I must have missed a memo somewhere.

I use the svn for netfilter.org to get the patch-o-matic-ng. I have an old June and July patch set as well. I am trying to patch a 2.4.31 kernel for CONNMARK and pptp. Iptables 1.3.3.

CONNMARK is not in the July or current release? I blew past it and Shorewall 2.4.5 dies looking to do a CONNMARK rule.

I have a June release of patch-o-matic-ng that has CONNMARK but the pptp fails - something about not finding a LADD in the config.in file. I had to patch the CONNMARK from the June patch set and pptp from a July patch set. The current svn release fails on pptp -- lines missing?

I must be missing some very important information about netfilter. It seems I get behind an 8 ball every few months with these guys.

I gave up on a 2.6.x kernel. I'll wait for Tom to get Shorewall and 2.6.14 working.

--john
On Wednesday 26 October 2005 08:33, John HIll wrote:
> I must be missing some very important information about netfilter. It seems
> I get behind an 8 ball every few months with these guys.

I see Patch-O-Matic[-ng] as a failed experiment that deserves to be put out of its misery. It has served as a sandbox for the Netfilter developers to play in and little else.

FWIW, the patch-o-matic Snapshot from 3/2/2005 applies the two patches you want to 2.4.31 and 1.3.3. I can't tell you if they compile and/or work.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I'll get it and give it a try.

Thanks

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Wednesday, October 26, 2005 12:29 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Patch help
>
> On Wednesday 26 October 2005 08:33, John HIll wrote:
> > I must be missing some very important information about netfilter. It seems
> > I get behind an 8 ball every few months with these guys.
>
> I see Patch-O-Matic[-ng] as a failed experiment that deserves to be put out of
> its misery. It has served as a sandbox for the Netfilter developers to play
> in and little else.
>
> FWIW, the patch-o-matic Snapshot from 3/2/2005 applies the two patches you
> want to 2.4.31 and 1.3.3. I can't tell you if they compile and/or work
>
> -Tom
Hi

I have version 2.4.5

And no NONAT don't work

I need one ip don't use proxy

REDIRECT lan 3328 tcp www - !xxx.xxx.xxx
NONAT lan:yyy.yyy.yyy.yy wan tcp www

Lan ip is full out

Some idea? Or how to?
On Wednesday 26 October 2005 12:43, Rodrigo Cortes Cano wrote:
> Hi
>
> I have version 2.4.5
>
> And no NONAT don't work
>
> I need one ip don't use proxy
>
> REDIRECT lan 3328 tcp www - !xxx.xxx.xxx
> NONAT lan:yyy.yyy.yyy.yy wan tcp www
>
> Lan ip is full out
>
> Some idea? Or how to?

The order of the rules needs to be reversed. NONAT excludes matching connections from *subsequent* NAT rules (that is, rules that COME AFTER THE NONAT RULE).

Or, so long as you only need to exclude one client you could simply have one rule:

REDIRECT lan:!yyy.yyy.yyy.yyy 3328 tcp www - !xxx.xxx.xxx.xxx

-Tom
Wow!!! This is more simple!!!

Thx tom :)

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Wednesday, 26 October 2005 17:29
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Nonat problem

On Wednesday 26 October 2005 12:43, Rodrigo Cortes Cano wrote:
> Hi
>
> I have version 2.4.5
>
> And no NONAT don't work
>
> I need one ip don't use proxy
>
> REDIRECT lan 3328 tcp www - !xxx.xxx.xxx
> NONAT lan:yyy.yyy.yyy.yy wan tcp www
>
> Lan ip is full out
>
> Some idea? Or how to?

The order of the rules needs to be reversed. NONAT excludes matching connections from *subsequent* NAT rules (that is, rules that COME AFTER THE NONAT RULE).

Or, so long as you only need to exclude one client you could simply have one rule:

REDIRECT lan:!yyy.yyy.yyy.yyy 3328 tcp www - !xxx.xxx.xxx.xxx

-Tom
Tom Eastep wrote:
> Or, so long as you only need to exclude one client you could simply have
> one rule:
>
> REDIRECT lan:!yyy.yyy.yyy.yyy 3328 tcp www - !xxx.xxx.xxx.xxx

And in Shorewall 3.0, you can have a list of excluded IP addresses:

REDIRECT lan:!yyy.yyy.yyy.yyy,zzz.zzz.zzz.zzz,...

-Tom
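
The ordering rule Tom describes above, as an added example that is not part of the thread and is not Shorewall code: a simplified first-match model of the rules for tcp www traffic from the lan zone, showing the posted order, the reversed order, the single-rule exclusion and the 3.0 exclusion list. The addresses are constructed stand-ins for the masked yyy/zzz/xxx values, and all function and variable names are hypothetical.

```python
# Simplified first-match model of the rules discussed in the thread.
# Not Shorewall code; addresses are constructed stand-ins for the masked ones.
EXEMPT = "192.0.2.10"       # stands in for yyy.yyy.yyy.yyy (must bypass the proxy)
EXEMPT2 = "192.0.2.11"      # stands in for zzz.zzz.zzz.zzz (Shorewall 3.0 list form)
OTHER = "192.0.2.20"        # any other lan client
LOCAL_WEB = "198.51.100.5"  # stands in for the !xxx.xxx.xxx.xxx original destination
INTERNET = "203.0.113.80"   # some external web server
PROXY_PORT, WWW = 3328, 80


def rule(action, src=None, not_src=(), not_orig_dest=None):
    """One rule for tcp/www from lan. src=None means the whole zone."""
    return {"action": action, "src": src, "not_src": set(not_src),
            "not_orig_dest": not_orig_dest}


def matches(r, src, dst):
    """True when the connection src -> dst is selected by rule r."""
    if r["src"] is not None and src != r["src"]:
        return False
    if src in r["not_src"]:
        return False
    return dst != r["not_orig_dest"]


def final_port(rules, src, dst=INTERNET):
    """Walk the rules in file order; the first match decides and stops the walk."""
    for r in rules:
        if matches(r, src, dst):
            return PROXY_PORT if r["action"] == "REDIRECT" else WWW
    return WWW  # no NAT rule matched: the connection is left alone


redirect_all = rule("REDIRECT", not_orig_dest=LOCAL_WEB)
nonat_exempt = rule("NONAT", src=EXEMPT)

AS_POSTED = [redirect_all, nonat_exempt]  # NONAT comes too late to matter
REVERSED = [nonat_exempt, redirect_all]   # NONAT first: exempt client skips REDIRECT
SINGLE = [rule("REDIRECT", not_src=[EXEMPT], not_orig_dest=LOCAL_WEB)]
LIST_3_0 = [rule("REDIRECT", not_src=[EXEMPT, EXEMPT2])]

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("reversed", REVERSED),
                        ("single rule", SINGLE), ("3.0 list", LIST_3_0)]:
        print(name, {c: final_port(rules, c) for c in (EXEMPT, EXEMPT2, OTHER)})
```
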
Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@lists.sourceforge.net
10/26/05 02:28 PM
Please respond to shorewall-users@lists.sourceforge.net
To: shorewall-users@lists.sourceforge.net
cc:
Subject: Re: [Shorewall-users] Nonat problem

Tom Eastep wrote:
> Or, so long as you only need to exclude one client you could simply have
> one rule:
>
> REDIRECT lan:!yyy.yyy.yyy.yyy 3328 tcp www - !xxx.xxx.xxx.xxx

And in Shorewall 3.0, you can have a list of excluded IP addresses:

REDIRECT lan:!yyy.yyy.yyy.yyy,zzz.zzz.zzz.zzz,...

-Tom

=================================

Is 3.0 "Productional/Stable" yet - or did I miss an announcement ?

Also related - when we went from 1.x to 2.x there was a list of "preparation" items that we should attend to BEFORE attempting conversion...is there a similar list for 2.x to 3.x ?

- Bill
On Wednesday 26 October 2005 14:44, Bill.Light@kp.org wrote:
> Is 3.0 "Productional/Stable" yet - or did I miss an announcement ?

3.0 is at RC2.

> Also related - when we went from 1.x to 2.x there was a list of
> "preparation" items that we should attend to BEFORE attempting
> conversion...is there a similar list for 2.x to 3.x ?

Not yet.

-Tom