search for: eth1_fwd

...all zones on this firewall. It seemed that creating a zone would allow for this to be done cleanly via a line in the policy file. I defined this special subnet as the "sys" zone. To test I''m sending traffic from "sys" to "pubsh". The pkt goes through chain eth1_fwd then goes to dmz2pubsh then goes to all2all where it is rejected by the default all2all reject policy. If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd it would be caught by sys2all and be allowed. Is there some reordering I can do to achieve such a result? Hosts: ------ s...

...t change anything. So here is what I have done, I ran tcpdump to make sure packets are reaching server which they are. There is no shorewall items in logfile to show block. I then did shorewall dump, which shows the iptables counts. The thing that looks funny is the packets are going to net2loc and eth1_fwd, instead of net2fw and eth1_in. Attached is my shorewall dump. Thanks, Brian

...39;m v1.3.1). Only one line, again. root@servidor:/usr/src/ipp2p-0.8.0# iptables -L FORWARD Chain FORWARD (policy DROP) target prot opt source destination DROP !icmp -- anywhere anywhere state INVALID eth0_fwd all -- anywhere anywhere eth1_fwd all -- anywhere anywhere Reject all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 5/min burst 2 LOG level info prefix `Shorewall:FORWARD:REJECT:'' reject all -- anywhere anywhere I don'&...

...prot opt in out source destination 677K 448M eth0_fwd all -- eth0 any anywhere anywhere 417K 452M tun_fwd all -- tun+ any anywhere anywhere 294 34569 tun99_fwd all -- tun99 any anywhere anywhere 1600 696K eth1_fwd all -- eth1 any anywhere anywhere 244K 67M eth3_fwd all -- eth3 any anywhere anywhere 0 0 Reject all -- any any anywhere anywhere 0 0 LOG all -- any any anywhere anywhere L...

...-- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 2 packets, 96 bytes) pkts bytes target prot opt in out source destination 260 201K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 297 43893 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 tunl_fwd all -- tunl+ * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0...

Hi all, I have seen Shorewall places the state verification rules (-m state --state ESTABLISHED,RELATED) as the first rule in a zone2zone chain. This means that state checking is done after all the rules involving from this zone to this zone. As you could have a lot of them, wont be better to place them just after checking the state is not invalid? This will mean a lot of packages will be

...l -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 14786 14M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 11823 1055K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 tunl_fwd all -- tunl+ * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0...

...0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 20 packets, 960 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 302K 170M eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 1095K 409M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 752K 360M eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0 0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 0 0...

...ain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 34 15323 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 56 13757 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 l...

...0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 20 packets, 960 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 302K 170M eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 1095K 409M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 752K 360M eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0 0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 0 0...

...l -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 414 26802 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'...

...mcbafw shorewall]# grep ''blacklst'' /tmp/iptables.save :blacklst - [0:0] [0:0] -A blacklst -m mac --mac-source 00:04:E2:83:7C:75 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 7 [0:0] -A blacklst -m mac --mac-source 00:04:E2:83:7C:75 -j DROP [1260:97713] -A eth1_fwd -j blacklst [1086:255521] -A eth1_in -j blacklst the blacklst rull has not bee triggered but the log entries continue :( I thought I had a handle on this stuff but I guess that is what I get for thinking. There is obviously something I am missing here but I am stumped ohyeah, [root@fumcbafw...

hi all, shorewall claim that support stateful connection. But I read the document, I can''t found any configuration on it like in iptables e.g. -m -state NEW, ESTABLISHED something like like. Is shorewall by default is staeful connection for any connectione.g. web, http

Hi everybody I have a Problem with Masquerading from my local net (loc) to my VPN (loc2). I can reach every Service from loc2 in loc, but I can''t get reach any service from loc in loc2. Has somebody an Idea where my mistake is ? Without shorewall, it was working. Thanks for helping Lars Technical Information : Shorewall 2.0.13 Suse 9.0 *177.177.77.X The first 3 Counts are changed

.../0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 xenbr0_fwd all -- xenbr0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'' 0 0...

...0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 618 85948 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 795 96621 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'...

...0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'...

...* 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 26 1688 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 4 170 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 24 1592 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0....

...0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 12 576 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 12 576 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in o...

...DROP 1 packets, 76 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 42 2332 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 21 1384 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 6 384 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0...