Displaying 20 results from an estimated 6000 matches similar to: "Shorewall problems"
2005 Apr 03
10
Problems with Shorewall 2.2 on Fedora FC3
I installed Shorewall 2.2.2 on a vanilla install of Fedora FC3 I have not
updated the kernel yet. After some fault finding I went back to the 2
interface example configuration files for 2.2.2.
In shorewall.conf I have to specify the path for IPTABLES="/sbin". If I
leave this commented out then shorewall reports that it cannot find
iptables. When I have this line in shorewall will
2007 Jun 14
1
Conntrackd and shorewall
Hi,
I'm trying to use conntrackd, shorewall and keepalived.
Conntrackd (now known as conntrack-tools) is working ok, keepalived
too, but I don't know how to put some iptables rules in shorewall.
eth0 is the local area (192.168.0.0/24)
eth1 is the net area (192.168.1.0/24)
[1] iptables -P FORWARD DROP
[2] iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[3] iptables -A
2003 Jan 21
14
Emule + Shorewall
Hi,
I've installed Emule (p2p program) on my client box but I can't access
the servers due to the firewall.
I'm getting these blocking errors:
Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0
SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57
ID=50538 DF PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
My rules file
2015 Nov 12
3
Shorewall and the latest kernel problem
I just installed the latest kernel 2.6.32-573.8.1.el6.x86_64 and when I
rebooted it shorewall (shorewall-4.5.4-1.el6.noarch) failed with the
following error
ERROR: a non-empty masq file requires NAT in your kernel and iptables
/etc/shorewall/masq (line 15)
Question is, is this a problem in the kernel or is it a problem in
Shorewall?
Booting the previous kernel allowed shorewall to start
2004 Nov 27
3
/etc/shorewall/masq
In /etc/shorewall/masq I have:
eth0 eth1
eth0 vmnet1
eth0 vmnet8
-------------
eth0 is my default route to the Linksys
router connected to the cable modem.
eth1 is my connection to 192.168.1 subnet
and it is the gateway for all other machines
on this subnet.
My routing table is:
# netstat -nr
Kernel IP routing table
Destination
2002 Sep 16
3
Shorewall 1.3.8
This is a minor release of Shorewall which rolls up a number of bug
fixes.
New features include:
1. A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
2. The need for the
2003 Jan 18
2
Don't want to have to issue shorewall start
Hello,
Could someone with the requisite shorewall expertise please help me?
Here is a description of my problem. I dial in to my ISP using kppp. It
seems to establish a connection just fine. However, only a handful of
bytes are exchanged. I must then become 'root' and issue 'shorewall
start' in order to get the Internet connection to work normally. Once
2013 Sep 06
3
Shorewall OpenVPN, routing back from a LAN
When using shorewall with a road warrior openvpn setup, how can I get the
tun interface to masq through a lan interface?
Example Setup:
Machine A (tun0 10.0.0.1) -----------VPN---------(tun0 10.0.0.2)---------Machine B(10.10.10.1)
When I ping Machine B from Machine B, Machine B is receiving the echo
request, but it doesn't know the route back to the 10.0.0.0/24, and there
2010 May 02
4
Kernel Panic on Masq Enable with Shorewall 4.4.8 & 2.6.27.45-0.1-default #1 SMP
All,
I have been using Shorewall successfully for years on many different machines and configurations. However, I just built a new box and wanted to setup shorewall on it. I'm running SuSE Linux Enterprise Server 11 and Shorewall 4.4.8 (latest version as of this e-mail) using the RPM download. I am able to install Shorewall just fine and I'm able to setup everything except
2005 Nov 21
2
shorewall status
Hi
I wonder if you can help... I have setup shorewall(2.2.3) under debian on a
machine that has 4 network ports... the idea is that there is 1 WAN port, 1
DMZ port, and 2 LAN ports, 1 LAN port has static NAT setup for selected
incoming connection from trusted sources, and the second LAN port I am
trying to setup using masq NAT as it only requires outgoing connections, no
incoming.
the static NAT
2008 Jan 20
2
DNAT net to net (shorewall 3.2.6)
Hello,
On my systems I use shorewall 3.2.6.
Now all systems were replaced by new ones with new ip's.
So I tried with DNAT to map the old ip's to the new one as long as DNS is
updated.
But I didn't get it to work.
I see in tcpdump that a connect from client-ip to new-server-ip is done
while connecting to the old one.
But I get no response.
Did I configure something in the
2004 Dec 10
2
Shorewall and IPSEC
I setup some IPSEC between 2 networks. From 1 network I can ping the other
networks local connection but not anything beyond that.
Network A - 10.0.1.1 (loc) 23.23.23.23 (net)
Network B - 10.0.2.1 (loc) 44.44.44.44 (net)
I'm on local machine 10.0.1.10 on network A, I can ping 10.0.2.1 but I
cannot ping a machine on that network ex. 10.0.2.200.
I was thinking it probably has to do
2003 Feb 08
1
Shorewall 1.3.14
Shorewall 1.3.14 is now available. Thanks go to Francesca Smith for
helping with updating the sample configurations.
New in 1.3.14:
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
2008 Jan 08
8
Shorewall and LVS-NAT (via fwmark) nat'd machines can't access the outside world directly
Hi guys,
I'm not sure where to post for help on this one, shorewall or lvs, I'll
start with shorewall (only cause Tom is a gun at this stuff, and is polite
enough to tell me to bugger off to the LVS list if I'm posting in the wrong
one ;)
I have a single box that is my router/firewall/LVS.
Internet -- eth0 - router/firewall - eth1 --- internal lan
|
eth2
2003 Feb 27
6
Shorewall 1.4.0 Beta 2
The second Beta is now available at:
http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta
Function from 1.3 that has been omitted from this version includes:
1) The 'check' command is no longer supported.
2) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
2012 Jan 07
3
One-to-one or one-to-many association
Hi,
I am creating a stock control application.
I have a table called "equipment_type" that stores a general
description of a piece of equipment. This could be for instance: Canon
60D DSLR camera.
I also have a table called "equipment" that stores all the equipment
we have with their serial numbers. There may be many Canon 60Ds and
they should refer to the
2003 Oct 29
5
shorewall question
I am currently using shorewall on leaf-bering. I have set it up with
keepalived to create a high availability firewall cluster. I have an odd
question in regards to shorewall. Currently in production I have
keepalived controlling shorewall starts and stops. If I remove this and
leave shorewall running on the backup firewall, will I run into any
problems with having the nat tables built out and
2004 Oct 22
6
Bluetooth, palm, ppp and shorewall
Hi Folks!
I'm new to shorewall (in the process of switching from Bastille), and I
have a question as to how to address using Bluetooth enabled Palms with
a BT dongle on a linux box protected by shorewall.
Basically I followed the directions located at
http://www.metacon.ca/bcs/view.php?page=bluetooth
to get things working strictly with iptables, specifically:
echo
2004 Aug 03
4
Mandrake 10 - Shorewall 2.0.3a problem
Hi !,
I have this problem. On a Mandrake 10.0 server with all the updates (Kernel
2.6.3-15mdk, iptables-1.2.9-7mdk and shorewall-2.0.3a-1mdk), one of our
internal users has to FTP some files to our external web server. I think we
have the correct configuration and rules in shorewall, and have read the
http://www.shorewall.net/FTP.html document. Still, our users can't FTP to
the
2004 Jan 22
5
Shorewall 1.4.10 RC1
I'm doing more releases of 1.4.* to try to work around the absurd way in which
the 2.6 kernel supports ipsec.
1.4.10 will provide a means for excluding multiple destination hosts/subnets
from masquerade/SNAT.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net