Displaying 20 results from an estimated 20000 matches similar to: "'all' in rules file"
2002 Sep 29
7
[Fwd: Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote:
> You don't happen to read the shorewall-devel mailing list?
I read it -- I just didn't know what to make of your post and it arrived 
while I was on vacation.
What exactly are you trying to accomplish that Shorewall isn't doing for 
you now?
e.g.
/etc/shorewall/zones
rw	Roadwarriors	Road Warriors
/etc/shorewall/interfaces
rw	ipsec+	
2002 Dec 19
4
Shorewall 1.3.12 Beta1
The first Beta Version is available at:
	http://www.shorewall.net/pub/shorewall/Beta
	ftp://ftp.shorewall.net/pub/shorewall/Beta
New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
   and tcstart).
2) "shorewall debug [re]start" now turns off debugging after an error
   occurs. This places the point of the failure near the end of the
2003 Jan 26
7
Bug in shorewall
I just added 802.1Q VLAN support to redhat initscripts. And after 
support was ready, I tried to restart shorewall. Well, it blew into 
pieces. Seems like shorewall can't handle device names like
eth0.3 very properly. That's the default naming of vlan devices. eth1 is the 
master device and 3 is the id of my test vlan.
So when I added to interfaces line:
home	eth0.3	detect
seems like
2004 Aug 22
6
LAN to DMZ zone issues.
Hello all,
My name is Andrew and I'm in desperate need of some info.
Setup: 
- Mandrake 9.1 with three interfaces
 (eth0 --> WAN) C-class /28 network (with three virtual addresses which I
am DNAT-ing to the DMZ)
 (eth1 --> LAN) A-class 10.0.0.0/8
 (eth2 --> DMZ) A-class subnet 10.1.123.0/24
- Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk
Dilemma:
- LAN can not access the DMZ zone
2003 Jan 06
3
ipsec nat-traversal
It seems to me that ipsecnat tunnel type is not complete.
Latest drafts of ipsec nat-traversal use udp port 4500 for nat-traversal 
communications. (It's called port floating.) That is needed to get rid 
of ugly ipsec passthru devices.
Now ipsecnat opens port udp/500 from any source port.
And I think ipsecnat won't work at all with a gw zone defined? I'm not 
sure about
2012 Mar 12
8
CentOS6/RHEL6 - net.nf_conntrack_max not applied
2005 May 25
5
Patch to fix dynamic add/delete to zone functionality
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm running systems with openswan and a modified _updown script supporting
shorewall dynamic hosts. Because of problems with the cvs head version of
openswan I found an error in shorewall dynamic hosts support. When a host
is already in a zone, shorewall aborts the adding process with an error. This is
not a good thing(tm).
I found out that deleting a host from
2003 Mar 20
11
Opinions Please
Although 1.4 is now released, there is one aspect of Shorewall's design 
that I'm still quite unhappy with. It involves two areas:
a) when and when not to create rules to allow inbound traffic on an
interface to be routed back out that same interface.
b) intrazone traffic.
I''m currently running 1.4.0 plus a change that:
a) Allows intrazone traffic unconditionally --
2010 May 02
4
Kernel Panic on Masq Enable with Shorewall 4.4.8 & 2.6.27.45-0.1-default #1 SMP
All,
I have been using Shorewall successfully for years on many different machines and configurations.  However, I just built a new box and wanted to setup shorewall on it.  I'm running SuSE Linux Enterprise Server 11 and Shorewall 4.4.8 (latest version as of this e-mail) using the RPM download.  I am able to install Shorewall just fine and I'm able to setup everything except
2003 Oct 08
2
Problem with /bin/ash
I have /bin/ash from an rh8 installation and I get the following error when I 
tried to change to using ash instead of sh with shorewall-1.4.7:
+ eval options=$tap0_options
+ options=
+ list_search newnotsyn
+ local e=newnotsyn
+ [ 1 -gt 1 ]
+ return 1
+ run_user_exit newnotsyn
+ find_file newnotsyn
+ [ -n  -a -f /newnotsyn ]
+ echo /etc/shorewall/newnotsyn
+ local user_exit=/etc/shorewall/newnotsyn
+ [
2004 Feb 11
2
shorewall-docs-html-1.4.10a bugreport
shorewall-docs-html-1.4.10a is missing the following files:
Banner.htm
Shorewall_index_frame.htm
seattle_firewall_index.htm
Or there should be a different index.htm in the tar. There might be other 
missing files but that's what I found out immediately when I tried to 
check the local docs.
-- 
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy
2005 May 26
11
Quick poll: CVS commits
Hi folks,
I'm conducting a straw poll for your opinions on whether we should send
CVS commit logs (probably with diffs) to the shorewall-devel list, or to
another (new) list?
I can see advantages to both ways: separate lists mean that people who
aren't contributing code don't get flooded with code noise, but a single
list will help keep everyone involved in the
2005 May 27
5
Problems with dynamic zones
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I found out problems with dynamic add of hosts to zones. If somebody has an
idea how to fix it, please do tell. My head is not working on this
properly. Hope you get the idea from this message. I'm trying to simplify
this as much as possible to make the problem clear.
Problem is:
Zones:
vpn
wlan
net
Interfaces:
net	eth0
wlan	eth1
Policies:
vpn	all
2003 May 26
2
minor problem with shorewall-1.4.4
I found a minor problem in the new logging system.
The new logging system limits zone names effectively to 4 characters. If you 
have a REJECT policy between 2 zones which have 5-character names, for 
example the ipsec zone, iptables will give an error because the log prefix is 
limited to 29 characters.
--log-prefix "Shorewall:ipsec2ipsec:1:REJECT:"
So zone names should be limited to 4 characters or
2010 May 04
7
Packet Not 100% Received
I have a problem with my shorewall. We are now doing some stress tests with an http application behind the shorewall. First we send 10.000 requests to an http based application with no firewall. It can receive 100% of the requests. But when we put shorewall in front of it then it starts to lose requests. Is there any packet limitation from shorewall or is it all about conntrack? Thanks for the reply.
2009 Aug 12
6
Shorewall (Openswan) IPSEC VPN MASQ Problem
Hi,
 
I have setup an IPSEC VPN using Openswan to connect a Draytek router to a
CentOS 5.2/Shorewall 4.2.9 firewall.  The VPN establishes OK but I'm
getting a problem with packets from the left hand subnet getting
masqueraded rather than routed down the IPSEC VPN as though they were
going out onto the net.  I've spent the last day searching Google and so
far I've hit a
2005 Jul 04
5
SysV install problem in FC4
After a fresh install, I noticed that shorewall 2.4.0 wasn't starting
automatically under FC4. The startup script installs properly from the
rpm:
/etc/rc.d/init.d/shorewall
... but the post install "/sbin/chkconfig --add shorewall" produces
this in the runlevel symlink directories:
/etc/rc.d/rc5.d/S-1shorewall
/etc/rc.d/rc0.d/K-1shorewall
/etc/rc.d/rc6.d/K-1shorewall
2011 Jan 07
3
4.4.16 RC 1 Testing Status?
Do those of you who are testing 4.4.16 RC 1 plan to do additional
testing or can we consider 4.4.16 ready for release?  Please let me know
by close of business on Tuesday, Jan 11 if you plan additional testing.
Thank you for helping with the testing effort,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not
2002 Oct 14
1
Shorewall and VLANs (802.1q)
My actual scenario is:
-Hundreds of PCs in an internal network (fixed IP), divided in +- 6 different 
subnets
-+- 6 customers with leased lines
-A Cisco Catalyst 4006 connecting groups of PCs to corresponding customers 
(imagine a Call Center company)
-Works fine.
The problem:
Frequently, it's necessary to migrate dozens of PCs from one customer to 
another. You know, change all IPs and