similar to: Call for Testers of Shorewall/Fireparse (take 2)

Displaying 20 results from an estimated 6000 matches similar to: "Call for Testers of Shorewall/Fireparse (take 2)"

2003 May 23
0
Shorewall 1.4.4
Given that there are new features and there are external changes to get around the Fireparse fiasco, I have called this release 1.4.4 rather than 1.4.3b. Problems Corrected: None. New Features: 1) A REDIRECT- rule target has been added. This target behaves for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter nat table REDIRECT rule is added but not the companion
2003 May 26
2
minor problem with shorewall-1.4.4
I found a minor problem in the new logging system. The new logging system effectively limits zone names to 4 characters. If you have a REJECT policy between 2 zones whose names are 5 characters long, here for example the ipsec zone, iptables will give an error because logprefix is limited to 29 characters. --log-prefix "Shorewall:ipsec2ipsec:1:REJECT:" So zone names should be limited to 4 characters or
2003 May 18
0
Shorewall 1.4.3
Problems Corrected: 1) There were several cases where Shorewall would fail to remove a temporary directory from /tmp. These cases have been corrected. 2) The rules for allowing all traffic via the loopback interface have been moved to before the rule that drops status=INVALID packets. This ensures that all loopback traffic is allowed even if Netfilter connection tracking is confused.
2003 May 27
0
Shorewall 1.4.4a
The Fireparse --log-prefix fiasco continues. Version 1.4.4a omits the logging rule number if the LOGFORMAT value does not contain '%d'. The default value of LOGFORMAT is then changed to "Shorewall:%s:%s:" so that the maximum length of a short zone name is once again back at 5. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \
2003 Jul 01
6
Shell Requirements for Shorewall 1.4.6
The 1.4.6 version of Shorewall makes additional demands on the shell. I have found that both the RH9.0 version of ash and the version of ash that has long been available from the Shorewall download sites are *not* suitable for use with Shorewall 1.4.6. The LEAF Bering version of ash on the other hand works fine. Attached is a small shell program that will allow you to test your shell for
2009 Mar 15
2
zone name length
How does LOGFORMAT in shorewall.conf control the length of the zone name as discussed in the zones man page? The default max length is 5. What would I specify in LOGFORMAT to allow a 6 character zone name?
2004 Feb 10
22
Re: [Shorewall-newbies] specific log-prefix ... patch
Let's move this to the Shorewall Development list.... On Tuesday 10 February 2004 03:14 pm, xavier wrote: > here is a patch to allow this : > |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp > > a problem with the patch is that now the logprefix is mandatory. > i'm trying to debug it, but i can't find the flaw. Also, with
2015 May 07
2
Apache 2.2 itk - 404 not found
Hi all, Freshly installed apache 2.2 with httpd-itk (from epel). When I try to access apache's document root from a browser on local network, it always serves me the Apache welcome page, even if I have an index.html and a phpinfo.php file in the /var/www/html folder. If I point the browser specifically to http://server/index.html, I get a '404 Not found error'. I'm running CentOS
2015 May 07
3
Apache 2.2 itk - 404 not found
I forgot to mention it. All the files under /var/html are owned by apache:apache. On 15-05-07 04:07 PM, Eric Lehmann wrote: > Have you checked the file rights under your document root? > Your apache group needs read rights. > On 07.05.2015 21:42, "John" <tuxfed at gmail.com> wrote: > >> Hi all, Freshly installed apache 2.2 with httpd-itk (from epel). When I
2004 Jun 28
6
URGENT: Shorewall Security Vulnerability
Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users. For 2.0
2006 Nov 07
0
LOGFORMAT Problem in Shorewall 3.2.*
A fix is available at http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.5 If white space is included in LOGFORMAT then a startup error results. Either: a) Replace /usr/share/shorewall/compiler and /usr/share/shorewall/functions with the 'compiler' and 'functions' files from the errata/Shorewall/ sub-directory. b) Patch
2010 Apr 12
21
Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
Hi there. I'm reading and reading through the doc's and previous posts, but cannot seem to find what I'm looking for. I want to create a rule that prevents DoS and maybe even DDoS attacks against a specific port. The current rule looks like this (the PORT's and IP's are dummies of course): #ACTION SOURCE DEST
2004 Jul 15
3
slight simplification to firewall log_rule_limit code
I think you can change the existing firewall logging code for log_rule_limit (where you have one case for LOGRULENUMBERS and another almost identical case without) down to this slightly shorter version with no duplication (excerpt): if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules [ -z "$rulenum" ] && rulenum=1 fi case
2002 May 13
3
RE: [Shorewall-users] SMTP outbound problem (fwd)
I think we should add an FAQ entry for tcp_ecn. I remember Tom giving a good description in one of his many responses and there is mention of it in the pptp page, but I could not find the response from Tom about different tcp stacks. Thanks, -- Steve Herber herber@thing.com work: 206-261-0307 Systems Engineer, AMCIS, UoW home: 425-454-2399 ---------- Forwarded message ---------- Date: Sat,
2019 Apr 12
1
Cockpit within httpd
Folks I'd love to use Cockpit, but I cannot open port 9090 for the access in all cases. I'd like to access it via my usual http port (such as 80) where I'm limited to a single HTTP port. I understand the security implications, and can deal with them later. My attempt was to allow the following URL to access the cockpit functionality: http://xxx.example.com/cockpit (not the
2004 Nov 05
6
A distro around Shorewall
Hi all, Currently at work we use a commercial product called "Gnatbox", which, I believe, is a BSD derivative running on a floppy disk. They have a pretty UI and all, but I'd feel much safer/happier with a GNU/Linux box and Shorewall doing the same thing. In fact, I'm doing something very close to this at home using Openwrt and Shorewall on my WRT54G router, but I
2009 May 26
3
Tinyproxy and shorewall setup
Hello I'm trying to setup tinyproxy and shorewall on a LEAF Bering firewall. What I'd like to do is block all HTTP connections to the internet on port 80 and 8080 and force users to use port 8888. So in shorewall/rules I have ACCEPT loc fw tcp 8888 DROP loc fw tcp 80,8080 The ACCEPT works fine but the DROP does not seem to work. If I
2003 Jan 15
1
Future of Shorewall (was Shorewall-1.3.13)
--On Wednesday, January 15, 2003 8:57 AM +0000 Julian Church <jc@ljchurch.co.uk> wrote: > Tom > > There's no reason you should let a complete stranger question your better > judgement, but weren't you supposed to be taking a break from all of this? > The problem I am having is "Now what do I do with myself in the early mornings and evenings?":
2004 Apr 30
3
Syslinux 1.75, LEAF Bering 1.2, Compaq 2266
I have been using the LEAF Bering firewall for a year or so. It boots with Syslinux 1.75. But Bering is too large for a 1440KB floppy, so it formats the diskette as 1680KB. Recently I found a small Compaq 2266 box to replace a larger Compaq 7170 to run the firewall. But when I try to boot the Bering diskette on the 2266 I get the following message: Loading Linux ............ Boot failed:
2003 Aug 12
1
Shorewall Keeps sending false IP Address Conflict
Dear All, After installing Shorewall, on a router with 4 NIC, seems running ok. Next day, when connecting from clients, (MS) we keep getting ip conflict for non-conflicting ip addresses. Any help is appreciated. Details of Startup: + shift + nolock= + '[' 1 -gt 1 ']' + trap 'my_mutex_off; exit 2' 1 2 3 4 5 6 9 + command=start +