similar to: Your opinion please

Using Shorewall v1.2, and testing the firewall using scan.sygate.com, I am informed that several ports (web (80), ident (113) and DCE locator (135) are ''closed'' rather than ''blocked''. All other ports show as blocked or ''stealthed''. I haven''t set up any rules or policies that have anything to do with 80, 113 or 135. Is this

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

Now that 1.3 is out, I thought it would be a good idea to tell you what my plans are for Shorewall and to solicit input from this list. My focus for the next several minor releases will be to incorporate recent Netfilter enhancements into Shorewall. For example, this afternoon I have integrated support for the ''multiport'' match facility. I would like to defer the next minor

Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \

In a previous thread, Tom listed advantages (reproduced below) of Proxy ARP over NAT. They are great reasons, but I have one reservation. By using private addresses with NAT for servers in my DMZ, I can granularly allow specific traffic, such as to/from the SMTP gateway/relay in the DMZ, to connect inbound from the DMZ to an internal (LOC) mail server, and know that it comes only from a

I''m wondering if is is posable to do something like . /etc/shorewall/somefile from inside the blacklist file is a future release. is is this sort of thing already available and I''m just doing it wrong? -- Brad Wyman |\ _,,,---,,_ bradw@sta-care.com /,`.-''`'' -. ;-;;,_ Network Admin |,4- ) )-,_. ,\ ( `''-'' Sta-Care,

Hi folks, When we first started talking about Shorewall post-Tom, a few people offered to help with testing. Would those people please raise their hands again? :-) I''m investigating Nicolas Helleringer''s recent message on shorewall-users (http://lists.shorewall.net/pipermail/shorewall-users/2005-June/018898.html), and a good test environment would come in really handy,

As 2.2.0 is nearing release, I''ve begun to think about what I''ll do for 2.3 and I think that it is time for Shorewall to add support for IPV6. Because of parsing ambiguities, the need to maintain upward compatibility with both Shorewall and 6Wall, and different available functionality in IPV4 and IPV6 Netfilter, I believe that it is going to be necessary for some files to be

I''m beginning to think again about what will be different in 2.0. Here are some thoughts. a) User-defined actions will be emphasized. - A library of actions will be available with names such as: AcceptSSH AcceptDNS DropWindows (drops all SMB noise) DropBroadcasts (Silently drop all Broadcast traffic) ... The possibilities are nearly endless but should

Hi, I plug my laptop in different networks and use the following hack to configure automatically shorewall for trusted/untrusted networks: In /etc/shorewall/params: # none is a dummy zone associated to the loopback interface NONE="none:0.0.0.0" # Network scheme, automatically detected by intuitively NETWORK_SCHEME="$(cat /etc/network/scheme 2>/dev/null)" case

I have a perferctly working shorewall system, with basic configuration (external real IP, one private address internal network with some forwarded services), and log handling with fwlogwatch. My problem is that I can''t find out how to make something like this with shorewall (TCP-connections only): - Allow protocol x connections from IP x.x.x.x without logging - Allow protocol x

Hello, With reference to the problems listed below. I too am having incredibly long start up times. I''m talking minutes here (around 5 minutes). My configuration is not complex I don''t think. We are you using ldap too and the settings are bellow. The network is up as I''m restarting shorewall whilst the machine is running. Any suggestions? Is there no way to

I believe that 2.4.0 is about ready to be sent out the door. I''ve made a couple of small changes since RC2 but I don''t believe that they warrant another RC. There remains the issue of what to do about support for Shorewall 2.0 given that 2.2 has only been available since March. It would be my recommendation to make 2.4 the new "stable" release but continue to

The params file appears to be simply "sourced" by the firewall script, which means one can put any Bourne shell code into it and it will execute it. This feature isn''t documented, so I''m wondering if it can be documented and thus guaranteed to always work. I''d like to dig out the IP parameters of my interface cards from the ifcfg-eth? files and set shorewall

Hi folks, I''ve added a couple of ''help wanted'' ads to our SourceForge project. You can see them at http://sourceforge.net/people/?group_id=22587 I''ll add more as i have the opportunity. If you can think of other jobs we need to assign, please let me know. -- Paul <http://paulgear.webhop.net> -- Did you know? Using accepted quoting conventions makes

Greetings to all of the Shorewall community! We''d like to find out a little more about the environments in which Shorewall runs, and to this end i''ve created a survey. It is mostly designed to allow Shorewall users to see how their environment compares with that of the average Shorewall user (if such a thing exists!), but the results may be used by the Shorewall team to assist

Anyone know how/where we can get some? It has been raised before: http://lists.shorewall.net/pipermail/shorewall-users/2004-July/013594.html I''d like to see an IRC or Jabber service for both support and development. -- Paul <http://paulgear.webhop.net> -- Did you know? OpenOffice.org has built-in PDF creation. Better yet, it''s compatible with Microsoft Office, and

Guys, Just a quick check. From what i have read in the shorewall site, intrazone traffic is allowed completely by shorewall i.e. there is no filtering or packet size limiting ,etc,etc. I ask this becos after getting shorewall up and running well, someone has complained that they cannot print pdf files larger than 100k at one go but that they have to print one page at a time. Some details;

Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 186 bytes Desc: OpenPGP digital signature Url : http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050604/bee263f3/signature.bin

Hi folks, Last night and this morning i''ve hacked up a quick web site for coordinating our development work based on Drupal (http://drupal.org). You can find it at: http://shorewall.dyndns.org I''ve put a few ideas in there - feel free to use the comments or sign up for an account and create your own pages (particularly in the two books about development and web site work).