Displaying 20 results from an estimated 41 matches for "add_ip_aliases".
2002 May 02
0
ADD_IP_ALIASES
There is a lingering level of anxiety regarding the way that Shorewall
adds IP addresses for NAT under the ADD_IP_ALIASES="Yes" option.
Up to now, Shorewall has added these 'aliases' as single addresses (/32)
without subnet or broadcast address.
The current Beta 'firewall' script adds these aliases using the same VLSM
and Broadcast address as the primary IP address for t...
2005 Feb 07
3
RE: Problems With NAT/Multi IPs Settings... Shorewall 2.2
...ince =(
>Exact error messages are helpful -- vague references to "...or
>something..." are not helpful.
Sorry about that.. I'm usually very good about posting correct errors
messages but I was far from our server room at the time of the post
>This sounds like you have ADD_IP_ALIASES=Yes in shorewall.conf.
Yes, you are correct. I turned that off, and lo and behold the settings were
now being accepted once again. Still not working, but I'm leaving the office
now so no time to continue.
>If you are configuring eth0:1 using a tool included with
>Mandrake/Fedora/D...
2005 Feb 07
2
Problems With NAT/Multi IPs Settings... Shorewall 2.2
So I am trying to get a firewall up at work using Shorewall 2.2 / Mandrake
RC 1, where we have multi-ips assigned to a single machine....
Now at one point I had Shorewall and Mandrake configured and it was
working... this was our setup essentially (I'll use 192.0.0.x as our
external IP addresses)
In ifconfig:
eth0 192.0.0.202 nmask 255.255.255.248
eth0:1 192.0.0.203 nmask
2004 Oct 21
6
After shorewall restart NAT SMTP connection slow; reboot and it works fine
I recently implemented v2.0.9 using 'shorewall setup guide' 2004-07-31.
Starting with block everything not known to be in use and opening ports
as complaints come in. This has led to a few rule changes. After a
rule change I use shorewall restart to reload the rules. Seems to work
OK... except for an outbound NAT SMTP connection from a mail server on
.122 to postini.com. The
2004 Nov 20
5
Differences in masq from 1.4 -> 2.0?
...h our 1.4 files, and can't spot the
problem. What am I missing?
Here's the relevant info (I think):
zones:
net Net Internet
sls sls SLS network
interfaces:
sls eth0 detect routefilter
net eth1 detect routefilter,tcpflags
shorewall.conf:
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
masq:
eth1 10.2.200.0/24 -
eth1 139.142.66.4/32 139.142.65.146
eth1 10.2.250.0/24 139.142.65.146
eth1 10.2.220.0/24 139.142.65.146
eth1 10.2.201.0/24 139.142.65.146
one of the relevant lines in rules:
ACCEPT sls net tcp 110 -
139.14...
2006 Oct 23
3
command not found error
I am running version 3.0.7 of Shorewall on a Debian Sarge system, but when I
start Shorewall I get this:
/usr/share/shorewall/firewall: line 204: 4: command not found
I looked there and found this:
# Run ip and if an error occurs, stop the firewall and quit
#
run_ip() {
if ! ip $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"ip
2005 Feb 15
5
dnat problem
Hi, I'm running shorewall 2.0.16 with centos 3 (iptables v1.2.8), everything
is working fine for several days, I have configured a masq lan and all the
outgoing traffic is ok, but now I want to redirect (port forward) the
external web traffic to an internal machine, something like this
INTERNET ---------> SHOREWALL -------------------> INTERNAL_MACHINE
[public
2003 Aug 12
1
Shorewall Keeps sending false IP Address Conflict
...=start
+ '[' 1 -ne 1 ']'
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=Yes
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ LOGUNCLEAN=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ NAT_BEFORE_RULES=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ NEWNOTSYN=
+ LOGNEWNOTSYN=
+ FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_DISPOSITION=
+...
2004 Sep 16
0
Shorewall-2.1.9
...results.
New Features:
1) To improve interoperability, tunnels of type 'OpenVPN'
~ no longer enforce use of the specified port as the
~ source port as well as the destination port.
2) During "shorewall start", IP addresses to be added as a consequence
~ of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
~ when /etc/shorewall/nat and /etc/shorewall/masq are processed then
~ they are re-added later. This is done to help ensure that the
~ addresses can be added with the specified labels but can have
~ the undesirable side effect of causing r...
2002 May 04
0
Shorewall 1.2.13 Available
In this release:
1. Whitelist support has been added.
2. Optional SYN Flood protection is now available.
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
now use the VLSM and broadcast address of the interface's
primary address.
4. Port forwarding rules may now optionally override the
contents of the /etc/shorewall/nat file.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.sh...
2004 Sep 10
1
RE: Is ProxyARP or NAT entries really necessary for DNAT to work?
I forgot to include my masq file. It's pretty straightforward:
eth2 eth0
eth2 eth1
Cheers,
Brian
2009 Mar 14
0
shorewall, ucarp & conntrackd on debian
...shorewall, ucarp and conntrackd in
an active/backup way. ucarp just calls ifup/ifdown, all network configuration
is maintained in /etc/network/interfaces (Debian), also starting/stopping
ucarp/conntrackd/openvpn/etc.
here is what I've needed to configure in shorewall:
shorewall.conf
ADD_IP_ALIASES=No
# if yes, you kill all connections on restarting shorewall
rules:
# ucarp
ACCEPT $FW net:224.0.0.22 igmp
ACCEPT $FW net:224.0.0.18 vrrp
# conntrackd
ACCEPT $FW vl20:224.0.0.22 igmp
ACCEPT $FW vl20:225.0.0.50...
2003 Jan 25
0
Shorewall 1.3.14 Beta 1
...wall.conf is ignored and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will generate an
error.
2) It is now possible to direct Shorewall to create a "label" such as
"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
instead of just the interface name:
a) In the INTERFACE column of /etc/shorewall/masq
b) In the INTERFACE column of /etc/shorewall/nat
3) When an interface name is entered in the SUBNET column of the
/etc/shorewall/...
2003 Feb 08
1
Shorewall 1.3.14
...l.conf is ignored and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will generate an
error.
2) It is now possible to direct Shorewall to create a "label" such as
"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
instead of just the interface name:
a) In the INTERFACE column of /etc/shorewall/masq
b) In the INTERFACE column of /etc/shorewall/nat
3) The ability to name your VLAN interfaces using the $dev.$vid
convention...
2003 Aug 05
4
Shorewall 1.4.6b
...all stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
4) A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully
added in spite of the messages.
The firewall script has been modified to eliminate the error
messages.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewal...
2003 Aug 09
0
Snapshot 20030809
...all stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
4) A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully
added in spite of the messages.
The firewall script has been modified to eliminate the error
messages.
Migration Issues:
1) Once you have installed this version of Shorewall, you must
r...
2002 Aug 22
3
Questions about NAT and MASQ and more
Hello,
I'm working on a Shorewall-1.2 setup on a _remote_ debian (woody)
firewall with several live web and mail servers behind it. I know doing
this remotely is a *really* bad idea, and I'd rather not be in this
situation, but so it goes... Worst case scenario, I lock myself out and
have to drive an hour to get physical access to the machine and restore
service. Anyhow,
2002 May 14
4
Redirect loc::80 to fw::3128 not work
...ar/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE="1/minute"
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"
NAT_BEFORE_RULES="Yes"
#[/etc/shorewall/start]-----------------------------------------------
run_iptables -I OUT...
2005 Mar 10
7
norfc1918 not working in SW 2.2.1?
..._LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall/action:/etc/shorewall/custom:/etc/shorewall:/usr/share/shorewall
FW=fw
IP_FORWARDING=Off
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=No
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
BLACKLIST_DISPOSITION=DROP
MACLIST_D...
2002 May 14
3
[Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
...ar/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE="1/minute"
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"
NAT_BEFORE_RULES="Yes"
#[/etc/shorewall/start]-----------------------------------------------
run_iptables -I OUT...