similar to: bridging and masquerading

Displaying 20 results from an estimated 5000 matches similar to: "bridging and masquerading"

2005 May 21
10
pb with iptables snat script
hi list, oh it's not really a problem. Each time i fire shorewall, i run a custom iptables script: (for the openvpn machines to have route back from my bridge/fw - $SOURCEIP is the ip of my OpenVPN/Fw/bridge) iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source $SOURCEIP i wish to better integrate it within shorewall, so is there any config files that could achieve the
2004 Oct 13
4
Connection tracking on non-masqueraded interfaces.
I don't think this has anything to do with Shorewall but I am not too familiar with iptables stuff yet so I'm not sure. Running Shorewall shorewall-1.4.9 on Mandrake Linux release 9.2 (FiveStar) for i586 Kernel 2.4.22-37mdk. Run "nmap -sP 192.168.x.x/24" (for example), where 192.168.x.x/24 is the LAN. You can do this from a firewall/router, or even from a
2005 Jan 27
12
problem with masquerading with shorewall
Hello, I'm not sure if this has been asked before but I would like to ask assistance for this problem I have. I installed gentoo for my firewall/gateway and installed dhcp and shorewall. Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything I can think of) from an internal computer inside my network to an external IP, except I cannot surf the net. I can ssh/ftp to
2005 Sep 29
20
maclist problem on a firewall/bridge/router system with masquerading
Hy, sorry for my poor english i think i'm having a very unusual problem and very difficult to track, but i'll try to explain it as best as i can. here is my scenario: a firewall/bridge composed of 3 ethernet devices and 1 virtual one. my bridge (br0 ) is composed of eth0, eth1 and tap0 br0:eth0 is my connection to my router (200.244.92.1) br0:eth1 is my connection to my
2016 Mar 21
3
hosted VMs, VLANs, and firewalld
I'm looking for some information regarding the interaction of KVM, VLANs, firewalld, and the kernel's forwarding configuration. I would appreciate input especially from anyone already running a similar configuration in production. In short, I'm trying to figure out if a current configuration is inadvertently opening up traffic across network segments. On earlier versions of CentOS
2003 Sep 05
3
Confused about approach
Greetings all, I'm a bit of a linux rookie, but a friend and I have built a firewall running Shorewall 1.4.6c over a minimal install of Redhat 9. Our network setup looks something like this: Cable Modem : eth0 :12.xxx.xxx.3 (Zone is named INSIGHT) Campus Lan : eth1 : 10.176.9.21 (Zone is named MULAN) DMZ : eth2 : 192.168.1.0 255.255.255.0 (Zone is named DMZ) Currently, I
2005 Jan 23
15
Idea: permit /etc/shorewall/masq to contain zones, as well as interfaces
Dear All, Firstly, thank you very much - shorewall is great. I'm not a member of this list, and please forgive me if I am suggesting something stupid, but the following occurs to me, and I thought it might be useful. Why not make it possible to specify zones as well as interfaces in the /etc/shorewall/masq file ? Eg: instead of: eth0 eth1 one might write: net loc (or masq in
2019 Jun 28
2
UDP broadcasts vs. nat Masquerading issue
Hi all, I'm observing an issue that as soon as libvirt starts, UDP broadcasts going through physical network (and unrelated to any virtualization) get broken. Specifically, windows neighbourhood browsing through samba's nmbd starts suffering badly (Samba is running on this same box). At the moment I'm running a quite outdated version 1.2.9 of libvirt, but other than this issue,
2007 Apr 18
2
[Bridge] bridge+filter+failover+rules&state sync+traffic shaping
hi list! i'm trying to find a convenient way to build a redundant filtering bridge under linux i looked at carp project, but carp doesn't support bridge now i think the most appropriate way is using stp or rstp it seems that 2.6 kernel supports stp but what about rstp? I read some docs about stp, but they are rather outdated (2001 and kernel 2.2) there are several problems indeed: *
2012 Jun 06
5
Error when upgrade from shorewall-4.4.13-3 to shorewall-4.5.2.3-1
Dear All, I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on CentOS, after upgrade i can't start shorewall with this message: "/Shorewall: Address Ranges require the Multiple Match capability in your kernel and iptables/" I try to search on the net about this, but no still no light. Somebody can help me? Great appreciate for any help. Regards,
2005 Jan 18
4
DMZ Recommendations
From reading the documentation, I understand that it is recommended to put servers that may be at risk in a DMZ served via proxy-arp. In this case, the local clients that are behind a NAT would have their connections to the DMZ masqueraded, yes? Is there any way around this that would still be considered secure? Just looking for advice. Thanks, A.
2005 Apr 17
2
QoS for lan users ...
Hi I have Linux box (Debian) that acting as a bridge. Eth0 and Eth1 are bridged (br0). Br0 have public IP. Eth0 connects to the internet. Eth1 connect to servers in DMZ (with public IPs). Eth2 connects my Lan (192.168.1.0/24). My connections is 2Mbit/2Mbit. I'm doing SNAT for my Lan. QoS on eth0 works fine for DMZ, but is there a possibility to doing QoS on
2005 Aug 16
1
Multipath Routing..
Ok folks, here goes.. I have been boggling with a problem for the past week, and still haven't found a solution.. I'm trying to route traffic from two providers through a Linux machine. But that is not the problem. The ISP's have provided me with a WAN IP class for both of the lines, to be routed into a DMZ where the machines are to respond to their respective
2003 Jan 13
5
Using private & public addresses together in the Shorewall's DMZ zone
To rephrase the question, "Can I use masquerading and proxy ARP in the same zone simultaneously?" It's not a stupid question--I couldn't see any reason why it wouldn't work, but I had actually try it out to convince myself that it did (which isn't a bad thing to do before posting the question to the list, by the way). In any case, the answer is
2012 Dec 04
2
shorewall6: IP fragementation getting blocked?
Hey, I have a setup that has one machine communicating to a server using UDP over IPv6. For specifics, it is using collectd with a boosted MaxPacketSize in the network config. What this means is there is some IP fragmentation happening, and that is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the particular communication I want. What I'm getting in my logs is
2019 Jul 05
1
Re: UDP broadcasts vs. nat Masquerading issue
Hi Daniel and Laine, [...] >> -A POSTROUTING -o br0 -j MASQUERADE >> -A POSTROUTING -o enp0s25 -j MASQUERADE >> -A POSTROUTING -o virbr2_nic -j MASQUERADE >> -A POSTROUTING -o vnet0 -j MASQUERADE > > *None* of those rules were added by libvirt (unless your build of [...] > You can verify my "counter-claim" by running "virsh net-destroy" for all
2005 May 30
13
RE: Proxy ARP working from Internet butnotfromfwand loc
Hi Alex, and thanks for your time. Probably not. The servers are only configured like they were when they were parallel to the fw. Just the default gateway, same as for the external interface on the fw. That's what the documentation instructed to configure the servers using arp. But is it required with extra configuration on the server connected via proxy arp? Or is it some parameter
2002 Nov 24
2
Extending Wondershaper a bit
Hello everyone. I've been trying to get Qos to work here for two days now, but it REALLY doesn't seem to work the way I want to. Here is my situation: Internet Wireless LAN Firewall DMZ Local lan As you can see, I got a Debian box in the middle as my firewall with 3 network interfaces and a wireless one. I use
2006 Jan 31
5
Traffic Shaping and Bridge
Hi All, I'm using Shorewall 3.0.4 and I'm wondering if it is possible to do traffic shaping on only one interface from a bridge. The firewall has got 3 NIC, eth0, eth1, eth2. eth0 and eth2 are bridged, but if I'm right, when you specify a traffic rate for a link, you do it for the interface. In my case, eth0 and eth2 do not appear in the interface file, but it is
2003 Jun 28
2
Hummingbird Exceed
Hello , I installed Shorewall on a linux RedHat 8.0. No problem , it works very well. I have two interfaces: eth0 : 193.95.47.194 , mask 255.255.255.192 gateway : 193.95.47.193 dns: 193.95.66.10 eth1 : 192.168.54.250 mask 255.255.255.0 (no gateway) all computers in my local network have ip addresses 192.168.54.xx , gateway: 192.168.54.250 , dns:193.95.66.10 almost 100 local machines using