Displaying 20 results from an estimated 5000 matches similar to: "Kernel/iptables question"
2005 Jun 29
5
Dual-ISP Masq
I know this is a FAQ and that it's been discussed much before, I'm just
looking for a few key things.
I need to set up our gateway so that traffic FROM a range of IPs is sent
out, masqueraded, via a new cable connection.
I'm running 2.6.9.
Am I going to require any of the CONNMARK patches or other patches from
http://www.ssi.bg/~ja/#routes? I'm really not sure
2004 Dec 30
12
Multi-Hop VPN Issue looking for Solutions
I've just discovered that I do not have access to the remote gateways
for a set of IPsec tunnels to remote networks. This prevents me from
changing the routing table on those gateways.
I need "roadwarrior" systems connecting to my local network using
OpenVPN (tun) to be able to access those systems. Since the remote
gateways don't know about 10.100.1.0/24, where my
2005 Feb 03
8
SMB Problem
I'm having a problem where transferring files across our IPsec gateway
to another host on a remote network is failing. I see no packets being
rejected in the logs.
Attached is a packet trace, showing the problem. In this case,
10.100.0.0/24 is the local network and 10.100.14.0/24 is the remote
network. The trace was taken on the local gateway.
In the trace, there is a set of TCP
2004 Dec 30
19
OpenVPN tun Interface
I have a zone "rw" defined as tun0 in interfaces.
From that zone, pings to zone "loc" succeed but pings to remote
networks (On IPsec VPNs) are rejected in the all2all chain. From my
point of view, these pings should be in the rw2cctc chain. (rw to cctc
is ACCEPTed in policy.)
I must have a hole in my config, where would it be?
Thanks,
A.
2005 Jan 30
11
Poor ipsec performance with policy match
Hello !
I have a performance issue with Kernel 2.6.X and policy match support as
suggested in http://shorewall.net/IPSEC-2.6.html. My IPSEC performance
doesn't exceed about 30kbyte/sec even if my downlink is 1024kbit/sec and
should reach more than 100kbyte/sec.
No, it's not the cpu's performance (AMD Barton 2500+) and no it's not the
gateway (CELERON 600 Mhz) on the
2004 Dec 19
6
IPSEC vs OpenVPN
While I have concentrated on support for 2.6 native IPSEC in release
2.2.0, I am still of the opinion that unless you absolutely need IPSEC
compatibility that OpenVPN is a much easier (and in the case of
roadwarriors, a much better) solution.
Having already generated all of the required X.509 certificates, it took
me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one
using the new
2005 Apr 20
4
Linux Kernel 2.6, Ipsec, ADSL (dynamic addresses)
Hi,
I successfully connected quite a few servers with their associated networks
using Suse 9.1/9.2 (Kernel 2.6.x) and IPSEC tunnels. But now I have to add
another server that has a ADSL connection to the internet, that means it has a
dynamic IP address which is likely to change every few hours, since the provider
disconnects from time to time.
I found a way to restart the IPSEC connection when
2009 Feb 16
2
[Bug 577] New: cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577
Summary: cannot set spi/reqid numbers higher than 0x7fffffff
(policy match)
Product: iptables
Version: unspecified
Platform: i386
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: iptables
AssignedTo: laforge
2006 May 29
4
IpSec support with kernel 2.6.16.18
Hi all,
I'm currently using ipsec with Shorewall 3.0.7 on a patched 2.6.10
kernel. Having heard that ipsec support was in the standard kernel
starting from 2.6.16, I tried to upgrade to the last kernel.
My problem is that shorewall won't start anymore.
I get this output in /var/log/shorewall-init.log:
Starting Shorewall...
Initializing...
Shorewall has detected the
2010 Jul 11
3
Crash while accessing mdbox folders
Hi,
I've converted some accounts with "dsync mirror maildir:~/Maildir". It
seemed to work, but when I access the folders via IMAP I get the
following error:
Jul 11 09:41:59 shrike dovecot: imap(matze): Debug: acl vfile: file
/home/matze/mdbox/mailboxes/Telefon/dbox-Mails/dovecot-acl not found
Jul 11 09:41:59 shrike dovecot: imap(matze): Panic: file
mailbox-list-fs.c: line 150
2005 Feb 15
1
Re: Shorewall 2.2 and Debian Sarge
Jason Wohlford wrote:
>
> linux:/etc/shorewall# shorewall check
> /sbin/shorewall: line 261: Added: command not found
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> /usr/share/shorewall/firewall: line 261: Added: command not found
BTW -- it looks like you have a missing "#" on a
2006 Jul 20
2
GRE over IPsec Cisco<-> Linux
Hello Lartc Mailing List:
Been working on something the last week and a half and ALMOST have it
working.., just need a few pointers from the wizards on this mailing list to
nail it.
Ok, my setup is a hub and spoke arrangement, hub is Cisco 2821 with IOS 12.4.
Spokes are ruggencom RX1000 routers, Debian based with the following versions
installed:
rx1000test:~# uname -a
Linux rx1000test
2007 Dec 14
3
Puppet 0.23 client on Redhat 9
Hi,
I wanted to know what's the ideal way to install puppet client
ie the below packages on Red Hat Linux release 9 (Shrike) system --
2.4.20-8smp
I get the dependencies issue with the below (because they are for RHEL4
which is 2.6 kernel).
What would be an ideal way, where can I get the tar source of the
compatible version of puppet/facter/ruby for Redhat 9
2004 Dec 02
8
Correct Shorewall version for RedHat ES3
Hello all --
I am trying to get Shorewall, ipsec and RedHat ES version 3 to cooperate.
Before posting any specific problems, I thought I'd find out if I have the
right stuff to work with. (I've gotten ipsec to work flawlessly with
Shorewall using RH 8 and 9 kernels, so I have some experience with it.
Shorewall 2.0.12 works fine on this ES 3 box, except for the ipsec part)
2004 Jul 15
3
slight simplification to firewall log_rule_limit code
I think you can change the existing firewall logging code for
log_rule_limit (where you have one case for LOGRULENUMBERS and
another almost identical case without) down to this slightly shorter
version with no duplication (excerpt):
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1
fi
case
2003 May 14
3
Redhat firewall problem...
I've just tried setting up a Shrike (9) version of Redhat. Using the
medium settings of lokkit, then adding manually accept commands for
ports 137/udp 138/udp, 139/tcp and 445/tcp, I thought I should have been
ready to go.
This isn't the case, however. I know it's not the smb.conf setup
because when I kill iptables samba works.
When iptables IS running however, it will respond
2003 Dec 12
3
SIPURA Breaches Contract
Hi list,
Well I really didn't want to see things get to this point,
but Sherman at Sipura along with their President Jan F.
leave me no other choice.
SIPURA has been provided a letter from our attorney for
Breach of Contract and damages. They have yet to respond.
A quick background.
1. Sherman (SIPURA's Director of Marketing), stated that
we would do a joint press release for the Oct
2005 Feb 05
13
Problem while trying to set up an ipsec vpn
Hi,
I'm asking my question here, because I could not find any answer to my
problem, but I'm afraid shorewall is not the one to blame.
First of all I'm using shorewall version 2.0.15 on two linux boxes.
I set up an ipsec tunnel between those 2 boxes to be able to connect
2 non-routable subnetworks.
Here is my network topology:
10.66.17.0/24 - 10.66.17.1 = eth0
2010 Jul 10
1
dsync duplicates messages/crashed if a 'large' number of messages has been deleted
Hi,
I try to mirror two dovecots with:
dsync -v -f -u login mirror ssh -o
IdentityFile=/etc/dovecot/dsync.d/id_rsa root@shrike dsync -u login
This usually works, but if I delete a certain number of emails, I get
these messages:
dsync-local(mailverwalter): Info: Posteingang: Ignored 178 modseq changes
dsync-local(mailverwalter): Info: Posteingang: Couldn't keep all uids
2003 Jun 30
2
Give users Power user access level to local machines.
OK I have searched high and low and have not found anything that works.
We are running a software program which requires the user to have Power User
access level on the local machine.
The machines are Win2K sp3 and they are logging into a ADC which is Red Hat
9 (Shrike) and Samba Version 2.2.7a-security-rollup-fix.
I have been able to setup the ADC and all users have "User" level access