similar to: New Article at Shorewall.net

Hi, this method for block SSH Login Attack it seems to be good. http://www.soloport.com/iptables.html which it is the better way in order to implement it into shorewall config files? Many thanks -- Dario Lesca <d.lesca@solinos.it>

I was wondering if anyone had implemented rules like this in shorewall: http://blog.andrew.net.au/tech I see tons of brute force attempts on the machines I administer, and I like the idea of limiting them without the need for extra daemons scanning for attacks. Thanks, Dale -- Dale E. Martin - dale@the-martins.org http://the-martins.org/~dmartin

hi, i create rule such action.AllowPostGrey: ----------------------------------------------- ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP ACCEPT $A_IP $PORTAL_IP tcp 10023 ACCEPT

hi, we use openvpn as for our vpn endpoints and we''ve got about 70-80 vpn connections which means we have tun0 - tun80 interface. i''d like to define one zone for all of our vpn connections how can I do that? actualy our local zone is 192.168.0.0/17 (not 16) and all of the vpn''s are in 192.168.128.0/17. our should i define somehow the local zone as 192.168.0.0/16? but in

hi, it''d be very useful to add some kind of "log everything" option to shorewall. currently the logging is useful if you know what you would like to log. but if you don''t know than it''s a problem... another problem that currently it''s not possible to log the nat table. at least i can''t find any way (can''t add logging into masq and

hi, in the masq file''s documentation, there is a sentence: "If you have a static IP on that interface, listing it here makes processing of output packets a little less expensive for the firewall." this realy means that SNAT to the primary address is less expensive than a MASQ rules in the netfilter? is this documented anywhere in iptables/netfilter? thanks. -- Levente

Hi all, Another Debian Etch fan here, running shorewall (shell) 3.2.6-2 (and Yes I''m going to upgrade when Lenny goes stable). I already have the SSHKnock working, as documented on the website: http://www.shorewall.net/PortKnocking.html Thanks, works great! In addition to the knock to open 22, I want to also ADD a redirect, from 2222 to 22 on an internal box. So, when I knock on 1600

Hello! We''re using Shorewall 1.4.2 and running into an interesting problem when we try to enable logging of traffic that netfilter classifies as "related" to an existing connection: there doesn''t seem to be a way to do it. Places where we''ve run into this problem are: (1) Attempting to log individual active or passive FTP data connections separately from

hi, there was some email problems and i repeat my question too fast, but this is the second part of my questions. - only the rules and policy files give access right? ie. rules in the FORWARD chain of the filter table in iptables ? - is a line in masq file automaticaly add an accept rule too? eg. in msaq file eth0 <internal ip> allow connection from <internal ip> (local zona) to the

hi, is there any reason why there is no such thing as ADD_DNAT_ALIASES in shorewall.conf or in rules (or am i just missed it)? i think about it like in masq file if the masquaraded outgoing interface is different from the default firewall intyerface than i can use ip:<digit> where the digit is the alias number. since dnat is in the rules it can be used from there. eg: if would like to dnat

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1 Problems Corrected: 1. The syntax of the add and delete command has been clarified in the help summary produced by /sbin/shorewall. New Features: 1. TCP OpenVPN tunnels are now supported using the ''openvpn'' tunnel type. OpenVPN

hi, in the interface documentation at the dhcp option 3. said: ----------------------------------- 3. you have a static IP but are on a LAN segment with lots of Laptop DHCP clients. ----------------------------------- can someone explain it for me? what the laptop means here? on the loc zones interface we have a static ip but the whole network is dhcp clients. but they are not laptops rather

I''ve been using the port knocking technique described in the Shorewall docs to control ssh access on one of our servers: http://www.shorewall.net/PortKnocking.html It works great, but occasionally one of the admins forgets to perform the close port operation. This leaves ssh open to the world until one of us notices. I''ve considered adding a cron job to close the port every

While I''m in temporary retirement, I''ve decided spend a little time experimenting with new things and making some updates to the web site. The biggest result of this effort to date has been: http://shorewall.sf.net/Shorewall_Squid_Usage.html This outlines how to use Squid as a transparent proxy running on the firewall, in the DMZ or in the local network. In the latter two

Hi, I''ve attached a patch which fixes a logging problem with log_rule_limit in custom actions. E.g. this action: ,----[ Whitelist ] | if [ -n "$LEVEL" ]; then | run_iptables -N ${CHAIN}Add | log_rule_limit $LEVEL ${CHAIN}Add WhitelistAdd DROP "$LOG_LIMIT" $TAG | run_iptables -A ${CHAIN}Add -j DROP | run_iptables -N ${CHAIN}Del | log_rule_limit

Hi folks Im currently doin firewall project.. the scenario is like this.. my application server open port number 3079 the server ip is 202.188.0.132. and now the port can be accessed from everywhere. Now i want to block all the everywhere accessed. But my problem is, the application will be accessed by few locations that doing transaction with the application server. and the said locations are

The rule: ACCEPT loc $FW::3128 tcp www doesn''t work propertly, the http access does not redirect to squid but directly exit. what''s wrong? Thanks ------- Dario Lesca (d.lesca@ivrea.osra.it) -------------------------------------- @@@@@@@ this is my shorewall-1.2.13 config: #[/etc/shorewall/common.def]-----------------------------------------------

hi, while all files is owned by nsd user and nsd run as nsd the nsd.db is still owned by root user (because the compiler run as root and create this file as root, ok i know just it'd be better if this file is owned by nsd too). another strange thing is that on the slave nsd i've got such messages: ----------------------------------------- zonec: reading zone "lfarkas.org".

hi, we've a few 10-20 server in a lan each has 4-8 hdd. we'd like to create one big file server on these server hard disks and we'd like to create it in a redundant way ie: - if one (or more) of the hdd or server fails the whole filesystem still usable and consistent. - any server in this farm can see the same storage/filesystem. it's someting a big network raid5-6... storage where

may here someone can answer me... -------- Original Message -------- Subject: Re: [CentOS-announce] Release for CentOS-5.2 i386 and x86_64 Date: Tue, 24 Jun 2008 18:31:20 +0200 From: Farkas Levente <lfarkas at lfarkas.org> To: The CentOS developers mailing list. <centos-devel at centos.org> References: <4860E6EB.5000906 at centos.org> Karanbir Singh wrote: > > We are