search for: ursa

For those of you running SuSE 9.1, I do not recommend upgrading to 9.2 at this time. Refer to http://shorewall.net/myfiles.htm for information on my configuration: a) On Ursa: 1) After the upgrade, both of the NICs were recognized as "configured" in YAST yet neither of them would start; ifup claimed that no configuration could be found for either interface. Only got them running again by deleting and re-adding them. 2) The MAC address of eth0 appeared to c...

Hi, it seems not to be possible to add more than one host at once to a zone. So shorewall add br0:eth0:192.168.2.10,eth0:192.168.2.11 work fails, since "br0:eth0:192.168.2.10,eth0" is interpreted as one interface. --snip -- iptables v1.2.9: interface name `eth0:192.168.2.10,eth0'' must be shorter than IFNAMSIZ (15) Try `iptables -h'' or ''iptables

Hi, as per the shorewall MultiISP documentation ( http://www1.shorewall.net/MultiISP.html ), it says "Use of this feature requires that your kernel and iptables include CONNMARK target and connmark match support (Warning: Standard Debian™ and Ubuntu™ kernels are lacking that support!)." it means MultiISP wont work properly if i am using Ubuntu server. if yes whats the

I think it would be nice to be able to rate limit an action, too.. suppose I have an action named Accept_good_source : ACCEPT - - tcp - 1024:65535 ACCEPT - - udp - 1024:65535 and that i want to use it in an action called AllowCVS, i can''t limit the cvs usage, but only the general use of Accept_good_source... same goes for userset... as each rule will give one iptables command, I

Group, I am reading about tc (traffic control) and willing to get my feet wet. As requirement, there should be HTB compiled in the kernel. I grabbed a Mandrake 8.2 distro, and didn''t installed the kernel source. Anyone knows if the HTB is compiled in Mandrake 8.2, or point a way to find that out? I tried to read the /usr/src/kernel.xxxxx/.config file, but it doesn''t exists.

Hi I am looking at converting a Linux terminal server box to iptables using Shorewall 2.0. (At the moment it uses ipchains). The server currently has scripts which are called as each user logs in which run a series of "ipchains" commands to set the access rights for that user (and again to cancel them when the user logs out). My plan is to replace these scripts with ones that call

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Over the past weekend, I added SPF screening on the MTA at shorewall.net. SPF is a mechanism for a domain to use DNS to publish a list of those IP addresses that are used to send legitimate email from that domain. A receiving MTA can use that published information to determine if email from a domain is being sent through an MTA belonging to that

>From a diff of my current shorewall firewall script with the new one from the CVS today : $ diff -w /usr/share/shorewall/firewall /usr/src/shorewall/s/firewall [...] 673c910 < for network in $networks; do --- > for networks in $networks; do I don''t think that "for networks in $networks" works well. -- -IAN! Ian! D. Allen Ottawa, Ontario,

Given that a 4-day silence on this list is almost unprecedented, thought I had better send a test post. Apologies for the spam. ------------------------------------------------------------------------------ Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB

Laurent Moix wrote: > Hi, > > I try to install shorewall 2.2 on suse 9.2. > > # rpm -ivh --nodeps /root/shorewall-2.2.1-1.noarch.rpm > Preparing... ########################################### [100%] > 1:shorewall ########################################### [100%] > shorewall: unknown service > shorewall: not a runlevel service > >

I''m re-reading the section on dns names in the shorewall docs: "I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won''t start as a result of DNS problems then don''t say that you were not forewarned." Having been stung by this a few times

I am forwarding this post to the Shorewall Users mailing list. The email address ''support@shorewall.net'' is reserved for sending large or confidential attachments to the Shorewall support team. See http://www.shorewall.net/support.htm -Tom -------- Original Message -------- Subject: Question Date: Mon, 20 Oct 2008 11:30:04 +0000 From: Raul <rfunez@polar.es> To:

...er route/gateway/nameserver configured (set to the fw IP). For example, when I try to ping 192.168.178.1 (one of the routers between fw and the evil net) from a loc machine and set up Shorewall to log everything this keeps popping up in /var/log/messages: Jan 28 23:05:27 nostromo kernel: Shorewall:ursa2all:ACCEPT:IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.144.41 DST=192.168.178.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59455 SEQ=1 Jan 28 23:05:27 nostromo kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled I don''t know...

Hi I have recently reconfigured my system to a Bridge based architecture on the basis that I have an ADSL Modem/Router with a Public address on the Wan side and a Private address on the Lan side. I am running a Debian based system kernel 2.6.7 and the Bridging software is installed and working correctly, including startup etc. The problem that I have is in "shorewall start" The

As suggested here: http://lists.shorewall.net/pipermail/shorewall-users/2004-October/015097.html I''ve run: adam@shrike:~$ /sbin/iptables -m policy --help iptables v1.2.11 Usage: iptables -[AD] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] --snip-- And: adam@shrike:~$ sudo

Hi all, I needed to have a kind of MAC support for rule servers as I do DNAT to hosts that are served by a DHCP server. So I did the following : When Shorewall script find a MAC address as a server, it tries to get his IP thru the arp table and then "resolve" the ARP address to the IP address of the client. Of course the main limitation of this is that you''ll have to

...************************************** fw firewall #Domain 0 xen ipv4 #Domain 0 on the bridge dmz ipv4 #other domains net ipv4 *************************************************** /etc/shorewall/hosts: *************************************************** ursa xen-br0:vif0.0 dmz xen-br0:vif+ net xen-br0:peth0 *************************************************** So, the problem is that I don''t have peth0 (maybe because i''m using network-route). In fact, If I try to contact dom0 or any domU, in the log I see: Shorewall:FORWARD...

...encrypt passwords = Yes hosts allow = All log file = /var/log/samba/log.%m usershare max shares = 100 log level = 9 interfaces = eth3 172.31.201.186 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 [uploaded_files] comment = URSA design and renders directory inherit acls = Yes path = /srv/www/htdocs/public/uploaded_files/ write list = wwwrun, peter, robb, mike force user = wwwrun force group = www create mask = 0666 directory mask = 0666 I know it's not much to g...

Hi all, please forgive me for such a newbie question, but I thought it would best to tap the wealth of experience here. I''m a new Rails guy but I''m evaluating frameworks for use in an intranet at a back whose internal systems are Oracle on linux. For now all my data will be on a dedicated box but down the road I may need to make calls into other databases hosted on other