similar to: Shorewall 4.5.15 Beta 1

Hello, Is it possible to split a port direction so it goes to one server or another? For example, I want abc.com to be routed to server X and def.com to go to server Y. Is it also possible to have e-mail addresses going to one server or another in the same concept so joe@abc.com will to server E and jane@abc.com goes to server F? If any of this is possible, what is the name of the

i''m running SW v4.5.14 i''ve created a basic /rules set, referencing a single action: cat /etc/shorewall/rules ############################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS

I''m attaching a few changes that are specific to Arch Linux and are motivated by our recent switch to systemd. System V init scripts are no longer used/supported on Arch Linux and, therefore, the Arch Linux init scripts can be removed from Shorewall. The two patches that follow are based against master; if it''s possible to apply them to the upcoming Shorewall 4.5.13 as well,

Hi, I''ve been successfully using shorewall in our K12 school since the 2.x days initially on Mandrake and now on Debian. Because of that my config has got quite complicated. The firewall has a working MultiISP setup with four interfaces (I''ve renamed them with udev to easy their identification): lan-if, dmz-if, snt-if and dnt-if (one of the providers (the one on dnt-if) is a DSL

I''m experiencing a problem with masquerade downloads saturating my internet connection. I''ve implemented an IFB and now am looking into flow keys. Although I''ve read the documentation, I''m not sure I have this right. Can someone help? /etc/shorewall/params: MID_IF=eth0 MID_IF_TC=1 INET1_IF=eth1 INET1_IF_TC=2 INET1_IFB_IF=ifb0 INET1_IFB_TC=3 Note: MID_IF

Hi, Is it possible to get Shorewall to reload the static blacklist file without resetting the packet and byte counters? I am following the guide at http://mudy.wordpress.com/2009/02/21/shorewall-blacklist-spamhaus-dshield/ to periodically generate a blacklist, but "shorewall -qq refresh -n blacklst" resets all my accounting. Is there a way to do this without resetting the counters? I

Hi, I am trying to do the simplest configuration of traffic shaping. So I did: shorewall.conf TC_ENABLED=Simple tcinterfaces eth0.2 External 500kbit tcdevices eth0.2 500kbit 200kbit And I am testing the speed on that interface - whether I did it ok or not, and my speed is still 4mbit/512kbit. So the question is - How to reduce the speed on interface connected

Hi, I need some special masq rules to allow internal servers to resolve public IP''s which are loadbalanced by LVS - the rule are: iptables -t nat -A POSTROUTING -m ipvs --vaddr <LVS PUBLIC IP>/32 --vport 80 -j SNAT --to-source <LVS INTERNAL IP> Also I need to enable: echo 1 > /proc/sys/net/ipv4/vs/conntrack Currently I do all this from /etc/shorewall/started - but is

Hi, I use shorewall-4.5.4 + lsm-0.143 and it does not seem to work as expected... When all providers are up, everything seems fine. When one goes down, lsm says "link <provider> down event"... and it seems ok but we then experience some problems such as a few unreachable sites, DNS problems... If I remove the downed provider from all confs and restart, everything works again.

Hi, I was reading document http://shorewall.net/MultiISP.html#idp3634200. Inspired by the document I was trying to establish the following changes: * one additional interface: COMA_IF * COM[A,B,C]_IF interfaces request IP address via DHCP * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default * non-RFC 1918

Hi all. There is an interesting project that was called opendpi (originally by ipoque GmbH) and recently been forked and maintained by the ntop guys under the nDPI label. It offers a new and currently maintained layer 7 (L7) packet identification library. It could definitely benefit from more eyes and development effort, but at present it gives much better breakdown of traffic for ntop

> > If rpm is configured for _that_ location of log files, I would remove the > repository this rpm comes from from configuration and will remember to > never-never ever use that repository for anything. > > Just my $0.02 > Yeah I completely get where you're coming from there. However it's not an RPM from a repo. I downloaded the rpm from the appdynamics site itself.

Tom In Shorewall6 4.4.27 the following proxyndp entry: 2001:4d48:ad51:24::f3 eth2 eth0 no no does not add the required route. The code produced in /var/lib/shorewall6/.restart is: qt $IP -6 route del 2001:4d48:ad51:24::f3/128 dev eth2 run_ip route add 2001:4d48:ad51:24::f3/128 dev eth2 Splitting the line into 2 separate lines: qt $IP -6 route del 2001:4d48:ad51:24::f3/128 dev eth2

Hi, I have a multi-isp configuration both on ppp interfaces. As one of them is 32Mbit/s and the other is 8Mbit/s , I have a weight setting of 4 to 1 as in the following providers file entries: vdsl 1 0x10000 - ppp1 - track,balance=4 adsl 2 0x20000 - ppp0 - track,balance=1 I would also like to have fallback between them so that if one is

Hi, I'm trying to manage LXC instances through OpenStack, which use libvirt as a virtualization driver layer. After launching LXC instance, I simply could not attach to the console. virsh # list Id Name State ---------------------------------- 14366 instance-00000078 running virsh # console 14366 Connected to domain instance-00000078 Escape character is ^] And it keeps

Hey guys, I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with it's controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems. [root at web1:~] #getenforce Permissive May 10 20:47:56 web1 python[25735]:

Hi Tom, Thanks for the feedback about my Shorewall evaluation I''ve published a blog today covering general things I''ve observed about the way to combine Shorewall with strongSwan: http://danielpocock.com/practical-linux-vpns-with-strongswan-shorewall-and-openwrt Please let me know if anything is inaccurate or if there is anything substantial that I missed and I''ll

> > That's a rather odd (personally, I think bad) place for a log (or > even logfile lock) and I'm not at all surprised that selinux is > keeping your application from writing there. I would check to see if > there is a setup/configuration option for your application to put > the log files and related in a more standard location (/var/log, > /var/run), where it is less

I did not subscribe to the list. I''ve been using shorewall for some time and I appreciate it very much. I think it would be useful to have an option to generate a script of the commands Shorewall is about to issue, instead of issuing the commands directly. This script could then be used for revision, modification, and could also be used on another system. I thought about modifying

Hi all, I''m tring to convert some manually written iptables rules into a shorewall configuration but I''m facing some issue with mode statistic. In our outgoing smtp we balance the source IP address of outgoing connections originating from the firewall between 4 alias configured on eth0 interface: eth0 inet addr:xxx.xxx.xxx.18 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0 eth0:1