similar to: Preparing for Shorewall 2.2 -- End of Support for Shorewall 1.4 is near!

Shorewall 2.2.0 is expected to be released in the February/March timeframe so it is now time to begin thinking about preparing to upgrade. This is particularly important for those of you still running Shorewall 1.4 since support for that version will end with the release of 2.2. For those of you still running Shorewall 1.4, here are some things that you can do ahead of time to ease the upgrade to

Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about preparing to migrate to the 2.0 Shorewall series. Shorewall 2.0 makes a number of incompatible changes in the configuration files. Luckily, you will be able to make changes ahead of time to your 1.4 configuration that will ease the migration when the time comes. a) Shorewall 2.0 doesn''t allow you to specify

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In this release: 1) Dynamic Ipsec Zones now work. 2) Output Traffic Accounting by user/group is supported (thanks to Tuomas Jormola). 3) The following negative test options are added in /etc/shorewall/ipsec and /etc/shorewall/masq: reqid!=<number> spi!=<number> proto!=esp|ah|ipcomp mode!=tunnel|transport

Yes thank you for answering so fast ! I have corrected it, here the new diagram and the new routing table. But it still doesn''t work. >From the router i can access to 192.168.11.254 I have add the rules : DNAT loc priv:192.168.11.254:22 tcp 22 But i can''t connect to 192.168.11.254 from LAN The DNAT fonction doesn''t work, but i can DROP packet arriving on eth0 (loc)

Sorry some email problem, i have change it for more reliable one. I have try this morning to netmasq 192.168.11.0 (eth1) to 192.168.1.0 (eth0), but it is a mistake. Yes thank you for answering so fast ! I have corrected it, here the new diagram and the new routing table. But it still doesn''t work. From the router i can access to 192.168.11.254 I have add the rules : DNAT loc

Hi guys, i have a 2-interfaces nic cards Shorewall 3.0.x Firewall. I need to allow access to an internal saprouter server from internet. When i try a connection from the sapgui from a workstation on Internet i get a connection time-out on port 3299 by the saprouter My shorewall interfaces configuration is: ZONE INTERFACE BROADCAST OPTIONS loc eth3 detect

I''m not a subscribed user, so please cc me on any replies (fier0@bigfoot.com). I know this has been asked a few times, but i have not been able to find a direct answer. I was using shorewall with 2 nics, and it worked fine, except if that linux box went down then nobody could get out to the internet (and the wife would kick my ass). I''ve now started to use my linksys

Dear All, After installing Shorewall, on a router with 4 NIC, seems running ok. Next day, when connecting from clients, (MS) we keep getting ip conflict for non-conflicting ip addresses. Any help is appreciated. Detals of Startup: + shift + nolock= + ''['' 1 -gt 1 '']'' + trap ''my_mutex_off; exit 2'' 1 2 3 4 5 6 9 + command=start +

Hello, I am running a web server on my internal network. Clients outside the web can view it but inside the network, they get page cannot be displayed. I have tried shorewall faq 2 but it still doesn''t work. interfaces #ZONE INTERFACE BROADCAST OPTIONS net ppp0 detect dhcp,routefilter,norfc1918,routeback masq eth1 detect routeback masq #INTERFACE SUBNET ADDRESS ppp0 eth1 #LAST LINE --

I''ve got a Shorewall firewall setup that''s similar to the standard 3 interface configuration (net,loc,dmz). Several ports are forwarded from the internet to computers in the dmz. I''d like to have any connections to that same public IP address from either loc or dmz to be treated exactly as if they were coming in from the internet itself. There''s some

Shorewall 4.3.7 is available for testing. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 3 . 7 ---------------------------------------------------------------------------- 1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 and 4.3 versions. The problem: a) Only occurs when

Hi all, Perhaps I''ve miss something... I have read every FAQ and documentation from shorewall.net before asking question here, hope someone can help me ! Try many things DNAT, netmasq, proxy arp, it doesn''t work. LAN and PRIVATE network can''t see each other, i can''t ping PRIVATE LAN from LAN and vice-versa. I first think of routing error, but i can''t

On Tue, 2003-10-28 at 13:41, AdStar wrote: > Hi Tom, > > I''ve upgraded my firewall to 1.4.7c (and copied the firewall/functions from > the CVS over for the accounting names) > > I still get this reject in my logs. > Oct 29 08:35:08 pyro Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 > MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=10.0.100.11 DST=10.0.100.10 >

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

Hi everyone! I''m having time out problems when using a DNAT rule. Rule: DNAT:info cmtc loc:192.168.0.158 tcp 8011 Log: Mar 17 17:50:17 gw kernel: [1583997.524924] Shorewall:cmtc_dnat:DNAT:IN=eth3 OUT= SRC=10.1.0.2 DST=10.0.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=4279 DF PROTO=TCP SPT=32791 DPT=8011 WINDOW=5840 RES=0x00 SYN URGP=0 Telnet: root@emudar:~# telnet

Hello, On my systems i use shorewall 3.2.6. Now all systems where replace by new ones with new ip''s. So i tried with DNAT to map the old ip''s to the new one as long as DNS is updated. But i didn''t get it work. I see in tcpdump that a connect from client-ip to new-server-ip is done while connection the old on. But i get no response. Did i configure something in the

This is a minor release of Shorewall. Problems Corrected: 1) TCP connection requests rejected out of the common chain are now properly rejected with TCP RST; previously, some of these requests were rejeced with an ICMP port-unreachable response. 2) ''traceroute -I'' from behind the firewall previously timed out on the first hop (e.g., to the firewall). This has been

Hello all, I had setup shorewall before succesfully with a normal LAN to internet connection. Now I''m connected to the internet via VPN and I got problems with configuring Shorewall. Any help is appreciated. This is my setup: - Gentoo Linux laptop (kernel gentoo-dev-sources-2.6.8.1) with Shorewall 2.0.4 (setup for Standalone one interface) and iptables 1.2.11 - VPN client is

Hi all, net : internet zone dmz : DMZ zone Lan : local network zone in 1.4.6c this rule : DNAT all lan:10.0.0.1 tcp http - 192.0.0.1 does generate the following iptables rules in nat table : Chain OUTPOUT DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain net_dnat DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain dmz_dnat

My dcgui-qt (chat/file-sharing program) doesn''t work and I''m pretty sure it''s my firewall settings. dcgui-qt is a direct connect (file sharing & chat) client. According to the FAQ here (http://dcplusplus.sourceforge.net/faq/faq.php) all I should need to do is: ------- #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #