Displaying 20 results from an estimated 1100 matches similar to: "Shorewall actions question"
2004 Jul 15
1
Logging and Actions
Ian has proposed that we change the way that logging interacts with
defined actions. Currently, if logging is specified on the invocation of
an action (e.g., "AllowFTP:info all all"), all traffic sent to the
AllowFTP chain is logged. In most cases, this isn't what the user
intended and other people have expressed surprise about this behavior in
the past.
The way I see this
2003 Jan 27
3
Another Bone Head question
Whilst configuring another shorewall firewall router
for another site, I must have made some totally newbie
error....
While directly on the cable modem, it works great.
But when placed on the LAN side of my existing
Shorewall box, the NEW Shorewall box could not ping,
or look up dns or anything else.
If I shutdown shorewall (clear) in the NEW box then
it could surf the net and ping etc. When
2004 May 14
0
2.0.2 .lrp problem
The 2.0.2 .lrp released yesterday contained the wrong version of
/usr/share/shorewall/functions.
I have updated the .lrp with the correct version of the functions file.
[root@lists shorewall-2.0.2]# ls -l shorwall-2.0.2.lrp
-rw-r--r-- 1 root ftp 78325 May 14 06:28 shorwall-2.0.2.lrp
[root@lists shorewall-2.0.2]# grep shorwall 2.0.2.md5sums
3ae771fcbfe217006e88e69a597c6455
2002 Aug 07
2
Re: [Shorewall-users] Common Rules
John,
I'm taking the liberty of copying the Shorewall Development list since I
believe that these issues will be of interest.
On Tue, 6 Aug 2002, Links at Momsview wrote:
> Tom,
> I'm not sure if you ever saw this document but it describes some of the
> reasons you are seeing strange packets
> after setting up NEW not SYN
>
2004 May 18
0
New 2.0.2b .lrp and new .lrp policy
I have just uploaded a new version of the 2.0.2b .lrp:
http://shorewall.net/pub/shorewall/shorewall-2.0.2b/shorwall-2.0.2b.lrp
ftp://shorewall.net/pub/shorewall/shorewall-2.0.2b/shorwall-2.0.2b.lrp
This version already includes the normal LEAF changes that are present
in the shorewall.lrp distributed with Bering and Bering-uClibc.
Thanks to K.-P. Kirchdörfer, future versions of the .lrp will
2005 May 26
3
Updated Shorewall build and publish scripts
Attached please find updated build and publish scripts. They set the
'ulink.target' parameter appropriately when converting docbook->HTML. I
have always hacked my xhtml/params.xsl file to set this parameter; these
updated scripts make that abomination unnecessary.
Paul/Mike: It might be a good idea to add a CVS project for these scripts.
-Tom
--
Tom Eastep \ Nothing is
2004 Aug 26
1
DNAT IP-Adding
Hello List.
I'm new here,
and am starting off with a pretty common question, I think.
I want to have my router DNAT incoming connections for other IPs than its
WAN IP.
In my other setup, just adding that IP as Destination Address was enough.
But that was a bit older version of Shorewall.
In my new setup, Shorewall 2.0.7 Debian Sarge, I have this line:
DNAT
2011 Jul 17
1
ipmasq to shoerwall
Hello,
Since the ipmasq package has been dropped from debian I decided to
migrate to shorewall. My setup is pretty simple:
[DSL Modem] -eth0- [shorwall/gateway] -eth1- [local network]
ipmasq required that I set the MTU on eth0 to 1492. Migrating to
shorewall went well, but a small number of web sites would load slow or
not at all. Setting the MTU on eth0 to 1492 and setting CLAMPMSS=Yes
2003 Oct 17
5
Question on sNAT for multiple external subnets
I'm wondering if the following is possible under recent versions of
shorewall:
1. We have several class-C networks from both UUNet and Internap, both of
which are actually routed over a single inbound ethernet line from UUNet
at our colocation facility: 204.176.148.0/23 and 216.52.83.0/24. This
gives us a total of 3 class-C subnets. All packets for these three subnets
would land on
2004 Oct 25
0
Problem with 2.0.10
The packages that I uploaded earlier were unfortunately incorrect. I
have uploaded the correct packages.
The incorrect md5sums are:
14e8f2bfa08cc5ca2715c8b1179d5eb2 shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a shorwall-2.0.10.lrp
The correct md5sums are:
2006 Mar 06
7
LVS-DR + Shorewall Upgrade 3.0.2 -> 3.0.4 => Trouble
Hello,
after upgrading Shorewall (see subject) and Gentoo-Linux (from Kernel 2.6.12
to 2.6.15, both with Gentoo patches, e.g. not Vanilla) the firewall on our
load balancer rejects HTTP packets for the VIP with
>Mar 5 23:22:51 balance Shorewall:all2all:REJECT:IN= OUT=eth0
>SRC=XX.XXX.XXX.XXX >DST=XXX.XXX.XXX. XXX LEN=48 TOS=0x00 PREC=0x00 TTL=114
>ID=26421 DF PROTO=TCP SPT=2025
2004 Jul 21
2
Small Modification to the Shorewall Release Model
After gaining some experience with the new release model, it has become
apparent to me that a small adjustment is warranted. I previously
announced that updates to the stable release would only contain bug
fixes. I'm modifying that slightly to allow for small low-risk
enhancements; large and/or risky enhancements will still be restricted
to the development release.
We have seen this
2004 Aug 21
2
Problems with Version 2.0.7 and Fedora 2
Hi! I have Fedora 2 installed (kernel 2.6) with 3 interfaces (eth0, eth1, eth2). On eth1 I have my local network and on eth0 the Internet connection. When I do masquerading (eth1 out by eth0) it only works for a few minutes. I don't know what I'm doing wrong, or whether it is only an incompatibility or error between the OS Fedora 2 and Shorewall 2.0.7... When I restart the shorewall service, sometimes it works and other times it doesn't.
2002 Jan 14
0
SPAM Filters -- take 2
By popular demand, I will NOT be posting email addresses on my web site.
You will have to check http://www.shorwall.net/mailman/listinfo/<list name> to
see if delivery has been disabled.
-Tom
--
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
2004 Jul 10
0
New Article in the Shorewall Documentation
Please see http://shorewall.net/PacketHandling.html. It details the flow
of a packet through a Shorewall-generated firewall.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
2004 Apr 16
0
Shorewall 2.0 French Language Guides available
Thanks to Fabien Demassieux, French Language versions of the QuickStart
Guides and the Setup Guide are now available:
http://shorewall.net/shorewall_quickstart_guide.htm
http://shorewall.sf.net/shorewall_quickstart_guide.htm
These guides will be available shortly on the other Shorewall mirrors.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \
2004 Apr 20
0
Updated rfc1918 and bogons files
Updated rfc1918 and bogons files are now available:
rfc1918 for Shorewall 2.0.0 and earlier:
http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918
bogons for Shorewall 2.0.1:
http://shorewall.net/pub/shorewall/errata/2.0.1/bogons
Thanks go to Thomas Backlund for pointing out that the file was out of date.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
2003 Feb 13
0
Updated rfc1918 file available
A new rfc1918 file that reflects the recent IANA allocation of 222/8 and
223/8 may be found at:
http://www.shorwall.net/pub/shorewall/errata/1.3.14/rfc1918
ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
2002 Aug 25
0
Shorewall Mirror in France
Thanks to a Shorewall user in Paris, there is now a mirror in France.
http://france.shorwall.net
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
2005 Apr 14
9
MAC Validation and related problem that is killing me...
Hi there...
I want to use MAC validation for strict computer access rules to our
server and LAN. I do not want any computer to have ANY kind of access
(neither LAN nor Internet access, not even get an IP from the dhcp server,
or being able to connect to anything manually configuring the IP settings)
unless its MAC is on the list. Our server has two interfaces (eth0 & eth1)
and 2 zones (net and