Hi list,

thank you for Shorewall :)

I'm trying to get a simple config to work but i can't seem to work out how to gain access via ssh to the protected remote machine. But that doesn't surprise me really as i have just spent well over an hour to find how to limit the lograte AND fill in the logburst in shorewall.conf.

I have specified a logfile (not messages) in shorewall.conf, but somehow it isn't picked up when i try to debug restart shorewall.

Also i can't get ssh login when shorewall is running, although i have specified in rules:

SSH/ACCEPT loc $FW

with 'loc' in hosts specified as 192.168.0.150/32

If i specify a debug loglevel i see no change. How can i debug shorewall?
What am i missing?

On Fri, Mar 19, 2010 at 08:25:58PM +0100, felis nigripes wrote:
> SSH/ACCEPT loc $FW
>
> with 'loc' in hosts specified as 192.168.0.150/32
>
> If i specify a debug loglevel i see no change. How can i debug shorewall?
> What am i missing?

shorewall-hosts(5) says this:

"This file is used to define zones in terms of subnets and/or individual IP addresses. Most simple setups don't need to (should not) place anything in this file."

I am guessing that your setup is simple, so you should remove that entry from the hosts file, restart Shorewall and try again.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

felis nigripes wrote:
> Hi list,
>
> thank you for Shorewall :)
>
> I'm trying to get a simple config to work but i can't seem to work out
> how to gain access via ssh to the protected remote machine. But that
> doesn't surprise me really as i have just spent well over an hour to
> find how to limit the lograte AND fill in the logburst in shorewall.conf.
>
> I have specified a logfile (not messages) in shorewall.conf, but somehow
> it isn't picked up when i try to debug restart shorewall.
>
> Also i can't get ssh login when shorewall is running, although i have
> specified in rules:
>
> SSH/ACCEPT loc $FW
>
> with 'loc' in hosts specified as 192.168.0.150/32
>
> If i specify a debug loglevel i see no change. How can i debug shorewall?
> What am i missing?

You seem to have missed the introductory documentation that is available for Shorewall:

http://www.shorewall.net/GettingStarted.html

There you will find 'cookbook' HOWTOs for the most popular simple configurations.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hi Roberto,

thank you for your speedy reply!
'k will follow your advice, but still wonder about what i'm doing wrong.
I have a server in a local network, with a gateway. The local network needs more access, f.i. ssh, the Net only web. Simple i agree, i bet it's easy in shorewall too, just have to find out how :)

kind regards

Thanks Tom, Roberto,

apparently i'm way too stupid to get a simple cookbook config to run in a reasonable time.
I spend a lot of time looking for ways to get the config's notation right - commented examples in the config files would probably help me better than a lot of documentation and might be a nice idea for noobs like me -
f.i. in shorewall.conf:

# lograte example: 15/minute, if you use this option also fill in the logburst number
LOGRATE=

Anyway, thank you for the software, pity i can't get it to do what i need it to do

cheers

felis nigripes wrote:
> Thanks Tom, Roberto,
>
> apparently i'm way too stupid to get a simple cookbook config to run in
> a reasonable time.
> I spend a lot of time looking for ways to get the config's notation
> right - commented examples in the config files would probably help me
> better than a lot of documentation and might be a nice idea for noobs
> like me -
> f.i. in shorewall.conf:
>
> # lograte example: 15/minute, if you use this option also fill in the
> logburst number
> LOGRATE=
>
> Anyway, thank you for the software, pity i can't get it to do what i
> need it to do

We had those for years -- we got rid of them when we added man pages so that we wouldn't have to maintain the same information in two places.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Maybe you should try giving away more info first? OS, shorewall version etc.

I have used shorewall in very complex setups (2 or more providers with loadbalancing, failover + 5 or more internal networks + up to 10 OpenVPN tunnels + bridged KVM's on both internal, external interfaces AND their own virtual network) and i have had no trouble in making things just work.

--
Nikolai K. Bochev
System Administrator
Website : GrandstarCO | http://www.grandstarco.com
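
A single-interface layout for the setup described in the thread (ssh from the local network only, web from anywhere) that leaves the hosts file empty, as the first reply suggests. This is an added example, not configuration posted by anyone on the list; the interface name eth0, the single zone `net`, the subnet 192.168.0.0/24 and the log values are assumptions.

```conf
# --- /etc/shorewall/zones ---
#ZONE   TYPE
fw      firewall
net     ipv4

# --- /etc/shorewall/interfaces ---   (eth0 is an assumed interface name)
#ZONE   INTERFACE   BROADCAST
net     eth0        detect

# --- /etc/shorewall/hosts ---
# left empty: every address reached through eth0 belongs to zone 'net'

# --- /etc/shorewall/policy ---
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
#ACTION       SOURCE                DEST
# ssh only from the local subnet (192.168.0.0/24 is an assumed range);
# the restriction is written in the SOURCE column instead of a 'loc' zone
SSH/ACCEPT    net:192.168.0.0/24    $FW
# web (HTTP and HTTPS) from anywhere, the local network included
Web/ACCEPT    net                   $FW

# --- /etc/shorewall/shorewall.conf (excerpt) ---
# LOGRATE and LOGBURST are set as a pair: average rate, then initial burst
LOGRATE=15/minute
LOGBURST=5
# LOGFILE is the file the shorewall command reads netfilter messages from
# (for example "shorewall show log"); where the messages are written is
# decided by the syslog daemon, not by this setting
LOGFILE=/var/log/messages
```

Running `shorewall check` before a restart reports syntax errors in these files without touching the running ruleset.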