similar to: Shorewall, ipp2p and ipt_CONNTRACK

Hi! I''m wondering whether anyone has successfully set up a bandwidth control system using ipp2p and shorewall. I have been able to drop connecions altogether, but I don''t seem to be able to get CONNMARK working with ipp2p. Any pointers would be greatly appreciated :) ______________________________ Mario R. Pizzolanti

Hi! I''m trying to get shorewall to work with kernel 2.6.11, but to no avail :( There seems to be some problem with nat, whereupon iptables cannot set it up. Kernel compiled on base of mandrake kernel-source, patched with ipp2p and the ipsec patches from Tom''s contrib. Here''s the error: /sbin/iptables -t nat -A eth2_masq -s 192.168.0.0/23 -d 0.0.0.0/0 -j MASQUERADE

Hello, I run Shorewall 2.0.3a backport on a debian woody box (with 2.4.18 homemade kernel). When I start shorewall I got the following errors. Oct 30 11:13:12 fwr modprobe: modprobe: Can''t locate module ipt_conntrack Oct 30 11:13:17 fwr modprobe: modprobe: Can''t locate module ipt_pkttype Oct 30 11:13:18 fwr modprobe: modprobe: Can''t locate module ipt_pkttype Oct 30

Hi, I tried shorewall 2.2.0-rc4 and 2.2.0-rc5 on 3 different machines (just to be sure it''s not pebkac). The IPP2P support is broken, line like: DROP loc net ipp2p generates: iptables -A loc2net -j DROP that''s _wrong_ :) i have tried playing with debug to no avail, and I''m not that good at bashing... just to be complete, the suggested status.txt from one of the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there interest in ipp2p support in Shorewall? While the ipp2p code is not part of the standard kernel.org distributions, my experience is that it is very easy to install and I would be willing to provide support for it if there is interest. See http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html for information about ipp2p. - -Tom - -- Tom

Hello I am looking for a way to have snort to dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Aslo I would like to know if there is a way clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish

Hi, I''m using following rule in /etc/shorewall/rules REJECT:ULOG:P2P loc net ipp2p:all ipp2p iptables -L : Chain loc2net (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ULOG all -- anywhere anywhere ipp2p v0.8.2--ipp2p ULOG

I have two (interconnected) questions: First of all, I''m trying to use IPP2P to classify my P2P traffic and give it a lower network priority. I''ve already successfully built IPP2P into iptables and the kernel. I read http://www.shorewall.net/IPP2P.html, but it''s confusing me. Using the documentation for normal tcrules in 3.0

I think I''ve found a mistake in the http://www.shorewall.net/ipp2p.html documentation. I''ve been trying to get traffic shaping working on the p2p traffic (Using ipp2p and wonder shaper) and lossing clumps of hair in the process. I followed the web page documentation but the "tcpost" rule that clasifies the packet and actually starts the "castration"

Hello, I''ve tried to change ipt_conntrack hashsize and con under my debian charge but doesn''t work ! Ive got 2876Mb available for conntrack so I''ve done (according to some previous mail and this http://www.wallfire.org/misc/netfilter_conntrack_perf.txt) CONNTRACK_MAX = 2876 * 64 = 184064 HASHSIZE = 2876 * 8 = 23002 But the near power of 2 is 2^16 = 131072

I think we should add an FAQ entry for tcp_ecn. I remember Tom giving a good description in one of his many responses and there is mention of it in the pptp page, but I could not find the response from Tom about different tcp stacks. Thanks, -- Steve Herber herber@thing.com work: 206-261-0307 Systems Engineer, AMCIS, UoW home: 425-454-2399 ---------- Forwarded message ---------- Date: Sat,

Hi, I get this error when trying to insmod the ipp2p kernel module: "insmod: error inserting ''ipt_ipp2p.ko'': -1 Invalid module format" in the kernel log: "ipt_ipp2p: disagrees about version of symbol struct_module" Kernel version 2.6.20.4 iptables version: 1.3.5 ipp2p version: 0.8.2 (latest) Anyone tried ipp2p with kernel 2.6.20? Best Regards Niclas

Hello list, I''m newbie in this list. Well, i''m going crazy with ipp2p. Googling i find a mini-howto but i''ve got problems. 1) Download: * iptables-dev (apt-get) * kernel-headers-2.x.x (your kernel, "uname -r") * src of your iptables (iptables -V and apt-get source) * ipp2p-0.8.0.tar.gz (stable) 2) untar ipp2p and cd ipp2p 3) Edit Makefile, if it''s

Hi all, I have found problems in p2p traffic detection. The ipp2p module works fine but in shorewall the rules written for this protocols never match because the initials p2p connection (login) match in ''-m state --state RELATED,ESTABLISHED -j ACCEPT'' rule before ''-m ipp2p --ipp2p -j DROP'' rule, so netfilter never filter p2p traffic. I have had to run

Hi all. On Sep 26th I decided to try and get ipp2p working on my machine that acts as a gateway for my Internet connection. This machine is running Debian. I performed the install by doing the following steps: - I installed the Debian package called linux-source-2.6.22 for my Linux kernel source and unpacked the resulting tar.bz2 file. - From the netfilter.org site I downloaded the following

Just a note to mention that I have been using the RC1 release at work for a simple one interface firewall. No problems that I have seen. We use Solaris, AIX, Tru64, and Linux in my group at the U of W. I know some IP filter package is available on Solaris and Tru64. On the Tru64 system you can configure an interface with a list of cidr notation subnets to accept or deny access. I reformatted

Rather than have lots of folks downloading a version with a broken ''check'' command, I''ve released 1.4.1a that corrects the problem. Sorry for the back-to-back releases today... -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://shorewall.sf.net Washington USA \ teastep@shorewall.net

Subject says it all... -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net

Hi I using ipp2p to block p2p traffic. How to enable to use p2p to me host in my net ? I using this setup: iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -j DROP This setup: iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -d ! mynet -j DROP iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -s ! mynet -j DROP not

Does anyone here implement traffic shaping with shorewall? I need to shape BitTorrent traffic on my network so that upload/downloads do not overwhelm normal function or, even more importantly, my imminent conversion to VOIP for all telephone service. I followed the shorewall documentation guide but am not sure if what I have done is the Right Way Of Doing Things. Nor am I satsified with the