similar to: Oops...

I''ve been using the port knocking technique described in the Shorewall docs to control ssh access on one of our servers: http://www.shorewall.net/PortKnocking.html It works great, but occasionally one of the admins forgets to perform the close port operation. This leaves ssh open to the world until one of us notices. I''ve considered adding a cron job to close the port every

Hi Guys, I am setting a Firewall server up now and would like to know if this setup will actually work. (I think I have thought it through...) (please tell me if I''m wrong....) (Thank You in advance) Firewall : 4 NIC''s (net zone) Nic 1 - eth0 ----> 512/512 ADSL (net1 zone) Nic 2 - eth1 -----> 1.5Mb/256 ADSL (loc - zone) Nic 3 - eth2 ------> to the LAN -

In preparation for splitting the list server off from my mail server, I have updated all of the mailing lists. The list addresses are: Users: shorewall-users@lists.shorewall.net Announce: shorewall-users@lists.shorewall.net Devel: shorewall-devel@lists.shorewall.net The old addresses will continue to work for a while but I urge you to update your address book now as the old addresses will

After a fresh install, I noticed that shorewall 2.4.0 wasn''t starting automatically under FC4. The startup script installs properly from the rpm: /etc/rc.d/init.d/shorewall ... but the post install "/sbin/chkconfig --add shorewall" produces this in the runlevel symlink directories: /etc/rc.d/rc5.d/S-1shorewall /etc/rc.d/rc0.d/K-1shorewall /etc/rc.d/rc6.d/K-1shorewall

Hi all, I have a strange problem in trying to install a transparent proxy (in my internal net not on the shorewall server) according to the instructions as outlined in http://www.shorewall.net/Shorewall_Squid_Usage.html#Local My Network looks the following: Internal Net: 10.0.0.0/24 Squid Server listening on port 3128 (ip 10.0.0.152, DNS name server01) | |

Hiya, My two cents here .. I use a locked down Linux Sendmail relay (use sendmail null-client feature on any spare old server or PC) in my DMZ to relay Mail to the exchange server in my local zone. Its sort of the moat you have to cross over to get at the castle walls and the hot oil dumped on your head approach. Francesca C. Smith Lady Linux Internet Services 1801 Bolton Street # 1 Baltimore,

http://www.shorewall.net/pub/shorewall/shorewall-1.4.10d ftp://www.shorewall.net/pub/shorewall/shorewall-1.4.10d This release corrects the problem whereby rules involving user-defined actions often produce a warning. Note that the documentation packages have not been updated for this bugfix release. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \

I''m working on shorewall_setup_guide.htm -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

This fixes a problem discovered by Antonio Pallua. If ADD_SNAT_ALIASES=Yes, then the following entry in /etc/shorewall/masq generates a startup error: eth0 eth1 212.103.200.20-212.103.200.24 The problem also exists in 1.4.7 Beta 1 -- the ''firewall'' and ''functions'' scripts in CVS correct the problem in that version and I will include the fix in

The ''firewall'' and ''functions'' file in CVS together produce a 30%+ speedup of ''shorewall restart'' on my firewall when compared to 1.3.11a. Please test with these files -- I don''t anticipate making any more performance changes for 1.3.12 and I want to be sure that I didn''t break anything. -Tom -- Tom Eastep \ Shorewall

----- Original Message ----- From: "Tom Eastep" <teastep@shorewall.net> To: "Gary Gale" <gary@vicchi.org> Sent: Monday, March 11, 2002 11:48 AM Subject: Re: [Shorewall-users] Firewall and Port Forward Clash? > Gary, > > ----- Original Message ----- > From: "Gary Gale" <gary@vicchi.org> > To: "Shorewall Users List"

The search capability at http://www.shorewall.net has been improved. - The quick search on the main page no longer includes the mailing list archives. - The extended search page (http://www.shorewall.net/htdig/search.html) allows you to search: a) the entire site (including the archives); b) the site excluding the archivesj; or, c) just the archives. - The mailing list information page

Folks, You can''t post to this list by sending mail to ''shorewall-users-bounces@shorewall.net'' even though that''s the envelope sender address in posts from the list. Mailman 2.1 expects all traffic to that address to be DSNs (''bounce''/''delay'' nodifications from MTAs) and instead of forwarding your post to the list, it

1.3.0 is available from the main site -- mirrors will syncronize in 6-12 hours. Features include: 1. The rules syntax for port forwarding and port redirection has been simplified. 2. Compatibility has been maintained with version 1.2 configurations so that users may migrate their configuration at their convenience. WARNING: Compatibility has NOT been maintained with the parameterized

I am forwarding this post to the Shorewall Users mailing list. The email address ''support@shorewall.net'' is reserved for sending large or confidential attachments to the Shorewall support team. See http://www.shorewall.net/support.htm -Tom -------- Original Message -------- Subject: Question Date: Mon, 20 Oct 2008 11:30:04 +0000 From: Raul <rfunez@polar.es> To:

In this release: 1. Whitelist support has been added. 2. Optional SYN Flood protection is now available. 3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES now use the VLSM and broadcast address of the interface''s primary address. 4. Port forwarding rules may now optionally override the contents of the /etc/shorewall/nat file. -Tom -- Tom Eastep \ Shorewall -

Now that 1.3 is out, I thought it would be a good idea to tell you what my plans are for Shorewall and to solicit input from this list. My focus for the next several minor releases will be to incorporate recent Netfilter enhancements into Shorewall. For example, this afternoon I have integrated support for the ''multiport'' match facility. I would like to defer the next minor

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

Following up on the original topic of synchronization between the local mic and local speaker streams: We can separate this problem into two sub-problems: (1) compensating for differences in sampling rates; and (2) compensating for delay between the two streams. For estimating the delay, what do you think of the idea of using cross-correlation? -mjc -----Original Message----- From: Jean-Marc

The rule structure for handling complex zones (those requiring entries in /etc/shorewall/hosts) has been improved through the addition of an intermediate forwarding chain. For those who have such zones, this change can substantiallyreduce the number of rules in the <interface>_fwd chains. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://shorewall.sf.net