search for: logunclean

Harald Welte just announced that the 2.6 Kernels will not support the ''unclean'' match extension except via Patch-O-Matic. Since I have a polciy of not supporting Netfilter features that are only available in P-O-M, I will be removing the ''logunclean'' and ''dropunclean'' interface options from Shorewall. In 1.4.7, a warning will be issued if these options are specified. In a later release, the warning will be replaced with an error and the code to create ''unclean'' match rules will be removed. -Tom...

http://shorewall.net/pub/shorewall/Snapshots ftp://shorewall.net/pub/shorewall/Snapshots Problems Corrected since version 1.4.6: 1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being tested before it was set. 2) Corrected handling of MAC addresses in the SOURCE column of the tcrules file. Previously, these addresses resulted in an invalid iptables command.

This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer

...it so it logs on /var/log/ulog.log 2) I''ve modified each appearance of "info" to "ULOG" in my config st3:/etc/shorewall# grep ULOG * policy:net all REJECT ULOG policy:all all REJECT ULOG shorewall.conf:LOGUNCLEAN=ULOG What''s going on here? btw, when I run "shorewall check" I got a msg telling me that it''s deprecated. what should I use instead?

Hello, If I set my network interface to have "logunclean" along with "dhcp,norfc1918,routefilter,noping,tcpflags", then when I connect to http://welcome.hp.com/country/us/eng/support.htm and choose any of the product I get this. logpkt:LOG:IN=eth0 OUT= MAC=00:a0:cc:5b:09:5f:00:08:e2:32:34:70:08:00 SRC=192.151.11.205 DST=24.24.243.178 LEN=...

http://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 ftp://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

I am a new user of shorewall, and am having some difficulty getting it set up on a new Fedora Core 3 system. When I run the shorewall script in the /etc/init.d the following errror message is received. tarting shorewall: ./shorewall: line 26: 10555 Terminated $exec start >/dev/null 2>&1 [FAILED]

...39;' + do_initialize + export LC_ALL=C + LC_ALL=C + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + terminator=startup_error + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + LOGUNCLEAN= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + NAT_BEFORE_RULES= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK...

...y caused "shorewall start" to fail: ACCEPT loc $FW icmp 0,8,11,12 3) Previously, if the following error message was issued, Shorewall was left in an inconsistent state. Error: Unable to determine the routes routes through interface xxx 4) Handling of the LOGUNCLEAN option in shorewall.conf has been corrected. 5) In Shorewall 1.4.2, an optimization was added. This optimization involved creating a chain named "<zone>_frwd" for most zones defined using the /etc/shorewall/hosts file. It has since been discovered that in many cases th...

...r if neither of these two files exist and correctly removes the lock file. 4) The order of processing the various options has been changed such that blacklist entries now take precedence over the ''dhcp'' interface setting. 5) The log message generated from the ''logunclean'' interface option has been changed to reflect a disposition of LOG rather than DROP. 6) The RFC1918 file has been updated to reflect recent IANA allocations. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washingt...

...ile that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8. * The documentation for the routestopped file claimed that a comma-separated list could appear in the second column while the code only supported a single host or network address. * Log messages produced by ''logunclean'', ''dropunclean'' and ''LOGNEWNOTSYN'' were not rate-limited. * 802.11b devices with names of the form wlan<n> don''t support the ''maclist'' interface option. * Log messages generated by RFC 1918 filtering are not rat...

Another bug with similar symptoms to the last one has been found by Renato Tirol. The bug fixed by the earlier errata update affects the following options: dhcp dropunclean logunclean norfc1918 routefilter multi filterping noping The bug reported by Renato and fixed in the current errata update affects: routestopped The new update is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.1/firewall...

...ill ease the migration when the time comes. a) Shorewall 2.0 doesn''t allow you to specify rate limiting in the ACTION column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting specifications over to the RATE LIMIT column. b) The "dropunclean" and "logunclean" interface options are no longer supported on 2.0 so you should remove them from the OPTIONS column in /etc/shorewall/interfaces. c) The Default value for the ALL INTERFACES column in /etc/shorewall/nat switches from "Yes" to "No". So if that column is empty in any of y...

...neither of these two files exist and correctly removes the lock file. 16) The order of processing the various options has been changed such that blacklist entries now take precedence over the ''dhcp'' interface setting. 17) The log message generated from the ''logunclean'' interface option has been changed to reflect a disposition of LOG rather than DROP. 18) When a user name and/or a group name was specified in the USER SET column and the destination zone was qualified with a IP address, the user and/or group name was not being used to qualify...

...ACCEPT loc $FW icmp 0,8,11,12 3. Previously, if the following error message was issued, Shorewall was left in an inconsistent state. Error: Unable to determine the routes through interface xxx 4. Handling of the LOGUNCLEAN option in shorewall.conf has been corrected. 5. In Shorewall 1.4.2, an optimization was added. This optimization involved creating a chain named "<zone>_frwd" for most zones defined using the /etc/shorewall/hosts file. It has since been discovere...

...-------------------------------------- a) Shorewall 2.0 and 2.2 don''t allow you to specify rate limiting in the ACTION column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting specifications over to the RATE LIMIT column. b) The "dropunclean" and "logunclean" interface options are no longer supported on 2.0 and 2.2 so you should remove them from the OPTIONS column in /etc/shorewall/interfaces. c) The Default value for the ALL INTERFACES column in /etc/shorewall/nat switches from "Yes" to "No". So if that column is empty in...

Hi, I''m a long time shorewall user and I like it very much. There is only one thing were I''m not always happy with: the config files. There has been discussion on the list about the comments in the files. My concern is that I loose overview over my configuration because of the many config files. Of course there are advantages too but I thinking wether another config format would

...t previously caused "shorewall start" to fail: ACCEPT loc $FW icmp 0,8,11,12 3) Previously, if the following error message was issued, Shorewall was left in an inconsistent state. Error: Unable to determine the routes through interface xxx 4) Handling of the LOGUNCLEAN option in shorewall.conf has been corrected. 5) In Shorewall 1.4.2, an optimization was added. This optimization involved creating a chain named "<zone>_frwd" for most zones defined using the /etc/shorewall/hosts file. It has since been discovered that in many cases the...

...$FW net udp ntp #[/etc/shorewall/shorewall.conf]-------------------------------------------- --- FW=fw SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall ALLOWRELATED="yes" MODULESDIR="" LOGRATE="1/minute" LOGBURST="5" LOGUNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMSS="Yes" ROUTE_F...