similar to: iptables-save is broken with policy match

The version of Shorewall currently in CVS (Shorewall2/ project) has been integrated with iptables-save/iptables-restore. This provides the means to start and restart shorewall very quickly (mine restarts in under a second) in the case where you are not changing your configuration. The release notes are attached. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool

I''ve gotten the basic code working on my firewall. So that I can quickly get back online if I screw up, I''m currently calling it shorewall2. That way if it screws up I can just "shorewall restart". /sbin/shorewall2 -- command interpreter /etc/shorewall2/ -- configuration files /usr/share/shorewall2/ -- shared files Both Shorewall and Shorewall2 use the

The current CVS Project Shorewall2/ contains my implementation of this feature. Thanks go to Xavier for ideas about the design. Xavier -- please give my code a try and see if it works ok for you. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

The Shorewall2/ project in CVS contains my initial attempt to establish correct routing for traffic forwarded from two different ISPs to internal servers. >From the release notes: Shorewall 2.3.2 includes support for multiple Internet interfaces to different ISPs. This feature is enabled by setting the "default" option for each Internet interface in

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > > #--- file: policy --- > #vpn policies: > loc vpn ACCEPT info > fw vpn ACCEPT info > vpn loc ACCEPT info > vpn fw ACCEPT info > > net

I''ve opened the Shorewall 2.3 thread in the Shorewall2/ CVS project. The config files all show version 2.4 -- that saves me having to edit each one of them again when I move from 2.3->2.4. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \

If you are willing to patch your iptables and kernel to support the ROUTE target, the code in CVS project Shorewall2/ now supports very flexible routing. As an example, I run Squid in my DMZ for transparent proxy. Rather than the complex routing setup described in http://shorewall.net/Shorewall_Squid_Usage.html, I now use this single entry in /etc/shorewall/routes to route all HTTP requests from

If you encounter strange problems with the Beta then either set IPTABLES (in shorewall.conf) to point to the iptables binary that you normally use or download and install the ''/sbin/shorewall'' program from CVS (Shorewall2/ project). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \

Attached please find updated build and publish scripts. They set the ''ulink.target'' parameter appropriately when converting docbook->HTML. I have always hacked my xhtml/params.xsl file to set this parameter; these updated scripts make that abomination unnecessary. Paul/Mike: It might be a good idea to add a CVS project for these scripts. -Tom -- Tom Eastep \ Nothing is

If you encounter strange problems with 2.1.2 and are using a shell other than bash, you might try installing the ''functions'' file from CVS Shorewall2/. It corrects a problem that I ran into with ''ash''. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

FYI This bug will prevent ''shorewall restore'' from working if you have "!<single IP address>" in the ORIGINAL DEST column. -Tom ---------- Forwarded Message ---------- Subject: [PATCH] Another iptables-save buglet Date: Wednesday 14 September 2005 15:09 From: Tom Eastep <teastep@shorewall.net> To: netfilter-devel@lists.netfilter.org The conntrack

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I''ve built a 1.2.9 iptables RPM that corrects the two iptables-save problems that I know about. It is available at: http://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm ftp://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm I''m using this on SuSe 9.1 -- for other distros, YYMV... This RPM works

The following is taken from the Release notes for 2.2.3 (which will be released in a month or so). 2) There has been ongoing confusion about how the /etc/shorewall/routestopped file works. People understand how it works with the ''shorewall stop'' command but when they read that ''shorewall restart'' is logically equivalent to ''shorewall

http://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 ftp://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

Dear Tom, Very, very thanks the quikly answer. It''s working. I made mistake on shorewall2 here, i wrote "wifi" zone to "eth0" /etc/shorewall/interfaces: net eth0 192.168.2.255 <---------- lan2 eth1 192.168.3.255 lan3 eth2 192.168.4.255 and don''t kept my mind the order in zone file. Thanks Tom Psw

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

The current thread on the User''s List entitled "Multi-ISP in 2.4.0" includes the following tcrules file: ############################################################################ ## #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) 201:P eth2 ppp1

The 1.2.7 release of iptables has made an incompatible change in the syntax used to specify multiport matches. As a consequence, users upgrading to iptables 1.2.7 must set MULTIPORT=No in /etc/shorewall/shorewall.conf. I''ll have an updated firewall script available in the next day or two. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \

--3Y2Mr1SP1gWKl0+e Content-Type: multipart/mixed; boundary="j9XQ5cF5hebrmXqw" Content-Disposition: inline --j9XQ5cF5hebrmXqw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! The netfilter coreteam proudly presents: iptables version 1.2.10 1.2.10 is (like most other 1.2.x releases) a maintainance release,