similar to: Fwd: [PATCH] Another iptables-save buglet

I''ve also placed the patch in: http://shorewall.net/pub/shorewall/contrib/ipset/ ftp://shorewall.net/pub/shorewall/contrib/ipset/ -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iptables=save is producing bad output for rules involving policy match. I''ve checked in a version of /sbin/shorewall to the Shorewall2/ CVS project that compensates for this bug. - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP

The version of Shorewall currently in CVS (Shorewall2/ project) has been integrated with iptables-save/iptables-restore. This provides the means to start and restart shorewall very quickly (mine restarts in under a second) in the case where you are not changing your configuration. The release notes are attached. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool

FYI... ---------- Forwarded Message ---------- Subject: RE: [Shorewall-users] 2.6 kernel ipsec and shorewall Date: Thursday 23 September 2004 07:44 From: "Jonathan Schneider" <jon@clearconcepts.ca> To: "''Tom Eastep''" <teastep@shorewall.net> I must have been up too late working on this, looking at it the next day I noticed I completely forgot

Unpatched 2.6.10 kernels are apparently broken WRT TCP connection tracking. Established connections that are ended with an RST are not removed from the conntrack table. See: http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017956.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \

The Shorewall2/ project in CVS contains my initial attempt to establish correct routing for traffic forwarded from two different ISPs to internal servers. >From the release notes: Shorewall 2.3.2 includes support for multiple Internet interfaces to different ISPs. This feature is enabled by setting the "default" option for each Internet interface in

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

Hi I have 2nic firewall . I had to open some ranges of udp and tcp ports . I faced a problem that although all the ports are open Some functionality was not working . Any body used shorewall with H323 Voip traffic DNATed . Any help is appretiated . Thanks ----- Original Message ----- From: <shorewall-users-request@lists.shorewall.net> To: <shorewall-users@lists.shorewall.net> Sent:

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

The current thread on the User''s List entitled "Multi-ISP in 2.4.0" includes the following tcrules file: ############################################################################ ## #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) 201:P eth2 ppp1

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I''ve built a 1.2.9 iptables RPM that corrects the two iptables-save problems that I know about. It is available at: http://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm ftp://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm I''m using this on SuSe 9.1 -- for other distros, YYMV... This RPM works

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I pointed out to Wilson in a private message, this appears to show that no other connection requests (other than port 3000) are being sent from the client to the server (or at least no other connection requests are being received by the Shorewall box). Wilson: Are you sure that the client is supposed to open port 3001 on the server and not the

^%$# List Server removed the attachment. Please download from http://shorewall.net/pub/shorewall/Website/index.htm or ftp://shorewall.net/pub/shorewall/Website/index.htm. Thanks, -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

Thanks for such a quick reply Tom! Any suggestions then as to what I might do other than putting a second nic in the SBS and opening it up for web access? I don''t like the idea, but since MS SBS includes fireall that is actually what MS suggests. Boyd -----Original Message----- From: Tom Eastep [mailto:teastep@shorewall.net] Sent: January 3, 2005 3:05 PM To: Shorewall Users Cc: Boyd

This will be the final 2.3 release. It makes available multiple-ISP support. There is one external change to the version that has been in CVS for the last couple of days -- the ''default'' provider option has been named ''balance'' to better describe what the option does (load balancing). Please see http://shorewall.net/Shorewall_and_Routing.html for more

Hi Tom, Many thanks for that, that''s really helped. Netfilter is indeed dropping the packets as invalid. Thanks and regards, Frances -----Original Message----- From: Tom Eastep [mailto:teastep@shorewall.net] Sent: 23 March 2007 18:05 To: Shorewall Users Subject: Re: [Shorewall-users] Expected handling of [SYN] when expecting[SYN, ACK]? Frances Flood wrote: > Basically, if the

In policy $FW Net ACCEPT Dump.rar join THX -----Message d''origine----- De : shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] De la part de Tom Eastep Envoyé : jeudi 12 octobre 2006 21:22 À : Shorewall Users Objet : Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard... Joffrey FLEURICE wrote: > > >

>-----Original Message----- >From: Ama Kalu [mailto:ama.kalu@cwlgroup.net] >Sent: Wednesday, November 19, 2003 9:07 PM >To: ''Tom Eastep'' >Subject: RE: [Shorewall-users] logwatch > >Thanks Tom and Andrew, > >About 2 months ago, I setup the most current (at the time) version of >logwatch, it required a service filter for IPTABLES which I did not have

Plus I would like to let you know that it works like a charm. Snort can now see those packets. -----Original Message----- From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Thibodeau, Jamie L. Sent: Wednesday, March 30, 2005 9:25 AM To: Mailing List for Shorewall Users Subject: RE: [Shorewall-users] Shorewall and an inline