http://permalink.gmane.org/gmane.comp.security.shorewall hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.security.shorewall/21065 It should be noted that this file is placed in /etc/shorewall/ and that TC_ENABLED=Yes must be specified in shorewall.conf. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-12-03T22:31:00 http://permalink.gmane.org/gmane.comp.security.shorewall/21064 Yes, but I personally haven't had the time to sit down and collate the information you're asking for. I run a setup at work where we shape inbound and outbound traffic with multiple bandwidth allocations (for customers) and 4 priorities of traffic within each allocation. I've copied the same setup at home (though obviously without the multiple bandwidth allocations). This is my home setup "tcstart" file. run_tc is a Shorewall provided wrapper that calls tc and checks the exit status so Shorewall can abort if a tc command fails. Note that rules are "last match applies" rather than "first match applies" so generally need to be listed in increasing order of detail if multiple rules can match a stream. Oh yes, and there is some cruft that still needs cleaning up, sorry. # clean existing down- and uplink qdiscs, hide errors tc qdisc del dev eth0 root 2> /dev/null > /dev/null tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null tc qdisc del dev ethext root 2> /dev/null > /dev/null tc qdisc del dev eth Simon Hobson 2008-12-03T08:14:45 http://permalink.gmane.org/gmane.comp.security.shorewall/21063 Hi no answer ? he don't have a personn that use TC in shorewall on this mailing list ? ;=) Phibee Network Operation Center a écrit : ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Phibee Network Operation Center 2008-12-03T06:01:02 http://permalink.gmane.org/gmane.comp.security.shorewall/21062 You almost certainly need to update your iptables. You will know that your iptables is correct when you can enter this command: iptables -m conntrack -h and you don't get an error. Don't know about your kernel -- the config info you posted didn't include anything about your netfilter configuration and I haven't built a 2.4 kernel in years. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-12-02T23:35:18 http://permalink.gmane.org/gmane.comp.security.shorewall/21061 Hay Tom. Long time no talk... finally like 5 years later I am starting the process of upgrading some of my network appliances. I am moving from Shorewall 1.4 to 4.0 mainly for the multi isp support. In my testing under QEMU with my flash drive housing all of my LRP based packages I am getting an error starting Shorewall with a multiple providers configuration. Again my system is embeded running on a diskless low power board with 4 ethernet ports. It is using busybox and my own init process so its not exactly standard and already in the past I found some issues with the "arp" command as I recall that you patched into 1.4 back in the day. So here is the error. ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables At the end of this email is some info that will help figure out whats up. I have looked it over for a few days and to me it seems that my kernel and iptables should support the Connmark module. I updated the kernel with what is as best I sean mathews 2008-12-02T14:40:36 http://permalink.gmane.org/gmane.comp.security.shorewall/21060 The limit has been relaxed in Shorewall-perl but no one has yet tested it as far as we know. The limit comes about because of the algorithm used to number HTB classes. Once someone confirms that the code works with more than 10 devices, we can update the doc. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-12-02T15:01:37 http://permalink.gmane.org/gmane.comp.security.shorewall/21059 Don, thank you for strengthening this point. This is indeed an aspect in firewall operations often overseen. Interesting tool. Unfortunately it crashes when feeded with my firewall config (but it runs with the smaller ruleset of a second firewall). If I get it working (and manage to understand the query syntax) this would definitely meet my needs. Regards, Christian ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Christian Vieser 2008-12-02T14:37:23 http://permalink.gmane.org/gmane.comp.security.shorewall/21058 Hello Tom, On page "Traffic Shaping/Control" of Shorewall documentation you write: Warning Shorewall's builtin traffic shaping feature is limited to ten (10) devices. Do you plan to extend this limit? What causes of such limitation? Thank you, Alex ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ alex 2008-12-02T08:12:38 http://permalink.gmane.org/gmane.comp.security.shorewall/21057 This is an excellent question, and has relevance beyond just troubleshooting and maintenance. I don't know how many times an auditor has asked the pointed audit question, "What controls (tools and processes) do you use to verify the technology in place is configured correctly to support policy...". The fact that the Shorewall config files are further "compiled", before loading to firewall, really says that unless you are reviewing the output from iptables directly, you really have no good answer to that question. You may have already found this, but take a look at ITVal on Sourceforge (http://sourceforge.net/projects/itval/). It doesn't give you a "picture" of the firewall, but probably better, it lets you formulate queries against the table rules. I have been playing with it a bit (mostly reading docs) and it is something I plan on looking into deeper at later date. I liked what I have seen so far, especially that you can create scripts so that testing runs are repeatable, and can be built to answer speci Don Drohman 2008-12-01T21:53:44 http://permalink.gmane.org/gmane.comp.security.shorewall/21056 One thing you might try is to set the 'loose' option on both providers. Note that doing so will prevent you from being able to pick a provider by having a firewall-resident application bind to a particular external address. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-12-01T18:54:17 http://permalink.gmane.org/gmane.comp.security.shorewall/21055 Hi anyone can help me to create a TC Rules on my shorewall 3.2.X ? Shorewall are on my linux gateway (eth0: Net and Eth1:Lan) I have a link: eth0 2048kbits 2048kbits (Sdsl) I want create a tc for: eth1 and fw to eth0: All protocol are limited at 1792kbits (a ftp or web download can't get more 1792 kbits of BP) a exeption: port UDP 4639 with in source: eth1:192.168.20.1 can use the reserved 256 Kbits (2048 - 1792) and more if necessary but have in minimum 256 Kbs .. i don't have understand the documentation sorry ;=) Thanks for your help jerome ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Phibee Network Operation Center 2008-12-01T16:26:28 http://permalink.gmane.org/gmane.comp.security.shorewall/21054 Shorewall itself has nothing to do with ISP selection. Once 'shorewall start' completes, there is no Shorewall code running in your system at all. I couldn't follow that at all. If you are using balancing, both ISPs have a part of the default route. But the Multi-ISP documentation clearly states that there is no failover capability in what Shorewall configures and if a connection fails, 'shorewall restart' is required (assuming that both connections are marked as 'optional'). That is necessary -- you can't have a single connection ping-ponging packets between the two ISPs! It *was* supposed to solve that problem but it didn't work -- it prevented balancing from working at all. It is even mentioned in the Shorewall Multi-ISP doc. Almost certainly. CONFIG_IP_ROUTE_MULTIPATH_CACHED has been de-implemented because it was broken. Forget about it! Hard to say. Multi-ISP works differently for connections originating on the firewall itself which is what occurs when you run a Proxy on the firewall. See h Shorewall Geek 2008-12-01T16:11:24 http://permalink.gmane.org/gmane.comp.security.shorewall/21053 But your goal should be to get them to that skill level, right? I disagree. If you try to account for policy routing (multi-ISP), packet marking, NAT, Proxy ARP, ... the tool will be quite complex. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-12-01T15:52:57 http://permalink.gmane.org/gmane.comp.security.shorewall/21052 Ok, just putting a few answers together. Karsten Bräckelmann wrote: > To put it in other words: Isn't the shorewall configuration sufficient > to get a picture of allowed traffic? > > Since you specifically mentioned "small businesses", how large and > complicated are your policies and rules? The rules file has nearly 1000 lines (a third of them are comments or blank lines), we have about twenty zones and interfaces defined (and yes, we really need them). Of course the shorewall configuration is much pretty readable, but you have to arrange your rules in one or the other way. And there are rules applying to groups of destinations. So it's nearly impossible to arrange the rules in such a manner that all lines affecting a distinct host or zone are grouped together. Shorewall Geek wrote: And this is the point. Not all employees are at the same high skill level. So there is the wish to have a little command line tool (perhaps it could even be embedded in an apache service), where you put in a Christian Vieser 2008-12-01T13:10:32 http://permalink.gmane.org/gmane.comp.security.shorewall/21051 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Hinrich Fraemcke 2008-12-01T12:52:57 http://permalink.gmane.org/gmane.comp.security.shorewall/21050 Adrian Chapela escribió: I had a connectivity problem. Now this problem is solved. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Adrian Chapela 2008-12-01T11:00:08 http://permalink.gmane.org/gmane.comp.security.shorewall/21049 Hello, I have configured a Multi ISP recently but It didn't start, it shown me the error: ERROR: Unable to determine the MAC address of 192.168.22.254 through interface eth0 ip addr show output: inet 192.168.21.219/24 brd 192.168.21.255 scope global eth0 (real Ip) inet 192.168.22.220/24 brd 192.168.22.255 scope global eth0 (Virtual Ip) inet 192.168.21.220/24 brd 192.168.21.255 scope global secondary eth0 (Virtual Ip) configuration: ISP1 2 2 main eth0:192.168.21.220 192.168.21.254 track lan,lan2 ISP2 3 3 main eth0:192.168.22.220 192.168.22.254 track lan,lan2 The first provider is installed OK. What could be the error ? ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywh Adrian Chapela 2008-12-01T08:30:13 http://permalink.gmane.org/gmane.comp.security.shorewall/21047 As clearly described in the shorewall.conf man page, USE_ACTIONS=No allows the disk (and RAM) footprint of Shorewall-shell to be reduced in embedded applications. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-11-30T15:47:34 http://permalink.gmane.org/gmane.comp.security.shorewall/21046 That is not an error message. You should include no configuration for the loopback interface. The default intra-zone ACCEPT policy is automatically applied to fw->fw traffic. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Shorewall Geek 2008-11-30T15:39:16 http://permalink.gmane.org/gmane.comp.security.shorewall/21045 Excellent! I thought USE_ACTIONS was a previous implementation and macros are the favored method. So I'm not sure why USE_ACTIONS=No is not supported. Maybe I'm reading too much into this? ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Tom Allison 2008-11-30T15:19:04 http://permalink.gmane.org/gmane.comp.security.shorewall/21044 Found an error I didn't expect on bind starting. "command channel listening on 127.0.0.1#953" So.... I should be setting up an interface for 'lo' as well? Haven't found anyone mentioning the lo interface. I just assumed that lo would have been given a default ACCEPT policy. Just checking before I start trying to configure all this into the files. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ Tom Allison 2008-11-30T15:10:54 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.security.shorewall