similar to: Running two shorewall processes.

Displaying 20 results from an estimated 40000 matches similar to: "Running two shorewall processes."

2003 Oct 29
5
shorewall question
I am currently using shorewall on leaf-bering. I have set it up with keepalived to create a high availability firewall cluster. I have an odd question in regards to shorewall. Currently in production I have keepalived controlling shorewall starts and stops. If I remove this and leave shorewall running on the backup firewall, will I run into any problems with having the nat tables built out and
2004 Oct 21
6
After shorewall restart NAT SMTP connection slow; reboot and it works fine
I recently implemented v2.0.9 using 'shorewall setup guide' 2004-07-31. Starting with block everything not known to be in use and opening ports as complaints come in. This has led to a few rule changes. After a rule change I use shorewall restart to reload the rules. Seems to work OK... except for an outbound NAT SMTP connection from a mail server on .122 to postini.com. The
2012 Feb 24
7
how to compare shorewall config versus live iptables rules?
Greetings, I'm new to Shorewall but not to working with Iptables. Shorewall is the simplest firewall front end I have found thus far. I'm currently trying to build a Cfengine policy to maintain Shorewall configurations. My main problem at the moment is confirming that the running iptables rules match what Shorewall originally built. If I understand Shorewall correctly the
2007 Dec 14
6
kernel panic with shorewall
I have an old Pentium II which I use as a gateway and firewall for a home network. The external interface is a modem on ppp and the internal interface is ethernet. I have had this setup running successfully for many years starting with the early 2.x series Shorewall. My ISP recently changed my dial-up 'phone number and presumably also the system at the other end of my modem (they
2003 Mar 04
7
New Firewall setup recommendations?
Hello all. I'm about to set up a new firewall on an old 400 MHz K6-2 machine. What is the recommended, or most common way to go about it? I was thinking of doing a MINIMUM install of RedHat 8 (the option where they actually say "used for setting up things like firewalls") and then installing shorewall on top of that. Would this leave me with anything crucial missing in my
2003 Oct 13
4
Short Netfilter Overview
For some time, I have been working half-heartedly on a document that details how Shorewall uses Netfilter. I have finally come to terms with the fact that I am changing Shorewall at a much faster rate than I am writing the paper with the result that the paper will never be finished. To try to help people understand the structure of a Shorewall-generated ruleset, I have therefore written a brief
2005 Feb 23
13
Snort and Shorewall
Hello, I am looking for a way to have snort dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish
2003 Jul 23
3
How to Log "Related" Traffic?
Hello! We're using Shorewall 1.4.2 and running into an interesting problem when we try to enable logging of traffic that netfilter classifies as "related" to an existing connection: there doesn't seem to be a way to do it. Places where we've run into this problem are: (1) Attempting to log individual active or passive FTP data connections separately from
2004 Nov 08
5
Shorewall on FC3?
What version of shorewall do you suggest I try on a FC3 system? TIA, /ChJ
2004 Oct 16
2
Three interfaces firewall - performances problem
Hello, I've shorewall running a three interfaces firewall (net, loc, dmz) and I've got performances problems. My measured bandwidth from internet is up to 6.8 Mb/s, and I "only" get 3.5Mb/s on my LAN and 5Mb/s on my dmz. I checked with iperf, and all my interfaces (eth0, eth1, eth2) can actually work at 10 Mb/s. I tried disabling all the rules from loc to net
2008 Feb 20
2
Shorewall vpn and Messenger
I have installed the shorewall frontend with pptpd tunnelling server. All works fine except only one thing: When the outside users connect to my centos server to shorewall over pptpd vpn tunneling then the client computer can't login to live messenger, but the customer can connect perfectly with skype, use mail, internet etc... all of this program installed in their outside computers.
2003 Jun 29
3
Snapshot 20030629
Problems Corrected: 1) A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around. 2) A problem introduced in earlier snapshots has been corrected. This problem caused incorrect netfilter rules to be created when the destination zone in a rule was qualified by an address in CIDR format.
2002 Aug 07
2
Re: [Shorewall-users] Common Rules
John, I'm taking the liberty of copying the Shorewall Development list since I believe that these issues will be of interest. On Tue, 6 Aug 2002, Links at Momsview wrote: > Tom, > I'm not sure if you ever saw this document but it describes some of the > reasons you are seeing strange packets > after setting up NEW not SYN >
2012 Jan 21
9
linux kernel 3.2.x gentoo maclist
how to make this work, its seem to me that netfilter is changed more or less someplaces that shorewall do not support, using 4.4.27 shorewall and shorewall6 suggestion welcomed
2012 Apr 07
27
Shorewall 4.5.2 RC 2
RC 2 is ready for testing. Problems corrected: 1) The 4.5.1 Shorewall Lite and Shorewall6 Lite installers install the wrong SysV init script on Debian and derivatives. That has been corrected. 2) The getparams program now reads the installed shorewallrc file rather than ~/.shorewallrc. 3) The 'load' and 'reload' now copy the
2008 Dec 31
5
Problem with "routeback, blacklist, tcpflags" in Shorewall 4.2.4-2
Hi, enabling this line in hosts file "WAN eth2:0.0.0.0/0!1.0.0.0/8,10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16 routeback,blacklist,tcpflags" results in this error message -- Preparing iptables-restore input... Running /usr/sbin/iptables-restore... iptables-restore v1.3.8: error creating chain 'ACCEPT':File exists Error occurred at line: 29 Try
2005 Jan 12
6
multicast NAT
I have a standard 3 interface shorewall setup and I want to receive multicast stuff from 'net' -> 'loc'. This requires me, first, to do an IGMP join which involves 192.168.1.x -> 224.0.0.x being NATed out as the 'net' interface's IP address. Obviously replies have to be NATed back to 'loc' addresses. Can
2004 Dec 16
9
Some help for a beginner please: terser logging
Dear newfound friends, please be patient. For me reading and writing in English is more painful than dissecting IP traces :) I have tried reading through the FAQ but could not quite understand: I would like the logs to be terser. I think I can live without MAC, LEN, TOS, PREC, TTL, ID fields normally (maybe need them only in special situations). Could not understand if/how I can achieve this.
2003 Sep 19
3
psad + shorewall
Hi, I'd like to use psad from www.cipherdyne.com that analyze iptables log messages on my firewall-shorewall. It complains to incorrectly configured iptables when starting. This is the message : -------------------------------------------------------------------------------------------------- ** The INPUT chain in the iptables ruleset on debian4 includes a default LOG rule for all