My mistake, sorry, I got the networks wrong. I need to add a static route for networks and hosts between 63.90.86.0~63.90.86.255 with gateway 10.5.198.238. Would this be correct?

route add 63.90.86.0 255.0.0.0 gw 10.5.198.238

Thanks,
Mike
On Sat, 15 Nov 2003, Mike Lander wrote:

> My mistake sorry, I got the networks wrong
> I need to add a static route for networks and hosts between
> 63.90.86.0~63.90.86.255 with gateway 10.5.198.238
> would this be correct?
> route add 63.90.86.0 255.0.0.0 gw 10.5.198.238
>

No; your netmask is incorrect -- check
http://www.shorewall.net/shorewall_setup_guide.htm#Addressing
(it would be good to bookmark that one for future reference).

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Ok, since the size of the subnet is 256 (/24), would this be correct?

route add 63.90.86.0 255.255.255.0 gw 10.5.198.238

I tried my TCP/IP book, and I always have trouble with alternate gateways. I can figure a new network and figure out how many hosts there are, but routes confuse me sometimes. I was good in mathematics in college, but this stuff has always been hard for me. I can do it easier in binary, but I don't use binary as much any more. I used to program in machine language in the early 80's and had to use AND, OR, EOR and all that stuff, but I am rusty with this math now :<(

Sorry if I am a nuisance, Tom.

Thank you,
Mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Saturday, November 15, 2003 3:08 PM
Subject: Re: [Shorewall-users] static route

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Sat, 15 Nov 2003, Mike Lander wrote:

> Ok since the size of the subnet is 256 /24
> would this be correct route add 63.90.86.0 255.255.255.0 gw 10.5.198.238???

Yes.

Here's another tip:

[root@gateway root]# shorewall ipcalc 63.90.86.0/24
CIDR=63.90.86.0/24
NETMASK=255.255.255.0
NETWORK=63.90.86.0
BROADCAST=63.90.86.255
[root@gateway root]#

-Tom
I tried the new route, and I am signing in via PPTP. Trying the new route to dealer.toyota.com, Shorewall is blocking?

PS: I am on my network VPN using the remote gateway. What rule or policy would fix this?

Logs:

Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.5.198.254 DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33596 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.5.198.254 DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33597 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Mike
On Sat, 15 Nov 2003, Mike Lander wrote:

> I tryed the new route, and I am singing in
> via pptp trying the new route dealer.toyota.com
> shorewall is blocking ?
> PS I am on my network vpn useing remote gateway
> What rule or policy would fix this?
> logs
>

Come on Mike -- IN is empty so the source zone is $FW. eth1 is the output interface; what zone is that? Clearly the protocol is tcp and the port is 80.

> Mike
> Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=10.5.198.254 DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=TCP SPT=33596 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=10.5.198.254 DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=TCP SPT=33597 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> FAQ: http://www.shorewall.net/FAQ.htm
>

-Tom
eth1 is loc, so I need a rule ACCEPT fw loc 80?

Mike
I feel like a beginner; I did not know empty IN meant fw :(

Thanks,
Mike
On Sat, 15 Nov 2003, Mike Lander wrote:

> eth1 is loc
> so I need a rule ACCEPT fw loc 80?
>

You might want to specify the protocol.

-Tom
On Sat, 15 Nov 2003, Mike Lander wrote:

> I feel like a beginner,
> I did not know emtpy IN meant fw:(
>

You may want to bookmark FAQ 17 then as well. It tells you how to decode "Shorewall" log messages.

-Tom
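An added worked example, not code from this thread or from the Shorewall project: a small Python decoder for Shorewall log lines that applies the reading Tom gives above (an empty IN= means the packet originated on the firewall itself, so the source zone is $FW; the zone of the OUT= interface comes from the interfaces file) and prints the narrowest rules-file line that would have allowed the packet. The eth1 -> loc mapping and the two REJECT lines are taken from the thread; the eth0 -> net entry, the third (forwarded UDP) log line and the "fw" zone name are assumptions for illustration. The optional dest_net argument shows how to keep the fix scoped to the routed /24 (Shorewall's zone:network syntax in the DEST column) instead of opening port 80 from the firewall to the whole loc zone.

```python
import re
from typing import Dict, List, Optional, Union

Fields = Dict[str, Union[str, bool]]

# Interface -> zone. In Shorewall this mapping lives in /etc/shorewall/interfaces.
# eth1 -> loc is what the thread states; eth0 -> net is an assumption for illustration.
IFACE_ZONES: Dict[str, str] = {"eth1": "loc", "eth0": "net"}

# The firewall's own zone (FW= in shorewall.conf), written as $FW in the rules file.
FW_ZONE = "fw"

# "Shorewall:<chain>:<disposition>:" followed by the netfilter fields (IN= OUT= SRC= ...).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")

# The two lines Mike posted (from the thread) plus one CONSTRUCTED line for a packet
# forwarded between two zones, to show the difference when both IN= and OUT= are set.
SAMPLE_LOGS: List[str] = [
    "Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.5.198.254 "
    "DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33596 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 15 15:43:12 ns2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.5.198.254 "
    "DST=63.90.86.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33597 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # constructed sample, not from the thread
    "Nov 16 08:00:00 ns2 kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=10.5.198.10 "
    "DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40000 DPT=53",
]


def parse_shorewall_log(line: str) -> Optional[Fields]:
    """Split a Shorewall kernel log line into its chain, disposition and KEY=VALUE fields.

    A bare "IN=" yields IN == "" rather than a missing key; that empty string is the
    detail Tom points at. Flag tokens without "=" (DF, SYN, ACK, ...) are stored as True.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields: Fields = {"chain": m["chain"], "disposition": m["disp"]}
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields[token] = True
    return fields


def zone_of(iface: str) -> str:
    """Empty interface name means the firewall itself; otherwise consult the interface map."""
    if iface == "":
        return FW_ZONE
    if iface not in IFACE_ZONES:
        raise ValueError(f"interface {iface!r} is not mapped to a zone")
    return IFACE_ZONES[iface]


def suggest_rule(fields: Fields, dest_net: Optional[str] = None) -> str:
    """Build the rules-file line (ACTION SOURCE DEST PROTO DEST-PORT) that allows this packet.

    dest_net, if given, narrows DEST to zone:network so the rule does not become a
    blanket allow for the whole destination zone.
    """
    src = zone_of(str(fields.get("IN", "")))
    dst = zone_of(str(fields.get("OUT", "")))
    proto = str(fields.get("PROTO", "")).lower() or "-"
    dport = str(fields.get("DPT", "-"))  # ICMP and friends carry no DPT
    src_col = "$FW" if src == FW_ZONE else src
    dst_col = "$FW" if dst == FW_ZONE else dst
    if dest_net is not None:
        dst_col = f"{dst_col}:{dest_net}"
    return "\t".join(["ACCEPT", src_col, dst_col, proto, dport])


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_shorewall_log(line)
        if f is None:
            continue
        print(f"{f['disposition']} in chain {f['chain']}: "
              f"{zone_of(str(f['IN']))} -> {zone_of(str(f['OUT']))}, "
              f"{f['PROTO']} dport {f.get('DPT', '-')}")
        print("  rule:", suggest_rule(f, "63.90.86.0/24" if f["OUT"] == "eth1" else None))
```

For Mike's lines this yields ACCEPT $FW loc tcp 80, the rule he arrives at below once the protocol is added; with dest_net set it yields ACCEPT $FW loc:63.90.86.0/24 tcp 80, which only opens the path to the network the static route was added for. The chain name all2all in the original lines tells you the packet fell through to a policy rather than a zone-specific rule.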
It works, it works, it works! I love Shorewall! Thanks, Tom.

Mike
For the life of me I can't seem to get hosts.allow and hosts.deny to block IP ranges or domains using Mandrake 9.1. So as a replacement technique I'd like to be able to use wildcards or IP ranges in Shorewall's blacklist file. Is this possible?
On Sun, 2003-11-16 at 07:50, Jim wrote:

> For the life of me I can't seem to get hosts.allow and hosts.deny to block
> ip ranges or domains sing Mandrake 9.1. So as a replacement technique I'd
> like to be able to use wild cards or ip ranges in shorewall's blacklist
> file. Is this possible?

You can blacklist networks using CIDR notation (see
http://shorewall.net/shorewall_setup_guide.htm#Addressing). To convert an arbitrary IP range in the form <first>-<last> to a list of one or more CIDR networks, use the "shorewall iprange" command.

-Tom
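An added example, not code from the thread or from Shorewall: the arithmetic behind both commands Tom recommends, "shorewall ipcalc" (used earlier in the thread to check Mike's netmask) and "shorewall iprange" (this reply), written out in Python with the AND/OR operations Mike mentions. ipcalc() produces the same four lines as the ipcalc command; check_route() shows why 255.0.0.0 was wrong for a route to 63.90.86.0 (the mask turns that destination into 63.0.0.0/8, and net-tools' route rejects a destination that is not the network address of its mask with "netmask doesn't match route address"); iprange() covers an arbitrary first..last range with the fewest aligned CIDR blocks and is cross-checked against Python's ipaddress module. The function names and the 10.0.0.x and 192.168.x.x sample ranges are my own, not anything the thread uses.

```python
import ipaddress
from typing import Dict, List, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """'63.90.86.0' -> 0x3F5A5600, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(plen: int) -> int:
    """/24 -> 0xFFFFFF00: plen ones followed by (32 - plen) zeros."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - plen)) & ALL_ONES


def mask_to_prefix(dotted_mask: str) -> int:
    """'255.255.255.0' -> 24; rejects non-contiguous masks such as 255.255.0.255."""
    mask = ip_to_int(dotted_mask)
    plen = bin(mask).count("1")
    if mask != prefix_to_mask(plen):
        raise ValueError(f"non-contiguous netmask {dotted_mask!r}")
    return plen


def ipcalc(cidr: str) -> Dict[str, str]:
    """The four values 'shorewall ipcalc' prints, computed with AND/OR on the 32-bit address."""
    addr, plen_s = cidr.split("/")
    plen = int(plen_s)
    mask = prefix_to_mask(plen)
    network = ip_to_int(addr) & mask          # AND with the mask clears the host bits
    broadcast = network | (~mask & ALL_ONES)  # OR with the inverted mask sets them all
    return {
        "CIDR": f"{int_to_ip(network)}/{plen}",
        "NETMASK": int_to_ip(mask),
        "NETWORK": int_to_ip(network),
        "BROADCAST": int_to_ip(broadcast),
    }


def check_route(dest: str, dotted_mask: str) -> Tuple[str, str, bool]:
    """(network, broadcast, ok) for 'route add -net <dest> netmask <mask>'.

    ok is False when dest is not the network address under that mask, i.e. the
    mask describes a different (here much larger) block than the one intended.
    """
    info = ipcalc(f"{dest}/{mask_to_prefix(dotted_mask)}")
    return info["NETWORK"], info["BROADCAST"], info["NETWORK"] == dest


def iprange(first: str, last: str) -> List[str]:
    """Cover first..last with the fewest CIDR blocks, as 'shorewall iprange' does.

    Greedy from the bottom: at each step take the largest block that starts at lo
    (lo must be a multiple of the block size) and does not run past hi.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("first address is after last address")
    blocks: List[str] = []
    while lo <= hi:
        plen = 32
        while plen > 0:
            size = 1 << (32 - (plen - 1))     # size of the next larger block
            if lo % size != 0 or lo + size - 1 > hi:
                break
            plen -= 1
        blocks.append(f"{int_to_ip(lo)}/{plen}")
        lo += 1 << (32 - plen)
    return blocks


def agrees_with_stdlib(first: str, last: str) -> bool:
    """Cross-check iprange() against ipaddress.summarize_address_range()."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
    return iprange(first, last) == expected


if __name__ == "__main__":
    for key, val in ipcalc("63.90.86.0/24").items():
        print(f"{key}={val}")
    print("255.0.0.0      ->", check_route("63.90.86.0", "255.0.0.0"))
    print("255.255.255.0  ->", check_route("63.90.86.0", "255.255.255.0"))
    print(iprange("63.90.86.0", "63.90.86.255"))
    print(iprange("10.0.0.1", "10.0.0.6"))
```

For Mike's range the output is the single block 63.90.86.0/24, which is what goes in the blacklist file or, for the route, "route add -net 63.90.86.0 netmask 255.255.255.0 gw 10.5.198.238" (net-tools) or "ip route add 63.90.86.0/24 via 10.5.198.238" (iproute2). A range that is not aligned, such as 10.0.0.1 to 10.0.0.6, needs four blocks, which is why the iprange command exists: listing the range's endpoints or a wildcard in the blacklist file would not express it.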