AW: [Shorewall-users] Shorewall and OpenVPN woes

Files files at
Thu Sep 23 09:41:20 PDT 2004

Thanks for pointing that out, Graham.

I found that out the hard way when I first started using Shorewall - I could
have really used this list then. I didn't know it existed. Ugh.

The things you wish you had known.

Anyway - to clarify - w/o bridging, shorewall works like a champ for me.

Personally, I went one step further and created a signalling system from the
apache error trapping pages (/error) to log all attempts to hack my webserver
(nimda et al) by detecting regexes - when they're detected, a file is dropped
into /tmp/shorewall/drop and a corresponding file is dropped into
/tmp/shorewall/lock. The lock file identifies the drop file to process.

fam watches /tmp/shorewall/lock for drop requests.

Drop requests get logged to gdbm and a "shorewall drop" is executed for each
IP address - quarantined as it were.

Every hour via cron, the dropped IPs are reinstated unless they have made too
many attempts to hack in which case they get permanently put into the
blacklist. So every hour the blacklist is autogenerated.

Also, I have it set up so that I have an admin interface to allow me to
identify IPs to always ignore, IPs to always block, and to also create the
patterns to look for.

All in PHP - works like a champ. I love it. That's why I want to stick w/ it
w/ my VPN setup.

A cron job makes sure that "drop" is always running (checks like every minute).

I wish there was an easier way to do something like this but I haven't had
time to explore shorewall nor do I see any real database capabilities that can
be triggered. So I'm relegated to using apache to do that part.

So - hopefully I will have a working VPN w/ shorewall as my firewall when this
whole process is done.

Thanks again Graham.

P.S. Do I need to post my config files or anything?
Shamim Islam

Graham Dodd said:
> Shamim,
> By default Shorewall has pinging disabled so you need to add it into rules
> ACCEPT  fw              loc             icmp
> Hopefully this will knock down another problem
> Graham
> -----Original Message-----
> From: shorewall-users-bounces at
> [mailto:shorewall-users-bounces at] On Behalf Of Files
> Sent: Thursday, 23 September 2004 16:39
> To: shorewall-users at
> Subject: [Shorewall-users] Shorewall and OpenVPN woes
> Ok. I'm knocking down one problem at a time.
> I've managed to figure out how to bridge my tap0 and my eth1 with br0.
> This is good stuff.
> But if I have shorewall running, I can't ping the local network at all.
> If I have shorewall not running, I can ping the local network.
> --
> Shamim Islam
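The hourly quarantine review described above, written out as an added example; it is not the poster's PHP (none of which appears in the thread). It assumes the drop handler keeps a per-IP attempt counter in a dbm file, that the permanent list is written one address per line to /etc/shorewall/blacklist, and that "shorewall allow" undoes an earlier "shorewall drop" and "shorewall refresh" reloads the blacklist; all of those are assumptions, and THRESHOLD is a constructed value.

```python
import dbm
import subprocess

THRESHOLD = 5  # attempts in one hour before a block becomes permanent (constructed value)

def load_attempts(db_path):
    """Per-IP attempt counters from the dbm file the drop handler maintains (assumed layout)."""
    with dbm.open(db_path, "c") as db:
        return {k.decode(): int(db[k]) for k in db.keys()}

def review_quarantine(attempts, always_allow, always_block, threshold=THRESHOLD):
    """Split quarantined IPs into (reinstate, blacklist). The admin's 'always ignore' list
    wins over the counter; the admin's 'always block' list is always in the blacklist."""
    allow, block = set(always_allow), set(always_block)
    reinstate, blacklist = [], set(block)
    for ip, count in sorted(attempts.items()):
        if ip in allow:
            reinstate.append(ip)
        elif ip in block or count >= threshold:
            blacklist.add(ip)
        else:
            reinstate.append(ip)
    return reinstate, sorted(blacklist)

def render_blacklist(blacklist):
    """The autogenerated blacklist file: one address per line (assumed format)."""
    return "".join(f"{ip}\n" for ip in blacklist)

def shorewall_commands(reinstate):
    """'shorewall allow' reverses an earlier 'shorewall drop'; 'shorewall refresh' reloads the
    blacklist file afterwards (both assumed from the Shorewall CLI of the time)."""
    return [["shorewall", "allow", ip] for ip in reinstate] + [["shorewall", "refresh"]]

def run_hourly(db_path, allow, block, blacklist_path="/etc/shorewall/blacklist", apply=False):
    """Cron entry point: returns the commands it would run and only executes them when apply=True."""
    reinstate, blacklist = review_quarantine(load_attempts(db_path), allow, block)
    cmds = shorewall_commands(reinstate)
    if apply:
        with open(blacklist_path, "w") as fh:
            fh.write(render_blacklist(blacklist))
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        with dbm.open(db_path, "w") as db:  # reinstated hosts start the next hour at zero
            for ip in reinstate:
                del db[ip.encode()]
    return cmds
```

Run it from cron with apply=False first to see which hosts would be released and which become permanent before letting it touch the firewall.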
