similar to: Shorewall 2.3.0

I have been using shorewall for years with ipsets. I have encountered a problem after upgrading from 4.2.11 to 4.4.10. When I run ''shorewall-check'' or ''shorewall start'', it halts with the error: ---------------------------------------------------------------------- ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and

After I''ve played with ipsets for several days, I''m beginning to become disenchanted with the way the SAVE_IPSETS=Yes works. I spent almost an hour configuring a bunch of ipsets to be just the way that I wanted them only to wipe them out with a "shorewall restart" :-( So, I think that I will change the implementation as follows: a) The ipset contents will only be

Shorewall 4.3.7 is available for testing. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 3 . 7 ---------------------------------------------------------------------------- 1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 and 4.3 versions. The problem: a) Only occurs when

hi i''ve created an emergingthreats fwrules ipset updater for use with my shorewall. maybe others find this usefull too. short howto: * get bash script (emerging-ipset-update.txt) from http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules * add the configured ipsets to shorewall configfile "blacklist" * if not already configured: configure your interfaces for

This is the latest development release and may be found at: http://shorewall.net/pub/shorewall/2.3/shorewall-2.3.1 ftp://shorewall.net/pub/shorewall/2.3/shorewall-2.3.1 This release changes the way that SAVE_IPSETS=Yes works to try to make it harder to shoot yourself in the foot. Read the release notes carefully. In addition, there are two problems corrected: 1) A typo in the

Hi, I''ve been successfully using shorewall in our K12 school since the 2.x days initially on Mandrake and now on Debian. Because of that my config has got quite complicated. The firewall has a working MultiISP setup with four interfaces (I''ve renamed them with udev to easy their identification): lan-if, dmz-if, snt-if and dnt-if (one of the providers (the one on dnt-if) is a DSL

Hi everybody. I''m sorry to bother you because I''m probably doing something wrong, but I have already read the documentation and I have been using shorewall for quite a long time. I recently installed 3.2.3 from source (but there was the same problem with 3.0.7 from apt-get ... -t unstable) The thing is, that I can''t get masq working. Maybe this is because

Hi, I use shorewall-4.5.4 + lsm-0.143 and it does not seem to work as expected... When all providers are up, everything seems fine. When one goes down, lsm says "link <provider> down event"... and it seems ok but we then experience some problems such as a few unreachable sites, DNS problems... If I remove the downed provider from all confs and restart, everything works again.

-------- Original Message -------- Subject: Re: [CentOS] ipset and blacklisting From: "Albert McCann" <mac358 at newsguy.com> Date: Wed, September 21, 2016 5:34 am To: "'CentOS mailing list'" <centos at centos.org> How are you saving and reloading the ipsets over a reboot? > -----Original Message----- > From: centos-bounces at centos.org

Hi, Is it possible to get Shorewall to reload the static blacklist file without resetting the packet and byte counters? I am following the guide at http://mudy.wordpress.com/2009/02/21/shorewall-blacklist-spamhaus-dshield/ to periodically generate a blacklist, but "shorewall -qq refresh -n blacklst" resets all my accounting. Is there a way to do this without resetting the counters? I

Hi all, I have a strange problem in trying to install a transparent proxy (in my internal net not on the shorewall server) according to the instructions as outlined in http://www.shorewall.net/Shorewall_Squid_Usage.html#Local My Network looks the following: Internal Net: 10.0.0.0/24 Squid Server listening on port 3128 (ip 10.0.0.152, DNS name server01) | |

Shorewall 4.5.8 Beta 1 is now available for testing. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) This release includes the defect repair from Shorewall 4.5.7.1. 2) The restriction that TTL and HL rules could

Shorewall 4.5.8 Beta 1 is now available for testing. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) This release includes the defect repair from Shorewall 4.5.7.1. 2) The restriction that TTL and HL rules could

Hello all. First of all, please be a bit indulgent to my poor English :-). Second, this message is "kinda" BIG, so if you don''t like BIG messages, simply don''t read it :-). I''ve read http://shorewall.net/2.0/Shorewall_and_Routing.html and http://shorewall.net/MultiISP.html, however I still a bit confused how to organize what I need :-). I''ve a

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi: I have a small infrastructure of network of local area, that are based on a computer, with computer and with a Point Access, with Debian Etch 4.0r1. With Shorewall 3.2.6-2. Well. Since I have two cards of network, which of which, I have left like that: Internet --> Router (217.126.221.65) --> eth1 (217.126.221.117) --> eth0 (LAN

I haven''t debugged this enough to understand what is happening, but I observe the following: someipset = bitmap:ip,mac 1) br0:+someipset 2) br0:+someipset[2] The first 1) doesn''t match anything in rules or tcrules, the second 2) matches fine. (Also using +someipset[1] doesn''t match anything) Is it possible/sensible/feasible to have shorewall figure out the

In the docs at http://www.shorewall.net/Shorewall-perl.html, "Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/start" implies that code in /etc/shorewall/start is executed BEFORE Shorewall starts. In the default /etc/shorewall/start # /etc/shorewall/start # # Add commands below that you want to be

Hi all I have a CentOS6 box with shorewall-4.5.21. If I have IPSET= in shorewall.conf and I issue the command "shorewall add ppp:192.168.33.3 ptp", I get the error: /usr/share/shorewall/lib.cli: line 585: [: too many arguments ERROR: Zone ptp, interface ppp does not have a dynamic host list The error is corrected setting the actual path to ipset in shorewall.conf, or via the patch:

> -----Original Message----- > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On > Behalf Of John R Pierce > Sent: Sunday, September 11, 2016 10:44 PM > To: centos at centos.org > Subject: Re: [CentOS] Iptables not save rules > > On 9/11/2016 8:55 AM, TE Dukes wrote: > > I have been using ipset to blacklist badbots. Works like a champ! >

http://bugzilla.netfilter.org/show_bug.cgi?id=744 Summary: set:list behavior Product: ipset Version: unspecified Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: default AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy: martinbarrowcliff