if shorewall supports it.

Can someone help me better understand the relation between
NFLOG + PCAP + NETFLOW + SFLOW 


Thank you
Sassy

--
Regards,

Sassy Natan
972-(05)54-2203702
CubeMail Flow | 21 Dec 10:27 2013

Shorewall ERROR: Invalid Rate (50mbit:200kb)

Dear Team,

I am facing the following error in shorewall complex configuration mode.

For the simple configuration, everything is working fine for me:


Kindly find the error below.

ERROR: Invalid Rate (50mbit:200kb) /etc/shorewall/tcdevices (line 11)
Dec 20 12:39:16 Xadmin: ERROR:Shorewall restart failed


shorewall]# shorewall debug restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
WARNING: *** lan is an EMPTY ZONE ***
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/notrack...
Running /etc/shorewall/initdone...
Compiling /etc/shorewall/blacklist...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/tcdevices...
ERROR: Invalid Rate (50mbit:200kb) /etc/shorewall/tcdevices (line 11)


kindly help on this.

Thanking you,


CubeMail

Tom Eastep | 19 Dec 19:02 2013

Shorewall 4.5.21.5

Shorewall 4.5.21.5 is now available for download.

Problems Corrected:

1)  A number of minor updates have been made to the documentation and
    manpages.

2)  The 'postcompile' extension script is now documented at
    http://www.shorewall.org/shorewall_extension_scripts.htm

3)  The 'add' command previously failed if 'IPSET=' appeared in the
    shorewall.conf file. This has been corrected.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

shorewall | 17 Dec 23:09 2013

shorewall add fails with IPSET=

Hi all

I have a CentOS6 box with shorewall-4.5.21.
If I have IPSET= in shorewall.conf and I issue the command "shorewall add
ppp:192.168.33.3 ptp", I get the error:
/usr/share/shorewall/lib.cli: line 585: [: too many arguments
   ERROR: Zone ptp, interface ppp does not have a dynamic host list

The error is corrected setting the actual path to ipset in shorewall.conf,
or via the patch:
--- /usr/share/shorewall/lib.cli.orig   2013-12-17 22:52:13.000000000 +0100
+++ /usr/share/shorewall/lib.cli        2013-12-17 22:54:04.843146111 +0100
 <at>  <at>  -582,7 +582,7  <at>  <at> 
 determine_ipset_version() {
     local setname

-    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
        IPSET=$(mywhich ipset)
        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
     fi
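Review bot: the `+` line fixes the right thing, but the bug report's commit text should name the mechanism: with `IPSET=` in shorewall.conf the unquoted `$IPSET` in `-    if [ -z "$IPSET" -o $IPSET = ipset ]; then` expands to nothing, so `[` is handed the words `-z "" -o = ipset`, bash rejects that with "too many arguments" (the message quoted in the report), the test returns false, and `determine_ipset_version` skips the `mywhich ipset` lookup and the `fatal_error` check entirely, which is why the failure surfaces later as the misleading "does not have a dynamic host list" error. Quoting both operands, as the `+` line does, makes an empty value a legal string operand. Consider going one step further and writing `if [ -z "$IPSET" ] || [ "$IPSET" = ipset ]; then`: POSIX marks the `-o` form of `test` obsolescent and it is ambiguous for some operand values, while two separate tests parse the same way in every sh.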

After applying it, the above command yields:
# shorewall add ppp:192.168.33.3 ptp
Host ppp:192.168.33.3 added to zone ptp

Maybe the small patch could be included in some new version.

Thank you.
Luigi
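As an added example, not part of Luigi's report or of Shorewall's own code, the following stand-in for determine_ipset_version() reproduces the failure in any POSIX sh, with the original test and the patched test side by side. The names mywhich_stub, ipset_version_unquoted and ipset_version_quoted are assumptions for this demonstration.

```shell
# Stand-in for Shorewall's mywhich: pretend the binary lives in /usr/sbin.
mywhich_stub() {
    echo "/usr/sbin/$1"
}

# Original test. When IPSET is empty the unquoted $IPSET vanishes from the
# command line, so [ receives the words: -z "" -o = ipset. That is not a
# valid expression (bash: "too many arguments"), the test fails, and the
# path lookup is skipped, leaving IPSET empty. stderr is silenced only so
# the demonstration stays quiet.
ipset_version_unquoted() {
    IPSET=$1
    if [ -z "$IPSET" -o $IPSET = ipset ] 2>/dev/null; then
        IPSET=$(mywhich_stub ipset)
    fi
    printf '%s\n' "$IPSET"
}

# Patched test, quoted exactly as in the + line of the patch: an empty
# IPSET is now a legitimate (empty) operand, -z matches, and the lookup runs.
ipset_version_quoted() {
    IPSET=$1
    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
        IPSET=$(mywhich_stub ipset)
    fi
    printf '%s\n' "$IPSET"
}

# Show all three interesting inputs: empty (the IPSET= case from the
# report), the bare word ipset, and an explicit path.
for value in '' ipset /sbin/ipset; do
    printf 'unquoted IPSET=%-14s -> %s\n' "'$value'" "$(ipset_version_unquoted "$value")"
    printf 'quoted   IPSET=%-14s -> %s\n' "'$value'" "$(ipset_version_quoted "$value")"
done
```

Only the empty value differs between the two forms, which is exactly why the bug hides until someone leaves `IPSET=` blank. The patched form keeps the `-o` operator from the report; `[ -z "$IPSET" ] || [ "$IPSET" = ipset ]` is the equivalent that every POSIX sh parses unambiguously.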

jen142 | 17 Dec 18:56 2013

How to locally compile blrules with ipsets that exist only at runtime on the remote?

I've installed

	shorewall version
		4.5.21.4

Reading up

	@ http://www.shorewall.net/upgrade_issues.htm#idp3157976

		"
		...
		Versions >= 4.5.0
		...
		The BLACKLIST section of the rules file has been
		eliminated. If you have entries in that file section,
		you must move them to the blrules file."
		...
		"

	@ http://shorewall.net/blacklisting_support.htm#idp2730648

		"
		...
		Rule-based Blacklisting

		Beginning with Shorewall 4.4.25, the preferred method of
		blacklisting and whitelisting is to use the blrules file
		(shorewall-blrules (5)). There you have access to the
		DROP, ACCEPT, REJECT and WHITELIST actions, standard and
		custom macros as well as standard and custom actions.
		See shorewall-rules (5) for details.
		...
		"

	@ http://shorewall.net/manpages/shorewall-rules.html

		"
		...
		SOURCE -
		{zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
		...
		If your kernel and iptables have ipset match support
		then you may give the name of an ipset prefaced by "+".
		...
		"

I configure one IPSET-containing blrule,

	cat blrules
		#ACTION  SOURCE             DEST
		DROP     +TEST_IPSET        all

The IPSET is a run-time defined IPSET.  I.e., it exists, pre-defined on
the remote, not locally on the admin

	@ remote
		ipset -L | grep -i TEST_IPSET
			Name: TEST_IPSET

	@ local admin
		ipset -L | grep -i TEST_IPSET

When I try to compile it for remote installation

	shorewall load test.gateway.int
		Compiling...
		Processing /home/jenl/shorewall/params ...
		Processing /home/jenl/shorewall/shorewall.conf...
		Shorewall has detected the following capabilities:
		...
		Compiling /home/jenl/shorewall/zones...
		Compiling /home/jenl/shorewall/interfaces...
		   Interface "net eth0
		   dhcp,tcpflags,logmartians,nosmurfs" Validated
		Determining Hosts in Zones...
		   fw (firewall)
		   net (ipv4)
		      eth0:0.0.0.0/0
		Locating Action Files...
		Compiling /home/jenl/shorewall/policy...
		   Policy for net to fw is DROP using chain net2all
		   Policy for fw to net is REJECT using chain all2all
		   Policy for net to fw is REJECT using chain all2all
		Running /home/jenl/shorewall/initdone...
		Adding Anti-smurf Rules
		Adding rules for DHCP
		Compiling TCP Flags filtering...
		Compiling Kernel Route Filtering...
		Compiling Martian Logging...
		Compiling MAC Filtration -- Phase 1...
		Compiling /home/jenl/shorewall/blrules...
		   ERROR: Unknown source zone (+TEST_IPSET)
		   /home/jenl/shorewall/blrules (line 2)

How do I get this to compile correctly to be 'run-time' aware, without
having to create each remote's IPSETs locally on the admin instance?

Is there a toggle/flag that can identify an IPSET as compile-time
(locally defined) vs run-time (defined at remote)?

Sassy Natan | 13 Dec 20:30 2013

Re: NFLOG

Hi Wayne

Thanks for the reply!

I was wondering if NFLOG supports the accounting module.
At least shorewall supports this according to http://www.shorewall.net/shorewall-accounting.html
but I didn't manage to make it work

Thanks
Sassy 


On Sat, Nov 2, 2013 at 1:34 AM, Wayne S <linux <at> zuik.net> wrote:
At 10/31/2013 08:56 AM, you wrote:
Hi Group,

Congratulation about shorewall.org !
No question shorewall is the best tool I know for playing with iptables rules!

Second I wonder if any one can help me with the following:

1. I'm trying to configure a rule with the NFLOG option.
I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(
My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
At the moment I'm using ULOG version 1.X.
Is this only supported via ULOG version 2.0?

I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.

2. What is the real difference between ULOG and NFLOG?

3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html

Where do I configure the shorewall LEVEL?
It says it has the following:

debug,info,error, etc....

but I don't see where to change it in the shorewall configuration

4. A rule like this
ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence)      fw      all     all

Doesn't seem to work.
I'm getting Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)

Why? Any idea?

5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
I didn't manage to find how to do it in ulog.conf


Thanks
Sassy

I'm running on Arch Linux, so I may be way out of touch with older
systems and the following may not match with your system.
I'm also somewhat new to shorewall/iptables. I found
#shorewall check -r
to be very helpful when changing the shorewall files.

I believe you need ulogd2 and kernel > 2.6.14 for NFLOG

NFLOG is part of ulogd ( http://www.netfilter.org/projects/ulogd/index.html).
ULOG is entering end-of-life. NFLOG requires support to be compiled
into the kernel.

# zcat /proc/config.gz | grep NFLOG
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_BRIDGE_EBT_NFLOG=m

Use NFLOG as your log level, and as with ULOG you can specify the
group NFLOG(1,0,1). NFLOG may default to group 0?

Make sure you have your NFLOG filter stack correct in /etc/ulogd.conf.
See /usr/share/doc/ulogd/ulogd.conf  for some example stacks.

Example rule I have:

SECTION NEW

# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)    net:+blset     all

and /etc/ulogd.conf
~~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
~~~~~~~

and add logrotate for the new log.

Wayne S


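Wayne's reply pairs each NFLOG group used in a Shorewall rule with a ulogd stack whose `[logN]` instance listens on that group and whose LOGEMU output names the file. The following is an added example, not code from the thread or from Shorewall or ulogd: it parses a ulogd.conf in the shape quoted above and the ACTION column of a rules file, and reports which file each NFLOG-logging rule lands in, or that no stack listens on that group (in which case the log entries are silently lost). The sample configuration and rules are constructed; the function names are assumptions, and the treatment of a missing group as 0 follows the iptables NFLOG target default, which is also the guess made in the reply.

```python
import re

# Constructed sample: a trimmed copy of the ulogd.conf shape quoted above
# (two NFLOG input instances feeding two LOGEMU outputs).
ULOGD_CONF = """\
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
"""

# Constructed sample Shorewall rules; only the ACTION column is inspected.
SHOREWALL_RULES = """\
SECTION NEW
# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)     net:+blset   all
ACCEPT:NFLOG(1,0,1)   loc          net   tcp   80
REJECT:NFLOG(7)       net          fw    tcp   23
DROP:NFLOG            net          fw    udp   137
"""

SECTION_RE = re.compile(r'\[(\w+)\]')
# ACTION column: <action>:NFLOG[(group[,range[,threshold]])]
NFLOG_RE = re.compile(r'^(\w+):NFLOG(?:\((\d+)(?:,[^)]*)?\))?$')


def parse_ulogd_conf(text):
    """Return (sections, stacks): sections maps a [name] to its key/value
    pairs; stacks is a list of [(instance, plugin), ...] in stack order."""
    sections, stacks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip().strip('"')
        if key == 'stack':
            stacks.append([tuple(part.split(':', 1)) for part in value.split(',')])
        elif current is not None:
            sections[current][key] = value
    return sections, stacks


def nflog_group_files(text):
    """Map each NFLOG group number to the LOGEMU file its stack writes to.
    An NFLOG instance without group= is taken as group 0 (assumed default)."""
    sections, stacks = parse_ulogd_conf(text)
    mapping = {}
    for stack in stacks:
        groups = [int(sections.get(inst, {}).get('group', 0))
                  for inst, plugin in stack if plugin == 'NFLOG']
        files = [sections.get(inst, {}).get('file')
                 for inst, plugin in stack if plugin == 'LOGEMU']
        for group in groups:
            for path in files:
                mapping[group] = path
    return mapping


def rule_nflog_groups(text):
    """Return (action, group) for every rule whose ACTION column logs via
    NFLOG; a bare NFLOG with no argument logs to group 0 (iptables default)."""
    found = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = NFLOG_RE.match(line.split()[0])
        if m:
            found.append((m.group(1), int(m.group(2) or 0)))
    return found


def audit(rules_text, conf_text):
    """Pair every NFLOG-logging rule with the ulogd file that receives it;
    None means no stack listens on that group, so those log entries vanish."""
    files = nflog_group_files(conf_text)
    return [(action, group, files.get(group)) for action, group in rule_nflog_groups(rules_text)]


if __name__ == '__main__':
    for action, group, path in audit(SHOREWALL_RULES, ULOGD_CONF):
        print(f'{action:<8} NFLOG group {group}: {path or "NO ulogd STACK LISTENING"}')
```

Running it against the samples shows groups 1 and 4 mapped to their files and flags the `NFLOG(7)` and bare `NFLOG` rules as having no listener, which is the mismatch to look for when a rule logs but nothing appears in the expected file.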


Davide Ferri | 13 Dec 16:53 2013

Shorewall and mode statistic

Hi all,
  I'm trying to convert some manually written iptables rules into a shorewall configuration but I'm facing some issues with mode statistic.
For our outgoing smtp we balance the source IP address of outgoing connections originating from the firewall between 4 aliases configured on the eth0 interface:

eth0 inet addr:xxx.xxx.xxx.18 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:1 inet addr:xxx.xxx.xxx.19 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:2 inet addr:xxx.xxx.xxx.28 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:3 inet addr:xxx.xxx.xxx.29 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0

using iptables we just add the following rules:

iptables -A POSTROUTING -m statistic --mode random --probability 0.25 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.19
iptables -A POSTROUTING -m statistic --mode random --probability 0.33 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.28
iptables -A POSTROUTING -m statistic --mode random --probability 0.5 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.29

How can we achieve this with shorewall?

Thanks
Davide 
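The three `-m statistic --mode random` rules above form a cascade: a SNAT match terminates nat-table processing, so each later rule only sees the share of connections the earlier rules did not claim, and whatever falls through all three keeps the primary address. The following added example, not part of Davide's post or of Shorewall, works that arithmetic through so the resulting split can be checked before the rules are ported; it also generalises to any number of targets. Function names are assumptions for this demonstration.

```python
from fractions import Fraction


def cascade_shares(probabilities):
    """Share of connections each rule in an ordered chain of
    '-m statistic --mode random --probability p' rules terminates with
    (a match jumps to SNAT and leaves the chain), plus the share that falls
    through all of them. Fractions keep the arithmetic exact."""
    remaining = Fraction(1)
    shares = []
    for p in probabilities:
        p = Fraction(p)
        shares.append(remaining * p)   # this rule sees only what is left
        remaining *= 1 - p
    return shares, remaining


def even_cascade(n):
    """Probabilities that split traffic evenly over n targets when the
    n-th target is the fall-through: 1/n, 1/(n-1), ..., 1/2."""
    return [Fraction(1, n - i) for i in range(n - 1)]


def report(labels, probabilities, fallthrough_label):
    """Human-readable table of the resulting distribution."""
    shares, rest = cascade_shares(probabilities)
    rows = [f'{label:<18} p={float(p):<6} share={float(s):.5f}'
            for label, p, s in zip(labels, probabilities, shares)]
    rows.append(f'{fallthrough_label:<18} (fall-through) share={float(rest):.5f}')
    return '\n'.join(rows)


if __name__ == '__main__':
    # Constructed stand-ins for the masked addresses in the post.
    targets = ['SNAT xxx.xxx.xxx.19', 'SNAT xxx.xxx.xxx.28', 'SNAT xxx.xxx.xxx.29']
    print('As posted (0.25, 0.33, 0.5):')
    print(report(targets, ['0.25', '0.33', '0.5'], 'primary .18'))
    print('\nExact even split for 4 addresses:')
    print(report(targets, even_cascade(4), 'primary .18'))
```

With the posted values the second address receives 24.75% and the last two 25.125% each; the exact even split needs 1/4, 1/3, 1/2 rather than the rounded 0.33, which is worth remembering because the probability column accepts a decimal and rounding the middle rule is the easy mistake.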

Sassy Natan | 13 Dec 16:47 2013

Accounting

Hi Group,

I was wondering if it is possible to use shorewall-accounting with ULOG2 and NFLOG.

My goal is as follows:

Say I have in rules something like this:

accept fw all all 
accept all fw tcp 80,443
drop    all all all

with the following in accounting:
        web             -       eth0    -               tcp             80
        web             -       -       eth0            tcp             -               80
        web             -       eth0    -               tcp             443
        web             -       -       eth0            tcp             -               443


        web        -       eth0    -               tcp             -    80
        web        -       -       eth0            tcp             80
        web        -       eth0    -               tcp             -      443
        web        -       -       eth0            tcp             443  -
        COUNT           web     eth0
        COUNT           web     -       eth0
        DONE            web


While I can easily check the accounting status for web traffic in and out, all other traffic goes under a different chain.
So my question is:
1. Can I define somehow an automatic way to update the accounting file each time I create/delete a rule in rules?

So if I have something like
   accept all fw tcp 80,443,21

will I have two chains, one for web traffic and one for ftp(21) traffic?

2. If I have something like this
 accept fw any all

can I have accounting provide me not only the amount of outbound traffic, but also specified per other ports? Say for DNS, SMTP traffic etc... or would I have to create them one at a time in the accounting file?


3. I saw that accounting supports NFLOG. Can someone please provide an example of how to use it? What is the generated output from this? Does ULOG2 support this?
I know about https://home.regit.org/2012/07/flow-accounting-with-netfilter-and-ulogd2/ but I'm not sure I can use nfacct due to kernel issues, and besides, is accounting with ULOG2 supported with mysql?

Thanks
Sassy 
 
Fábio Rabelo | 10 Dec 14:41 2013

second VPN in bridge mode

Hi to all

I have a vpn server configured in bridge mode working perfectly for
over a year.

I need to add a new bridge to it now, and I'm really not sure what I
am doing wrong!

My /etc/openvpn contains 2 files :

/etc/openvpn/bridge.conf

remote 0.0.0.0
dev tap0
secret /etc/openvpn/bridge.key

/etc/openvpn/cajamar.conf

port 1195
remote 0.0.0.0
dev tap1
secret /etc/openvpn/cajamar.key

and my /etc/network/interfaces contains this :

# The loopback network interface
auto lo
iface lo inet loopback

# The internet network interface
auto eth1
iface eth1 inet static
    address 186.231.3.203
    netmask 255.255.255.248
    broadcast 186.231.3.207
    gateway 186.231.3.201

# The bridged vpn interface for Cenno
auto br0
iface br0 inet static
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /usr/sbin/brctl addbr br0
    address 172.16.0.4
    network 172.16.0.0
    broadcast 172.16.255.255
    netmask 255.255.0.0
    post-up /sbin/ip link set tap0 up
    post-up /usr/sbin/brctl addif br0 tap0
    post-up /sbin/ip link set eth0 up
    post-up /usr/sbin/brctl addif br0 eth0
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun tap0
    post-down /sbin/ip link set eth0 down

# The bridged vpn interface for Cajamar
auto br1
iface br1 inet manual
    pre-up /usr/sbin/openvpn --mktun --dev tap1
    pre-up /usr/sbin/brctl addbr br1
    post-up /sbin/ip link set tap1 up
    post-up /usr/sbin/brctl addif br1 tap1
    post-up /sbin/ip link set eth3 up
    post-up /usr/sbin/brctl addif br1 eth3
    post-down /usr/sbin/brctl delbr br1
    post-down /usr/sbin/openvpn --rmtun tap1
    post-down /sbin/ip link set eth3 down

There is no error msg in the log on any of the 3 servers ...

The old one (referred to just as "bridge") is still working fine, the new
one (referred to as "cajamar") is not working ....

Any help will be welcome .... thanks in advance ...

Fábio Rabelo
Attachment (vpn.rar): application/rar, 19 KiB

Using 192.168.x.x on external NIC for testing.

Hi there.

I'm testing shorewall before production use on my home network. I've used shorewall before in a production environment, but it's a long time ago.

Any help is appreciated. :-)

My setup:
- FW and client is running from VirtualBox.
- I'm using example files from /usr/share/doc/shorewall/examples/two-interfaces on debian 7.2.0.

Firewall
net: eth0: 192.168.1.175 (from local DHCP)
loc: eth1: 10.29.3.1

Client on the inside (loc)
IP: 10.29.3.2

What works
- FW can ping 8.8.8.8 and test client(10.29.3.2)
- Client can ping FW:eth0(192.168.1.175)
- Client can ping FW:eth1(10.29.3.1)
- SSH connection from outside to FW

What doesn't work
- Ping from client to 8.8.8.8
- w3m to google.com

Keep in mind that I'm using an RFC 1918 private IP address for "net"/eth0. Any ideas as to what I'm missing or doing wrong?

Thanks in advance.

Med venlig hilsen/Kind regards

Michael B. Arp Sørensen