Displaying 12 results from an estimated 12 matches for "save_ipsets".
2005 May 06
0
Behavior of SAVE_IPSETS
After I've played with ipsets for several days, I'm beginning to become
disenchanted with the way the SAVE_IPSETS=Yes works.
I spent almost an hour configuring a bunch of ipsets to be just the way
that I wanted them only to wipe them out with a "shorewall restart" :-(
So, I think that I will change the implementation as follows:
a) The ipset contents will only be restored from /var/lib/shorewall i...
2005 May 15
1
Shorewall 2.3.1
This is the latest development release and may be found at:
http://shorewall.net/pub/shorewall/2.3/shorewall-2.3.1
ftp://shorewall.net/pub/shorewall/2.3/shorewall-2.3.1
This release changes the way that SAVE_IPSETS=Yes works to try to make
it harder to shoot yourself in the foot. Read the release notes carefully.
In addition, there are two problems corrected:
1) A typo in the 'tunnel' script has been corrected (thanks to Patrik
Varmecký).
2) Previously, if "shorewall save" wa...
2005 May 05
4
Shorewall 2.3.0
...Example 2: Allow SSH from all hosts in an ipset named "sshok":
/etc/shorewall/rules
#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     +sshok    fw      tcp      22
Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then:
A) "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command &...
2012 Jan 19
3
Problema link balance and internet bank
...main eth4 189.36.0.2
track,balance=10
#tcrules
2:T 172.16.11.33 0.0.0.0/0 tcp 80,443
2:P 172.16.11.33 0.0.0.0/0 tcp 80,443
2 $FW 0.0.0.0/0 tcp 80,443
#shorewall.conf
RESTORE_DEFAULT_ROUTE=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=No
WIDE_TC_MARKS=Yes
Thanks in advance
--
Fabiano Stocco
Sysadmin
Agro Industrial Parati Ltda - Averama
44-3672-8000
44-8444-6635
--------------------------...
2006 Aug 29
3
masq problem
...CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
-- Matej --
2009 Jun 27
1
Transparent Proxy Problem with Squid3 and Shorewall
...CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO...
2013 Jun 13
3
"Multiple Internet Connections" with four interfaces
Hi,
I was reading document http://shorewall.net/MultiISP.html#idp3634200.
Inspired by the document I was trying to establish the following changes:
* one additional interface: COMA_IF
* COM[A,B,C]_IF interfaces request IP address via DHCP
* all non-RFC 1918 destined traffic is NATed from INT_IF to COMA_IF
* all non-RFC 1918 destined traffic from GW is routed via COMB_IF by default
* non-RFC 1918
2010 Jun 17
4
shorewall 4.4.10 failing to start; won't recognize ipset "capability"
..._iphash 5756 1
ip_set 9944 20 ip_set_setlist,ipt_set,ipt_SET,ip_set_nethash,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash
----------------------------------------------------------------------
4. With "SAVE_IPSETS=Yes", Shorewall 4.4.10 even saves and restores my
ipsets (while simultaneously claiming the capability to be absent and
refusing to start if an ipset is present in the rules or blacklist):
----------------------------------------------------------------------
# ls -l /var/lib/shorewall
total 4...
2013 Sep 10
6
lsm configuration issues...
...LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISP...
2012 Sep 03
10
Shorewall 4.5.8 Beta 1
...and OUTPUT rules were generated from entries in
/etc/shorewall[6]/routestopped that specified the 'source'
option. Now only the INPUT rule is generated.
6) The 'iptables_raw' module has been added to the modules.essential
file.
7) Previously, when SAVE_IPSETS=No in shorewall[6].conf, using an
ipset name in the HOSTS column of /etc/shorewall[6]/routestopped
generated this error:
ERROR: An ipset name (+test) is not allowed in this context
The error is no longer generated and the correct rule matching the
ipset is generated.
8) S...
2012 Sep 03
10
Shorewall 4.5.8 Beta 1
...and OUTPUT rules were generated from entries in
/etc/shorewall[6]/routestopped that specified the 'source'
option. Now only the INPUT rule is generated.
6) The 'iptables_raw' module has been added to the modules.essential
file.
7) Previously, when SAVE_IPSETS=No in shorewall[6].conf, using an
ipset name in the HOSTS column of /etc/shorewall[6]/routestopped
generated this error:
ERROR: An ipset name (+test) is not allowed in this context
The error is no longer generated and the correct rule matching the
ipset is generated.
8) S...
2005 May 31
11
More Tests for 2.4.0-RC2 - strange behaviour
...AT=
+ LOGRULENUMBERS=
+ ADMINISABSENTMINDED=
+ BLACKLISTNEWONLY=
+ MODULE_SUFFIX=
+ ACTIONS=
+ USEDACTIONS=
+ SMURF_LOG_LEVEL=
+ DISABLE_IPV6=
+ BRIDGING=
+ DYNAMIC_ZONES=
+ PKTTYPE=
+ RETAIN_ALIASES=
+ DELAYBLACKLISTLOAD=
+ LOGTAGONLY=
+ LOGALLNEW=
+ DROPINVALID=
+ RFC1918_STRICT=
+ MACLIST_TTL=
+ SAVE_IPSETS=
+ RESTOREFILE=
+ RESTOREBASE=
+ TMP_DIR=
+ CROSSBEAM=
+ CROSSBEAM_BACKBONE=
+ ALL_INTERFACES=
+ ROUTEMARK_INTERFACES=
+ ROUTEMARK=256
+ PROVIDERS=
+ stopping=
+ have_mutex=
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add=
+ FUNCTIONS=/usr/share/shorewall/functions
+ '[' -f /usr/share...