Hello list,

recently, there was a bug[1] opened in Gentoo Bugzilla, where shorewall 3.0.4 startup broke for a user whose network interfaces were named unconventionally - 'inet' and 'lan'.

Quick code analysis found out that the problem lies in shorewall's parsing (see comment #3 in that bug). The user has also offered an alternative, potentially less error-prone way to parse the given input (see comment #4 of the same bug).

I thought it's worth sharing it here, perhaps you, shorewall developers, can use these ideas.

1. http://bugs.gentoo.org/show_bug.cgi?id=122829

Kind regards,
-- 
Andrej "Ticho" Kacian <ticho at gentoo dot org>
Gentoo Linux Developer - net-mail, antivirus, sound, x86
On Monday 20 February 2006 07:44, Andrej Kacian wrote:
> Hello list,
>
> recently, there was a bug[1] opened in Gentoo Bugzilla, where shorewall
> 3.0.4 startup broke for a user whose network interfaces were named
> unconventionally - 'inet' and 'lan'.
>
> Quick code analysis found out that the problem lies in shorewall's parsing
> (see comment #3 in that bug). The user has also offered an alternative,
> potentially less error-prone way to parse the given input (see comment #4 of
> the same bug).
>
> I thought it's worth sharing it here, perhaps you, shorewall developers, can
> use these ideas.
>
> 1. http://bugs.gentoo.org/show_bug.cgi?id=122829
>

Thanks, Andrej

The solution suggested in the comment uses 'gawk' -- 'gawk' is typically not available on those embedded systems where Shorewall runs (awk in any form is often not available on those systems -- see the code in /sbin/shorewall that tests for the availability of 'awk').

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 21 February 2006 08:03, Tom Eastep wrote:
> > I thought it's worth sharing it here, perhaps you, shorewall developers,
> > can use these ideas.
> >
> > 1. http://bugs.gentoo.org/show_bug.cgi?id=122829
>
> Thanks, Andrej
>
> The solution suggested in the comment uses 'gawk' -- 'gawk' is typically
> not available on those embedded systems where Shorewall runs (awk in any
> form is often not available on those systems -- see the code in
> /sbin/shorewall that tests for the availability of 'awk').

Which simply means that I will have to use the less elegant fix that retains the use of 'grep' and 'head'.

Thanks again,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 21 Feb 2006 08:39:41 -0800 Tom Eastep <teastep@shorewall.net> wrote:
> On Tuesday 21 February 2006 08:03, Tom Eastep wrote:
> > > I thought it's worth sharing it here, perhaps you, shorewall developers,
> > > can use these ideas.
> > >
> > > 1. http://bugs.gentoo.org/show_bug.cgi?id=122829
> >
> > Thanks, Andrej
> >
> > The solution suggested in the comment uses 'gawk' -- 'gawk' is typically
> > not available on those embedded systems where Shorewall runs (awk in any
> > form is often not available on those systems -- see the code in
> > /sbin/shorewall that tests for the availability of 'awk').
>
> Which simply means that I will have to use the less elegant fix that retains
> the use of 'grep' and 'head'.

Hello Tom,

thanks for replying, I hope this was of some help.

Kind regards,
-- 
Andrej "Ticho" Kacian <ticho at gentoo dot org>
Gentoo Linux Developer - net-mail, antivirus, sound, x86
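The thread does not show the parse that broke, so the following is an added illustration, not Shorewall's code: it assumes the failing pipeline was a plain substring `grep inet | head -n1` over `ip addr show` output, and contrasts it with an anchored grep/sed parse that still needs no awk. The `ip addr` listings are constructed sample text.

```shell
#!/bin/sh
# Added example (not from Shorewall). Assumption, not stated in the thread:
# the broken parse resembled  ip addr show "$IF" | grep inet | head -n1 | sed ...
# so an interface literally named "inet" makes the header line win.

# Constructed sample of `ip addr show inet` for an interface named "inet".
SAMPLE_INET='3: inet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global inet
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Constructed sample for a conventionally named interface.
SAMPLE_ETH0='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0'

# Substring-matching parse (grep/head/sed only). Reads the listing on stdin.
# The first line containing "inet" is the interface header when the interface
# is called "inet", so the result is not an address at all.
naive_first_address() {
    grep inet | head -n1 | sed 's/.*inet //;s/[/ ].*//'
}

# Anchored parse: only a line that starts (after indentation) with "inet "
# is an IPv4 address line; "inet6" and the "N: inet:" header cannot match.
# Still grep/head/sed only, so it works where awk is absent.
first_address() {
    grep '^[[:space:]]*inet ' | head -n1 | sed 's/^[[:space:]]*inet //;s/[/ ].*//'
}

echo "$SAMPLE_INET" | naive_first_address   # prints "3:" (header line, wrong)
echo "$SAMPLE_INET" | first_address         # prints 10.0.0.1
echo "$SAMPLE_ETH0" | first_address         # prints 192.168.1.1
```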
Hi All

I would like to know if it is possible to define three zones NET, LAN and another in the shorewall zone file and manage them.
I have a big problem which can follow this one depending on the answer. I am dealing with P2P traffic control.

Regards
Roland

Roland Mfondoum
VAKIFLAR ISHANI
C BLOCK KAT1
No 7-8
GIRNE KKTC
MERSIN 10 TURKEY
PHONE: +90-392-815-8905
FAX: +90-392-815-8904
On Tuesday 21 February 2006 12:15, ngouyamsa roland wrote:
> Hi All
> I would like to know if it is possible to define three zones
> NET, LAN and another in the shorewall zone file and
> manage them.
> I have a big problem which can follow this one depending
> on the answer. I am dealing with P2P traffic control.
>

You really need to start with the basic Shorewall documentation: The QuickStart Guides for your version of Shorewall are the proper place to start.

Go to www.shorewall.net and click on Documentation

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 21 February 2006 12:21, Tom Eastep wrote:
> On Tuesday 21 February 2006 12:15, ngouyamsa roland wrote:
> > Hi All
> > I would like to know if it is possible to define three zones
> > NET, LAN and another in the shorewall zone file and
> > manage them.
> > I have a big problem which can follow this one depending
> > on the answer. I am dealing with P2P traffic control.
>
> You really need to start with the basic Shorewall documentation: The
> QuickStart Guides for your version of Shorewall are the proper place to
> start.
>
> Go to www.shorewall.net and click on Documentation
>

But to answer your original question, there is no architectural limit to the number of zones that you can define.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks so much for your fast answer. I am sorry but as you can see I am not a shorewall guru. But I hope you will still accept to help me. I am reading the shorewall documentation again and hope I will avoid asking stupid questions the next time, such as about the number of zones I can create. Let us go straight to the problem I want you to help me sort out.

I have a problem with P2P traffic in the ISP network I administrate. I have a Fedora Core 4 server, with BIND, Squid and shorewall installed, as my main server. Behind it I have a mail server. I all the time have problems of slow connection when customers use too much P2P applications such as Kazaa, bittorrent ..
I have two satellite connections, one is the main and the second one is a backup. I am currently making a list of all the ports that applications use. As I know it is not really possible to block P2P, I would like to forward all the P2P traffic from my main satellite connection to the backup satellite connection.

This is what I plan to implement to issue it:

On my main server:
  -> Squid
  -> Shorewall
  -> 3 Ethernet Cards
       eth0 IP1 = 81.75.1.x    ->  Main Satellite Connection
       eth1 IP2 = 172.168.2.x  ->  Internal Network
       eth2 IP3 = 82.75.3.x    ->  Backup Satellite

Shorewall Static NAT

  External Address  External Interface  Internal address  All Interfaces  Local
  82.75.3.2         eth2                81.75.1.2         No              Yes

Masquerading

  Interface  Subnet
  Eth0       Eth1

Zone File

  Net   Internet
  Lan   LAN
  P2PZ  P2PZ

Interfaces file

  Eth0  Net
  Eth1  Lan
  Eth2  P2PZ

Firewall Rules

  ACTION  SOURCE  DEST            PROTO  DEST PORT    SOURCE PORT  ORIGINAL DEST
  DNAT    LAN     P2PZ:82.75.3.2  tcp    (P2P ports)  -

Roland Mfondoum
VAKIFLAR ISHANI
C BLOCK KAT1
No 7-8
GIRNE KKTC
MERSIN 10 TURKEY
PHONE: +90-392-815-8905
FAX: +90-392-815-8904
Please, I just would like to know if the script in the firewall file can help transferring all the P2P traffic using the (P2P ports) specified from my LAN to the backup satellite.

thanks

Roland Mfondoum
VAKIFLAR ISHANI
C BLOCK KAT1
No 7-8
GIRNE KKTC
MERSIN 10 TURKEY
PHONE: +90-392-815-8905
FAX: +90-392-815-8904
On Tuesday 21 February 2006 13:46, ngouyamsa roland wrote:
> Hi Tom,
> Thanks so much for your fast answer. I am sorry but as you can see I am
> not a shorewall guru. But I hope you will still accept to help me. I am
> reading the shorewall documentation again and hope I will avoid asking
> stupid questions the next time, such as about the number of zones I can create.
> Let us go straight to the problem I want you to help me sort out.
>

Hopefully some of the folks experienced with Traffic shaping and two network interfaces can help you. I'm not an expert in either of those areas.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ...
> But to answer your original question, there is no architectural limit to the
> number of zones that you can define.

I was waxing lyrical about this on another mailing list just today:

> Paul Gear wrote:
>>> Jason Daw wrote:
>>>>> ...
>>>>> I'm looking at a nice little distro at the moment called endian
>>>>> firewall. www.efw.it
>>>>> well worth a look
>>>
>>> Looks interesting - certainly seems to have a lot of features. Pity
>>> about the whole "green, orange, red, blue" hangover from
>>> Smoothwall... :-)
>
> If it wasn't clear why I think this is a problem, let me explain. The
> Smoothwall zones are:
>   green   trusted
>           (IMO, you can't call any host 'trusted' if it's connected to a network.)
>   orange  DMZ
>   blue    wireless
>   red     Internet
> My network has 13 different zones, and counting. I don't think that's
> overcomplicated, just reflective of the real world, which is more
> complicated than 4 zones.

This is one of the main reasons I love Shorewall. That, and the fact that host/zone mapping is arbitrary.

Paul
ngouyamsa roland wrote:
> Hi Tom,
> Thanks so much for your fast answer. I am sorry but as you can see I
> am not a shorewall guru. But I hope you will still accept to help me.
> I am reading the shorewall documentation again and hope I will avoid
> asking stupid questions the next time, such as about the number of zones I
> can create. Let us go straight to the problem I want you to help me
> sort out.
>
> I have a problem with P2P traffic in the ISP network I administrate.
> I have a Fedora Core 4 server, with BIND, Squid and shorewall installed, as
> my main server. Behind it I have a mail server. I all the time have
> problems of
> slow connection when customers use too much P2P applications such as Kazaa,
> bittorrent ..
> I have two satellite connections, one is the main and the second one is
> a backup.
> I am currently making a list of all the ports that applications use.
> As I know it is not really possible to block P2P, I would like to
> forward all the P2P traffic from my main satellite connection to the
> backup satellite connection.

Blocking (or redirecting or shaping) P2P is pretty well possible, you will have to use the ipp2p module: http://www.ipp2p.org/

Simple blocking (in /etc/shorewall/rules):

  SECTION ESTABLISHED
  #ACTION  SOURCE  DEST  PROTO      DEST PORT(S)
  REJECT   Lan     Net   ipp2p:all  ipp2p

Of course this would be just the easiest and most radical solution. Redirecting the traffic via your backup connection or shaping down the traffic is also possible.

For shaping read:
http://www.shorewall.net/IPP2P.html
and
http://shorewall.net/traffic_shaping.htm

Redirecting the traffic via your backup line *should* be possible, but I have no box to test a MultiISP setup now. If you use the shorewall solution for a MultiISP setup you could detect the P2P traffic with ipp2p and give it a mark according to your mark entry in /etc/shorewall/providers. See the examples in the shaping/ipp2p and MultiISP documentation.

IIRC the real challenge starts if you wanna use shaping and shorewall's MultiISP setup together.
HTH and good luck

Alex

> This is what I plan to implement to issue it:
>
> On my main server:
>   -> Squid
>   -> Shorewall
>   -> 3 Ethernet Cards
>        eth0 IP1 = 81.75.1.x    ->  Main Satellite Connection
>        eth1 IP2 = 172.168.2.x  ->  Internal Network
>        eth2 IP3 = 82.75.3.x    ->  Backup Satellite
>
> Shorewall Static NAT
>
>   External Address  External Interface  Internal address  All Interfaces  Local
>   82.75.3.2         eth2                81.75.1.2         No              Yes
>
> Masquerading
>
>   Interface  Subnet
>   Eth0       Eth1
>
> Zone File
>
>   Net   Internet
>   Lan   LAN
>   P2PZ  P2PZ
>
> Interfaces file
>
>   Eth0  Net
>   Eth1  Lan
>   Eth2  P2PZ
>
> Firewall Rules
>
>   ACTION  SOURCE  DEST            PROTO  DEST PORT    SOURCE PORT  ORIGINAL DEST
>   DNAT    LAN     P2PZ:82.75.3.2  tcp    (P2P ports)  -
>
> Roland Mfondoum
> VAKIFLAR ISHANI
> C BLOCK KAT1
> No 7-8
> GIRNE KKTC
> MERSIN 10 TURKEY
> PHONE: +90-392-815-8905
> FAX: +90-392-815-8904
On Tuesday 21 February 2006 23:22, Alexander Wilms wrote:
>
> Redirecting the traffic via your backup line *should* be possible, but I
> have no box to test a MultiISP setup now.

This won't work using the Shorewall MultiISP features because they assume that a given connection will always be routed out the same interface (with the same address translation). The ipp2p match feature snoops packets to detect P2P traffic -- by the time it determines that the connection is P2P, the routing (and address connection) of the connection is already determined.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 February 2006 07:09, Tom Eastep wrote:
> On Tuesday 21 February 2006 23:22, Alexander Wilms wrote:
> > Redirecting the traffic via your backup line *should* be possible, but I
> > have no box to test a MultiISP setup now.
>
> This won't work using the Shorewall MultiISP features because they assume
> that a given connection will always be routed out the same interface (with
> the same address translation). The ipp2p match feature snoops packets to
> detect P2P traffic -- by the time it determines that the connection is P2P,
> the routing (and address connection) of the connection is already

Should have been "...the routing (and address *translation*) of the connection..."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 February 2006 17:56, Tom Eastep wrote:
> On Wednesday 22 February 2006 07:09, Tom Eastep wrote:
> > On Tuesday 21 February 2006 23:22, Alexander Wilms wrote:
> > > Redirecting the traffic via your backup line *should* be possible, but
> > > I have no box to test a MultiISP setup now.
> >
> > This won't work using the Shorewall MultiISP features because they assume
> > that a given connection will always be routed out the same interface
> > (with the same address translation). The ipp2p match feature snoops
> > packets to detect P2P traffic -- by the time it determines that the
> > connection is P2P, the routing (and address connection) of the connection
> > is already
>
> Should have been "...the routing (and address *translation*) of the
> connection..."

Hi Tom,

thanks for the clarification, it was before my morning coffee and obviously before fully understanding the big picture of routing / netfilter.

Alex