Displaying 20 results from an estimated 200 matches similar to: "outdated bogons table in current Shorewall..."
2004 Nov 12
1
Shorewall's bogon file needs updating
As far as I can tell from <http://shorewall.net/errata.htm> the current
shorewall bogons file is
<http://shorewall.net/pub/shorewall/errata/2.0.8/bogons> which contains
the line:
58.0.0.0/7		logdrop		# Reserved
This is incorrect.  These two /8s were allocated to APNIC as of April
2004.  See also
<http://marc.theaimsgroup.com/?l=nanog&m=108319003517919&w=2> and the
main
2004 Apr 20
0
Updated rfc1918 and bogons files
Updated rfc1918 and bogons files are now available:
rfc1918 for Shorewall 2.0.0 and earlier:
	http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918
bogons for Shorewall 2.0.1:
	http://shorewall.net/pub/shorewall/errata/2.0.1/bogons
Thanks go to Thomas Backlund for pointing out that the file was out of date.
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
2003 Aug 26
1
ADSL router, two nics, web server not visible from internet
I have an ADSL router, a linux box with two NICS connected to the
router and another PC connected to the router.
I installed shorewall using the two interface method.
I can ping and see the webserver on the linux box from the local
network, but not from the internet.
Sys info as follows:
[root@wilma root]# shorewall version
1.4.6b
[root@wilma root]# ip addr show
1: lo: <LOOPBACK,UP> mtu
2005 Mar 04
9
strange behaviour with rulesets
hi,
i have a strange situation. i try to connect to my machine with ssh and
the packets are dropped but i have at the top of my rules an accept.
the configuration looks like:
rules-file:
-----------
ACCEPT  net     fw      tcp     22      -
TCPDUMP-log:
------------
12:16:08.153934 84.153.98.30.1322 > [my-destination-machine].ssh: S
3717288415:3717288415(0) win 64240 <mss
2003 Mar 25
7
DNAT not working after changing BIND to use views
Hello all:
 
I've got a confusing issue.  I had a working shorewall configuration
(based on the two interface model) using DNAT for redirection to my HTTP
server.  The HTTP server is on my inside network (I know - bad juju, but
one thing at a time).  I changed my configuration this morning to use
views in my BIND (named) configuration.  Everyone outside the firewall
is able to get in
2005 Jun 27
5
Bridging problem with Shorewall and OpenVpn
Hello All,
I am trying to implement OpenVPN on Fedora core Linux 3 with the latest
patches
installed. This server is used only as firewall/internet gateway/proxy/VPN
server, with kernel 2.6.1-1.27.FC3 and kernel 2.6.1-1.27.FC3 SMP
It has two NICs, eth0 (10.0.0.150) connected to ADSL, eth1 (192.168.3.12)
connected to the local network.
I use shorewall 2.4 on this machine.
I like to test
2005 Jan 11
1
Squid and DMZ (ProxyARP)
Hello All,
I have a question about setting up the shorewall firewall for squid, I 
followed the instructions on "Using Shorewall with Squid" --> "Squid Running
in the DMZ" section.  For some reason I am unable to get the program to work.
I am able to have the squid work properly by using squidclient program, but
once I setup the firewall to use the redirect I am unable to
2003 Mar 28
9
Squid
I'm attempting to setup Squid as shown on:
http://shorewall.sourceforge.net/Shorewall_Squid_Usage.html#DMZ
	The firewall is a Bering 1.0 firewall running Shorewall 1.3.11, Red Hat
7.2 on the server in the DMZ. I'm not seeing the requests come in to the
server using tcpdump. The server is 192.168.2.1 connecting to eth2 on the
firewall, the local traffic I'm trying to
2005 Mar 10
7
norfc1918 not working in SW 2.2.1?
Hello all,
Yesterday I noticed that my system was "leaking" traffic towards the 
10/8 network, I have shorewall installed on multiple machines ranging 
from single interface devices to ones with 10+ interfaces. I tested all 
the boxes and they are showing the same behavior.
All systems are CentOS 3.4, 2.4.21-27.0.2.ELsmp.
Shorewall version: 2.2.1
For the host mentioned is a single
2004 Aug 26
0
Updated bogons file
An updated bogons file is available at:
	http://shorewall.net/pub/shorewall/errata/2.0.8/bogons
	ftp://shorewall.net/pub/shorewall/errata/2.0.8/bogons
Thanks to Lorenzo Martignoni for bringing the recent IANA allocations to
my attention.
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \
2004 Aug 26
0
Updated bogons file -- Update
The initial file that I uploaded was incorrect. If you downloaded a file
that still contains 72.0.0.0/8 then please download again. Sorry for the
confusion.
An updated bogons file is available at:
	http://shorewall.net/pub/shorewall/errata/2.0.8/bogons
	ftp://shorewall.net/pub/shorewall/errata/2.0.8/bogons
Thanks to Lorenzo Martignoni for bringing
2004 Nov 12
0
Updated rfc1918 and bogons files
To reflect recent allocations by the IANA, the following files are
available:
For Shorewall 2.0.0b and earlier:
	http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918
	ftp://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918
For Shorewall 2.0.1 and later:
	http://shorewall.net/pub/shorewall/errata/2.0.10/bogons
2009 Jan 24
4
No logging with chain logdrop and logreject
Hello:
I just started using Shorewall this morning and must say that I'm very
impressed. Much nicer than what I was using previously.
I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and
completely block a particular IP address. However, the log part doesn't
happen. When I look in the logdrop chain, there is no LOG prefix.
I've looked
2003 Aug 25
0
Re: R 1.7.x and inaccurate log1p() on OpenBSD 3.2 and NetBSD 1.6 (PR#3982)
Ray Brownrigg <ray@mcs.vuw.ac.nz> writes today about the inaccurate
log1p() on NetBSD 1.6 and OpenBSD 3.2:
>> Well, the source which I have access to doesn't bear that out.
Interesting.  Our NetBSD installation is pretty recent:
	% uname -a
	NetBSD netbsd.vm.math.utah.edu 1.6 NetBSD 1.6 (GENERIC) #0: Sun Sep  8
	19:43:40 UTC 2002    
2009 Mar 13
0
Polices, Rules and Configurations - No Success (#/etc/shorewall/policy)
Hello,
I forgot to put my #/etc/shorewall/policy file:
# /etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
#
adm     net     DROP            info
tlm     net     DROP            info
#
net     adm     DROP           
2005 Mar 12
1
Shorewall 2.2.2 (Corrected)
I forgot to add the last new feature to the previous announcement.
Shorewall 2.2.2 is now available.
	http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2
	ftp://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2
Problems Corrected:
   1. The SOURCE column in the /etc/shorewall/tcrules file now correctly
      allows IP ranges (assuming that your iptables and kernel support
      ranges).
   2.
2005 Apr 21
6
bogons update
hi:
Just a little update:
41/8 allocated to AfriNIC (APR 2005).
73/8 allocated to ARIN (MAR 2005).
hope it helps.
2004 Jul 26
3
Intermittently denying access to webshop
Hello shorewall-users,
  we have a strange problem where some of our customers cannot access our
  webshop, but most of the customers can. I have been slowly eliminating
  possibilities and am now left with either the firewall (Shorewall 1.4) or the
  webshop server.
  What appears a lot in the logfiles is:
Jul 26 11:51:04 gw kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth1 SRC=84.128.198.240
2003 Jan 03
6
RFC1918_LOG_LEVEL
I have tried (RH7.3/shorewall-1.3.12-1) both of the following in
shorewall.conf to eliminate 'rfc1918' logging into /var/log/messages:
   RFC1918_LOG_LEVEL=debug
   RFC1918_LOG_LEVEL=notice
Neither appear to eliminate the logging.
Here's what the 'logdrop' chain shows:
   1 229 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix \
    
2012 Sep 21
0
picking a NUMA cell for pinning using virsh freecell
Hi
I'd want to pin the vcpu of a guest to a pcpu.
the docs clearly say
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/ch09s04.html 
"Locking a guest to a particular NUMA node offers no benefit if that node 
does not have sufficient free memory for that guest. libvirt stores 
information on the free memory available on