i am doing a clean install on fedora core 2 using the shorewall rpm and the Shorewall Setup Guide for multiple IP's using a stock configuration except for AllowDNS and AllowWeb on the firewall (so i can post this message). my shorewall status file is attached.

my setup:

    69.17.65.105 = firewall
    69.17.65.22  = dmz server 1
    69.17.65.161 = dmz server 2

my local network is 192.168.0.0/24.

using IP address (no name resolution) i am unable to browse the servers in the DMZ from the LOC network.

my files are:

/policy

    #SOURCE  DEST  POLICY  LOG   LIMIT:BURST
    #
    loc      net   ACCEPT
    net      all   DROP    info
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    all      all   REJECT  info

/masq

    #INTERFACE  SUBNET          ADDRESS       PROTO  PORT(S)
    eth0        192.168.0.0/24  69.17.65.105

/rules

    #ACTION  SOURCE           DEST             PROTO  DEST     SOURCE  ORIGINAL  RATE  USER/
    #                                                 PORT(S)
    ACCEPT   net              dmz              icmp   echo-request
    ACCEPT   net              loc              icmp   echo-request
    ACCEPT   dmz              loc              icmp   echo-request
    ACCEPT   loc              dmz              icmp   echo-request
    #server 1
    ACCEPT   net              dmz:69.17.65.22  tcp    smtp      #Mail from Internet
    ACCEPT   net              dmz:69.17.65.22  tcp    imap      #imap from Internet
    ACCEPT   loc              dmz:69.17.65.22  tcp    smtp      #Mail from local Network
    ACCEPT   loc              dmz:69.17.65.22  tcp    imap      #Pop3 from local Network
    ACCEPT   fw               dmz:69.17.65.22  tcp    smtp      #Mail from the Firewall
    ACCEPT   dmz:69.17.65.22  net              tcp    smtp      #Mail to the Internet
    ACCEPT   net              dmz:69.17.65.22  tcp    http      #WWW from Internet
    ACCEPT   net              dmz:69.17.65.22  tcp    https     #Secure WWW from Internet
    ACCEPT   loc              dmz:69.17.65.22  tcp    https     #Secure WWW from local Network
    ACCEPT   net              dmz:69.17.65.22  udp    domain    #UDP DNS from Internet
    ACCEPT   net              dmz:69.17.65.22  tcp    domain    #TCP DNS from Internet
    ACCEPT   loc              dmz:69.17.65.22  udp    domain    #UDP DNS from Local Network
    ACCEPT   loc              dmz:69.17.65.22  tcp    domain    #TCP DNS from Local Network
    ACCEPT   fw               dmz:69.17.65.22  udp    domain    #UDP DNS from the Firewall
    ACCEPT   fw               dmz:69.17.65.22  tcp    domain    #TCP DNS from the Firewall
    ACCEPT   dmz:69.17.65.22  net              udp    domain    #UDP DNS to the Internet
    ACCEPT   dmz:69.17.65.22  net              tcp    domain    #TCP DNS to the Internet
    #server 2
    ACCEPT   net               dmz:69.17.65.161  tcp  smtp      #Mail from Internet
    ACCEPT   net               dmz:69.17.65.161  tcp  imap      #imap from Internet
    ACCEPT   loc               dmz:69.17.65.161  tcp  smtp      #Mail from local Network
    ACCEPT   loc               dmz:69.17.65.161  tcp  imap      #Pop3 from local Network
    ACCEPT   fw                dmz:69.17.65.161  tcp  smtp      #Mail from the Firewall
    ACCEPT   dmz:69.17.65.161  net               tcp  smtp      #Mail to the Internet
    ACCEPT   net               dmz:69.17.65.161  tcp  http      #WWW from Internet
    ACCEPT   net               dmz:69.17.65.161  tcp  https     #Secure WWW from Internet
    ACCEPT   loc               dmz:69.17.65.161  tcp  https     #Secure WWW from local Network
    ACCEPT   net               dmz:69.17.65.161  udp  domain    #UDP DNS from Internet
    ACCEPT   net               dmz:69.17.65.161  tcp  domain    #TCP DNS from Internet
    ACCEPT   loc               dmz:69.17.65.161  udp  domain    #UDP DNS from Local Network
    ACCEPT   loc               dmz:69.17.65.161  tcp  domain    #TCP DNS from Local Network
    ACCEPT   fw                dmz:69.17.65.161  udp  domain    #UDP DNS from the Firewall
    ACCEPT   fw                dmz:69.17.65.161  tcp  domain    #TCP DNS from the Firewall
    ACCEPT   dmz:69.17.65.161  net               udp  domain    #UDP DNS to the Internet
    ACCEPT   dmz:69.17.65.161  net               tcp  domain    #TCP DNS to the Internet
    #
    # Firewall
    AllowWeb  fw   net
    AllowDNS  fw   net
    ACCEPT    loc  dmz  tcp  ssh   #SSH to the DMZ
    ACCEPT    net  fw   tcp  ssh   #SSH to the Firewall
rioguia@speakeasy.net wrote:

> using IP address (no name resolution) i am
> unable to browse the servers in the DMZ
> from the LOC network.

You have no rule allowing tcp 80 from the loc zone to the dmz zone! (hint: "shorewall show loc2dmz").

If I might make a suggestion.

You have two servers in your DMZ which appear to both offer the same services and which require the same access to other zones. So, why clutter up your rules with separate rules for each server?

I suggest that you start something like this:

    #
    # Ping
    #
    ACCEPT  all  all  icmp  echo-request
    #
    # Net to DMZ
    #
    ACCEPT  net  dmz  tcp  smtp,http,https,imap,domain
    ACCEPT  net  dmz  udp  domain
    #
    # Loc to DMZ
    #
    ACCEPT  loc  dmz  tcp  smtp,http,https,imap,domain,ssh
    ACCEPT  loc  dmz  udp  domain
    ...

The above also has the advantage that it is more efficient -- it takes advantage of the Netfilter multiport match feature which allows a single Netfilter rule to match up to 15 ports.

Once you have that working, you can then nail it down tighter:

    ...
    #
    # Net to DMZ
    #
    ACCEPT  net  dmz:$SERVERS  tcp  smtp,http,https,imap,domain
    ACCEPT  net  dmz:$SERVERS  udp  domain
    ...

$SERVERS is defined in /etc/shorewall/params:

    SERVERS=69.17.65.161,69.17.65.22

This way, when you have a problem you are able to immediately see what connections are allowed -- with your rules file, it is very difficult (as you are finding out). And if you add another server, it's a one-line change to /etc/shorewall/params.

    SERVERS=69.17.65.161,69.17.65.22,69.17.65.223

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
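The "shorewall show loc2dmz" hint and the consolidated rules above come down to one question: for a given source zone, destination zone, protocol and port, which line decides? The Python below is an added example, not Shorewall's own code or anything posted in the thread: a small reader for the rules, params and policy formats used here (with $VARS expansion and comma-separated multiport lists), run over constructed copies of the "before" and "after" rules. The service-name table and the first-matching-rule-then-first-matching-policy ordering are assumptions.

```python
import re

# Service names used in the thread's rules, mapped to port numbers (constructed
# table; real Shorewall resolves names through /etc/services).
SERVICES = {"smtp": "25", "domain": "53", "http": "80", "https": "443",
            "imap": "143", "ssh": "22"}
# Constructed from the thread: the first rules file had no loc->dmz http rule,
# the consolidated one uses multiport lists and the $SERVERS param.
PARAMS = "SERVERS=69.17.65.161,69.17.65.22\n"
POLICY = "loc net ACCEPT\nnet all DROP info\nall all REJECT info\n"
RULES_BEFORE = """ACCEPT net dmz:69.17.65.22 tcp http   #WWW from Internet
ACCEPT loc dmz:69.17.65.22 tcp https  #Secure WWW from local Network
"""
RULES_AFTER = """ACCEPT all all icmp echo-request
ACCEPT net dmz:$SERVERS tcp smtp,http,https,imap,domain
ACCEPT net dmz:$SERVERS udp domain
ACCEPT loc dmz:$SERVERS tcp smtp,http,https,imap,domain,ssh
ACCEPT loc dmz:$SERVERS udp domain
"""

def strip(line):
    return line.split("#", 1)[0].strip()

def parse_params(text):
    """KEY=value lines, as in /etc/shorewall/params."""
    return dict(strip(l).split("=", 1) for l in text.splitlines() if "=" in strip(l))

def parse_rules(text, params):
    """(lineno, action, source, dest, proto, [ports]) with $VARS expanded."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = [re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), t)
             for t in strip(raw).split()]
        if f:
            rules.append((n, f[0], f[1], f[2], f[3] if len(f) > 3 else "all",
                          f[4].split(",") if len(f) > 4 else ["-"]))
    return rules

def parse_policy(text):
    """(lineno, source, dest, policy) in file order."""
    return [(n, *strip(raw).split()[:3])
            for n, raw in enumerate(text.splitlines(), 1) if strip(raw)]

def zone_match(spec, zone, addr):
    """'dmz' matches the zone; 'dmz:a,b' additionally requires addr in the list."""
    z, _, hosts = spec.partition(":")
    return z in ("all", zone) and (not hosts or addr in hosts.split(","))

def port_match(ports, port):
    return ports == ["-"] or str(port) in {SERVICES.get(p, p) for p in ports}

def check(rules, policies, src, dst, proto, port, dst_addr=None):
    """First matching rule wins, then the first matching policy (Shorewall order)."""
    for n, action, s, d, p, ports in rules:
        if (zone_match(s, src, None) and zone_match(d, dst, dst_addr)
                and p in ("all", proto) and port_match(ports, port)):
            return action, "rules:%d" % n
    for n, s, d, action in policies:
        if s in ("all", src) and d in ("all", dst):
            return action, "policy:%d" % n
    return "REJECT", "default"

def verdicts(rules_text):
    """Verdict and deciding line for three connections under a rules file."""
    rules = parse_rules(rules_text, parse_params(PARAMS))
    pol = parse_policy(POLICY)
    return {"loc->dmz http": check(rules, pol, "loc", "dmz", "tcp", 80, "69.17.65.22"),
            "net->dmz http": check(rules, pol, "net", "dmz", "tcp", 80, "69.17.65.161"),
            "net->dmz ssh": check(rules, pol, "net", "dmz", "tcp", 22, "69.17.65.22")}
```

With the original rules, loc->dmz http falls through to the final "all all REJECT" policy, which is exactly what the poster saw; with the consolidated rules it is accepted by the single loc->dmz multiport line.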
Thank you for your kind assistance. your suggestions did the trick. i have been able to test and resolve all problems related to DNS and am able to name resolve all local servers / services with one exception.

please refer to system diagram gif attached or see problem at:
http://www.substantis.com/modules.php?set_albumName=album88&id=substantis&op=modload&name=gallery&file=index&include=view_photo.php

my shorewall status file is attached.

PROBLEM:
my wife's laptop is on a netgear wgr614 v.3 router (router / 192.168.0.1) attached to the shorewall loc / eth1 interface (192.168.0.100). My wife's laptop (susan 192.168.0.5) can't access the name servers (dig fails), nor browse to the webserver (http://69.17.65.22). She can't ping any interface except the wi-fi router. In contrast, the local pc (work 192.168.0.2) which is connected by cat 5 to the wi-fi (router / 192.168.0.1) works fine. Oddly enough, the laptop (susan 192.168.0.5) can browse the internet if i point her to my ISP's DNS servers.

I am not sure how to ask this question. I suspect that this is a nested zone issue and that I need to add a zone (e.g. susan). Could someone point me in the right direction? thanks.
my files are as follows:

/masq

    #INTERFACE  SUBNET          ADDRESS       PROTO  PORT(S)
    eth0        192.168.0.0/24  69.17.65.105
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/params

    SERVERS=69.17.65.161,69.17.65.22
    SUSAN=192.168.0.5
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/policy

    #SOURCE  DEST  POLICY  LOG    LIMIT:BURST
    #                      LEVEL
    # susan  loc   ACCEPT
    # susan  net   ACCEPT
    loc      net   ACCEPT
    net      all   DROP    info
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    all      all   REJECT  info
    #LAST LINE -- DO NOT REMOVE

/proxyarp

    #ADDRESS      INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
    69.17.65.22   eth2       eth0      No
    69.17.65.161  eth2       eth0      No
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/rules

    #
    # Ping
    #
    ACCEPT  all  all  icmp  echo-request
    #
    # Net to DMZ
    #
    ACCEPT  net  dmz  tcp  smtp,http,https,imap,domain
    ACCEPT  net  dmz  udp  domain
    #
    # Loc to DMZ
    #
    ACCEPT  loc  dmz  tcp  smtp,http,https,imap,domain,ssh
    ACCEPT  loc  dmz  udp  domain
    # ...
    #
    #Net to DMZ
    #
    ACCEPT  net  dmz:$SERVERS  tcp  smtp,http,https,imap,domain
    ACCEPT  net  dmz:$SERVERS  udp  domain
    #
    # SERVERS=69.17.65.161,69.17.65.22,
    #
    # Firewall
    AllowWeb  fw   net
    AllowDNS  fw   net
    AllowDNS  fw   loc
    ACCEPT    loc  dmz  tcp  ssh   #SSH to the DMZ
    ACCEPT    net  fw   tcp  ssh   #SSH to the Firewall
    # Local web access
    AllowWeb  loc  dmz
    AllowDNS  loc  dmz
    AllowWeb  loc  net
    AllowDNS  loc  net
    # PORT PORT(S) DEST LIMIT GROUP
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/zones

    #ZONE    DISPLAY  COMMENTS
    # susan  Susan    Laptop on WiFi on eth1
    net      Net      Internet
    loc      Local    Local networks
    dmz      DMZ      Demilitarized zone
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
rioguia@speakeasy.net wrote:

> Thank you for your kind assistance. your suggestions did the trick. i have been able to test and resolve all problems related to DNS and am able to name resolve all local servers / services with one exception.
>
> please refer to system diagram gif attached or see problem at:
> http://www.substantis.com/modules.php?set_albumName=album88&id=substantis&op=modload&name=gallery&file=index&include=view_photo.php
>
> my shorewall status file is attached.
>
> PROBLEM:
> my wife's laptop is on a netgear wgr614 v.3 router (router / 192.168.0.1) attached to the shorewall loc / eth1 interface (192.168.0.100).

I assume that you are not using the WAN interface on that router?

> My wife's laptop (susan 192.168.0.5) can't access the name servers (dig fails), nor browse to the webserver (http://69.17.65.22). She can't ping any interface except the wi-fi router. In contrast, the local pc (work 192.168.0.2) which is connected by cat 5 to the wi-fi (router / 192.168.0.1) works fine. Oddly enough, the laptop (susan 192.168.0.5) can browse the internet if i point her to my ISP's DNS servers.
>
> I am not sure how to ask this question. I suspect that this is a nested zone issue and that I need to add a zone (e.g. susan).

How could it possibly be? From the point of view of the Shorewall box *there is absolutely no difference between your Wife's system and yours other than they have different IP addresses*.

> Could someone point me in the right direction? thanks.

tcpdump and/or ethereal are your friends.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2004-10-11 at 15:46, Tom Eastep wrote:

> I assume that you are not using the WAN interface on that router?

Also you may want to check the very basic settings. Also I agree with Tom, run ethereal on the router and see what you can see. Another thing to check is the built in firewall blocking stuff. Do you have their child safe blocking feature in use? Some steps to start your troubleshooting from.

_
/-\ ndrew
The laptop is using the wireless interface on the netgear router BUT the work pc is hardwired to the same router.

i am confused. ethereal shows two different results for the two computers attached to the SAME netgear wireless router even though there is "absolutely no difference between the laptop and the work station other than that they have different IP addresses*." it shows that the pc that is hard wired to the router (named work at 192.168.0.2) can get DNS resolution and browse the local webservers using their domain names (See e.g. WORK ON SHOREWALL ETH2 below). But that the laptop (Susan 192.168.0.5) on the wireless connection gets timed out.

Regarding Andrew Niemantsverdrie's suggestions, I doubt that the router is the cause of the problem. The router allows the laptop (using the ISP's DNS servers) to browse the internet and resolve names (except for the local network). Furthermore, the laptop can't even browse to the local servers using the server's public IP address (although it can ping the server, contrary to my prior report). The work station, which, unlike the laptop, is hardwired to the netgear router, has no trouble browsing the internet or the local servers and resolving their names.
WORK 192.168.0.2 ON SHOREWALL ETH2

    1100 Win=7756 Len=0
    113404.385143 69.17.65.22 -> 192.168.0.2 TCP http > 33259 [FIN, ACK] Seq=31647 Ack=831 Win=7504 Len=0
    113404.424774 192.168.0.2 -> 69.17.65.22 TCP 33259 > http [ACK] Seq=831 Ack=31648 Win=4194176 Len=0
    113405.882194 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
    113410.882475 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
    113412.107570 69.17.65.22 -> 192.168.0.2 TCP http > 33260 [FIN, ACK] Seq=7450 Ack=898 Win=7504 Len=0
    113412.147959 192.168.0.2 -> 69.17.65.22 TCP 33260 > http [ACK] Seq=898 Ack=7451 Win=2990080 Len=0
    113415.883107 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
    113416.139601 192.168.0.2 -> 69.17.65.22 TCP 33259 > http [FIN, ACK] Seq=831 Ack=31648 Win=4194176 Len=0
    113416.139678 192.168.0.2 -> 69.17.65.22 TCP 33260 > http [FIN, ACK] Seq=898 Ack=7451 Win=2990080 Len=0
    113416.139966 69.17.65.22 -> 192.168.0.2 TCP http > 33259 [ACK] Seq=31648 Ack=832 Win=7504 Len=0
    113416.140047 69.17.65.22 -> 192.168.0.2 TCP http > 33260 [ACK] Seq=7451 Ack=899 Win=7504 Len=0

OUTPUT FOR SUSAN 192.168.0.5 ON SHOREWALL ETH2

    113754.453068 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
    113759.451413 ns2.substantis.com -> mail.substantis.com ARP Who has 69.17.65.22? Tell 192.168.202.1
    113759.451673 mail.substantis.com -> ns2.substantis.com ARP 69.17.65.22 is at 00:50:04:22:41:1d
    113759.453991 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
    113764.454067 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
    113769.454022 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
    113774.454635 192.168.0.5 -> 69.17.65.22 DNS Standard query A substantis.com
    113779.454976 192.168.0.5 -> 69.17.65.22 DNS Standard query A substantis.com
    113784.455482 192.168.0.5 -> 69.17.65.22 DNS Standard query A substantis.com
    113789.456616 192.168.0.5 -> 69.17.65.22 DNS Standard query A substantis.com
    113794.456442 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
    113799.457834 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA substantis.com
rioguia@speakeasy.net wrote:

> The laptop is using the wireless interface on the netgear router BUT the work pc is hardwired to the same router.
>
> i am confused. ethereal shows two different results for the two computers attached to the SAME netgear wireless router even though there is "absolutely no difference between the laptop and the work station other than that they have different IP addresses*." it shows that the pc that is hard wired to the router (named work at 192.168.0.2) can get DNS resolution and browse the local webservers using their domain names (See e.g. WORK ON SHOREWALL ETH2 below). But that the laptop (Susan 192.168.0.5) on the wireless connection gets timed out.

Let's see -- 192.168.0.5 sends a request to 69.17.65.22 and a response is returned. 192.168.0.2 sends a request to 69.17.65.22 and no response is returned. Now let's think about where the problem might be........

Hint 1 -- named.conf on 69.17.65.22
Hint 2 -- routing table on 69.17.65.22

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
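As an added example (not from the thread or the Shorewall project), here is the check that "tcpdump and/or ethereal are your friends" and the capture posted above amount to, in Python: parse ethereal summary lines, pair each DNS query with a response from the queried server within the resolver's retry interval, and report which client's queries reached the DMZ segment but were never answered. A client in that state, next to another client on the same segment that does get answers, points at the server side (its named.conf or its routing table), which is the direction of the two hints. The capture is constructed to resemble the posted one; the response line for 192.168.0.2 is assumed, since the posted excerpt shows no DNS responses at all.

```python
import re
from collections import defaultdict

# Constructed capture in ethereal summary format, modelled on the lines posted
# in the thread; the response to 192.168.0.2 is added so the clients compare.
CAPTURE = """\
113405.882194 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
113405.883001 192.168.0.2 -> 69.17.65.22 DNS Standard query A www.substantis.com
113405.884120 69.17.65.22 -> 192.168.0.2 DNS Standard query response A 69.17.65.22
113410.882475 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
113412.107570 69.17.65.22 -> 192.168.0.2 TCP http > 33260 [FIN, ACK] Seq=7450 Ack=898 Win=7504 Len=0
113415.883107 192.168.0.5 -> 69.17.65.22 DNS Standard query AAAA www.substantis.com
"""

# Only DNS summary lines are of interest; TCP/ARP lines do not match.
DNS_LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DNS\s+"
                      r"Standard query(?P<resp> response)?\s+(?P<q>.*)$")

def parse_dns(capture):
    """Yield (timestamp, src, dst, is_response, question_or_answer)."""
    for line in capture.splitlines():
        m = DNS_LINE.match(line)
        if m:
            yield float(m["ts"]), m["src"], m["dst"], bool(m["resp"]), m["q"]

def dns_stats(capture, timeout=5.0):
    """Per client: (queries sent, queries with no response from the queried
    server within `timeout` seconds). Resolver retransmits count as queries,
    which is why the posted capture shows the same question every 5 seconds."""
    events = list(parse_dns(capture))
    stats = defaultdict(lambda: [0, 0])
    for ts, src, dst, is_resp, _ in events:
        if is_resp:
            continue
        answered = any(r and rs == dst and rd == src and ts <= rt <= ts + timeout
                       for rt, rs, rd, r, _ in events)
        stats[src][0] += 1
        stats[src][1] += 0 if answered else 1
    return {client: tuple(v) for client, v in stats.items()}

def silent_clients(capture):
    """Clients none of whose queries were answered. Their packets are on the
    DMZ wire, so the firewall passed them; the silence is on the server."""
    return sorted(c for c, (sent, lost) in dns_stats(capture).items()
                  if sent and sent == lost)
```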