Displaying 20 results from an estimated 9000 matches similar to: "New Article at Shorewall.net"
2005 May 12
2
A Cure for the Common SSH Login Attack
Hi, this method for blocking SSH login attacks seems to be good.
http://www.soloport.com/iptables.html
Which is the better way to implement it in the Shorewall
config files?
Many thanks
--
Dario Lesca <d.lesca@solinos.it>
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall:
http://blog.andrew.net.au/tech
I see tons of brute force attempts on the machines I administer, and I like
the idea of limiting them without the need for extra daemons scanning for
attacks.
Thanks,
Dale
--
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin
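Both of the SSH threads above ask for the same thing: limiting brute-force logins per source address without an extra scanning daemon. The following is an added example, not code from either post, from the linked blog entries, or from Shorewall itself. It uses the netfilter "recent" match, which is the mechanism those posts refer to, written as plain iptables so the rule order is visible. Assumptions: SSH listens on tcp/22, the list is called SSH, and a source is allowed 4 new connections per 60 seconds (all three are adjustable through environment variables). Without an argument the script only prints the commands; "apply" pipes them into sh, which needs root and iptables.

```shell
#!/bin/sh
# Added example: per-source SSH rate limiting with the xt_recent match.
# Assumed values (not from the posts): port 22, list name SSH, 4 hits / 60 s.
SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-60}
HITS=${HITS:-4}

# Print the rules in the order they must be loaded.
#  - The --set rule records a timestamp for the source on every new
#    connection.
#  - The --update rule matches when the source already has HITS timestamps
#    inside the last WINDOW seconds, so the HITS-th attempt in the window is
#    dropped. --rttl additionally requires the packet's TTL to match the
#    recorded one, which makes it harder to lock someone out with spoofed
#    SYNs carrying their address.
#  - Because --set runs first, a client that keeps retrying keeps refreshing
#    its timestamps and stays blocked for as long as it hammers the port.
# The chain only drops; a normal rule accepting tcp/22 must still follow it
# in INPUT. Creating the chain fails if it already exists, so flush or
# delete SSH_LIMIT before re-running.
ssh_limit_rules() {
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name SSH --set
iptables -A SSH_LIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS --rttl -j DROP
EOF
}

# Self-check: both halves of the mechanism (--set and --update) must be
# present, otherwise the list is never populated or never consulted.
ssh_limit_recent_count() {
    ssh_limit_rules | grep -c -- '-m recent --name SSH'
}

if [ "${1:-}" = "apply" ]; then
    ssh_limit_rules | sh -e
else
    ssh_limit_rules
fi
```

The RATE LIMIT column of a Shorewall rules or action file (visible in the action file further down this page) is built on the "limit" match, which throttles the rule as a whole rather than each source address; the "recent" list above is what gives the per-attacker behaviour the posters are after. To see who is currently listed, read /proc/net/xt_recent/SSH (/proc/net/ipt_recent/SSH on the 2.4/2.6 kernels of that era).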
2004 Sep 17
8
can I write such an action?
hi,
I create a rule in such an action, action.AllowPostGrey:
-----------------------------------------------
######################################################################################
#TARGET   SOURCE   DEST         PROTO   DEST      SOURCE    RATE    USER/
#                                        PORT      PORT(S)   LIMIT   GROUP
ACCEPT    $A_IP    $PORTAL_IP   tcp     10023
ACCEPT
2004 Aug 06
9
how to define a dozens of interface as one zone
hi,
we use openvpn for our vpn endpoints and we've got about 70-80 vpn
connections, which means we have tun0 - tun80 interfaces. I'd like to
define one zone for all of our vpn connections; how can I do that?
Actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
are in 192.168.128.0/17. Or should I somehow define the local zone as
192.168.0.0/16? But in
2004 Oct 18
11
how can i log everything?
hi,
it'd be very useful to add some kind of "log everything" option to
shorewall. Currently the logging is useful if you know what you would
like to log, but if you don't know then it's a problem...
Another problem is that currently it's not possible to log the nat table.
At least I can't find any way (can't add logging into masq and
2004 Oct 06
4
SNAT is less expensive than MASQ
hi,
in the masq file's documentation, there is a sentence:
"If you have a static IP on that interface, listing it here makes
processing of output packets a little less expensive for the firewall."
Does this really mean that SNAT to the primary address is less expensive than
a MASQ rule in netfilter? Is this documented anywhere in
iptables/netfilter?
thanks.
--
Levente
2008 Jun 18
8
Expanding SSHKnock shell script, a few questions please
Hi all,
Another Debian Etch fan here, running shorewall (shell) 3.2.6-2 (and yes, I'm going to upgrade when Lenny goes stable).
I already have the SSHKnock working, as documented on the website:
http://www.shorewall.net/PortKnocking.html
Thanks, works great!
In addition to the knock to open 22, I want to also ADD a redirect, from 2222 to 22 on an internal box. So, when I knock on 1600
2003 Jul 23
3
How to Log "Related" Traffic?
Hello!
We're using Shorewall 1.4.2 and running into an interesting problem when
we try to enable logging of traffic that netfilter classifies as
"related" to an existing connection: there doesn't seem to be a way to
do it. Places where we've run into this problem are:
(1) Attempting to log individual active or passive FTP data connections
separately from
2004 Aug 10
11
who gives access? was: why ADD_DNAT_ALIASES missing?
hi,
there were some email problems and I repeated my question too fast, but
this is the second part of my questions.
- Only the rules and policy files give access, right? I.e. rules in the
FORWARD chain of the filter table in iptables?
- Does a line in the masq file automatically add an accept rule too? E.g. in the
masq file
eth0 <internal ip>
allows connections from <internal ip> (local zone) to the
2004 Aug 10
6
why ADD_DNAT_ALIASES missing?
hi,
is there any reason why there is no such thing as ADD_DNAT_ALIASES in
shorewall.conf or in rules (or have I just missed it)? I think about it
like in the masq file: if the masqueraded outgoing interface is different
from the default firewall interface then I can use ip:<digit> where the
digit is the alias number. Since dnat is in the rules it can be used
from there. E.g. if I would like to dnat
2004 Dec 19
8
Shorewall 2.2.0 RC1
http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1
ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1
Problems Corrected:
1. The syntax of the add and delete command has been clarified in
the help summary produced by /sbin/shorewall.
New Features:
1. TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
type. OpenVPN
2004 Oct 20
3
what is this dhcp flag?
hi,
in the interface documentation, dhcp option 3 says:
-----------------------------------
3. you have a static IP but are on a LAN segment with lots of Laptop
DHCP clients.
-----------------------------------
Can someone explain it to me?
What does "laptop" mean here? On the loc zone's interface we have a static
ip but the whole network consists of dhcp clients. But they are not laptops,
rather
2005 Jun 26
1
Knocked port timeout...
I've been using the port knocking technique described in the Shorewall
docs to control ssh access on one of our servers:
http://www.shorewall.net/PortKnocking.html
It works great, but occasionally one of the admins forgets to perform
the close port operation. This leaves ssh open to the world until one
of us notices.
I've considered adding a cron job to close the port every
2003 Jan 09
19
New on the Web Site
While I'm in temporary retirement, I've decided to spend a little time
experimenting with new things and making some updates to the web site. The
biggest result of this effort to date has been:
http://shorewall.sf.net/Shorewall_Squid_Usage.html
This outlines how to use Squid as a transparent proxy running on the
firewall, in the DMZ or in the local network. In the latter two
2005 Mar 01
1
Logging patch
Hi,
I've attached a patch which fixes a logging problem with
log_rule_limit in custom actions. E.g. this action:
,----[ Whitelist ]
| if [ -n "$LEVEL" ]; then
| run_iptables -N ${CHAIN}Add
| log_rule_limit $LEVEL ${CHAIN}Add WhitelistAdd DROP "$LOG_LIMIT" $TAG
| run_iptables -A ${CHAIN}Add -j DROP
| run_iptables -N ${CHAIN}Del
| log_rule_limit
2006 Jan 31
24
Need help and advised
Hi folks
I'm currently doing a firewall project. The scenario is like this: my
application server opens port number 3079, the server IP is 202.188.0.132, and
now the port can be accessed from everywhere. Now I want to block all the
access from everywhere. But my problem is, the application will be accessed by a
few locations that do transactions with the application server, and the
said locations are
2002 May 14
4
Redirect loc::80 to fw::3128 not work
The rule:
ACCEPT loc $FW::3128 tcp www
doesn't work properly; the http access is not redirected
to squid but exits directly.
What's wrong?
Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
--------------------------------------
@@@@@@@ this is my shorewall-1.2.13 config:
#[/etc/shorewall/common.def]-----------------------------------------------
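The rule in the post above is an ACCEPT, and ACCEPT only adds a filter-table rule; nothing in it rewrites connections that clients address to port 80 on some external host, so they never reach Squid. The following is an added example, not from the post or from Shorewall, showing the nat-table rules that a transparent proxy redirect actually needs, written as plain iptables so the difference is visible. Assumptions (all made up for the example): the loc zone sits on eth1, Squid listens on tcp/3128 on the firewall, and 192.168.1.1 is the firewall's own address in loc. Shorewall's REDIRECT rule type, which the Shorewall Squid document linked elsewhere on this page describes, is the configuration-file way to get the same result.

```shell
#!/bin/sh
# Added example: transparent redirect of loc web traffic to Squid on the
# firewall. Assumed (not from the post): eth1, tcp/3128, 192.168.1.1.
LOC_IF=${LOC_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-3128}
FW_LOC_IP=${FW_LOC_IP:-192.168.1.1}

# What the posted rule "ACCEPT loc $FW::3128 tcp www" amounts to, roughly:
#   iptables -A loc2fw -p tcp --dport 3128 -j ACCEPT
# i.e. permission for traffic that is already aimed at port 3128, and no
# redirection at all.
#
# The working version has two parts:
#  1. A nat PREROUTING rule with the REDIRECT target, which rewrites the
#     destination of inbound port-80 connections from loc to the firewall's
#     own port 3128. Requests addressed to the firewall itself are excluded
#     so a web server on the firewall (or Squid's own port) is reachable
#     without looping. Squid's outbound fetches originate on the firewall
#     and therefore pass OUTPUT, not PREROUTING, so they are not caught.
#  2. A filter INPUT rule accepting the rewritten connection on 3128; the
#     filter table sees the destination after nat has changed it.
transparent_proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 80 ! -d $FW_LOC_IP -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LOC_IF -p tcp --dport $SQUID_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Self-check used below: exactly one nat rule and one filter rule.
transparent_proxy_rule_count() {
    transparent_proxy_rules | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    transparent_proxy_rules | sh -e
else
    transparent_proxy_rules
fi
```

Two practical checks after loading: "iptables -t nat -L PREROUTING -v -n" should show the packet counter on the REDIRECT rule climbing as clients browse, and Squid must be configured to accept intercepted requests, otherwise it will answer the redirected connections with errors even though the firewall side is right.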
2006 Dec 07
1
a few more notes
hi,
while all files are owned by the nsd user and nsd runs as nsd, the nsd.db is
still owned by the root user (because the compiler runs as root and creates
this file as root; OK, I know, it'd just be better if this file were owned
by nsd too).
Another strange thing is that on the slave nsd I've got such messages:
-----------------------------------------
zonec: reading zone "lfarkas.org".
2007 Jun 13
4
network raid file system/server
hi,
we've a few (10-20) servers in a LAN, each with 4-8 HDDs. We'd like to create
one big file server on these servers' hard disks and we'd like to create
it in a redundant way, i.e.:
- if one (or more) of the HDDs or servers fails the whole filesystem is still
usable and consistent.
- any server in this farm can see the same storage/filesystem.
It's something like a big network raid5-6... storage where
2008 Jun 25
2
[Fwd: Re: [CentOS-announce] Release for CentOS-5.2 i386 and x86_64]
maybe someone here can answer me...
-------- Original Message --------
Subject: Re: [CentOS-announce] Release for CentOS-5.2 i386 and x86_64
Date: Tue, 24 Jun 2008 18:31:20 +0200
From: Farkas Levente <lfarkas at lfarkas.org>
To: The CentOS developers mailing list. <centos-devel at centos.org>
References: <4860E6EB.5000906 at centos.org>
Karanbir Singh wrote:
>
> We are