Hi
I am running a couple of LVS kernels (2.4.20 with ipvs 1.09) used in a load
balancing setup; up to now it is only LVS-DR. As it is, the kernel is
configurable as per requirements. But is there a conflict in functionality?
Any feedback is appreciated.
Thanks
----- Original Message -----
From: <shorewall-users-request@lists.shorewall.net>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, August 05, 2003 5:02 PM
Subject: Shorewall-users Digest, Vol 9, Issue 15
> Send Shorewall-users mailing list submissions to
> shorewall-users@lists.shorewall.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
> or, via email, send a message with subject or body 'help' to
> shorewall-users-request@lists.shorewall.net
>
> You can reach the person managing the list at
> shorewall-users-owner@lists.shorewall.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Shorewall-users digest..."
>
>
> Today's Topics:
>
> 1. Shorewall 1.4.6b (Tom Eastep)
> 2. Re: Shorewall 1.4.6b (Joshua Banks)
> 3. Re: Shorewall 1.4.6b (Tom Eastep)
> 4. Re: Shorewall 1.4.6b (Homer Parker)
> 5. RE: DNAT Not quite working. (Dave B)
> 6. can't establish vtun tunnel (joel fernandez)
> 7. can't establish vtun tunnel (joel fernandez)
> 8. vtun on shorewall (joel fernandez)
> 9. RE: DNAT Not quite working. (Tom Eastep)
> 10. Re: vtun on shorewall (Tom Eastep)
> 11. Re: Shorewall 1.4.6b (Joshua Banks)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: 05 Aug 2003 12:48:00 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: [Shorewall-users] Shorewall 1.4.6b
> To: Shorewall Users <shorewall-users@lists.shorewall.net>, Shorewall
> Announcements <shorewall-announce@lists.shorewall.net>
> Message-ID: <1060112880.26500.12.camel@wookie.shorewall.net>
> Content-Type: text/plain
>
> This is a bug-fix roll-up.
>
> Problems corrected since 1.4.6:
>
> 1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
> being tested before it was set.
>
> 2) Corrected handling of MAC addresses in the SOURCE column of the
> tcrules file. Previously, these addresses resulted in an invalid
> iptables command.
>
> 3) The "shorewall stop" command is now disabled when
> /etc/shorewall/startup_disabled exists. This prevents people from
> shooting themselves in the foot prior to having configured
> Shorewall.
>
> 4) A change introduced in version 1.4.6 caused error messages during
> "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
> being added to a PPP interface; the addresses were successfully
> added in spite of the messages.
>
> The firewall script has been modified to eliminate the error
> messages.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 5 Aug 2003 13:33:33 -0700 (PDT)
> From: Joshua Banks <l0f33t@yahoo.com>
> Subject: Re: [Shorewall-users] Shorewall 1.4.6b
> To: Tom Eastep <teastep@shorewall.net>, Shorewall Users
> <shorewall-users@lists.shorewall.net>, Shorewall Announcements
> <shorewall-announce@lists.shorewall.net>
> Message-ID: <20030805203333.55937.qmail@web42001.mail.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hello,
>
> I have Shorewall installed on Mandrake 9.0, kernel version 2.4.19-16mdk.
> Shorewall version 1.4.6a. I downloaded 1.4.6b.....stopped shorewall, and
> tried to run the rpm. This is what I got from the command line:
> [root@localhost Documents]# rpm -ivh --nodeps shorewall-1.4.6b-1.noarch.rpm
> Preparing... ########################################### [100%]
> file /usr/share/shorewall/firewall from install of shorewall-1.4.6b-1
> conflicts with file from package shorewall-1.4.6a-1
> file /usr/share/shorewall/version from install of shorewall-1.4.6b-1
> conflicts with file from package shorewall-1.4.6a-1
>
> This is the first time that I have run into this since running shorewall
> version 1.4.2.
>
> I'm a noob so maybe I've done something that I don't realize. Please help.
>
> JBanks
>
>
> ------------------------------
>
> Message: 3
> Date: 05 Aug 2003 13:35:05 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Shorewall 1.4.6b
> To: Joshua Banks <l0f33t@yahoo.com>
> Cc: Shorewall Announcements <shorewall-announce@lists.shorewall.net>,
> Shorewall Users <shorewall-users@lists.shorewall.net>
> Message-ID: <1060115704.26500.18.camel@wookie.shorewall.net>
> Content-Type: text/plain
>
> On Tue, 2003-08-05 at 13:33, Joshua Banks wrote:
> > Hello,
> >
> > I have Shorewall installed on Mandrake 9.0, kernel version 2.4.19-16mdk.
> > Shorewall version 1.4.6a. I downloaded 1.4.6b.....stopped shorewall, and
> > tried to run the rpm. This is what I got from the command line:
> > [root@localhost Documents]# rpm -ivh --nodeps shorewall-1.4.6b-1.noarch.rpm
> > Preparing... ########################################### [100%]
> > file /usr/share/shorewall/firewall from install of shorewall-1.4.6b-1
> > conflicts with file from package shorewall-1.4.6a-1
> > file /usr/share/shorewall/version from install of shorewall-1.4.6b-1
> > conflicts with file from package shorewall-1.4.6a-1
> >
> > This is the first time that I have run into this since running shorewall
> > version 1.4.2.
> >
> > I'm a noob so maybe I've done something that I don't realize. Please help.
>
> You should be using the 'U' (Update) command to rpm rather than the 'i'
> (install) command.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 5 Aug 2003 15:38:27 -0500
> From: Homer Parker <hparker@homershut.net>
> Subject: Re: [Shorewall-users] Shorewall 1.4.6b
> To: Joshua Banks <l0f33t@yahoo.com>
> Cc: shorewall-users@lists.shorewall.net
> Message-ID: <20030805153827.2420f562.hparker@homershut.net>
> Content-Type: text/plain; charset=US-ASCII
>
> On Tue, 5 Aug 2003 13:33:33 -0700 (PDT) Joshua Banks <l0f33t@yahoo.com>
> wrote....
>
>
> > [root@localhost Documents]# rpm -ivh --nodeps
>
> rpm -Fvh shorewa..... Will give you what you want..
>
> ---
> Homer Parker /"\ ASCII Ribbon Campaign
> \ / No HTML/RTF in email
> http://www.homershut.net x No Word docs in email
> telnet://bbs.homershut.net / \ Respect for open standards
>
> "Bill Gates reports on security progress made and the challenges ahead."
> -- Microsoft's Homepage, on the day an SQL Server bug crippled large
> sections of the Internet.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 05 Aug 2003 20:44:23 +0000
> From: "Dave B" <dragin33@hotmail.com>
> Subject: RE: [Shorewall-users] DNAT Not quite working.
> To: shorewall-users@lists.shorewall.net
> Message-ID: <BAY2-F132ivjHLrvdIi00009b16@hotmail.com>
> Content-Type: text/plain; format=flowed
>
> >Hi i've been having some issues with shorewall lately. You see, I'm using
> >DNAT to port forward some ports.. some for gaming are working great but i
> >have a few port forwards that are acting strangely. First i had an HTTP
> >server running on box 192.168.5.41 and port 8129. Now, when clients
> >requested the page from the outside they said it looked like they were
> >going to get it for a sec and then it failed.. they got nothing. This was
> >puzzling me so i installed ethereal. It seems that i got the packet fine
> >on 192.168.5.41. I got a SYN packet from the internet client. My box then
> >sent back a SYN ACK... which the client does not receive! (i had ethereal
> >on there as well.) So then the client sends another SYN thinking that
> >something is wrong... and the process continues until time out. Second, i
> >tried to do an FTP server on port 2121 (PASV) and now that's doing the
> >same thing!
>
> >I don't understand this since my policy is
> >loc net ACCEPT.
> >in fact, it's all based off the two-interface example posted on
> >shorewall.net.
>
> >Shorewall Version: 1.4.2
> >IPs are eth0 192.168.1.3 (Net)
> >eth1 192.168.5.3 (Loc)
>
> >POLICY
> >loc net ACCEPT
> >net all DROP
> >all all REJECT
>
> >RULES
> >DNAT net loc:192.168.5.40 tcp 8129 -
> >DNAT net loc:192.168.5.40 tcp 2121:2131 -
>
> >INTERFACES
> >net eth0 192.168.1.255 routefilter
> >loc eth1 192.168.5.255
>
> >I think that's all the info. Any Clues??
>
>
> Taking a closer look, i bypassed my router and my shorewall
> firewall/gateway and plugged the web/ftp server right into the modem. I
> tried having my internet clients connect and they were able to log into the
> ftp server and get the webpage on port 8129 perfectly.. now i know it's not
> the ISP blocking stuff. BUT WHAT'S WRONG?!
>
>
> ------------------------------
>
> Message: 6
> Date: Sun, 03 Aug 2003 20:55:11 +0200
> From: joel fernandez <bascos@free.fr>
> Subject: [Shorewall-users] can''t establish vtun tunnel
> To: shorewall-users@lists.shorewall.net
> Message-ID: <3F2D5A8F.1070808@free.fr>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Hi all,
>
> sorry if you receive this mail twice but the first one seems to be in
> the cosmos. ;-)
>
> And thanks for what you did (shorewall) and what you do (helping on this
> mailing list).
>
> I would like to create a tunnel based on vtun (protocol udp port 5000).
> To do so, i followed your "howto" about openvpn under shorewall, which
> seems the same thing as vtun.
> BUT, if I create the same config files as you did, I can't establish the
> tunnel. Are there rules missing in your howto?
> With your config, should I normally be able to access the other subnet
> via vtun?
> Just to have it establish (no ping available between the 2 subnets), I
> have to change to the tcp protocol and add rules like that:
> ACCEPT fw net 5000
> ACCEPT net fw 5000
>
> where is the problem?
>
> What I can say is that if I open everything (ACCEPT for INPUT, OUTPUT,
> FORWARD and MASQUERADE all but tun+), the connection is up via vtun, ping
> is ok, and samba too (with UDP and TCP).
>
> Could you explain to me why?
>
> What have I missed?
>
>
> Thanks
> regards.
>
> JO
>
>
>
> ------------------------------
>
> Message: 7
> Date: Sun, 03 Aug 2003 18:51:42 +0200
> From: joel fernandez <bascos@free.fr>
> Subject: [Shorewall-users] can''t establish vtun tunnel
> To: shorewall-users@lists.shorewall.net
> Message-ID: <3F2D3D9E.8000402@free.fr>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Hi all,
>
> And thanks for what you did (shorewall) and what you do (helping on this
> mailing list).
>
> I would like to create a tunnel based on vtun (protocol udp port 5000).
> To do so, i followed your "howto" about openvpn under shorewall, which
> seems the same thing as vtun.
> BUT, if I create the same config files as you did, I can't establish the
> tunnel. Are there rules missing in your howto?
> With your config, should I normally be able to access the other subnet
> via vtun?
> Just to have it establish (no ping available between the 2 subnets), I
> have to change to the tcp protocol and add rules like that:
> ACCEPT fw net 5000
> ACCEPT net fw 5000
>
> where is the problem?
>
> What I can say is that if I open everything (ACCEPT for INPUT, OUTPUT,
> FORWARD and MASQUERADE all but tun+), the connection is up via vtun, ping
> is ok, and samba too (with UDP and TCP).
>
> Could you explain to me why?
>
> What have I missed?
>
>
> Thanks
> regards.
>
> JO
>
>
> ------------------------------
>
> Message: 8
> Date: Sun, 03 Aug 2003 10:27:01 +0200
> From: joel fernandez <bascos@free.fr>
> Subject: [Shorewall-users] vtun on shorewall
> To: shorewall-users@lists.shorewall.net
> Message-ID: <3F2CC755.40808@free.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi all,
>
> And thank you all for your job.
> I would like to have my vpn run but I can't for the moment.
> I followed the guidelines on how to configure a vpn with openvpn, but I
> think something is missing in my configuration.
> I know that it's normally the same protocol and the same port (UDP 5000).
> What I would like to have:
>
>
>          subnet A (192.168.2.X)
>                 |
>                 |
>      firewall A  shorewall + vtun
>          |                |
>     192.168.0.1           |
>          |                |
>          |                |
>        vtun              ppp
>          |                |
>          |                |
>     192.168.0.2           |
>          |                |
>      firewall B  shorewall + vtun
>                 |
>                 |
>          subnet B (192.168.33.X)
>
> According to your HOWTO, I only have to put:
> on firewall A & B:
> /etc/shorewall/zones:
>     vpn     VPN     remote access
>
> /etc/shorewall/tunnels:
>     openvpn net     0/0
>
> on firewall A
> /etc/shorewall/interfaces:
>     vpn     tun+    192.168.33.255
>
> on firewall B
> /etc/shorewall/interfaces:
>     vpn     tun+    192.168.2.255
>
> on firewall A
> /etc/vtund.conf
> default {
>   type tun;
>   proto udp;
>   encr yes;
>   comp lzo:1;
>   keepalive yes;
> }
>
> la {
>   pass XXXX;
>   up {
>     ifconfig "%% 192.168.0.2 pointopoint 192.168.0.33";
>     route "add -net 192.168.33.0 netmask 255.255.255.0 gw 192.168.0.33";
>   };
>
>   down {
>     ifconfig "%% delete";
>   };
> }
>
>
> on firewall B
> /etc/vtund.conf
> default {
>   type tun;
>   proto udp;
>   encr yes;
>   comp lzo:1;
>   keepalive yes;
> }
>
> la {
>   pass XXXX;
>   up {
>     ifconfig "%% 192.168.0.33 pointopoint 192.168.0.2";
>     route "add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.2";
>   };
>
>   down {
>     ifconfig "%% delete";
>   };
> }
>
> Thanks for help, and sorry for this long text.
>
> Bye
>
> jo
>
>
> ------------------------------
>
> Message: 9
> Date: 05 Aug 2003 13:56:12 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: RE: [Shorewall-users] DNAT Not quite working.
> To: Dave B <dragin33@hotmail.com>
> Cc: shorewall-users@lists.shorewall.net
> Message-ID: <1060116972.26500.24.camel@wookie.shorewall.net>
> Content-Type: text/plain
>
> On Tue, 2003-08-05 at 13:44, Dave B wrote:
> > >Hi i've been having some issues with shorewall lately. You see, I'm using
> > >DNAT to port forward some ports.. some for gaming are working great but i
> > >have a few port forwards that are acting strangely. First i had an HTTP
> > >server running on box 192.168.5.41 and port 8129. Now, when clients
> > >requested the page from the outside they said it looked like they were
> > >going to get it for a sec and then it failed.. they got nothing. This was
> > >puzzling me so i installed ethereal. It seems that i got the packet fine
> > >on 192.168.5.41. I got a SYN packet from the internet client. My box then
> > >sent back a SYN ACK... which the client does not receive! (i had ethereal
> > >on there as well.) So then the client sends another SYN thinking that
> > >something is wrong... and the process continues until time out. Second, i
> > >tried to do an FTP server on port 2121 (PASV) and now that's doing the
> > >same thing!
> >
> > >I don't understand this since my policy is
> > >loc net ACCEPT.
> > >in fact, it's all based off the two-interface example posted on
> > >shorewall.net.
> >
> > >Shorewall Version: 1.4.2
> > >IPs are eth0 192.168.1.3 (Net)
> > >eth1 192.168.5.3 (Loc)
> >
> > >POLICY
> > >loc net ACCEPT
> > >net all DROP
> > >all all REJECT
> >
> > >RULES
> > >DNAT net loc:192.168.5.40 tcp 8129 -
> > >DNAT net loc:192.168.5.40 tcp 2121:2131 -
> >
> > >INTERFACES
> > >net eth0 192.168.1.255 routefilter
> > >loc eth1 192.168.5.255
> >
> > >I think that's all the info. Any Clues??
> >
> >
> > Taking a closer look, i bypassed my router and my shorewall
> > firewall/gateway and plugged the web/ftp server right into the modem. I
> > tried having my internet clients connect and they were able to log into the
> > ftp server and get the webpage on port 8129 perfectly.. now i know it's not
> > the ISP blocking stuff. BUT WHAT'S WRONG?!
>
> I SEE WE'RE NOW GOING TO YELL -- I ASKED YOU IN MY LAST POST IF THE HTTP
> SERVER CAN PING YOUR ISP'S ROUTER AND YOU DIDN'T ANSWER.
>
> I WILL NOW ALSO ASK YOU IF THE HTTP SERVER'S DEFAULT ROUTE IS BACK
> THROUGH THE SHOREWALL SYSTEM OR IS IT THROUGH SOME OTHER GATEWAY?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
>
> ------------------------------
>
> Message: 10
> Date: 05 Aug 2003 13:59:24 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] vtun on shorewall
> To: joel fernandez <bascos@free.fr>
> Cc: shorewall-users@lists.shorewall.net
> Message-ID: <1060117164.26500.28.camel@wookie.shorewall.net>
> Content-Type: text/plain
>
> The reason that your posts have been going "into the ether" is that your
> mail server presents itself with a DNS name that doesn't resolve. Since
> this is a common spammer trait, mail like that gets rejected here until
> I notice it and create an exception entry in a table.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
>
> ------------------------------
>
> Message: 11
> Date: Tue, 5 Aug 2003 13:53:28 -0700 (PDT)
> From: Joshua Banks <l0f33t@yahoo.com>
> Subject: Re: [Shorewall-users] Shorewall 1.4.6b
> To: Tom Eastep <teastep@shorewall.net>
> Cc: Shorewall Announcements <shorewall-announce@lists.shorewall.net>,
> Shorewall Users <shorewall-users@lists.shorewall.net>
> Message-ID: <20030805205328.87257.qmail@web42006.mail.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
> Thanks Tom and Homer.
>
> JBanks
> --- Tom Eastep <teastep@shorewall.net> wrote:
> > On Tue, 2003-08-05 at 13:33, Joshua Banks wrote:
> > > Hello,
> > >
> > > I have Shorewall installed on Mandrake 9.0, kernel version 2.4.19-16mdk.
> > > Shorewall version 1.4.6a. I downloaded 1.4.6b.....stopped shorewall,
> > > and tried to run the rpm. This is what I got from the command line:
> > > [root@localhost Documents]# rpm -ivh --nodeps shorewall-1.4.6b-1.noarch.rpm
> > > Preparing... ########################################### [100%]
> > > file /usr/share/shorewall/firewall from install of shorewall-1.4.6b-1
> > > conflicts with file from package shorewall-1.4.6a-1
> > > file /usr/share/shorewall/version from install of shorewall-1.4.6b-1
> > > conflicts with file from package shorewall-1.4.6a-1
> > >
> > > This is the first time that I have run into this since running
> > > shorewall version 1.4.2.
> > >
> > > I'm a noob so maybe I've done something that I don't realize. Please help.
> >
> > You should be using the 'U' (Update) command to rpm rather than the 'i'
> > (install) command.
> >
> > -Tom
> > --
> > Tom Eastep \ Shorewall - iptables made easy
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> >
>
> ------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
> End of Shorewall-users Digest, Vol 9, Issue 15
> **********************************************
>
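The DNAT thread in the digest (messages 5 and 9) describes one symptom, a SYN that reaches the server and a SYN/ACK the client never sees, and Tom's reply asks the question that usually explains it: where the server's default route points. The script below is an added example, not code from the thread or from Shorewall, that turns those two observations into a check. It parses the DNAT rules exactly as quoted, tracks each client flow in tcpdump-style capture lines, flags a flow where the server keeps answering SYN with SYN/ACK while the client keeps retransmitting SYN, and compares the server's default gateway with the firewall's loc address (192.168.5.3 in the thread). It also compares the DNAT target in the quoted rules (192.168.5.40) with the host that saw the SYN (192.168.5.41) and reports the mismatch without deciding which of the two is the typo. The capture lines, the routing table and the client address 203.0.113.7 are constructed for the example and are not from the page.

```python
"""Added example, not from the thread: check a Shorewall DNAT port-forward whose
SYN/ACK never reaches the Internet client.  Every input below is constructed."""
import re
from collections import defaultdict

# /etc/shorewall/rules as quoted in the thread (ACTION SOURCE DEST PROTO DEST-PORT(S)).
RULES = """
DNAT net loc:192.168.5.40 tcp 8129 -
DNAT net loc:192.168.5.40 tcp 2121:2131 -
"""

# Constructed tcpdump-style lines standing in for the ethereal capture on the server:
# the client (203.0.113.7, a documentation address) keeps retransmitting SYN.
BROKEN_CAPTURE = """
IP 203.0.113.7.51234 > 192.168.5.41.8129: Flags [S]
IP 192.168.5.41.8129 > 203.0.113.7.51234: Flags [S.]
IP 203.0.113.7.51234 > 192.168.5.41.8129: Flags [S]
IP 192.168.5.41.8129 > 203.0.113.7.51234: Flags [S.]
IP 203.0.113.7.51234 > 192.168.5.41.8129: Flags [S]
IP 192.168.5.41.8129 > 203.0.113.7.51234: Flags [S.]
"""

# Constructed healthy three-way handshake for comparison.
HEALTHY_CAPTURE = """
IP 203.0.113.7.51235 > 192.168.5.41.8129: Flags [S]
IP 192.168.5.41.8129 > 203.0.113.7.51235: Flags [S.]
IP 203.0.113.7.51235 > 192.168.5.41.8129: Flags [.]
"""

# Constructed `ip route` output from the server; 192.168.5.3 is the firewall's loc
# address from the thread, so a default route via anything else is the suspect case.
SERVER_ROUTES = """
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.41
default via 192.168.5.1 dev eth0
"""
FIREWALL_LOC_IP = "192.168.5.3"

PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def parse_dnat_rules(text):
    """Map (proto, port) -> DNAT target; a range such as 2121:2131 is expanded."""
    targets = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "DNAT":
            continue
        target_ip = f[2].split(":", 1)[1]          # "loc:192.168.5.40" -> address
        lo, _, hi = f[4].partition(":")
        for port in range(int(lo), int(hi or lo) + 1):
            targets[(f[3], port)] = target_ip
    return targets


def handshake_states(capture):
    """Per client flow: how many SYN, SYN/ACK and handshake-completing ACK were seen."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, sport, dst, dport, flags in PKT_RE.findall(capture):
        if flags == "S":
            flows[(src, int(sport), dst, int(dport))]["syn"] += 1
        elif flags == "S.":                         # server's reply: key it by the client
            flows[(dst, int(dport), src, int(sport))]["synack"] += 1
        elif flags == ".":
            flows[(src, int(sport), dst, int(dport))]["ack"] += 1
    return flows


def default_gateway(routes_text):
    m = re.search(r"^default via (\S+)", routes_text, re.MULTILINE)
    return m.group(1) if m else None


def diagnose(rules_text, capture, routes_text, firewall_loc_ip):
    """Return findings; an empty list means the forward and its return path look fine."""
    findings = []
    targets = parse_dnat_rules(rules_text)
    for (client, _cport, server, sport), st in handshake_states(capture).items():
        expected = targets.get(("tcp", sport))
        if expected is None:
            findings.append(f"no DNAT rule forwards tcp/{sport}")
        elif expected != server:
            findings.append(f"DNAT rule for tcp/{sport} targets {expected} "
                            f"but {server} received the SYN")
        if st["synack"] and not st["ack"] and st["syn"] > 1:
            findings.append(f"{server}:{sport} answered {client} with SYN/ACK "
                            f"{st['synack']}x while the client retransmitted SYN "
                            f"{st['syn']}x: the return path is broken")
    gw = default_gateway(routes_text)
    if gw != firewall_loc_ip:
        findings.append(f"server default route is via {gw}, not the Shorewall loc "
                        f"address {firewall_loc_ip}: replies bypass the box that holds "
                        "the NAT state, so the client sees a SYN/ACK it never asked for")
    return findings
```

Run `diagnose(RULES, BROKEN_CAPTURE, SERVER_ROUTES, FIREWALL_LOC_IP)` and it returns three findings for the constructed data: the target mismatch, the broken return path and the foreign default gateway. The last one is the fix that Tom's question points at: the DNAT target's default route has to go back through the Shorewall box, because only that box holds the connection-tracking entry that rewrites the SYN/ACK's source address back to the public one the client connected to; a reply that leaves through any other router carries the private address and the client discards it.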
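Joel's vtun messages (6, 7 and 8 in the digest) post both vtund.conf files and the Shorewall entries he copied from the OpenVPN HOWTO. The script below is an added example, not code from the thread, from vtun or from Shorewall, that cross-checks what those files allow one to check: that the two `up` blocks are mirror images, that each route's gateway is the peer's tunnel address and that the route covers the other side's subnet from his diagram, that both ends agree on protocol and port, and that the Shorewall tunnels entry actually opens that protocol and port. Two defaults are assumptions written into the code rather than facts from the page: vtund's own defaults of tcp and port 5000, and an `openvpn` entry in a Shorewall 1.4 tunnels file opening udp/5000. The posted UDP pair passes every check, so whatever stopped that tunnel is not in these files; switching `proto` to tcp, as he reports doing, makes the udp/5000 tunnels entry insufficient, which is consistent with the extra ACCEPT rules he then needed. The policy between the vpn and loc zones is not quoted in his posts and is outside what this checker sees.

```python
"""Added example, not from the thread, vtun or Shorewall: cross-check a pair of
vtund.conf sessions against each other and against the Shorewall tunnels entry."""
import re

# The two /etc/vtund.conf files as posted, trimmed to what the checks read.
VTUND_A = """
default { type tun; proto udp; encr yes; comp lzo:1; keepalive yes; }
la {
  pass XXXX;
  up {
    ifconfig "%% 192.168.0.2 pointopoint 192.168.0.33";
    route "add -net 192.168.33.0 netmask 255.255.255.0 gw 192.168.0.33";
  };
  down { ifconfig "%% delete"; };
}
"""
VTUND_B = """
default { type tun; proto udp; encr yes; comp lzo:1; keepalive yes; }
la {
  pass XXXX;
  up {
    ifconfig "%% 192.168.0.33 pointopoint 192.168.0.2";
    route "add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.2";
  };
  down { ifconfig "%% delete"; };
}
"""
TUNNELS = "openvpn net 0/0"                            # /etc/shorewall/tunnels as posted
SUBNET_A, SUBNET_B = "192.168.2.0", "192.168.33.0"     # from the posted diagram

VTUN_DEFAULT_PROTO, VTUN_DEFAULT_PORT = "tcp", 5000    # vtund defaults (assumption)
SHOREWALL_TUNNEL_TYPES = {"openvpn": ("udp", 5000)}    # what the entry opens (assumption)


def parse_vtund(text):
    """Pull proto, port and the up-script addresses out of a vtund.conf session."""
    proto = re.search(r"\bproto\s+(udp|tcp)\s*;", text)
    port = re.search(r"\bport\s+(\d+)\s*;", text)
    p2p = re.search(r'ifconfig\s+"%%\s+(\S+)\s+pointopoint\s+(\S+)"', text)
    rt = re.search(r'route\s+"add\s+-net\s+(\S+)\s+netmask\s+\S+\s+gw\s+(\S+)"', text)
    if not (p2p and rt):
        raise ValueError("session has no ifconfig/route lines in its up block")
    return {
        "proto": proto.group(1) if proto else VTUN_DEFAULT_PROTO,
        "port": int(port.group(1)) if port else VTUN_DEFAULT_PORT,
        "local": p2p.group(1), "peer": p2p.group(2),
        "route_net": rt.group(1), "route_gw": rt.group(2),
    }


def ports_opened_by_tunnels(text):
    """Shorewall 1.4 tunnels columns: TYPE[:port] ZONE GATEWAY [GATEWAY ZONE]."""
    opened = set()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ttype, _, port = fields[0].partition(":")
        if ttype in SHOREWALL_TUNNEL_TYPES:
            proto, default_port = SHOREWALL_TUNNEL_TYPES[ttype]
            opened.add((proto, int(port) if port else default_port))
    return opened


def check_pair(a, b, tunnels_text, subnet_a, subnet_b):
    """Return problems found; empty means the two ends and the firewall entry agree."""
    problems = []
    if (a["local"], a["peer"]) != (b["peer"], b["local"]):
        problems.append("pointopoint addresses are not mirror images of each other")
    for side, cfg, remote in (("A", a, subnet_b), ("B", b, subnet_a)):
        if cfg["route_gw"] != cfg["peer"]:
            problems.append(f"{side}: route gateway {cfg['route_gw']} is not the peer {cfg['peer']}")
        if cfg["route_net"] != remote:
            problems.append(f"{side}: route covers {cfg['route_net']}, expected {remote}")
    if (a["proto"], a["port"]) != (b["proto"], b["port"]):
        problems.append("the two ends disagree on proto/port")
    need = (a["proto"], a["port"])
    opened = ports_opened_by_tunnels(tunnels_text)
    if need not in opened:
        problems.append(f"tunnels entry opens {sorted(opened)}, but vtun as configured "
                        f"needs {need}; add a matching ACCEPT rule or tunnels entry")
    return problems
```

`check_pair(parse_vtund(VTUND_A), parse_vtund(VTUND_B), TUNNELS, SUBNET_A, SUBNET_B)` returns an empty list for the posted files. Re-run it after replacing `proto udp` with `proto tcp` on both ends and the only problem reported is the firewall one: the tunnels entry opens udp/5000 while vtun now needs tcp/5000. `ports_opened_by_tunnels` also understands the `openvpn:port` form, so a tunnel moved to a different port can be checked the same way.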