search for: routefilt

Hi, Using shorewall for the first time (a woody .deb of version 1.2.12). After reading the docs, I still have a couple of questions regarding some parameters from the interfaces file. 1) Is rfc1918 not just a specific implementation of routefilter ? The sample file in two-interface.tgz uses them both, but they seem to at least overlap. Since my internal network will be 192.168.1.0/24, will routefilter add anything that norfc1918 doesn''t provide? 2) Given the two interface I''net/LAN firewall/gateway, will routestopped d...

...e. Today I uninstalled shorewall 2.0.8: rpm -e shorewall-2.0.8-1 I deleted the directory and all contents in this directory: /etc/shorewall Reinstalled shorewall: rpm -ivh shorewall-2.0.8-1.noarch.rpm Then setup a basic firewall with the following: /etc/shorewall/interfaces net eth0 detect routefilter,blacklist net eth1 detect routefilter,blacklist net eth2 detect routefilter,blacklist /etc/shorewall/policy fw net ACCEPT net all DROP info all all REJECT info /etc/shorewall/routestopped eth0 64.140.165.128/27 eth1 64.140.165.128/27 eth2 64.140.165.128/27 /etc/shorewall/rules A...

...o LAN & outside. 2. Failover between interfaces, so if one goes down the other one goes up. 3. Routing based on device model (VLAN10 gateway will be ppp0 and in a case of failover it will jump to ppp1 for example) post of my config files: interfaces: #NET net0 ppp0 detect tcpflags,dhcp,routefilter,nosmurfs net1 ppp1 detect tcpflags,dhcp,routefilter,nosmurfs net2 ppp2 detect tcpflags,dhcp,routefilter,nosmurfs net3 ppp3 detect tcpflags,dhcp,routefilter,nosmurfs #WAN wan0 eth0 detect tcpflags,routefilter,nosmurfs wan1 eth1 detect tcpflags,routefilter,nosmurfs wan2 eth2 detect tcpflags...

...k. FW (a) - w/ openVPN eth0 = 192.168.150.5/24 eth1 = 192.168.200.5/24 eth2 = public IP eth3 = 192.168.120.5/24 tun240 = 10.240.255.1 /etc/shorewall/zones all zones declared as ipv4 /etc/shorewall/interfaces #ZONE INTERFACE BROADCAST OPTIONS tlm eth0 detect routefilter,tcpflags,dhcp adm eth1 detect routefilter,tcpflags,dhcp net eth2 detect norfc1918,tcpflags,routefilter sis eth3 detect routefilter,tcpflags l240 tun240 - /etc/shorewall/tunnels #TYPE ZONE...

http://shorewall.net/pub/shorewall/Snapshots ftp://shorewall.net/pub/shorewall/Snapshots Problems Corrected since version 1.4.6: 1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being tested before it was set. 2) Corrected handling of MAC addresses in the SOURCE column of the tcrules file. Previously, these addresses resulted in an invalid iptables command.

...pppoe. The internet always comes on ppp0. I am trying to setup an L2TP/IPSEC VPN and i am reading http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP I notice in the example the interfaces file is given as: #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect routefilter loc eth1 192.168.1.255 l2tp ppp+ - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE My current interface as currently used on my firewall is below: #ZONE INTERFACE BROADCAST OPTIONS net ppp0 - dhcp,tcpflag...

...35 64.140.165.128/27 dev eth2 scope link 64.140.165.128/27 dev eth1 proto kernel scope link src 64.140.165.133 64.140.165.128/27 dev eth2 proto kernel scope link src 64.140.165.134 127.0.0.0/8 dev lo scope link default via 64.140.165.129 dev eth0 /etc/shorewall/interfaces net eth0 detect routefilter,blacklist net eth1 detect routefilter,blacklist net eth2 detect routefilter,blacklist /etc/shorewall/policy fw all ACCEPT net all DROP err all all REJECT err /etc/shorewall/routestopped eth0 64.140.165.128/27 eth1 64.140.165.128/27 eth2 64.140.165.128/27 /etc/shorewall/rules ACC...

...le shorewall blocks the vpns. shorewall/hosts #ZONE HOST(S) OPTIONS loc eth1:192.168.25.0/24 loctw eth1:192.168.50.0/24 locsa eth1:192.168.75.0/24 vpntw ppp+:!192.168.50.0/24 vpnsa ppp+:!192.168.75.0/24 #vpn3 ppp+:!192.168.3.0/24 interfaces net eth0 detect routefilter,norfc1918,tcpflags - eth1 192.168.25.255,192.168.50.255,192.168.75.255 - ppp+ now if I comment out vpnsa in hosts and enter vpnsa in interfaces it works (meaning the tunnel can talk :). I can not figure out what the trouble is. Thanks Mike

...asq entries. I''ve examined the default 2.0.10 files compared with our 1.4 files, and can''t spot the problem. What am I missing? Here''s the revelant info (I think): zones: net Net Internet sls sls SLS network interfaces: sls eth0 detect routefilter net eth1 detect routefilter,tcpflags shorewall.conf: ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No masq: eth1 10.2.200.0/24 - eth1 139.142.66.4/32 139.142.65.146 eth1 10.2.250.0/24 139.142.65.146 eth1 10.2.220.0/24 139.142.65.146 eth1 10.2.201.0/24 139.142.65.146 one of...

...bridge_ports lan0 #auto br-lan1 #iface br-lan1 inet static # address 10.0.1.254 # netmask 255.255.255.0 # network 10.0.1.0 # broadcast 10.0.1.255 # bridge_ports lan1 and my interfaces looks like this: wan wan0 detect dhcp,tcpflags,nosmurfs,routefilter users lan0 detect dhcp,tcpflags,routefilter games lan1 detect dhcp,tcpflags,routefilter and looked like this when not working: wan wan0 detect dhcp,tcpflags,nosmurfs,routefilter users br-lan0 detect dhcp,t...

...154:1570662154(0) win 5840 <mss 1460,sackOK,timestamp 150878578 0,nop,wscale 0> (DF) [tos 0x10] /etc/shorewall/interfaces ======================================================= [root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/interfaces net bond0 detect routefilter,norfc1918 /etc/shorewall/custom/rfc1918 ======================================================= [root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/custom/rfc1918 172.31.60.0/24 RETURN 172.20.173.0/24 RETURN 172.16.127.0/24 RETURN 192.168.175.0/24 RETUR...

...compatibly. Previously, the effective value was determined by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with the setting of net.ipv4.config.all.proxy_arp. Beginning with kernel 2.6.31, the value is the arithmetic MAX of those two values. Additionally, a ''loose'' routefiltering facility is now enabled by setting the effective value of proxy_arp to 2. Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if there are any interfaces specifying ''routefilter'', specifying ''routefilter'' on any interface has the effect of setting...

...o , The folllowing is the error problem: Validating interfaces file... ERROR: The ''norfc1918'' option may not be specified on an interface with an RFC 1918 address. Interface:eth2 The shorewall interface file: net eth2 detect tcpflags,routefilter,norfc1918,nosmurfs,logmartians P.S. I tried to remove norfc1918 from interface eth2 that can successfully startup shorewall. Thx --------------------------------- Yahoo! 網上安全攻略，教你如何防範黑客! 了解更多 ------------------------------------------------------------------------- This SF.net...

...t Any DROP info None Any Any REJECT info None The interface settings are : Interface Zone name Broadcast address Options eth0 net Automatic dhcp,routefilter,norfc1918,tcpflags eth1 loc Automatic tcpflags After I save and reboot my eth0 is down. I am not able to browse on my server. Why ? Thanks Varun

I''ve created a new document that discusses creating multiple zones accessed through a single firewall interface. See: http://shorewall.net/shorewall_quickstart_guide.htm Comments and corrections are welcome. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

...firewall configuration. openvpn.conf: local <ip of ppp0> port 8881 dev tap0 secret key.txt persist-key persist-tun ping-timer-rem ping-restart 60 ping 10 comp-lzo user nobody group nobody shorewall interface: #ZONE INTERFACE BROADCAST OPTIONS net ppp0 - norfc1918,routefilter,tcpflags loc br0 detect tcpflags,dhcp vpn tap+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE shorewall zones: #ZONE DISPLAY COMMENTS net Net Internet loc Local Local Networks vpn VPN Remote subnet #LAST LINE --...

...tables/netfilter capabilities: NAT: Available Packet Mangling: Available Multi-port Match: Available Connection Tracking Match: Available Determining Zones... Zones: net loc dmz Validating interfaces file... Warning: Invalid option (rfc1918) in record "net eth0 detect rfc1918,routefilter" Error: Invalid Interface Name: eth0:1 Terminated The status.txt file is attached. The output of /sbin/shorewall show log is: Shorewall-2.0.8 Log at ns2.substantis.com - The the error message from the trace file (attached) is: + validate_zone net + list_search net net loc dmz fw + lo...

...: a DSL provider with 15Mbits/1Mbits. We use isp2 as the default outgoing provider. The isp1 provider is used for "critical" services (SSH...) and for incoming connections (VPN...). Our interfaces file : ======================== isp1 eth0 detect logmartians,nosmurfs,routefilter=0,tcpflags isp2 eth1 detect logmartians,nosmurfs,routefilter,tcpflags ======================== Here is our providers file: ======================== #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY isp1 1 0x100 -...

...nels established and the net pptp tunnel to share with the machines in my localnet successfully. But Tunnel two to four i''m not able to do 1:1 nat. What could be a solution ? Kind regards, Felix. interfaces: loc eth0 detect tcpflags modem eth1 detect dhcp,tcpflags,routefilter,nosmurfs,arp_filter net ppp0 - tcpflags,routefilter,nosmurfs,arp_filter pptp2 ppp1 - tcpflags,routefilter,nosmurfs,arp_filter pptp3 ppp2 - tcpflags,routefilter,nosmurfs,arp_filter pptp4 ppp3 - tcpflags,routefilter,nosmurfs,arp_filter zones: modem I...

...TIONS > fw firewall > net ipv4 > tlm ipv4 > adm ipv4 > > # /etc/shorewall/interfaces > ############################################################################### > #ZONE INTERFACE BROADCAST OPTIONS > tlm $TLM detect > routefilter,tcpflags,dhcp,routeback > adm $ADM detect > routefilter,tcpflags,dhcp,routeback > net $EXT detect tcpflags,routefilter,blacklist,nosmurfs > > # /etc/shorewall/masq > ############################################################################### &g...