thr3ads.net - Shorewall devel - [Shorewall-devel] Plans for 2.4.0 [May 2005]

If this information is useful, please help other people find it:
Share via:

Paul Gear

2005-May-29 13:59 UTC

[Shorewall-devel] Plans for 2.4.0

Hi folks,

Has anyone tested the changes to multiple ISPs/load balancing or
routestopped in 2.4.0-RC1 yet?  We need to talk about what criteria we
will use for determining whether 2.4.0 is ready for release.

I''ve started configuring a firewall at work with the multiple ISPs
support, but its kernel doesn''t have connection marking support, so
it''s
going to be a couple of weeks before i can get the box upgraded to test
this.  I''ll be testing the changes to routestopped this week.

Any other feedback yet?

Jerry/Alexander: has there been any significant discussion about this
recently on shorewall-users?

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Microsoft Internet Explorer and Outlook have a poor track
record for security <http://www.kb.cert.org/vuls/id/713878>.  Why not
try one of the more secure alternatives from <http://mozilla.org>?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050530/a013ea8d/signature.bin

Alexander Wilms

2005-May-29 14:31 UTC

head link

[Shorewall-devel] Plans for 2.4.0

On Sunday 29 May 2005 22:59, Paul Gear wrote:> Hi folks,Hi Paul,
>
> Has anyone tested the changes to multiple ISPs/load balancing or
> routestopped in 2.4.0-RC1 yet?  .Tom and I tested the Multi-ISP support in a VMware testbed. Works very well 
after Tom fixed some parts of the routing code. Those changes are already in 
2.4.0-RC1.
IMHO I would call it as stable, but maybe we should ask Tom if considers it 
stable too.
>We need to talk about what criteria we will use for determining whether
2.4.0
> is ready for release
> I''ve started configuring a firewall at work with the multiple ISPs
> support, but its kernel doesn''t have connection marking support,
so it''s
> going to be a couple of weeks before i can get the box upgraded to test
> this.  I''ll be testing the changes to routestopped this week.Maybe tomorrow I will find the time to test it also.
>
> Any other feedback yet?
>
> Jerry/Alexander: has there been any significant discussion about this
> recently on shorewall-users?No, nothing about those features. Actually the list is very quiet.

Alex

Cristian Rodriguez

2005-May-29 14:50 UTC

head link

[Shorewall-devel] Plans for 2.4.0

2005/5/29, Paul Gear <paul@gear.dyndns.org>:> Hi folks,
> 
> Has anyone tested the changes to multiple ISPs/load balancing or
> routestopped in 2.4.0-RC1 yet? 
Actually a client of mine needs exactly that.
but saldy the second dsl line is down due the weather
conditions(storm) and (of course)
the negligence of the ISP.

I really don ''t know when the second line will be available to test it.
> We need to talk about what criteria we
> will use for determining whether 2.4.0 is ready for release.
I think Tom should decide it.
> I''ve started configuring a firewall at work with the multiple ISPs
> support, but its kernel doesn''t have connection marking support,
so it''s
> going to be a couple of weeks before i can get the box upgraded to test
> this.  I''ll be testing the changes to routestopped this week.
> 
> Any other feedback yet?
> 
> Jerry/Alexander: has there been any significant discussion about this
> recently on shorewall-users?
nope,none at this time.

Tom Eastep

2005-May-29 15:28 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Alexander Wilms wrote:
> IMHO I would call it as stable, but maybe we should ask Tom if considers it
> stable too.
I also think that it is stable but I would like to see it get a little more
testing before we release it. I''m going to release RC2 today or
tomorrow. I
got delayed today by a HD failure on my laptop; I''ve spent most of the
day
recovering from that.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Eduardo Ferreira

2005-May-30 05:59 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Tom Eastep wrote on 29/05/2005 19:28:09:
> Alexander Wilms wrote:
> 
> > IMHO I would call it as stable, but maybe we should ask Tom if 
considers it > > stable too.
> 
> I also think that it is stable but I would like to see it get a little 
more> testing before we release it. I''m going to release RC2 today or 
tomorrow. I> got delayed today by a HD failure on my laptop; I''ve spent most of
the
day> recovering from that.
> I think I could test it for final release.  what kind of tests would I 
need to do?  can someone coordinate me on them?  I''m very interested in
this two-ISP solution - I need to set this up in three sites I support.

I have two fixed IP lines both with 32-ip ranges.  I have two or three IPs 
availabe in each line.  I have a centos-based (red-hat enterprise clone) 
linux installed with three interfaces and am trying to understand the 
first little man page about cvs to bring the development version and 
install.

hope I can help somehow...

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Alexander Wilms

2005-May-30 06:19 UTC

head link

[Shorewall-devel] Plans for 2.4.0

On Monday 30 May 2005 14:59, Eduardo Ferreira wrote:>
> I think I could test it for final release.  what kind of tests would I
> need to do?Make it work in your environment ;-)
> can someone coordinate me on them?If you like, I can support your testing via ICQ or other IM. If you want my 
help, drop me a personal mail.
> I''m very interested in  
> this two-ISP solution - I need to set this up in three sites I support.
>
> I have two fixed IP lines both with 32-ip ranges.  I have two or three IPs
> availabe in each line.  I have a centos-based (red-hat enterprise clone)
> linux installed with three interfaces and am trying to understand the
> first little man page about cvs to bring the development version and
> install.You don''t need cvs, just download the 2.4.0-RC2 rpm, Multi-ISP support
is
included.


>
> hope I can help somehow...Yup, if you have 2 lines and are willingly to do this setup it is already a 
help.

Alex

Eduardo Ferreira

2005-May-30 12:16 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Alexander Wilms wrote on 30/05/2005 10:18:39:
> On Monday 30 May 2005 14:59, Eduardo Ferreira wrote:
> >
> You don''t need cvs, just download the 2.4.0-RC2 rpm, Multi-ISP
support
is > included.
ok, done.> 
> 
> 
> >
> > hope I can help somehow...
> Yup, if you have 2 lines and are willingly to do this setup it is 
already a > help.ok, first tests.  Looks like the output I would like to see in ip route/ip 
rule commands.  I worked with the most simple configuration.  My main 
files and shorewall status output follows.  In this first round, I used no 
fwmark. 

I Installed squid in this box and was able to use it as my proxy.  The 
biggest problem I had was with my bank, with binds the session by IP and I 
had an IP change during a session (fwmark would solve this, though). 

In the shorewall.conf file, the only parameter I changed was the 
STARTUP_DISABLED. 

I pasted the output of shorewall show capabilities and, if you can wait 
1-2 days and this kernel is lacking ipset, route and other patches. I 
could do the patches in my kernel and test more things (I''m not a
kernel
guru, though, and many times my kernel compiles but doesn''t load ;-(

cheers,

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606 


shorewall/zones file:
#ZONE                   DISPLAY         COMMENTS
loc                     local           Local zone
net                     internet        Internet zone
shorewall/interfaces file:
#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
#
loc      eth1           detect          dhcp
net      eth0           detect          norfc1918,nobogons
net      eth2           detect          norfc1918,nobogons
shorewall/policy file:
#SOURCE         DEST            POLICY          LOG LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
loc             fw              ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT
net             fw              DROP
all             all             REJECT
shorewall/masq file:
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) 
IPSEC
eth0                    eth1
eth2                    eth1
shorewall/providers file:
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS
att     1       1       att             eth0            200.173.215.94 
track,balance
intelig 2       2       intelig         eth2            200.157.40.129 
track,balance
shorewall status output:


shorewall show capabilities:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Available
   Connmark Match: Available

uname -a
Linux fwutaci.utaci.com.br 2.6.11-1.27_FC3 #1 Tue May 17 20:27:37 EDT 2005 
i686 i686 i386 GNU/Linux
-------------- next part --------------
Shorewall-2.4.0-RC2 Status at fwutaci.utaci.com.br - Mon May 30 15:58:58 BRT
2005

Counters reset Mon May 30 15:26:10 BRT 2005

Chain INPUT (policy DROP 18 packets, 2792 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 3540  608K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 3980 1062K eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1259  661K eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
 2788 1525K fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 2384  320K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  953  243K fw2net     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AllowICMPs (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 11

Chain AllowPing (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
   93 22128 RejectAuth  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   93 22128 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 AllowICMPs  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   17 14293 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16 14253 DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16 14253 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    9 11419 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  2834 DropDNSrep  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RejectAuth  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 AllowICMPs  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445

Chain all2all (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bogons (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:bogons:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
   76  7835 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9 11419 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:!0x16/0x02

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
    0     0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 nobogons   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   81  8821 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
   81  8821 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
   81  8821 nobogons   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
 3980 1062K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1879  224K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
    6  1998 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
 3534  606K loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
    0     0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 nobogons   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14 13403 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
   13 13363 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
   13 13363 nobogons   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
 1259  661K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2785 1525K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    3   208 AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   208 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3199  555K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
  138  8280 AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  138  8280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1661  383K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
 1873  222K AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1873  222K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination
 5144 1701K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   95 22224 AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:9322
   93 22128 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  2834 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 AllowPing  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nobogons (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 bogons     all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 bogons     all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 bogons     all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 bogons     all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 bogons     all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 bogons     all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 bogons     all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       74.0.0.0/7           0.0.0.0/0
    0     0 bogons     all  --  *      *       76.0.0.0/6           0.0.0.0/0
    0     0 bogons     all  --  *      *       89.0.0.0/8           0.0.0.0/0
    0     0 bogons     all  --  *      *       90.0.0.0/7           0.0.0.0/0
    0     0 bogons     all  --  *      *       92.0.0.0/6           0.0.0.0/0
    0     0 bogons     all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 bogons     all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       173.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       174.0.0.0/7          0.0.0.0/0
    0     0 bogons     all  --  *      *       176.0.0.0/5          0.0.0.0/0
    0     0 bogons     all  --  *      *       184.0.0.0/6          0.0.0.0/0
    0     0 bogons     all  --  *      *       189.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       190.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 bogons     all  --  *      *       223.0.0.0/8          0.0.0.0/0
    0     0 bogons     all  --  *      *       240.0.0.0/4          0.0.0.0/0

Chain norfc1918 (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctorigdst 172.16.0.0/12
    0     0 rfc1918    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctorigdst 192.168.0.0/16
    0     0 rfc1918    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctorigdst 10.0.0.0/8

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
PKTTYPE = multicast
    0     0 DROP       all  --  *      *       10.1.31.255          0.0.0.0/0
    0     0 DROP       all  --  *      *       200.173.215.95       0.0.0.0/0
    0     0 DROP       all  --  *      *       200.157.40.159       0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       10.1.31.255          0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       10.1.31.255          0.0.0.0/0
    0     0 LOG        all  --  *      *       200.173.215.95       0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       200.173.215.95       0.0.0.0/0
    0     0 LOG        all  --  *      *       200.157.40.159       0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       200.157.40.159       0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0


NAT Table

Chain PREROUTING (policy ACCEPT 1696 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 178 packets, 11488 bytes)
 pkts bytes target     prot opt in     out     source               destination
   65  3900 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   73  4380 eth2_masq  all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 178 packets, 11488 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.1.16.0/20         0.0.0.0/0

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.1.16.0/20         0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 10022 packets, 2482K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5006 1693K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
CONNMARK match !0x0 CONNMARK restore
  149 13666 routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0   
MARK match 0x0
   87 17875 routemark  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0   
MARK match 0x0

Chain INPUT (policy ACCEPT 9962 packets, 2480K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 routefwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6265 packets, 2116K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6125 2088K routeout   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6265 packets, 2116K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain routefwd (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
  149 13666 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0   
MARK set 0x1
   87 17875 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0   
MARK set 0x2
  236 31541 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match !0x0 CONNMARK save

Chain routeout (1 references)
 pkts bytes target     prot opt in     out     source               destination

udp      17 7 src=10.1.26.130 dst=10.1.31.255 sport=138 dport=138 packets=1
bytes=247 [UNREPLIED] src=10.1.31.255 dst=10.1.26.130 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1
tcp      6 431609 ESTABLISHED src=200.173.215.82 dst=200.212.135.228 sport=32851
dport=443 packets=27 bytes=2216 src=200.212.135.228 dst=200.173.215.82 sport=443
dport=32851 packets=43 bytes=20717 [ASSURED] mark=1 use=1
tcp      6 427651 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=6009 dport=40928
packets=180 bytes=10704 src=127.0.0.1 dst=127.0.0.1 sport=40928 dport=6009
packets=157 bytes=560004 [ASSURED] mark=0 use=1
udp      17 10 src=10.1.16.41 dst=10.1.31.255 sport=138 dport=138 packets=1
bytes=229 [UNREPLIED] src=10.1.31.255 dst=10.1.16.41 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1
udp      17 16 src=10.1.26.135 dst=10.1.31.255 sport=137 dport=137 packets=3
bytes=234 [UNREPLIED] src=10.1.31.255 dst=10.1.26.135 sport=137 dport=137
packets=0 bytes=0 mark=0 use=1
unknown  2 529 src=10.1.20.100 dst=224.0.0.1 packets=30 bytes=840 [UNREPLIED]
src=224.0.0.1 dst=10.1.20.100 packets=0 bytes=0 mark=0 use=1
udp      17 28 src=10.1.26.125 dst=10.1.31.255 sport=137 dport=137 packets=3
bytes=234 [UNREPLIED] src=10.1.31.255 dst=10.1.26.125 sport=137 dport=137
packets=0 bytes=0 mark=0 use=1
udp      17 18 src=10.1.26.85 dst=10.1.31.255 sport=137 dport=137 packets=3
bytes=234 [UNREPLIED] src=10.1.31.255 dst=10.1.26.85 sport=137 dport=137
packets=0 bytes=0 mark=0 use=1
udp      17 29 src=10.1.26.41 dst=10.1.31.255 sport=138 dport=138 packets=1
bytes=241 [UNREPLIED] src=10.1.31.255 dst=10.1.26.41 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1
tcp      6 431720 ESTABLISHED src=200.173.215.82 dst=200.212.135.228 sport=32892
dport=443 packets=17 bytes=2568 src=200.212.135.228 dst=200.173.215.82 sport=443
dport=32892 packets=16 bytes=5961 [ASSURED] mark=1 use=1
tcp      6 431609 ESTABLISHED src=10.1.20.1 dst=10.1.26.32 sport=1971 dport=3128
packets=26 bytes=2045 src=10.1.26.32 dst=10.1.20.1 sport=3128 dport=1971
packets=46 bytes=20356 [ASSURED] mark=0 use=1
tcp      6 431720 ESTABLISHED src=10.1.20.1 dst=10.1.26.32 sport=2015 dport=3128
packets=12 bytes=2369 src=10.1.26.32 dst=10.1.20.1 sport=3128 dport=2015
packets=18 bytes=5884 [ASSURED] mark=0 use=1
udp      17 6 src=10.1.26.52 dst=10.1.31.255 sport=138 dport=138 packets=1
bytes=261 [UNREPLIED] src=10.1.31.255 dst=10.1.26.52 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1
tcp      6 431998 ESTABLISHED src=200.173.215.90 dst=200.173.215.82 sport=1568
dport=9322 packets=1197 bytes=81037 src=200.173.215.82 dst=200.173.215.90
sport=9322 dport=1568 packets=1078 bytes=115355 [ASSURED] mark=1 use=1
udp      17 17 src=10.1.26.68 dst=10.1.31.255 sport=138 dport=138 packets=1
bytes=240 [UNREPLIED] src=10.1.31.255 dst=10.1.26.68 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:94:95:ba brd ff:ff:ff:ff:ff:ff
    inet 200.173.215.82/27 brd 200.173.215.95 scope global eth0
    inet6 fe80::210:4bff:fe94:95ba/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:c5:3b:66 brd ff:ff:ff:ff:ff:ff
    inet 10.1.26.32/20 brd 10.1.31.255 scope global eth1
    inet6 fe80::210:4bff:fec5:3b66/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:94:95:8f brd ff:ff:ff:ff:ff:ff
    inet 200.157.40.131/27 brd 200.157.40.159 scope global eth2
    inet6 fe80::210:4bff:fe94:958f/64 scope link 
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    2709720    2142     0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    2709720    2142     0       0       0       0      
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:94:95:ba brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    2424998    8023     0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    367392     2534     0       0       0       1      
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:c5:3b:66 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    3616521    36789    0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    1601339    2971     0       0       0       0      
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:94:95:8f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    703678     1379     0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    260975     992      0       0       0       2      
5: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      

/proc

   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 1
   /proc/sys/net/ipv4/conf/default/log_martians = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth0/log_martians = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth1/log_martians = 0
   /proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth2/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth2/log_martians = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 1
   /proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:	from all lookup local 
32748:	from 200.157.40.131 lookup intelig 
32749:	from all fwmark 0x2 lookup intelig 
32750:	from 200.173.215.82 lookup att 
32751:	from all fwmark 0x1 lookup att 
32766:	from all lookup main 
32767:	from all lookup default 

Table local:

broadcast 10.1.31.255 dev eth1  proto kernel  scope link  src 10.1.26.32 
local 10.1.26.32 dev eth1  proto kernel  scope host  src 10.1.26.32 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 10.1.16.0 dev eth1  proto kernel  scope link  src 10.1.26.32 
broadcast 200.157.40.159 dev eth2  proto kernel  scope link  src 200.157.40.131 
broadcast 200.173.215.95 dev eth0  proto kernel  scope link  src 200.173.215.82 
local 200.157.40.131 dev eth2  proto kernel  scope host  src 200.157.40.131 
broadcast 200.173.215.64 dev eth0  proto kernel  scope link  src 200.173.215.82 
broadcast 200.157.40.128 dev eth2  proto kernel  scope link  src 200.157.40.131 
local 200.173.215.82 dev eth0  proto kernel  scope host  src 200.173.215.82 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Table intelig:

default via 200.157.40.129 dev eth2 

Table intelig:

default via 200.157.40.129 dev eth2 

Table att:

default via 200.173.215.94 dev eth0 

Table att:

default via 200.173.215.94 dev eth0 

Table main:

200.173.215.64/27 dev eth0  proto kernel  scope link  src 200.173.215.82 
200.157.40.128/27 dev eth2  proto kernel  scope link  src 200.157.40.131 
10.1.16.0/20 dev eth1  proto kernel  scope link  src 10.1.26.32 
default 
	nexthop via 200.173.215.94  dev eth0 weight 1
	nexthop via 200.157.40.129  dev eth2 weight 1

Table default:


ARP

? (200.173.215.90) at 00:10:5A:17:4C:30 [ether] on eth0
? (10.1.20.1) at 00:0F:1F:AD:E4:36 [ether] on eth1
? (200.173.215.94) at 00:D0:BA:E0:2E:89 [ether] on eth0

Modules

ipt_MASQUERADE          3265  2 
ipt_MARK                2369  2 
ipt_mark                1601  3 
ipt_CONNMARK            2113  2 
ipt_connmark            1729  1 
ipt_owner               5313  0 
ipt_recent             15181  0 
ipt_iprange             1729  0 
ipt_physdev             2129  0 
ipt_multiport           2497  0 
ipt_REJECT              7105  4 
ipt_conntrack           2497  3 
ipt_pkttype             1601  4 
ipt_LOG                 7489  7 
ipt_state               1857  22 
ip_nat_irc              2369  0 
ip_nat_tftp             1985  0 
ip_nat_ftp              3009  0 
ip_conntrack_irc       72401  1 ip_nat_irc
ip_conntrack_tftp       4177  1 ip_nat_tftp
ip_conntrack_ftp       73169  1 ip_nat_ftp
ip_conntrack           40601  10
ipt_MASQUERADE,ipt_conntrack,ipt_state,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp
ip_tables              19777  18
ipt_MASQUERADE,ipt_MARK,ipt_mark,ipt_CONNMARK,ipt_connmark,ipt_owner,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_REJECT,ipt_conntrack,ipt_pkttype,ipt_LOG,ipt_state,iptable_mangle,iptable_nat,iptable_filter

Cristian Rodriguez

2005-May-30 12:27 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

2005/5/30, Eduardo Ferreira <duda@icatu.com.br>:
> shorewall/policy file:
> #SOURCE         DEST            POLICY          LOG LIMIT:BURST
> #                                               LEVEL
> loc             net             ACCEPT
> loc             fw              ACCEPT
> fw              loc             ACCEPT
> fw              net             ACCEPT
> net             fw              DROP
> all             all             REJECT
net              net             DROP
at the beggining of the file.

Eduardo Ferreira

2005-May-30 12:31 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Cristian Rodriguez wrote on 30/05/2005 16:27:50:
> 2005/5/30, Eduardo Ferreira <duda@icatu.com.br>:
> 
> > shorewall/policy file:
> > #SOURCE         DEST            POLICY          LOG LIMIT:BURST
> > #                                               LEVEL
> > loc             net             ACCEPT
> > loc             fw              ACCEPT
> > fw              loc             ACCEPT
> > fw              net             ACCEPT
> > net             fw              DROP
> > all             all             REJECT
> 
> net              net             DROP
> at the beggining of the file.I''ll do it, but why?

cheers,


________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Tom Eastep

2005-May-30 12:40 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Eduardo Ferreira wrote:
> shorewall/providers file:
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS
> att     1       1       att             eth0            200.173.215.94 
> track,balance
> intelig 2       2       intelig         eth2            200.157.40.129 
> track,balance
If you start marking traffic, I think you''ll be happier with
''main'' in the
DUPLICATE column.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2005-May-30 12:42 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Eduardo Ferreira wrote:> Cristian Rodriguez wrote on 30/05/2005 16:27:50:
> 
>>2005/5/30, Eduardo Ferreira <duda@icatu.com.br>:
>>
>>>shorewall/policy file:
>>>#SOURCE         DEST            POLICY          LOG LIMIT:BURST
>>>#                                               LEVEL
>>>loc             net             ACCEPT
>>>loc             fw              ACCEPT
>>>fw              loc             ACCEPT
>>>fw              net             ACCEPT
>>>net             fw              DROP
>>>all             all             REJECT
>>net              net             DROP
>>at the beggining of the file.
> I''ll do it, but why?
ISPs usually don''t like their private networks being joined by customer
routers.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2005-May-30 12:43 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Eduardo Ferreira wrote:
> 
> I Installed squid in this box and was able to use it as my proxy.  The 
> biggest problem I had was with my bank, with binds the session by IP and I 
> had an IP change during a session (fwmark would solve this, though). 
Your bank''s application must open multiple connections from the client
to
the server, correct?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Eduardo Ferreira

2005-May-30 12:45 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Tom Eastep wrote on 30/05/2005 16:41:59:
> Eduardo Ferreira wrote:
> > Cristian Rodriguez wrote on 30/05/2005 16:27:50:
> > 
> >>2005/5/30, Eduardo Ferreira <duda@icatu.com.br>:
> >>
> >>>shorewall/policy file:
> >>>#SOURCE         DEST            POLICY          LOG LIMIT:BURST
> >>>#                                               LEVEL
> >>>loc             net             ACCEPT
> >>>loc             fw              ACCEPT
> >>>fw              loc             ACCEPT
> >>>fw              net             ACCEPT
> >>>net             fw              DROP
> >>>all             all             REJECT
> >>net              net             DROP
> >>at the beggining of the file.
> > I''ll do it, but why?
> 
> ISPs usually don''t like their private networks being joined by
customer
routers.> makes sense... ;-)

Eduardo Ferreira

2005-May-30 12:59 UTC

head link

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

Tom Eastep wrote on 30/05/2005 16:42:59:
> Eduardo Ferreira wrote:
> 
> > 
> > I Installed squid in this box and was able to use it as my proxy.  The
> > biggest problem I had was with my bank, with binds the session by IP 
and I > > had an IP change during a session (fwmark would solve this, though). 
> 
> Your bank''s application must open multiple connections from the
client
to> the server, correct?
> looks like.  here is the squid access.log from the start of a session to 
the moment I got the wrong-ip error:
[... snip ...]
1117482998.474   1106 10.1.20.1 TCP_MISS/200 44018 GET 
http://www.bradesco.com.br/br/home/home.shtm - DIRECT/200.155.100.225 
text/html
1117482998.521    456 10.1.20.1 TCP_MISS/304 176 GET 
http://www.bradesco.com.br/inc/TVPF_NOVA/textos.txt - 
DIRECT/200.155.100.225 -
1117482998.577    384 10.1.20.1 TCP_MISS/304 176 GET 
http://www.bradesco.com.br/img/selo_pagtoboleto.gif - 
DIRECT/200.155.100.225 -
1117483003.893   1263 10.1.20.1 TCP_MISS/200 42804 CONNECT 
wwwss.bradesco.com.br:443 - DIRECT/200.212.135.228 -
1117483022.613   1513 10.1.20.1 TCP_MISS/200 38425 CONNECT 
wwwss.bradesco.com.br:443 - DIRECT/200.212.135.228 -
1117483023.093  10121 10.1.20.1 TCP_MISS/200 16400 CONNECT 
wwwss.bradesco.com.br:443 - DIRECT/200.212.135.228 -
1117483023.093  10119 10.1.20.1 TCP_MISS/200 801 CONNECT 
wwwss.bradesco.com.br:443 - DIRECT/200.212.135.228 -


________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Paul Gear

2005-May-30 13:50 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Tom Eastep wrote:> Alexander Wilms wrote:
> 
> 
>>IMHO I would call it as stable, but maybe we should ask Tom if considers
it
>>stable too.
> 
> 
> I also think that it is stable but I would like to see it get a little more
> testing before we release it. I''m going to release RC2 today or
tomorrow.
Is it worth delaying 2.4 a bit to include Tom''s proposed dynamic
zone->ipset rewrite?  It seems to me that is a reasonably significant
change that people would not want introduced in the middle of a stable
version.

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Using Microsoft Internet Explorer can make your computer
less secure.  Find out more at <http://browsehappy.com>.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050531/3f20d93a/signature.bin

Tom Eastep

2005-May-30 13:54 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Paul Gear wrote:> Tom Eastep wrote:
>>Alexander Wilms wrote:
>>
>>
>>>IMHO I would call it as stable, but maybe we should ask Tom if
considers it
>>>stable too.
>>
>>I also think that it is stable but I would like to see it get a little
more
>>testing before we release it. I''m going to release RC2 today or
tomorrow.
> 
> Is it worth delaying 2.4 a bit to include Tom''s proposed dynamic
> zone->ipset rewrite?  It seems to me that is a reasonably significant
> change that people would not want introduced in the middle of a stable
> version.
>
It''s already there, Paul -- it just hasn''t been documented or
tested.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2005-May-30 14:14 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Tom Eastep wrote:> Paul Gear wrote:
>>Is it worth delaying 2.4 a bit to include Tom''s proposed
dynamic
>>zone->ipset rewrite?  It seems to me that is a reasonably significant
>>change that people would not want introduced in the middle of a stable
>>version.
> 
> It''s already there, Paul -- it just hasn''t been
documented or tested.
> 
And I wouldn''t think that we would want to remove the old dynamic zone
code
since ipsets require a kernel and iptables patch.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2005-May-30 16:38 UTC

head link

[Shorewall-devel] Plans for 2.4.0

Tom Eastep wrote:> Paul Gear wrote:
>>Tom Eastep wrote:
>>>Alexander Wilms wrote:
>>>
>>>
>>>>IMHO I would call it as stable, but maybe we should ask Tom if
considers it
>>>>stable too.
>>>I also think that it is stable but I would like to see it get a
little more
>>>testing before we release it. I''m going to release RC2
today or tomorrow.
>>Is it worth delaying 2.4 a bit to include Tom''s proposed
dynamic
>>zone->ipset rewrite?  It seems to me that is a reasonably significant
>>change that people would not want introduced in the middle of a stable
>>version.
>>
> 
> It''s already there, Paul -- it just hasn''t been
documented or tested.
Let me clarify -- I have confirmed that Shorewall starts ok with a zone
defined in the way that I suggested in my earlier post and the generated
rules look correct. I just haven''t confirmed that the end result is
correct
(not much that could go wrong though).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Apparently Analagous Threads

Search for more reasonably related threads

Shorewall devel - May 2005 - Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Tests for multi-ISP 2.4.0-RC2

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

[Shorewall-devel] Plans for 2.4.0

Apparently Analagous Threads