Displaying 20 results from an estimated 3000 matches similar to: "SW 2.2.0: 4 interface system, log reports impossible "IN=" and DROPS"
2012 Dec 29
10
How could I open Port 1701 for VPN l2tp/ipsec
Hello Mailinglist,
Please excuse my bad English - but I am not a native speaker.
My Network looks like this:
Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)
Now I try to connect my iPhone (from mobile Internet G3) over VPN 
(l2tp/ipsec) with the firewall.
But I can't open the necessary Port 1701.
/var/log/syslog
...
Dec 30 00:24:29 router kernel: [226128.293757] 
2008 Mar 26
8
Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
Hi, I am running OpenVPN where I have one central hub VPN server, and multiple spoke VPN clients. I can ping from each client to the server and each client to computers on the subnet which the server resides (192.168.2.0/24) so it works ok there. I cannot however, ping from one client to another client. I guess the packet path would go:
 
clienta ->  vpn -> shorewall/router -> vpn ->
2005 Mar 10
7
norfc1918 not working in SW 2.2.1?
Hello all,
Yesterday I noticed that my system was "leaking" traffic towards the 
10/8 network, I have shorewall installed on multiple machines ranging 
from single interface devices to ones with 10+ interfaces. I tested all 
the boxes and they are showing the same behavior.
All systems are CentOS 3.4, 2.4.21-27.0.2.ELsmp.
Shorewall version: 2.2.1
For the host mentioned is a single
2013 Dec 03
5
Multiple ISP + traffic shaping = poor download speed
Hello,
Thanks for the great Shorewall which has replaced my hard to maintain home-made scripts.
First, what works.
Our local network is 10.48.X.X with multiple vlan, each on a dedicated interface. We use Shorewall 4.4.11 from Debian Squeeze.
We have 2 ISPs:
- isp1 : an optical fiber provider with 10 Mbps.
- isp2 : a DSL provider with 15Mbits/1Mbits.
We use isp2 as the default outgoing
2004 Mar 25
2
Shorewall 2.0.1 RC1
Release candidate 1 is available at:
http://shorewall.net/pub/shorewall/Beta
ftp://shorewall.net/pub/shorewall/Beta
The 'releasenotes.txt' file tells you about the release.
-Tom
PS to those of you on the Shorewall Announcement List:
Feedback to this point is overwhelmingly in favor of keeping Beta and 
Release Candidate announcements on this list.
I have configured the list
2005 Nov 14
3
shorewall and broadcast
Hi,
I configured some ha services using heartbeat, I have this on my log:
Nov 14 09:59:06 mail1 heartbeat[3932]: ERROR: Unable to send bcast [-1] 
packet: Operation not permitted
Nov 14 09:59:06 mail1 heartbeat[3932]: ERROR: write failure on bcast 
bond1.: Operation not permitted
How do I allow broadcast only on some interfaces with shorewall?
Attached is shorewall status
Thanks
Nicola
2004 Oct 20
11
Shorewall, Freeswan and SuSE 9.1
I have been using shorewall and freeswan successfully for 3 or more
years now. But they have all been using the Linux 2.4 kernel. My current
configuration is (as the title suggests) using SuSE 9.1 which has a
2.6.5 kernel and freeswan 2.0.4 built-in.
After much reading and a lot of trial and error, I did get this
combination to work with Shorewall 2.0.9. It is happily talking to an
older Mandrake
2003 Feb 03
4
[Bug 40] system hangs, Availability problems, maybe conntrack bug, possible reason here.
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=40
laforge@netfilter.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
------- Additional Comments From laforge@netfilter.org  2003-02-03 16:49 -------
We haven't seen this
2012 Mar 25
1
kvm and shorewall-init
Hello,
I'm migrating my laptop setup to a shiny new ThinkPad W520 and in the 
process am getting rid of VirtualBox (marked by kernel maintainers as 
"unsupportable crap" or some such) and shifting to virt-manager/kvm.
As with the old setup I am running shorewall-init exactly as the great 
online documentation lays it out. BUT: with VBox it was enough to add 
> net    
2005 Jul 14
7
Losing Packets after a DNAT in prerouting
I'm trying to setup some DNAT and the packets seem to be disappearing after
the PREROUTING step. The packets are coming in eth2 (both LOG targets in
iptables and tcpdump confirm this). They are then DNATed to an IP that
should cause them to go out eth3. However I never see them go out that
interface. I have tried putting LOG rules into the FORWARD chain with no
success. I'm
2011 May 24
1
L2TP ppp+ when using ppp0 for WAN
Hi, I connect to the internet over my eth4 interface using pppoe.
 
The internet always comes on ppp0.
 
I am trying to set up an L2TP/IPSEC VPN and I am reading http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP
 
I notice in the example the interfaces file is given as:
 
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter
loc     eth1           
2010 Nov 25
13
VLAN martians
I'm playing around with VLANs and I have a VLAN capable (layer 2) smart 
switch. I see a steady stream of martians in the logfile if I have the 
routefilter option set on the loc zone interfaces in 
/etc/shorewall/interfaces. I have two interfaces in the loc zone, eth1 
and vlan2 respectively. vlan2 is an 802.1q trunk going towards the switch.
Is this the expected behavior in
2005 Apr 03
3
Problem with fresh two nic installation on FC3
Hi,
I'm having problems with new Shorewall installation on Fedora Core 3 (had
same problem with Core 2 and upgrade did not help even iptables was
upgraded from 1.2.9 to 1.2.11). I've followed two nic example, but
starting Shorewall drops all connections and doesn't permit any outgoing
requests, even with "all allowed" policy. Policy file is below. Current
setup
2008 Mar 10
2
When starting shorewall its display rfc1981 error
Hello ,
   
  The following is the error problem:
   
  Validating interfaces file...
   ERROR: The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:eth2
   
  The shorewall interface file:
  
net     eth2            detect          tcpflags,routefilter,norfc1918,nosmurfs,logmartians
  P.S. I tried to remove norfc1918 from interface
2013 Aug 29
5
Docker Bridge - Howto deal with it?
Hello,
I have started playing around with docker (https://www.docker.io/) and am 
having trouble to integrate the "docker0" bridge it creates on the fly into 
my shorewall setup (version 4.5.16.1) on debian testing.
IP forwarding is on and I have defined a "doc" ipv4 zone and the interfaces 
has an entry like so,
> doc     docker0   
2013 Sep 11
8
Fallback in a multi-isp configuration
Hi,
I have a multi-isp configuration both on ppp interfaces.
As one of them is 32Mbit/s and the other is 8Mbit/s , I have a weight setting of 4 to 1 as in the following providers file entries:
vdsl    1       0x10000 -       ppp1    -       track,balance=4
adsl    2       0x20000 -       ppp0    -       track,balance=1
I would also like to have fallback between them so that if one is
2004 Dec 06
1
recommended internal(wired) "interfaces" options??
Hi:
According to http://www.shorewall.net/Documentation.htm#Interfaces
there is  one recommendation for internal interface but wireless
Wireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfs
a recommendation for wired internal interface?(100 win32 clients)
I  use tcpflags,detectnets
thanks
2006 Dec 19
7
routing problem
hi,
     Please see the following text diagram:
   
  10.0.15.0/24 --> 10.0.15.1 (f0/1) cisco router (f0/0) 192.168.0.5 <-- 192.168.0.0/24 --> 192.168.0.1 firewall --> internet
  I have some problem after adding a static route 
  in shorewall in /etc/sysconfig/network-scripts/route-eth0, the syntax is:
   
  10.0.15.0/24 via 192.168.0.5
   
  in 192.168.0.0/24 computers cannot ping or
2004 Dec 29
1
2 net connections confusion
I've been digging around the documentation and seem to have just 
confused myself.
Here is what I have on a fedora core 3 machine with 4 network cards (the 
built in is dead)
eth2 - connects to the web via dsl-line-1
eth4 - connects to the web via dsl-line-2
eth2 is the route the local network addresses 10.1.x.x connected via 
eth0 go out on
eth4 is the route the dmz network addresses
2004 Nov 24
10
Attack from local network or...?
Hello,
when I execute "shorewall hits" command I find this stats:
HITS IP                DATE
   ---- --------------- ------
  92099 192.168.0.2     Nov 24
   7764 59.104.107.85   Nov 23
   3997 192.168.1.77    Nov 24
    337 181.50.93.89    Nov 23
    331 59.104.156.68   Nov 23
    315 99.109.157.73   Nov 23
    301 190.225.157.40  Nov 23
    275 179.153.183.53  Nov 23
    268