similar to: Shorewall Release Model

Hi, all: This is just a note and suggestion, not a question; but I really like this system and thought it might be useful to others so I decided to share. Hope it helps someone, and comments or suggestions are always welcome. 1. Overview: Shorewall accepts traffic on ports that I consider "hostile" (i.e. ports on which I would NEVER expect to see connections) and redirects

Harald Welte just announced that the 2.6 Kernels will not support the ''unclean'' match extension except via Patch-O-Matic. Since I have a polciy of not supporting Netfilter features that are only available in P-O-M, I will be removing the ''logunclean'' and ''dropunclean'' interface options from Shorewall. In 1.4.7, a warning will be issued if

Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users. For 2.0

If any of you have been so bold as to install the Shorewall CA Certificate in your browser(s), the current certificate will expire on 11/13. There is a new 10-year certificate available for installation at: http://lists.shorewall.net/Shorewall_CA_html.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \

Thank you for your support. The next question: Is there a kind of common chain applied before ACCEPT policy? I want to DROP or REJECT Netbios traffic on most interfaces but do not want to repeat those rules in the rules file. Thanks, Boi -----Th?ng ?i?p chuy?n ti?p----- > From: Tom Eastep <tmeastep@hotmail.com> > To: Le.Hong.Boi@sg.netnam.vn > Subject: Re: Shorewall 1.4.6: common

I don''t know whether this is the right place to ask, but kindly point me to an FM that I can R if it isn''t. My wife is creating lots of Kazaa traffic, and I am using rsync to create a full mirror of Red Hat''s FTP site, Aurora Linux FTP site, the LDP site, and some other stuff. Clearly, when one is moving well over 100GB over a 128 Kbps link, this is going to take a

I think we should add an FAQ entry for tcp_ecn. I remember Tom giving a good description in one of his many responses and there is mention of it in the pptp page, but I could not find the response from Tom about different tcp stacks. Thanks, -- Steve Herber herber@thing.com work: 206-261-0307 Systems Engineer, AMCIS, UoW home: 425-454-2399 ---------- Forwarded message ---------- Date: Sat,

Hi folks, I''ve added a couple of ''help wanted'' ads to our SourceForge project. You can see them at http://sourceforge.net/people/?group_id=22587 I''ll add more as i have the opportunity. If you can think of other jobs we need to assign, please let me know. -- Paul <http://paulgear.webhop.net> -- Did you know? Using accepted quoting conventions makes

Greetings, What programming languages besides shell scripting are used in shorewall? What knowledge is needed to help in shorewall development? I figure iptables is a goood bet but is there anything else as well? Thank you for your time. Regards, Jason

The ''firewall'' and ''functions'' file in CVS together produce a 30%+ speedup of ''shorewall restart'' on my firewall when compared to 1.3.11a. Please test with these files -- I don''t anticipate making any more performance changes for 1.3.12 and I want to be sure that I didn''t break anything. -Tom -- Tom Eastep \ Shorewall

Hi, I read the news about Tom Steps quit. I use shorewall for some days now and as many people I ike it very much. I asked Tom in a personal mail, what could be done to continue the project and he told me I had to subscribe to this list. My ideas where: a) Mirroring the site b) I would like to study the code and help c) I am studying computer science and I could ask some teachers and friends

Just a note to mention that I have been using the RC1 release at work for a simple one interface firewall. No problems that I have seen. We use Solaris, AIX, Tru64, and Linux in my group at the U of W. I know some IP filter package is available on Solaris and Tru64. On the Tru64 system you can configure an interface with a list of cidr notation subnets to accept or deny access. I reformatted

Rather than have lots of folks downloading a version with a broken ''check'' command, I''ve released 1.4.1a that corrects the problem. Sorry for the back-to-back releases today... -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://shorewall.sf.net Washington USA \ teastep@shorewall.net

Although Shorewall provides safeguards against it, people seem to regularly shoot themselves in the foot when doing remote system administration. I''ve been thinking about this problem and wonder if a change to the way that "shorewall stop" behaves might help. Today, "shorewall stop" stops all traffic except to/from those destinations listed in

Hi! Taking into consideration the great speed with which the use of P2P filesharing systems is expanding, is there any plan of including ipp2p and ipt_CONNTRACK support into shorewall? I''m sure that many admins managing gateways would be very happy about it... Thanx, -- Mario R. Pizzolanti <mario@zavood.ee> Zavood O?

The generic tunnel support that I posted about yesterday has been updated: a) A bug that caused [re]start errors has been corrected. b) A list of zones may now be included in the third column of /etc/shorewall/tunnels; the semantics are the same as for ipsec tunnels. In addition, the ADDRESS column in /etc/shorewall/masq may now contain a comma-separated list of IP ranges/addresses. This enables

Hi, First of all, thanks to all shorewall developers. Shorewall is really great. Here is a patch to add the following feature : This patch allows you to mark packets according to the user name under which the program generating output is running. To do so, the patch will allow you to write rules in the tcrules file looking like that : #MARK SOURCE DEST PROTO PORT(S) CLIENT USER #

Hi, i have been using shorewall for 3 months, and shorewall was working well, but i don''t know why, when I type "shorewall start" o "shorewall restart", it says that. I have two files of rules: The first: DNS/ACCEPT net:208.67.222.222,208.67.220.220 The second: DNS/ACCEPT net:208.67.222.222,208.67.220.220 HTTP/ACCEPT net:www.google.com,mail.google.com,...

Subject says it all... -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net

The current CVS version (/Shorewall project) contains a redesigned IP accounting facility. The new facility is: a) Much simpler. :-) b) More flexible. :-) c) Compatible with bw-acct. :-) c) Incompatible with the previous implementation :-( There''s a new Accounting Page available at: http://shorewall.net/AccountingNew.html On top of Snapshot 20030813: a) Move the