Displaying 20 results from an estimated 2000 matches similar to: "FORWARD:REJECT"
2004 Dec 23
2
Reflecting internal connections to public IP back into network?
I've got a Shorewall firewall setup that's similar to the standard 3
interface configuration (net,loc,dmz). Several ports are forwarded from the
internet to computers in the dmz. I'd like to have any connections to that
same public IP address from either loc or dmz to be treated exactly as if
they were coming in from the internet itself.
There's some
2011 Aug 23
8
problems configuring shorewall in proxmox pve (debian5)
hello
before asking my question I come
My name is Santiago and I'm from Spain but I'm in Colombia
I followed this guide:
https://www.doas.montanalinux.org/proxmox-ve-with-shorewall.html
but when I run shorewall check, this error occurs:
Checking...
Initializing...
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
ERROR: Invalid
2008 Dec 31
5
Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2
Hi,
enabling this line in hosts file
"WAN
eth2:0.0.0.0/0!1.0.0.0/8,10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
routeback,blacklist,tcpflags"
results in this error message
--
Preparing iptables-restore input...
Running /usr/sbin/iptables-restore...
iptables-restore v1.3.8: error creating chain 'ACCEPT':File exists
Error occurred at line: 29
Try
2003 Apr 10
2
Shorewall 1.4.2
This is a minor release of Shorewall.
Problems Corrected:
1) TCP connection requests rejected out of the common chain are now
properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.
2) 'traceroute -I' from behind the firewall previously timed out on the
first hop (e.g., to the firewall). This has been
2007 Apr 22
1
shorewall Dom0 config using Xen's default setup -- correct?
Hi all,
The first couple of xen machines we setup used the default xen bridging
setup for dom0. I am sure there are many other people out there with
this setup. Now that I know a bit more there are probably better ways
out there to configure the xen box for firewalling, most notably
assigning the red card to a domU and running shorewall in there.
But in the meantime I would like to further
2003 Nov 08
1
Sourceforge updates, webmin
Great piece of software there...
Just a few minor problems.
First, the sourceforge site doesn't seem to be kept up to date. This
should be pointed out more (Sourceforge probably shouldn't be the first
mirror either). It caused me some long hours trying to solve a bug in
1.4.6, thinking this was the latest version, when in fact this bug was
solved in 1.4.8 (routeback for if+).
2003 Oct 21
2
problems
In the last 15 minutes I have had a major firewall running Shorewall display
some problems. This machine has been working fine for the better part of a
year, no changes made in the last week. This machine has three zones. There
is a DNAT running from the net zone and the loc zone to a webserver in the
dmz port 80 only. The DNAT from the loc zone seems to not be working
correctly. If I make a web
2009 Aug 21
2
Multiple interfaces in a zone (not a standard case)
Hi,
This subject has been brought up in the forum, but it's a bit different.
If I have a set of tun interfaces. I already defined tun+ as zone A, and I have excluded tun15 as zone B (a subset of zone A).
I need to add tun16 to zone B.
My config:
/etc/shorewall/interfaces:
A tun+ - routeback
B tun15
/etc/shorewall/
A ipv4
B:A ipv4
I tried to define in
2012 Apr 16
6
problems with shorewall proxyarp
Hi everybody.
I'm trying to configure shorewall following this manual:
http://www.montanalinux.org/proxmox-ve-with-shorewall.html
But with shorewall check it tells me that:
Checking /etc/shorewall/interfaces...
ERROR: Unknown zone (dmz) : /etc/shorewall/interfaces (line 16)
How can I define it in the zone file?
thanks for the help.
best regards,
Santiago.
2008 Mar 26
8
Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
Hi, I am running OpenVPN where I have one central hub VPN server, and multiple spoke VPN clients. I can ping from each client to the server and each client to computers on the subnet which the server resides (192.168.2.0/24) so it works ok there. I cannot however, ping from one client to another client. I guess the packet path would go:
clienta -> vpn -> shorewall/router -> vpn ->
2005 Jan 27
12
problem with masquerading with shorewall
Hello,
I'm not sure if this has been asked before but I would like to
ask assistance for this problem I have.
I installed gentoo for my firewall/gateway and installed dhcp and shorewall.
Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything
I can think of) from an internal computer inside my network to an
external IP, except I cannot surf the net. I can ssh/ftp to
2005 Sep 15
3
Portsentry
I'm running CentOS 4 with Blue Quartz on a white box, and having problems
with installing Portsentry via the .tar.gz route. Various errors, etc.
Anyone here know of a source, like an RPM or something, for Portsentry for
CentOS?
... or a similar app?
thnx, Manny
2005 Feb 07
9
Zoning Out
I'm getting my zones confused. Help.
I need to have a bunch of systems using OpenVPN to gain an IP in the
virtual subnet 10.100.1.0/24, on interface tun0.
I will then route whole subnets to those IPs, like 10.100.2.0/24 via
10.100.1.12, etc.
I want to have a policy for:
- all hosts behind tun0
- all hosts in 10.100.1.0/24
- individual subnets being routed through IPs in
2004 Jul 12
1
routeback and FAQ 32
I am trying to setup a 2 ISP shorewall box and I have 1 question. Does the routeback option replace the steps in FAQ
32 or do I need both?
Thanks
Jim
2010 Mar 17
2
DNAT Problem
Hi everyone!
I'm having time out problems when using a DNAT rule.
Rule:
DNAT:info cmtc loc:192.168.0.158 tcp 8011
Log:
Mar 17 17:50:17 gw kernel: [1583997.524924]
Shorewall:cmtc_dnat:DNAT:IN=eth3 OUT= SRC=10.1.0.2 DST=10.0.0.2 LEN=60
TOS=0x10 PREC=0x00 TTL=62 ID=4279 DF PROTO=TCP SPT=32791 DPT=8011
WINDOW=5840 RES=0x00 SYN URGP=0
Telnet:
root@emudar:~# telnet
2005 Feb 04
13
resending to new external address
Hi folks,
As you've no doubt noticed incoming spam recently massively increased. This
has overloaded our current server (24.74.9.226) which does HTTP, SMTP, POP
and IMAP. To help cope with this, I've put up a second server (24.74.9.225)
which will be the mail server, leaving the original server to just be a web
server.
Can I use shorewall on the first machine (version
2013 Sep 30
4
strange problem
Hi,
In log I get:
-----------------------------------------------------------
Sep 30 16:19:03 host kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=ip1 DST=ip2 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=27279 DF PROTO=TCP SPT=51501 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
----------------------------------------------------------
Even in /etc/shorewall/rules I have
2006 Mar 20
6
[OT maybe] netcafe firewall
Hi all,
I apologise in advance if this is a little OT, but I am building
a box that will serve as firewall and router for a small 'internet
cafe / netcafe' and am using CentOS...
So here it is:
What are the best tools to be used for keeping the potential
script kiddies from 'harming the Internet' :) ? I specifically want
to be able to detect and prevent
2009 May 15
3
Allowing traffic within same zone on multi-subnet interface
Hi list,
I'm struggling with this problem for a long time, hopefully someone
can explain me what I'm doing wrong:
I have a shorewall installation with
interfaces
net eth0
- eth1
hosts
loc 10.0.10.0/24
loc 10.0.20.0/24
+some other zones and subnets
there are aliases on eth1 for gateways for the two loc subnets
eth1:1 10.0.10.1
eth1:2 10.0.20.1
Everything works fine, loc
2003 Sep 30
3
FORWARD:REJECT messages in Shorewall
(Shorewall 1.4.4b; running the Mandrake edition.) Occasionally, usually during
a zone transfer, I get unusual Shorewall messages, like this:
Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF
PROTO=UDP SPT=4778 DPT=53 LEN=34
where the src is the DNS master, and the DST is the slave server.