Hello All,

I've tried good ol' Google, and of course the documentation. (Back when I learned Shorewall, I printed it out completely and read it completely as well.) But I can't find how to clear the dynamic blacklist.

One can add IP addresses to the dynamic blacklist with:

    shorewall [drop|reject] X.X.X.X

And allow them again with:

    shorewall allow X.X.X.X

But now I've got hundreds in the dynamic blacklist and want to completely clear it. How would I do that?

Thanks,
Mark

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
Mark wrote:
> But now, I've got hundreds in the dynamic blacklist and want to
> completely clear it. How would I do that?

    iptables -F dynamic
    shorewall save

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Mark wrote:
>
>> But now, I've got hundreds in the dynamic blacklist and want to
>> completely clear it. How would I do that?
>
> iptables -F dynamic
> shorewall save

Or

    iptables -F dynamic
    shorewall forget

Depending on whether you want to end up with a saved config or not.

-Tom
Hi!

I have configured a Shorewall as perimeter firewall between the internet and my local network and it is working fine and I am very satisfied. Now I'm trying to configure Shorewall as an internal firewall between my servers and our corporate workstations. I'm having problems because the corporate workstations cannot see the servers. Any suggestions on this setup? The servers and the workstations are on the same segment. I am also using the two-interface configuration.

Thanks to all and more power.....
On Mon, Aug 01, 2005 at 01:00:20AM +0000, Heavy Arms wrote:
> corporate workstations cannot see the servers. any suggestions on this
> setup? the servers and the workstations are on the same segment.. I am also

What is the network numbering like? If the IP addresses are on the same network, then the firewall won't be consulted. However, there is little security to be gained by firewalling two networks that share the same Ethernet segment, as anyone can do an 'add route' on their workstation to bypass the firewall.

-Jason Martin
--
This message is PGP/MIME signed.
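Jason's two points (a host never sends traffic for its own subnet through a gateway, and a more specific route can steer traffic away from one) both come down to the kernel's longest-prefix-match route lookup. The following is an added worked example, not code from the thread or from Shorewall: it implements that lookup over small, constructed route tables and reports whether a packet to a server would pass through the firewall at all. The addresses, the firewall IP 172.16.16.1 and the server subnet 172.16.17.0/24 are assumptions made up for the illustration; only 172.16.16.0/24 comes from the thread.

```python
"""Longest-prefix-match route lookup: why a firewall between hosts that share
one IP subnet (and one Ethernet segment) never sees their traffic.
Added example for this archive, not Shorewall's code; every route table and
address below is constructed for illustration."""
import ipaddress


def next_hop(routes, dst):
    """Return (network_str, via) for the most specific route matching dst.

    routes: list of (network_str, via); via is None for an on-link (directly
    connected) route, otherwise the gateway address string.  The longest
    matching prefix wins, exactly as in the kernel's FIB lookup.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for net_str, via in routes:
        net = ipaddress.ip_network(net_str, strict=False)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return str(best_net), best_via


def crosses_firewall(routes, dst, firewall_ip):
    """True only if the selected route hands the packet to the firewall."""
    _net, via = next_hop(routes, dst)
    return via == firewall_ip


FIREWALL = "172.16.16.1"  # assumed address of the Shorewall box

# Scenario 1 (constructed): the poster's layout.  Workstations and servers
# both live in 172.16.16.0/24, which is on-link from the workstation's point
# of view, so a packet to a server is delivered directly at layer 2.
SAME_SUBNET = [
    ("172.16.16.0/24", None),        # connected route on eth0
    ("0.0.0.0/0", FIREWALL),         # default route via the firewall
]

# Scenario 2 (constructed): servers renumbered into 172.16.17.0/24, reachable
# only through the firewall, which sits between two separate switches.
SPLIT_SUBNET = [
    ("172.16.16.0/24", None),
    ("172.16.17.0/24", FIREWALL),
    ("0.0.0.0/0", FIREWALL),
]

# Scenario 3 (constructed): Jason's caveat.  Same as scenario 2, but a host
# route for one server has been added on-link.  /32 beats /24, so the lookup
# no longer selects the firewall; only a physically separate segment makes
# the routed path unavoidable (Gerhard's point later in the thread).
SPLIT_SUBNET_WITH_HOST_ROUTE = SPLIT_SUBNET + [("172.16.17.10/32", None)]


def report(routes, dst):
    net, via = next_hop(routes, dst)
    path = "on-link (firewall not consulted)" if via is None else f"via {via}"
    return f"{dst}: matched {net}, {path}"


if __name__ == "__main__":
    print(report(SAME_SUBNET, "172.16.16.50"))
    print(report(SPLIT_SUBNET, "172.16.17.10"))
    print(report(SPLIT_SUBNET_WITH_HOST_ROUTE, "172.16.17.10"))
```

The useful check for a deployment like the one asked about is the second scenario: if `crosses_firewall()` is false for every server address from a workstation's route table, the firewall's rules are irrelevant to that traffic no matter what they say.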
The segment for the servers and the workstations is on the 172.16.16.0/24 network. I'm planning to place the Shorewall in between the servers' switch and the workstations' switch so that every packet sent to the servers will be intercepted first by Shorewall...

Jason Martin wrote:
> What is the network numbering like? If the IP addresses are on
> the same network, then the firewall won't be consulted.
Heavy Arms wrote:
> Hi!
>
> I have configured a shorewall as perimeter firewall between the internet
> and my local network and it is working fine and I am very satisfied.
> Now I'm trying to configure shorewall as an internal firewall between my
> servers and our corporate workstations. I'm having problems because the
> corporate workstations cannot see the servers. any suggestions on this
> setup? the servers and the workstations are on the same segment.. I am
> also using the two-interface configuration.

What do you mean "the corporate workstations cannot see the servers"? Via ping? SMB? Physical line of sight? You need to provide more information.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Using HTML email (or "Rich Text" email) rather than plain text is less efficient, and makes you more vulnerable to security flaws in your computer software. Learn more about securing your computer at <http://www.kb.cert.org/vuls/id/713878>.
The IP subnet can be the same, but the Ethernet segment must be separate. Has Shorewall been set up as a bridge?

On 8/1/05, Heavy Arms <chinito_eyes@hotmail.com> wrote:
> the segment for the servers and the workstations is on 172.16.16.0/24
> network. I'm planning to place the shorewall in between the server's switch
> and the workstation's switch so that every packet sent to the servers will
> be intercepted first by shorewall...

--
Gerhard
The sender address really contains .nospam.
Via ping, and I also created a rule for SSH...

Paul Gear wrote:
> What do you mean "the corporate workstations cannot see the servers"?
> Via ping? SMB? Physical line of sight? You need to provide more
> information.
I haven't tried setting Shorewall up as a bridge; I'll give it a try. What do you mean by 'the Ethernet segment must be separate'?

Gerhard Olsson wrote:
> The IP subnet can be the same, but the Ethernet segment must be separate.
> Shorewall has been setup as a bridge?
Heavy Arms wrote:
> via ping, and i also created a rule for ssh...

Please have a look at the support guidelines at http://shorewall.net/support.htm and provide the relevant configuration and status information. We need to be able to understand what you're doing better.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Many viruses specifically target Microsoft Outlook and Outlook Express. You can help to keep your computer free of viruses by using one of the more secure alternatives from <http://mozilla.org>.
Heavy Arms wrote:
> i haven't tried setting shorewall as a bridge, i'll give it a try.

I wouldn't recommend using Shorewall as a bridge unless there's a specific reason to. Routing is generally more well-understood and is simpler to troubleshoot.

> what do you mean by 'the ethernet segment must be separate'?

You can't connect the two switches together.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Email addresses can be forged easily. This message is signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail <http://enigmail.mozdev.org> so you can be sure it comes from me.
The bridge concept is more difficult to understand. Bridging is also not very well supported in most distros. For instance, you have to set up a virtual bridging interface manually for the machine to get an IP to admin the machine. There are bridging hints and tips in the Shorewall documentation.

Bridging can simplify if machines on the firewall interfaces are on the same IP interface, as no routing is required. Routing may be more difficult to set up/configure than the bridge setup. (Another situation is IGMP routing to avoid masqing, as "IGMP proxies" are not available.)

I do not know what to use in this situation.

On 8/1/05, Paul Gear <paul@gear.dyndns.org> wrote:
> Heavy Arms wrote:
> > i haven't tried setting shorewall as a bridge, i'll give it a try.
>
> I wouldn't recommend using shorewall as a bridge unless there's a
> specific reason to. Routing is generally more well-understood and is
> simpler to troubleshoot.

--
Gerhard
The sender address really contains .nospam.
Tom Eastep wrote:
> Tom Eastep wrote:
>> Mark wrote:
>>
>>> But now, I've got hundreds in the dynamic blacklist and want to
>>> completely clear it. How would I do that?
>>
>> iptables -F dynamic
>> shorewall save
>
> Or
>
> iptables -F dynamic
> shorewall forget
>
> Depending whether you want to end up with a saved config or not.

In reading the code today, I noticed that "shorewall forget" does not delete /var/lib/shorewall/save, so using "shorewall forget" can cause the old list to reappear after "shorewall [re]start". So the second method needs a separate step:

    iptables -F dynamic
    shorewall forget
    rm /var/lib/shorewall/save

-Tom
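The two clearing recipes in this thread (flush and `shorewall save`, or flush, `shorewall forget` and remove the save file, per Tom's correction above) are small enough to get wrong when done by hand on a box with hundreds of entries. The following is an added example written for this archive, not Shorewall's own tooling: it wraps both variants in one function, counts the entries in the `dynamic` chain from `iptables -S dynamic` output so you can confirm the before and after, and reports whether the save file is still present, which is the condition that makes the old list come back on restart. The command runner is injectable so the procedure can be exercised without root; the `iptables -S` sample text and the temporary-file helper are constructed for the example, and /var/lib/shorewall/save is the path Tom names.

```python
"""Clear Shorewall's dynamic blacklist, with the checks a careful admin wants.
Added example for this archive, not Shorewall's code.  The default runner
really executes iptables/shorewall (needs root); pass your own runner for a
dry run or a test."""
import os
import subprocess
import tempfile

SAVE_FILE = "/var/lib/shorewall/save"   # path named in the thread


def default_runner(argv):
    """Execute argv, raising CalledProcessError on a non-zero exit."""
    subprocess.run(argv, check=True)


def count_dynamic_entries(iptables_s_output):
    """Count blacklisted addresses in 'iptables -S dynamic' output.

    Each entry is an '-A dynamic ...' rule; the leading '-N dynamic' line
    only declares the chain and is not counted.
    """
    return sum(1 for line in iptables_s_output.splitlines()
               if line.startswith("-A dynamic "))


def clear_dynamic_blacklist(keep_saved_config, runner=default_runner,
                            save_file=SAVE_FILE):
    """Flush the 'dynamic' chain, then persist or discard the result.

    keep_saved_config=True  -> 'shorewall save'   (empty list is saved)
    keep_saved_config=False -> 'shorewall forget' plus removal of the save
                               file, since 'forget' leaves it behind and a
                               later 'shorewall [re]start' would reload it.
    Returns (commands_executed, save_file_still_exists).
    """
    executed = []

    def run(argv):
        executed.append(argv)
        runner(argv)

    run(["iptables", "-F", "dynamic"])
    if keep_saved_config:
        run(["shorewall", "save"])
    else:
        run(["shorewall", "forget"])
        try:
            os.remove(save_file)
        except FileNotFoundError:
            pass   # nothing was ever saved on this box; that is fine
    return executed, os.path.exists(save_file)


# Constructed sample of 'iptables -S dynamic' with three blacklisted hosts
# (documentation addresses; the 'reject' target is Shorewall's reject chain).
SAMPLE_IPTABLES_S = """\
-N dynamic
-A dynamic -s 203.0.113.5/32 -j DROP
-A dynamic -s 203.0.113.9/32 -j reject
-A dynamic -s 198.51.100.20/32 -j DROP
"""


def write_fake_save_file():
    """Create a stand-in for /var/lib/shorewall/save so the 'forget' path
    can be demonstrated without touching the real file.  Returns its path."""
    fd, path = tempfile.mkstemp(prefix="shorewall-save-example-")
    with os.fdopen(fd, "w") as fh:
        fh.write("# constructed stand-in for a saved iptables state\n")
    return path


if __name__ == "__main__":
    print(count_dynamic_entries(SAMPLE_IPTABLES_S), "entries in the sample chain")
    fake_save = write_fake_save_file()
    cmds, still_saved = clear_dynamic_blacklist(
        keep_saved_config=False,
        runner=lambda argv: print("would run:", " ".join(argv)),  # dry run
        save_file=fake_save)
    print("save file still present:", still_saved)
```

On a real system, run `iptables -S dynamic | grep -c '^-A dynamic '` (or feed that output to `count_dynamic_entries`) before and after; the after-count must be zero, and for the forget variant `still_saved` must be `False` or the list will be restored on the next restart.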