similar to: My Availability will be limited this week

I need to replace one of the firewall''s NICs so I''ll be taking shorewall.net down for maintenance this evening. I''m planning to start around 4PM PST (Midnight GMT) -- shouldn''t take more than half an hour. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

Shorewall.net will be unavailable for approximately two hours this evening beginning at 23:00 GMT (16:00 PDT) for installation of RH7.3. The http and ftp mirrors will still be available and mail will be queued in the backup MX. The mailing list archives and site/archive search will not be available. Apologies for any inconvenience this may cause. -Tom -- Tom Eastep \ Shorewall - iptables

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

Due to an emergency in the family, I will be away from the list for a few days beginning tomorrow. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

I have purchased a license for Vexira MailArmor (an antivirus product) and the good news is that it is installed and working at shorewall.net. The bad news is that I have yet to get Vexira running together with SpamAssassin :-( As things currently stand, list posts will be protected from viruses but may contain Spam. I''ll continue to work to correct this situation. -Tom -- Tom Eastep

In an email yesterday evening, Perry Nguyen expressed concern about the moving of the ''restarted'' file from /var/lib/shorewall to $STATEDIR (STATEDIR is set in your shorewall.conf file and defaults to /var/state/shorewall). I''m afraid I was a bit short with Perry for which I apologize. Here''s the story: 1. What is the ''restarted'' file

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

I''m currently running kernel 2.4.20 + the MPPE patch (linux-2.4.16-openssl-0.9.6b-mppe.patch). [root@gateway root]# uname -a Linux gateway.shorewall.net 2.4.20 #2 Thu Dec 5 18:02:38 PST 2002 i686 i686 i386 GNU/Linux [root@gateway root]# Seems to be OK with Shorewall. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://shorewall.sf.net ICQ: #60745924 \

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

Thanks to Stefan Mohr, a Shorewall 1.2.11 RPM package for SuSE is now available. See http://www.shorewall.net. Thanks Stefan!! -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.3.4 is available: 1. A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/ shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped. 2. An /etc/shorewall/stopped

I have implemented the ability to specify ''all'' in the SOURCE and DESTINATION columns of the rules file and I''m not sure I like the result. The code is in CVS if any of you are interested in giving it a try. If you do try it, please let me know what you think. If you specify ''all'' in those columns it must not be qualified (may not be followed by

shorewall.net will be down for maintenance this evening beginning at 22:00 GMT. The downtime should be 15 minutes or less. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

The ''firewall'' and ''functions'' file in CVS together produce a 30%+ speedup of ''shorewall restart'' on my firewall when compared to 1.3.11a. Please test with these files -- I don''t anticipate making any more performance changes for 1.3.12 and I want to be sure that I didn''t break anything. -Tom -- Tom Eastep \ Shorewall

The 1.2 firewall contains messy logic to support the old sample configurations in that any rule that contains "none" in any of its columns is ignored. I''m considering removing that messiness in 1.3 and seek the opinion of the list. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask

Lorenzo Marignoni reports that: o Shorewall 1.2.10 is in the Debian Testing Branch o Shorewall 1.2.11 is in the Debian Unstable Branch Thanks, Lorenzo! -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

In this release: 1. The ''try'' command now accepts an optional timeout. If the timeout is given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where the new configuration starts but prevents