I have a 3 nic setup with shorewall 1.4.8-1 running on redhat 9. My eth2 (dmz zone) has 7 secondary addresses attached to it. I can ping a machine in each subnet; dmz to net rules seem to be working fine on all machines. I have my policy set as dmz to dmz accept. If I try to ping between subnets I get

Nov 21 12:18:45 kbeewall kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.17.0.2 DST=172.16.0.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=36553 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7168

In http://lists.shorewall.net/pipermail/shorewall-users/2003-September/008978.html it says to add routeback as an option in interfaces, but I get the error

Validating interfaces file...
Warning: Invalid option (routeback) in record "dmz eth2 detect routeback"

Eventually I would like to change the policy to REJECT and write rules for subnet connections in the DMZ. How can I set shorewall to forward these packets?

Thanks for your time!

Steve
On Fri, 2003-11-21 at 12:50, Steve Postma wrote:
> I have a 3 nic setup with shorewall 1.4.8-1 running on redhat 9. My eth2
> (dmz zone) has 7 secondary addresses attached to it. I can ping a machine in
> each subnet; dmz to net rules seem to be working fine on all machines. I
> have my policy set as dmz to dmz accept. If I try to ping between subnets I
> get
>
> Nov 21 12:18:45 kbeewall kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2
> SRC=172.17.0.2 DST=172.16.0.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=36553
> PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7168
>
> In
> http://lists.shorewall.net/pipermail/shorewall-users/2003-September/008978.html
> it says to add routeback as an option in interfaces, but I get the error
> Validating interfaces file...
> Warning: Invalid option (routeback) in record "dmz eth2 detect routeback"
> Eventually I would like to change the policy to REJECT and write rules for
> subnet connections in the DMZ.

Did you use Windoze to edit the file?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
No, linux

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, November 21, 2003 4:25 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] FORWARD:REJECT

On Fri, 2003-11-21 at 12:50, Steve Postma wrote:
> I have a 3 nic setup with shorewall 1.4.8-1 running on redhat 9. My eth2
> (dmz zone) has 7 secondary addresses attached to it. I can ping a machine in
> each subnet; dmz to net rules seem to be working fine on all machines. I
> have my policy set as dmz to dmz accept. If I try to ping between subnets I
> get
>
> Nov 21 12:18:45 kbeewall kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2
> SRC=172.17.0.2 DST=172.16.0.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=36553
> PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7168
>
> In
> http://lists.shorewall.net/pipermail/shorewall-users/2003-September/008978.html
> it says to add routeback as an option in interfaces, but I get the error
> Validating interfaces file...
> Warning: Invalid option (routeback) in record "dmz eth2 detect routeback"
> Eventually I would like to change the policy to REJECT and write rules for
> subnet connections in the DMZ.

Did you use Windoze to edit the file?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 2003-11-21 at 13:29, Steve Postma wrote:
> No, linux

What does "grep routeback /usr/share/shorewall/firewall" show?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-11-21 at 13:34, Tom Eastep wrote:
> On Fri, 2003-11-21 at 13:29, Steve Postma wrote:
> > No, linux
>
> What does "grep routeback /usr/share/shorewall/firewall" show?

At any rate, 'routeback' is the correct option and works fine here (and apparently elsewhere since yours is the first report of this kind). If you can't determine what's wrong, then "shorewall debug check 2> /tmp/trace" and send me the trace as a text attachment.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Is it possible to prevent DDoS attacks with some rules?
from another site to your site or the other way ?

search for "integrating portsentry" in the documentation

On Mon, 2003-11-24 at 14:42, Salvatore wrote:
> Is it possible to prevent DDoS attacks with some rules?
On Mon, 2003-11-24 at 05:53, Holger Brückner wrote:
> from another site to your site or the other way ?
>
> search for "integrating portsentry" in the documentation
>

Note of course that there are no measures that you can take to *prevent* external DOS attacks; using portsentry is a way of dealing with these attacks when they do occur.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net