Displaying 20 results from an estimated 45 matches for "add_snat_aliases".
2002 Mar 20
3
Shorewall 1.2.10
...d attempts to
restart Shorewall using an alternate configuration and if that
attempt fails, Shorewall is automatically started with the default
configuration. This is useful for remote administration where a
failed restart of Shorewall can leave you isolated from the
firewall.
2. If ADD_SNAT_ALIASES=Yes, aliases for SNAT will now be automatically
added.
3. A copyright has been added to all documentation.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
2004 Oct 21
6
After shorewall restart NAT SMTP connection slow; reboot and it works fine
I recently implemented v2.0.9 using 'shorewall setup guide' 2004-07-31.
Starting with block everything not known to be in use and opening ports
as complaints come in. This has led to a few rule changes. After a
rule change I use shorewall restart to reload the rules. Seems to work
OK... except for an outbound NAT SMTP connection from a mail server on
.122 to postini.com. The
2003 Jun 27
1
More re: Snapshot 20030627
I failed to save the changelog before creating the snapshot -- here it is:
Changes since 1.4.5
1) Worked around RH7.3 "service" anomaly.
2) Implemented 'newnotsyn' interface option.
3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
behavior in that case.
4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
5) Allow Shorewall to add aliases to other than the first subnet on an
interface.
6) Add support for load-balancing.
7) Toned down the disclaimer for the 'check' command.
8) Implemented support for t...
2003 Feb 23
1
RTSP problems (and SNAT questions)
...sted to me that SNAT might
perform better than MASQ in this respect.
I edited my shorewall/masq file as such:
eth0 eth1 12.34.56.78
or should it be?
eth0 10.0.0.0/24 12.34.56.78
First, is this all that is necessary to properly start using SNAT? I was
unsure whether I should use ADD_SNAT_ALIASES=yes also or instead or not.
Second, if I have ETH0_IP=`find_interface_address eth0` in my params file, I
can have
eth0 eth1 $ETH0_IP
in the masq file, correct? The commented help in the params file doesn't
name masq as one of "the other configuration files."
Third, us...
2004 Nov 20
5
Differences in masq from 1.4 -> 2.0?
...d can't spot the
problem. What am I missing?
Here's the relevant info (I think):
zones:
net Net Internet
sls sls SLS network
interfaces:
sls eth0 detect routefilter
net eth1 detect routefilter,tcpflags
shorewall.conf:
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
masq:
eth1 10.2.200.0/24 -
eth1 139.142.66.4/32 139.142.65.146
eth1 10.2.250.0/24 139.142.65.146
eth1 10.2.220.0/24 139.142.65.146
eth1 10.2.201.0/24 139.142.65.146
one of the relevant lines in rules:
ACCEPT sls net tcp 110 -
139.142.65.146 is the ip of...
2004 Sep 15
15
re: start error
The original post was over 300,000kb so I didn't spam the list with it -TE.
|
|
| Thank you for your quick and helpful response.
|
| I didn't understand that the virtual interface eth0:1 doesn't count as
a separate instance from eth0.
| I am sorry to ask for further assistance and would appreciate any
help. The error
2003 Jun 29
3
Snapshot 20030629
...erface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
4) DNAT[-] rules may now be used to load balance (round-robin) over a
set of servers. Up to 256 servers may be specified in a range of
addresses given as <firs...
2004 Aug 20
11
Cannot ping an address on the internet !
I have allowed ALL of the local users to ping the internet but they
currently get the following error and cannot access the internet !
I know it is something I have done wrong (I think it is a routing problem
but just cannot find out what)
The error is:-
Reply from 212.219.13.74: destination host unreachable.
My eth1 is 10.0.0.1 and the users can ping that OK
My eth0 is 212.219.13.74 (connected
2003 Aug 12
1
Shorewall Keeps sending false IP Address Conflict
...'[' 1 -ne 1 ']'
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=Yes
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ LOGUNCLEAN=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ NAT_BEFORE_RULES=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ NEWNOTSYN=
+ LOGNEWNOTSYN=
+ FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_DISPOSITION=
+ TCP_FLAGS_LOG_LEVEL=...
2004 Dec 30
9
shorewall shutting down eth0
Hello,
My server is on Mandrake 10.1 off.
eth0 is WAN with static IP connected 512 DSL
eth1 is LAN.
My default shorewall settings are :
Source zone Destination zone Policy Syslog level Traffic limit
loc net ACCEPT None None
fw net ACCEPT None None
net Any
2003 Jun 20
7
NAT PAT & SNAT
Hi!
I've been searching the net for information about this topic, but I can't
find anything relevant to my problem or I don't understand the answer
completely. Please enlighten me... :-)
I'm trying to replace a Cisco PIX firewall with a Linux Shorewall box. Today
the users behind the Cisco FW are on a NAT-network and in the same network
there are a couple of
2004 Sep 16
0
Shorewall-2.1.9
...:
1) To improve interoperability, tunnels of type 'OpenVPN'
no longer enforce use of the specified port as the
source port as well as the destination port.
2) During "shorewall start", IP addresses to be added as a consequence
of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
when /etc/shorewall/nat and /etc/shorewall/masq are processed then
they are re-added later. This is done to help ensure that the
addresses can be added with the specified labels but can have
the undesirable side effect of causing routes to be quietly
...
2004 Jul 13
0
Shorewall 2.1.1
...1.0/24 and is connected to eth2 which has IP address
192.168.1.254.
/etc/shorewall/masq has added:
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
The above rule uses the new features:
The leading "+" causes the rule to be placed ahead of one-to-one NAT
rules. The "::" prevents ADD_SNAT_ALIASES=Yes from trying to add
192.168.1.254 as an IP address on eth0.
/etc/shorewall/proxyarp has added
192.168.1.1 eth0 eth2 yes
/etc/network/interfaces (Debian-specific) has the last line below added:
iface eth0 inet static
address 206.124.146.176...
2003 Sep 15
0
Shorewall 1.4.7 Beta 2
...any
existing rules for the subject IP address before adding a new DROP
or REJECT rule. Previously, there could be many rules for the same
IP address in the dynamic chain so that multiple 'allow' commands
were required to re-enable traffic to/from the address.
2) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in
/etc/shorewall/masq resulted in a startup error:
eth0 eth1 206.124.146.20-206.124.146.24
3) Shorewall previously choked over IPV6 addresses configured on
interfaces in contexts where Shorewall needed to detect something
about the int...
2003 Aug 27
2
Shorewall-1.4.6c
This fixes a problem discovered by Antonio Pallua. If
ADD_SNAT_ALIASES=Yes, then the following entry in /etc/shorewall/masq
generates a startup error:
eth0 eth1 212.103.200.20-212.103.200.24
The problem also exists in 1.4.7 Beta 1 -- the 'firewall' and
'functions' scripts in CVS correct the problem in that version an...
2003 Jun 22
0
Snapshot 1.4.5_20030621
...erface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets on an interface other
than the first one.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
2003 Jun 23
0
Snapshot 20030623
...erface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
4) DNAT[-] rules may now be used to round-robin over a set of
servers. Up to 256 servers may be specified in a range of addresses
given as <first address>-...
2002 May 04
0
Shorewall 1.2.13 Available
In this release:
1. Whitelist support has been added.
2. Optional SYN Flood protection is now available.
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
now use the VLSM and broadcast address of the interface's
primary address.
4. Port forwarding rules may now optionally override the
contents of the /etc/shorewall/nat file.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #607...
2006 Mar 28
0
Shorewall 3.0.6
...shell syntax error was reported when duplicate policies appeared in
/etc/shorewall/policy.
4) The iptable_nat and iptable_mangle modules were previously omitted
from /etc/shorewall/modules.
5) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq
and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall
start" will fail with the error 'Error: an inet prefix is expected rather
than "SAME".'.
6) Previously, the 'routeback' option was ignored in an entry in the
/etc/shorewall/hosts file that...
2008 Feb 17
0
Re: NAT
...' and made a few changes to Engardes setup.
> Namely, in /etc/shorewall/interfaces I replaced the 'detect' with the
> actual IP addresses, in /etc/shorewall/masq I added the external IP
> address to the 3rd column and in /etc/shorewall/shorewall.conf I set
> ADD_SNAT_ALIASES=Yes.
It appears that you are running a DNS server on your firewall yet you
haven't enabled DNS from the local net (int zone) to the firewall or
from the firewall to the internet (ext zone).
>
> Made no difference. In /etc/shorewall/shorewall.conf I then set
> CLAMPMSS=Yes....