From: Hosney O. <hos...@gm...> - 2024-02-26 16:42:23

Nice to know.

On Mon, Feb 26, 2024 at 9:10 AM Matt Darfeuille <ma...@sh...> wrote:
> On 2/24/24 14:42, Hosney Bin Osman wrote:
> > Hi all,
> >
> > kindly I need your support to make a transformation from iptables to
> > Shorewall.
> >
> > Please find the iptables script attached.
>
> We do not offer that kind of support.
>
> --
> Matt Darfeuille <ma...@sh...>
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
> SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
> Homepage: https://shorewall.org
>
> _______________________________________________
> Shorewall-users mailing list
> Sho...@li...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
From: Matt D. <ma...@sh...> - 2024-02-26 07:10:00

On 2/24/24 14:42, Hosney Bin Osman wrote:
> Hi all,
>
> kindly I need your support to make a transformation from iptables to
> Shorewall.
>
> Please find the iptables script attached.

We do not offer that kind of support.

--
Matt Darfeuille <ma...@sh...>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
From: Hosney B. O. <hos...@gm...> - 2024-02-24 13:44:13

Hi all,

Kindly, I need your support to make a transformation from iptables to Shorewall. Please find the iptables script attached.
From: <rc...@ed...> - 2024-02-15 20:40:06

Hi! With Shorewall 5.2.8? Thanks.

On 2024-02-14 11:28, Nigel Aves wrote:
> All I'm doing is saying how it works on my server.
>
> On Wed, Feb 14, 2024 at 7:05 AM Tuomo Soini <ti...@fo...> wrote:
>
>> On Wed, 14 Feb 2024 06:35:02 -0700
>> Nigel Aves <nig...@gm...> wrote:
>>
>>> I had a similar issue with Debian 12 ... Discovered this works in the
>>> snat file:
>>>
>>> MASQUERADE enp38s0 enp36s0
>>
>> This is not correct syntax. As the shorewall-snat man page says:
>>
>> #ACTION        SOURCE            DEST
>> MASQUERADE     192.168.0.0/24    eth0
>>
>> So source must be a network, not an interface.
>>
>> Also note /etc/shorewall/masq is deprecated.
>>
>> --
>> Tuomo Soini <ti...@fo...>
>> Foobar Linux services
>> +358 40 5240030
>> Foobar Oy <https://foobar.fi/>
>
> --
>
> Be Safe Out There.
> Nigel Aves
>
> p.s. We have many fine video podcasts on YouTube. These are all
> interview-based, and pretty well cover every subject.
>
> All our shows are here: Captn's Lounge Studios <https://tinyurl.com/2vurn3yw>
> Please Subscribe to CIT
>
> Come be interviewed: At The Captn's Lounge. <https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>
From: Nigel A. <nig...@gm...> - 2024-02-14 14:28:49

All I'm doing is saying how it works on my server.

On Wed, Feb 14, 2024 at 7:05 AM Tuomo Soini <ti...@fo...> wrote:
> On Wed, 14 Feb 2024 06:35:02 -0700
> Nigel Aves <nig...@gm...> wrote:
>
> > I had a similar issue with Debian 12 ... Discovered this works in the
> > snat file:
> >
> > MASQUERADE enp38s0 enp36s0
>
> This is not correct syntax. As the shorewall-snat man page says:
>
> #ACTION        SOURCE            DEST
> MASQUERADE     192.168.0.0/24    eth0
>
> So source must be a network, not an interface.
>
> Also note /etc/shorewall/masq is deprecated.
>
> --
> Tuomo Soini <ti...@fo...>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>

--
Be Safe Out There.
Nigel Aves

p.s. We have many fine video podcasts on YouTube. These are all interview-based, and pretty well cover every subject.

All our shows are here: Captn's Lounge Studios <https://tinyurl.com/2vurn3yw>
Please Subscribe to CIT

Come be interviewed: At The Captn's Lounge. <https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>
From: Tuomo S. <ti...@fo...> - 2024-02-14 14:04:55

On Wed, 14 Feb 2024 06:35:02 -0700
Nigel Aves <nig...@gm...> wrote:

> I had a similar issue with Debian 12 ... Discovered this works in the
> snat file:
>
> MASQUERADE enp38s0 enp36s0

This is not correct syntax. As the shorewall-snat man page says:

    #ACTION        SOURCE            DEST
    MASQUERADE     192.168.0.0/24    eth0

So source must be a network, not an interface.

Also note /etc/shorewall/masq is deprecated.

--
Tuomo Soini <ti...@fo...>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
From: Nigel A. <nig...@gm...> - 2024-02-14 13:35:26

I had a similar issue with Debian 12 ... Discovered this works in the snat file:

    MASQUERADE enp38s0 enp36s0

Might be worth a try.

Nigel.

On Wed, Feb 14, 2024 at 3:22 AM <rc...@ed...> wrote:
> Hi!
>
> It is a simple scenario with 2 NICs, WAN and LAN.
>
> LAN -> WAN with full access.
>
> The same config with Shorewall 5.1 doesn't work with 5.2.
>
> The snat file contains:
>
> MASQUERADE 192.168.1.0/24 enp32s0f0
>
> shorewall.conf: changed startup=YES
>
> Is there some command to try to debug why it works with 5.1 but the
> same config doesn't with 5.2?
>
> Thanks
>
> On 2024-02-13 18:49, Tuomo Soini wrote:
> > On Tue, 13 Feb 2024 21:15:52 +0000
> > Rodrigo Araujo <ara...@gm...> wrote:
> >
> >> It works fine here with rpms rebuilt from the Fedora src.rpm packages
> >> and iptables-legacy packages from EPEL.
> >>
> >> Ensure you remove (or at least disable and stop) firewalld, and also
> >> make sure the ipset package is installed. Other than that, I'm not
> >> remembering anything.
> >
> > It also works very well with iptables-nft (so without iptables-legacy).

--
Be Safe Out There.
Nigel Aves

p.s. We have many fine video podcasts on YouTube. These are all interview-based, and pretty well cover every subject.

All our shows are here: Captn's Lounge Studios <https://tinyurl.com/2vurn3yw>
Please Subscribe to CIT

Come be interviewed: At The Captn's Lounge. <https://youtu.be/paL0uRkZ69o?si=pUm3pWe8hAXScdC8>
From: Rodrigo A. <ara...@gm...> - 2024-02-14 11:34:53

Hi.

If you are migrating between versions, make a backup of the configuration and do a "shorewall upgrade" before starting Shorewall.

Ensure firewalld is stopped and disabled (this is important, or else the "pure" nftables rules it generates will take precedence).

Also make sure that the interface name is correct and that it didn't change in Rocky Linux 9.

And if you aren't enabling IP_FORWARDING by any other means, make sure it's IP_FORWARDING=Yes in shorewall.conf.

If it still doesn't work, please show a more complete configuration (omitting anything that could be private).

On 14/02/2024 10:21, rc...@ed... wrote:
> Hi!
>
> It is a simple scenario with 2 NICs, WAN and LAN.
>
> LAN -> WAN with full access.
>
> The same config with Shorewall 5.1 doesn't work with 5.2.
>
> The snat file contains:
>
> MASQUERADE 192.168.1.0/24 enp32s0f0
>
> shorewall.conf: changed startup=YES
>
> Is there some command to try to debug why it works with 5.1 but the
> same config doesn't with 5.2?
>
> Thanks
>
> On 2024-02-13 18:49, Tuomo Soini wrote:
>> On Tue, 13 Feb 2024 21:15:52 +0000
>> Rodrigo Araujo <ara...@gm...> wrote:
>>
>>> It works fine here with rpms rebuilt from the Fedora src.rpm packages
>>> and iptables-legacy packages from EPEL.
>>>
>>> Ensure you remove (or at least disable and stop) firewalld, and also
>>> make sure the ipset package is installed. Other than that, I'm not
>>> remembering anything.
>>
>> It also works very well with iptables-nft (so without iptables-legacy).
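Two of the checks raised in this thread, Tuomo's point above that the snat SOURCE column must be a network rather than an interface name and Rodrigo's reminder that shorewall.conf needs IP_FORWARDING=Yes, as an added preflight script. This is example code, not part of the Shorewall project; the interface list and file contents are constructed samples, and the hypothetical preflight() helper only reads text you pass in.

```python
"""Preflight checks for a Shorewall snat file and shorewall.conf.

Added example, not Shorewall project code. It flags the two mistakes
discussed in the thread: an interface name in the SOURCE column of the
snat file (SOURCE must be a network) and a shorewall.conf that does not
set IP_FORWARDING=Yes. All file contents below are constructed samples.
"""
import ipaddress
import re

# Constructed: interface names present on the host after the upgrade.
INTERFACES = {"lo", "enp32s0f0", "enp36s0"}

SNAT_OK = "MASQUERADE\t192.168.1.0/24\tenp32s0f0\n"
SNAT_BAD = "#ACTION SOURCE DEST\nMASQUERADE enp38s0 enp36s0\n"
CONF_OK = "STARTUP_ENABLED=Yes\nIP_FORWARDING=Yes\n"
CONF_BAD = "STARTUP_ENABLED=Yes\nIP_FORWARDING=Keep\n"


def _is_network(token):
    """True if token parses as an IPv4/IPv6 address or network."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def check_snat(text, interfaces):
    """Return problems found in snat file contents (empty list = clean).

    Only ACTION, SOURCE and DEST are examined. SOURCE may be '-' (any)
    or a comma-separated network list with '!' exclusions; DEST is an
    interface name, optionally followed by ':address'.
    """
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):   # blank, comment, ?directive
            continue
        cols = line.split()
        if len(cols) < 3:
            problems.append(f"line {lineno}: expected ACTION SOURCE DEST")
            continue
        action, source, dest = cols[:3]
        if not action.upper().startswith(("MASQUERADE", "SNAT")):
            continue
        if source != "-":
            for net in filter(None, re.split(r"[,!]", source)):
                if not _is_network(net):
                    problems.append(
                        f"line {lineno}: SOURCE {net!r} is not a network"
                        " (interface names belong in DEST)")
        if dest.split(":", 1)[0] not in interfaces:
            problems.append(
                f"line {lineno}: DEST interface {dest!r} not found")
    return problems


def check_ip_forwarding(conf_text):
    """True if shorewall.conf sets IP_FORWARDING=Yes (case-insensitive)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.upper().startswith("IP_FORWARDING="):
            value = line.split("=", 1)[1].strip().strip("\"'")
            return value.lower() == "yes"
    return False


def preflight(snat_text, conf_text, interfaces=INTERFACES):
    """Run both checks; returns the combined list of problems."""
    problems = check_snat(snat_text, interfaces)
    if not check_ip_forwarding(conf_text):
        problems.append("shorewall.conf: IP_FORWARDING is not Yes")
    return problems


if __name__ == "__main__":
    for label, snat, conf in (("good", SNAT_OK, CONF_OK),
                              ("bad", SNAT_BAD, CONF_BAD)):
        print(label, "->", preflight(snat, conf) or "OK")
```

On a real host, read the two files from /etc/shorewall and build the interface set from the names under /sys/class/net before calling preflight().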
From: <rc...@ed...> - 2024-02-14 10:21:57

Hi!

It is a simple scenario with 2 NICs, WAN and LAN.

LAN -> WAN with full access.

The same config with Shorewall 5.1 doesn't work with 5.2.

The snat file contains:

    MASQUERADE 192.168.1.0/24 enp32s0f0

shorewall.conf: changed startup=YES

Is there some command to try to debug why it works with 5.1 but the same config doesn't with 5.2?

Thanks

On 2024-02-13 18:49, Tuomo Soini wrote:
> On Tue, 13 Feb 2024 21:15:52 +0000
> Rodrigo Araujo <ara...@gm...> wrote:
>
>> It works fine here with rpms rebuilt from the Fedora src.rpm packages
>> and iptables-legacy packages from EPEL.
>>
>> Ensure you remove (or at least disable and stop) firewalld, and also
>> make sure the ipset package is installed. Other than that, I'm not
>> remembering anything.
>
> It also works very well with iptables-nft (so without iptables-legacy).
From: Tuomo S. <ti...@fo...> - 2024-02-13 22:07:38

On Tue, 13 Feb 2024 21:15:52 +0000
Rodrigo Araujo <ara...@gm...> wrote:

> It works fine here with rpms rebuilt from the Fedora src.rpm packages
> and iptables-legacy packages from EPEL.
>
> Ensure you remove (or at least disable and stop) firewalld, and also
> make sure the ipset package is installed. Other than that, I'm not
> remembering anything.

It also works very well with iptables-nft (so without iptables-legacy).

--
Tuomo Soini <ti...@fo...>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
From: Rodrigo A. <ara...@gm...> - 2024-02-13 21:16:14

It works fine here with rpms rebuilt from the Fedora src.rpm packages and iptables-legacy packages from EPEL.

Ensure you remove (or at least disable and stop) firewalld, and also make sure the ipset package is installed. Other than that, I'm not remembering anything.

On Tue, 13 Feb 2024, 20:33 Matt Darfeuille, <ma...@sh...> wrote:
> On 2/13/24 20:16, rc...@ed... wrote:
> >
> > Hi!
> >
> > With Rocky I tried Shorewall 5.2.8 and masq doesn't work, but with
> > CentOS 7 the same version doesn't work; only 5.1.10 works. Are there
> > some tips or different parameters?
> >
> > Thanks
> >
> > On 2024-02-13 10:34, rc...@ed... wrote:
> >
> >> Hi!
> >>
> >> Does somebody know why masquerade doesn't work with Rocky 9? I didn't
> >> find anything about that.
> >>
> >> Thanks
>
> What other info(s) can you provide?
>
> In other words, we have nothing to help you with.
>
> --
> Matt Darfeuille <ma...@sh...>
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
> SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
> Homepage: https://shorewall.org
From: Matt D. <ma...@sh...> - 2024-02-13 20:32:42

On 2/13/24 20:16, rc...@ed... wrote:
>
> Hi!
>
> With Rocky I tried Shorewall 5.2.8 and masq doesn't work, but with
> CentOS 7 the same version doesn't work; only 5.1.10 works. Are there
> some tips or different parameters?
>
> Thanks
>
> On 2024-02-13 10:34, rc...@ed... wrote:
>
>> Hi!
>>
>> Does somebody know why masquerade doesn't work with Rocky 9? I didn't
>> find anything about that.
>>
>> Thanks

What other info(s) can you provide?

In other words, we have nothing to help you with.

--
Matt Darfeuille <ma...@sh...>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
From: <rc...@ed...> - 2024-02-13 19:16:47

Hi!

With Rocky I tried Shorewall 5.2.8 and masq doesn't work, but with CentOS 7 the same version doesn't work; only 5.1.10 works. Are there some tips or different parameters?

Thanks

On 2024-02-13 10:34, rc...@ed... wrote:
> Hi!
>
> Does somebody know why masquerade doesn't work with Rocky 9? I didn't
> find anything about that.
>
> Thanks
From: <rc...@ed...> - 2024-02-13 13:51:40

Hi!

Does somebody know why masquerade doesn't work with Rocky 9? I didn't find anything about that.

Thanks
From: Simon M. <sim...@in...> - 2024-01-08 18:21:30

> Shorewall version 5.2.8 on RHEL 7 virtualized on oVirt hypervisors,
> routing and filtering traffic between 5 networks full of VMs via VLANs
> in oVirt.
> All virtual VM interfaces (including the Shorewall VM) are on 10 Gbps.
>
> Effective speed between VMs on the same network segment is the full 10 Gbps.
>
> Speed between different networks that go through Shorewall hardly ever
> reaches 1 Gbps.
> What can be done to achieve full throughput of traffic going through
> Shorewall?

We don't know what exactly you're doing with Shorewall here, but, if you run your tests after 'shorewall clear', do you then see your expected throughput?

Regards,
Simon
From: Ivica G. <ivi...@la...> - 2024-01-08 17:14:59

Shorewall version 5.2.8 on RHEL 7 virtualized on oVirt hypervisors, routing and filtering traffic between 5 networks full of VMs via VLANs in oVirt.

All virtual VM interfaces (including the Shorewall VM) are on 10 Gbps.

Effective speed between VMs on the same network segment is the full 10 Gbps.

Speed between different networks that go through Shorewall hardly ever reaches 1 Gbps.

What can be done to achieve full throughput of traffic going through Shorewall?

With regards,
Ivica
From: Hosney O. <hos...@gm...> - 2024-01-03 13:03:17

Do we have basic commands that should be applied to protect my network, as a recommendation?

On Tue, Jan 2, 2024 at 5:12 AM Nicola Ferrari (#554252) <nic...@po...> wrote:
> Hi guys and happy new year!
>
> Just in case someone will need this...
>
> To install Shorewall on MicroOS, since it's an immutable distro and you
> cannot modify the system root directly, you have to use the
> transactional-update command, which allows you to temporarily access a
> read-write shell on the system, install packages, and apply modifications.
>
> You'll have to:
>
> transactional-update pkg install shorewall
> transactional-update apply
>
> It automatically takes Shorewall from the zypper repos as a normal SUSE
> will do, installs it and creates a snapshot of the current state. By the
> "apply" command you ask the system to activate the new snapshot without
> having to reboot.
>
> Anyway, this install approach should be used only for a minimum set of
> system packages, since normal software is supposed to be installed using
> flatpak. But I thought Shorewall is one of these rare cases.
>
> HTH, happy new year!
> nik
From: Nicola F. (#554252) <nic...@po...> - 2024-01-02 13:11:02

Hi guys and happy new year!

Just in case someone will need this...

To install Shorewall on MicroOS, since it's an immutable distro and you cannot modify the system root directly, you have to use the transactional-update command, which allows you to temporarily access a read-write shell on the system, install packages, and apply modifications.

You'll have to:

    transactional-update pkg install shorewall
    transactional-update apply

It automatically takes Shorewall from the zypper repos as a normal SUSE will do, installs it and creates a snapshot of the current state. By the "apply" command you ask the system to activate the new snapshot without having to reboot.

Anyway, this install approach should be used only for a minimum set of system packages, since normal software is supposed to be installed using flatpak. But I thought Shorewall is one of these rare cases.

HTH, happy new year!
nik
From: Steve H. <he...@he...> - 2024-01-02 03:07:53

Hello:

I am a long time, very happy, Shorewall user. Many years ago I worked near Tom E. and we had lunch together a few times. Hello Tom.

I had a stable configuration with a DSL provider and a cable provider and it ran for years without problems, again thanks to a suggestion from Tom. Recently I added a fiber provider, but my system became unstable when I added it into the mix. And I haven't been able to duplicate my original DSL and cable configuration.

The problem I have is that I haven't found the right options in my providers and rtrules files, and I hope people on the list can help me out. My goal is to respond to any inbound traffic on the original provider link, that is, not having an asymmetric response.

I am running Shorewall 5.2.8 on a Gentoo system. I run my internet services on the firewall and have the rest of my machines on their own interface. One service is an NTP server in the ntppool.org system.

When I first start Shorewall, everything seems OK. I can see NTP packets come in on my public IP, on the dsl/eth0 line, and the return message immediately follows, for about 5 minutes; then the return packets start going out the faster fiber line, so obviously I don't have proper tracking.

I have attached my shorewall.conf file, a shorewall dump file, and a shorewall -T start log to this email. I do not have any mangle entries.

Here are condensed versions of all configuration files I have changed:

Any help is greatly appreciated.

Thank you,
Steve Herber.

zones
---------------------------------------------------------------------
    fw      firewall
    loc     ipv4
    dsl     ipv4
    fib     ipv4
    cbl     ipv4

interfaces
----------------------------------------------------------------
    dsl     eth0                        # I have a static public IP address on this interface
    loc     eth1
    cbl     eth2    dhcp,optional
    fib     eth3    dhcp,optional

snat
----------------------------------------------------------------------
    MASQUERADE  -   eth0
    MASQUERADE  -   eth2
    MASQUERADE  -   eth3

providers
-----------------------------------------------------------------
    #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY OPTIONS         COPY
    dsl     1       1       -           eth0        detect  track,primary   -
    cbl     2       2       -           eth2        detect  track,fallback  -
    fib     4       4       -           eth3        detect  track,fallback  -

rtrules
-------------------------------------------------------------------
    #SOURCE DEST    PROVIDER    PRIORITY    MASK
    eth1    -       fib         1500
    eth1    -       cbl         1000
    eth1    -       dsl         1600

policy
--------------------------------------------------------------------
    loc     dsl     ACCEPT
    loc     cbl     ACCEPT
    loc     fib     ACCEPT
    loc     fw      ACCEPT
    fw      dsl     ACCEPT
    fw      cbl     ACCEPT
    fw      fib     ACCEPT
    fw      loc     ACCEPT
    dsl     all     DROP    none
    cbl     all     DROP    info
    fib     all     DROP    none
    all     all     REJECT  none

rules
---------------------------------------------------------------------
    ?SECTION NEW
    DNAT            dsl     loc:192.168.168.10:980  tcp     6980
    ACCEPT          dsl     fw      tcp     6622    -   -   4/min:3
    ACCEPT          cbl     fw      tcp     6622    -   -   4/min:3
    ACCEPT          fib     fw      tcp     6622    -   -   4/min:3
    ACCEPT          dsl     fw      tcp     domain,rndc
    ACCEPT          dsl     fw      udp     domain,rndc
    ACCEPT          cbl     fw      tcp     domain,rndc
    ACCEPT          cbl     fw      udp     domain,rndc
    ACCEPT          fib     fw      tcp     domain,rndc
    ACCEPT          fib     fw      udp     domain,rndc
    ACCEPT          dsl     fw      tcp     auth,http,https,smtp,ntp
    ACCEPT          dsl     fw      udp     http,https,ntp
    ACCEPT          cbl     fw      tcp     http,https,ntp
    ACCEPT          cbl     fw      udp     http,https,ntp
    ACCEPT          fib     fw      tcp     http,https,ntp
    ACCEPT          fib     fw      udp     http,https,ntp
    DROP            fib     fw      tcp     netbios-ns
    DROP            fib     fw      udp     netbios-ns
    DROP            fib     fw      tcp     mdns
    DROP            fib     fw      udp     mdns
    ACCEPT          dsl     fw      udp     51820
    ACCEPT          cbl     fw      udp     51820
    ACCEPT          fib     fw      udp     51820
    Ping(ACCEPT)    dsl     fw
    Ping(ACCEPT)    cbl     fw
    Ping(ACCEPT)    fib     fw
    Trcrt(ACCEPT)   dsl     fw
    Trcrt(ACCEPT)   cbl     fw
    Trcrt(ACCEPT)   fib     fw

Steve Herber   he...@he...   cell: 425-281-0355
Software Engineer, UW Medicine, IT Services
From: Phil S. <ph...@ca...> - 2023-11-10 21:00:30

On 11/10/23 15:42, John Covici wrote:
> -----Original Message-----
> From: Phil Stracchino <ph...@ca...>
> Sent: Friday, November 10, 2023 1:41 PM
> To: sho...@li...
> Subject: Re: [Shorewall-users] unrecognized item on my internal nic, how to prevent phoning home
>
> On 11/10/23 11:28, John Covici wrote:
>> Hi. I have a Linux server using iptables 1.8 and Shorewall version
>> 5.2.8. I have two NICs in the box, one for the outside world and an
>> internal NIC for various computers. I have two items in there which I
>> cannot identify, even using nmap, and I would like to prevent them
>> from accessing the outside. Any way to do this with Shorewall?
>
> Something along the lines of:
>
> REJECT LOCALZONE:1.2.3.4 WANZONE
>
> should do it.
>
> Thanks much for your quick response. Where should I put this statement, in the rules?

Correct. Obviously the above needs to be adjusted to match your zones and the IPs in question.

--
Phil Stracchino
Babylon Communications
ph...@ca...
ph...@co...
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
From: John C. <co...@cc...> - 2023-11-10 20:50:32

-----Original Message-----
From: Phil Stracchino <ph...@ca...>
Sent: Friday, November 10, 2023 1:41 PM
To: sho...@li...
Subject: Re: [Shorewall-users] unrecognized item on my internal nic, how to prevent phoning home

On 11/10/23 11:28, John Covici wrote:
> Hi. I have a Linux server using iptables 1.8 and Shorewall version
> 5.2.8. I have two NICs in the box, one for the outside world and an
> internal NIC for various computers. I have two items in there which I
> cannot identify, even using nmap, and I would like to prevent them
> from accessing the outside. Any way to do this with Shorewall?

Something along the lines of:

    REJECT LOCALZONE:1.2.3.4 WANZONE

should do it.

Thanks much for your quick response. Where should I put this statement, in the rules?
From: Phil S. <ph...@ca...> - 2023-11-10 18:40:48

On 11/10/23 11:28, John Covici wrote:
> Hi. I have a Linux server using iptables 1.8 and Shorewall version
> 5.2.8. I have two NICs in the box, one for the outside world and an
> internal NIC for various computers. I have two items in there which I
> cannot identify, even using nmap, and I would like to prevent them
> from accessing the outside. Any way to do this with Shorewall?

Something along the lines of:

    REJECT LOCALZONE:1.2.3.4 WANZONE

should do it.

--
Phil Stracchino
Babylon Communications
ph...@ca...
ph...@co...
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
From: John C. <co...@cc...> - 2023-11-10 16:28:25

Hi. I have a Linux server using iptables 1.8 and Shorewall version 5.2.8. I have two NICs in the box, one for the outside world and an internal NIC for various computers. I have two items in there which I cannot identify, even using nmap, and I would like to prevent them from accessing the outside. Any way to do this with Shorewall?

Let me know if you need any more information.

Thanks in advance for any suggestions.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
co...@cc...
From: Christophe P. <ch...@no...> - 2023-10-31 01:51:16

On Fri, 27 Oct 2023 03:14:21 -0000 (UTC), Christophe PEREZ wrote:
> Not better:

In your opinion, do I risk side effects (legitimate connections lost) if I put

    NotSyn(DROP)    all     all     tcp

in rules?
From: Christophe P. <ch...@no...> - 2023-10-28 21:41:28

On Fri, 27 Oct 2023 03:14:21 -0000 (UTC), Christophe PEREZ wrote:
>> Do I need to add ":$LOG_LEVEL" as:
>> REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),dropInvalid:$LOG_LEVEL"
>> ?
>
> Not better:

No news?