similar to: netfilter modules

Displaying 20 results from an estimated 2000 matches similar to: "netfilter modules"

2004 Nov 01
2
does shorewall support more advance features of netfilter ?
e.g. string-matching CodeRed or Nimda viruses before they hit your Web server. The following rules achieve this: # DROP HTTP packets related to CodeRed and Nimda # viruses silently iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \ -d $IP --dport http -m string \ --string "/default.ida?" -j DROP iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \ -d $IP --dport http -m string \
2005 Mar 04
9
strange behaviour with rulesets
hi, i have a strange situation. i try to connect to my machine with ssh and the packets are dropped but i have at the top of my rules an accept. the configuration looks like: rules-file: ----------- ACCEPT net fw tcp 22 - TCPDUMP-log: ------------ 12:16:08.153934 84.153.98.30.1322 > [my-destination-machine].ssh: S 3717288415:3717288415(0) win 64240 <mss
2002 Sep 26
2
cross compiling
hi, i want to build openssh in my uclibc environment with a cross-compiler. my problem is that the configure-script is not very cross-compile friendly. there are a lot of things that will be tested while configuring. if the script finds a cross compiler it exits with code 1. how to solve this issue ? thanks claus
2005 Jun 24
8
The Shorewall list server is back on line
There was a lengthy power failure here in Shoreline this morning and my firewall did not come back up when power was restored. The firewall is now up and service to the server has been restored. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \
2011 Aug 11
2
Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed
Hello, after upgrading to samba 3.5.6 of Debian Squeeze some printouts will not be printed. The same print job will be printed after a couple of tries. I increased the loglevel and there are only a few messages which show what could be the problem. The print jobs don't arrive at cups. [2011/08/10 11:32:12.700665, 0] lib/charcnv.c:650(convert_string_talloc) Conversion error: Illegal multibyte
2006 Aug 08
1
netfilter patch-o-matic: where did all the patches go?
Hi all, I haven't been paying attention to this for a while, but now that I download the latest patch-o-matic-ng, I see that most of the patches are gone... Anybody have an idea where I can download the 'extras' repository? Specifically geoip. Thanks! -justin
2005 May 25
2
Firewall failover
Hi all, We are investigating firewall failover design. I have searched the net and found that projects like LVS have it mostly solved for their side but that netfilter lacks it. Of course, a simple failover of the firewall is available using things like VRRP (KeepAlive software) but without state synchronization, and that is precisely the part we need to investigate. Is this issue
2011 Sep 14
3
Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed
That's really annoying because the printing with samba is not possible, just printing directly to cups is possible. The clients are working with UTF-8, the server is working with UTF-8, don't know why character conversion should be a problem here. More details: [2011/09/14 13:55:24.173846, 5] rpc_server/srv_pipe.c:2367(api_pipe_request) Requested \PIPE\\spoolss [2011/09/14 13:55:24.173878,
2006 Nov 08
1
Running iptables/netfilter module connlimit with stock CentOS4
Greetings folks, I've been researching the various iptables modules that are included with the stock CentOS4 distro; particularly the connlimit module. Is connlimit included by default? I thought it is since performing # iptables -m connlimit --help returns information on connlimit usage along with the general iptables help info: <SNIP> connlimit v1.2.11 options: [!]
2006 Jun 29
1
FW: 2.6.17.1 compile error with a netfilter module
Does anyone know what this means and how to fix it? I know it looks like a file named lockhelp.h is missing. What can I do to fix it? I tried to put in some POM patches from patch-o-matic-ng-20060624. Could this have been my problem? . . . CC [M] net/ipv4/ipvs/ip_vs_nq.o CC [M] net/ipv4/ipvs/ip_vs_ftp.o scripts/Makefile.build:52: kbuild: net/ipv4/netfilter/Makefile - Usage of
2005 May 12
12
New Article at Shorewall.net
This article describes how to implement "Port Knocking" in Shorewall. http://shorewall.net/PortKnocking.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
2004 Sep 07
1
stealt match grsecurity
hi, can i use shorewall with configured stealth match. it is described as follows: Enabling this option will drop all syn packets coming to unserved tcp ports as well as all packets coming to unserved udp ports. If you are using your system to route any type of packets (ie. via NAT) you should put this module at the end of your ruleset, since it will drop packets that aren't going to
2003 Aug 19
7
[Fwd: Re: Shorewall 1.4.6: common chain rules are applied before policyrules?]
Thank you for your support. The next question: Is there a kind of common chain applied before ACCEPT policy? I want to DROP or REJECT Netbios traffic on most interfaces but do not want to repeat those rules in the rules file. Thanks, Boi -----Forwarded message----- > From: Tom Eastep <tmeastep@hotmail.com> > To: Le.Hong.Boi@sg.netnam.vn > Subject: Re: Shorewall 1.4.6: common
2010 Aug 21
24
Freeze with 2.6.32.19 and xen-4.0.1rc5
Hi, i have big trouble with a Debian Lenny dom0 and latest kernel 2.6.32.19 with xen-4.0.1rc5. Due to some reason the system freezes from time to time. I used kernel 2.6.31.9 with xen-3.4.2 before. The machine doesn't write anything to serial console so there are no errors or something like that. Perhaps there is something to see from the logs ... Hardware Board: Intel DQ45CB CPU:
2003 Jul 23
3
How to Log "Related" Traffic?
Hello! We're using Shorewall 1.4.2 and running into an interesting problem when we try to enable logging of traffic that netfilter classifies as "related" to an existing connection: there doesn't seem to be a way to do it. Places where we've run into this problem are: (1) Attempting to log individual active or passive FTP data connections separately from
2004 Dec 24
4
Ingress and Classifier & netfilter
Hi all, Whenever I start up TC and implement traffic policing using ingress, I get logs that go something like this: Classifier actions preferred over ingress. What does that mean?? These are the relevant lines : tc qdisc add dev $DEV handle ffff: ingress tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
2008 Nov 13
3
Does code in /etc/shorewall/start exec before or after Shorewall starts?
In the docs at http://www.shorewall.net/Shorewall-perl.html, "Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/start" implies that code in /etc/shorewall/start is executed BEFORE Shorewall starts. In the default /etc/shorewall/start # /etc/shorewall/start # # Add commands below that you want to be
2007 Apr 18
2
[Bridge] bridge+filter+failover+rules&state sync+traffic shaping
hi list! i'm trying to find a convenient way to build a redundant filtering bridge under linux i looked at carp project, but carp doesn't support bridge now i think the most appropriate way is using stp or rstp it seems that 2.6 kernel supports stp but what about rstp? I read some docs about stp, but they are rather outdated (2001 and kernel 2.2) there are several problems indeed: *
2004 Oct 01
4
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the
2005 Apr 06
3
How to use Patch-o-matic ?
Hi, i have used shorewall for several years now, but now i have a problem i can not solve by my own. I use Debian (Testing/Sarge) with shorewall 2.2 and 2.6.10 Kernel. In the next few weeks i need several IPSEC VPN tunnels - and that's the problem. "shorewall check" tells me that "Policy Match: not available". As i have RTFMd i need some iptables and netfilter patches for 2.6