Displaying 20 results from an estimated 10000 matches similar to: "Dynamic Zones and IPSET (with a DNAT for good measure!)"
2012 Sep 30
12
shorewall dynamic zones confusion
Hi,
I''ve been successfully using shorewall in our K12 school since the 2.x
days initially on Mandrake and now on Debian. Because of that my config
has got quite complicated. The firewall has a working MultiISP setup
with four interfaces (I''ve renamed them with udev to easy their
identification): lan-if, dmz-if, snt-if and dnt-if (one of the providers
(the one on dnt-if) is a DSL
2011 Sep 17
4
Shorewall DNAT to IPSET
I would like to dnat certain protocols (HTTP, HTTPS, SSH) to the
contents of an ipset (lan:+serviceshost or similar) where the ipset is
ensured to contain only one host, but can be changed dynamically when
services are in maintenance mode and go to the "services are down"
message on another server. Will this work, or am I barking up a fish here?
2004 Oct 09
2
odd problem with proxyarp and DNAT
I have some hosts in a DMZ zone with proxyarp. In my local zone I have a host to which I DNAT.
I have discovered that I can reach the host in the local zone by attempting to connect to the fw (As expected) or ANY proxyarped host in my dmz zone (as not expected). Is this normal ?
(I''ve just discovered that actually the dnated host answers to requests sent to any IP routed to my host!)
2005 Jun 06
23
Multi-ISP in 2.4.0
Hello Shorewall list,
I''m a happy Shorewall user since a few years now and everything works fine
for me except one thing that I try to implement since a week, the multi-isp.
I''ve downloaded the 2.4.0 Stable release yesterday and tried the RC2 since a
week.
My config is a Debian running a kernel 2.4.27 home made with the
CONNMARK.diff patch applied
I''m using 2 ISP,
2007 Oct 18
4
exporting service on multiple wan
Hi all,
I''ve a routing problem. I''m setting up a router based on debian (kernel
2.4).
I need to setup routing to export an ftp service (ftp server is in dmz)
to 2 wan (both).
I setup prerouting ad forward rule with no problem.
The problem is that reply packet use default gateway (default wan) even
though they are enter using the other wan.
I solved it marking packets in input
2005 Nov 25
1
2 WAN links and DNAT
Hi
Here is a short description of my network:
ppp0 (adsl) ppp1 (adsl)
| |
| |
---------------------
| Router |
| Firewall |
| MASQUERAD |
| DNAT |
| |
| eth0 |
---------------------
|
|
|
----------------------
|
2006 May 29
4
IpSec support with kernel 2.6.16.18
Hi all,
I''m currently using ipsec with Shorewall 3.0.7 on a patched 2.6.10
kernel. Having heard that ipsec support was in the standard kernel
starting from 2.6.16, I tried to upgrade to the last kernel.
My problem is that shorewall won''t start anymore.
I get this output in /var/log/shorewall-init.log:
Starting Shorewall...
Initializing...
Shorewall has detected the
2004 Sep 10
1
Is ProxyARP or NAT entries really neccesary for DNAT to work?
I have been trying to get DNAT to work and I actually have succeeded
too, however, not how I thought it would work when reading through the
documentation.
1. No matter what I do I cannot get DNAT to work unless I have an entry
in eiter the nat or the proxyarp file. Is that really how it''s supposed
to be? I can''t find anything about it in the documentation.
2. Also, in the
2011 Apr 15
1
Proxyarp vs DNAT
Hello list,
I am in the process of switching from IPCOP to Shorewall s the firewall
for our small office. I very much like the fact that Shorewall runs on
top of the same OS (openSuSE 11.4) that I run on the server and my desktop.
Our setup is fairly straightforward. We have 8 static ip addresses from
our ISP, which provides a cable modem and a Cisco 800 series router.
The ip addresses are
2007 Mar 02
8
DNAT and Load Balancing
Hi all!
After that good thread "DGD patch not detecting dead gateway" I was
able to set up a Load Balancing with ping based DGD (without Julian
Anastasov patch). But now I''m facing a new problem and tried some
options, with only partial solutions.
I made a script based on
http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
you Manish Kathuria),
2015 Feb 17
3
Using "ipset" under CentOS7
ipset on CentOS6 comes with /etc/rc.d/init.d/ipset so that "service
ipset reload" can be used to (re)load the configuration. CentOS7
doesn't come with an equivalent for systemd:
# systemctl reload ipset.service
Failed to issue method call: Unit ipset.service failed to load: No
such file or directory.
# systemctl start ipset.service
Failed to issue method call: Unit ipset.service
2007 Sep 25
1
DNAT PREROUTING issue with iptables
Hi,
I have an DNAT ISSUE with PREROUTING.
This is my setup.
I have 2 firewalls running iptables.
Pls asume 1.2.3.4/29 is the internet interace of FIRST firewall.
2.3.4.5/29 is the internet interface of SECOND firewall. it has DMZ zone. in
that DMZ zone, mail server runnig @ 192.168.100.3
Now I want to DNAT port 25 of FISRT firewall (i.e - its ip address -
1.2.3.4/29) to the internet ip
2013 Dec 17
1
shorewall add fails with IPSET=
Hi all
I have a CentOS6 box with shorewall-4.5.21.
If I have IPSET= in shorewall.conf and I issue the command "shorewall add
ppp:192.168.33.3 ptp", I get the error:
/usr/share/shorewall/lib.cli: line 585: [: too many arguments
ERROR: Zone ptp, interface ppp does not have a dynamic host list
The error is corrected setting the actual path to ipset in shorewall.conf,
or via the patch:
2003 Jan 30
4
ACCEPT vs DNAT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
Can someone refresh my memory on the difference between the following
(where dmz contains an RFC 1918 address host)?
ACCEPT net dmz tcp 80 - all
DNAT net dmz tcp 80
I''m trying to generate a script for maintaining multiple interconnected
firewalls from shared policy, rules, and zone files, and i
2008 Oct 01
2
DNAT Issue
Hi.
Im setting up a web farm test lab. I have a number of machines in the
test last on a dmz zone on network 10.20.30.0.
The test lab firewall has two NICS. One (eth0) has two ip addresses,
eth0 10.161.101.40 and eth0:0 10.161.10.49. The other one, eth1 is
on a private network, 10.20.30.0.
I want to use DNAT to allow test engineers to ssh into the machines in
the web farm. I have
2010 Mar 11
2
[Bug 640] New: ipset-4.2 : ipset -T <some_setlist> <address> always negative
http://bugzilla.netfilter.org/show_bug.cgi?id=640
Summary: ipset-4.2 : ipset -T <some_setlist> <address> always
negative
Product: ipset
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: default
AssignedTo:
2004 Oct 11
1
DNAT e.g. port 80 to different hosts
Hi,
just cracking my head how to solve this:
Firewall has more than one public IP Address and NET/LOC/DMZ configured.
Requests on public 1.1.1.2:80 should go to dmz:192.168.0.1:80
Requests on public 1.1.1.3:80 should go to dmz:192.168.0.2:80
How can I manage that with DNAT?
I tried it with the original destination, but keep getting "REFUSED"
always for one connection.
Thx
Andy
2005 Apr 03
6
v1.2/DNAT
Some probably wish v1.2.12-2 out of Debian Woody would just go away, but it''s
what I''m using and really don''t wish to upgrade at this time (but will
eventually). My needs are rather simple and I''m sure it can handle the job.
I''ve read and re-read the FAQs and searched extensively for docs on what my
problem might be, but just cannot put my finger
2023 Dec 05
3
[Bug 1726] New: invalid json generated by ipset list -output json
https://bugzilla.netfilter.org/show_bug.cgi?id=1726
Bug ID: 1726
Summary: invalid json generated by ipset list -output json
Product: ipset
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: trivial
Priority: P5
Component: default
Assignee:
2014 Dec 08
2
ipset not actually blocking
i created an ipset and added 8.8.8.8 to it and used the same iptables
working all summer long but
?i can still ping 8.8.8.8 and do nslookup queries against it. ipset or
iptables is broken.
Anybody else rebooted since ipset-6.11-3.el6.i686 was installed and
actually tested that IP addresses that are supposed to be blacklisted are
actually blocked?
?
Filed CentOS bug report 7977