similar to: "ERROR: Invalid action" for FTP

For a same configuration in which the default policy is drop and only one connection is accepted in rules, continuous pinging to devices will stop squarely in 4.0.15 as soon as a very basic firewall is enabled whereas in 4.4.26.1, pinging will still continue after the firewall is enabled. All tests are done with proper reboot of the unit3 where the firewall is applied: unit1 <---> eth4

Greetings, I''m new to Shorewall but not to working with Iptables. Shorewall is the simplest firewall front end I have found thus far. I''m currently trying to build a Cfengine policy to maintain Shorewall configurations. My main problem at them moment is confirming that the running iptables rules match what Shorewall originally built. If I understand Shorewall correctly the

Hi, in shorewall version 3.4.8 used this rule to block access to Facebook through port 443 (https): /shorewall/rules: REJECT loc net:69.171.224.12, 69.171.224.0/19,69.63.176.0/20,66.220.144.0/20 tcp 443 What I did was block the public IP network segment to fitthrough https. Now I use this same rule in version 4.4 and I works already. Has anything changed in this

I am currently using Fedora 16 with the distribution provided shorewall-*-4.4.23.3-6.fc16 packages. shorewall-init seems to be missing a critical file. /lib/systemd/system/shorewall-init.service attempts to call /sbin/shorewall-init, but, /sbin/shorewall-init does not exist. I thought maybe it was a packaging error, so, downloaded the original source, (i.e., shorewall-init-4.4.23.3.tar.bz2), still

Beta 3 is now available for testing. Corrections in this release: 1) Corrections included in Shorewall 4.4.21.1. 2) Several problems reported by Steven Springl. The rest is largely cleanup of the new rule infrastructure. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \

Beta 3 is now available for testing. Corrections in this release: 1) Corrections included in Shorewall 4.4.21.1. 2) Several problems reported by Steven Springl. The rest is largely cleanup of the new rule infrastructure. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \

When I attempt to start shorewall (version 4.0.15) I get an RTNETLINK error (see below). /var/log/shorewall-init.log [...] 21:02:18 Creating Interface Chains... 21:02:19 Adding Providers... RTNETLINK answers: File exists ERROR: Command "ip route add table 1 129.116.XXX.0/24 dev eth2 proto kernel s cope link src 129.116.XXX.30" Failed 21:02:25 Shorewall-generated routing tables and

hi Tom I have use Shorewall version 3.4.8 what it would be for me in this rules? > As I can have more than two MAC addresses to apply a rule > in shorewall, I have the following to block port 443: > > > REJECT loc:~00-11-22-33-44-55 net tcp 443 > > > I try this > > > REJECT loc:~00-11-22-33-44-55,~AA-BB-CC-DD-EE-FF net tcp 443 That

I haven''t debugged this enough to understand what is happening, but I observe the following: someipset = bitmap:ip,mac 1) br0:+someipset 2) br0:+someipset[2] The first 1) doesn''t match anything in rules or tcrules, the second 2) matches fine. (Also using +someipset[1] doesn''t match anything) Is it possible/sensible/feasible to have shorewall figure out the

Hi All! I only ever have complex setups. Customer site has a dedicated leased line from their ISP terminating on a Cisco router. Router is configuered with the first usable address on a /28 network - 196.x.y.73. The linux firewall is configured with the remaining 5 ip''s, 196.x.y.74 to 196.x.y.78 and 79 as the broadcast. Sounds normal but here is the twist. The primary or first ip

Hi, Sorry, not an experienced shorewall user, this is my first basic setup. This starts to drive me crazy. I wanted to use DNAT to forward port 33890 to an internal machine (windows) port 3389. To reach my workstation when I''m not home. In my rules : DNAT:debug net loc:192.168.0.11:3389 tcp 33890 - pub.lic.ip.add #SECTION BLACKLIST #well known port scans DROP net

Okay, so I''m trying to setup my multiple ISP setup that I described earlier. I have: # ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP>

The Shorewall Team is pleased to announce the availability of Shorewall 4.5.0. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) This release includes all defect repair included in 4.4.27.1-4.4.27.3. 2) The start

Dear All, I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on CentOS, after upgrade i can''t start shorewall with this message: "/Shorewall: Address Ranges require the Multiple Match capability in your kernel and iptables/" I try to search on the net about this, but no still no light. Somebody can help me? Great appreciate for any help. Regards,

4.5.4 Beta 3 is now available for testing. I apologize for the back-to-back Betas but I guess it''s better to find these problems during the Beta period rather than later. Problems corrected: 1) This release includes all defect repairs from Shorewall 4.5.3.1. 2) When EXPORTMODULES=No in shorewall.conf, the following errors were issued: /usr/share/shorewall/modules: line 19:

4.5.4 Beta 3 is now available for testing. I apologize for the back-to-back Betas but I guess it''s better to find these problems during the Beta period rather than later. Problems corrected: 1) This release includes all defect repairs from Shorewall 4.5.3.1. 2) When EXPORTMODULES=No in shorewall.conf, the following errors were issued: /usr/share/shorewall/modules: line 19:

I want to test shorewall6 in a scenario with several virtual machines. Each virtual machine has the interface eth0. With IPv4, I would assign an IP-alias to eth0:1 and so would have eth0 and eth0:1 as interfaces for shorewall6. How is this done with IPv6? Viele Grüße Andreas Rittershofer -- ------------------------------------------------------------------------------ Live Security

Hello, I wonder if someone could use the TPROXY with Shorewall and transparent Squid  with using the routing rules on shorewall (tcrules) for hosts / networks (LAN) with multiples providers (WANs) directly from the internal network on port 80 (with TPROXY transparent squid or REDIRECT). On this issue, the routing rules is not work propertly because the source is the

Hi all: I see a lot of the errors below in /var/log/messages on my firewall: Aug 1 00:47:44 munin kernel: [109008.257109] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:48:44 munin kernel: [109068.257384] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:49:44 munin kernel: [109128.257509] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:50:44

Hi I have a default route to 192.168.1.1 as soon as I start shorewall the default route dissapear. What do I need to do to have it not disappear. Kind Regards My network setup /etc/network/interfaces: # The primary network interface auto eth0 iface eth0 inet static address 192.168.1.17 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255