Hi,
I have a couple of questions which I know have no simple answer, so if you could point me to the proper documentation I'd appreciate it. :)

1) I have two ADSL lines coming into my shorewall 3.2.4 and I would like, not to balance the load, but rather route certain ports through one or the other. I gather I should be working with all the files starting with "tc" but I'm a little lost.

2) Maybe a tad simple to answer... Can I say have a user connect to my FTP through ISP1 and that I route the packets out through ISP2? My guess is no 'cause the user's box won't accept packages coming from another source, but hey, I'm no expert...

Thanks a lot for your help.
-Ed

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 1) I have two ADSL lines coming into my shorewall 3.2.4 and I would like, not
> to balance the load but rather route certain ports through one or the other.
> I gather I should be working with all the files starting with "tc" but I'm a
> little lost.

RTFM - http://www.shorewall.net/MultiISP.html

> 2) Maybe a tad simple to answer... Can I say have a user connect to my FTP
> through ISP1 and that I route the packets out through ISP2? My guess is
> no 'cause the user's box won't accept packages coming from another source but
> hey, I'm no expert...

You guess correctly.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
1) You should set "track,balance" on your two lines in providers. Then in tcrules, mark the specific traffic you want going over interface 2 with 2, and mark everything else with 1.

2) Nope. Nail on the head with that one. The client hasn't sent any packets to ISP2 to open a connection, so if you send back a response via that route it'll get dropped by the client's firewall.

Will

On 12/7/06, Ed <lists@precognet.com> wrote:
> 1) I have two ADSL lines coming into my shorewall 3.2.4 and I would like, not
> to balance the load but rather route certain ports through one or the other.
> I gather I should be working with all the files starting with "tc" but I'm a
> little lost.
>
> 2) Maybe a tad simple to answer... Can I say have a user connect to my FTP
> through ISP1 and that I route the packets out through ISP2? My guess is
> no 'cause the user's box won't accept packages coming from another source but
> hey, I'm no expert...
>
> Thanks a lot for your help.
> -Ed
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Thursday 07 December 2006 21:04, Will Murnane wrote:
> 1) You should set "track,balance" on your two lines in providers.
> Then in tcrules, mark the specific traffic you want going over
> interface 2 with 2, and mark everything else with 1.

Thanks Will and Tom,

BTW, Tom, I wasn't after a spoon-fed answer, as you say it so well on your website... I just needed links to get it done... now I do! :)
-Ed
Will Murnane wrote:
> ...
> 2) Nope. Nail on the head with that one. The client hasn't sent any
> packets to ISP2 to open a connection, so if you send back a response
> via that route it'll get dropped by the client's firewall.
> ...
> On 12/7/06, Ed <lists@precognet.com> wrote:
>> ...
>> 2) Maybe a tad simple to answer... Can I say have a user connect to my FTP
>> through ISP1 and that I route the packets out through ISP2? My guess is
>> no 'cause the user's box won't accept packages coming from another source but
>> hey, I'm no expert...

A further note on this: it's called asymmetric routing, and usually it isn't recommended or supported by most ISPs. There are some circumstances when it is useful (or even required), mainly in deployments like one-way satellite where a modem is used as an uplink and the downstream is a much faster link. I've used Shorewall successfully in such configurations - if you need details please inquire on the mailing list and I'll try to answer as best I can.

Regards,
Paul
Hi Paul,

I'm still reading the documentation but I doubt I'll need this... I have two ADSL lines. Still, I'll keep it in mind.

Thanks for your reply and sorry for my late one ;)
-Ed

On Tuesday 12 December 2006 03:28, Paul Gear wrote:
> Will Murnane wrote:
> > ...
> > 2) Nope. Nail on the head with that one. The client hasn't sent any
> > packets to ISP2 to open a connection, so if you send back a response
> > via that route it'll get dropped by the client's firewall.
> > ...
Hi

----------------------------------------------------------------------------
Tom wrote:

a) In the current development release (3.3.6), if you don't define any 'ipsec' zones or host entries
>>>>>>>>>>>>>>>>>>>>>>> with "ipsec zone" checked!? <<<<<<<<<<<<<<<<<<<<<<<<<<
then Shorewall will not use policy match. So with that version, you can use the http://www.shorewall.net/IPSEC.html instructions even if you have policy match support.

b) You can disable policy match by renaming the iptables policy match module. The iptables modules are usually found in /lib/iptables/ or /usr/lib/iptables/. You can simply rename the libipt_policy.so file to libipt_foo.so.
----------------------------------------------------------------------------

I thought that I had the choice between IPSEC.html and IPSEC-2.6.html!!!! But no.

OK, I have tried your proposal b) and it's all functional.

You're really effective. Thanks

VUILLET Damien

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Monday, December 18, 2006 7:22 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan
Hi,

191.168.0.0/16 (lan1)----Shorewall + IPSEC---192.168.0.1/24-----switch-----192.168.0.3/24--------MNF2-------10.71.60.0/24 (lan2)

The MNF2 is very functional and it's not a problem.
The ipsec tunnel is well established.
eth5 is ipsec0

When the client-lan1 pings the client-lan2, shorewall says:
wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1

When the client-lan2 pings the client-lan1: same message:
wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1

But when I stop shorewall the ping is functional (through the vpn of course) in both directions, proof that mnf2 is not in question.

Thanks for your patience

VUILLET Damien

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Monday, December 18, 2006 7:22 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan
Hi

FAQ #21 says:
<<Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are a lot of broken implementations>>

Why does shorewall break my ipsec tunnel?

I have tried with masquerade deactivated (on both sides) but always:

wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1

I have established an ipsec tunnel between two fc6+shorewall+ipsec, always the same error:

wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 (but now on both sides!)

What can I do now?

VUILLET Damien

----- Original Message -----
From: "lpa du morvan" <lpadumorvan@free.fr>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, December 19, 2006 8:00 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> ...
> When the client-lan1 pings the client-lan2, shorewall says:
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1
>
> When the client-lan2 pings the client-lan1: same message:
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1
>
> But when I stop shorewall the ping is functional (through the vpn of
> course) in both directions, proof that mnf2 is not in question.
Hi

I have zone1(eth1) with asterisk and zone2(eth2) with a client softphone

1/ Without activating ip_conntrack_sip, I have the rules

ACCEPT zone2 zone1 TCP 5060
ACCEPT zone2 zone1 UDP 5060
ACCEPT zone2 zone1 UDP 10000:20000 (without this rule no audio!)

all work fine, shorewall is silent

b/ Now, I have loaded ip_nat_sip and ip_conntrack_sip in /usr/share/shorewall/modules, I have the rules

ACCEPT zone2 zone1 TCP 5060
ACCEPT zone2 zone1 UDP 5060
(I have deleted the rule ACCEPT zone2 zone1 UDP 10000:20000)

all work fine but shorewall says:

zone22all:REJECT:IN=eth2 OUT=eth1 SRC=ip_client DST=ip_asterisk PROTO=UDP SPT=random DPT=between 10000 and 20000

shorewall can't detect that ip_conntrack/nat_sip is functional!!!!!! But that does not prevent correct operation!!! Only the log fills!!!!

Same remark with ip_conntrack/nat_h323: it's very functional but shorewall is very talkative with rejection lines......and always the log fills unnecessarily!!!!

VUILLET Damien
lpa du morvan wrote:
> Hi
>
> FAQ #21 says:
> <<Nov 25 18:58:52 linux kernel:
> Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179
> DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP
> TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00
> TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
> Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are a lot of
> broken implementations>>
>
> Why does shorewall break my ipsec tunnel?
>
> I have tried with masquerade deactivated (on both sides) but always:
>
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1
>
> I have established an ipsec tunnel between two fc6+shorewall+ipsec, always the
> same error:
>
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 (but now on both sides!)

Did you disable policy match or change your configuration to use the method at http://www.shorewall.net/IPSEC-2.6.html? You must do one or the other.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
lpa du morvan wrote:
> Hi
>
> I have zone1(eth1) with asterisk and zone2(eth2) with a client softphone
>
> 1/ Without activating ip_conntrack_sip, I have the rules
>
> ACCEPT zone2 zone1 TCP 5060
> ACCEPT zone2 zone1 UDP 5060
> ACCEPT zone2 zone1 UDP 10000:20000 (without this rule no audio!)
>
> all work fine, shorewall is silent

Shorewall is *always* silent once "shorewall start" completes -- see below.

> b/ Now, I have loaded ip_nat_sip and ip_conntrack_sip in
> /usr/share/shorewall/modules, I have the rules
>
> ACCEPT zone2 zone1 TCP 5060
> ACCEPT zone2 zone1 UDP 5060
> (I have deleted the rule ACCEPT zone2 zone1 UDP 10000:20000)
>
> all work fine but shorewall says:
>
> zone22all:REJECT:IN=eth2 OUT=eth1 SRC=ip_client DST=ip_asterisk PROTO=UDP
> SPT=random DPT=between 10000 and 20000
>
> shorewall can't detect that ip_conntrack/nat_sip is functional!!!!!!

It is not Shorewall that is generating those messages -- it is Netfilter running in your kernel. There is no Shorewall code running at all once "shorewall start" completes.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> lpa du morvan wrote:
>> ...
>> Why does shorewall break my ipsec tunnel?
>>
>> I have tried with masquerade deactivated (on both sides) but always:
>>
>> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1
>>
>> I have established an ipsec tunnel between two fc6+shorewall+ipsec, always the
>> same error:
>>
>> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 (but now on both sides!)
>
> Did you disable policy match or change your configuration to use the method at
> http://www.shorewall.net/IPSEC-2.6.html? You must do one or the other.

Sorry -- found the dump of this problem on the gmane archive; as you know (hopefully), the shorewall.net mail server is down so I don't have access to any mail locally except what has arrived very recently.
Here are your wan->fw rules:

Chain wan2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination
   14  1564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    4   448 ACCEPT     esp  --  *      *       192.168.2.3          0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       192.168.2.3          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       192.168.2.3          0.0.0.0/0           udp dpt:500 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
   96  5178 wan2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Here is the log message that you are complaining about:

Dec 19 19:53:26 wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 LEN=80 TOS=0x00 PREC=0x00 TTL=127 ID=12367 PROTO=4

That is PROTOCOL NUMBER 4 -- The only protocols that you are accepting from 192.168.2.3 are 50, 51 and 17!!!!

Protocol 4 is IP encapsulated in IP -- So it sounds like your tunnel is not pure IPSEC but is being further encapsulated in protocol 4. Or something....

At any rate, you obviously need another rule.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Or something....
>
> At any rate, you obviously need another rule.

Or, another entry in /etc/shorewall/tunnels:

ipip    net     192.168.2.3

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
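To make Tom's reading of the log line and the chain listing mechanical, here is an added example in Python (not Shorewall's code, nor anything from this thread's authors): it parses a Shorewall-style Netfilter log line, decodes a numeric PROTO, and walks a model of the wan2fw ACCEPT rules he listed to show why protocol 4 falls through to wan2all. The sample log line and the rule table are constructed from this thread; the effect of the ipip tunnels entry is an assumption, modelled as an ACCEPT for protocol 4 from 192.168.2.3.

```python
"""Decode a Shorewall/Netfilter log line and check it against a chain's ACCEPT rules.

Added example, not Shorewall's own code. The rule table and the log line are
constructed from the thread (Tom's wan2fw listing and Damien's PROTO=4 drop).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers that appear in this thread (4 = IP-in-IP, 50 = ESP, 51 = AH).
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
PROTO_NUMBERS = {name: num for num, name in PROTO_NAMES.items()}

# "<chain>:<disposition>:KEY=VALUE ..." as written by Shorewall's logging rules.
LOG_RE = re.compile(r"(?P<chain>[\w-]+):(?P<disp>ACCEPT|DROP|REJECT):(?P<fields>.*)$")


def parse_log_line(line: str) -> dict:
    """Return chain, disposition and the outer packet's KEY=VALUE fields of one log line.

    Netfilter logs PROTO by name (TCP, UDP, ICMP, AH, ESP) when it has one and as a
    bare number otherwise, which is why Damien's line says PROTO=4; both forms are
    normalised into PROTO_NUM / PROTO_NAME. An embedded inner packet ([SRC=... ])
    is not examined.
    """
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    entry = {"chain": m.group("chain"), "disp": m.group("disp")}
    outer = m.group("fields").split("[", 1)[0]
    for token in outer.split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value
    proto = entry.get("PROTO", "")
    num = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto.upper())
    entry["PROTO_NUM"] = num
    entry["PROTO_NAME"] = PROTO_NAMES.get(num, proto)
    return entry


@dataclass(frozen=True)
class AcceptRule:
    """One ACCEPT line of a Shorewall-generated chain, reduced to what this check needs."""
    proto: Optional[int]         # IP protocol number, None matches any protocol
    source: str                  # source host or prefix
    dport: Optional[int] = None  # destination port for TCP/UDP, None matches any


# The wan2fw chain Tom listed, without the stateful RELATED,ESTABLISHED line (a
# fresh tunnel packet is NEW) and without the DROP, which only touches tcp/113.
WAN2FW_ACCEPTS = [
    AcceptRule(50, "192.168.2.3"),       # esp from the peer
    AcceptRule(51, "192.168.2.3"),       # ah from the peer
    AcceptRule(17, "192.168.2.3", 500),  # udp dpt:500 (IKE) from the peer
    AcceptRule(17, "0.0.0.0/0", 1194),   # udp dpt:1194 from anywhere
]

# Assumption for this example: the tunnels entry "ipip net 192.168.2.3" is taken
# to add an ACCEPT for protocol 4 from that peer.
IPIP_TUNNEL_RULE = AcceptRule(4, "192.168.2.3")


def first_match(entry: dict, rules) -> Optional[AcceptRule]:
    """Walk the chain in order and return the first ACCEPT the logged packet hits."""
    src = ipaddress.ip_address(entry["SRC"])
    for rule in rules:
        if rule.proto is not None and rule.proto != entry["PROTO_NUM"]:
            continue
        if src not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if rule.dport is not None and entry.get("DPT") != str(rule.dport):
            continue
        return rule
    return None


def explain(line: str, rules) -> str:
    """Name the rule that accepts the logged packet, or say why it fell through."""
    e = parse_log_line(line)
    hit = first_match(e, rules)
    if hit is not None:
        return f"accepted by rule {hit}"
    accepted = sorted({r.proto for r in rules if r.proto is not None})
    return (f"{e['chain']}:{e['disp']} {e['SRC']}->{e['DST']} protocol {e['PROTO_NUM']} "
            f"({e['PROTO_NAME']}) matches nothing; chain only accepts protocols {accepted}")


# Constructed from the line Damien posted.
DAMIEN_LINE = ("Dec 19 19:53:26 wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 "
               "LEN=80 TOS=0x00 PREC=0x00 TTL=127 ID=12367 PROTO=4")

if __name__ == "__main__":
    print(explain(DAMIEN_LINE, WAN2FW_ACCEPTS))
    print(explain(DAMIEN_LINE, WAN2FW_ACCEPTS + [IPIP_TUNNEL_RULE]))
```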
Hi Tom

Thanks for your help

> > Or something....

I want to add: "DROP !icmp" in the chains INPUT, FORWARD and OUTPUT
In which file of shorewall do I then add these policies?

Thanks again

VUILLET Damien

----- Original Message -----
From: "Tom Eastep" <teastep@avvanta.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, December 21, 2006 5:39 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> Tom Eastep wrote:
> > Or something....
> >
> > At any rate, you obviously need another rule.
>
> Or, another entry in /etc/shorewall/tunnels:
>
> ipip net 192.168.2.3
>
> -Tom
lpa du morvan wrote:
> Hi Tom
>
> Thanks for your help
>
>>> Or something....
>
> I want to add: "DROP !icmp" in the chains INPUT, FORWARD and OUTPUT
> In which file of shorewall do I then add these policies?

See the documentation about "Default Actions" (http://www.shorewall.net/Actions.html#Default).

The standard 'Drop' action accepts the ICMP types that are important for correct operation. If you want to accept all ICMP types, you can create your own version of action.Drop in /etc/shorewall/ that does what you want. Then you can simply use DROP policies.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Hi

I tested an http connection through the ipsec tunnel and always the same error:

wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 with always PROTO=4!!!!!! It's in this case an http connection and thus PROTO=6, but nothing with PROTO=6 in the error message.

Is icmp thus necessary to establish a flow through an ipsec tunnel!?

I want to add

iptables -A INPUT -p ! icmp -m state --state INVALID -j DROP
also for the OUTPUT and FORWARD chains,

but shorewall does not take into account manual changes made with the iptables command.

Thanks

VUILLET Damien

----- Original Message -----
From: "Tom Eastep" <teastep@avvanta.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, December 22, 2006 4:49 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> lpa du morvan wrote:
> > I want to add: "DROP !icmp" in the chains INPUT, FORWARD and OUTPUT
> > In which file of shorewall do I then add these policies?
>
> See the documentation about "Default Actions"
> (http://www.shorewall.net/Actions.html#Default).
>
> The standard 'Drop' action accepts the ICMP types that are important for correct
> operation. If you want to accept all ICMP types, you can create your own version
> of action.Drop in /etc/shorewall/ that does what you want. Then you can simply
> use DROP policies.
>
> -Tom
lpa du morvan wrote:
> Hi
>
> I tested an http connection through the ipsec tunnel and always the same
> error:
>
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 with always
> PROTO=4!!!!!! It's in this case an http connection and thus PROTO=6, but
> nothing with PROTO=6 in the error message.

If you are still getting these messages then you haven't added the ipip tunnel entry that I recommended.

> Is icmp thus necessary to establish a flow through an ipsec tunnel!?
>
> I want to add
>
> iptables -A INPUT -p ! icmp -m state --state INVALID -j DROP
> also for the OUTPUT and FORWARD chains,
>
> but shorewall does not take into account manual changes made with the iptables
> command.

I have no idea what problem you are reporting now. If you want my help, then please submit complete problem reports as described at http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Tom Eastep" <teastep@avvanta.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, December 21, 2006 5:39 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> Tom Eastep wrote:
> ipip net 192.168.2.3

Sorry, I had not read this message; your proposal is excellent because it solved my problem.
I am really a stupid Frenchman....

Thanks Tom

VUILLET Damien

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
----- Original Message -----
From: "Tom Eastep" <teastep@avvanta.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, December 21, 2006 6:18 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> a) In the current development release (3.3.6), if you don't define any 'ipsec'
> zones or host entries then Shorewall will not use policy match.

Hi Tom

Is it functional in shorewall 3.4.1?

Thanks

VUILLET Damien
lpa du morvan wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@avvanta.com>
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Sent: Thursday, December 21, 2006 6:18 PM
> Subject: Re: [Shorewall-users] shorewall + ipsec openswan
>
>> a) In the current development release (3.3.6), if you don't define any 'ipsec'
>> zones or host entries then Shorewall will not use policy match.
>
> Hi Tom
>
> Is it functional in shorewall 3.4.1?

Yes.

Cheers, Damien

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key