From: Barry, C. <cb...@in...> - 2003-02-04 21:41:43

Maybe LEAF can stay on the 1.x.x series. It works great, and it's less filling!

--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com
office: 610.233.4747
direct: 610.233.4870
cell: 267.879.8321

-----Original Message-----
From: Tom Eastep [mailto:te...@sh...]
Sent: Tuesday, February 04, 2003 4:35 PM
To: Shorewall Users
Subject: RE: [Shorewall-users] About Shorewall 1.3.14

--On Tuesday, February 04, 2003 4:08 PM -0500 "Barry, Christopher" <cb...@in...> wrote:

>> Additionally, I think I've taken the shell-based Shorewall idea about as
>> far as I want to so Shorewall 2 will be written in another language
>> (probably another interpretive one though). I'll make another attempt at
>> getting myself excited about writing a GUI...
>
> Python is *very* cool. I'm working on a Python based logger for Shorewall
> now. I want to push all Shorewall traffic into a MySQL database, and then
> allow graphing and other querying/alerting/etc. capabilities from there.

Python is a leading candidate -- unfortunately, it isn't very attractive to the LEAF folks.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...

_______________________________________________
Shorewall-users mailing list
Sho...@li...
http://lists.shorewall.net/mailman/listinfo/shorewall-users
From: Tom E. <te...@sh...> - 2003-02-04 21:37:21

--On Tuesday, February 04, 2003 4:08 PM -0500 "Barry, Christopher" <cb...@in...> wrote:

>> Additionally, I think I've taken the shell-based Shorewall idea about as
>> far as I want to so Shorewall 2 will be written in another language
>> (probably another interpretive one though). I'll make another attempt at
>> getting myself excited about writing a GUI...
>
> Python is *very* cool. I'm working on a Python based logger for Shorewall
> now. I want to push all Shorewall traffic into a MySQL database, and then
> allow graphing and other querying/alerting/etc. capabilities from there.

Python is a leading candidate -- unfortunately, it isn't very attractive to the LEAF folks.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: Mike N. <mh...@us...> - 2003-02-04 21:32:23

On Tue, 2003-02-04 at 13:08, Barry, Christopher wrote:
> >Additionally, I think I've taken the shell-based Shorewall idea about as
> >far as I want to so Shorewall 2 will be written in another language
> >(probably another interpretive one though). I'll make another attempt at
> >getting myself excited about writing a GUI...
>
> Python is *very* cool. I'm working on a Python based logger for Shorewall
> now. I want to push all Shorewall traffic into a MySQL database, and then
> allow graphing and other querying/alerting/etc. capabilities from there.

Barry,
Agreed. Python is nice, but it's not small. What about using a language designed for embedded applications, like Lua or eforth/gforth? There is even a Lua package for LEAF releases/branches.

http://www.lua.org/
http://directory.google.com/Top/Computers/Programming/Languages/Lua/

Here is a short rundown of available languages.
http://www.mail-archive.com/lea...@li.../msg04263.html

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
From: Barry, C. <cb...@in...> - 2003-02-04 21:08:33

>Additionally, I think I've taken the shell-based Shorewall idea about as
>far as I want to so Shorewall 2 will be written in another language
>(probably another interpretive one though). I'll make another attempt at
>getting myself excited about writing a GUI...

Python is *very* cool. I'm working on a Python based logger for Shorewall now. I want to push all Shorewall traffic into a MySQL database, and then allow graphing and other querying/alerting/etc. capabilities from there.

Regards,
--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com
From: Jim H. <ji...@dy...> - 2003-02-04 20:57:29

On the subject of a "wish list" for 2.0, I'd love to see the dynamic firewalling capabilities extended. Maybe integrate something like swatch to watch logfiles for patterns and modify the firewall accordingly. OR just maybe have a plugin type architecture where things like the gui, logwatcher, and such can be added on or left out (and developed) according to your needs.

Just my $0.02

Sincerely,
Jim Hubbard

   .--.
  |o_o |
  |:_/ |
 //   \ \
(|     | )
/'\_   _/`\
\___)=(___/

Rockingham County Linux Users Group
www.rock.lug.net
____________________________________

> -----Original Message-----
> From: sho...@li... [mailto:sho...@li...]On Behalf Of Shaun Marolf
> Sent: Tuesday, February 04, 2003 3:07 PM
> To: sho...@li...
> Subject: Re: [Shorewall-users] About Shorewall 1.3.14
>
> I would love to see a GUI that's solid and intuitive as well. Just out of
> curiosity what new features can we expect in version 2?
From: Shaun M. <sha...@ho...> - 2003-02-04 20:07:14

I would love to see a GUI that's solid and intuitive as well. Just out of curiosity what new features can we expect in version 2?
From: Tom E. <te...@sh...> - 2003-02-04 19:41:47

--On Tuesday, February 04, 2003 8:38 PM +0100 Henrik Flindt Hansen <hf...@li...> wrote:

> Hi !
>
> I have setup a complete shorewall now with DMZ, and Private zones and
> masq, rules, port-forwarding etc. worx like expected.
> BUT
>
> I have a wish to use a couple of more public IP's and relate those to
> internal servers on the DMZ zone and i am now so confused about it. I have
> searched this archive for SNAT port allow
>
> Setup:
>
> 3 public addresses on the WAN nic. lets call them 80.80.80.80 - 80.80.80.81
> - 80.80.80.82
> .80 is the default address now, used for masq etc.
>
> Lets assume i setup SNAT on .81 and .82 and relate them to 192.168.0.81 and
> 192.168.0.82 respectively in the DMZ zone
>
> Now to my questions:
>
> 1: Will all traffic get forwarded (SNAT'ed) without restrictions from .81
> and .82 towards 192.168.0.81 and 192.168.0.82 ?
> 2: If not (i hope not :) how does a proper rule for allowing tcp port 80
> to be forwarded (SNAT'ed) from the 80.80.80.81 SNAT to the DMZ ditto
> 192.168.0.81
>
> I really hope someone can show me the logic in this exact matter :)

You want DNAT not SNAT!!! This is simple port forwarding which is FAQ #1 (http://www.shorewall.net/FAQ.htm#faq1).

Alternatively, you can use static NAT or Proxy ARP. These are introduced in http://www.shorewall.net/shorewall_setup_guide.htm -- given your confusion about SNAT/DNAT, I suggest that you read that guide in its entirety.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
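Tom's answer in concrete form, as an added example that is not part of the thread and is not Shorewall's own sample configuration. It uses the addresses from Henrik's question and assumes the Shorewall 1.3 column layout of `/etc/shorewall/rules` and `/etc/shorewall/nat`, a DMZ zone named `dmz`, and `eth0` as the external interface. The first variant answers question 1 with "no": DNAT forwards only what a rule names. The second variant (static NAT) maps the whole address, so it still needs ordinary ACCEPT rules or the net->dmz policy decides.

```text
#
# Variant 1: port forwarding with DNAT, /etc/shorewall/rules (1.3 layout).
# Only TCP/80 arriving at the public address 80.80.80.81 is rewritten to
# 192.168.0.81; any other port on .81 falls through to the net->dmz policy.
#
#ACTION  SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL
#                                          PORT(S)  PORT(S)  DEST
DNAT     net     dmz:192.168.0.81   tcp    80       -        80.80.80.81
DNAT     net     dmz:192.168.0.82   tcp    80       -        80.80.80.82

#
# Variant 2: static (one-to-one) NAT, /etc/shorewall/nat.
# Both directions are mapped: inbound to .81 goes to 192.168.0.81 and
# connections that 192.168.0.81 itself opens leave as 80.80.80.81 rather
# than as the masq address .80.
#
#EXTERNAL     INTERFACE  INTERNAL       ALL INTERFACES  LOCAL
80.80.80.81   eth0       192.168.0.81   No              No
80.80.80.82   eth0       192.168.0.82   No              No

# Rules that go with the nat file above. Note that DEST names the internal
# address, not the public one; without these lines nothing is reachable.
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
ACCEPT   net     dmz:192.168.0.81   tcp    80
ACCEPT   net     dmz:192.168.0.82   tcp    80
```

The practical difference for a DMZ host: with DNAT alone, replies to forwarded connections carry the public address the client used, but connections the server opens on its own are still masqueraded as .80. If the server must be seen as .81 in both directions, use the nat file (or Proxy ARP, as Tom mentions), and keep the rules tight either way.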
From: Henrik F. H. <hf...@li...> - 2003-02-04 19:38:15

Hi !

I have setup a complete shorewall now with DMZ, and Private zones and masq, rules, port-forwarding etc. worx like expected.
BUT

I have a wish to use a couple of more public IP's and relate those to internal servers on the DMZ zone and i am now so confused about it. I have searched this archive for SNAT port allow

Setup:

3 public addresses on the WAN nic. lets call them 80.80.80.80 - 80.80.80.81 - 80.80.80.82
.80 is the default address now, used for masq etc.

Lets assume i setup SNAT on .81 and .82 and relate them to 192.168.0.81 and 192.168.0.82 respectively in the DMZ zone

Now to my questions:

1: Will all traffic get forwarded (SNAT'ed) without restrictions from .81 and .82 towards 192.168.0.81 and 192.168.0.82 ?
2: If not (i hope not :) how does a proper rule for allowing tcp port 80 to be forwarded (SNAT'ed) from the 80.80.80.81 SNAT to the DMZ ditto 192.168.0.81

I really hope someone can show me the logic in this exact matter :)

Best regards
Henrik Flindt Hansen
www.linuxplanet.dk
From: Tom E. <te...@sh...> - 2003-02-04 19:21:39

--On Tuesday, February 04, 2003 5:11 PM -0200 Gilson Soares <g.s...@da...> wrote:

> At 2/4/2003 04:17 PM, Tom Eastep wrote:
>> I will continue to support Shorewall 1.3 but will be making no more
>> enhancements to it. I will be devoting my time to Shorewall 2.
>
> Do you already have a 'wish list' for Shorewall 2.x ?

There are several things that WON'T be in 2.0:

a) Old Ping Handling. There won't be any 'noping' or 'forwardping' interface options and there won't be a FORWARDPING option in shorewall.conf.

b) 'routestopped' interface and hosts option. Use the routestopped file instead.

c) MERGE_HOSTS. The only behavior available will be what MERGE_HOSTS=Yes provides in 1.3.

Additionally, I think I've taken the shell-based Shorewall idea about as far as I want to so Shorewall 2 will be written in another language (probably another interpretive one though). I'll make another attempt at getting myself excited about writing a GUI...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: Gilson S. <g.s...@da...> - 2003-02-04 19:11:32

At 2/4/2003 04:17 PM, Tom Eastep wrote:
>I will continue to support Shorewall 1.3 but will be making no more
>enhancements to it. I will be devoting my time to Shorewall 2.

Do you already have a 'wish list' for Shorewall 2.x ?

-Gilson
From: <itd...@co...> - 2003-02-04 19:00:00

Duh. That fixed it. Thanks Tom.

> From: Tom Eastep <te...@sh...>
> Date: 2003/02/04 Tue PM 01:49:41 EST
> To: Sho...@li...
> Subject: Re: [Shorewall-users] shorewall on the local network
>
> --On Tuesday, February 04, 2003 1:34 PM -0500 itd...@co... wrote:
>
> > The rules are there but it's not working the way I anticipated. Where did
> > I screw up?
>
> I suspect that you have 'net' before 'loc' in /etc/shorewall/zones. Since
> 'loc' is nested within 'net', the order of the zone definitions is
> significant.
>
> -Tom
From: Tom E. <te...@sh...> - 2003-02-04 18:51:44

--On Tuesday, February 04, 2003 1:34 PM -0500 itd...@co... wrote:

> The rules are there but it's not working the way I anticipated. Where did
> I screw up?

I suspect that you have 'net' before 'loc' in /etc/shorewall/zones. Since 'loc' is nested within 'net', the order of the zone definitions is significant.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: kb <kb...@bl...> - 2003-02-04 18:44:22

cheers();

> I want to thank Karsten,

I'm glad I could help.

> He was right that the ACCEPT policy needed to be placed before DROP and
> REJECT. Once I did that The Local Host got Internet access. I had previously
> uncommented the line in the default policy file supplied by Mandrake. I
> moved it up on the list and all started working as desired. Hopefully
> Mandrake release 9.1 will fix this problem.

I am not a heavily skilled network hacker, but I know the traps. ;)

Mandrake: I hope so, too -- but it is really a good idea to upgrade shorewall and do it from scratch instead of using the pre-configured firewall...

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
From: <itd...@co...> - 2003-02-04 18:34:29

Hi,

I have a system on my local network. I want to run shorewall on it because I'm paranoid :-) I've used shorewall (and previously seawall) for many years so I dove right in and set up what I thought would work. I keep getting rejected packets even though I have the rules in place.

Here's my setup: (shorewall 1.3.13 + errata)

policy: (one line - paranoid)
all all REJECT info

interfaces:
- eth0 10.0.0.255 routestopped,dhcp,tcpflags,blacklist

hosts:
loc eth0:10.0.0.0/16
net eth0:0.0.0.0/0

zones:
net Internet Internet
loc Local Local networks

and finally rules:
ACCEPT fw loc:10.0.0.5 tcp 53
ACCEPT fw loc:10.0.0.5 udp 53
ACCEPT loc fw tcp 22

All other files are default.

I see this from shorewall show log when testing nslookup:

all2all:REJECT:IN= OUT=eth0 SRC=10.0.0.3 DST=10.0.0.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=52283 DF PROTO=UDP SPT=32770 DPT=53 LEN=56

and this when trying to ssh in from my workstation:

all2all:REJECT:IN=eth0 OUT= SRC=10.0.0.111 DST=10.0.0.3 LEN=48 TOS=0x10 PREC=0x00 TTL=128 ID=25350 DF PROTO=TCP SPT=4193 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0

The rules are there but it's not working the way I anticipated. Where did I screw up?

Thanks.
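The fix Tom identifies for this configuration, written out as an added example; it is not from the thread or from the Shorewall project. It restates the poster's files with only the zone order changed and assumes the Shorewall 1.3 file layouts. Both log lines above are tagged `all2all`, which is the policy chain, not `loc2fw`/`fw2loc`: the packets were being classified as `net`, so the `loc` rules never matched.

```text
# /etc/shorewall/zones -- on an interface shared by several zones, a host is
# matched against zones in the order listed here. loc (10.0.0.0/16) is a
# subset of net (0.0.0.0/0), so loc must come first; with net first every
# local address is 'net' and the loc rules are dead code.
#ZONE   DISPLAY   COMMENTS
loc     Local     Local networks
net     Internet  Internet

# /etc/shorewall/hosts -- unchanged; both zones live on eth0.
#ZONE   HOST(S)            OPTIONS
loc     eth0:10.0.0.0/16
net     eth0:0.0.0.0/0

# /etc/shorewall/interfaces -- unchanged; '-' means the zone comes from hosts.
#ZONE   INTERFACE  BROADCAST   OPTIONS
-       eth0       10.0.0.255  routestopped,dhcp,tcpflags,blacklist

# /etc/shorewall/rules -- unchanged; with the zone order fixed these match.
#ACTION  SOURCE  DEST            PROTO  DEST PORT(S)
ACCEPT   fw      loc:10.0.0.5    tcp    53
ACCEPT   fw      loc:10.0.0.5    udp    53
ACCEPT   loc     fw              tcp    22

# /etc/shorewall/policy -- unchanged; still the single paranoid line, so
# anything not matched by a rule above is rejected and logged.
#SOURCE  DEST  POLICY  LOG LEVEL
all      all   REJECT  info
```

After `shorewall restart`, a repeat of the nslookup and the ssh attempt should no longer produce `all2all:REJECT` entries for 10.0.0.x sources and destinations; anything that still appears in the log is then genuinely outside the three rules.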
From: Tom E. <te...@sh...> - 2003-02-04 18:19:22

It is my plan that the upcoming release of Shorewall (1.3.14) will definitely be the last of the 1.3.x releases and will very probably be the last release of Shorewall 1.x.x.

I will continue to support Shorewall 1.3 but will be making no more enhancements to it. I will be devoting my time to Shorewall 2.

If anyone is interested in taking over the development of Shorewall 1, please let me know.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: Tom E. <te...@sh...> - 2003-02-04 17:03:26

Release Candidate 1 is available for testing at:

http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta

In addition to the Beta 2 content, RC1 contains my variation on Simon Matter's OpenVPN support patch.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: Shaun M. <sha...@ho...> - 2003-02-04 13:44:21

I want to thank Karsten,

He was right that the ACCEPT policy needed to be placed before DROP and REJECT. Once I did that the Local Host got Internet access. I had previously uncommented the line in the default policy file supplied by Mandrake. I moved it up on the list and all started working as desired. Hopefully Mandrake release 9.1 will fix this problem.

--Shaun
From: Felix O. <fe...@fi...> - 2003-02-04 13:24:33

Put this in your shorewall policy file:

$FW net ACCEPT

felix

----- Original Message -----
From: "Shaun Marolf" <sha...@ho...>
To: <Sho...@li...>
Sent: Sunday, February 02, 2003 7:12 PM
Subject: [Shorewall-users] Local Host Internet Access

Okay I have configured Shorewall and have access to Webmin, VNC, Samba and SSH on my Linux system from my Windows systems (all on the local net only). So I have that all going and my clients all have Internet access so all but one problem is solved.

I want the local host (My Linux server) to access the Internet as well so I can setup cron jobs to access the Internet to do various jobs. Currently I have to use shorewall clear for the local host to gain access and that requires manual intervention. Not an ideal solution for my needs.

Any help would be appreciated.

--Shaun
From: Tom E. <te...@sh...> - 2003-02-04 01:38:59

--On Monday, February 03, 2003 4:31 PM -0800 Mike Noyes <mh...@us...> wrote:

> Tom,
> Was there a problem with mail.shorewall.net? I just received list
> traffic that showed a significant delay in the Received headers.
>
> Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by
>   lists.shorewall.net (Postfix) with ESMTP id 7D1881C032 for
>   <Sho...@li...>; Mon, 3 Feb 2003 15:42:27 -0800 (PST)
> Received: from hotmail.com (oe67.law9.hotmail.com [64.4.8.202]) by
>   lists.shorewall.net (Postfix) with ESMTP id 9C2DE1B911 for
>   <Sho...@li...>; Sun, 2 Feb 2003 17:40:32 -0800 (PST)
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>   Sun, 2 Feb 2003 10:12:05 -0800
> Message-Id: <3E3D5F70.000005.01260@control>

Yes -- while I was away this weekend, VaMailArmor decided to become confused about how many processes it had running.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
From: kb <kb...@bl...> - 2003-02-04 00:17:35

cheers();

> I want the local host (My Linux server) to access the Internet as well so I
> can setup cron jobs to access the Internet to do various jobs. Currently I
> have to use shorewall clear for the local host to gain access and that
> requires manual intervention. Not an ideal solution for my needs.

/etc/shorewall/policy :

fw net ACCEPT

% shorewall restart

Tom provides really good documentation. Check the QuickStart Guide on shorewall.net -- as you may have some other flaws without reading that.

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
From: Mike N. <mh...@us...> - 2003-02-03 23:53:17

Enzo,
I'm no VPN expert, but I can tell from this post that you've failed to supply us with enough information to assist you properly. Please read the Shorewall Support page for the minimum information we'll need to troubleshoot your problem.

Support -- Before Reporting a Problem
http://www.shorewall.net/support.htm

In addition you may find these pages useful.

VPN
http://www.shorewall.net/VPN.htm

Shorewall IPSec Tunneling
http://www.shorewall.net/IPSEC.htm

Linux FreeS/WAN Troubleshooting Guide (for 1.99)
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/trouble.html

On Sat, 2003-02-01 at 15:57, enzo bontempo wrote:
> Hi all.
> Here is my scenario to configure a subnet-subnet vpn with SuperFreeswan-1.99
> (Nat Traversal patch):
>
>   left subnet 192.168.2.0/24
>             |
>             |
>   ----------|--192.168.2.1------
>   | shorewall linux gw/freeswan |
>   |       with masquerade       |
>   ----------|---10.0.0.2--------
>             |
>             | 10.0.0.1
>   ----------------------------
>   |      ADSL NAT Router     |
>   ----------------------------
>             |
>          a.b.c.d
>             |
>             |
>        ~ INTERNET ~
>             |
>             |
>          k.x.y.z
>             |
>   ----------------------------
>   |      ADSL NAT Router     |
>   ----------------------------
>             | 10.10.10.1
>             |
>   ----------|--10.10.10.2-------
>   | shorewall linux gw/freeswan |
>   |       with masquerade       |
>   ----------|--192.168.3.1------
>             |
>   right subnet 192.168.3.0/24
>
> I'm using the Nat traversal patch of freeswan because the routers do not
> allow the ipsec protocol.
> The tunnel goes up but 'ipsec verify' shows:
> ..........
> Does the machine have at least one non-private address      [OK]
> Two or more interfaces found, checking IP forwarding        [OK]
> Checking NAT and MASQUERADING
>   tun...@xx...                                          [FAILED]
>   eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.1.0/24 ->
>   192.168.0.0/24
>
> and i am not able to ping any host from the left subnet to the right and
> viceversa.
>
> With 'tcpdump -i ipsec0' i see the packets (echo request, netbios-ns and
> others..) on both gw
>
> Please, help me to make my vpn.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
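The `ipsec verify` complaint quoted above ("eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel") is a FreeS/WAN check for a masquerade rule that rewrites the source address of packets before they can match the tunnel's subnets. The fragment below shows the usual remedy, an added example that is not from the thread and not from Shorewall itself: exclude the far subnet from masquerading on each gateway. It assumes the subnets drawn in the diagram (192.168.2.0/24 and 192.168.3.0/24; the `ipsec verify` output names different ones, which the poster would need to reconcile), `eth0` as each gateway's external interface, and that the `:!` exclusion syntax in the INTERFACE column of `/etc/shorewall/masq` is available in the poster's Shorewall 1.3 release. It addresses only this one check; Mike's point that the post lacks the information needed to diagnose the rest stands.

```text
# /etc/shorewall/masq on the LEFT gateway (192.168.2.0/24 behind it,
# external address 10.0.0.2 on eth0).
# Without the exclusion, 192.168.2.x -> 192.168.3.x packets are SNATed to
# 10.0.0.2 on the way out, no longer match the tunnel's leftsubnet/rightsubnet
# pair, and are sent in the clear (and dropped by the far side).
#INTERFACE              SUBNET           ADDRESS
eth0:!192.168.3.0/24    192.168.2.0/24

# Mirror image on the RIGHT gateway (192.168.3.0/24 behind it,
# external address 10.10.10.2 on eth0):
#INTERFACE              SUBNET           ADDRESS
#eth0:!192.168.2.0/24   192.168.3.0/24

# Check after 'shorewall restart': 'ipsec verify' should no longer report
# eth0_masq as killing the tunnel. Note for the NAT-traversal case: the
# patched FreeS/WAN also carries ESP inside UDP/4500, so confirm that the
# tunnel entry used (see IPSEC.htm for the version in use) opens that port
# between the two gateways and not only UDP/500 and protocols 50/51.
```

The masquerade exclusion belongs on both ends: each gateway only rewrites packets leaving it, so a correct left side still breaks the return path if the right side keeps masquerading everything.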
From: Tom E. <te...@sh...> - 2003-02-03 23:51:37

--On Sunday, February 02, 2003 12:12 PM -0600 Shaun Marolf <sha...@ho...> wrote:

> Okay I have configured Shorewall and have access to Webmin, VNC, Samba and
> SSH on my Linux system from my Windows systems (all on the local net
> only). So I have that all going and my clients all have Internet access so
> all but one problem is solved.
>
> I want the local host (My Linux server) to access the Internet as well so
> I can setup cron jobs to access the Internet to do various jobs.
> Currently I have to use shorewall clear for the local host to gain access
> and that requires manual intervention. Not an ideal solution for my needs.
>
> Any help would be appreciated.

Did you follow the instructions at http://www.shorewall.net/two-interface.htm? If not, why not??? If so, what is it about this statement that needs clarification?

"In the two-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the internet, uncomment that line."

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
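What Felix, karsten and the two-interface sample are all pointing at, written out as an added example that is not from the thread and is not Shorewall's own sample file. It assumes the Shorewall 1.3 policy file layout and the zone names `fw`, `net` and `loc` from the two-interface setup (`$FW` in Felix's reply expands to the same firewall zone name). The order matters because Shaun's own report shows it: the same ACCEPT line did nothing until it was moved above the catch-all policies.

```text
# /etc/shorewall/policy -- scanned top to bottom; the first line whose
# SOURCE/DEST pair matches a zone pair decides that pair's policy.
# A specific fw->net ACCEPT placed BELOW 'all all REJECT' is never reached,
# which is why cron jobs on the firewall itself were still being rejected.
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
#
# The line the two-interface sample ships commented out. Uncommenting it
# here, above the catch-alls, is the whole fix. It is deliberately the
# firewall->net direction only; net->fw stays governed by the DROP below.
fw        net    ACCEPT
#
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
```

After `shorewall restart`, `shorewall show log` should stop showing `all2all:REJECT` entries with `OUT=eth0` and the firewall's own address as SRC; if the host also needs DNS lookups to resolve, the same ACCEPT already covers them, since a policy covers every port for the zone pair. Keeping `net all DROP` above the final REJECT, rather than loosening it, is what stops the convenience of the fw->net line from turning into inbound exposure.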
From: Barry, C. <cb...@in...> - 2003-02-03 23:51:15

Dan,

I want the SBC, but inadvertently deleted the email with your address - please resend.

--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com
office: 610.233.4747
direct: 610.233.4870
cell: 267.879.8321
From: Mauro G. T. <m.t...@it...> - 2003-02-03 23:49:20

On 3 Feb 2003 at 6:50, sho...@li...orewa wrote:

> Hi,
> this is my first message to the list and I want to thank the author for developing
> Shorewall.

Ok, this is my first message but I should have waited to send it :))).

I found the problem (a stupid error I've made configuring my machine), and it didn't depend on Shorewall. Ignore my first message, sorry.

Bye
--
Mauro G. Todeschini
e-mail: m.t...@it...
From: Mauro G. T. <m.t...@it...> - 2003-02-03 23:48:52

Hi,
this is my first message to the list and I want to thank the author for developing Shorewall.

And now the problem. I'm using version 1.3.13 and I have eth0 (IP a.b.c.d/24) as a public interface. I have an alias on eth0:0 (address a.b.c.e/24) and my dns service listens on this IP (at the moment the dns is stopped).

This is my policy file:

#SOURCE...
fw all ACCEPT
all all DROP
#LAST....

This is my rules file:

#ACTION...
ACCEPT net fw:155.253.4.253 tcp 53
ACCEPT net fw:155.253.4.253 udp 53
ACCEPT net fw:155.253.4.254 tcp 22
ACCEPT net fw:155.253.4.254 tcp 53
ACCEPT net fw:155.253.4.254 udp 53
#LAST...

But if I scan with nmap (from another machine) this is the result:

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on (155.253.4.253):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.942 days (since Wed Jan 29 07:36:00 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on mi-gw.itia.cnr.it (155.253.4.254):
(The 1597 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
113/tcp    closed      auth
135/tcp    closed      loc-srv
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.841 days (since Wed Jan 29 09:59:03 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 263 seconds

It is strange. It seems that eth0:0 is not filtered but eth0 is correctly filtered. Probably I've done something wrong. I want eth0:0 to be filtered like eth0 and to be able to selectively accept connections through the rules file. Is it possible? Any hint?

Here is the output of the command you suggest...

Linux mi-gw 2.4.19 #3 Thu Jan 23 15:38:17 CET 2003 i686 unknown

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:f5:8a:61 brd ff:ff:ff:ff:ff:ff
    inet 155.253.4.254/24 brd 155.253.4.255 scope global eth0
    inet 155.253.4.253/24 brd 155.253.4.255 scope global secondary eth0:0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

155.253.4.0/24 dev eth0 proto kernel scope link src 155.253.4.254
10.2.0.0/16 dev eth1 proto kernel scope link src 10.2.1.254
default via 155.253.4.1 dev eth0 metric 1

Bye
--
Mauro G. Todeschini
e-mail: m.t...@it...