Displaying 20 results from an estimated 1000 matches similar to: "Strange problem, please help"
2005 May 10
3
ksoftirqd_CPU0 extreme CPU usage
Hi all,
I don't know if this problem is related to shorewall, but as here we
have a lot of firewall experts ... :)
We are using a Leaf box (1GHz 256MB RAM) for a network with normal
traffic of about 6Mbps but peaks of up to 40Mbps. The chipset of the
ethernets is a Realtek.
We are experiencing some high latency high CPU usage issues (the CPU
is at 90%) and we discovered the process
2005 May 30
23
ipp2p problems
Hi all,
I have found problems in p2p traffic detection. The ipp2p module works
fine but in shorewall the rules written for these protocols never match
because the initial p2p connection (login) matches the '-m state --state
RELATED,ESTABLISHED -j ACCEPT' rule before the '-m ipp2p --ipp2p -j DROP'
rule, so netfilter never filters p2p traffic. I have had to run
2005 Apr 26
5
Is shorewall compatible with hipac?
Hi all,
http://www.hipac.org/index.htm
I have just discovered this great project. It seems it surpasses
standard netfilter in performance.
The documentation states they are more or less compatible with
standard netfilter, but has anybody tested if it is compatible with
shorewall? Tom, have you?
Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
2005 Jun 01
4
Firewall stress test
Hi all,
We want to do some stress testing of firewall configurations/hardware.
We have discovered hping that seems a great tool for this, but funny
enough Shorewall cuts it !!! even when you leave ports open :)
So besides hping, any tool for this? Why is shorewall cutting this
traffic?
Thanks in advance. Regards.
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO
2005 Jul 01
2
Citrix Help?
Hi all,
Has anybody configured a Shorewall firewall to protect Citrix servers?
Could you give us some clue on the rules you have to define?
Citrix opens a connection from the inside to the outside from a
different port (more or less like ftp) and it does not seem to work.
Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
2005 May 24
4
svn?
Hi Tom and folks,
Is there an svn or cvs system for the shorewall-dev community? If
Tom wants to leave the project for a while, maybe some cooperation
system will be necessary.
Regards.
--
Juan Jesús Prieto - Consultoría TI
jjprieto@eneotecnologia.com
http://www.eneotecnologia.com
---------------------------------------
fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5
2005 May 25
5
State rules placement
Hi all,
I have seen Shorewall places the state verification rules (-m state
--state ESTABLISHED,RELATED) as the first rule in a zone2zone chain.
This means that state checking is done after all the rules involving
from this zone to this zone. As you could have a lot of them, won't it be
better to place them just after checking the state is not invalid? This
will mean a lot of packages will be
2005 Mar 29
4
Shorewall and an inline IDS (snort-inline or hogwash)
Is anyone using an inline IDS like hogwash or snort-inline to drop
packets in a system running shoreline? I _think_ I see how to
configure it, but I'd be really interested in finding a howto or
something...
Thanks!
Mike-
--
Mornings: Evolution in action. Only the grumpy will survive.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam
filters at
2005 May 25
2
Firewall failover
Hi all,
We are investigating firewall failover design. I have searched the
net and found that projects like LVS have it mostly solved for their
side but that netfilter lacks it.
Of course, a simple failover of the firewall is available using things
like VRRP (KeepAlive software) but without state synchronization, and
that is precisely the part we need to investigate.
Is this issue
2005 Jun 02
28
One Remaining Issue Regarding 2.4.0
I believe that 2.4.0 is about ready to be sent out the door. I've made a
couple of small changes since RC2 but I don't believe that they warrant
another RC.
There remains the issue of what to do about support for Shorewall 2.0 given
that 2.2 has only been available since March.
It would be my recommendation to make 2.4 the new "stable" release but
continue to
2005 Mar 30
7
RE: Shorewall and an inline IDS (snort-inline or hogwash)
I made an attempt to run snort_inline and shorewall on the same system
but I could not get snort to see the packets.
Maybe someone with a little more iptables knowledge could tell me what
I'm doing wrong or if it's possible to have the systems set up so that it
places packets that the firewall would allow into QUEUE.
After setting up and starting shorewall I then issue the following
2005 Feb 23
13
Snort and Shorewall
Hello
I am looking for a way to have snort dynamically update my shorewall config.
I have seen software out there but I would like to see if anyone had tried this
first.
Also I would like to know if there is a way to clear the Netfilter tables when I do
a shorewall restart. The reason being is that when I make a change to my
firewall setting I want all connections to have to re-establish
2005 May 17
8
(no subject)
Hi
I'm currently setting up a game server and have opened all ports needed to
run it.
What other options do I have regarding protecting the open ports?
I'm worried about people attacking the open ports to render the server useless.
Any help or advice would be appreciated.
Thank you.
Recoil UK
2007 Mar 12
16
booting an ISO inside Xen (full virt)
Hi list,
I'm using Dom0 gentoo with xen 3.0.4 and xenman. I have several DomU working and it is really nice :)
so all my DomUs are installed with disk images. Now I want to use an ISO to boot and install a linux system (or win).
When I try to boot the DomU I don't have anything, nothing relevant (for me) in logs and I can connect to the console. The state of the DomU is unknown. Any help
2005 May 20
12
send patches
Hi all,
I'm working on a patch for shorewall to make it run with a Crossbeam
X40 machine (www.crossbeamsystems.com) and I would like to know where to
send it, is this list the correct location?
The patch is necessary because of the Crossbeam X series running mode: when
you do a shorewall start, restart or clear, there is packet
dropping until shorewall is Started or cleaned. At
2007 Mar 27
2
network redundancy via two nics, two routers?
Hi List,
I'm trying to configure two switches to provide redundancy (i.e. in
case one switch goes down), and am wondering if there is a standard
way to configure a CentOS box to use different gateways in a bonded
interface, depending upon which physical nic is being used?
A bit more detail might help answer the "And why do you want to do
that?" questions...
- Switch 1,
2010 May 22
12
[ASK]How Many Interfaces Supported?
Hi,
I have 8 ethernet cards installed. Is it possible to use eth0-eth6 as the net interface for shorewall and eth1 as the lan network? Thanks.
sangprabv
sangprabv@gmail.com
2015 Oct 21
4
Centos 7 - "Device eth1 does not seem to be present, delaying initialization".
Hi All :)
I have three servers, all with centos 7 installed 3 days ago. I need on
them "old" naming scheme (ethX) for network interfaces, because of that:
# grep GRUB_CMDLINE_LINUX /etc/sysconfig/grub
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos_node-XY/swap rd.lvm.lv=centos_node-XY/root
rhgb quiet ipv6.disable=1 net.ifnames=0"
net.ifnames=0 was added and afterwards I ran:
2010 Oct 13
5
network interface question
Hi,
I don't have ifcfg-eth1 in my /etc/sysconfig/network-scripts. But when
I do ifconfig eth1 I can see output as below. If I do ifconfig eth12,
I don't see anything, which I assume is normal.
eth1 Link encap:Ethernet HWaddr 00:24:E8:44:DB:CC
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0
2012 Feb 08
1
sar -n DEV does not show bonded interfaces
Anyone know how to get statistics on bonded interfaces? I have a
system that does not use eth0-3, rather we have bond0, bond1, bond2.
The members of each bond are not eth0-3, rather they are eth6, eth7,
etc. I didn't see anything in the man page about forcing sar to
collect data on specific network interfaces.