Displaying 20 results from an estimated 158 matches for "norfc1918".
2008 Mar 13
15
using norfc1918
...n't answer on my previous letter, I forget to set
subject. I fix this in current. And now about my question.
I ask you before about method of stopping RFC1918 traffic on
external interface and you advised me follow rule:
REJECT! all net:$RFC1918_NETS
Can I replace this rule by 'norfc1918' option in 'interfaces'
file for this interface?
Alex
2008 Mar 10
2
When starting shorewall its display rfc1981 error
Hello ,
The following is the error problem:
Validating interfaces file...
ERROR: The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:eth2
The shorewall interface file:
net eth2 detect tcpflags,routefilter,norfc1918,nosmurfs,logmartians
P.S. I tried to remove norfc1918 from interface eth2 that can successf...
2004 Dec 10
9
parallel zone: loc2 is composition of loc1
...ombinations in the interface and host files:
interface:
- eth0 - (variante 1)
- eth0 192.168.0.255,255,255,255,255 (variante 2)
- eth0 192.168.0.255,!192.168.0.255 (variante 3)
hosts:
dmz eth0:192.168.0.0/24 maclist
net eth0:0.0.0.0/0 norfc1918 (variante 1)
net eth0:!192.168.0.0/24 norfc1918 (variante 2)
net !eth0:192.168.0.0/24 norfc1918 (variante 3)
the documentation says that it's possible to build the composition of an
interface (!eth0), a network !(192.168.0.0) and ... if I use the
variante 1 and 2 from interfa...
2002 May 14
1
Norfc1918 Blocks all (even with additional rule)
Hi
I had this problem that shorewall blocks all traffic
from net when norfc1918 rule is given to my eth0 (net
ethernet card).
I've added: run_iptables -I rfc1918 -s 192.168.7.10 -j
ACCEPT
To start file but that didn't help.
My configuration: ADSL modem has static 10.***.***.***
ip address to net (ISP does NAT conversion) and my
modem does Nat conversion an...
2005 Mar 10
7
norfc1918 not working in SW 2.2.1?
...54(0) win 5840 <mss 1460,sackOK,timestamp 150878578
0,nop,wscale 0> (DF) [tos 0x10]
/etc/shorewall/interfaces
=======================================================
[root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/interfaces
net bond0 detect routefilter,norfc1918
/etc/shorewall/custom/rfc1918
=======================================================
[root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/custom/rfc1918
172.31.60.0/24 RETURN
172.20.173.0/24 RETURN
172.16.127.0/24 RETURN
192.168.175.0/24 RETURN
192.168.25...
2005 May 16
1
Interface Broadcast
I've a problem on the broadcast it is adding some additional route to
the router which caused me some problem...
Below is my /etc/shorewall/interface
swtmng1 eth0.1 202.73.10.127 norfc1918
apmng1 eth0.10 202.73.8.7 norfc1918
dist1 eth0.1000 202.73.11.255 norfc1918,nobogons
idc1 eth2.50 202.73.10.255 norfc1918
net eth3 203.115.208.143 norfc1918,blacklist,nobogons
dmz eth4.4000 202.73.10.63 norfc1918
loc eth...
2004 Nov 29
2
norfc1918, routefilter and routestopped
...tions regarding some parameters from
the interfaces file.
1) Is rfc1918 not just a specific implementation of
routefilter ? The sample file in two-interface.tgz
uses them both, but they seem to at least overlap.
Since my internal network will be 192.168.1.0/24, will
routefilter add anything that norfc1918 doesn't
provide?
2) Given the two interface I'net/LAN firewall/gateway,
will routestopped do anything for me? If the firewall
is stopped, the local machines should still be able to
talk even without the routestopped in the
/etc/shorewall/interfaces file, no?
I just subscribed...
2009 Jun 18
9
Redirect port 80 away from Shorewall?
Hi There,
Due to a shortage of computers, I need to install Apache on my Shorewall box (192.168.1.1)
But the real web server is on another box (192.168.1.2)
I tried to put rule:
DNAT net loc:192.168.168.1 tcp 80
But every time a www connection comes in, it hits my shorewall
Any solution?
Cheer
2004 Dec 21
2
Defining "trusted" hosts/nets on a single interface system
...IN=eth0 OUT=
SRC=192.168.174.242 DST=192.168.174.244 LEN=48 TOS=0x00 PREC=0x00
TTL=128 ID=45825 DF PROTO=TCP SPT=1050 DPT=21 WINDOW=65535 RES=0x00 SYN
URGP=0
What is it that I am not understanding ??
A second related question: did I interpret correctly the fact that if I
want to reinstate the norfc1918 option on my eth0 network and still be
able to accept packets from my home LAN I need to list all the lines as
computed by the wonderful shorewall iprange in the
/etc/shorewall/norfc1918 file ?
Thank you very much
Bob
t40:/etc/shorewall# shorewall iprange 192.168.0.0-192.168.174.239
192.168.0....
2005 Jun 30
2
"Blanks" in the interface file
...dresses on multiple subnets then list the
# broadcast
# addresses as a comma-separated list.
But when I leave the column blank, starting shorewall ends with errors.
#ZONE INTERFACE BROADCAST OPTIONS
net vpnlink norfc1918,routefilter,dhcp,tcpflags
vpn eth0 lll.mmm.nnn.ooo norfc1918,routefilter,dhcp,tcpflags
/etc/init.d/shorewall restart
* Restarting firewall ...
iptables v1.2.11: host/network `norfc1918' not found
Try `iptables -h' or 'iptables --help' for more...
2005 Jun 26
12
Vpn Trouble
...blocks the vpns.
shorewall/hosts
#ZONE HOST(S) OPTIONS
loc eth1:192.168.25.0/24
loctw eth1:192.168.50.0/24
locsa eth1:192.168.75.0/24
vpntw ppp+:!192.168.50.0/24
vpnsa ppp+:!192.168.75.0/24
#vpn3 ppp+:!192.168.3.0/24
interfaces
net eth0 detect routefilter,norfc1918,tcpflags
- eth1 192.168.25.255,192.168.50.255,192.168.75.255
- ppp+
now if I comment out vpnsa in hosts and enter vpnsa in interfaces it works
(meaning the tunnel can talk :).
I can not figure out what the trouble is.
Thanks
Mike
2004 Dec 25
5
Thick head still having problems with subnets (?)
I have defined a Home zone and placed it before the Net zone. Defined a
host 192.168.174.242 as a trusted host. Now if I ping from 242 to my fw
it works just fine (also tweaked the norfc1918 file).
Thing I do not understand is why if I try pinging or FTPing from FW to
242 I hit the all2all reject rule !
I tried reading the rules and from the INPUT chain I see a eth0_in chain
which in turn refers to the home2fw chain accepting all protocols with
source 242 ...
What am I doing wron...
2007 Apr 22
1
shorewall Dom0 config using Xen's default setup -- correct?
...have come up
with the following config for dom0 xen with bridging. The aim is to
protect the Dom0 and the domUs from within dom0.
This is for a box where all virtual machines have public ips including
dom0 as it is in a data-center but can also be used for a server sitting
in a DMZ except for the norfc1918 option.
Thanks
zones
=====
fw firewall
xen ipv4
dmz ipv4
net ipv4
interfaces
===========
- xenbr0 -
net eth0 detect norfc1918
hosts
======
xen xenbr0:vif0.0
dmz xenbr0:vif+ routeback
net xenbr0:peth0
policy
=======
fw...
2005 Jan 03
1
vpn2fw before norfc1918 in ???_in
...appreciated.
Hi there. I am running 2.0.8 on a linux 2.6 kernel with ipsec (i.e. no
ipsec<n> interfaces).
Since ipsec traffic comes in on the same interface as "net" traffic, I
have been looking at the rules for "eth0_in" on my ipsec
gateway/firewall. I see that "norfc1918" is before "vpn2fw". Since it
is common to route rfc1918 addresses over vpn tunnels, would it not make
more sense to reverse the order of those two rules? That would
eliminate the need to alter the rfc1918 rules file.
Thots?
b.
2004 Dec 30
9
shorewall shutting down eth0
...Any DROP info None
Any Any REJECT info None
The interface settings are :
Interface Zone name Broadcast address Options
eth0 net Automatic dhcp,routefilter,norfc1918,tcpflags
eth1 loc Automatic tcpflags
After I save and reboot my eth0 is down.
I am not able to browse on my server.
Why ?
Thanks
Varun
2003 Jan 27
3
Another Bone Head question
Whilst configuring another shorewall firewall router
for another site, I must have made some totally newbie
error....
While directly on the cable modem, it works great.
But when placed on the LAN side of my existing
Shorewall box, the NEW Shorewall box could not ping,
or look up dns or anything else.
If I shutdown shorewall (clear) in the NEW box then
it could surf the net and ping etc. When
2004 Jul 25
3
Openvpn, bridge and shorewall
...envpn and firewall configuration.
openvpn.conf:
local <ip of ppp0>
port 8881
dev tap0
secret key.txt
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
comp-lzo
user nobody
group nobody
shorewall interface:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - norfc1918,routefilter,tcpflags
loc br0 detect tcpflags,dhcp
vpn tap+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
shorewall zones:
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
vpn VPN Remote subnet
#LA...
2008 Nov 07
2
Multiple Zones in the same interface
...more than one zone in my lan, for example my lan is
192.168.0.0/24 and I want to have one zone for servers, other for admin Pcs.
etc
here is my conf:
Interfaces:
--------------
#ZONE INTERFACE BROADCAST OPTIONS
- eth3 detect
net eth1 detect norfc1918
net eth0 detect norfc1918
net eth2 detect norfc1918
vpn tun0 detect
hosts:
---------
#ZONE HOST(S) OPTIONS
tec eth3:$TECNICA
p2p eth3:$MUSICA1,$MUSICA2
loc eth3:192.168.0.0/24
params:
-...
2003 Jun 29
3
Snapshot 20030629
...es:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the f...
2004 Oct 20
11
Shorewall, Freeswan and SuSE 9.1
...drake system with no trouble. But attempting to
access the SuSE 9.1 system from the Mandrake system caused a bunch of
rfc1918 errors on eth1. The traffic was showing up as coming FROM my
local 192.168.xxx.xxx subnet on the Mandrake side with a target of a
192.168.yyy.yyy on the SuSE side. I put the norfc1918 option in both the
interface definition for eth1 and in the hosts definition for the vpn
but this did not stop the rfc1918 rejections. I ended up having to add a
RETURN entry to a local copy of the rfc1918 file for the local subnet on
the SuSE side.
So my questions are (1) was there some other pla...