similar to: Can''t allow ICMP to firewall?

Sorry for the frantic nature of this message, but we need to allow pings on our firewall so our ISP can test things. I''ve done this, and it still doesn''t work: (I am now at v.2.0.10) rules: AllowPing net fw AllowPing sls fw show indicates some matches, so where are they? Chain AllowPing (4 references) pkts bytes target prot opt in out source

I''m re-reading the section on dns names in the shorewall docs: "I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won''t start as a result of DNS problems then don''t say that you were not forewarned." Having been stung by this a few times

Hi folks, Has anyone tested the changes to multiple ISPs/load balancing or routestopped in 2.4.0-RC1 yet? We need to talk about what criteria we will use for determining whether 2.4.0 is ready for release. I''ve started configuring a firewall at work with the multiple ISPs support, but its kernel doesn''t have connection marking support, so it''s going to be a couple of

The problem scenario I describe was reported previously in the Shorewall lists but its resolution does not seem to have made it into the lists. Scenario: Windows XP client seeking to establish a VPN connection to a Windows 2003 Server located behind a Shorewall firewall (running on Mandrake kernel 2.4.22-37mdk). The connection cannot be made, the client reports error code 721. Discussion:

We are seeing the following in our logs: Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 10.0.0.199, on dev eth0 Nov 25 16:21:41 fw kernel: ll header: 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00 00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP 139.142.66.253. 00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1 10.0.0.199 is a Cisco switch - we have about

We have encountered a number of problems with our firewall recently, and the past 24 hours have left me quite concerned. Here is what we are seeing: 1. Original firewall, a PentiumPro/200 with 96Mb RAM, serving approx 500 client PCs for a 10Mb internet connection. Running Mandrake 9.2, we began seeing severe swapping a few weeks, with kernel mem usage exceeding 200Mb. Given an ip_conntrack

I *think* we are finally making some progress in tracking our elusive performance problems. After employing a second 10Mb link from our ISP, along with another firewall box and proxy, we were able to determine the problem *is* our firewall. We don''t know exactly why yet, but our sporadic slow web access seems to have gone away since swapping a new firewall in this morning. The

In the panic of replacing our firewall(s) earlier in the week, we ended up moving our original shorewall 1.4 config onto a machine with 2.0.10 already installed, overwriting all the 2.0.10 config files. Most things seem to work fine, except for our masq entries. I''ve examined the default 2.0.10 files compared with our 1.4 files, and can''t spot the problem. What am I missing?

I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net kernel config as a guideline. For some reason, I get this: Nov 30 12:05:34 fw shorewall: Shorewall has detected the following iptables/netfilter capabilities: Nov 30 12:05:34 fw shorewall: NAT: Available Nov 30 12:05:34 fw shorewall: Packet Mangling: Available Nov 30 12:05:34 fw shorewall: Multi-port Match:

Hi to all. I would to ask if there''s way in shorewall that I can be able to check my bandwidth, if im really getting what I paid for. Second, Is there a fast and effective way to implement traffic shaping with shorewall. Many thanks Jan --------------------------------- Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now

Ok, I''ve flogged this issue probably longer than some of you can stand by now. (remember, I''m the nut trying to use a PPro200 to support ~500 users on a 10Mb internet link :o) To appease those who think I''m nuts, I am ordering a new firewall shortly to allow for future growth. (probably a Dell PE750 with P4/2.8 and dual GE nics.) However, since I have yet to prove

I have just completed the installation of a new firewall running Shorewall 1.4 on Mandrake 9.2 for our campus network. It appears to be running fairly well so far, but is generating significantly more log entries than our previous linux 2.0.x firewall... Our previous firewall enjoyed more than 6 years of 24/7 operation with no downtime before we finally decided it needed more horsepower, and

I am getting the following message when Shorewall stops can anybody shed any light on this message and where I should be looking? Thanks root@bobshost:~# shorewall stop Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Stopping Shorewall...Processing /etc/shorewall/stop ... IP Forwarding Enabled

I''m getting my zones confused. Help. I need to have a bunch of systems using OpenVPN to gain an IP in the virtual subnet 10.100.1.0/24, on interface tun0. I will then route whole subnets to those IPs, like 10.100.2.0/24 via 10.100.1.12, etc. I want to have a policy for: - all hosts behind tun0 - all hosts in 10.100.1.0/24 - individual subnets being routed through IPs in

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear all, I''m a bit confused on the rules and would like your help. I''ve 4 NIC, eth0 --> WAN (net) eth1 --> OSPF1 (bb1) eth2 --> OSPF2 (bb2) I would like to enable all the icmp function (ping and traceroute) Wonder what effect will the following policy make. bb0 all ACCEPT info bb1

Hello, all. I''ve been trying to get shorewall to get LISa working on my Gentoo box. It works as long as I have shorewall turned off, but whenever I turn it on, it seems to block all LISa activity. I have TCP port 7741 opened (as per lisa-home.sourceforge.net), and nmap says it''s open. Ethereal indicates that LISa is communicating via TCP port 7741, from 127.0.0.1 to

It''s now been over a week, and we are nearly at wits end trying to track down our performance issues here. We now have a P3/667 (single CPU! SMP was definitely the source of previous lockups) with 256Mb RAM. It is running along with a load avg of less than 0.1 even at peak times. Max ip_conntrack is around 1500-2000. Sounds fine, but, we have also tried 3 different squid proxies (2

I'm building 3.0.14a on Mandrake 10.2, trying to use the same config as my other servers (3.0.11), but ACLs are not working. In checking the outout of smbd -b, I see this line is missing: System Headers: HAVE_SYS_ACL_H .... But I am specifying ./configure --with-acl-support ... Adding an acl using 'setfacl -m 'NTDOMAIN+NTUSER' file does successfully add an ACL for the NT

Hi, I''m new to shorewall and iptables. I installed shorewalls ver. 2.2 two days ago and it''s working now, but I have some questions concerning pppoe. I have my ISP''s connection to internet trough PPPoE over an ethernet card. On the ethernet card I have a static IP and I have access to all other ISP''s clients wich are in the same subnet (it''s a small

I have searched your FAQ''s and read the documentation on your site as well as googling. I am not able to figure this out. If you have any ideas can you please help. I am using the linux-ha failover with redundant firewalls. As part of the function of the linux-ha software consists a service called heartbeat which is a connection from each failover node through a serial cable or ethernet.