search for: filterping

...fw ACCEPT net loc DROP info net fw DROP info all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE interfaces net eth2 detect filterping loc eth0 detect filterping dmz eth1 detect and when I tried to go to the net the messages are: Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC =192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00...

...net loc DROP info > net fw DROP info > all all REJECT info > #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE > > interfaces > > > net eth2 detect filterping > loc eth0 detect filterping > dmz eth1 detect > > > and when I tried to go to the net the messages are: > Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 > OUT=eth2 SRC > =192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x...

How do I allow traceroute to reach my server? Pings work fine but traceroute stops at the last hop before my server. If I shut off the firewall it reaches it fine. PING danicar.net (24.222.246.120): 56 data bytes 64 bytes from 24.222.246.120: icmp_seq=0 ttl=237 time=104.0 ms 64 bytes from 24.222.246.120: icmp_seq=1 ttl=237 time=74.9 ms 64 bytes from 24.222.246.120: icmp_seq=2 ttl=237 time=90.6

...19 Dec 2002 20:14:10 -0000 1.146 +++ firewall 19 Dec 2002 21:14:14 -0000 @@ -597,7 +597,7 @@ eval ${interface}_zone="$z" eval ${interface}_options=\"$options\" - for option in `separate_list $options`; do + for option in $options; do case $option in dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags) ;; @@ -2160,8 +2160,8 @@ if [ "$loglevel" = ULOG ]; then run_iptables2 -A $chain $proto $multiport \ $state $cli $sports $serv $dports -j ULOG $LOGPARMS \ - --ulog-prefix "Shorewall:$chain:$logtarget:" \ -...

...orm <device>:<integer> in /etc/shorewall/interfaces now generate an error. 3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error at startup as will specification of the ''noping'' or ''filterping'' interface options. 4. The ''routestopped'' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified. 5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer...

Another bug with similar symptoms to the last one has been found by Renato Tirol. The bug fixed by the earlier errata update affects the following options: dhcp dropunclean logunclean norfc1918 routefilter multi filterping noping The bug reported by Renato and fixed in the current errata update affects: routestopped The new update is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.1/firewall -Tom -- Tom Eastep \ Shorewall - iptabl...

...re zone A is a subzone of sone B. 4. The whitelist capability has been deimplemented. With recent changes to the firewall structure and change 3. above, white lists are now best implemented using zones as shown at: http://www.shorewall.net/whitelisting_under_shorewall.htm 5. A ''filterping'' interface option has been added to allow the rules and policy files to control the handling of ICMP echo-request (ping) requests that are addressed to the firewall. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ t...

...<device>:<integer> in /etc/shorewall/interfaces now generate an error. 3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error at startup as will specification of the ''noping'' or ''filterping'' interface options. 4. The ''routestopped'' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified. 5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longe...

...as it has always been (see http://www.shorewall.net/ping.html). When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies just like any other connection request. The FORWARDPING option in shorewall.conf is ignored and the ''noping'' and ''filterping'' options in /etc/shorewall/interfaces will generate an error. 2) It is now possible to direct Shorewall to create a "label" such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying the labe...

...t has always been (see http://www.shorewall.net/ping.html). When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies just like any other connection request. The FORWARDPING option in shorewall.conf is ignored and the ''noping'' and ''filterping'' options in /etc/shorewall/interfaces will generate an error. 2) It is now possible to direct Shorewall to create a "label" such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying the l...

...************************************************************************************* shorewall on the linux side ************************************************************************************* # Shorewall 1.3 -- Interfaces File # # /etc/shorewall/interfaces net ppp0 - dhcp,noping loc eth0 - filterping vpn ipsec0 - # _____________________________________________________________________________________ # Shorewall 1.3 -- Policy File # # /etc/shorewall/policy loc net ACCEPT fw net ACCEPT net all DROP info vpn loc ACCEPT - loc vpn ACCEPT - all all REJECT info ___________________________...

...e form <device>:<integer> in /etc/shorewall/interfaces now generate an error. 3) Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error at startup as will specification of the ''noping'' or ''filterping'' interface options. 4) The ''routestopped'' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified. 5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer a...

The ''firewall'' script currently in the /Shorewall CVS project: a) Is approximately 15% faster starting/restarting on my configuration -- please report your experiences with it. b) Reloads Traffic Control/Shaping as part of "shorewall refresh" c) Turns off the shell trace after an error has occured (except when the command being traced is "stop" or

To rephrase the question, "Can I use masquerading and proxy ARP in the same zone simultaneously?" It''s not a stupid question--I couldn''t see any reason why it wouldn''t work, but I had actually try it out to convince myself that it did (which isn''t a bad thing to do before posting the question to the list, by the way). In any case, the answer is

...e form <device>:<integer> in /etc/shorewall/interfaces now generate an error. 4) Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error at startup as will specification of the ''noping'' or ''filterping'' interface options. 5) The ''routestopped'' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified. 6) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer a...