2002 Jun 07
4
Proxy ARP - Pros & Cons
In a previous thread, Tom listed advantages (reproduced below) of Proxy
ARP over NAT. They are great reasons, but I have one reservation. By
using private addresses with NAT for servers in my DMZ, I can granularly
allow specific traffic, such as to/from the SMTP gateway/relay in the
DMZ, to connect inbound from the DMZ to an internal (LOC) mail server,
and know that it comes only from a
2006 Mar 14
2
asterisk and iptables
Hi,
I have a problem with Asterisk on Linux.
Looks like it is an iptables problem. My external client (eyebeam, on a
different computer) cannot register to the asterisk server, but the
asterisk server itself *looks* to be working.
If I dial one of the incoming phone numbers for the server, I can see
the call arriving in Asterisk (using asterisk -r).
I tried nmap on my server, and this is the result:
2005 May 30
5
ipchains to shorewall
I have tried to replace these lines from ipchains to work with shorewall.
# NFS requires 111/tcp (sunrpc/portmapper) and *all* UDP ports.
#
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 111 -j ACCEPT
ipchains -A input -p udp -s $SUBNET -i eth0 -d 0/0 -j ACCEPT
# These ports are required by bootp, tftpd, and PXE.
# There are also a handful of udp ports that need to
# be open,
2004 Nov 24
6
Route first or NAT?
Hi,
I'm trying to use shorewall for a RAS dialup solution
We have networks we need to connect to with the same ranges internally
(i.e. 2 separate users with a 192.168.0.0/24 range). We connect to these
via a pptp tunnel (or isdn)
The problem we have is that we need to access these networks all the
time, so allocate them a range from our internal range. This will then
be NATed to the
2002 Mar 01
3
iptables 1.2.5 and shorewall 1.2.8?
Hey all-
Trying to run sh 1.2.8 and iptables 1.2.5 on my linux 2.4.17 box. I
built the kernel from kernel.org sources, and then patched it with
iptables 1.2.5 by doing
%make pending-patches KERNEL_DIR=/usr/src/linux
I let it run and patched these:
Welcome to Rusty's Patch-o-matic!
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I
2004 Aug 10
6
why ADD_DNAT_ALIASES missing?
hi,
is there any reason why there is no such thing as ADD_DNAT_ALIASES in
shorewall.conf or in rules (or have I just missed it)? I think about it
like in the masq file: if the masqueraded outgoing interface is different
from the default firewall interface, then I can use ip:<digit> where the
digit is the alias number. Since dnat is in the rules it can be used
from there. E.g.: if I would like to dnat
2005 Feb 22
6
identd on "clients"
Hi,
I use shorewall on my router (internal ip: 192.168.1.4). The router is used
as a gateway for my lan.
If I try to access an IRC server from any "client" (for example 192.168.1.1)
I get the message "no identd". I tried the following in my shorewall rules
config (/etc/shorewall/rules), but it doesn't work:
ACCEPT net loc tcp 113
2006 Mar 09
3
Shaping questions
Hello Shorewall users,
I have some questions I am hoping someone can answer. I have searched
around the archives but so far I have been unable to find answers. I
am trying to configure traffic shaping on my router/firewall box
running Shorewall 3.0.5/kernel 2.4.31 and have run into some
problems/questions.
My basic setup is: 1500/256kbit ADSL (PPPoE/ppp0) -> Shorewall box
2008 Sep 17
10
netfilter + vpn + how/why + etc...
Hi,
I have a few questions about the inner workings of netfilter
(a graphical layout of my network setup @
https://aequorin.homeunix.net:62389/local/media/network-graph.png)
1) These are the syslog entries for some simple connection tests.
Shorewall/netfilter has been set to record all stateful connections
SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN
is
2002 Aug 06
8
converting MASQ from ipchains
Hello,
on my old system I'm using ipchains. Can anyone help me with converting rule
/sbin/ipchains -A forward -j MASQ -s source_addr -d destination_addr 443 -p tcp
to shorewall. I know that I can write
eth0 source_addr
to /etc/shorewall/masq file
but I can't find where I can specify the destination address.
The reason for this is to allow one user (computer) access only to
2003 Jun 29
3
Snapshot 20030629
Problems Corrected:
1) A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked
around.
2) A problem introduced in earlier snapshots has been corrected. This
problem caused incorrect netfilter rules to be created when the
destination zone in a rule was qualified by an address in CIDR
format.
2019 Jan 31
4
C7, firewalld and rich rules
On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
> Did you look at Shorewall? IMHO that's what is best used in such
> situations and it works since many years now.
shorewall doesn't support nftables, which is largely the point of
firewalld: The Linux firewall system is currently undergoing yet
another deprecation and migration from iptables to nftables. firewalld
should
2012 Mar 18
4
fail2ban
Hi,
I realise that one can simply start fail2ban and then it will insert its
own ruleset before shorewall's ruleset. Are there subscribers to this
list having alternative (and probably better) ways to use both fail2ban
and shorewall?
Thanks,
Mark
2000 May 15
1
ipmasqadm port forwarding ipportfw (HOWTO)
Hi All,
born out of frustration with conflicting info on the net, I thought I'd
share a simple guide to set up the port forwarding side of masquerading...
this presumes you already have basic ipchains setup and simple masquerading
of internal machines installed.
PORT FORWARDING USING IPMASQADM.
Ipmasqadm supersedes the ipportfw feature.
1 - Upgrade to Kernel 2.2.12-20 if not already
2012 Feb 24
7
how to compare shorewall config versus live iptables rules?
Greetings,
I'm new to Shorewall but not to working with Iptables. Shorewall is the
simplest firewall front end I have found thus far. I'm currently trying
to build a Cfengine policy to maintain Shorewall configurations. My
main problem at the moment is confirming that the running iptables
rules match what Shorewall originally built.
If I understand Shorewall correctly the
2003 Feb 26
1
MASQ views
Wondering about being able to see MASQ activities with IPTABLES.
With IPCHAINS I used -M -L to make this possible. Nothing like that with
iptables, at least as far as I can see.
Any thoughts on that, fellows?
---
Ted Gervais
Coldbrook Nova Scotia
Canada B4R1A7
2004 Oct 11
5
Fw: setting an exception source to a redirect rule?
I recently setup shorewall on my freshly rebuilt router box.
I setup transparent proxying using transproxy/dansguardian/privoxy/squid.
My current rules for the redirect are:
REDIRECT loc 81 tcp www - !192.168.100.0/24
ACCEPT fw net tcp www
How do I set this so that all the requests are redirected except for requests FROM a certain machine (192.168.100.11)?
I
2003 Aug 02
1
[SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)
Netfilter Core Team Security Advisory
CVE: CAN-2003-0467
Subject: Netfilter / NAT Remote DoS
Released: 01 Aug 2003
Effects: Under limited circumstances, a remote user may be able to crash
2003 Oct 31
2
Running two shorewall processes.
When shorewall starts up does it completely flush any other iptables
rule sets or nat entries that are already in there?
Or
Can I run two instances of shorewall each loading a different set of
rules and a different set of IP addresses in the NAT table and have each
one only control what it adds?
2009 Jan 20
1
(OT) Firewall Question
Hi List,
I am not familiar with the commands of IPtables so I want to use tools on top of it. What do you suggest? Can I test it inside CentOS on top of VMWare server with only one LAN interface? I tried to use pfSense; I believe it has an easy to understand GUI, but it fails to install on my desktop machine to test, maybe due to hardware compatibility. Kernel panic during boot even after disabling