search for: pkttype

https://bugzilla.netfilter.org/show_bug.cgi?id=1280 Bug ID: 1280 Summary: meta pkttype incompatible? with ingress Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter...

Hi Tom, Thank you for your quick reply. I aplied changes as you suppose, and now users can comunicate each with others. - thank you very much. I have just one aditional question regarding PKTTYPE=No variable. I didnt find it in shorewall.conf so I simply add it at the end of conf file (above #Last line :-) ) So question is it is standard feature of shorewall, and from which version it is available? >From your reply it seems that problem is somewere in iptables/netfilter. What do you su...

This will be my last 2.2 release. It contains a couple of small bug fixes that I had laying around. http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5 ftp://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5 1) Previously, if PKTTYPE=No in shorewall.conf then pkttype match would still be used if the kernel supported it. 2) A typo in the ''tunnel'' script has been corrected (Thanks to Patrik Varmecký). 3) A warning is now generated if an invalid short zone name is used in /etc/shorewall/zones. -Tom --...

https://bugzilla.netfilter.org/show_bug.cgi?id=1141 Bug ID: 1141 Summary: trace aborts using pkttype on ingress Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: major Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: netfilter a...

hello Tom >Another very likely cause is that Shorewall-shell is generating a pkttype >test to identify multicast packets. This can be unreliable and can be >avoided by setting PKTTYPE=No in shorewall.conf. After using PKTTYPE=No in shorewall.conf , my syslog is clean now. Do you mean that adding the following line in /etc/shorewall/interfaces is suffiscient? dmz...

...stable release would only contain bug fixes. I''m modifying that slightly to allow for small low-risk enhancements; large and/or risky enhancements will still be restricted to the development release. We have seen this change at work already in the 2.0.6 release where I implemented the PKTTYPE option in shorewall.conf; in the upcoming 2.0.7 release, additional information will be displayed by "shorewall status". -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

I have a firewall rule to drop packets from certain addresses: (email spam) my /etc/sysconfig/iptables begins as: # Generated by iptables-save v1.4.7 on Thu Jun 26 09:11:09 2014 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:148] -A INPUT -m pkttype --pkt-type multicast -j ACCEPT -A INPUT -s 223.255.229.0/24 -j DROP -A INPUT -s 218.96.0.0/24 -j DROP -A INPUT -s 216.227.128.0/24 -j DROP -A INPUT -s 216.156.135.0/24 -j DROP -A INPUT -s 213.251.189.0/24 -j DROP -A INPUT -s 213.239.219.0/24 -j DROP -A INPUT -s 213.205.32.0/24 -j DROP -A INPUT -s 2...

...o, I run Shorewall 2.0.3a backport on a debian woody box (with 2.4.18 homemade kernel). When I start shorewall I got the following errors. Oct 30 11:13:12 fwr modprobe: modprobe: Can''t locate module ipt_conntrack Oct 30 11:13:17 fwr modprobe: modprobe: Can''t locate module ipt_pkttype Oct 30 11:13:18 fwr modprobe: modprobe: Can''t locate module ipt_pkttype Oct 30 11:13:57 fwr last message repeated 2 times Oct 30 11:14:06 fwr root: Shorewall Restarted The "shorewall status" output seems complying with my rules set. Should I worry ? and is there any way to get r...

Hello Tom and others, At first I want to say THANK YOU, for neverending support and development Shorewall firewall. I just upgraded from 1.x version to 2.0.7. I have several networks defined on same interface. These are /30 networks, defined on ethernet interface where hw wifi access point is connected to. I used this configuration to be able to get accounting information about traffic between

...udp dpts:67:68 0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropInvalid (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0...

Hello !! I ve just install shorewall-common and shorewall-shell I can''t defined a network using the CIDR format for my DMZ in /etc/shorewall/hosts fast eth2:172.17.0.0/16 epac eth2:172.18.0.0/16 fsa eth2:172.19.0.0/16 bu eth2:172.20.0.0/16 recto eth2:172.21.0.0/16 dmz eth1:81.91.225.224/27 I receive this error: ERROR: Invalid zone definition for

Hi all, I''m using Fedora Core 2, kernel 2.6.5. I''ve installed shorewall 2.1.9 from rpm package. It seems that there is a builtin action called "dropBcast" drops all broadcast packages on my ethernet interfaces base on package type "pkttype=broadcast". For a particular reason, I need all traffics of broadcast packages are allowed to pass my ethernet interfaces. I''ve searched for days on shorewall''s FAQ,troubleshooting information, errata and mailing list archives as well, but couldn''t find the answer....

...* 0.0.0.0/0 0.0.0.0/0 81 6198 dmz2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 191K 39M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 480 15360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropNonSyn (2 references) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp f...

...* 0.0.0.0/0 0.0.0.0/0 81 6198 dmz2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 191K 39M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 480 15360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropNonSyn (2 references) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp f...

Hi everybody I have a Problem with Masquerading from my local net (loc) to my VPN (loc2). I can reach every Service from loc2 in loc, but I can''t get reach any service from loc in loc2. Has somebody an Idea where my mistake is ? Without shorewall, it was working. Thanks for helping Lars Technical Information : Shorewall 2.0.13 Suse 9.0 *177.177.77.X The first 3 Counts are changed

...icmp type 8 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropInvalid (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0...

...9; 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 20 6560 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropInvalid (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/...

Dear List! I use a shorewall 2.0.8 on a Debian sarge system. I use a DSL connection to the Internet (ppp0 - eth1 to the modem) and a bridge to the local lan. The bridged config i''ve made with bridge.html from the shorewall site. The Bridge is between local net and a openvpn tap device. This works. I ccan make tunnels, and a can make a lot of things through the firewall. I can get a list

...w IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=no TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=Yes CLAMPMSS=No ROUTE_FILTER=No DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP ------------------------------------------------------ Where is the mistake ? JN

...et type match option in iptables/ Netfilter failing to match certain broadcast packets. The result is that the firewall log shows a lot of broadcast packets. Other users have complained of the following message when starting Shorewall: modprobe: cant locate module ipt_pkttype Users experiencing either of these problems can use PKTTYPE=No in shorewall.conf to cause Shorewall to use IP address filtering of broadcasts rather than packet type. 2) The shorewall.conf and zones file are no longer given execute permission by the installer script. 3) ICMP pack...