similar to: Dynamic Failover

Displaying 20 results from an estimated 20000 matches similar to: "Dynamic Failover"

2004 Oct 28
6
Problems with Port Forwarding
Hello all, Running the "ancient" 1.4.7-RC1 version I have a problem with port forwarding. I have for a number of external fixed IP addresses forwarding to an internal terminal server - this works :-) DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389 DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389 Now I need to forward port 80 from one external address to an
2004 Jul 26
3
Intermittently denying access to webshop
Hello shorewall-users, we have a strange problem where some of our customers cannot access our webshop, but most of the customers can. I have been slowly eliminating possibilities and am now left with either the firewall (Shorewall 1.4) or the webshop server. What appears a lot in the logfiles is: Jul 26 11:51:04 gw kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth1 SRC=84.128.198.240
2004 Nov 26
3
[OT] - Problem in DMZ
Hi everyone, Sorry for asking OT here, but I need your expertise :-) I am running a standard 3 I/F net, dmz, loc Shorewall 1.4.7 on a RH 9 server In the DMZ I have a web shop running with DNAT from the external address to the DMZ - this all works I want to add a develop server in the DMZ with external access so I set this up as per the live server and from internal network it works, but from
2004 Aug 17
4
Wild cards in "shorewall add" command
Hi I am looking at converting a Linux terminal server box to iptables using Shorewall 2.0. (At the moment it uses ipchains). The server currently has scripts which are called as each user logs in which run a series of "ipchains" commands to set the access rights for that user (and again to cancel them when the user logs out). My plan is to replace these scripts with ones that call
2004 Dec 26
1
Preparing for Shorewall 2.2 -- End of Support for Shorewall 1.4 is near!
Shorewall 2.2.0 is expected to be released in the February/March timeframe so it is now time to begin thinking about preparing to upgrade. This is particularly important for those of you still running Shorewall 1.4 since support for that version will end with the release of 2.2. For those of you still running Shorewall 1.4, here are some things that you can do ahead of time to ease the upgrade to
2007 Aug 30
28
Multi-Isp Masqerade ?
Mike Lander wrote: > I am building a shorewall box that the last post has the SSH error and wanted some feedback from the list if possible. At first I thought the two ISP's I building this for had two T-1's with FQ ip's as it. I have the box built for this ready to go. Now I find out that one of the T-1's is
2004 Nov 23
2
OT: 1gigabt nics
Begging indulgence of the list - asking here because due to the higher likelihood of getting an answer... I have an application that often loses connection from one machine to another when one (or more) of the machines has particular brands of 1gig nics, but which runs rock solid when on 10meg nics and some 1 gig nics. The application senses (falsely) that the connection has been shut
2004 Aug 12
1
Upgrading to v2.x
Hello shorewall-users, now that I've got v1.4 problems solved I'd just like to ask a general question. Are there any real benefits to upgrading if v1.4 does what I want ? I'm not a fan of bleeding-edge in production and I don't go for "v2 must be better than v1 because it's newer" Tom, if you have a few minutes, what's new in 2.0
2004 Dec 07
16
Dmz
Hey Tom, I have successfully set up two servers on a Dmz practice network woohoo :). If I take out the proxyarp option in /etc/shorewall/interfaces Then Dmz can ping outside ip's on the net but not any of my servers on network 66.224.62.96/27 (Other than its own gateway server 66.224.62.120) The reason I ask is to learn. I thought I would not need the proxyarp option for this to
2004 Oct 05
1
IPsec help
Hello all, I'm setting up (for the first time) IPsec and have a question I need to allow another location access to a specific server in our local network, and deny access to all other servers I have followed Tom's IPsec tunnel guide and setup a vpn zone, but I don't want to allow all traffic in both directions so I haven't added a general policy for vpn.
2005 Feb 09
12
Harvesting and Dictionary attacks
Is there a way to listen on port 25 for repeated dictionary attacks to harvest email address and blacklist that Ip with shorewall? Thanks, Mike
2004 Dec 06
12
Interface Configuration
Hello, You may recall some of My Dmz question around Thanksgiving. While I have configured a Proxy arp Dmz. I would like to practice with the routed setup you suggested Tom as your network was similar. Here is one of your quotes "The configuration of eth2 is largely irrelevant but you certainly don't want to confuse things by assigning any default gateway out of that
2005 May 25
2
Firewall failover
Hi all, We are investigating on firewall failover design. I have searched the net and found that projects like LVS have it mostly solved for their side but that netfilter lacks it. Of course, a simple failover of the firewall is available using things like VRRP (KeepAlive software) but without state synchronization, and that is precisely the part we need to investigate. Is this issue
2007 Sep 12
21
MultiISP: failover and dynamic IP
Dear list, Shorewall is running here with 2 ISP's: ISP1: corporate ADSL-line with fixed set of IP's ISP2: fast consumer-grade cable-connection with higher bandwidth All our main traffic (web, e-mail) is routed through ISP1. Only for special purposes (frequent large ftp-transfers) ISP2 is used, configured through tcrules. ISP2 is not so reliable as ISP1 (duh) and they sometimes
2008 Oct 24
6
routing packet from/to source/destination
Hi all and specially Mr. Tom.... (Please, do not be acid with me please! I am only a newbie, trying learn more about shorewall) I get involved with a Firewall Project in a customer here in my city... In this customer, he has two Internet Providers. So, he ask me how make certain connection following one routing path (like RT_1) and others connections type, following the other routing path
2005 Jan 09
22
Dmz
Hello Tom, I am not sure if you can help with this but I am at my wits end. If you hit this site and do a force refresh (ctrl + F5) the site will time out and lose connections. Do the same on port 443 and it does not time out??? The web site I am referring to is www.tituswill.com I think the only problem is port 80. Do you have any idea how to diagnose this I have sent a dump of just
2004 Feb 28
8
Looking for a Volunteer
The 2.6 kernel series includes Netfilter 'physdev' match support. That support makes it feasible for Shorewall to support bridge/firewall configurations. I'm looking for early testers of such support. Requirements: a) Willing to run Shorewall 2.0.0-RC1 or later (RC1 will be released in a day or so) plus private updates. b) Running a 2.6 kernel or a 2.4 kernel with
2005 Jan 25
9
Ftp Broken in Dmz
I have had a web server listening sql-1433, www 80, ftp-21 using proxy arp with sub-netting in a three interface DMZ. All these ports are in the rules file as ACCEPT. With one exception that 1433 allows a few host from the net. 21 and 80 allow all net to dmz connections. The policy is DMZ to net ACCEPT This has been working great for about a month or more until I rebooted the
2004 Nov 18
3
Internet fail over
Bit of a shorewall newbie so if the answer is obvious please be gentle. We have been using version 1.4.2 for a while now and are very happy with how it performs, however we are looking to increase the resilience of our internet connection by providing a second internet feed. The idea being that should the primary connection fail shorewall will transparently (as far as users are concerned) switch
2005 Jun 24
3
Multiple Vpns
I have built a fedora 3 test box that has 4 pptp client vpn's from my T-1 to a Group of businesses (test environment). The businesses all have pptp vpn concentrators on their ends. The purpose is that all of the businesses will be at an offsite location together for a 3 day sale. I have the box working now with the latest ver of shorewall with two nics on this fedora box eth0 will