Hello,

Is it possible that shorewall can handle time restriction? Example: I want this IP address only to access in internet this period of time (12:01pm - 1:00pm).

Thanks in advance.

-------------------------------------------------------------------------
I have just started setting up a new computer with shorewall. I am setting up the firewall for 2 ISPs and I am running into an error as soon as I create a /etc/shorewall/providers file.

I have had this same error with 2 Shorewall versions and two kernel versions. The shorewall version is currently 3.4.6 and the kernel is 2.6.22-11 generic shipped with Ubuntu Gutsy. I also had this same error under Ubuntu Feisty server (2.6.20).

My providers file gets 'compiled' fine, but later, just after the providers are added, I get the following error:

    Adding Providers...
    Provider ESCH1 (1) Added
    Provider ESCH2 (2) Added
    Default route 'nexthop via a.b.c.d dev eth1 weight 1 nexthop via w.x.y.z dev eth2 weight 1' Added
    iptables: No chain/target/match by that name
    ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF" Failed

Is this error due to a missing module? Or am I missing something else?

If I remove the providers file, everything starts properly.

Regards,
John

-------------------------------------------------------------------------
J M wrote:
> I have just started setting up a new computer with shorewall. I am
> setting up the firewall for 2 ISPs and I am running into an error as
> soon as I create a /etc/shorewall/providers file.
>
> I have had this same error with 2 Shorewall versions and two kernel
> versions. The shorewall version is currently 3.4.6

Be sure you install the multi-ISP fix -- see the Shorewall home page.

> and the kernel is
> 2.6.22-11 generic shipped with ubuntu gutsy. I also had this same error
> under Ubuntu Feisty server (2.6.20).
>
> My providers file gets 'compiled' fine, but later, just after the
> providers are added, I get the following error:
>
> Adding Providers...
> Provider ESCH1 (1) Added
> Provider ESCH2 (2) Added
> Default route 'nexthop via a.b.c.d dev eth1 weight 1 nexthop via w.x.y.z
> dev eth2 weight 1' Added
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
> --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF" Failed
>
> Is this error due to a missing module? Or am I missing something else?

You are missing CONNMARK support.

>
> If I remove the providers file, everything starts properly.

Ubuntu takes their cue from Debian and doesn't include CONNMARK support in their kernels. Yet they include connmark match support! Go figure...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
Tom,

Thanks for the quick reply. I have applied the multiISP patch, now do I need to download the kernel source and configure it for CONNMARK support?

Regards,
John

----- Original Message ----
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, September 19, 2007 1:29:18 PM
Subject: Re: [Shorewall-users] chain/rule problem with Shorewall

J M wrote:
> I have just started setting up a new computer with shorewall. I am
> setting up the firewall for 2 ISPs and I am running into an error as
> soon as I create a /etc/shorewall/providers file.
>
> I have had this same error with 2 Shorewall versions and two kernel
> versions. The shorewall version is currently 3.4.6

Be sure you install the multi-ISP fix -- see the Shorewall home page.

> and the kernel is
> 2.6.22-11 generic shipped with ubuntu gutsy. I also had this same error
> under Ubuntu Feisty server (2.6.20).
>
> My providers file gets 'compiled' fine, but later, just after the
> providers are added, I get the following error:
>
> Adding Providers...
> Provider ESCH1 (1) Added
> Provider ESCH2 (2) Added
> Default route 'nexthop via a.b.c.d dev eth1 weight 1 nexthop via w.x.y.z
> dev eth2 weight 1' Added
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
> --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF" Failed
>
> Is this error due to a missing module? Or am I missing something else?

You are missing CONNMARK support.

>
> If I remove the providers file, everything starts properly.

Ubuntu takes their cue from Debian and doesn't include CONNMARK support in their kernels. Yet they include connmark match support! Go figure...

-Tom

-------------------------------------------------------------------------
J M wrote:
> Tom,
>
> Thanks for the quick reply. I have applied the multiISP patch, now do
> I need to download the kernel source and configure it for CONNMARK support?

Yes -- provided that you wish to use the 'track' provider option.

-Tom

-------------------------------------------------------------------------
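The failing rule in this thread uses both the connmark match (-m connmark) and the CONNMARK target (-j CONNMARK), and the replies say the kernel ships the match but not the target. The script below is an added example, not part of the original messages or of Shorewall; it reads a kernel config file and reports each half separately. It assumes the 2.6 xtables symbol names CONFIG_NETFILTER_XT_MATCH_CONNMARK and CONFIG_NETFILTER_XT_TARGET_CONNMARK and a config file such as /boot/config-$(uname -r); the sample config inside it is constructed, not taken from a real Ubuntu kernel.

```shell
#!/bin/sh
# Added example: check the two kernel options behind the failing rule
#   -m connmark  -> CONFIG_NETFILTER_XT_MATCH_CONNMARK   (match)
#   -j CONNMARK  -> CONFIG_NETFILTER_XT_TARGET_CONNMARK  (target)
# Symbol names are the 2.6 xtables names (assumption stated in the lead-in).

# Print y, m, or "missing" for one symbol in a kernel config file.
# $1 = config file, $2 = symbol name
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-missing}"
}

# Print "match=<state> target=<state>" for the given config file.
# Exit status is 0 only when both match and target are built (y or m).
connmark_support() {
    cfg=$1
    match=$(kconfig_state "$cfg" CONFIG_NETFILTER_XT_MATCH_CONNMARK)
    target=$(kconfig_state "$cfg" CONFIG_NETFILTER_XT_TARGET_CONNMARK)
    echo "match=$match target=$target"
    [ "$match" != missing ] && [ "$target" != missing ]
}

# Constructed sample reproducing the situation described in the thread:
# the match is built as a module, the target is not set.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
EOF
}

# Stand-alone use: pass a config file path as the first argument,
# for example /boot/config-$(uname -r).
if [ -n "${1:-}" ]; then
    connmark_support "$1" ||
        echo "CONNMARK support incomplete: rules using -j CONNMARK will fail" >&2
fi
```

A result of "match=m target=missing" corresponds to the "No chain/target/match by that name" error quoted above: the -m connmark half of the rule loads, the -j CONNMARK half does not.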
Allan Parreno wrote:
> Hello,
>
> Is it possible that shorewall can handle time restriction? example I want
> this ip address only to access in internet this period of time (12:01pm -
> 1:00pm)

Please check the list archives; this subject comes up regularly. The last time was 7/11/2007 under the subject "Restricting access by time of day in Shorewall?".

-Tom