similar to: Problems with dynamic zones

We have a Shorewall installation which has a cron job that dynamically adds and deletes subnets to/from a zone during the day. We want to be able to list which subnets are currently in the zone at any one time. Initially we were parsing the output of "shorewall status", which works but can be very slow. Looking at the output of "shorewall status", it seems that the subnets we

Hi everyone! First of all: Big thanks to Tom for this great work!! Now on to my qestion: I am using Shorewall among other machines on an new server where we need some kind of accounting. The script we would like to use for this is iam (http://intevation.de/iam/). The docs say: Alternatively you can use your own iptables script and only add the ''dump'' option, which should

If I''m using eth1 as my lan zone on my router box, it needs a static ip... what do I set the gateway option to in /etc/network/interfaces since this computer is actually the gateway for the rest of the lan? Itself? My "net" NIC''s address? Something else? My lan isn''t getting internet access using the default Shorewall config file (edited per

Hi all, I have seen Shorewall places the state verification rules (-m state --state ESTABLISHED,RELATED) as the first rule in a zone2zone chain. This means that state checking is done after all the rules involving from this zone to this zone. As you could have a lot of them, wont be better to place them just after checking the state is not invalid? This will mean a lot of packages will be

Hi everyone. I am so baffled by the following problem: Office 1 is using ADSL and it is building a VPN tunnel with IPSEC to Office 2. Both ends are using shorewall/freeswan firewalls. Diagram: Office1 fw --- VPN TUNNEL --- Office2 fw --- cisco router ----- VLANS | DMZ Office 1 has the following interfaces: 2: eth0:

Hello all, I''ve read the shorewall guides and browsed through the mailing lists, but I haven''t been able to find out if the following is possible or not using shorewall. Our provider has given us 16 IPs + 4 in a separate range for our uplink. I would like to replace that router with a Linux box running shorewall with three interfaces. I want the DMZ to be a standard, routed

Hi, it seems not to be possible to add more than one host at once to a zone. So shorewall add br0:eth0:192.168.2.10,eth0:192.168.2.11 work fails, since "br0:eth0:192.168.2.10,eth0" is interpreted as one interface. --snip -- iptables v1.2.9: interface name `eth0:192.168.2.10,eth0'' must be shorter than IFNAMSIZ (15) Try `iptables -h'' or ''iptables

Hi, I was reading document http://shorewall.net/MultiISP.html#idp3634200. Inspired by the document I was trying to establish the following changes: * one additional interface: COMA_IF * COM[A,B,C]_IF interfaces request IP address via DHCP * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default * non-RFC 1918

Hi All, I created a couple of virtual networks (forward mode=nat) in my rhel6-kvm box. I've come across 2 weird issues. 1. My Iptables rule chainset contains repeated rules. The same rule gets repeated block by block 2. For connecting to guest using SSH, I created a custom IPTables chain. I want this chain to be on top of the FORWARD chain, but everytime the libvirtd is restarted the rule

Hi, My asterisk's version is 1.6.0.26. I've couple sip providers and I've for new SIP provider I need define outbound proxy. Everything is ok in peer section (outboundproxy=192.0.2.1). But what about SIP REGISTER messages? I need send SIP register messages also via outbound proxy. How to write SIP OUTBOUND call register statement and send this to proxy? If I define in general

Hi all, I have found problems in p2p traffic detection. The ipp2p module works fine but in shorewall the rules written for this protocols never match because the initials p2p connection (login) match in ''-m state --state RELATED,ESTABLISHED -j ACCEPT'' rule before ''-m ipp2p --ipp2p -j DROP'' rule, so netfilter never filter p2p traffic. I have had to run

Digging more, loadfile("192.0.2.1::pxe.0", &file.data, &file.size), queries DNS, which sounds like it doesn't follow the same call path as a COM32 calling pxe_dns(). If the DNS won't resolve the IP, things won't load properly. pxechn.c32 sets sname in the intended packet to "192.0.2.1" which may be confusing something. More debugging needed. -- -Gene

Mandi! Rowland Penny via samba In chel di` si favelave... > How is the 'old' server now set up ? > Is it now an AD DC domain member ? No, it remain in the old state, simply we have a tool that keep in sync passwords, so access works to the old server because users and password matches. > It sounds like the machines are still looking for the old PDC. How do > the win7

A system whose network routing table looks like this (abbreviated): Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0 needs to look like this: Destination Gateway Genmask Flags Metric Ref Use

hi, i wann to make multigateway routing and i read ur how to on http://lartc.org/howto/lartc.rpdb.multiple-links.html and create some rules which i am sending u, but with this rules i am not able to do multigateway routing on my linux router so plz help me out. thanks the rules are given below IF0=eth0 IF1=eth1 IF2=eth2 IP1=192.168.1.2 IP2=61.246.243.86 P1=192.168.1.1 P2=61.246.243.81

Hi! I'm experiencing some serious problems setting up Samba as PDC. File sharing works fine and I can even add my computer to the domain, but when I reboot I can't log in with my samba username and password. I've previously set up similiar server, though it wasn't trough VPN. I'm running latest Debian Etch with every package upgraded. I've also tried some older samba

On Sat, Mar 18, 2023 at 03:10:10PM +0100, Hans J. Schultz wrote: > +# Test of dynamic FDB entries. > +locked_port_dyn_fdb() > +{ > + local mac=00:01:02:03:04:05 > + local ageing_time > + > + RET=0 > + ageing_time=$(bridge_ageing_time_get br0) > + tc qdisc add dev $swp2 clsact > + ip link set dev br0 type bridge ageing_time $LOW_AGEING_TIME > + bridge link set dev

On Sun, Mar 26, 2023 at 05:41:06PM +0200, Hans Schultz wrote: > On Mon, Mar 20, 2023 at 10:44, Ido Schimmel <idosch at nvidia.com> wrote: > >> + $MZ $swp1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ > >> + -a $mac -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q > >> + tc_check_packets "dev $swp2 egress" 1 1 > >> + check_fail $?

Test FDB ageing of user entry created by bridge fdb replace ADDR dev <DEV> master dynamic Use LOW_AGEING_TIME variable in forwarding.config to set a low ageing time. Beware, DSA might not accept the ageing time you want. Check the age_time_coeff value for your driver. Signed-off-by: Hans J. Schultz <netdev at kapio-technology.com> --- .../net/forwarding/bridge_locked_port.sh |

On Sat, Jul 13, 2013 at 10:34 AM, Gene Cumm <gene.cumm at gmail.com> wrote: > Digging more, loadfile("192.0.2.1::pxe.0", &file.data, &file.size), > queries DNS, which sounds like it doesn't follow the same call path as > a COM32 calling pxe_dns(). If the DNS won't resolve the IP, things > won't load properly. pxechn.c32 sets sname in the intended