Shorewall users - May 2008 - Shorewall 4.2.0 Beta1

The Shorewall team is pleased to announce the availability of Shorewall 
4.2.0 Beta 1.

Release Highlights:

1) Support is included for multiple internet providers through the same
    ethernet interface.

2) Support for NFLOG has been added.

3) Enhanced operational logging.

4) The tarball installers now work under Cygwin.

5) Shorewall-perl now supports IFB devices which allow traffic shaping of
    incoming traffic.

6) Shorewall-perl supports definition of u32 traffic classification
    filters.

The release is available at 
http://www.shorewall.net/pub/shorewall/development/4.2/shorewall-4.2.0-Beta1

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Tom

I have been testing Shorewall-perl with ipsets and have come across a couple 
of problems.  

The ipsets documentation states that negative matches are allowed, however, 
Shorewall only allows this in the hosts file.

Message:
	
	ERROR: Invalid ipset name (!+sjsset) .......

is produced If any of the following negative matches are specified:

accounting file

	sjsx  -  !+sjsset[2]  !+sjsset2[dst,dst]  udp 53

blacklist file

	!+sjsset  -

maclist

	ACCEPT  br0  11:22:33:44:55:66  !+sjsset

rules

	ACCEPT  lan:!+sjsset[2]  brd:!+sjsset2[5]  tcp 22

tcrules

	32:CT  !+sjsset[1]  !+sjsset2[4]  tcp

tos
	
	!+sjsset[2]  !+sjsset2[3]  all  -  -  8

tunnels

	ipsec:noah  wan  !+sjsset[4]  lan,wan

###############################

If the following hosts file configuration is specified:

	loo  br0:+sjsset[2]  maclist

produces the following message:

	ERROR: Invalid ipset name (+sjsset[2]) ......

Note: an ipset of the above format is allowed in all other config files.


Steven.


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Tom,All,

Sorry if the post is not much relevant, but I just wanted to know the Cost of a
Professional Penetration Testing , as I know it is per IP.
So , How Much does it cost ? and if it is a big network (lots of IP) will be
there a discount

Regards
Samer

_________________________________________________________________
Enjoy 5 GB of free, password-protected online storage.
http://www.windowslive.com/skydrive/overview.html?ocid=TXT_TAGLM_WL_Refresh_skydrive_062008

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> Tom
> 
> I have been testing Shorewall-perl with ipsets and have come across a
couple
> of problems.  
> 
> The ipsets documentation states that negative matches are allowed, however,
> Shorewall only allows this in the hosts file.
> 
> Message:
> 	
> 	ERROR: Invalid ipset name (!+sjsset) .......
> 
> is produced If any of the following negative matches are specified:
> 
> accounting file
> 
> 	sjsx  -  !+sjsset[2]  !+sjsset2[dst,dst]  udp 53
> 
> blacklist file
> 
> 	!+sjsset  -
> 
> maclist
> 
> 	ACCEPT  br0  11:22:33:44:55:66  !+sjsset
> 
> rules
> 
> 	ACCEPT  lan:!+sjsset[2]  brd:!+sjsset2[5]  tcp 22
> 
> tcrules
> 
> 	32:CT  !+sjsset[1]  !+sjsset2[4]  tcp
> 
> tos
> 	
> 	!+sjsset[2]  !+sjsset2[3]  all  -  -  8
> 
> tunnels
> 
> 	ipsec:noah  wan  !+sjsset[4]  lan,wan
All of the above should be fixed in revision 8567.
> 
> ###############################
> 
> If the following hosts file configuration is specified:
> 
> 	loo  br0:+sjsset[2]  maclist
> 
> produces the following message:
> 
> 	ERROR: Invalid ipset name (+sjsset[2]) ......
> 
> Note: an ipset of the above format is allowed in all other config files.
But there is no requirement for it in that context that I can see. And it 
opens the door to totally broken entries like:

	loo br0:+tmeset[src,dst,src]

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Samer Y. Azmy wrote:
> Tom,All,
> 
> Sorry if the post is not much relevant, but I just wanted to know the 
> Cost of a Professional Penetration Testing , as I know it is per IP.
> So , How Much does it cost ? and if it is a big network (lots of IP) 
> will be there a discount
How would I possibly know?

I make nothing from Shorewall. In fact it costs me $50US - $100US per month 
to provide you with Shorewall. So do you really think that I am so generous 
as to also pay for "Professional Penetration Testing" so I can tell
you how
much it costs?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Tom Eastep wrote:
> Samer Y. Azmy wrote:
>> Tom,All,
>>
>> Sorry if the post is not much relevant, but I just wanted to know the 
>> Cost of a Professional Penetration Testing , as I know it is per IP.
>> So , How Much does it cost ? and if it is a big network (lots of IP) 
>> will be there a discount
>
> How would I possibly know?
>
> I make nothing from Shorewall. In fact it costs me $50US - $100US per 
> month to provide you with Shorewall. So do you really think that I am 
> so generous as to also pay for "Professional Penetration Testing"
so I
> can tell you how much it costs?
>
> -Tom
    Tom,

    I could be wrong, but he might have been offering you a job.

    Respectfully,

--
Michael Cozzi
cozzi@cozziconsulting.com

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

I agree with Micheal, it seemed to me as though Samer was looking to hire
someone, not for charity.

As to your question Samer, please message me off list, and I will give you a bit
of a cost breakdown based on my experiences.

Thanks!
Lee 


--- On Sat, 6/14/08, Michael Cozzi <cozzi@cozziconsulting.com> wrote:
> From: Michael Cozzi <cozzi@cozziconsulting.com>
> Subject: Re: [Shorewall-users] Penetration Testing Cost
> To: "Shorewall Users"
<shorewall-users@lists.sourceforge.net>
> Date: Saturday, June 14, 2008, 1:50 AM
> Tom Eastep wrote:
> > Samer Y. Azmy wrote:
> >> Tom,All,
> >>
> >> Sorry if the post is not much relevant, but I just
> wanted to know the 
> >> Cost of a Professional Penetration Testing , as I
> know it is per IP.
> >> So , How Much does it cost ? and if it is a big
> network (lots of IP) 
> >> will be there a discount
> >
> > How would I possibly know?
> >
> > I make nothing from Shorewall. In fact it costs me
> $50US - $100US per 
> > month to provide you with Shorewall. So do you really
> think that I am 
> > so generous as to also pay for "Professional
> Penetration Testing" so I 
> > can tell you how much it costs?
> >
> > -Tom
> 
>     Tom,
> 
>     I could be wrong, but he might have been offering you a
> job.
> 
>     Respectfully,
> 
> --
> Michael Cozzi
> cozzi@cozziconsulting.com
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It''s the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

      

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php