Displaying 20 results from an estimated 20000 matches similar to: "multiple providers and tcrules without highmarks"
2007 May 25
49
Problem with ssh limit and scp stalling
Hi,
I have a very simple server setup, using shorewall as my firewall. I
have a line like this at the top of my rules file to allow ssh
connections, but limited to 3 connection per minute with a burst rate
of 3:
SSH/ACCEPT net $FW - - -
- 3/min:3 -
Now when I have that in place, and from a remote machine run scp
server:/some/file ., I find
2007 Jun 05
9
PPTP port forwarding question
Hello,
Please see the following picture:
http://www.wilson-kwok.com/pptp.jpg
I used one to one NAT from 210.0.0.1 to 192.168.0.2 for web server,
and then use port forwarding from 210.0.0.1 to 192.168.0.3 for pptp server,
but I cannot connect from my home to pptp server.
Here is the nat file:
210.0.0.1 eth0:2 192.168.0.2
Here is the rules
2007 Jun 09
20
Shorewall 4.0.0 Beta 4
I''ve uploaded Beta 4. It corrects a bad bug involving exclusion in the
hosts file. In addition, it contains the first release of a new
Bridge/firewall implementation that uses the reduced-function physdev
match found in kernel 3.6.20 and 3.6.21.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \
2007 Jun 09
20
Shorewall 4.0.0 Beta 4
I''ve uploaded Beta 4. It corrects a bad bug involving exclusion in the
hosts file. In addition, it contains the first release of a new
Bridge/firewall implementation that uses the reduced-function physdev
match found in kernel 3.6.20 and 3.6.21.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \
2007 Jun 18
3
ip_tables: policy match: invalid size 308 != 116
when i start or restart syslog-ng, i''ve above message.
Can this be a shorewall or iptables synchro ?
mess-mate
--
April 1
This is the day upon which we are reminded of what we are on the other three
hundred and sixty-four.
-- Mark Twain, "Pudd''nhead Wilson''s Calendar"
2007 Jun 27
3
Adding custom iptables rules to shorewall
Hi,
I''m trying to add following iptables rules to shorewall:
iptables -I INPUT -d 192.168.1.1
iptables -I OUTPUT -s 192.168.1.1
What should I put in my custom action or any ware else?
I need these rules for munin accounting.
iptables -L INPUT -v -n -x
Chain INPUT (policy DROP 5 packets, 260 bytes)
pkts bytes target prot opt in out source
destination
7175
2007 May 22
5
Shorewall and Xen with network-dummy
Hello *,
I''m trying to setup Shorewall under Ubuntu 7.04 and Xen configured to
use network-dummy instead of network-bridge (network-bridge seems to be
buggy at the moment under Debian/Ubuntu).
Is there a shorewall config example I can use in combination with
network-dummy?
In particular, with network-dummy there is no peth interface and the
bridge include the real eth interface.
I
2007 Jul 06
8
interop with strongswan / ipsec
I see support in shorewall for the KAME-tools, how about strongswan ?
I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my
vpn-gateway for the subnet behind it.
# Shorewall version 3.4 - Zones File
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
fil ipsec mode=tunnel mss=1400
net ipv4
2007 Jun 15
2
Using Proxy ARP inside Xen DomUs
Hello list
I''m considering moving shorewall to a xen domu and the using the Proxy ARP
method (we use NAT today).
Is it possible to have a Proxy ARP firewall inside a domu serving requests
to other domus with public IP-addresses placed on separate hardware (not the
hardware the domu with the firewall is on) ?
I figure that there''s a problem since it''s different bridges
2007 Jul 11
3
Restricting access by time of day in Shorewall?
I''m currently using Shorewall 3.4.1 to manage a firewall for my LAN at
home. It works very well, and I''m definitely pleased, but . . . .
I now have a situation where I need to enforce access restrictions on
a specific computer during specific times of day -- e.g., a particular
computer might have no Internet access at all between 10 PM and 6 AM.
Is there any way to do such a
2007 May 16
1
www.shorewall.net/ftp.shorewall.net is down
The administrator of the main web/ftp site has informed me that the site
is currently down. Until service is restored, you can use:
http://www1.shorewall.net
ftp://ftp1.shorewall.net
Sorry for the inconvenience.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \
2007 Jul 05
2
Re: [strongSwan] Interop problem Linksys WRV200 with Strongswan 4.1.3 / PSK
Hi Andreas,
I don''t know if the WRV200 is running freeswan or openswan.
We use the newest US-version of the linksys firmware 1.0.32.2 from 2.5.2007.
Another problem is in accessing the vpn-Gateway itself with ssh for
instance,
I get a freezing windows, whenever I tranfer more than just a few bytes.
I can type my login-name and my password, then get a prompt ...
but if I call,
2007 Jun 14
1
Conntrackd and shorewall
Hi,
I´m trying use conntrackd, shorewall and keepalived.
Conntrackd (now know as conntrack-tools) is working ok, keepalived
too, but i don´t know how to put some iptables rules in shorewall.
eth0 is the local area (192.168.0.0/24)
eth1 is the net area (192.168.1.0/24)
[1] iptables -P FORWARD DROP
[2] iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -
j ACCEPT
[3] iptables -A
2011 Mar 28
2
ERROR: Invalid Mark Value (1) with HIGH_ROUTE_MARKS=Yes
Hello,
When i restart the firewall when i put the HIGH_ROUTE_MARKS=Yes i can''t restart it, i receive the following message in the logs:
18:17:35 Compiling /etc/shorewall/providers ... ERROR: Invalid Mark Value (1) with HIGH_ROUTE_MARKS=Yes : /etc/shorewall/providers (line 13)
My files have:
tcrules: empty
Providers:New 1 1 main eth0 192.168.1.1
2007 Jun 29
1
ipp2p traffic not rejected
Hi,
I''m using following rule in /etc/shorewall/rules
REJECT:ULOG:P2P loc net ipp2p:all ipp2p
iptables -L :
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ULOG all -- anywhere anywhere ipp2p
v0.8.2--ipp2p ULOG
2007 Jul 09
1
Ipsec in Shorewall 4.0.0-RC1
Hi Tom, hi list.
I have an issue in in RC1. The Setup works flawlessly with 3.x and with the
shelll compiler of RC1, but with the same setup and the perl compiler my
IPSEC traffic gets dropped in net2all chain. Attached is a dump, compiled
with perl, including some dropped traffic, e.g. SRC=192.168.66.10
DST=192.168.1.2
Did I overlook something in migration process?
Alex
2007 May 22
1
Two questions about REDIRECT and iptables chain errors
Hi all, I''ve shorewall 3.2.6-2, kernel 2.4.27, iptables 1.3.6.0debian1-5
on a debian sarge machine.
>From yesterday shorewall can''t start anymore and in the
shorewall-init.log I''ve this:
ERROR: Rule "REDIRECT lan 8081 tcp 80 " requires NAT which is
disabled
/sbin/shorewall: line 527: 17071 Terminated
$SHOREWALL_SHELL ${SHAREDIR}/compiler
2007 Jul 11
1
IPSec Problem / hanging session
Hello Tom,
now here''s my dump file as .zip attachment, but named .txt, because the
list-server rejected the .zip,
then my second try (uncompressed) was rejected because of the size.
What I was doing is connecting from remote side of an ipsec tunnel
(behind gw 212.168.178.226), from
a windows machine with 192.168.246.20 to the firewall-system (remote ip
217.19.188.182 / internal ip
is
2007 Jun 13
1
[Fwd: Bug#428647: mss problem.]
Please see enclosed - from the Debian BTS.
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
2009 May 29
5
CONNMARK target and connmark match support in Ubuntu kernel
Hi,
as per the shorewall MultiISP documentation ( http://www1.shorewall.net/MultiISP.html
), it says
"Use of this feature requires that your kernel and iptables include
CONNMARK target and connmark match support (Warning: Standard Debian™
and Ubuntu™ kernels are lacking that support!)."
it means MultiISP wont work properly if i am using Ubuntu server. if
yes whats the