Menu
▾
▴
shorewall-devel — Shoreline Firewall development
You can subscribe to this list here.
| 2002 |
Jan
(16) |
Feb
(1) |
Mar
(4) |
Apr
(13) |
May
(33) |
Jun
(34) |
Jul
(9) |
Aug
(4) |
Sep
(7) |
Oct
(14) |
Nov
(9) |
Dec
(28) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(39) |
Feb
(11) |
Mar
(32) |
Apr
|
May
(13) |
Jun
(1) |
Jul
(24) |
Aug
(30) |
Sep
|
Oct
(19) |
Nov
(3) |
Dec
(165) |
| 2004 |
Jan
(75) |
Feb
(31) |
Mar
(24) |
Apr
(29) |
May
(16) |
Jun
(10) |
Jul
(26) |
Aug
(27) |
Sep
(22) |
Oct
(24) |
Nov
(15) |
Dec
(4) |
| 2005 |
Jan
(30) |
Feb
(4) |
Mar
(5) |
Apr
(26) |
May
(260) |
Jun
(65) |
Jul
(130) |
Aug
(70) |
Sep
(91) |
Oct
(51) |
Nov
(34) |
Dec
(17) |
| 2006 |
Jan
(42) |
Feb
(63) |
Mar
(11) |
Apr
(13) |
May
(4) |
Jun
(14) |
Jul
(8) |
Aug
(25) |
Sep
(19) |
Oct
(17) |
Nov
(32) |
Dec
(18) |
| 2007 |
Jan
(42) |
Feb
(25) |
Mar
(23) |
Apr
(32) |
May
(259) |
Jun
(125) |
Jul
(39) |
Aug
(12) |
Sep
(29) |
Oct
(111) |
Nov
(32) |
Dec
(79) |
| 2008 |
Jan
(41) |
Feb
(21) |
Mar
(45) |
Apr
(28) |
May
(13) |
Jun
(9) |
Jul
(11) |
Aug
(2) |
Sep
(3) |
Oct
(6) |
Nov
(19) |
Dec
(47) |
| 2009 |
Jan
(8) |
Feb
(20) |
Mar
(6) |
Apr
(37) |
May
(7) |
Jun
(37) |
Jul
(2) |
Aug
(13) |
Sep
|
Oct
|
Nov
|
Dec
(14) |
| 2010 |
Jan
(25) |
Feb
(10) |
Mar
(7) |
Apr
(4) |
May
(10) |
Jun
(10) |
Jul
(36) |
Aug
(40) |
Sep
(125) |
Oct
(10) |
Nov
(18) |
Dec
(74) |
| 2011 |
Jan
(43) |
Feb
(122) |
Mar
(50) |
Apr
(34) |
May
(123) |
Jun
(47) |
Jul
(126) |
Aug
(80) |
Sep
(83) |
Oct
(43) |
Nov
(33) |
Dec
(64) |
| 2012 |
Jan
(13) |
Feb
(34) |
Mar
(93) |
Apr
(51) |
May
(24) |
Jun
(23) |
Jul
(25) |
Aug
(8) |
Sep
(119) |
Oct
(22) |
Nov
(129) |
Dec
(85) |
| 2013 |
Jan
(123) |
Feb
(172) |
Mar
(127) |
Apr
(229) |
May
(145) |
Jun
(48) |
Jul
(22) |
Aug
(32) |
Sep
(55) |
Oct
(13) |
Nov
(13) |
Dec
(5) |
| 2014 |
Jan
(10) |
Feb
(15) |
Mar
(7) |
Apr
(2) |
May
(5) |
Jun
(8) |
Jul
(7) |
Aug
(20) |
Sep
(23) |
Oct
(29) |
Nov
(48) |
Dec
(14) |
| 2015 |
Jan
(22) |
Feb
(2) |
Mar
(11) |
Apr
(16) |
May
(20) |
Jun
(11) |
Jul
(10) |
Aug
(8) |
Sep
(3) |
Oct
(4) |
Nov
(23) |
Dec
(8) |
| 2016 |
Jan
(6) |
Feb
(14) |
Mar
(14) |
Apr
(43) |
May
(18) |
Jun
(14) |
Jul
(2) |
Aug
(3) |
Sep
(3) |
Oct
(51) |
Nov
(35) |
Dec
(25) |
| 2017 |
Jan
(8) |
Feb
(46) |
Mar
(26) |
Apr
(10) |
May
(5) |
Jun
(4) |
Jul
(7) |
Aug
(28) |
Sep
(13) |
Oct
(15) |
Nov
(6) |
Dec
(10) |
| 2018 |
Jan
(21) |
Feb
(5) |
Mar
(34) |
Apr
(18) |
May
(91) |
Jun
(5) |
Jul
(14) |
Aug
(1) |
Sep
(1) |
Oct
(3) |
Nov
(8) |
Dec
(6) |
| 2019 |
Jan
(20) |
Feb
(10) |
Mar
(2) |
Apr
(2) |
May
|
Jun
|
Jul
|
Aug
|
Sep
(3) |
Oct
|
Nov
|
Dec
(5) |
| 2020 |
Jan
|
Feb
|
Mar
(1) |
Apr
(5) |
May
|
Jun
(5) |
Jul
(1) |
Aug
|
Sep
(5) |
Oct
(20) |
Nov
(3) |
Dec
|
| 2021 |
Jan
|
Feb
|
Mar
(1) |
Apr
(2) |
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Tom E. <te...@sh...> - 2005-05-22 23:57:11
|
Paul Gear wrote: > Tom Eastep wrote: >>... >>Thanks, Juan >> >>Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want >>to release it in 2.0 and 2.2. >>... >>I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the >>POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of >> an option that opens the firewall completely like this one does. >> >>I suspect that an option in shorewall.conf that works in conjunction >>with /etc/shorewall/routestopped would be more appropriate for both >>the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts >>listed in routestopped is now enabled during [re]start). > > It seems to me that both of these are very similar circumstances to my > issue a few weeks/months back about restarting shorewall on a > high-availability firewall running heartbeat. In that case, it seems > that a more general approach that works in conjunction with routestopped > would be warranted. Once we get CVS converted over to sf.net, i'll do a > bit of work on integrating them. > In -RC1, I extended the routestopped options to include 'source' and 'dest' to indicate that all traffic from or to a host or set of hosts respectively should be accepted. I'm not sure that my changes solve the entire problem that Juan's customers are seeing but I think that it is in the right direction. If folks on the list disagree, I'll back out that change in -RC2 and the new maintainers can decide how best to address this issue. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Ron S. <rsh...@cr...> - 2005-05-22 20:50:34
|
> > 2005/5/22, Paul Gear <pa...@ge...>: > > > Perhaps using something like FAQ-O-Matic or a FAQ wiki would make > > maintenance easier. What think y'all? > > > yes; I 'll propose a similar thing. > a wiki-FAQ will be very nice. > the "problem" is the mirrors,since wikis are dinamically > generated,The FAQ needs to be linked to the master site in > the mirrors.( or database replication will be needed.) > > ideas are _really_ welcome ;) DocuWiki (http://wiki.splitbrain.org/wiki:dokuwiki) is file based, so it should mirror easily. Ron |
|
From: Cristian R. <jud...@gm...> - 2005-05-22 20:35:01
|
2005/5/22, Paul Gear <pa...@ge...>: > Perhaps using something like FAQ-O-Matic or a FAQ wiki would make > maintenance easier. What think y'all? >=20 yes; I 'll propose a similar thing. a wiki-FAQ will be very nice. the "problem" is the mirrors,since wikis are dinamically generated,The FAQ needs to be linked to the master site in the mirrors.( or database replication will be needed.) ideas are _really_ welcome ;) |
|
From: Paul G. <pa...@ge...> - 2005-05-22 20:23:54
|
Tom Eastep wrote: > Ian! D. Allen wrote: > >>Tom Eastep wrote: >> >>>Tried to access any external FTP servers from your local LAN lately? >>>I'll bet that they all seem to have exactly the same content as your own >>>server :-) >> >>Indeed they do. I missed that. That's why we pay you the big bucks! :-) >> >>We need to add a note explaining this good stuff into the FAQ - unless >>you've already explained this somewhere and I missed it? >> > > > I don't believe that it is explained in the FAQ -- OTOH, the FAQ is getting > pretty large and it certainly isn't feasible to explain everything about > Shorewall in that single document. Perhaps using something like FAQ-O-Matic or a FAQ wiki would make maintenance easier. What think y'all? -- Paul <http://paulgear.webhop.net> -- Did you know? Using Microsoft Internet Explorer can make your computer less secure. Find out more at <http://browsehappy.com>. |
|
From: Paul G. <pa...@ge...> - 2005-05-22 20:16:38
|
Tom Eastep wrote: > ... > Thanks, Juan > > Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want > to release it in 2.0 and 2.2. > ... > I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the > POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of > an option that opens the firewall completely like this one does. > > I suspect that an option in shorewall.conf that works in conjunction > with /etc/shorewall/routestopped would be more appropriate for both > the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts > listed in routestopped is now enabled during [re]start). It seems to me that both of these are very similar circumstances to my issue a few weeks/months back about restarting shorewall on a high-availability firewall running heartbeat. In that case, it seems that a more general approach that works in conjunction with routestopped would be warranted. Once we get CVS converted over to sf.net, i'll do a bit of work on integrating them. -- Paul <http://paulgear.webhop.net> -- Did you know? Most email-borne viruses use a false sender address, so you cannot track down the sender using that address. Instead, keep your virus scanning software up-to-date and just delete any suspicious emails you receive. |
|
From: Tom E. <te...@sh...> - 2005-05-22 17:16:31
|
Ian! D. Allen wrote: > Tom Eastep wrote: >>Tried to access any external FTP servers from your local LAN lately? >>I'll bet that they all seem to have exactly the same content as your own >>server :-) > > Indeed they do. I missed that. That's why we pay you the big bucks! :-) > > We need to add a note explaining this good stuff into the FAQ - unless > you've already explained this somewhere and I missed it? > I don't believe that it is explained in the FAQ -- OTOH, the FAQ is getting pretty large and it certainly isn't feasible to explain everything about Shorewall in that single document. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Ian! D. A. <id...@id...> - 2005-05-22 17:03:45
|
Tom Eastep wrote: > Tried to access any external FTP servers from your local LAN lately? > I'll bet that they all seem to have exactly the same content as your own > server :-) Indeed they do. I missed that. That's why we pay you the big bucks! :-) We need to add a note explaining this good stuff into the FAQ - unless you've already explained this somewhere and I missed it? -- -IAN! Ian! D. Allen Ottawa, Ontario, Canada - www.ottawa.ca EMail: id...@id... Home Page: http://www.idallen.com/ College professor (Linux) via: http://teaching.idallen.com/ Support free and open public digital rights: http://eff.org/ |
|
From: Tom E. <te...@sh...> - 2005-05-22 13:52:24
|
Ian! D. Allen wrote: > I'm using: shorewall-2.0.8-2mdk (Mandrake 10.2 Limited Edition 2005) > My comments below apply equally to latest shorewall CVS. > > http://shorewall.net/FAQ.htm#faq1d > http://shorewall.net/FAQ.htm#faq2b > > We need to combine FAQ #1D and FAQ #2B - they are the same thing and > repeat exactly the same shorewall code. #1d was recently cloned from 2b because people couldn't seem to find 2b reliably. You can change it back to the way it was before -- fine with me as I don't have to answer the user questions any more... The code given is: > >>DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 > > Although it doesn't say so explicitly, the above two FAQs must be > referring to a three-interface router with separate "net", "dmz", and > "loc" networks. (The case of the two-interface router is FAQ #2.) The number of interfaces is irrelevant although you are correct that it must be three or more -- the point is that the server and the clients are on different internal LANs. > > Why is the "ORIGINAL DEST" (and all the ETH0_IP code given for a dynamic > IP) needed in the above three-interface example? I'm running an FTP > server in the DMZ and my local clients (on a different interface from > the DMZ) can see the FTP server in the DMZ just fine using the external > address, without giving the ORIGINAL DEST IP in the shorewall rule. Tried to access any external FTP servers from your local LAN lately? I'll bet that they all seem to have exactly the same content as your own server :-) > I think both these FAQs should say just this: > > DNAT loc dmz:192.168.2.4 tcp 80 > > Isn't the external IP needed only if we want to match a *particular* > original destination IP (using --ctorigdst)? If we only have one > external IP address, we don't need to specify it in the rule. With the rule "DNAT loc dmz:192.168.2.4 tcp 80", there are two possibilities: a) DETECT_DNAT_ADDRS=Yes in shorewall.conf. Shorewall determines the first IP address of each interface to the 'loc' zone and for HTTP traffic destined for each of those IP addresses, it generates a DNAT rule to 192.168.2.4. b) DETECT_DNAT_ADDRS=No in shorewall.conf. All HTTP traffic from the loc zone (to any IP address whatsoever) is redirected to 192.168.2.4. Without attaching meaning to zone names, Shorewall cannot suddenly decide that neither of those is appropriate and that it should look at interfaces to the 'net' zone to determine which traffic to redirect?; 'net' doesn't even appear in the rule. Hence, it is necessary to specify the original destination IP address. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Ian! D. A. <id...@id...> - 2005-05-22 10:05:41
|
I'm using: shorewall-2.0.8-2mdk (Mandrake 10.2 Limited Edition 2005) My comments below apply equally to latest shorewall CVS. http://shorewall.net/FAQ.htm#faq1d http://shorewall.net/FAQ.htm#faq2b We need to combine FAQ #1D and FAQ #2B - they are the same thing and repeat exactly the same shorewall code. The code given is: > DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 Although it doesn't say so explicitly, the above two FAQs must be referring to a three-interface router with separate "net", "dmz", and "loc" networks. (The case of the two-interface router is FAQ #2.) Why is the "ORIGINAL DEST" (and all the ETH0_IP code given for a dynamic IP) needed in the above three-interface example? I'm running an FTP server in the DMZ and my local clients (on a different interface from the DMZ) can see the FTP server in the DMZ just fine using the external address, without giving the ORIGINAL DEST IP in the shorewall rule. I think both these FAQs should say just this: DNAT loc dmz:192.168.2.4 tcp 80 Isn't the external IP needed only if we want to match a *particular* original destination IP (using --ctorigdst)? If we only have one external IP address, we don't need to specify it in the rule. All the code given to set ETH0_IP can be moved to a separate FAQ ("How do I port forward only one of my multiple external addresses"?) for both these FAQs. It isn't needed unless we want to match a particular external IP (which I would think is fairly rare). The key point to get across in both these FAQs is that we need a simple rule to DNAT the local net to the DMZ as well as a rule to DNAT the external net to the DMZ. The fine point about selecting which external IP to use is a secondary concern, not the direct issue raised by these FAQs. Sending router traffic into the DMZ via the external addresses -------------------------------------------------------------- We might mention at the same time that we need a third rule to DNAT the router packets into the DMZ, if we also want the router to access our DMZ servers by their external addresses: DNAT fw dmz:192.168.2.4 tcp 80 Sending DMZ traffic into the DMZ via the external addresses ----------------------------------------------------------- For completeness, we could finally mention that if we want our DMZ clients to access servers in the DMZ using the server external addresses, we need a fourth rule in the router to DNAT the DMZ to the DMZ. You might wonder if the fact that both the clients and the server are on the same DMZ network might cause problems; it does. The first problem is that shorewall needs to permit traffic that comes from the DMZ to return to the DMZ. The "routeback" option must be set on the dmz zone in shorewall/interfaces, to allow packets coming into the router from the DMZ to be routed right back out to the DMZ again: dmz eth1 detect routeback The second problem is that a packet arriving in the DMZ via the router with a source address in the DMZ will not have reply packets routed correctly, since the reply will go directly to the client on the same network and will not return via the router. There are two ways to work around the reply problem - both ways force the source address of the DMZ client packet to appear to come from the router instead of from the actual DMZ client (using SNAT). The SNAT is needed because the (web) server is on the same network as the DMZ client, and return packets would not pass through the router unless the source address were set this way. (For a full explanation of this see: http://idallen.com/dnat.txt ) Reply packet fix method 1: -------------------------- We can add this complex rule to shorewall/rules to get the SNAT we need: DNAT dmz:192.168.2.0/24 dmz:192.168.2.4 tcp 80 - 206.124.146.176:192.168.2.254 The above line is complicated because it is doing two things at the same time. It's a combination of a simple DNAT of the DMZ to the DMZ mixed with the extra addresses that tell shorewall to SNAT to the router address (192.168.2.254) all packets that (a) come from the DMZ and (b) go back out the DMZ to the web server. Reply packet fix method 2: -------------------------- This is cleaner than the above but it means adding a line to the shorewall/interfaces file something like this (192.168.2.254 is the router address for eth1, eth1 is the DMZ network): # shorewall/interfaces: # SNAT to 192.168.2.254 all traffic coming from the DMZ that goes back # to the DMZ (which happens when DMZ clients access DMZ servers using # external interface IP addresses on the router): # eth1 eth1 192.168.2.254 With the above line in shorewall/interfaces, the fourth DNAT line in shorewall/rules becomes much simpler and familiar: DNAT dmz dmz:192.168.2.4 tcp 80 Note that the necessary use of SNAT means that packets from any DMZ clients that go to DMZ services via the router (via the external IP addresses) will appear, to the service, to be from the router, not from the DMZ client, and replies to those packets will return via the router. |
|
From: Tom E. <te...@sh...> - 2005-05-21 21:38:26
|
Cristian and Alex, Both of you have asked about this. A routing table can only have one default route so when the second link comes up, adding the second default route will fail. So in general, Shorewall can only reliably detect the gateway for P-T-P connections which is what the CVS current code does. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Tom E. <te...@sh...> - 2005-05-20 19:48:24
|
Juan J. Prieto wrote: > > > Also, some of our clients need to permit all new traffic during > iptables compilling (shorewall start or restart) because they have a > great number of zones and rules, so I have had to add a new > configuration variable POLICY_ACCEPT_STARTING. If it is set to 'Yes', > then DROP default policy will be added at the end of compilling period. > I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of an option that opens the firewall completely like this one does. I suspect that an option in shorewall.conf that works in conjunction with /etc/shorewall/routestopped would be more appropriate for both the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts listed in routestopped is now enabled during [re]start). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Tom E. <te...@sh...> - 2005-05-20 18:39:03
|
Juan J. Prieto wrote: > Hi, > > Here is the shorewall.conf patch. > Thanks, Juan! -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Juan J. P. <jjp...@en...> - 2005-05-20 18:32:45
|
Hi, Here is the shorewall.conf patch. Enjoy ;-) ! El vie, 20-05-2005 a las 10:57 -0700, Tom Eastep escribi=F3: > Juan J. Prieto wrote: > > Hi, > >=20 > > Here is the patch for shorewall-2.0 and 2.2. > >=20 >=20 > Juan -- Isn't a patch required for shorewall.conf also? Or do you want > this feature to be undocumented? >=20 > Thanks, > -Tom --=20 Juan Jes=FAs Prieto - Consultor=EDa TI jjp...@en... http://www.eneotecnologia.com --------------------------------------- fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5 http://pgp.rediris.es:11371/pks/lookup?op=3Dget&search=3D0xCC8599F5 |
|
From: Juan J. P. <jjp...@en...> - 2005-05-20 18:05:14
|
Hi Tom, El vie, 20-05-2005 a las 10:57 -0700, Tom Eastep escribi=F3: > Juan J. Prieto wrote: > > Hi, > >=20 > > Here is the patch for shorewall-2.0 and 2.2. > >=20 >=20 > Juan -- Isn't a patch required for shorewall.conf also? Or do you want > this feature to be undocumented? Ok (sorry ;-)), I'll make a patch for shorewall.conf. Regards. --=20 Juan Jes=FAs Prieto - Consultor=EDa TI jjp...@en... http://www.eneotecnologia.com --------------------------------------- fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5 http://pgp.rediris.es:11371/pks/lookup?op=3Dget&search=3D0xCC8599F5 |
|
From: Tom E. <te...@sh...> - 2005-05-20 17:57:28
|
Juan J. Prieto wrote: > Hi, > > Here is the patch for shorewall-2.0 and 2.2. > Juan -- Isn't a patch required for shorewall.conf also? Or do you want this feature to be undocumented? Thanks, -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Tom E. <te...@sh...> - 2005-05-20 17:53:12
|
Juan J. Prieto wrote: > Hi, > > Here is the patch for shorewall-2.0 and 2.2. > > Regards. Thanks, Juan Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want to release it in 2.0 and 2.2. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Juan J. P. <jjp...@en...> - 2005-05-20 17:41:23
|
Hi, Here is the patch for shorewall-2.0 and 2.2. Regards. El vie, 20-05-2005 a las 10:25 -0700, Tom Eastep escribi=F3: > Juan J. Prieto wrote: >=20 > > I'm working on a patch for shorewall to make it run with a Crossbeam > > X40 machine (www.crossbeamsystems.com) and I would like to know where t= o > > send it, is this list the correct location?. > >=20 >=20 > Yes, >=20 > Thanks, Juan > -Tom --=20 Juan Jes=FAs Prieto - Consultor=EDa TI jjp...@en... http://www.eneotecnologia.com --------------------------------------- fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5 http://pgp.rediris.es:11371/pks/lookup?op=3Dget&search=3D0xCC8599F5 |
|
From: Tom E. <te...@sh...> - 2005-05-20 17:25:26
|
Juan J. Prieto wrote: > I'm working on a patch for shorewall to make it run with a Crossbeam > X40 machine (www.crossbeamsystems.com) and I would like to know where to > send it, is this list the correct location?. > Yes, Thanks, Juan -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Juan J. P. <jjp...@en...> - 2005-05-20 17:12:14
|
Hi all, I'm working on a patch for shorewall to make it run with a Crossbeam X40 machine (www.crossbeamsystems.com) and I would like to know where to send it, is this list the correct location?. The patch is necesary because of Crossbeam X series running mode: when you make a shorewall start, restart or clear, there are a packet dropping until shorewall is Started or cleaned. At this moment the CPM Crossbeam module send a reset signal to the APM module (where the Linux system is running shorewall). With this patch, if you declare CROSSBEAM=3Dyes in shorewall.conf, first shorewall will set main policies to ACCEPT, then setcontinue in chains INPUT, FORWARD and OUTPUT, insert particular rules for Crossbeam backbone, and finally set main policies to DROP. Also, some of our clients need to permit all new traffic during iptables compilling (shorewall start or restart) because they have a great number of zones and rules, so I have had to add a new configuration variable POLICY_ACCEPT_STARTING. If it is set to 'Yes', then DROP default policy will be added at the end of compilling period. Regards. cheer up, Tom! --=20 Juan Jes=FAs Prieto - Consultor=EDa TI jjp...@en... http://www.eneotecnologia.com --------------------------------------- fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5 http://pgp.rediris.es:11371/pks/lookup?op=3Dget&search=3D0xCC8599F5 |
|
From: Tom E. <te...@sh...> - 2005-05-20 17:01:25
|
Alexander Wilms wrote: > Hi Tom, > > as you requested via ICQ, here comes the "restart trace" file. > > If I'm right, a restart or a clear/start cycle doesn't flush the default > routing entry, but shorewall tries to generate it again. > Result: RTNETLINK answers: File exists > This problem is corrected by the 'firewall' script in http://shorewall.net/pub/shorewall/2.3/shorewall-2.3.2/errata. Thanks, Alex -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Alexander W. <ale...@ad...> - 2005-05-20 15:15:24
|
Hi Tom, as you requested via ICQ, here comes the "restart trace" file. If I'm right, a restart or a clear/start cycle doesn't flush the default routing entry, but shorewall tries to generate it again. Result: RTNETLINK answers: File exists Thank you, Alex |
|
From: Tom E. <te...@sh...> - 2005-05-20 01:31:03
|
Jerry Vonau wrote: > Patches attached, are they in the correct format? They are perfect, Jerry. Thanks. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Jerry V. <jv...@sh...> - 2005-05-20 01:07:31
|
Hi all: The new providers file was not in the install.sh and shorewall.spec files Patches attached, are they in the correct format? Jerry |
|
From: Tom E. <te...@sh...> - 2005-05-19 22:27:37
|
Mike Noyes wrote: > On Thu, 2005-05-19 at 14:38, Tom Eastep wrote: >>Mailing Lists: I'm currently running a later version of Mailman than are >>SF. Mike tells me that SF are upgrading in the near future. Once they >>have done so, it will be easier to do the move. When the mailing lists >>move, the web site need to be updated to reflect the move. Just let me >>know what I need to do here. > > Tom, > The issue becomes the SF meaning of "near future". How long are you > willing to maintain the mailing lists? Maintaining the lists is pretty easy now that I got rid of htdig. I'll maintain them until SF upgrades. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ te...@sh... PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key |
|
From: Mike N. <mh...@us...> - 2005-05-19 21:55:00
|
On Thu, 2005-05-19 at 14:38, Tom Eastep wrote: > Mailing Lists: I'm currently running a later version of Mailman than are > SF. Mike tells me that SF are upgrading in the near future. Once they > have done so, it will be easier to do the move. When the mailing lists > move, the web site need to be updated to reflect the move. Just let me > know what I need to do here. Tom, The issue becomes the SF meaning of "near future". How long are you willing to maintain the mailing lists? Strategic Projects =C2=BB Mailing List Service=20 https://sourceforge.net/docman/display_doc.php?group_id=3D1&docid=3D2352 --=20 Mike Noyes <mhnoyes at users.sourceforge.net> http://sourceforge.net/users/mhnoyes/ SF.net Projects: leaf, phpwebsite, phpwebsite-comm, sitedocs |
39 messages has been excluded from this view by a project administrator.