similar to: If you are planning to use dynamic zones....

The version of Shorewall in the CVS development tree contains the first implementation of dynamic zones. While these zones are aimed at IPSEC Road Warriors, there is nothing ipsec-specific in the implementation except for a small extension in the tunnels file. There are two new commands: add and delete shorewall {add|delete} <interface>[:<host or subnet>] zone The interface

It''s becoming clear that there will be a restriction on what should be added to dynamic zones. In particular, you don''t want to add something to a dynamic zone that is a super-set of an existing zone. Other than that, I think the new code is working rather well with the latest CVS version. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

... using LATEST.rpm, LATEST.tgz, etc. then you probably downloaded 1.2.13 rather that 1.3.0. I''ve now fixed the problem. Sorry for the screwup... -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

--On Friday, January 24, 2003 1:59 PM -0700 Steve Fink <stevef@netvantix.com> wrote: > On Fri, 2003-01-24 at 08:31, Tom Eastep wrote: >> >> >> --On Friday, January 24, 2003 8:20 AM -0700 Steve Fink >>> <stevef@netvantix.com> wrote: >>> >>> http://leaf.netvantix.com/012303/swstatus.txt >>> >> >> It looks like your

----- Original Message ----- From: "Tom Eastep" <teastep@shorewall.net> To: "Gary Gale" <gary@vicchi.org> Sent: Monday, March 11, 2002 11:48 AM Subject: Re: [Shorewall-users] Firewall and Port Forward Clash? > Gary, > > ----- Original Message ----- > From: "Gary Gale" <gary@vicchi.org> > To: "Shorewall Users List"

Version 1.0 of the Quick Start Guide and accompanying sample configurations is available at: http://www.shorewall.net/shorewall_quickstart_guide.htm. Comments and suggestions are most welcome. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is a minor release of Shorewall which rolls up a number of bug fixes. New features include: 1. A NEWNOTSYN option has been added to shorewall.conf. This option determines whether Shorewall accepts TCP packets which are not part of an established connection and that are not ''SYN'' packets (SYN flag on and ACK flag off). 2. The need for the

Hello, I''m a Shorewall novice. I have a problem and I''m not quite sure how to troubleshoot it. I''m using a Mandrake 9.0 (Security Level "4") system, which came with Shorewall. (I live in Lynnwood, not far from Shoreline, btw.) Long lived but idle connections are dying. Examples are SSH terminals where I don''t type anything, and IMAP connections

Thanks to Stefan Mohr, a Shorewall 1.2.11 RPM package for SuSE is now available. See http://www.shorewall.net. Thanks Stefan!! -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.3.4 is available: 1. A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/ shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped. 2. An /etc/shorewall/stopped

When an interface name appears in the second column of an entry in /etc/shorewall/masq, Shorewall will detect all hosts and subnets routed through that interface and will masquerade traffic from those hosts and subnets. This is slightly more general than what I posted recently on the users list since it uses the routing table rather than the IP configuration of the interface. Example:

The PDF documentation is now available on all mirrors. The files are located in the contrib/pdf directory. Example: http://www.shorewall.net/pub/shorewall/contrib/pdf ftp://ftp.shorewall.net/pub/shorewall/contrib/pdf -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: teastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

I have purchased a license for Vexira MailArmor (an antivirus product) and the good news is that it is installed and working at shorewall.net. The bad news is that I have yet to get Vexira running together with SpamAssassin :-( As things currently stand, list posts will be protected from viruses but may contain Spam. I''ll continue to work to correct this situation. -Tom -- Tom Eastep

See http://security.dsi.unimi.it/~lorenzo/debian.html -Tom -- Tom Eastep \ Shorewall -- iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask