Ubuntu Networking :: Use Shorewall On My Servers - Unable To Get Tos?

Apr 5, 2010

I always use Shorewall on my Ubuntu Servers and it works great; one thing I have never been able to get right is the TOS. Let's say, for example, I would like:

HTTP traffic (80, but all traffic get routed to 3128 [Squid]) to get highest priority
SMTP (25) second highest
POP (110) third highest
The rest fourth

How would I get that right?

Ubuntu Servers :: Shorewall Taking An Age To Restart?

May 11, 2010

Any time I try and restart the Shorewall it takes forever. Sometimes I have to reboot the File Server as it's faster. In the shorewall-init.log it seems to stick on the loading modules and goes no further. Anyone come across this before? I have Ubuntu 8.04 LTS - everything seemed to be working OK until I installed NFS, NIS, AUTOFS - but I can't be 100% sure.

Ubuntu Servers :: Install Shorewall As A Firewall - Package Not Found Error

Jun 10, 2011

I installed Ubuntu Server and got it set up, and I'm trying to install Shorewall as a firewall, but whenever I do sudo apt-get install shorewall I get a package not found error.

Networking :: 2 Internet Connections With Shorewall?

Mar 24, 2011

I've got a Ubuntu Server Linux router that I've got 2 internet connections hooked to. One of them is DSL and the other is cable.

What I'd like to do is have everything go through the DSL connection EXCEPT for one desktop, I'd like that system to go through cable for everything.

Here's a diagram of how I've got things set up.

[URL]

I don't have any more expansion slots on the mainboard of my server for another NIC, also I do a lot of file transferring between a laptop and the desktop I want on the cable connection so I don't want that slowing down the rest of my network.

I've got both providers set up in the providers file and I've got everything going through the DSL connection right now. So far everything I've tried has stopped the desktop from connecting out at all.

Ubuntu Networking :: Shorewall Implemented In Scripts With IP Aliases

Aug 17, 2010

Let me show you my config; tell me if it's OK.
It's pretty simple:
eth2 -> 192.168.1.0
eth2:0 ->192.168.50.0
eth1 and eth0 are the net interfaces, 1 router each to provide wan failover (not implemented here)

Hosts:
loc1 eth2:192.168.1.0/24
loc50 eth2:192.168.50.0/24

Interfaces
net6 eth0 detect
net7 eth1 detect
- eth2 192.168.1.255,192.168.50.255

Masq
eth0 eth2
eth1 eth2
eth2 eth2

Policy
all all ACCEPT info

Rules
SECTION NEW
REJECT loc50 loc1 all

Zones
fw firewall
net6 ipv4
net7 ipv4
loc1 ipv4
loc50 ipv4

Problems / Doubts:

1) Is the hosts file required?
2) I guess I need to do masq from local to each external, and also from local to local even if they share the same interface, hence the eth2 eth2 in the masq file...
3) So is Shorewall well implemented in these scripts to handle aliases?

Fedora Networking :: Adding Another Network To Routes And Shorewall?

May 10, 2011

First I will give some background. We have a currently working network that the Previous network Admin assigned an internal IP scheme of 200.1.1.0/24. I have no idea why he would have done such a thing, but it is my job to fix it (and keep our systems up and running). We have a Fedora 10 box on the 200 network that is acting as a router and a firewall (shorewall to be exact).

I added another NIC card (thank you again to all the great people on this forum for helping me get that working) and it is eth2. Assigned it a 10.100.1.A/24 (This is just a variable for the real IP). The other end of the cable that I plugged into that NIC connects to a Cisco Layer 3 switch. I assigned the port that connects to the other end of the cable the IP address of 10.100.1.B/24

Ok, I added the static route of 'ip route add 10.100.1.0/24 via 10.100.1.A dev eth2'. I added loc2 (which is my eth2 adapter) to the /etc/shorewall/zones file. I set eth2 on loc2 in the /etc/shorewall/interfaces file:

loc2 eth2 detect

I set the lines in the /etc/shorewall/policies file:

loc loc2 ACCEPT info
loc2 loc ACCEPT info

I can ping the cisco switch from the linux server itself. From a PC on the original network I can ping the new NIC card in the linux server, but cannot ping the cisco switch, so I figure it has to be either the route or shorewall.

Ubuntu Networking :: Unable To Use Multiple Name Servers?

Jun 22, 2010

I found one strange issue with Ubuntu; can anyone suggest if it's a bug or as designed? If I have two nameservers in my resolv.conf, Ubuntu only checks the first (and receives a not found reply from there) and never goes to the next two nameservers. This behaviour is very different from Windows or other Linux systems.

Networking :: Unable To Browse Samba Servers And Shares?

Mar 26, 2011

Clean install of Slackware 13.1 64-bit. From day 1 I have been unable to browse Samba servers and shares on my home network. NFS, FTP, SSH, etc. all seem to be working fine. I've been updating it regularly in case this was a bug, but I'm not so sure any more.

Reboot in WinXP sp3, I can browse fine. My wife's Win7 laptop works fine. My old Slack 12.2 system worked fine. I have not made any changes to the network other than adding this computer to the mix.

Pentium Dual Core e6700 @ 3.2GHz
Asus P5G41T-M/CSM
4GB DDR3 Ram
1 TB Hitachi SATA
Gigabyte ATI Radeon HD 5670 1GB Video PCIe

[Code]....

Networking :: Sendmail Unable To Send Message To External Servers (e.g. Hotmail,gmail Etc)

Jun 30, 2011

I am trying to send an email by sendmail (Ubuntu) to external servers, but am unable to send. Following is what I am trying to do and what I got as the response:

sendmail -v xxx@hotmail/gmail.com < mail.test
where mail.test contains
From: bla@bla.com

[code]....

Ubuntu Security :: Shorewall Firewall Setup In Webmin?

Jan 3, 2011

I got Shorewall firewall all Set-up perfect but I'm stuck at 1 last bit. The aim is to let on 2 clients max onto my server. I have the policy setup in webmin as.
More than 2 clients can get onto the server. The aim is to have it as a ddos protection allowing 100 clients on and a max burst of 10 clients at a time.

Debian Configuration :: Using Shorewall To Setup NAT

Apr 17, 2011

I posted a previous topic on bridging, and that didn't seem to work, so I went with Shorewall and I'm trying to setup NAT, but I'm struggling very badly. I have the interfaces configured where eth1 is my Local LAN (loc) network, and eth0 connects to my ISP (net). But my problem is that I have no clue how to forward traffic from eth1 to eth0, without using ProxyARP, which routes all traffic to eth1, and doesn't allow traffic out on itself. I've looked at the NAT tutorials, and they don't make sense to me, because I have two interfaces that I want to be able to talk to each other and the internet at the same time. Is there anyone who's good with Shorewall?

Software :: Shorewall And Opening Certain Ports?

Aug 27, 2010

I have searched the web for this answer and I can't find it. I'm using Shorewall for my company firewall and all is working well. But I need to tweak down a few problems that I have. Employees have internet connection over a proxy server (http and https traffic), but some do need to connect to other ports not through proxy but directly. I want to add an exception to the rules. For example, I want to allow that a local IP can connect to a predefined IP on the net to a specific port. All my attempts have failed.

Debian :: Webserver Behind A Server Running Shorewall?

Mar 3, 2011

The server I'm running runs Debian Etch, Squid and Shorewall. Every 24 hours the server gets a new internet IP so I need to use dyndns to keep the dns pointing to the correct PC.

I have a webserver that is running behind the debian server and am having trouble with it. When I enter the web address, it gets a timeout.

General :: Accessing Multicast From Internet Through Shorewall?

Aug 6, 2010

- I have set up an application in my local subnet 10.1.0.0/16 which broadcasts UDP packets.

- My application broadcasts from the machine with 10.1.2.240 and also broadcasts from multicast address 225.1.2.3 using port 3035 (it's the correct multicast address, right?)

- I have developed a small application to receive the UDP packets from the multicast address. It's running OK.

Problems/questions:

How can I set up my firewall (using Shorewall) so that users from the internet can receive the UDP packets from multicast?

Is it possible to listen to the UDP broadcast address behind the firewall (without setting up a VPN connection)?

Server :: Getting Logwatch Working With Shorewall Logs?

Sep 9, 2010

How to get logwatch working with shorewall logs. I tried fwlogwatch but could not get that working.

Networking :: Shorewall: Port Forwarding Port Is Closed Even After Forwarding?

Dec 12, 2009

I have just set up Shorewall on my router running Arch Linux. The external network is on eth0 and the internal network on eth1. I have set it up for masquerading and that works fine and I can open ports to the firewall. But I'm having trouble with port forwarding to my internal machines. The problem I have is that when port 22350 is forwarded to 192.168.1.3 on my local network, checking the port with nmap from a remote computer gives me:

Code:
PORT STATE SERVICE
22350/tcp closed unknown

[code]....

Debian Configuration :: Which Version Of Shorewall Installed On System

May 4, 2011

I want to learn about setting up Shorewall, but the website refers to several versions. How do I ascertain which version of Shorewall is on my system?

Security :: Configure Shorewall To Allow Syslog Messages From Router?

Jan 29, 2011

I have my system set up to where the router (dd-wrt) will send its syslog messages to my Linux PC system. I am using Shorewall as my firewall. I have two questions: How can I configure Shorewall to allow the messages from my router? If I use my router IP address to allow the messages to come through the firewall, will this be a great security risk as anything from the internet can come through on that router IP address?

Security :: Shorewall Rejecting Allowed Traffic For Transmission-daemon

May 22, 2011

I have the Shorewall firewall running on Ubuntu 10.10 server and the issue I am having is the firewall is blocking traffic from my transmission-daemon even though I have allowed it in the /etc/shorewall/rules.

The rules file has the following lines:

Code:
ACCEPT    $FW    net    tcp    60000:60035
ACCEPT    net    $FW    tcp    60000:60035
ACCEPT    $FW    net    udp    51413
ACCEPT    net    $FW    udp    51413

[Code]...

As you can see, Shorewall is rejecting packets with source and destination port 51413 on incoming net2fw and outgoing fw2net even though the rules are set to accept.

Debian Configuration :: Shorewall (Shoreline?) Firewall Up And Running, But It's Logging To /var/log/messages?

Jan 29, 2011

I've got a Shorewall (Shoreline?) firewall up and running, but it's logging to /var/log/messages. I'd much rather have it logging to another location e.g. /var/log/firewall but can't find (a clear enough) explanation on how to do this. Apparently, it varies greatly depending on the distro, the kernel, and the version of Shorewall that is running. You'd think it would be something as simple as setting a path in a config file, but apparently not. I'm running a stock Lenny kernel on the firewall machine. It comes with version 4.0.15 of Shorewall.

General :: Prevent An Ethernet Card From Losing Secondary IPs On Fedora 10 With Shorewall?

Sep 23, 2010

I have a Linux box being used as a firewall with Fedora 10 and Shorewall 4.2.10. Secondary IPs are loaded on the WAN (eth1) card through the Shorewall NAT and Rules files. The problem is that if there is a network hiccup or if the circuit bounces, the primary IP comes back but I have to reload Shorewall to get the secondary IPs back. Is there a way so that they can automatically reload or just not go away if the connection bounces?

Ubuntu Installation :: Missing Default Folder In Shorewall-common Directory After Installation?

Aug 13, 2010

I am setting up a mail server. After installation of shorewall-common, shorewall-doc

Following this link http://flurdy.com/docs/postfix/
for setting up.
It requires me to copy the content of /usr/share/doc/shorewall-common/default-config/rules to /etc/shorewall
cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/

But I observed that the folder default-config is missing. I have purged it with apt-get and reinstalled, but it still does not have that folder. What could cause this thing and how can I go about it?

Fedora Networking :: Unable To Connect To Wireless Networks And Unable To Configure Network

Jul 27, 2010

I just switched from Ubuntu to Fedora 13 because I was unable to get Ubuntu to connect to wireless networks. I tried everything suggested in help and forums, and kept getting "Bad Password" with WICD and Network Manager. Now, with Fedora...I still can't connect.

Problem #1: The guide says to "...make sure that the relevant wireless interface (usually eth0 or eth1) is controlled by NetworkManager," and that I do this via: System>Administration>Network

However, there is no Network option under System>Administration.

Problem #2: I open Network Manager, which displays a list of networks. I click on mine, configure it with WPA and the right password, and it fails to connect: "The network connection has been disconnected."

Ubuntu Servers :: Unable To Ssh Into Server

Feb 23, 2010

I'm having a problem connecting to my server with ssh. I'm running the latest Ubuntu 9.10 32-bit server, inside a virtual machine on a Mac (VMware Fusion 3, running on OS X 10.6.2 with 64-bit kernel). I've set up a network interface (eth2) to act as a host-only network between the virtual machine and the host. I can ssh into the server from my Mac when I type in its IP address ssh root@[IP address] BUT, I can not connect to the server. Do I need to open a port with ufw? Or configure something else in the ssh settings?

Ubuntu Servers :: Unable To Upgrade From 8.10 To 10.04

May 29, 2010

I have a Ubuntu Server machine that I can't get to 10.04. Sometime in the past I updated it to 9.04, but perhaps something went wrong. When I do a do-release-upgrade, it tells me there are no upgrades available. I tried a bunch of things but no luck, so I installed gnome to try the gui update manager on the console. When I start it, it first tells me that my distribution is no longer supported and that I should update. It gives me the button that says 9.04 is available, but after I click it I'm told that there are no new versions available.

Ubuntu Servers :: Unable To Get IP From The Dhcp?

May 1, 2011

I am setting up dhcp server for my public library and need to divide clients into a number of pools on the same network. The different ranges will be for different filtering requirements via squid/dansguard proxy. I have inhouse clients: staff, adult patron, and child patron, that have different filtering requirements and wireless guests that I want to shorter lease times to handle the rapid turnover rate. Trying to understand the terse manual, you assign pools via allow/deny members of classes, but classes are assigned by matching on mac address or vendor ids. Unfortunately as a poor rural library we have a hodge-podge of hardware with no matchable pattern. So I can solve the inhouse clients by using fixed-address, and remove them from the dynamic pool. Now the dhcp server would be serving only the short term wireless guests from the pool.

A common problem at libraries: you always get a few that are compelled to misbehave and break the library's TOS. In the past the librarians would kick the offenders out of the library only to have them link in from the step or parking lot. Since I have their MAC address in their initial lease, I would like to prevent them from reestablishing a connection when they are banned.

My thinking is this: the library's computers are static and not part of the pool, the wireless clients would be unknown-clients, so set the pool to allow only unknown-clients, and for the "bad-boys", adding their hosts in a group directive would make them "known" and therefore unable to get an IP from the dhcp server.

group {
host banned1 { hardware ethernet 00:00:00:00:00:01; }
host banned2 { hardware ethernet 00:00:00:95:a6:c1; }
host banned3 { hardware ethernet 0c:f1:b6:fe:00:01; }
}

[Code]....

Ubuntu Servers :: Unable To Use The Webmin

May 4, 2011

I have just done a fresh install of server 11.04 32-bit. I installed webmin. I can hit webmin, but it doesn't take my login. I tried with both my users but it refuses to log me in, as if my username or password is wrong.

Ubuntu Servers :: Unable To Install Mod_scgi ?

Jan 23, 2010

I want to install mod_scgi. I have installed the libapache2-mod-scgi package and changed the httpd.conf. When I try to restart the apache2 server, I get a syntax error:

Code:

Ubuntu Servers :: Unable To Mount / Make It Possible?

Feb 20, 2010

I'm trying to run this command code...

How do I fix this? I'm working on Ubuntu 8.04.4 server 32-bit.

Ubuntu Servers :: Unable To Mount Usb Printer

Apr 29, 2010

I am trying to mount my USB printer in Ubuntu Server 9.10. I'm trying to do this so that the USB printer will be picked up by VMware Server so the Windows XP guest I have on there will then be able to access the printer as if it were hooked up to it directly. I found a few posts online and this is what I've done so far. I found in a couple of posts that they said I should uncomment out the following lines in /etc/init.d/mountdevsubfs.sh. Well, I found that the file didn't exist. Someone posted up their copy of it so I copied that code into the mountdevsubfs.sh script. That code is the following:

Code:

#! /bin/sh
### BEGIN INIT INFO
# Provides: mountdevsubfs mountvirtfs
# Required-Start: mountkernfs
# Required-Stop:

[code]....

I also added this line to the bottom of my /etc/fstab file

Code:

usbfs /proc/bus/usb usbfs auto 0 0

When I go ahead and run the script it errors out on this line:

Code:

. /lib/init/mount-functions.sh

I went to go look in /lib/init and the mount-functions.sh script doesn't exist. I've googled this and I haven't been able to find anything. Why am I missing /lib/init/mount-functions.sh and how can I get that script?


Copyrights 2005-15 www.BigResource.com, All rights reserved