search for: run_ipt

[This email is either empty or too large to be displayed at this time]

...this file -- if you wish to change these rules, create # /etc/shorewall/common to replace it. It is suggested that you include # the command ". /etc/shorewall/common.def" in your # /etc/shorewall/common file so that you will continue to get the # advantage of new releases of this file. # run_iptables -A common -p icmp -j icmpdef ############################################################################ # Drop invalid state TCP packets # run_iptables -A common -m state -p tcp --state INVALID -j DROP ############################################################################ # NETBIOS cha...

Hi, I''ve attached a patch which fixes a logging problem with log_rule_limit in custom actions. E.g. this action: ,----[ Whitelist ] | if [ -n "$LEVEL" ]; then | run_iptables -N ${CHAIN}Add | log_rule_limit $LEVEL ${CHAIN}Add WhitelistAdd DROP "$LOG_LIMIT" $TAG | run_iptables -A ${CHAIN}Add -j DROP | run_iptables -N ${CHAIN}Del | log_rule_limit $LEVEL ${CHAIN}Del WhitelistDel DROP "$LOG_LIMIT" $TAG | run_iptables -A ${CHAIN}D...

Hello, I wonder if someone could use the TPROXY with Shorewall and transparent Squid  with using the routing rules on shorewall (tcrules) for hosts / networks (LAN) with multiples providers (WANs) directly from the internal network on port 80 (with TPROXY transparent squid or REDIRECT). On this issue, the routing rules is not work propertly because the source is the

Hello, First , thanks to Tom for it''s great job ! Netfilter is really easy and powerfull with shorewall. So, I have configured two firewalls whith shorewall using keepalived for the redundant VRRP stuff. FW-a is MASTER and FW-b is BACKUP. Everything works correctly and FW-b upgrade to MASTER when FW-a is down or disconnected. FW-b downgrade to BACKUP when FW-a comes back. But when I

...the http access does not redirect to squid but directly exit. what''s wrong? Thanks ------- Dario Lesca (d.lesca@ivrea.osra.it) -------------------------------------- @@@@@@@ this is my shorewall-1.2.13 config: #[/etc/shorewall/common.def]----------------------------------------------- run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p...

...rce port. And I think ipsecnat won''t work at all with gw zone defined? I''m not sure about that because I didn''t have time to test. --- firewall~ 2002-12-28 11:27:57.000000000 +0200 +++ firewall 2003-01-07 00:58:08.000000000 +0200 @@ -1344,6 +1344,7 @@ run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options fi for z in `separate_list $3`; do -- Tuomo Soini &lt...

...the http access does not redirect to squid but directly exit. what''s wrong? Thanks ------- Dario Lesca (d.lesca@ivrea.osra.it) -------------------------------------- @@@@@@@ this is my shorewall-1.2.13 config: #[/etc/shorewall/common.def]----------------------------------------------- run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p...

Hi! how can I mark ack packets with shorewall 2.x? (In 1.x I have done it with own rule in common file) TiA CU

The first Beta Version is available at: http://www.shorewall.net/pub/shorewall/Beta ftp://ftp.shorewall.net/pub/shorewall/Beta New features include: 1) "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart). 2) "shorewall debug [re]start" now turns off debugging after an error occurs. This places the point of the failure near the end of the

...STNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE START: ---------------------------------------------------------------------------- ------------------ run_iptables -I INPUT -i eth0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug run_iptables -I FORWARD -i eth0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug run_iptables -I FORWARD -o eth0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug run_iptables -I OUTPUT -o eth0 -j LOG --log-prefix BANDW...

Sorry to barge in on an old thread. I''m having the same trouble as the gent who started this thread. I''ve tried the options described and can''t seem to get the tunnel to pass packets through it. I''m using the Netscreen Remote VPN client (Safenet derivative) on a windows machine, trying to connect to a Netscreen 5xp at the other end. The connection fires

The search capability at http://www.shorewall.net has been improved. - The quick search on the main page no longer includes the mailing list archives. - The extended search page (http://www.shorewall.net/htdig/search.html) allows you to search: a) the entire site (including the archives); b) the site excluding the archivesj; or, c) just the archives. - The mailing list information page

Hello, I''ve been doing some tests on a firewall system running Shorewall 1.4, and have been getting some unexpected behavior when enabling the "newnotsyn" option. In the test setup, I have: ---------------------------------------- /etc/shorewall/interfaces net eth0 detect routefilter,tcpflags,blacklist loc eth1 10.0.0.255 dhcp,tcpflags,newnotsyn

While I''m in temporary retirement, I''ve decided spend a little time experimenting with new things and making some updates to the web site. The biggest result of this effort to date has been: http://shorewall.sf.net/Shorewall_Squid_Usage.html This outlines how to use Squid as a transparent proxy running on the firewall, in the DMZ or in the local network. In the latter two

This article describes how to implement "Port Knocking" in Shorewall. http://shorewall.net/PortKnocking.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Hi everyone! First of all: Big thanks to Tom for this great work!! Now on to my qestion: I am using Shorewall among other machines on an new server where we need some kind of accounting. The script we would like to use for this is iam (http://intevation.de/iam/). The docs say: Alternatively you can use your own iptables script and only add the ''dump'' option, which should

I have a few IP addresses attached to an interface without problems. I also have some chrooted environments attached to these IP addresses. Is there a way to make connections (telnet) from these environments look like they are coming from the aliased IP''s rather than the main IP address? Thanks for any help Kevin.

...ciate it very much. I think it would be useful to have an option to generate a script of the commands Shorewall is about to issue, instead of issuing the commands directly. This script could then be used for revision, modification, and could also be used on another system. I thought about modifying run_iptables, run_ip, run_arp and run_tc to obtain this feature, but I think an option to /sbin/shorewall would be a cleaner and useful solution. Do anybody think this would be useful too? Thank you Luigi

..._OUT:IN=eth0 OUT=eth1 SRC=204.2.145.29 DST=192.168.31.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=118 ID=2300 DF PROTO=TCP SPT=80 DPT=4697 WINDOW=32552 RES=0x00 ACK URGP=0 I think I have traced the "cause" of them to the file /etc/shorewall/start which contains the following four records; > run_iptables -I INPUT -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug > run_iptables -I FORWARD -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug > run_iptables -I FORWARD -o eth1 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug > run_iptables -I OUTPUT -o eth1 -j LOG --l...