Re: [Shorewall-users] IPsec gateway - Shorewall - 1to1 NAT

2025-04-14 Thread Justin Pryzby
You want to read about netmap. https://shorewall.org/manpages/shorewall-netmap.html On Mon, Apr 14, 2025 at 12:37:34PM -0500, Rich Goodwin via Shorewall-users wrote: > HELP! -- I just can't seem to figure out how to configure this. > I have a Shorewall/IPSEC VPN gateway configuration that is work

Re: [Shorewall-users] Shorewall with OpenVPN Hub and Spoke

2024-12-12 Thread Justin Pryzby
ter-client communication unfettered by Shorewall. Why is routeback not > having the desired effect of allowing me firewall traffic that is arriving > and leaving on my vpn zone interface? -- Justin Pryzby System Administrator Telsasoft +1-952-707-8581

Re: [Shorewall-users] Can connect to http via lan but not https

2024-10-10 Thread Justin Pryzby
35, options [mss 1460,nop,wscale 6,nop,nop,TS val > 2777840162 ecr 0,sackOK,eol], length 0 This shows that it's connecting with the client's IP. But it's possible that it's hitting the gateway and being forwarded, but without hitting a NAT rule. Check which rule is being hit

Re: [Shorewall-users] Can connect to http via lan but not https

2024-10-09 Thread Justin Pryzby
On Wed, Oct 09, 2024 at 12:30:00PM +0200, Peter Andersson wrote: > Hi! > > I'm having a problem that I can't get my head around. > We have a webserver that runs both http and https. I have no problems > connecting to it from external networks. But when I try to connect to it > locally via https I

Re: [Shorewall-users] Shorewall not starting

2023-07-29 Thread Justin Pryzby
On Sat, Jul 29, 2023 at 02:25:05PM +0100, Philip Le Riche via Shorewall-users wrote: > As before, this is running under Linux Mint (Ubuntu-based), and this time I > installed Shorewall from the standard repository for the distro (perhaps > that was my mistake?) It's failing to start on boot even t

Re: [Shorewall-users] Multi-Homed BGP - Shorewall & FRR

2023-04-26 Thread Justin Pryzby
On Wed, Apr 26, 2023 at 05:45:15PM -0500, Red Baron wrote: > I don't know if this is something that I should attempt to configure within > shorewall (multi-ISP setup and conntrack) or if there is a better way to > handle this via FRR. I don't know anything about FRR, but it sounds like you should

Re: [Shorewall-users] ejabberd DNAT problem

2023-04-18 Thread Justin Pryzby
On Tue, Apr 18, 2023 at 12:02:56AM -0400, Phil Stracchino wrote: > > > Can anyone suggest to me why my firewall is apparently ignoring my > > > instructions to accept and DNAT XMPP traffic? > > > > Are the rules being hit ? > > > > Either add ":info:xmpp" > > Add that to what? to the end of you

Re: [Shorewall-users] ejabberd DNAT problem

2023-04-17 Thread Justin Pryzby
On Mon, Apr 17, 2023 at 10:56:17PM -0400, Phil Stracchino wrote: > Greetings, > > I have a weird problem. I had a power interruption today during a generator > install, and when everything came back up afterwards, my XMPP server > (ejabberd) is not receiving any external connections. No firewall

Re: [Shorewall-users] Redirect incoming connection on a given interface to the loopback interface

2023-04-01 Thread Justin Pryzby
On Sat, Apr 01, 2023 at 11:00:17PM +0200, Olivier Sannier wrote: > Le 01/04/2023 à 18:45, Justin Pryzby a écrit : > > On Sat, Apr 01, 2023 at 06:10:50PM +0200, Olivier Sannier wrote: > > > Hello, > > > > > > I am using Shorewall 5.2.8 on a server that has three

Re: [Shorewall-users] Redirect incoming connection on a given interface to the loopback interface

2023-04-01 Thread Justin Pryzby
On Sat, Apr 01, 2023 at 06:10:50PM +0200, Olivier Sannier wrote: > Hello, > > I am using Shorewall 5.2.8 on a server that has three interfaces, one > internal, one DMZ and one connected to the Internet. > On that server, there is a service that binds itself only on localhost and > that cannot be c

Re: [Shorewall-users] shorewall have AllowICPMs incomplete or buggy

2023-03-16 Thread Justin Pryzby
On Thu, Mar 16, 2023 at 07:53:24PM +0100, Benny Pedersen wrote: > hi all :) > > https://bugs.gentoo.org/901503 > > shorewall is okay in track if implement what ufw do with icmp and ipv6-icmp What does DNS have to do with ICMP ? Show a log or rule matching of what you think was missed.

Re: [Shorewall-users] ineffective shorewall ban

2023-02-14 Thread Justin Pryzby
On Tue, Feb 14, 2023 at 02:14:58PM +0100, Yassine Chaouche wrote: > Le 2/13/23 à 3:16 PM, Simon Matter a écrit : > > Hi Yassine, > > Isn't it possible that all the requests you see are coming in over the > > already established TCP connection? I guess only new connections will then > > be blocked.

Re: [Shorewall-users] ROUTES file and routing traffic

2023-01-19 Thread Justin Pryzby
On Thu, Jan 19, 2023 at 08:28:00AM -0700, Shorewall via Shorewall-users wrote: > On 2023-01-18 23:52, Simon Matter wrote: > > Hi, > > > > > I am trying to route traffic from LOC to a network I have configured in > > > the routes file. > > > Everything in LOC has the firewall running shorewall con

Re: [Shorewall-users] Rule matching with USER?

2022-12-16 Thread Justin Pryzby
On Fri, Dec 16, 2022 at 01:27:15PM +, Mark Dixon wrote: > Hi all, > > I'm having a play with shorewall rules, specifically using the USER column > to restrict access to a local port. If I have a rule like this... > > DROP:info fw fw tcp 1332 - - - !foo - - - - - - > > ...then only local us

Re: [Shorewall-users] HELP

2022-09-16 Thread Justin Pryzby
On Fri, Sep 16, 2022 at 02:59:50PM +, Tim Taylor wrote: > I do not know if this is the correct place, but I am looking for assistance. > If this is not the right place, or if there is a better place, I would > appreciate any assistance. > I am very new to Shorewall, and inherited it from a p

Re: [Shorewall-users] ERROR: Invalid command: debug

2022-08-23 Thread Justin Pryzby
On Tue, Aug 23, 2022 at 02:35:32PM +0200, Matt Darfeuille wrote: > On 8/22/2022 12:09 PM, Vieri Di Paola wrote: > > I hit this error message on a shorewall check: > > > > ERROR: Invalid command: debug ... > > What does "debug" refer to? > > As far as I can tell, the doc does not talk about 'debug

Re: [Shorewall-users] Problema de DNAT con el Shorewall

2022-08-09 Thread Justin Pryzby
Hello, Sorry in advance for my bad Spanish. Roberto can correct me :) I think it is better to use "split DNS", so internal clients will see a different address than public clients for the same name, like: from internal: http://servicio => 192.168.100.3 (and DNAT to port 443) d

Re: [Shorewall-users] Shorewall6 on Fedora 36

2022-07-28 Thread Justin Pryzby
On Thu, Jul 28, 2022 at 09:47:53AM -0500, Eric Teeter wrote: > Running Fedora 36 with shorewall6 5.2.3.4 > It loads fine, but can't ping6 from client What client ? Are there any log messages ? Could you check using tcpdump if the pings reach the server ? -- Justin

Re: [Shorewall-users] NAT for VPN

2022-06-10 Thread Justin Pryzby
I think you probably want this part ("Using this support, only firewall1 requires /etc/shorewall/netmap"). https://shorewall.org/netmap.html#idm140072814490512 I think it should be /32. I doubt I can help more than that; it's been years since I used this, and never combined it with ipsec. -- J

Re: [Shorewall-users] NAT for VPN

2022-06-08 Thread Justin Pryzby
I don't know why you lost access to internal resources, but it may be important to understand that. It seems like your NAT rule applied when it shouldn't have. The usual way to deal with overlapping subnets is netmap. https://shorewall.org/netmap.html -- Justin

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread Justin Pryzby
On Wed, May 18, 2022 at 07:04:54PM +0200, dam...@povej.net wrote: > On centos 6 that works perfect, but on centos 7, 8 and 9. not and dont know > why. It sounds like https://shorewall.org/FAQ.htm#faq103

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread Justin Pryzby
On Wed, May 18, 2022 at 06:12:08PM +0200, dam...@povej.net wrote: > Hi > Today I have installed my 10th centos server and problem is the same. > I am desperate and will search for another firewall soon. > On ALL Centos servers where I use shorewall I never know when centos boot if > shorewall will s

Re: [Shorewall-users] Multiple ISP today

2022-04-13 Thread Justin Pryzby
On Wed, Apr 13, 2022 at 05:37:40PM -0400, rcor...@edos.cl wrote: > somebody have a example working with two ISP provider? I'm using shorewall > 5.1.10 on centos7. If necessary I can upgrade to 5.2.8 I'm using it with an old shorewall 5.0.x. Send your configuration and problem report?

Re: [Shorewall-users] FTP SSL

2022-03-18 Thread Justin Pryzby
This conversation has gone off into the weeds, but I should point out that: > Yes, you can use SFTP (aka FTP over SSH) SFTP is not actually "FTP over SSH", even if the commands are similar. > Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a > “secure tunnel” for your

Re: [Shorewall-users] FTP SSL

2022-03-16 Thread Justin Pryzby
On Wed, Mar 16, 2022 at 04:14:10PM +0100, Ruud Baart wrote: > Hi, > > I can find quite a lot of documentation concerning a FTP server. But I don't > find the way to do it. > > My situation: > >     Internet <--> Firewall <--> FTP server > > Firewall and FTP server are Debian 11 and I use the la

Re: [Shorewall-users] Cannot ping between two hosts

2022-01-24 Thread Justin Pryzby
for you to reply to the same thread, and also be easier for people to help you if all the related messages were associated with each other. On Thu, Dec 17, 2020 at 11:18:54AM -0600, Justin Pryzby wrote: > I don't understand why you started yet anothe

Re: [Shorewall-users] redirecting LAN->NET DNS to internal server, with SNAT

2022-01-12 Thread Justin Pryzby
On Wed, Jan 12, 2022 at 07:19:07PM -0500, Brian J. Murrell wrote: > Looks like Google has upped the ante with Chromecasts and it's no > longer sufficient to just block external DNS queries and expect the > Chromecast devices to fall-back to the DHCP supplied local DNS > resolvers. > > Looks like w

Re: [Shorewall-users] shorewall startup

2022-01-01 Thread Justin Pryzby
On Sat, Jan 01, 2022 at 10:59:36PM +0100, Damjan Hajsek wrote: > Is there a way to make shorewall start when centos server starts boot up? You maybe need to enable it with systemctl. Or set STARTUP_ENABLED=Yes https://shorewall.org/FAQ.htm -- Justin

Re: [Shorewall-users] Shorewall 5.2.3.2 Events - Port Knocking

2021-12-05 Thread Justin Pryzby
On Sun, Dec 05, 2021 at 05:50:44PM +0100, Jean-Francois Bogaerts wrote: > Using command "shorewall show events" I can see the event was triggered but > the relevant port action is not taken into account > > From the log I can see ACCEPT and REJECT actions > Dec  5 17:22:46 nltsystem1 kernel: [4362

Re: [Shorewall-users] DNAT from localhost to other host

2021-12-02 Thread Justin Pryzby
On Thu, Dec 02, 2021 at 07:09:04PM +0100, shacky wrote: > Hi, > I'm trying to setup a DNAT which forwards requests originally directed to > 127.0.0.1:8404 to 10.1.3.253:8404. > /etc/shorewall/interfaces: > ### > #ZONE IN

Re: [Shorewall-users] arptables-legacy

2021-12-01 Thread Justin Pryzby
On Wed, Dec 01, 2021 at 11:46:13AM +0100, Vieri Di Paola wrote: > Shorewall won't start on a recently built Linux system because it > doesn't find the arptables executable. > However, /sbin/arptables-legacy is present. > Is it as simple as making a symlink, or am I facing a much bigger > challenge

Re: [Shorewall-users] Static route configuration

2021-09-13 Thread Justin Pryzby
On Mon, Sep 13, 2021 at 12:44:23PM -0400, David Cherry wrote: > FORWARD REJECT IN=ens2 OUT=ens2 This shows that the packet is going out the same interface it came in. The interfaces file needs "routeback" to allow that. This may be fixing only the immediate problem - I haven't tried to see furthe

Re: [Shorewall-users] Static route configuration

2021-09-13 Thread Justin Pryzby
On Mon, Sep 13, 2021 at 05:57:50AM -0400, Dave via Shorewall-users wrote: > My firewall/router is a basic two-interfaces setup running shorewall > 5.2.8 on RHEL 8.4 (actually Rocky 8.4). Send its configuration or shorewall dump: https://shorewall.org/support.htm > I need to route packets to and f

Re: [Shorewall-users] Issues with default route

2021-07-24 Thread Justin Pryzby
On Sat, Jul 24, 2021 at 01:38:17PM +0100, Norman and Audrey Henderson wrote: > Hi, I have been using rt_rules to force certain traffic out one or the > other of my iSP's, and it has worked will for years. I seem to have done > "something" that has caused the following behavior. It sounds like an O

Re: [Shorewall-users] DNAT routes Net -> ExternalServer -> VPN -> InternalServer correctly, but *return* not routed BACK over VPN. DNAT, SNAT, or routing?

2021-07-06 Thread Justin Pryzby
On Tue, Jul 06, 2021 at 04:27:41PM -0400, PGNet Dev wrote: > Configs include: > > Shorewall @ "Public Server": > /rules > ACCEPT net $FW:AA.AA.AA.AA tcp 12345 > DNAT net vpn:10.10.10.99 tcp 12345 - > AA.AA

Re: [Shorewall-users] Dynamic var usage in /snat? var fails functionally, without error; static data works OK in same rule

2021-07-05 Thread Justin Pryzby
On Mon, Jul 05, 2021 at 06:53:08PM -0400, PGNet Dev wrote: > In my shorewall6-lite config, I've > /init > MYIP6=$( cat /etc/shorewall/MYIP6.current ) Can you try setting it to a static value without $() ? > I use it in SNAT as > /snat > ?FORMAT 2 >

Re: [Shorewall-users] Closed port after ubuntu update

2021-06-28 Thread Justin Pryzby
On Mon, Jun 28, 2021 at 07:47:53PM +0200, Bern D wrote: > Hi, > I use shorewall version 5.2.3.4 with Ubuntu 21.04 with the three network > interfaces: > WAN-enp3s0, > LAN-enp2s0, > WLAN-wlp4s0 > I think that  after update some _Ubuntu _packets one of my open port 6535 is > closed. What packages ?

Re: [Shorewall-users] Routing issue

2021-05-04 Thread Justin Pryzby
On Wed, May 05, 2021 at 06:32:17AM +0100, Norman and Audrey Henderson wrote: > Shorewall ought to give an error when encountering $FW in the rtrules file, > but does not... $FW isn't magic, it's just a shell variable. But if there's a poor validation, that may be legitimate complaint. -- Justin

Re: [Shorewall-users] Problem pinging ip addresses in a vpn from behind the shorewall

2021-01-10 Thread Justin Pryzby
On Sun, Jan 10, 2021 at 10:49:26PM +0100, Richard Emling wrote: > Hello. > > I recently setup a vpn between two Fritz! boxes. > the one is in a 192.168.179.0/16 range and the other is of type > 192.168.10.0/16. > So far, everything works fine and all devices connected to the one > Fritz! Box can s

Re: [Shorewall-users] HTTPS ACK dropped

2020-12-17 Thread Justin Pryzby
On Thu, Dec 17, 2020 at 10:46:54AM +0100, Vieri Di Paola wrote: > I believe this topic was dealt with some time ago here: > https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CABLYT9j-KvM0JEwxoZ3xppoL5yxZqQe6qyEj0_wJJ8eecyE3nA%40mail.gmail.com/#msg37123538 I don't understand why yo

Re: [Shorewall-users] Viewing my cable modem's status page from LAN/FW

2020-12-15 Thread Justin Pryzby
On Tue, Dec 15, 2020 at 11:06:34PM +, Paul Elliott wrote: > My cable modem sits outside the firewall (on the net NIC) on the IP > address 192.168.100.1, and with my current setup I cannot connect to > it, either from the internal network or the firewall. I would like to > do this in order to be

Re: [Shorewall-users] Re (2): (1)"shorewall status" and (2)$FW.

2020-11-29 Thread Justin Pryzby
On Sun, Nov 29, 2020 at 07:41:57PM -0800, pe...@easthope.ca wrote: > From: Justin Pryzby > Date: Sun, 29 Nov 2020 19:20:04 -0600 > > ... variable called NET_IF but then referred to it without a dollar sign, > > ... > > NET_IF appears in the 2nd column of the installed i

Re: [Shorewall-users] (1)"shorewall status" and (2)$FW.

2020-11-29 Thread Justin Pryzby
On Sun, Nov 29, 2020 at 03:55:55PM -0800, pe...@easthope.ca wrote: > From: Justin Pryzby > > I guess it should be while shorewall is running. > > Sorry. Try now. > http://easthope.ca/shorewall.dump.txt I'm not in the habit of reading shorewall dumps, but it seems l

Re: [Shorewall-users] (1)"shorewall status" and (2)$FW.

2020-11-29 Thread Justin Pryzby
On Sun, Nov 29, 2020 at 03:29:21PM -0800, pe...@easthope.ca wrote: > > Would you send your entire config or preferably a shorewall dump ? > > Click here . > http://easthope.ca/shorewall.dump.txt I guess it should be while shorewall is running. -- Justin

Re: [Shorewall-users] (1)"shorewall status" and (2)$FW.

2020-11-29 Thread Justin Pryzby
On Sun, Nov 29, 2020 at 11:13:58AM -0800, pe...@easthope.ca wrote: > Those status reports are semantically inconsistent with "not a > daemon". Status reports such as "Shorewll has configured Netfilter" > and "Shorewall has cleared its configuration of Netfilter" would be > better. > > (2) The l

Re: [Shorewall-users] How to add a second LAN segment and give it access to the internet but isolate from the other LAN?

2020-11-25 Thread Justin Pryzby
On Wed, Nov 25, 2020 at 05:35:41AM -0800, dav...@postpro.net wrote: > What Shorewall ruleset do I need to just allow this guest access to the > internet but keep it isolated to its 10.16.1.X segment? You should look for logfile entries showing why not, and send a debugging dump to the list. http

Re: [Shorewall-users] need a rule! going bonkers :-(

2020-11-23 Thread Justin Pryzby
On Mon, Nov 23, 2020 at 08:00:11PM -0800, PGNet Dev wrote: > what shorewall rule do I need to PASS this > > 2020-11-23T19:53:48.470332-08:00 test kernel: SW:[P4]OUTPUT:REJECT IN= > OUT=enp3s0 SRC=10.100.100.100 DST=10.100.100.130 LEN=112 TOS=0x00 PREC=0xC0 > TTL=64 ID=22257 PROTO=ICMP TYPE=3 COD

Re: [Shorewall-users] Whitelisting and ipsets

2020-11-16 Thread Justin Pryzby
Are you running a cronjob which is messing with it ? Check sudo crontab -l and /etc/crontab and /etc/cron.d When / how often are the ipsets being changed/added ? Install "psacct" or acct package and enable accounting and see what's running when that happens. Or move ipset out of the way (or repl

Re: [Shorewall-users] Shorewall reload doesn't reload?

2020-10-06 Thread Justin Pryzby
On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote: > >> Compilation will only happen when '/etc/shorewall' is modified. > >> So if I'm not mistaking, updating the firewall will not trigger a > >> recompilation. > >> > > > > Recompilation should occur if ANY file in ANY directory in $CONF

Re: [Shorewall-users] Keepalived ?

2020-09-17 Thread Justin Pryzby
On Thu, Sep 17, 2020 at 07:42:51PM +0200, Jord Wegge (Aqua Bio) wrote: > There is a mentioning on the FAQ for this, but the link supplied is not valid > any more… > (FAQ 65) How do I accomplish failover with Shorewall? > > Answer: This article by Paul Gear >

Re: [Shorewall-users] Building in a failsafe

2020-06-06 Thread Justin Pryzby
On Sat, Jun 06, 2020 at 10:30:58AM -0400, Alex wrote: > Hi, > > I have a shorewall-5.2.0.5 system on fedora and need to make some > changes. It's in a remote datacenter that would be difficult to access > if I locked myself out while making these changes. > > I see there are files that are used w

Re: [Shorewall-users] implement rules with NEW and ESTABLISHED

2020-05-16 Thread Justin Pryzby
On Sat, May 16, 2020 at 03:27:07PM -0400, merlinverde...@infomed.sld.cu wrote: > > Then, why appear this(sudo lsof -nP -iTCP -sTCP:LISTEN) > > sshd 2275 root 3u IPv4 24181 0t0 TCP *:22 (LISTEN) Shorewall controls the iptables layer, not which applications are listeni

Re: [Shorewall-users] implement rules with NEW and ESTABLISHED

2020-05-16 Thread Justin Pryzby
On Sat, May 16, 2020 at 09:23:36AM -0400, merlinverde...@infomed.sld.cu wrote: > How can i implement the following rules: > > iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED > -j ACCEPT > iptables -A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED > -j

Re: [Shorewall-users] Only a desktop computer

2020-05-16 Thread Justin Pryzby
On Sat, May 16, 2020 at 06:42:29AM -0400, merlinverde...@infomed.sld.cu wrote: > #SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT > $FW net ACCEPT > Supposedly I thought that this way I could not have any kind of internet > connection, but I still maintain

Re: [Shorewall-users] Only a desktop computer

2020-05-15 Thread Justin Pryzby
On Fri, May 15, 2020 at 05:32:31PM -0400, merlinverde...@infomed.sld.cu wrote: > Hi, > I only have a pc, with this pc (desktop) I connect to the internet. Where > can I find a guide to configure Shorewall in this scenario? Maybe you'd want to start here. https://shorewall.org/standalone.htm Alter

Re: [Shorewall-users] OpenVPN Client Connection -- Route Specific Local Source connections

2020-05-11 Thread Justin Pryzby
On Mon, May 11, 2020 at 11:53:34AM -0700, Shorewall via Shorewall-users wrote: > So I have a fairly typical 3 interface setup with shorewall. A couple of > local LAN networks and an ISP internet network. The firewall also runs > OpenVPN server so there is also a vpn zone for that tun interface. >

Re: [Shorewall-users] May be a problem of routing priority ?

2020-04-22 Thread Justin Pryzby
On Wed, Apr 22, 2020 at 10:28:09AM +0200, Gaétan QUENTIN wrote: > ok so i added a masquerade rule for ppp0 and it works > > MASQUERADE 172.20.10.0/24 enp0s31f6 > MASQUERADE 172.20.10.0/24 ppp0 This means: masq traffic leaving PPP0 which is from 172.20.10.0/24 (and unmasq it when it comes ba

Re: [Shorewall-users] May be a problem of routing priority ?

2020-04-21 Thread Justin Pryzby
On Wed, Apr 22, 2020 at 12:30:58AM +0200, Gaétan QUENTIN wrote: > and snat: > MASQUERADE 172.20.10.0/24 enp0s31f6 > > Now the problem: > > i add a vpn: ppp0. this one add routes like this ones: > 192.168.0.0/19 via 172.19.13.95 dev ppp0 > the vpn gateway is 172.19.13.95 > > From my containe

Re: [Shorewall-users] Interface choice not correct for source address

2020-03-26 Thread Justin Pryzby
On Thu, Mar 26, 2020 at 07:11:57PM +0100, Norman Henderson wrote: > Hi, > Suddenly -not sure why - I can't establish my OpenVPN tunnel because the > packets are leaving from the wrong interface, not appropriate to the source > address given to OpenVPN. A shorewall trace shows (with IP's altered): >

Re: [Shorewall-users] Intra zone traffic rejected by FORWARD chain

2020-03-25 Thread Justin Pryzby
On Wed, Mar 25, 2020 at 07:13:50PM -0500, Kevin Parent wrote: > > > I think you need interfaces option "routeback". > > > > In the man file for shorewall zones it states: > >    For $FW and for all of the zones defined in /etc/shorewall/zones, > >    the POLICY for connections from

Re: [Shorewall-users] Intra zone traffic rejected by FORWARD chain

2020-03-25 Thread Justin Pryzby
On Wed, Mar 25, 2020 at 05:14:32PM -0500, Kevin Parent wrote: > I've read the documentation.  It states that intra zone traffic is enabled > by default.  Unfortunately, not in my case. Where does it say that ? I think you need interfaces option "routeback". -- Justin

Re: [Shorewall-users] Incorrect cksums

2020-02-28 Thread Justin Pryzby
On Sat, Feb 29, 2020 at 10:27:24AM +1100, Bruce Bannerman wrote: > I have noticed problems with my nameserver not sustaining the propagation of > my DNS records. I don't know what you mean by that ? > On investigation, I have found a number of intermittent incorrect cksum > messages when using

Re: [Shorewall-users] Shorewall Restart Failing, DEBUG makes it work!

2020-02-16 Thread Justin Pryzby
On Sat, Feb 15, 2020 at 06:30:04PM -0600, Diego Rivera wrote: > similar to the docker rules. I'm not sure how this was done previously other > than the fact that > everything worked as intended and I never bothered to audit what was being > done. > Any insights or suggestions will be greatly appr

Re: [Shorewall-users] Shorewall Restart Failing, DEBUG makes it work!

2020-02-15 Thread Justin Pryzby
On Sat, Feb 15, 2020 at 05:20:41PM -0600, Diego Rivera wrote: > Running /sbin/iptables-restore --wait 60...iptables-restore v1.8.3 (legacy): > Couldn't load target > `LIBVIRT_PRT':No such file or directory >

Re: [Shorewall-users] Problems Starting Shorewall 5.2.3.5

2020-02-07 Thread Justin Pryzby
On Sat, Feb 08, 2020 at 04:46:44AM +, Sparechicken wrote: > Wondering if someone can assist with this error trying to start/check > Shorewall 5.2.3.5 on OpenWRT compiled for a WNDR3700v2: > > ERROR: The command 'uname -r' failed /etc/shorewall/shorewall.conf (EOF) at > /usr/share/shorewall/S

Re: [Shorewall-users] Problem after shorewall instalation.

2020-01-09 Thread Justin Pryzby
On Thu, Jan 9, 2020 at 12:10 PM José Sarabia wrote: > Hi, I installed shorewall 5.2.3.4 to a router using openwrt 18.06 firmware. > > After I configured the vi zones, rules, policy, etc, I started the > shorewall by using the shorewall start command, but after that I wasn't > able to logging to th

Re: [Shorewall-users] Is this a DOS attack?

2020-01-01 Thread Justin Pryzby
ec 29 05:01:56 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= > MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=220.121.97.43 > DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7849 PROTO=TCP SPT=59466 > DPT=8933 WINDOW=1024 RES=0x00 SYN URGP=0 Show SYN packets (connection
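Two of the threads on this page turn on reading netfilter log lines by eye: the "Static route configuration" thread, where "FORWARD REJECT IN=ens2 OUT=ens2" shows a packet leaving by the interface it arrived on (the symptom that calls for "routeback"), and the "Is this a DOS attack?" thread, where the question is whether a flood of dropped SYNs comes from one source or many and whether it is a port scan. The parser below is an added example, not code from the list or from the Shorewall project. It handles the three log-prefix styles quoted on this page (Shorewall:net2fw:DROP:IN=..., SW:[P4]OUTPUT:REJECT IN=..., and a bare "FORWARD REJECT IN=..."). The sample log lines are constructed for the example, using RFC 5737 documentation addresses, and are not taken from any real host.

```python
"""Added example: pull the two facts the threads above look for out of
Shorewall/netfilter kernel log lines. Not part of the mailing-list posts."""
import re
from collections import Counter, defaultdict

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one netfilter log line plus 'chain',
    'disposition' and 'flags', or None if the line is not such a log line.
    Prefix styles seen in the threads:
      Shorewall:net2fw:DROP:IN=eth1 ...       (classic LOGFORMAT)
      SW:[P4]OUTPUT:REJECT IN= OUT=enp3s0 ... (LOGFORMAT with a space)
      FORWARD REJECT IN=ens2 OUT=ens2 ...     (prefix without a chain tag)
    """
    m = re.search(r"\bIN=", line)
    if m is None:
        return None
    head = line[: m.start()].strip().rstrip(":")
    tail = line[m.start():]
    tokens = re.split(r"[:\s]+", head)
    rec = dict(KV_RE.findall(tail))          # IN, OUT, SRC, DST, PROTO, DPT ...
    rec["disposition"] = tokens[-1] if tokens else ""
    rec["chain"] = tokens[-2] if len(tokens) >= 2 else ""
    # Bare tokens without '=' are TCP flags or IP options (SYN, ACK, DF ...)
    rec["flags"] = {t for t in tail.split() if "=" not in t}
    return rec


def parse_lines(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def hairpins(lines):
    """Interfaces on which logged packets left by the same interface they
    arrived on (IN == OUT). That is the 'FORWARD REJECT IN=ens2 OUT=ens2'
    symptom: the interface needs 'routeback' in /etc/shorewall/interfaces."""
    c = Counter()
    for r in parse_lines(lines):
        if r.get("IN") and r.get("IN") == r.get("OUT"):
            c[r["IN"]] += 1
    return dict(c)


def top_sources(lines, n=5):
    """Most frequent SRC addresses. One address dominating a flood means it
    is not 'distributed' and a plain blacklist entry for that address will do."""
    return Counter(r["SRC"] for r in parse_lines(lines) if "SRC" in r).most_common(n)


def syn_scanners(lines, min_ports=3):
    """Sources whose bare SYNs (no ACK) hit at least min_ports distinct TCP
    ports: the port-scan pattern behind the 'Is this a DOS attack?' logs."""
    ports = defaultdict(set)
    for r in parse_lines(lines):
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            ports[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample lines modelled on the formats quoted in the threads
# (RFC 5737 documentation addresses); not copied from any real host.
SAMPLE = """\
Dec 29 05:01:56 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=203.0.113.7 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7849 PROTO=TCP SPT=59466 DPT=8933 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:01:56 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=203.0.113.7 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7850 PROTO=TCP SPT=59466 DPT=8934 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:01:57 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=203.0.113.7 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7851 PROTO=TCP SPT=59466 DPT=8935 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:02:10 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=198.51.100.9 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=12 PROTO=TCP SPT=4433 DPT=443 WINDOW=512 RES=0x00 ACK URGP=0
Sep 13 12:40:01 fw kernel: Shorewall:FORWARD:REJECT:IN=ens2 OUT=ens2 SRC=192.168.20.5 DST=192.168.30.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Nov 23 19:53:48 test kernel: SW:[P4]OUTPUT:REJECT IN= OUT=enp3s0 SRC=10.100.100.100 DST=10.100.100.130 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22257 PROTO=ICMP TYPE=3 CODE=3
"""
SAMPLE_LINES = SAMPLE.splitlines()

if __name__ == "__main__":
    print("hairpin (needs routeback):", hairpins(SAMPLE_LINES))
    print("top sources:", top_sources(SAMPLE_LINES))
    print("SYN scanners:", syn_scanners(SAMPLE_LINES))
```

On a real box feed it the kernel log, e.g. `parse_lines(open("/var/log/messages"))`, after "shorewall logwatch" or "shorewall show log" has confirmed the lines are being written at all; the functions only see what the rules actually log, so a rule with no log level contributes nothing.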

Re: [Shorewall-users] Is this a DOS attack?

2020-01-01 Thread Justin Pryzby
On Wed, Jan 01, 2020 at 11:12:51AM +, David Watkins wrote: > My configuration is a BT Homehub 5 as my ISP access point connected to my > shorewall firewall box on eth1 (192.168.1.1). My home network is connected > to the firewall on eth0 (192.168.0.1). > 10s of thousands - mostly attempting t

Re: [Shorewall-users] bridged firewall - connections initiated from privileged zone not established

2019-12-22 Thread Justin Pryzby
On Sun, Dec 22, 2019 at 11:08:30PM +0100, Markus Reitschuster wrote: > The policy file is quite simple: > > ofen all ACCEPT debug > all fw ACCEPT > fw all ACCEPT > all all REJECT debug > > When trying to ssh from a member o

Re: [Shorewall-users] Shorewall6 dont't accept SSH rules

2019-10-07 Thread Justin Pryzby
On Mon, Oct 07, 2019 at 07:39:36PM +0200, Andreas Günther wrote: > Hi > my Shorewall6 for the SSH rule on an interface without an internal network > provides the following error message: > > ERROR: Unknown destination zone (2a03) /etc/shorewall6/macro.SSH (line 9) > from /etc/shorewall6/r

Re: [Shorewall-users] Shorewall 5.2.3.2 doesn't start

2019-10-03 Thread Justin Pryzby
On Thu, Oct 03, 2019 at 07:43:12PM +0200, Andreas Günther wrote: > was ok before. before what ? > I don't use eth0, eth1. Instead I use ens3 and docker0. I don't know where > eth0, eth1 are configured. what is /etc/shorewall/interfaces -- Justin Pryzby System Administrat

Re: [Shorewall-users] Access webserver internally with public IP

2019-08-30 Thread Justin Pryzby
On Fri, Aug 30, 2019 at 07:40:58PM +0200, Øyvind Lode wrote: > When trying from the internet it does not work. > The problem is then that the pdf code tries to call itself using the > public ip 1.2.3.4. > That fails. I think among all possible solutions, you should be asking yourself why it doesn'

Re: [Shorewall-users] DNAT redirect help

2019-08-21 Thread Justin Pryzby
On Wed, Aug 21, 2019 at 10:49:33AM -0600, Richard B. Pyne wrote: > What I want to do is to redirect incoming traffic from all interfaces for > 166.70.103.226:8080 to 166.70.169.36:80 > > Both addresses are in my DMZ Are they on the same interface and do you have "routeback" enabled ? > shorewall

Re: [Shorewall-users] Multihoming advice sought

2019-07-19 Thread Justin Pryzby
On Fri, Jul 19, 2019 at 08:03:44PM -0400, Phil Stracchino wrote: > In the face of increasing unreliability of my ISP over the last year, > with frequent service outages and my connection currently having been > unstable for four days, I'm giving serious consideration to getting a > second connectio

Re: [Shorewall-users] monitor shorewall

2019-07-12 Thread Justin Pryzby
On Fri, Jul 12, 2019 at 07:31:19PM +0200, Damjan Hajsek wrote: > Hi > > I like to know how can I monitor shorewall with monit. > > So I like to use monit which check if software runs but shorewall have no > pid file. Shorewall isn't a resident daemon so there's no process nor PID. > Is there an

Re: [Shorewall-users] interface specific rules

2019-01-17 Thread Justin Pryzby
1.1.1.1/32 It says: http://shorewall.net/manpages/shorewall-rules.html SOURCE - source-spec[,...] Source hosts to which the rule applies. source-spec is one of the following: zone:interface ... -- Justin Pryzby System Administrator Tels

Re: [Shorewall-users] one to one NAT

2019-01-10 Thread Justin Pryzby
On Thu, Jan 10, 2019 at 04:31:51PM -0800, Naveen Neelakanta wrote: > How to achieve one to one NAT. I believe one to one Nat is equivalent of > having a snat and a matching reverse DNAT rule. If that's what you want, did you read this? http://shorewall.org/NAT.htm Justin

Re: [Shorewall-users] snat and nat

2019-01-10 Thread Justin Pryzby
On Thu, Jan 10, 2019 at 03:30:49PM -0800, Naveen Neelakanta wrote: > I am using snat file to translate private to public address and change port. > When do i need to use nat file? and what is its significance, please > throw some light on the difference between snat and nat ( files in > Shorewall

Re: [Shorewall-users] Invalid Zone Name

2019-01-06 Thread Justin Pryzby
On Sun, Jan 06, 2019 at 03:17:10PM -0800, C. Cook wrote: > I am trying to set up some WireGuard VPN channels, and one of them is > called incomingWG. > > Wireguard starts up just fine with this as an interface, but Shorewall > is unhappy with this as a zone. > > I changed the zone to all lower-ca

Re: [Shorewall-users] WireGuard Port Forwarding

2018-12-23 Thread Justin Pryzby
ou can maybe run date |logger to make a timestamped log. Or configure r/syslog to include timestamps to /var/log/syslog (messages?) On Sun, Dec 23, 2018 at 10:59:09AM -0800, C. Cook wrote: > On 12/22/18 5:04 PM, Justin Pryzby wrote: > > eth0 is "net" but has a private IP ? >

Re: [Shorewall-users] WireGuard Port Forwarding

2018-12-22 Thread Justin Pryzby
On Sat, Dec 22, 2018 at 04:17:59PM -0800, C. Cook wrote: > I've set up WireGuard on a VM in my LAN.  In the LAN's router I am > port-forwarding my chosen (UDP) WireGuard port to the WireGuard server > in the LAN. (All CentOS 7.6)  I've forwarded the shorewall.dmp from the > WG server to Tom. What

Re: [Shorewall-users] SECTIONS in shorewall-rules

2018-11-01 Thread Justin Pryzby
On Thu, Nov 01, 2018 at 02:07:44PM +0100, Kevin Olbrich wrote: > Hi! > > I have these rules in my shorewall-rules: > > > # Allow ping to the callserver > > Ping(ACCEPT) all fw > > # Allow SSH to the callserver > > ACCEPT all fw tcp 1337 > > # Allow SIP traffic to the callserver from the internet

Re: [Shorewall-users] DDOS UDP flood

2018-09-21 Thread Justin Pryzby
On Thu, Sep 20, 2018 at 09:27:35AM +1000, Richard wrote: > Not going to help for UDP, but it would stop TCP replies if it was a TCP > flood ? If you DROP the initial TCP "SYN" packet, there's no connection nor reason to reply to anything else. shorewall/blacklist is the easy way (see also shorewall/i

Re: [Shorewall-users] DDOS UDP flood

2018-09-19 Thread Justin Pryzby
On Thu, Sep 20, 2018 at 08:52:20AM +1000, Richard wrote: > My child was playing fortnite last night when another kid in the lobby > threatened to DDOS him, It doesn't appear to be "distributed", right ? > SRC= 98.139.130.248 > SRC= 98.139.130.248 > SRC= 98.139.130.248 > SRC= 98.139.130.248 > Is

Re: [Shorewall-users] OpenVPN and Multi-ISP with USE_DEFAULT_RT=Yes

2018-09-09 Thread Justin Pryzby
On Sun, Sep 09, 2018 at 08:30:36PM +0100, Ben Webber wrote: > I have a connection to the internet (talktalk) and an openvpn connection to a > provider that uses redirect-gateway def1 to add entries to the main routing > table [...] > Currently I have USE_DEFAULT_RT=No set in shorewall.conf. I th

Re: [Shorewall-users] Redirecting DNS requests

2018-08-19 Thread Justin Pryzby
On Sun, Aug 19, 2018 at 06:29:28PM +0200, David Ventura wrote: > I would like to redirect (LAN) DNS requests to a different LAN server > (essentially forcing a failover for DHCP clients during the main DNS > maintenance) > > How can I achieve this? Something like #ACTION SOURCE

[Shorewall-users] inline comments

2018-07-02 Thread Justin Pryzby
Hi, Is it possible to create an inline comment? Something like this; if not, consider this a feature request from a longtime happy customer. ACCEPT net,loc $FW tcp 3679,3680,3681,8800 - ; -m comment --comment xyz To me, that's frequently preferable to

Re: [Shorewall-users] site to site vpn in shorewall

2017-07-31 Thread Justin Pryzby
On Mon, Jul 31, 2017 at 12:42:09PM -0400, Lennart Sorensen wrote: > On Mon, Jul 31, 2017 at 11:35:34AM -0500, Justin Pryzby wrote: > > No - OpenVPN (not VON) is popular but not a standard protocol like ipsec, > > and > > doesn't interoperate with cisco (or other

Re: [Shorewall-users] site to site vpn in shorewall

2017-07-31 Thread Justin Pryzby
On Mon, Jul 31, 2017 at 05:29:18PM +0100, Simon Hobson wrote: > B dcunha wrote: > > > I have a remote site and need to setup a site to site vpn > > site A i have shorewall > > site B cisco asa 5300 > > This is out of scope for Shorewall. Shorewall will manage policies/rules for > traffic throu

Re: [Shorewall-users] ipsec policy matching in both directions to clamp TCP MSS

2017-05-05 Thread Justin Pryzby
On 05/04/2017 04:12 PM, Tom Eastep wrote: > > Sounds to me like you have an IPSEC configuration problem, with > > IPSEC only being used in one direction. I don't *think* so .. for example a ping: 19:06:05.127457 IP 50.244.222.3.4500 > 66.32.11.4500: UDP-encap: ESP(spi=0xe10dde9c,seq=0x44), le

[Shorewall-users] ipsec policy matching in both directions to clamp TCP MSS

2017-05-04 Thread Justin Pryzby
I'm having an issue setting MSS=1300 for an ipsec host. Depending on if I define the zone to be "ipsec" or "ipv4" I can get incoming SYN or SYN,ACK to hit the MSS rule, but not both. I have FASTACCEPT=No. It seems like iptables thinks the originating packet from our LAN to the remote host matche

Re: [Shorewall-users] Limiting bandwidth to a set of machines

2016-12-05 Thread Justin Pryzby
On Mon, Dec 05, 2016 at 01:26:28PM -0500, Stefan Monnier wrote: > I've been looking at the traffic shaping documentation but can't find > the answer there: the "simple traffic shaping" seems to only be able to > limit bandwidth on a whole interface (I only want to limit bandwidth to > some of the m

Re: [Shorewall-users] Startup error with more than 9 entries in tcinterfaces

2016-06-05 Thread Justin Pryzby
On Sun, Jun 05, 2016 at 11:19:59PM +0200, Felix Eckhofer wrote: > Hey. > > We are currently experimenting with TC_ENABLED=Simple and it seems that > when we add more than 9 interfaces to tcinterfaces, shorewall fails to > start. > It does not matter in which order the interfaces are listed or if

[Shorewall-users] tc error if tcclasses classify MARK "0"

2016-04-18 Thread Justin Pryzby
A tcclasses entry with mark=0 causes shorewall 5.0.4 restart to terminate abruptly, breaking connections. This is with iproute2-3.12.0-2 on an ubuntu system. I propose that the compiler should reject this entry with a clean error message. [...] Setting up Proxy ARP... Adding Providers... Setting

[Shorewall-users] CLASSIFY vs MARK

2016-04-17 Thread Justin Pryzby
Hi All I'm trying to understand the difference between shorewall/iptables MARK and CLASSIFY. As I understand, classify used to be done at the TC layer (not iptables), but now (can be) done in iptables. Is there some reason to use MARK/CLASSIFY over the other ? tcclasses: OPTIONS - {-|{classify

[Shorewall-users] sport="=" in ./mangle

2016-04-02 Thread Justin Pryzby
I see the "rules" file now supports SPORT="=" to match a previously-given list of DPORTs. Is it reasonable to request the same functionality in mangle, for traffic shaping ? For example, I want to make mark=1 mean "prioritized traffic" (on every interface), and guarantee 20kbps in tcclasses with

[Shorewall-users] limiting conntrack ctevents

2015-05-15 Thread Justin Pryzby
I'm using conntrackd; and wondered if shorewall-conntrack syntax allows limiting conntrack to only "assured,destroyed" events as described here: http://conntrack-tools.netfilter.org/manual.html#sync-iptables-filtering The intent is to reduce CPU use. I see that's possible using CT:helper:..(...),

Re: [Shorewall-users] HTB Traffic Shaping - Limit Download

2009-12-20 Thread Justin Pryzby
On Sun, Dec 20, 2009 at 07:34:49PM -0500, Brian J. Murrell wrote: > P.S. One thing I have not done any research into is how all of this > could work when encapsulating prioritized traffic into a tunnel like > openvpn. It's all fine and dandy for the VOIP traffic to have priority > while it's unwra

[Shorewall-users] man page corrections

2009-10-11 Thread Justin Pryzby
I reread the manual pages and made corrections with varying degrees of importance. It doesn't appear to be the source format, but I wasn't immediately able to find that. Some of these changes are formatting only. Justin shorewall-typos.bz2 Description: Binary data -