similar to: Shorewall 1.3.12 Beta1

Displaying 20 results from an estimated 1000 matches similar to: "Shorewall 1.3.12 Beta1"

2003 Jan 06
3
ipsec nat-traversal
It seems to me that ipsecnat tunnel type is not complete. Latest drafts of ipsec nat-traversal use udp port 4500 for nat-traversal communications. (It's called port floating). That is needed to get rid of ugly ipsec passthru devices. Now ipsecnat opens port udp/500 from any source port. And I think ipsecnat won't work at all with gw zone defined? I'm not sure about
2003 Oct 08
2
Problem with /bin/ash
I have /bin/ash from rh8 installation and I have following error when I tried to change using ash instead of sh with shorewall-1.4.7: + eval options=$tap0_options + options= + list_search newnotsyn + local e=newnotsyn + [ 1 -gt 1 ] + return 1 + run_user_exit newnotsyn + find_file newnotsyn + [ -n -a -f /newnotsyn ] + echo /etc/shorewall/newnotsyn + local user_exit=/etc/shorewall/newnotsyn + [
2004 May 26
6
Newnotsyn Behavior
Hello, I've been doing some tests on a firewall system running Shorewall 1.4, and have been getting some unexpected behavior when enabling the "newnotsyn" option. In the test setup, I have: ---------------------------------------- /etc/shorewall/interfaces net eth0 detect routefilter,tcpflags,blacklist loc eth1 10.0.0.255 dhcp,tcpflags,newnotsyn
2002 Sep 29
7
[Fwd: Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote: > You don't happen to read shorewall-devel mailinglist ? I read it -- I just didn't know what to make of your post and it arrived while I was on vacation. What exactly are you trying to accomplish that Shorewall isn't doing for you now? e.g. /etc/shorewall/zones rw Roadwarriors Road Warriors /etc/shorewall/interfraces rw ipsec+
2003 Jan 26
7
Bug in shorewall
I just added 802.1Q VLAN support to redhat initscripts. And after support was ready, I tried to restart shorewall. Well it blew into pieces. Seems like shorewall can't handle device names like: eth0.3 very properly. That's default naming of vlan devices. eth1 is master device and 3 is id of my test vlan. So when I added to interfaces line: home eth0.3 detect seems like
2005 May 26
11
Quick poll: CVS commits
Hi folks, I'm conducting a straw poll for your opinions on whether we should send CVS commit logs (probably with diffs) to the shorewall-devel list, or to another (new) list? I can see advantages to both ways: separate lists mean that people who aren't contributing code don't get flooded with code noise, but a single list will help keep everyone involved in the
2005 May 25
5
Patch to fix dynamic add/delete to zone functionality
I'm running systems with openswan and modified _updown script supporting shorewall dynamic hosts. Because on problems with cvs head version of openswan I found an error from shorewall dynamic hosts support. When host is already in zone shorewall aborts adding process with error. This is not good thing(tm). I found out that deleting host from
2012 Mar 12
8
CentOS6/RHEL6 - net.nf_conntrack_max not applied
2003 Mar 20
11
Opinions Please
Although 1.4 is now released, there is one aspect of Shorewall's design that I'm still quite unhappy with. It involves two areas: a) when and when not to create rules to allow inbound traffic on an interface to be routed back out that same interface. b) intrazone traffic. I'm currently running 1.4.0 plus a change that: a) Allows intrazone traffic unconditionally --
2010 May 02
4
Kernel Panic on Masq Enable with Shorewall 4.4.8 & 2.6.27.45-0.1-default #1 SMP
All, I have been using Shorewall successfully for years on many different machines and configurations. However, I just built a new box and wanted to setup shorewall on it. I'm running SuSE Linux Enterprise Server 11 and Shorewall 4.4.8 (latest version as of this e-mail) using the RPM download. I am able to install Shorewall just fine and I'm able to setup everything except
2004 Feb 11
2
shorewall-docs-html-1.4.10a bugreport
shorewall-docs-html-1.4.10a is missing following files: Banner.htm Shorewall_index_frame.htm seattle_firewall_index.htm Or there should be different index.htm in tar. There might be other missing files but that's what I found out immediately when I tried to check local docs. -- Tuomo Soini <tis@foobar.fi> Linux and network services +358 40 5240030 Foobar Oy
2003 Mar 23
12
Shorewall 1.4.1
This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer
2019 May 21
2
How to get original recipient from Postfix when using LMTP?
Many people prefer to use LMTP for delivery from postfix for better efficiency but X-Original-to header support still missing after many years. One effect of this is need to set sieve_vacation_dont_check_recipient = yes which violate Sieve standard and cause auto-replies sent to messages that should not happen. Or abandon LMTP. or abandon postfix?? So while feature request is stalled are
2002 Nov 12
3
'all' in rules file
I have implemented the ability to specify 'all' in the SOURCE and DESTINATION columns of the rules file and I'm not sure I like the result. The code is in CVS if any of you are interested in giving it a try. If you do try it, please let me know what you think. If you specify 'all' in those columns it must not be qualified (may not be followed by
2004 Aug 22
6
LAN to DMZ zone issues.
Hello all, Name is Andrew and in desperate need of some info. Setup: - Mandrake 9.1 with three interfaces (eth0 --> WAN) C-class /28 network (with tree virtual addresses which I am DNAT-ing to the DMZ) (eth1 --> LAN) A-class 10.0.0.0/8 (eth2 --> DMZ) A-class subnet 10.1.123.0/24 - Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk Dilemma: - LAN can not access the DMZ zone
2005 May 27
5
Problems with dynamic zones
I found out problems with dynamic add of hosts to zones. If somebody has idea how to fix it, please do tell. My head is not working on this on properly. Hope you get idea from this message. I'm trying to simplify this as much as possible to get problem clear. Problem is: Zones: vpn wlan net Interfaces: net eth0 wlan eth1 Policies: vpn all
2004 Nov 08
3
nessusd on shorewall
Hi, I have shorewall version 1.4.10g on Redhat 9 Local clients are on eth1 in subnet 192.168.3.0/24. eth0 is for the outside (over xdsl with includes a ppp0 interface). Nessus (nessusd) is installed *on the firewall* and managed through nessus (the client or frontend) running on one of the internal machines. When I was running a scan against 194.152.181.36 I observed several entries like
2018 May 10
3
[CentOS-announce] Release for CentOS Linux 7 (1804) on x86_64 aarch64 i386 ppc64 ppc64le
On May 10, 2018, at 1:33 AM, Karanbir Singh <kbsingh at centos.org> wrote: > > I am pleased to announce the general availability of CentOS Linux 7 > (1804) for across all architectures. I've checked about a dozen of the mirrors, and see no *.torrent files yet. Any idea how long they'll take to appear? I ask because we're building a system today, so if it's going to be more than
2004 Aug 16
1
CLEAR_TC=Yes & TC_ENABLED=No
I found a problem with my tcstart script. First I was running system TC enabled for testing and then to stop all TC I changed TC_ENABLED=No. But I started to wonder why shorewall restart did _not_ clear TC rules after TC was disabled? So I checked firewall and found out that if TC_ENABLED=No TC_CLEAR is disabled automatically. Question is: should
2004 Jun 02
1
Minor patch to install.sh to make it honor environment variables
Just something I patch in my rpm set to make shorewall configurable. -- Tuomo Soini <tis@foobar.fi> Linux and network services +358 40 5240030 Foobar Oy <http://foobar.fi/> -------------- next part -------------- --- shorewall-2.0.2d/install.sh.orig 2004-05-28 03:17:01.000000000 +0300 +++ shorewall-2.0.2d/install.sh 2004-05-30 01:08:00.000000000 +0300 @@ -87,11 +87,20 @@ # RUNLEVELS