similar to: Short Netfilter Overview

In a previous thread, Tom listed advantages (reproduced below) of Proxy ARP over NAT. They are great reasons, but I have one reservation. By using private addresses with NAT for servers in my DMZ, I can granularly allow specific traffic, such as to/from the SMTP gateway/relay in the DMZ, to connect inbound from the DMZ to an internal (LOC) mail server, and know that it comes only from a

Hi, I''m trying to use shorewall for a RAS dialup solution We have networks we need to connect to with the same ranges internally (i.e. 2 separate users with a 192.168.0.0/24 range). We connect to these via a pptp tunnel (or isdn) The problem we have is that we need to access these networks all the time, so allocate them a range from our internal range. This will then be NATed to the

I have tried to replace these lines from ipchains to work with shorewall. # /NFS requires 111/tcp (sunrpc/portmapper) and *all* UDP ports./ # ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 111 -j ACCEPT ipchains -A input -p udp -s $SUBNET -i eth0 -d 0/0 -j ACCEPT # /These ports are required by bootp, tftpd, and PXE./ # /There are also a handful of udp ports that need to/ # /be open,

Hi, I have a problem with asterisks on Linux. Looks like it is a iptables problem. My external client (eyebeam, on a different computer) cannot register to the asterisk server, but the asterisk server itself *looks* working. If I dial one of the incoming phone numbers for the server, I can see the call arriving in Asterisk (using asterisk -r). I tried nmap on my server, and this is the result:

Hi, I have a few questions about the inner workings of netfilter (a graphical layout of my network setup @ https://aequorin.homeunix.net:62389/local/media/network-graph.png) 1) These are the syslog entries for some simple connection tests. Shorewall/netfilter has been set to record all stateful connections SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN is

Hi, I use shorewall on my router (internal ip: 192.168.1.4). The router is used as a gateway for my lan. If I try to access an IRC server from any "client" (for exaples 192.168.1.1) I get the message "no identd". I tried the following in my shorewall rules config (etc/shorewall/rules), but i doesn''t work: ACCEPT net loc tcp 113

hi, is there any reason why there is no such thing as ADD_DNAT_ALIASES in shorewall.conf or in rules (or am i just missed it)? i think about it like in masq file if the masquaraded outgoing interface is different from the default firewall intyerface than i can use ip:<digit> where the digit is the alias number. since dnat is in the rules it can be used from there. eg: if would like to dnat

Hello Shorewall users, I have some questions I am hoping someone can answer. I have searched around the archives but so far I have been unable to find answers. I am trying to configure traffic shaping on my router/firewall box running Shorewall 3.0.5/kernel 2.4.31 and have run into some problems/questions. My basic set up is: 1500/256kbit ADSL (PPPoE/ppp0) -> Shorewall box

Hello, on my old system I''m using ipchains. Can anyone help me with converting rule /sbin/ipchains -A forward -j MASQ -s source_addr -d destination_addr 443 -p tcp to shorewall. I know that I can write eth0 source_addr to /etc/shorewall/masq file but I can''t found where I can specify the destination address. The reason for this is to allow one user (computer) access only to

Hey all- Trying to run sh 1.2.8 and iptables 1.2.5 on my linux 2.4.17 box. I build the kernel from kernel.org sources, and then patched it with iptables 1.2.5 by doing %make pending-patches KERNEL_DIR=/usr/src/linux I let it run and patched these: Welcome to Rusty''s Patch-o-matic! Each patch is a new feature: many have minimal impact, some do not. Almost every one has bugs, so I

Problems Corrected: 1) A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around. 2) A problem introduced in earlier snapshots has been corrected. This problem caused incorrect netfilter rules to be created when the destination zone in a rule was qualified by an address in CIDR format.

When shorewall starts up does it completely flush any other iptables rule sets or nat entries that are already in there? Or Can I run two instances of shorewall each loading a different set of rules and a different set of IP addresses in the NAT table and have each one only control what it adds?

I recently setup shorewall on my freshly rebuilt router box. I setup transparent proxying using transproxy/dansguardian/privoxy/squid. My current rules for the redirect are: REDIRECT loc 81 tcp www - !192.168.100.0/24 ACCEPT fw net tcp www How do I set this so that all the request are redirected except for requests FROM a certain machine (192.168.100.11)? I

Hi List, I am not familiar with the commands of IPtables so I want use tools on top of it. What do you suggest. Can I make test of it inside CentOS on top of VMWare server with only one LAN inteface? I try to use Pfsense, I believe it has easy to understand GUI but it fails to install on my desktop machine to test, maybe due to hardware comaptibility. Kernel panic during boot even after disabling

I''m havign a HUGE amount of difficulty getting shoreline to work with LVS. We use it here constantly so we know it works. The problem is packets come in, get directed to a webserver, webserver returns the packet to firewall, and then it goes into a black hole. rp_filter is off globally on all interfaces. LVS seems to be working right.... I use shorewall tcrules to mark packets on

On 1/30/19 10:05 PM, Simon Matter via CentOS wrote: > Did you look at Shorewall? IMHO that's what is best used in such > situations and it works since many years now. shorewall doesn't support nftables, which is largely the point of firewalld:? The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should

Hello! We''re using Shorewall 1.4.2 and running into an interesting problem when we try to enable logging of traffic that netfilter classifies as "related" to an existing connection: there doesn''t seem to be a way to do it. Places where we''ve run into this problem are: (1) Attempting to log individual active or passive FTP data connections separately from

The patches may be found at: http://shorewall.net/pub/shorewall/contrib/IPSEC ftp://shorewall.net/pub/shorewall/contrib/IPSEC I found these patches on the netfilter-devel list and make no warranties as to how well they work (or not). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP

Hi, I realise that one can simply start fail2ban and then it will insert its own ruleset before shorewall''s ruleset. Are there subscribers to this list having alternative (and probably better) ways to use both fail2ban and shorewall? Thanks, Mark ------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90

Hi All, born out of frustration with conflicting info on the net, I thought I'd share a simple guide to set up the port forwarding side of masquerading... this presumes you already have basic ipchains setup and simple masquerading of internal machines installed. PORT FORWARDING USING IPMASQADM. “Ipmasqadm” supercedes the “ipportfw” feature. 1 - Upgrade to Kernel 2.2.12-20 if not already