Hi
I have a shorewall configuration where on the internal interface I set
up several vlans which are represented to shorewall as zones loc1 to locn.
Now all these zones are masqueraded towards the net using entries in
SNAT. So far so good.
Zone loc1 serves as something like a master or administr
Hi Tom
took me a few days to reply, Internet outside the three mile zone is
still rare.
We all were afraid this moment would come but I wish you all the best
for your many travels to come. But back to shorewall, do you see any way
your work could be carried on? I recall last time you were thinkin
Hi
On 18.03.2019 at 06:28 C. Cook wrote:
> Can anyone recommend a solution? Tracing this out I find that Shorewall
> is not actually port-forwarding my WireGuard-in port.
>
> # tcpdump -i eth0 port wgin
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on
Hi Folks
I am trying to get geoip match running on my very reliable firewall
Shorewall 5.2.3.3 Dump at gatekeeper - Tue Mar 10 02:07:17 UTC 2020
Shorewall is running
State:Started Tue Mar 10 02:06:37 UTC 2020 from /etc/shorewall/
(/var/lib/shorewall/firewall compile
Counters reset Tue Mar 10 02
Hi Tom
On 10.03.2020 at 17:59 Tom Eastep wrote:
> On 3/9/20 7:26 PM, Erich Titl wrote:
...
>>
>> Obviously I am not home else all this would be pointless. My current IP
>> address is 92.144.119.39 and the shorewall log shows the following:
>>
>> Mar 10 00:49:55
Hi Witold
On 11.03.2020 at 07:21 Witold Tosta wrote:
> On 2020.03.10 at 19:59, Tom Eastep wrote:
>>
>> Obviously the CN database is being found, since the rule is being
>> installed. If you can't find anything, please send me a full dump and
>> I'll take a look...
>>
>> -Tom
>
> Hi Everyone,
On 11.03.2020 at 22:33 Vieri Di Paola wrote:
> Hi,
>
> My rules are similar to Witek's, but I have to admit that I too have
> seen erroneous IP addr./country matching. I used the latest geoIP2
> databases from Maxmind and xtables-addons. The xt_geoip module might
> be faster, but I've decided
On 11.03.2020 at 22:47 Vieri Di Paola wrote:
>> How did you select the ipset contents? Did you use one set per country?
>> Do you have code to share?
>
> You can try this code out:
>
> https://github.com/chr0mag/geoipsets
That is fine although I hate to have the functionalities heaped up in
Hi
On 23.03.2020 at 13:56 Vieri Di Paola wrote:
> On Mon, Mar 23, 2020 at 12:45 PM Matt Darfeuille wrote:
>>
>> On 3/23/2020 11:40 AM, Vieri Di Paola wrote:
>>> Hi,
>>>
>>> I set up my Shorewall gateway with the following logic:
>>> - accept incoming connections for ports tcp 443, 80, and sev
Hi
On 23.03.2020 at 15:44 Vieri Di Paola wrote:
> On Mon, Mar 23, 2020 at 2:03 PM Erich Titl wrote:
>>
>>>>> IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
>>>>> TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
>&g
Hi
On 28.03.2020 at 00:55 José Sarabia wrote:
> Hi guys, I have the following questions:
>
> Do you know by any chance which ports do I need to enable in order to
> allow remote access using the chrome remote access feature?
A quick search yields the following
If you are having problems using
Hi Boris
On 10.05.2020 at 00:29 Boris wrote:
> Hello Shorewall – List,
>
>
...>
>
> That‘s it. Sorry for the description is quite rough. I will do a
> documentation like it is proposed in the Problem Reporting Guidelines
> with shorewall dump in some days, but maybe there is one of you have a
Hi Boris
On 10.05.2020 at 20:37 Boris wrote:
> Hi Erich,
>
> (back to the list)
>
> On 10.05.20 at 20:18 Erich Titl wrote:
>> Hi Boris
>>
>> On 10.05.2020 at 19:56 Boris wrote:
>>
>>
>>>>
>>>> Ju
Hi Boris
On 10.05.2020 at 20:41 Boris wrote:
> On 10.05.20 at 20:31 Matt Darfeuille wrote:
...>
> Hello Matt,
>
> thank you very much! It's a bit embarrassing: After using shorewall for
> many years, I don't know this basic.
>
> Of course I will give it a try.
I don't think this will wor
Hi Boris
On 10.05.2020 at 21:04 Boris wrote:
> On 10.05.20 at 20:50 Erich Titl wrote:
>> Hi Boris
>>
>> On 10.05.2020 at 20:41 Boris wrote:
>>> On 10.05.20 at 20:31 Matt Darfeuille wrote:
>> ...>
>>> Hello Matt,
>>>
>>>
Hi Boris
On 10.05.2020 at 21:25 Boris wrote:
...
>
> Hi Erich,
>
> this is what makes me crazy about my lack of understanding VoIP!
> I have a CISCO SPA112 in my own home LAN working perfect _without any
> additional rule or forwarding_. What is the TCPIP-side difference
> between the Fritzb
This is just a test message
sorry for the noise
regards
ET
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Hi
On 11.05.2020 at 20:53 Shorewall via Shorewall-users wrote:
> So I have a fairly typical 3 interface setup with shorewall. A couple
> of local LAN networks and an ISP internet network. The firewall also
> runs OpenVPN server so there is also a vpn zone for that tun interface.
>
> I am cons
Hi Boris
On 11.05.2020 at 23:10 Boris wrote:
> Hi Erich,
> hi list,
>
...>
> My plan with the VM failed (from other reason) but - lucky I am - I have
> another ALIX box on my table. So I wrote leaf.cfg and configdb.lrp into
> an existing LEAF 6.2.4...
>
> Result:
>
> agate# lsmod | grep nf_
Hi Boris
On 11.05.2020 at 23:56 Boris wrote:
> Hi Erich,
>
> On 11.05.20 at 23:22 Erich Titl wrote:
>> Hi Boris
>>
>> On 11.05.2020 at 23:10 Boris wrote:
>>> Hi Erich,
>>> hi list,
>>>
>> ...>
>>> My plan with the
Hi Boris
On 12.05.2020 at 00:08 Boris wrote:
> On 11.05.20 at 23:35 Sassy Natan wrote:
>> Hi,
>>
>> Can you please try to unload the nf_nat_sip?
>>
>> Just put this in /etc/modprobe.d/blacklist.conf
>>
>> blacklist nf_nat_sip
>> blacklist nf_conntrack_sip
>> blacklist nf_conntrack_h323
>> bl
Hi Boris
On 12.05.2020 at 00:17 Boris wrote:
> On 12.05.20 at 00:10 Erich Titl wrote:
...
>>> So, there is no 11*_sip and no *_h323 there
>>
>> Yes and one suggestion in FAQ77 suggests the same.
>>
>
> OK, thank you both.
> I put all my hope on thi
Hi Boris
On 12.05.2020 at 17:17 Boris wrote:
> Hi Erich and Sassy,
> hi list,
>
>>
>> Yes and one suggestion in FAQ77 suggests the same.
>>
>
> Wow, what a success! Thank you so very much! That was the key!
> I wrote the two sip-helpers in DONT_LOAD in shorewall.conf and the
> phonecal
Hi Boris
On 12.05.2020 at 18:59 Boris wrote:
> On 12.05.20 at 18:51 Erich Titl wrote:
>> Hi Boris
>>
>> On 12.05.2020 at 18:46 Boris wrote:
>>> On 12.05.20 at 18:32 Erich Titl wrote:
>>>> Hi Boris
>>>>
>>>> Am 12.05.2020
Hi Boris
On 12.05.2020 at 19:09 Boris wrote:
> On 12.05.20 at 19:06 Boris wrote:
>> On 12.05.20 at 19:04 Erich Titl wrote:
>>> Hi Boris
>>>
>>> On 12.05.2020 at 18:59 Boris wrote:
>>>> On 12.05.20 at 18:51 Erich Titl wrote:
>>>>
Hi Boris
On 12.05.2020 at 19:09 Boris wrote:
> On 12.05.20 at 19:06 Boris wrote:
...
>>
>
> agate# shorewall check
> Checking using Shorewall 5.2.3.4...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> ERROR: CLAMPMSS=Yes requires TCPMSS Target in you
Hi Boris
On 12.05.2020 at 20:13 Boris wrote:
> On 12.05.20 at 19:52 Erich Titl wrote:
>> Hi Boris
>>
>> On 12.05.2020 at 19:47 Boris wrote:
>>> Hi Erich,
>>>
>>>
>>> thank you VERY MUCH being online!
>>>
>>> Am 12.
Hi Folks
This might not even be a shorewall issue
I know this is just a warning, but I would like to get rid of it anyway.
It happens at shorewall restart.
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
warn: --nflog-range has never worked and is no longer sup
Hi Tom
Thanks for the quick reply
On 20.11.2020 at 18:28 Thom M Eastep wrote:
Hi Erich,
That message is covered in the "Migration Issues" section of the release notes.
Thanks for pointing this out. Do you think we could address this in
shorewall upgrade?
Thanks
ET
On 21.11.2020 at 22:42 Thom M Eastep wrote:
This cannot be handled entirely in 'update', because all logging rules must be
processed before we know if it is safe to set USE_NFLOG_SIZE=Yes.
Unfortunately, the shorewall[6].conf file is updated prior to processing the
other files.
Thanks Tom
Hi Norm
On 24.07.2021 at 14:38 Norman and Audrey Henderson wrote:
Hi, I have been using rt_rules to force certain traffic out one or the
other of my ISPs, and it has worked well for years. I seem to have done
"something" that has caused the following behavior.
One ISP is vlan5 and it's flaky
Hi
On 31.12.2021 at 15:48 Thomas wrote:
Hello,
I'm currently running VyOS 1.1.8 on a PC Engines ALIX2D13, a 500MHz
single x86 CPU, 256MB memory board with i586 architecture.
This OS is based on Squeeze, and I cannot upgrade to a newer release.
Therefore I am considering switching to Shorewall runn
Hi
On 11.01.2022 at 13:29 Bruce Bannerman wrote:
Are you running Shorewall as a system service?
Under Debian I ran once:
systemctl enable shorewall
Shorewall then starts at boot, and can be managed as a service.
To check status:
systemctl status shorewall
You also have a range of other
Hi
On 14.04.2022 at 12:25 Nicola Ferrari (#554252) wrote:
Hi list!
Anyone using wireguard with shorewall?
Yes
i was playing with a PtP tunnel, server (with static public ip address)
and a client..
No problem whatsoever, I guess you did not specify a wireguard zone and
the corresponding
Hi Nicola
On 14.04.2022 at 12:56 Nicola Ferrari (#554252) wrote:
On 14/04/2022 12:50, Erich Titl wrote:
No problem whatsoever, I guess you did not specify a wireguard zone
and the corresponding rule(s).
Many thanks Erich for your response!
I can confirm you I defined a "vpn1" zo
Hi Nicola
On 14.04.2022 at 13:01 Erich Titl wrote:
Hi Nicola
On 14.04.2022 at 12:56 Nicola Ferrari (#554252) wrote:
On 14/04/2022 12:50, Erich Titl wrote:
No problem whatsoever, I guess you did not specify a wireguard zone
and the corresponding rule(s).
Many thanks Erich for your
Hi Folks
I have a problem starting shorewall on LEAF BuB 5.2. It shows up when
shorewall is trying to restore the iptables rules.
Here is the error
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
iptables-restore: line 168 failed
ERROR: iptables-restore Failed. Input is
Hi Jérôme
On 29.09.2015 at 17:27 Jérôme Blion wrote:
> On 29/09/2015 16:51, Erich Titl wrote:
>> Hi Folks
...
>>
>> I have a trace file available if needed. It is about 1000 lines long
>> though, so I am reluctant to just post it here.
>>
>> cheers
>
Hi Tom
On 29.09.2015 at 19:21 Tom Eastep wrote:
> On 09/29/2015 08:27 AM, Jérôme Blion wrote:
...
>>
>
> Also, look in the system log -- the reason for failure is sometime
> logged by the kernel rather than being reported back by iptables-restore.
You were right, switching to kernel 4.x I mus
Hi Tom
On 29.09.2015 at 22:29 Tom Eastep wrote:
..
>
> Also looks like there may be a problem with the ipt_REJECT module. The
> 'no such helper' messages are probably being generated when the compiler
> is probing your system to determine its capabilities.
Yes, I am checking the checksums of a
Hi Tom
On 29.09.2015 at 22:29 Tom Eastep wrote:
> On 9/29/2015 11:32 AM, Erich Titl wrote:
>> Hi Tom
>>
>
> Also looks like there may be a problem with the ipt_REJECT module.
> The 'no such helper' messages are
Hi Folks
I am seeing this in shorewall-init.log, probably some date template glitch.
Oct 7 13:44:26 Shorewall configuration compiled to /var/lib/.start
Oct %_d 13:44:26 Starting Shorewall
Oct %_d 13:44:26 Initializing...
gatekeeper# shorewall version
4.6.13
cheers
Erich
Hi Tom
On 07.10.2015 at 19:48 Tom Eastep wrote:
...
> I suspect that the issue is in your version of the 'date' utility. The
> Shorewall-generated script is executing this command:
>
> timestamp=$(date +'%b %_d %T')
>
FWIW
from 'man date'
%e day of month, space padded; same as
Hi Tom
Than
On 07.10.2015 at 19:48 Tom Eastep wrote:
> On 10/7/2015 7:06 AM, Erich Titl wrote:
>> Hi Folks
>>
>> I am seeing this in shorewall-init.log, probably some date template glitch.
>>
>> Oct 7 13:44:26 Shorewall configuration compiled to /var/lib/.s
Hi Tom
On 07.10.2015 at 19:48 Tom Eastep wrote:
I patched the code in lib.core and it appears to be fixed. Would you
consider adapting this in the upcoming releases?
gatekeeper# diff -Nu lib.core lib.core.patched
- --- lib.core
+++ lib.core.patc
Hi Tom
On 07.10.2015 at 19:48 Tom Eastep wrote:
> On 10/7/2015 7:06 AM, Erich Titl wrote:
>> Hi Folks
>>
>> I am seeing this in shorewall-init.log, probably some date
>> template glitch.
>>
>> Oct 7 13:44
Hi Folks
I am trying to log using netlink as a backend and the NFLOG ulogd combo.
I can see that shorewall includes NFLOG as log target into the iptable
rules, but ulogd is not impressed. I appear to be stuck with this as I
don't know where to continue diagnosis.
Here just a few straws
--- shor
On 09.10.2015 at 17:21 Erich Titl wrote:
> Hi Folks
>
> I am trying to log using netlink as a backend and the NFLOG ulogd combo.
>
> I can see that shorewall includes NFLOG as log target into the iptable
> rules, but ulogd is not impressed. I appear to be stuck with this
Hi
I need my firewall to connect temporarily to a http/https server and
before shorewall 4.6.8 the only way I could come up with was
iptables -I fw-net -p tcp -m multiport \
--dports http,https -j ACCEPT > /dev/null 2>&1
now with the availability of shorewall open I coul
Hi Tom
On 15.10.2015 at 17:44 Tom Eastep wrote:
> On 10/15/2015 08:08 AM, Erich Titl wrote:
>> Hi
>>
..
>>
>> shorewall open fw net tcp http,https or even shorewall open fw
>> net WEB
>
> "shorewal
Hi Tom
On 15.10.2015 at 20:28 Tom Eastep wrote:
> On 10/15/2015 9:40 AM, Erich Titl wrote:
...
>
> You are correct -- zones can't be used there. Only IP addresses,
> DNS names or 'all'.
I am reluctant to use all as
Hi everybody
I am running shorewall
kerberos# shorewall version
4.6.13.3
on an embedded system and a spurious message pops up from time to time:
kerberos# [ 222.443737] nf_conntrack: automatic helper assignment is
deprecated and it will be removed soon. Use the iptables CT target to
attach hel
Hi Tom
Thanks for the quick reply
On 10.01.2016 at 05:47 Tom Eastep wrote:
...
>
> Hi Erich,
>
> Check out AUTOHELPERS in the shorewall.conf man page.
Will AUTOHELPERS get a default of NO in some close future (when
automatic helper selection will be disabled)
Would you know why the netfilte
Hi Tom
some more questions after a look at the macros
On 10.01.2016 at 05:47 Tom Eastep wrote:
...>
> Check out AUTOHELPERS in the shorewall.conf man page.
I looked at macro.FTP
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
PARAM - - tcp 21 { helper=ftp }
?else
PARAM - - tcp 21
?endif
Hi Tom
Thanks for the explicit information.
On 10.01.2016 at 17:59 Tom Eastep wrote:
> On 01/10/2016 02:36 AM, Erich Titl wrote:
>> Hi Tom
...
>
> Netfilter's automatic helper assignment is controlled by
> /proc/sys/net/netfilter/nf_conntrack_helper.
>
> Shorewal
Hi Jorn
On 30.12.2016 at 08:52 j...@jorneriksen.com wrote:
Have you posted on the Bering uClibc mailing list? There seems to be a
problem with module loading in the latest release of Bering.
Not yet - however I do know how to load modules but I'm not a kernel wiz,
so a pointer to a module nam
Hi Folks
On 21.12.2017 at 18:54 Tom Eastep wrote:
> Bill Shirley has contributed a PHP program that will populate an IPSET
> from DNS. The program is available at:
>
> http://www.shorewall.org/pub/shorewall/contrib/DNSLookup/
> ftp://ftp.shorewall.org/pub/shorewall/contrib/DNSLookup
Hi
On 28.12.2017 at 22:51 Colony.three via Shorewall-users wrote:
> I am at a complete loss. I know this is not the Strongswan forum,
Yes, it is not, and Tom in his incredible helpfulness tried to get you
through the shallows of networking.
Now it appears that you had problems understanding the bui
Hi
I am running the LEAF instance of shorewall and I just upgraded to
AP# shorewall status
Shorewall-5.1.9 Status at AP - Sat Feb 10 17:25:56 UTC 2018
Shorewall is running
State:Started Sat Feb 10 17:11:57 UTC 2018 from /etc/shorewall/
(/var/lib/shorewall/firewall compiled Sat Feb 10 17:11:55 UT
Hi everybody
after updating shorewall I am faced with a few warnings I would like to
get rid of.
SALT# shorewall restart
Compiling using Shorewall 5.1.12.1...
Compiling /usr/share/shorewall/deprecated/action.Reject for chain Reject...
WARNING: "You are using the deprecated Reject defaul
Hi Tom
On 06.05.2018 at 05:50 Tom Eastep wrote:
> On 05/05/2018 02:21 PM, Erich Titl wrote:
...
>
> Erich,
>
> Search the word 'deprecated' in that article - you will find what you need.
Sorry to be that dense. I deduce that the current format of the DROP and
RE
Hi everybody
On 06.05.2018 at 08:22 Tuomo Soini wrote:
> On Sat, 5 May 2018 23:21:21 +0200
> Erich Titl wrote:
>
...
>
> Please note: action.Reject is deprecated. Not REJECT. And same for
> action.Drop versus DROP.
#SOURCE DEST POLICY LOGLEVEL
Hi Tom
I have seen that the snat file has been extended with the content of the
(legacy) masq file.
leaftester# shorewall version
5.2.0.4
leaftester# cat snat
#
# Shorewall -- /etc/shorewall/snat
#
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net
Hi Tom
It looks like the domain shorewall.net has gone, but there are many
places in the documentation which refer to a URL using this domain. Do
we need to change all those referrals?
Thanks
Erich