Displaying 15 results from an estimated 15 matches for "schermer".
2005 Feb 27
10
tcrules question
Hi,
I am confused about the tcrules syntax. When I try to shape a web server
running on fw with this line:
4 fw 0.0.0.0/0 tcp - 80
it works
but the "80" must be in CLIENT PORT, my logic says it should be in the
"PORT" column (doesn't work there)
am I missing something or are the columns labeled wrong?
thx
Jan
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall:
http://blog.andrew.net.au/tech
I see tons of brute force attempts on the machines I administer, and I like
the idea of limiting them without the need for extra daemons scanning for
attacks.
Thanks,
Dale
--
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin
2005 Jan 25
3
IPP2P broken?
Hi,
I tried shorewall 2.2.0-rc4 and 2.2.0-rc5 on 3 different machines (just to be sure it's not pebkac). The IPP2P support is broken, line like:
DROP loc net ipp2p
generates:
iptables -A loc2net -j DROP
that's _wrong_ :)
I have tried playing with debug to no avail, and I'm not that good at bashing...
just to be complete, the suggested status.txt from one of the
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
...e ssh_config
at the system level to disable ssh-rsa, and then overriding in my local
.ssh/config file. probably the only way I'll get this to work and still
technically follow Security team rules. Thanks for the information.
---
Regards,
Kevin Martin
On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:
> The crypto policies are system-wide to disallow any software (using system
> crypto) from using unsafe/weak/unwanted algorithm, which is exactly what
> you are trying to do.
>
> You'll need to allow that system-wide by default, unfortunately. Luck...
2005 Feb 23
13
Snort and Shorewall
Hello
I am looking for a way to have snort to dynamically update my shorewall config.
I have seen software out there but I would like to see if anyone had tried this
first.
Also I would like to know if there is a way clear the Netfilter tables when I do
a shorewall restart. The reason being is that when I make a change to my
firewall setting I want all connections to have to re-establish
2024 Sep 09
2
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithm, which is exactly what you are trying to do.
You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.
The correct solution is to throw whatever requires it to the
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Hi,
On Mon, Sep 09, 2024 at 05:41:42PM +0200, Jan Schermer wrote:
> The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.
As nice as this sounds, the selection of possible algorithms on the
(usually "internal network only") management interface is waaaaay low
on the priority list when shopp...
2018 Aug 14
3
Why still no PKCS#11 ECC key support in OpenSSH ?
PKCS#11 support for ECC should have been integrated years ago. Let's not complicate it now, just integrate the existing patches so that people stuck with EC keys at least can use them somehow...
Jan
Sent from my iPhone
> On 14 Aug 2018, at 17:04, Ben Lindstrom <mouring at offwriting.org> wrote:
>
> Wasn't there a proposal at one time to create something like
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
...nd then overriding in my local
> .ssh/config file. probably the only way I'll get this to work and still
> technically follow Security team rules. Thanks for the information.
>
> ---
>
>
> Regards,
>
> Kevin Martin
>
>
> On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:
>
>> The crypto policies are system-wide to disallow any software (using
>> system crypto) from using unsafe/weak/unwanted algorithm, which is exactly
>> what you are trying to do.
>>
>> You'll need to allow that system-wide by defa...
2005 Feb 22
6
selective redirect
Hi,
I am trying to redirect my subnet thru squid and it seems to be working.
However I decided to exclude two hosts from the redirect (ie access the
net directly) and can't manage to achieve that. I am using the following
rule:
REDIRECT loc:!192.168.13.48,!192.168.13.200 3128
tcp 80 -
With this rule everything gets redirected thru squid. I also tried:
2025 Jan 28
1
ControlPath and differing ssh options?
Hello,
Is there a way to use a different ControlPath depending on command line options, or should there be one?
To be specific, I don't enable ForwardAgent by default for security reasons but only explicitly (-A) when I need to, e.g., copy files between servers. This and other options don't play well with multiplexing because I usually already have few terminals open to the host.
The most
2025 Jan 28
1
ControlPath and differing ssh options?
If one wants to go this way, then I just discovered Tags
it should work like this (I haven't tested it and never used tags)
Match tagged FA
ForwardAgent yes
ControlPath ~/.ssh/controlmaster-%r@%h-%p-forwardagent
ControlMaster off
…
and then to have a session with forwarding:
ssh -P FA user@host
But I still think we should be able to setup ssh to just do the right thing if the
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
...is only used when
something isn't explicitly set in system wide crypto policies or the system
/etc/ssh/ssh_config.
---
Regards,
Kevin Martin
On Mon, Sep 9, 2024 at 12:14 PM Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Mon, Sep 09, 2024 at 05:41:42PM +0200, Jan Schermer wrote:
> > The correct solution is to throw whatever requires it to the garbage and
> never buy from that vendor again.
>
> As nice as this sounds, the selection of possible algorithms on the
> (usually "internal network only") management interface is waaaaay low
> on...
2005 Feb 18
2
Logging Cleanup and Firewall Speed?
version: 2.02f
redhat linux: latest version
Dear Shorewall,
I love your product and am a windows programmer. I got
into Linux just to run shorewall and protect my
network.
I have 2 questions and would really appreciate any
help you can offer.
#1) My firewall seems to limit traffic to 225 kb/s. Is
this normal (running an old AMD K2 chip and 2 100
nics). I should have 900 kb/s and have had my
2024 Jul 04
1
Apple's SSH x OpenSSH (brew) x CTK x Security Key types
Hi,
What I was trying to do (apart from toying with stuff) was to get a reliable, single, portable/importable credential that would be universally available whenever I need it but in normal operation would be either stored in or wrapped by Secure Enclave (this means EC keys), instead of provisioning 5 resident FIDO keys, one Secretive SE-wrapper key and a backup key. (I know, I could use