Hi everybody,

I'm dealing with a problem I can't solve, but I'm quite sure I'm missing something obvious. (I checked all the FAQs and documentation also.)

I have a firewall that separates an internal segment of a big network, doing only routing and filtering but not NAT (it is not directly connected to a public interface).

I want clients of this segment to be able to access external ftp servers, so I set up this rule:

# accept external ftp servers
ACCEPT int all tcp ftp

But I get this error logged:

Sep 1 18:22:35 fwmc kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0 SRC=192.168.6.205 DST=83.103.72.227 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=49053 DF PROTO=TCP SPT=2844 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0

I assume this is correct because the packet is going through the FORWARD chain, not the INPUT or OUTPUT chain.

So the question is: how can I set up rules on the FORWARD chain? Do I necessarily have to mark packets as in the TC howto and then set up custom rules for them, or is there some other way to set this up?

Thank you for all your help.

maurizio
Could you please include your configuration files as specified here:
http://www.shorewall.net/support.htm

Niko

2005/9/5, mizzio <mizzio@sinapto.net>:
> So the question is: how can I set up rules on the FORWARD chain ? Do I
> necessary have to mark packets as in the TC howto and then set up custom
> rules for them, or there is some other way to set this up ?
mizzio wrote:
> ACCEPT int all tcp ftp
>
> But I get this error logged:
>
> Sep 1 18:22:35 fwmc kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0
> SRC=192.168.6.205 DST=83.103.72.227 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=49053 DF PROTO=TCP SPT=2844 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
>
> I assume this is correct because the packet is going through the FORWARD
> chain, not in the INPUT or OUTPUT.

Given that you have a zone called 'int', it's clear that you failed to use a QuickStart Guide to configure Shorewall (see http://www.shorewall.net/shorewall_quickstart_guide.htm). As a consequence, you have a very fundamental error in your configuration. See Shorewall FAQ #17 (http://www.shorewall.net/FAQ.htm#faq17) for information concerning packets being dropped in the FORWARD, INPUT or OUTPUT chains.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
The zone is called "mc"; I wrote int since I assumed this was not important. Sorry for that.

Tom, did you write that I have a very fundamental error because you checked the output of my "shorewall status" and you couldn't find any? I'm checking again and again all the configuration.

Thank you for your help!
maurizio

On Mon, 05/09/2005 at 07.48 -0700, Tom Eastep wrote:
> Given that you have a zone called 'int', it's clear that you failed to
> use a QuickStart Guide to configure Shorewall (see
> http://www.shorewall.net/shorewall_quickstart_guide.htm). As a
> consequence, you have a very fundamental error in your configuration.
I post in compressed format the output of shorewall status.

Nevertheless, I think that the problem can be understood from my previous post.

Thank you again for all your help.
Maurizio
mizzio wrote:
> I post in compressed format the output of shorewall status.
>
> Nevertheless, I think that the problem can be understood from my
> previous post.

PLEASE READ FAQ #17 -- IN PARTICULAR:

-------------------------------------------------------------------------
INPUT or FORWARD

The packet has a source IP address that isn't in any of your defined zones ("shorewall check" and look at the printed zone definitions) or the chain is FORWARD and the destination IP isn't in any of your defined zones. If the chain is FORWARD and the IN and OUT interfaces are the same, then you probably need the routeback option on that interface in /etc/shorewall/interfaces or you need the routeback option in the relevant entry in /etc/shorewall/hosts.
-------------------------------------------------------------------------

In other words, YOUR ZONE DEFINITIONS ARE MESSED UP. You have defined 192.168.5.0/24 to eth0 yet traffic from that zone is coming into your firewall on eth1.

There is another possibility; namely, that you have connected eth0 and eth1 to the same HUB/switch. There are warnings about that all over the Shorewall documentation (in the troubleshooting guide for example) and what to do about it, at least in a test situation.

-Tom
Sorry to bother all of you guys again (Tom in particular), but I did read the FAQ very carefully, with no luck. I double checked my zone definitions and they seem ok (you can find them below). Also, the two interfaces are connected to different switches.

Regarding FAQ #17, the only case that could affect me is this one:

> the chain is FORWARD and the destination IP isn't in any of your defined
> zones.

But how can I define the destination zone with this setup, if the firewall is not directly connected to the Internet? I want the local clients to access ALL the public ftp servers.

Here you can find the details of my configuration in a short way:

----------------------------------------
root@fwmc /etc/shorewall# ifconfig eth0
eth0  inet addr:192.168.2.3  Bcast:192.168.2.0  Mask:255.255.255.0
----------------------------------------
root@fwmc /etc/shorewall# ifconfig eth1
eth1  inet addr:192.168.6.1  Bcast:192.168.2.0  Mask:255.255.255.0
----------------------------------------
/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST  OPTIONS                        GATEWAY
-      eth0       detect     routefilter,tcpflags,nosmurfs
mc     eth1       detect     routefilter,tcpflags,nosmurfs
----------------------------------------
/etc/shorewall/zones
#ZONE  DISPLAY      COMMENTS
gmr    Grafiche M.  Grafiche M.
mc     MC-Grafiche  MC Grafiche
mcgri  MC-Grinetta  MC Grafiche Gri.
para   Parabole     Parabole
----------------------------------------
/etc/shorewall/hosts
#ZONE  HOST(S)              OPTIONS
gmr    eth0:192.168.2.0/24  routeback
mcgri  eth0:192.168.5.0/24  routeback
para   eth0:192.168.7.0/24  routeback
----------------------------------------

And here is the packet being dropped (unless I set ALL ALL ACCEPT in the policy file):

----------------------------------------
Sep 1 18:22:35 fwmc kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0 SRC=192.168.6.205 DST=83.103.72.227 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=49053 DF PROTO=TCP SPT=2844 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
----------------------------------------

The 192.168.5.0/24 network is connected (not directly) to eth0, not eth1. There is some traffic from 192.168.51.0/24 coming up on eth1 and that is correctly dropped.

Thank you again and again,
maurizio
> > the chain is FORWARD and the destination IP isn't in any of your defined
> > zones.
>
> But how can I define the destination zone with this setup, if the
> firewall is not directly connected to Internet ? I want the local
> clients to access to ALL the public ftp servers.
>
> /etc/shorewalll/hosts
> #ZONE HOST(S) OPTIONS
> gmr eth0:192.168.2.0/24 routeback
> mcgri eth0:192.168.5.0/24 routeback
> para eth0:192.168.7.0/24 routeback
>
> And here there is the packet being dropped (unless I set ALL ALL Accept
> in the policy file):
>
> Sep 1 18:22:35 fwmc kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0
> SRC=192.168.6.205 DST=83.103.72.227 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=49053 DF PROTO=TCP SPT=2844 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0

The problem is that you are missing the rest of the internet on interface eth0; you have only defined your private LAN and not the internet that is reachable on eth0.

Try this:

/etc/shorewall/hosts
#ZONE  HOST(S)              OPTIONS
gmr    eth0:192.168.2.0/24  routeback
mcgri  eth0:192.168.5.0/24  routeback
para   eth0:192.168.7.0/24  routeback
net    eth0:0.0.0.0/0       <your options>

/etc/shorewall/zones
#ZONE  DISPLAY      COMMENTS
gmr    Grafiche M.  Grafiche M.
mc     MC-Grafiche  MC Grafiche
mcgri  MC-Grinetta  MC Grafiche Gri.
para   Parabole     Parabole
net    Internet     big bad internet

Having clients on the same interface as the gateway is bad IMHO. I'd add a nic just for the gateway to connect to. Just my 2 cents.

Jerry
Jerry,

great! it works! Actually I tried something similar but I didn't manage to set it up correctly, probably because the order used to define the networks in the hosts file _does_ matter.

I didn't find any reference about defining the internet in this way (0.0.0.0/0 in the hosts file) in the documentation, which is the only way to set up the firewall correctly when you have a routing-only internal firewall; I don't think this is obvious, so I guess it could be an important thing to point out.

Regarding the "clients on the same interface" thing, the networks are not physically connected, but routed; this is a quite complex set-up with 4 shorewall servers connecting 6 networks, acting as firewall/routers. If anybody needs some more information on this just let me know..

thank you __very__ much!
mizzio

On Tue, 06/09/2005 at 13.42 -0500, Jerry Vonau wrote:
> The problem is that you missing the the rest of the internet on interface eth0, you have only defined
> your private lan and not the internet that is reachable on eth0. Try this:
>
> /etc/shorewalll/hosts
> #ZONE HOST(S) OPTIONS
> gmr eth0:192.168.2.0/24 routeback
> mcgri eth0:192.168.5.0/24 routeback
> para eth0:192.168.7.0/24 routeback
> net eth0:0.0.0.0/0 <your options>
>
> Having clients on the same interface as the gateway is bad IMHO.
> I'd add a nic just for the gateway to connect to. Just my 2 cents.
>
> Jerry
mizzio wrote:
> Jerry,
>
> great ! it works ! Actually I tried something similar but I didn't
> manage to set it up correctly, probably because the order used to define
> the networks in the hosts file _does_ matter.

It does not.

> I didn't find any reference about defining the internet in this way
> (0.0.0.0./0 in the hosts file) in the documentation, which is the only
> way to set up the firewall correctly when you have a routing-only
> internal firewall; I don't think this is obvious, so I guess it could be
> an important thing to point out.

What Jerry recommended is equivalent to defining the 'net' zone using /etc/shorewall/interfaces. The key to correct operation is that 'net' must appear *last* in /etc/shorewall/zones.

-Tom
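As an added illustration (not code from this thread or from Shorewall), the Python model below applies the FAQ #17 zone lookup to the configuration posted above: it shows why the logged packet's destination 83.103.72.227 fell into no zone, how Jerry's net eth0:0.0.0.0/0 line fixes it, and why Tom's requirement that 'net' be last in the zones file matters. The interfaces, hosts and zones data are the thread's; the first-match-in-zones-order membership logic and the '<src>2<dst>' chain naming are a simplified model of Shorewall's behaviour, not its compiler.

```python
"""Model of how Shorewall assigns a packet's addresses to zones.

Constructed example (not Shorewall's code): it reproduces the thread's
interfaces/hosts files, the FORWARD:DROP of FAQ #17 for the logged packet,
Jerry's 'net eth0:0.0.0.0/0' fix, and why 'net' must be last in zones.
"""
import ipaddress

# /etc/shorewall/interfaces from the thread: (zone, interface).
# '-' means the zone is defined per-subnet in /etc/shorewall/hosts.
INTERFACES = [("-", "eth0"), ("mc", "eth1")]

# /etc/shorewall/hosts from the thread: (zone, interface, network).
HOSTS_ORIG = [
    ("gmr", "eth0", "192.168.2.0/24"),
    ("mcgri", "eth0", "192.168.5.0/24"),
    ("para", "eth0", "192.168.7.0/24"),
]
# Jerry's fix: a catch-all 'net' zone on eth0.
HOSTS_FIXED = HOSTS_ORIG + [("net", "eth0", "0.0.0.0/0")]

# Zone order as listed in /etc/shorewall/zones.
ZONES_ORIG = ["gmr", "mc", "mcgri", "para"]
ZONES_FIXED = ZONES_ORIG + ["net"]          # 'net' last, as Tom requires
ZONES_NET_FIRST = ["net"] + ZONES_ORIG      # the wrong order, for contrast


def build_members(interfaces, hosts):
    """Map each zone to the (interface, network) pairs that belong to it."""
    members = {}
    for zone, iface in interfaces:
        if zone != "-":  # a whole-interface zone covers every address on it
            members.setdefault(zone, []).append(
                (iface, ipaddress.ip_network("0.0.0.0/0")))
    for zone, iface, net in hosts:
        members.setdefault(zone, []).append((iface, ipaddress.ip_network(net)))
    return members


def zone_of(zone_order, members, iface, addr):
    """First zone, in zones-file order, whose definition covers the
    address on that interface; None if no zone claims it."""
    ip = ipaddress.ip_address(addr)
    for zone in zone_order:
        for m_iface, net in members.get(zone, []):
            if m_iface == iface and ip in net:
                return zone
    return None


def forward_verdict(zone_order, members, in_iface, src, out_iface, dst):
    """FAQ #17 behaviour for a FORWARD packet: if either end is in no zone,
    there is no zone-to-zone chain for it and the FORWARD default drops it.
    Otherwise return the Shorewall-style '<src>2<dst>' chain name."""
    src_zone = zone_of(zone_order, members, in_iface, src)
    dst_zone = zone_of(zone_order, members, out_iface, dst)
    if src_zone is None or dst_zone is None:
        return "FORWARD:DROP", src_zone, dst_zone
    return f"{src_zone}2{dst_zone}", src_zone, dst_zone


if __name__ == "__main__":
    # Values from the logged packet: IN=eth1 SRC=192.168.6.205 OUT=eth0 DST=83.103.72.227
    pkt = ("eth1", "192.168.6.205", "eth0", "83.103.72.227")
    print(forward_verdict(ZONES_ORIG, build_members(INTERFACES, HOSTS_ORIG), *pkt))
    fixed = build_members(INTERFACES, HOSTS_FIXED)
    print(forward_verdict(ZONES_FIXED, fixed, *pkt))
    # With 'net' listed first, 0.0.0.0/0 swallows the gmr subnet on eth0.
    print(zone_of(ZONES_FIXED, fixed, "eth0", "192.168.2.10"),
          zone_of(ZONES_NET_FIRST, fixed, "eth0", "192.168.2.10"))
```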
> It does not.

Ok.

> > I didn't find any reference about defining the internet in this way
> > (0.0.0.0./0 in the hosts file) in the documentation, which is the only
> > way to set up the firewall correctly when you have a routing-only
> > internal firewall; I don't think this is obvious, so I guess it could be
> > an important thing to point out.
>
> What Jerry recommended is equivalent to defining the 'net' zone using
> /etc/shorewall/interfaces.

Even if I have multiple zones connected to the same interface (my case)? In that case I guess I have to use the hosts file, because my interfaces file looks like this:

#ZONE  INTERFACE  BROADCAST  OPTIONS                        GATEWAY
-      eth0       detect     routefilter,tcpflags,nosmurfs

I ask this question just to clarify everything, so next time I won't bother anyone :-)

> The key to correct operation is that 'net'
> must appear *last* in /etc/shorewall/zones.

Agreed.

Thank you very much again.
Maurizio

> -Tom