similar to: Clear and list hosts in a zone

Displaying 20 results from an estimated 40000 matches similar to: "Clear and list hosts in a zone"

2004 Oct 07
1
Virus en hosts of WIFI zone causes DoS in my Shorewall box
Hi Tom, This is my first post on this list. First, I'm a Shorewall user since 1.4.6 version, and I am very satisfied with the results in my own business: WISP using this excellent GNU firewall in all of my servers (about a dozen). Tom, sincerely: THANK YOU for your creation. Shorewall really works fine. Otherwise Iptables had been voodoo for me. Well, in the past weeks I have
2003 Jan 14
1
Two web servers on DMZ zone with private addresses. How to?
That log message looks like someone (or some program) is trying to browse to moreover.com from your web server machine--it's not a reply to an external request. You'd see messages like that if you were running some sort of HTTP proxy server (like Squid) on that box (although they'd likely be to multiple IPs, unless your users only browsed to p.moreover.com). It could
2005 Apr 06
4
Publics IPs in a loc zone
Hi again, I have now configured a 2.0.8 shorewall with two interfaces: interfaces: net eth0 detect loc eth2 detect masq: eth0 eth2 the interface eth0 has the 192.168.1.10 ip and it's connected to internet the interface eth2 has the 192.168.2.1 ip and it's connected to a router (CMTS - Cable Modem Termination System)
2005 Jun 22
0
Issue migrating from 1.4.6c to 2.4.0 with all zone in DNAT rule
Hi all, net : internet zone dmz : DMZ zone Lan : local network zone in 1.4.6c this rule : DNAT all lan:10.0.0.1 tcp http - 192.0.0.1 does generate the following iptables rules in nat table : Chain OUTPOUT DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain net_dnat DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain dmz_dnat
2008 Nov 13
1
Need destination zone with DNAT- in shorewall-perl 4.2.1?
On September 5, Tom wrote: > In Shorewall 4.2, you can leave the 'loc:' out of the DNAT- rule. I tried that just now (shorewall-perl 4.2.1), and I got an error: Checking... WARNING: Destination zone (172.29.0.29) ignored : /etc/shorewall/rules (line 38) ERROR: Unknown Host (0.0.0.0/0) : /etc/shorewall/rules (line 38) where 172.29.0.29 is the destination address on
2012 May 17
0
Test Zone config question
Hi folks, I've been using shorewall in a very simple way, and very successfully, for a time, but have now come across a situation I am stumped by, so am hoping someone can help. I am rebuilding my main gateway/firewall machine, which has been using Fedora 13, to use Ubuntu Server 12, and because it's a complex change I decided to get it running as a VM before trying to roll
2004 Nov 06
0
Listing the subnets in a zone
We have a Shorewall installation which has a cron job that dynamically adds and deletes subnets to/from a zone during the day. We want to be able to list which subnets are currently in the zone at any one time. Initially we were parsing the output of "shorewall status", which works but can be very slow. Looking at the output of "shorewall status", it seems that the subnets we
2009 Aug 21
0
1 zone with multiple interfaces (special case)
Hi, I got an existing solution with shorewall where I can differentiate tun10 from tun+ as different zone. For example: /etc/shorewall/zones A ipv4 B:A ipv4 /etc/shorewall/interfaces A tun+ B tun10 Now, I have a requirement to add tun11 to zone B. When I do this in interfaces config: A tun+ B tun10,tun11 It doesn't like it (although it's ok when performing
2003 Jan 02
1
all zone in /etc/shorewall/rules
Hi, The "all" zone you can use in /etc/shorewall/policy isn't valid in /etc/shorewall/rules, is this correct? I was entering a rule to (for example) block all TCP port 12345 traffic from all sources to all destinations, and logically thinking I began typing this line. REJECT all all tcp 12345 But it didn't work :-) If I have to enter the zone names, I would
2009 Aug 21
2
Multiple interfaces in a zone (not a standard case)
Hi, This subject has been brought up in the forum, but it's a bit different. If I have a set of tun interfaces. I already defined tun+ as zone A, and I have excluded tun15 as zone B (a subset of zone A). I need to add tun16 to zone B. My config: /etc/shorewall/interfaces: A tun+ - routeback B tun15 /etc/shorewall/ A ipv4 B:A ipv4 I tried to define in
2005 May 25
5
Patch to fix dynamic add/delete to zone functionality
I'm running systems with openswan and modified _updown script supporting shorewall dynamic hosts. Because of problems with cvs head version of openswan I found an error from shorewall dynamic hosts support. When host is already in zone shorewall aborts adding process with error. This is not good thing(tm). I found out that deleting host from
2004 Nov 27
16
bridge and dynamically adding hosts to zones
Hi, I've set up a bridge which connects two parts of the same subnet with each other. I've set up everything as described in the Documentation and it works very nicely. However: I have a problem with adding hosts to zones dynamically. The zone I want to add hosts to is called 'work'. Since only the bridge br0 is defined in /etc/shorewall/interfaces
2009 Mar 17
1
masqing a zone connected _via_ a tun.
Folk, My network is described and illustrated here. http://carnot.yi.org/NetworksPage.html To allow Cantor and Dalton, in the vpn zone connected to Joule through tun0, to SMTP to my ISP, I tried this in /etc/shorewall/masq. #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK eth0 tun0 Shorewall complains. 07:21:58 Setting up Masquerading/SNAT... 07:21:58 To 0.0.0.0/0
2004 Dec 05
2
host list in /etc/shorewall/hosts: interface ignored
Hi, the new function 'shorewall show zones' in 2.2.0-Beta showed a thing which is (in my view) either a bug or not documented. If I have a line in /etc/shorewall/hosts which reads work br0:eth0:192.168.2.10,192.168.2.11,192.168.2.12 then "show zones" has the output work br0:eth0:192.168.2.10 br0:192.168.2.11 br0:192.168.2.12 That is, the
2003 Jan 20
1
only OK after stop-clear-restart
I've got shorewall installed on Mandrake 9.0 As I boot my computer ( single workstation ) I do not get any connection to the net before doing; shorewall stop, shorewall clear, shorewall restart. Only after giving those three instructions everything is normal. Is there an easy way fixing this ? Or else how can I prevent shorewall starting-up at boot, in order to start it manually once the
2003 Jan 13
5
Using private & public addresses together in the Shorewall's DMZ zone
To rephrase the question, "Can I use masquerading and proxy ARP in the same zone simultaneously?" It's not a stupid question--I couldn't see any reason why it wouldn't work, but I had to actually try it out to convince myself that it did (which isn't a bad thing to do before posting the question to the list, by the way). In any case, the answer is
2009 May 15
3
Allowing traffic within same zone on multi-subnet interface
Hi list, I'm struggling with this problem for a long time, hopefully someone can explain me what I'm doing wrong: I have a shorewall installation with interfaces net eth0 - eth1 hosts loc 10.0.10.0/24 loc 10.0.20.0/24 +some other zones and subnets there are aliases on eth1 for gateways for the two loc subnets eth1:1 10.0.10.1 eth1:2 10.0.20.1 Everything works fine, loc
2004 Dec 21
2
Defining "trusted" hosts/nets on a single interface system
Ok, I give up. I tried, really hard, before asking but I must be the most stupid shorewall user on the planet :( My laptop runs a single eth0 interface and knows Net and Firewall as zones and the default "inbound" policies are Net->Any DROP and Any->Any REJECT. Now at home I have my trusted 192.168.174.240/29 subnet which hosts my very trusted 192.168.174.242 host and I
2004 Aug 22
6
LAN to DMZ zone issues.
Hello all, Name is Andrew and in desperate need of some info. Setup: - Mandrake 9.1 with three interfaces (eth0 --> WAN) C-class /28 network (with tree virtual addresses which I am DNAT-ing to the DMZ) (eth1 --> LAN) A-class 10.0.0.0/8 (eth2 --> DMZ) A-class subnet 10.1.123.0/24 - Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk Dilemma: - LAN can not access the DMZ zone
2004 Nov 07
3
Zone to same zone policy
Are there any scenarios that require traffic from a zone to itself to be blocked? If not, Shorewall should possibly allow it as a matter of course. It seems strange having to explicitly create such a policy & it's not immediately obvious when it is required. -- Taso Hatzi caesar 17 <<-salad cjbx jc vdwwjar jc xi jc jd salad