search for: route_filter

...ule generated by the entry. It is now applied to all entries. 7. An incorrect comment concerning Debian''s use of the SYBSYSLOCK option has been removed from shorewall.conf. 8. Previously, neither the ''routefilter'' interface option nor the ROUTE_FILTER parameter were working properly. This has been corrected (thanks to Eric Bowles for his analysis and patch). The definition of the ROUTE_FILTER option has changed however. Previously, ROUTE_FILTER=Yes was documented as enabling route filtering on all interfaces (whic...

...lt;zone>_frwd" chain to have too few rules. That has been corrected (twice). 8) An incorrect comment concerning Debian''s use of the SYBSYSLOCK option has been removed from shorewall.conf. 9) Previously, neither the ''routefilter'' interface option nor the ROUTE_FILTER parameter were working properly. This has been corrected (thanks to Eric Bowles for his patch). The definition of the ROUTE_FILTER option has changed however. Previously, ROUTE_FILTER=Yes was documented as enabling route filtering on all interfaces (which didn''t work). Beginnin...

...be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where the new configuration starts but prevents access. 2. Kernel route filtering may now be enabled globally using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf. 3. Individual IP source addresses and/or subnets may now be excluded from masquerading/SNAT. 4. Simple "Yes/No" and "On/Off" values are now case-insensitive in /etc/shorewall/shorewall.conf. -Tom -- Tom Eastep \ Shorewall -...

...ntw 2 - main eth4 189.36.0.2 track,balance=10 #tcrules 2:T 172.16.11.33 0.0.0.0/0 tcp 80,443 2:P 172.16.11.33 0.0.0.0/0 tcp 80,443 2 $FW 0.0.0.0/0 tcp 80,443 #shorewall.conf RESTORE_DEFAULT_ROUTE=No ROUTE_FILTER=No SAVE_IPSETS=No TC_ENABLED=Internal TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes USE_DEFAULT_RT=No WIDE_TC_MARKS=Yes Thanks in advance -- *Fabiano Stocco** **Sysadmin* Agro Industrial Parati Ltda - Averama 44-3672-8000 44-8444-6635** -----------...

Has anybody on this managed to get ChilliSpot and Shorewall to work together? I have managed to get it to work with the supplied firewall script but if I wanted to do my firewall like that I would not be using Shorewall. At any rate, I am having all kinds of trouble translating the supplied rules to something that Shorewall would understand. If anybody has already done it I would love to see the

...usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + terminator=startup_error + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + LOGUNCLEAN= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + NAT_BEFORE_RULES= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/share/shorewall + FUNCTIONS= + VERSION...

...d not complete or connection refused... yes, I set 25 port for smtp in shorewall! Also, now WHM can`t get news from cPanel server! Also, now I can`t resolve IP addresses with PHP scripts, I can`t get who is host, only numbers.... POP3 work fine.... In shorewall.conf I have: IP_FORWARDING=Off ROUTE_FILTER=Yes In "/etc/shorewall/interfaces": net eth0 detect norfc1918,nobogons,blacklist,nosmurfs In "/etc/shorewall/rules": ACCEPT net fw icmp 8 ACCEPT net fw tcp 20 ACCEPT net fw tcp 21 ACCEPT net fw tcp 22 ACCEPT net fw tcp 25 ACCEPT net fw tcp 53 ACCEPT net fw udp 53 ACCEPT net fw...

Beta 1 is now availablew for testing. Problems Corrected: 1) Previously, the Shorewall and Shorewall6 install.sh scripts did two things wrong with respect to the /etc/shorewall[6]/routes file: - The existing file was unconditionally removed. - A skeleton file was not installed when SPARSE was not set in the shorewallrc file. Additionally, the installer would remove

Beta 1 is now availablew for testing. Problems Corrected: 1) Previously, the Shorewall and Shorewall6 install.sh scripts did two things wrong with respect to the /etc/shorewall[6]/routes file: - The existing file was unconditionally removed. - A skeleton file was not installed when SPARSE was not set in the shorewallrc file. Additionally, the installer would remove

...UNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMSS="Yes" ROUTE_FILTER="Yes" NAT_BEFORE_RULES="Yes" #[/etc/shorewall/start]----------------------------------------------- run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP #[/etc/shorewall/zones]----------------------------------------------- net Net Internet Blixer...

...h SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall/action:/etc/shorewall/custom:/etc/shorewall:/usr/share/shorewall FW=fw IP_FORWARDING=Off ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=No BLACKLISTNEWONLY=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP [root@hn00dmz01 root]# ip addr show 1: lo: <LOOPBACK,...

...UNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMSS="Yes" ROUTE_FILTER="Yes" NAT_BEFORE_RULES="Yes" #[/etc/shorewall/start]----------------------------------------------- run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP #[/etc/shorewall/zones]----------------------------------------------- net Net Internet Blixer...

...r/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= IPSECFILE=zones FW= IP_FORWARDING=Keep ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=Internal CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No BLACKLIST_DISPOSI...

...l/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes DROPINVALID=Yes RFC1918_STRICT=No MACLIST_TTL= BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT T...

...ocal/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=yes ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE START: ------...

...RSH_COMMAND=''ssh ${root}@${system} ${command}'' RCP_COMMAND=''scp ${files} ${root}@${system}:${destination}'' IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=Internal TC_EXPERT=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No IMPLICIT_CONTINUE...

Hi, I was reading document http://shorewall.net/MultiISP.html#idp3634200. Inspired by the document I was trying to establish the following changes: * one additional interface: COMA_IF * COM[A,B,C]_IF interfaces request IP address via DHCP * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default * non-RFC 1918

Hi Tom, After two weeks of nightmares I decided ask You (and anyone reading this mail). Context is as follows: I try to update system on my central router from kernel 2.6.29.6 and Shorewall 4.2.6 (old) to kernel 2.6.31.6 and Shorewall 4.4.4.2 (new). This is LiveCD image boot (Devil-Linux distribution compiled by me), so config is this same. I have established ten OpenVPN tunnels and two

...al/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=Keep ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=No ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP As you can see I have "info" set...

...Y_FASTSTART=Yes LOAD_HELPERS_ONLY=No MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MAPOLDACTIONS=No MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX=ko MULTICAST=No MUTEX_TIMEOUT=60 NULL_ROUTE_RFC1918=No OPTIMIZE=0 OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes RETAIN_ALIASES=No ROUTE_FILTER=No SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=No USE_DEFAULT_RT=No USE_PHYSICAL_NAMES=No ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SMURF_DISPOSITION=DROP SFILTER_DISPOSITION=DROP...