Serious bandwidth delay with Mandrake Bamboo as gateway


emilioestevezz
Hi, I finally got my Mandrake 9.1 up and running, but I've got a big problem. I use the PC I just installed Mandrake on as a gateway. The thing is that I have an ADSL (512k) connection, and when I used it with Win NT I was able to provide my work intranet with a reasonable navigation speed, but now with Mandrake it's awfully slow; I get very slow connections and I don't know why. As I am new to Linux I really don't know where to search for the problem, and I can't find good documentation on the net or tweaking tools like the ones I used in Windoze. Can anybody help me! The whole office is just about to kill me because they say that before, with NT, they had incomparably faster connections than with Linux. I don't want to install NT again; I've seen Linux in action and it simply can't be compared with any Microsoft server OS. What can I do, or where can I find good tutorials or how-to's??

PS: I've tested the ADSL modem with a notebook and the connection speed is good, so I'm afraid I've got a problem with Bamboo's configuration.

Useful info:

Got 2 NICs, both with static addresses manually assigned, both set to start at boot; one of them is a 3Com 3c509 10mb and the other a generic brand 10/100mb. Gateway = Pentium II, 300Mb RAM, S3 Virge video with 8Mb, 40G Seagate 7200rpm hard drive. ADSL connection 512mb.

Got some servers running, such as:

Apache 2.0
Postfix
Samba
DHCP
Postgresql


Ok, I don't know much about networking, but shorewall is the firewall on your computer. All configs of it are located in /etc/shorewall.

Here is the site:

http://www.shorewall.net/

There are some how-to's...

Hopefully this helps.... and hopefully (again :)) someone helps you as quickly as possible out of this one, so your office can enjoy speed again.

(Once you have done this, maybe also a proxy???? if people there use the same page frequently???)


Since you're running it as a server (do you also do desktop stuff on it?? if not..), I think it is even better that you don't go into graphic mode but stay in text mode (this way saving resources of course), but maybe this is too difficult for now. Although I assume this isn't the reason for your big slowdown, others could advise on this.


emilioestevezz,

Sorry, as Michel points out you'd usually get a quicker response here.

I've been messing with my own firewall this weekend :-) and I wasn't sure what exactly the problem was.

We will need a bit more info, otherwise we are guessing.

Firstly, the server is at work?

You mention Intranet, is it on that machine?? I'm presuming you need intranet and internet.

When you say slow, is it slow to access the intranet as well? If you connect directly to your server with its IP address is that slow?

If you connect to http://localhost is that as slow?

What I'm getting at is: is the Mandrake machine slow all round or is it just a routing problem?

Can you access the internet from the server, and if so is that slow too?

Are you running squid or another cache? Perhaps it's using too much memory??

One thing: you might have a problem with your DNS resolution?? Perhaps it's searching for a local server first. You're running DHCP, where are the PCs getting their names from (/etc/resolv.conf)?


emilioestevezz,

:) Well guys, first of all I would like to thank you for trying to help out with the far best server OS available, and for dedicating time to users like me who have our little problems.

I'll try to clarify my situation...

> Sorry, as Michel points out you'd usually get a quicker response here.

No problem.

> We will need a bit more info otherwise we are guessing.
>
> Firstly, the server is at work?

Yes it is.

> You mention Intranet, is it on that machine?? I'm presuming you need intranet and internet.

Well, I have 2 servers really. 1. Domain controller, with darn Windoze NT, but this is because at work (law bar) we use a program for lawyers that needs a Windows NT dedicated server, because it is installed there so it can be used in multiuser mode by the rest of the desktops, which must be Windows 98 PCs. We have 5 PCs total that use this program and use the internet occasionally, just for email and browsing the web, but they use it really occasionally (in my case it's quite the opposite).

2. I've got a gateway running Bamboo, which is used as well as web, mail and postgresql server; obviously this PC is the one that is attached to the DSL router.

> When you say slow, is it slow to access the intranet as well?

No, intranet access is normal and very fast.

> If you connect directly to your server with its IP address is that slow?
> If you connect to http://localhost is that as slow?

No, in that case the speed is just fine, or should I say perfect!!

> What I'm getting at is: is the Mandrake machine slow all round or is it just a routing problem?

I think it is a routing problem after all.

> Can you access the internet from the server, and if so is that slow too?

Yes I can, but it's really slow, I don't know why!!

> Are you running squid or another cache? Perhaps it's using too much memory??

No, as a matter of fact I have plenty of free mem, I can't believe it; the PC is at optimum usage of mem, CPU, etc., but even so I've got problems with that, which must be an indicator of misconfiguration I think, and I always leave Mandrake in text mode to ease the CPU. No, I'm not running any proxy server, but I'm planning to put in another PC with multi network firewall with a proxy server, is that convenient???

> One thing: you might have a problem with your DNS resolution?? Perhaps it's searching for a local server first.

I surely need a hand with that; I didn't configure it by myself, I just left the default configs that were set by Bamboo's installation. I know that I should check /etc/resolv and /etc/hosts but I don't know what to set there.

> You're running DHCP, where are the PCs getting their names from (/etc/resolv.conf)?

Thing is, in each Win 98 terminal I set, in the network properties in the DNS configuration tab, the primary and secondary IPs of my ISP's DNS servers. I've been told that's not the way to do it, but as it gives me a connection I just leave it like that; maybe that is one problem too???

I didn't configure the DHCP server in Bamboo either, I just used the defaults when I configured the sharing connection wizard. Do I have to do some deep configuration by hand???

Again, I would like to thank you for your help, and if you need further information just mention it!

Emilio


Well,

First thing you can do is check out if it's something from the firewall.

The Internet connection wizard is OK but it's not really designed for when you're using it as a server.

If your Windows PCs are having problems then the Windows domain controller might not be helping, but first you gotta sort out your internet connection.

So your DSL router is connected via ethernet.

The sharing connection wizard didn't work for me and left me in a bit of a mess.

Anyway, first things: let's check if it's your firewall.

You need to use your gateway PC at this point.

shorewall clear <typed as root> will turn off the firewall. If it gives you normal access when it's off then it's a pretty good bet it's the firewall.

I gave up on the sharing wizard. I used the configuration from shorewall themselves. I'd recommend trying this if your connection is playing up.

Since you're in init 3 and presuming you installed pppoe with the wizard you should have adsl-start, adsl-connect etc. (adsl<tab> will give you a nice list in a bash shell :-))

So I'd say the first thing is to find out if it works with the firewall disabled.

If it doesn't then hopefully we can look elsewhere for some clues, but no point blindly speculating.


I've tried; I've disabled shorewall, but then when I tried to connect from the PCs I couldn't. I think it's necessary, for sharing the internet connection from the gateway, to have shorewall enabled. Am I wrong??


Well nearly, actually shorewall uses iptables to route but that's a bit of a technicality.

Point is, if you have good access from the firewall to the internet when shorewall is disabled then you have a config problem in shorewall. If it's the same, it's something else.

If it's shorewall then (having just done this myself) I'd recommend using the shorewall-provided config as opposed to the one set up by Mandrake, which is more suitable for a standalone PC and apt to confuse you if you try reading the shorewall manuals or quickstart guide.

Anyway, first: can you access the internet OK from the firewall PC with shorewall disabled??


Ok, I'll search for shorewall configs at shorewall.org. Anyway, I was testing the gateway, and after stopping shorewall I tried to download a file at symantec.com; the download rate was 20k and my ADSL connection is 512, is this normal??? I mean the speed? Anyway, I don't really know if I've got resolv.conf and host.conf properly configured, could you give me some pointers?? And any other file I should really check for misconfigurations?? I'm gonna investigate shorewall to set it up correctly in the meantime. I really appreciate your help!

Oh, another thing: I was trying to use ddclient 3.6.3 but I can't start the service. Each time I type ddclient start in the shell it tells me "-bash: /usr/sbin/ddclient: Permission denied". Got any clues as to what is going wrong? I really need that client up and running but I don't know what's going on.

Thanks again for the help.


OK, shorewall was stopped and you tried access from your gateway/fw and it was VERY SLOW.

So, it's not shorewall. (At least something else is messing up.)

If you can, I would try a separate machine and configure it just to connect to the DSL modem and access the internet.

When it's working (a much simpler setup) you can check it was your other machine and find out what might be causing the problems.


Maybe you could post a part of your syslog (/var/log/syslog) here, maybe it helps... I would suggest a link to it somewhere. The part after the startup would be fine I suppose..... or wherever you think the error could be..

A link to your shorewall config files??? (just to check them out...) Especially the rules/policy/interfaces/zones files. The general shorewall config file also, maybe... :)

Since you're receiving something, I'm not sure if it's the routing....

Something that maybe can help (but can be confusing) is

shorewall monitor 15

You can look if lots of things are dropped... and what is dropped, but this should also be in your syslog, though not so detailed there..

The 15 is after how many seconds it has to update (or something like that). You have to be root again of course...
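The post above points at syslog as the place to see what the firewall is dropping. The parser below is an added example of mine, not code from the thread or from Shorewall: Shorewall 1.x logs with a prefix of the form Shorewall:<chain>:<disposition>: followed by the kernel's netfilter fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= ...), and this script tallies those lines by chain, disposition and destination port so a log of a few thousand drops becomes a handful of counts. The sample lines are constructed to that shape; the hostnames and addresses in them are made up, and blocked_replies is my own heuristic, not a Shorewall feature.

```python
"""Tally Shorewall DROP/REJECT lines out of a syslog extract.

Added example, not from the thread or from Shorewall. The log prefix
'Shorewall:<chain>:<disposition>:' is what Shorewall 1.x sets on its LOG
rules; the field names after it are netfilter's own. SAMPLE_SYSLOG is
constructed for the example (hostname 'gw' and all addresses are made up).
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Jun 10 09:12:01 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=2314 DF PROTO=TCP SPT=3345 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 09:12:04 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=2315 DF PROTO=TCP SPT=3346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 09:12:09 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth1 SRC=192.168.1.12 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9981 DF PROTO=TCP SPT=1044 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 09:12:15 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=UDP SPT=53 DPT=1026 LEN=58
Jun 10 09:12:20 gw pppd[412]: local  IP address 198.51.100.20
"""

# Shorewall's log prefix, then the rest of the kernel message.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
# The netfilter key=value fields we care about; OUT= is legitimately empty
# for packets dropped on input, so the value may be the empty string.
FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in FIELD.findall(m.group("rest")):
        rec[key] = val
    return rec


def parse_syslog(text):
    """All Shorewall records in a syslog extract, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def tally(records, *keys):
    """Count records by a tuple of fields, e.g. tally(recs, 'chain', 'disposition')
    or tally(recs, 'PROTO', 'DPT') to see which ports the drops are aimed at."""
    return Counter(tuple(r.get(k, "") for k in keys) for r in records)


def blocked_replies(records, src_port="53"):
    """DROPped packets whose *source* port is 53, i.e. answers from a DNS server
    that the firewall threw away. With conntrack and ALLOWRELATED=yes a reply to
    a query sent from this box is normally accepted as ESTABLISHED, so a steady
    stream of these is a sign that replies are not being matched to their
    queries (or come from a server nobody asked) and is worth a closer look when
    browsing is slow; it is a heuristic, not a diagnosis."""
    return [r for r in records
            if r.get("disposition") == "DROP" and r.get("SPT") == src_port]


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print("by chain/disposition:", dict(tally(recs, "chain", "disposition")))
    print("by proto/dport:      ", dict(tally(recs, "PROTO", "DPT")))
    print("dropped DNS replies: ", [r["SRC"] for r in blocked_replies(recs)])
```

Feed it a real extract with parse_syslog(open("/var/log/messages").read()) (the thread's shorewall.conf has LOGFILE=/var/log/messages); the "net2all" chain name is where the "net all DROP INFO" policy logs land, so counts on that chain are unsolicited Internet traffic, while anything on "all2all" is local traffic hitting the REJECT catch-all and usually means a missing rule.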


All right, I transcribed some config files:

/etc/shorewall/policy:

masq net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP INFO
all all REJECT INFO

/etc/shorewall/zones:

Zone Display Comment
net net Internet Zone
masq Masquerade Masquerade Local
loc Local Local

/etc/shorewall/interfaces:

net ppp+ detect
masq eth1 detect
loc eth0 detect

/etc/shorewall/rules:

#ACTION SOURCE DEST PROTO DEST    SOURCE  ORIGINAL
#                         PORT    PORT(S) DEST
ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT loc fw udp 53 -
ACCEPT loc fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,515,137,138,139 -
ACCEPT fw masq udp 631,515,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


/etc/shorewall/shorewall.conf:

 

#

# PATH - Change this if you want to change the order in which Shorewall

# searches directories for executable files.

#

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 

#

# NAME OF THE FIREWALL ZONE

#

# Name of the firewall zone -- if not set or if set to an empty string, "fw"

# is assumed.

#

FW=fw

 

#

# SUBSYSTEM LOCK FILE

#

# Set this to the name of the lock file expected by your init scripts. For

# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it

# should be /var/state/shorewall. If your init scripts don't use lock files,

# set this to "".

#

 

SUBSYSLOCK=/var/lock/subsys/shorewall

 

#

# SHOREWALL TEMPORARY STATE DIRECTORY

#

# This is the directory where the firewall maintains state information while

# it is running

#

 

STATEDIR=/var/lib/shorewall

 

#

# ALLOW RELATED CONNECTIONS

#

# Set this to "yes" or "Yes" if you want to accept all connection requests

# that are related to already established connections. For example, you want

# to accept FTP data connections. If you say "no" here, then to accept

# these connections between particular zones or hosts, you must include

# explicit "related" rules in /etc/shorewall/rules.

#

 

ALLOWRELATED=yes

 

#

# KERNEL MODULE DIRECTORY

#

# If your netfilter kernel modules are in a directory other than

# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that

# directory in this variable. Example: MODULESDIR=/etc/modules.

 

MODULESDIR=

 

#

# LOG RATE LIMITING

#

# The next two variables can be used to control the amount of log output

# generated. LOGRATE is expressed as a number followed by an optional

# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum

# rate at which a particular message will occur. LOGBURST determines the

# maximum initial burst size that will be logged. If set empty, the default

# value of 5 will be used.

#

# Example:

#

# LOGRATE=10/minute

# LOGBURST=5

#

# If BOTH variables are set empty then logging will not be rate-limited.

#

 

LOGRATE=

LOGBURST=

 

#

# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS

#

# This variable determines the level at which Mangled/Invalid packets are logged

# under the 'dropunclean' interface option. If you set this variable to an

# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped

# silently.

#

# The value of this variable also determines the level at which Mangled/Invalid

# packets are logged under the 'logunclean' interface option. If the variable

# is empty, these packets will still be logged at the 'info' level.

#

# See the comment at the top of this file for a description of log levels

#

 

LOGUNCLEAN=info

 

#

# LOG FILE LOCATION

#

# This variable tells the /sbin/shorewall program where to look for Shorewall

# log messages. If not set or set to an empty string (e.g., LOGFILE="") then

# /var/log/messages is assumed.

#

# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to

# look for Shorewall messages.It does NOT control the destination for

# these messages. For information about how to do that, see

#

# http://www.shorewall.net/FAQ.htm#faq6

 

LOGFILE=/var/log/messages

 

#

# ENABLE NAT SUPPORT

#

# You probally want yes here. Only gateways not doing NAT in any form, like

# SNAT,DNAT masquerading, port forwading etc. should say "no" here.

#

NAT_ENABLED=Yes

 

#

# ENABLE MANGLE SUPPORT

#

# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file

# and will not initialize the mangle table when starting or stopping

# your firewall. You must enable mangling if you want Traffic Shaping

# (see TC_ENABLED below).

#

MANGLE_ENABLED=Yes

 

#

# ENABLE IP FORWARDING

#

# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you

# say "Off" or "off", packet forwarding will be disabled. You would only want

# to disable packet forwarding if you are installing Shorewall on a

# standalone system or if you want all traffic through the Shorewall system

# to be handled by proxies.

#

# If you set this variable to "Keep" or "keep", Shorewall will neither

# enable nor disable packet forwarding.

#

IP_FORWARDING=On

 

#

# AUTOMATICALLY ADD NAT IP ADDRESSES

#

# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses

# for each NAT external address that you give in /etc/shorewall/nat. If you say

# "No" or "no", you must add these aliases youself.

#

ADD_IP_ALIASES=Yes

 

#

# AUTOMATICALLY ADD SNAT IP ADDRESSES

#

# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses

# for each SNAT external address that you give in /etc/shorewall/masq. If you say

# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless

# you are sure that you need it -- most people don't!!!

#

ADD_SNAT_ALIASES=No

 

#

# ENABLE TRAFFIC SHAPING

#

# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If

# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic

# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and

# you must enable packet mangling above.

#

TC_ENABLED=yes

 

#

# BLACKLIST DISPOSITION

#

# Set this variable to the action that you want to perform on packets from

# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,

# DROP is assumed.

#

BLACKLIST_DISPOSITION=DROP

 

#

# BLACKLIST LOG LEVEL

#

# Set this variable to the syslogd level that you want blacklist packets logged

# (beward of DOS attacks resulting from such logging). If not set, no logging

# of blacklist packets occurs.

#

# See the comment at the top of this file for a description of log levels

#

BLACKLIST_LOGLEVEL=

 

#

# MSS CLAMPING

#

# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"

# option. This option is most commonly required when your internet

# interface is some variant of PPP (PPTP or PPPoE). Your kernel must

# have CONFIG_IP_NF_TARGET_TCPMSS set.

#

# [From the kernel help:

#

# This option adds a `TCPMSS' target, which allows you to alter the

# MSS value of TCP SYN packets, to control the maximum size for that

# connection (usually limiting it to your outgoing interface's MTU

# minus 40).

#

# This is used to overcome criminally braindead ISPs or servers which

# block ICMP Fragmentation Needed packets. The symptoms of this

# problem are that everything works fine from your Linux

# firewall/router, but machines behind it can never exchange large

# packets:

# 1) Web browsers connect, then hang with no data received.

# 2) Small mail works fine, but large emails hang.

# 3) ssh works fine, but scp hangs after initial handshaking.

# ]

#

# If left blank, or set to "No" or "no", the option is not enabled.

#

CLAMPMSS=yes

 

#

# ROUTE FILTERING

#

# Set this variable to "Yes" or "yes" if you want kernel route filtering on all

# interfaces (anti-spoofing measure).

#

# If this variable is not set or is set to the empty value, "No" is assumed.

# In that case, you can still enable route filtering on individual interfaces

# in the /etc/shorewall/interfaces file.

 

ROUTE_FILTER=No

 

#

# NAT BEFORE RULES

#

# Shorewall has traditionally processed static NAT rules before port forwarding

# rules. If you would like to reverse the order, set this variable to "No".

#

# If this variable is not set or is set to the empty value, "Yes" is assumed.

 

NAT_BEFORE_RULES=Yes

 

# MULTIPORT support

#

# If your kernel includes the multiport match option

# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this

# option is enabled by setting it's value to "Yes" or "yes":

#

# 1) If you list more that 15 ports in a comma-seperated list in

# /etc/shorewall/rules, Shorewall will not use the multiport option

# but will generate a separate rule for each element of each port

# list.

# 2) If you include a port range (<low port>:<high port>) in the

# rule, Shorewall will not use the multiport option but will generate

# a separate rule for each element of each port list.

#

# See the /etc/shorewall/rules file for additional information on this option.

#

# if this variable is not set or is set to the empty value, "No" is assumed.

 

MULTIPORT=No

 

# DNAT IP ADDRESS DETECTION

#

# Normally when Shorewall encounters the following rule:

#

# DNAT net loc:192.168.1.3 tcp 80

#

# it will forward TCP port 80 connections from the net to 192.168.1.3

# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is

# convenient for two reasons:

#

# a) If the the network interface has a dynamic IP address, the

# firewall configuration will work even when the address

# changes.

#

# B) It saves having to configure the IP address in the rule

# while still allowing the firewall to be started before the

# internet interface is brought up.

#

# This default behavior can also have a negative effect. If the

# internet interface has more than one IP address then the above

# rule will forward connection requests on all of these addresses;

# that may not be what is desired.

#

# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply

# only if the original destination address is the primary IP address of

# one of the interfaces associated with the source zone. Note that this

# requires all interfaces to the source zone to be up when the firewall

# is [re]started.

 

DETECT_DNAT_IPADDRS=No

 

#

# MERGE HOSTS FILE

#

# The traditional behavior of the /etc/shorewall/hosts file has been that

# if that file has ANY entry for a zone then the zone must be defined

# entirely in the hosts file. This is counter-intuitive and has caused

# people some problems.

#

# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file

# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file

# are added to the contents described in the /etc/shorewall/interfaces file.

#

# Example: Suppose that we have the following interfaces and hosts files:

#

# Interfaces:

#

# net eth0

# loc eth1

# - ppp+

#

# Hosts:

#

# loc ppp+:192.168.1.0/24

# wrk ppp+:!192.168.1.0/24

#

# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just

# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be

# ppp+:192.168.1.0 and eth1:0.0.0.0/0

#

# If this variable is not set or is set to the empty value, "No" is assumed.

 

MERGE_HOSTS=Yes

 

#

# MUTEX TIMEOUT

#

# The value of this variable determines the number of seconds that programs

# will wait for exclusive access to the Shorewall lock file. After the number

# of seconds corresponding to the value of this variable, programs will assume

# that the last program to hold the lock died without releasing the lock.

#

# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.

#

# An appropriate value for this parameter would be twice the length of time

# that it takes your firewall system to process a "shorewall restart" command.

 

MUTEX_TIMEOUT=60

 

#

# LOGGING 'New not SYN' rejects

#

# This variable only has an effect when NEWNOTSYN=No (see below).

#

# When a TCP packet that does not have the SYN flag set and the ACK and RST

# flags clear then unless the packet is part of an established connection,

# it will be rejected by the firewall. If you want these rejects logged,

# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.

#

# See the comment at the top of this file for a description of log levels

#

# Example: LOGNEWNOTSYN=debug

 

 

LOGNEWNOTSYN=

 

#

# Old Ping Handling

#

# If this option is set to "Yes" then Shorewall will use its old ping handling

# facility including the FORWARDPING option in this file and the 'noping' and

# 'filterping' interface options. If this option is set to 'No' then ping

# is handled via policy and rules just like any other connection request.

#

# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND

# DON'T DELETE IT!!!!!!

#

OLD_PING_HANDLING=No

 

#

# NEWNOTSYN

#

# If this variable is set to "No" or "no", then When a TCP packet that does

# not have the SYN flag set and the ACK and RST flags clear then unless the

# packet is part of an established connection, it will be dropped by the

# firewall

#

# If this variable is set to "Yes" or "yes" then such packets will not be

# dropped but will pass through the normal rule processing.

#

# Users with a High-availability setup with two firewall's and one acting

# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may

# also need to select NEWNOTSYN=Yes.

 

NEWNOTSYN=No

 

#

# MAC List Disposition

#

# This variable determines the disposition of connection requests arriving

# on interfaces that have the 'maclist' option and that are from a device

# that is not listed for that interface in /etc/shorewall/maclist. Valid

# values are ACCEPT, DROP and REJECT. If not specified or specified as

# empty (MACLIST_DISPOSITION="") then REJECT is assumed

 

MACLIST_DISPOSITION=REJECT

 

#

# MAC List Log Level

#

# Specifies the logging level for connection requests that fail MAC

# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then

# such connection requests will not be logged.

#

# See the comment at the top of this file for a description of log levels

#

 

MACLIST_LOG_LEVEL=info

 

#

# TCP FLAGS Disposition

#

# This variable determins the disposition of packets having an invalid

# combination of TCP flags that are received on interfaces having the

# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified

# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

 

TCP_FLAGS_DISPOSITION=DROP

 

#

# TCP FLAGS Log Level

#

# Specifies the logging level for packets that fail TCP Flags

# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then

# such packets will not be logged.

#

# See the comment at the top of this file for a description of log levels

#

 

TCP_FLAGS_LOG_LEVEL=info

 

#

# RFC1918 Log Level

#

# Specifies the logging level for packets that fail RFC 1918

# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then

# RFC1918_LOG_LEVEL=info is assumed.

#

# See the comment at the top of this file for a description of log levels

#

 

RFC1918_LOG_LEVEL=info

 

#

# Mark Packets in the forward chain

#

# When processing the tcrules file, Shorewall normally marks packets in the

# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set

# this to "Yes". If not specified or if set to the empty value (e.g.,

# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.

#

# Marking packets in the FORWARD chain has the advantage that inbound

# packets destined for Masqueraded/SNATed local hosts have had their destination

# address rewritten so they can be marked based on their destination. When

# packets are marked in the PREROUTING chain, packets destined for

# Masqueraded/SNATed local hosts still have a destination address corresponding

# to the firewall's external interface.

#

# Note: Older kernels do not support marking packets in the FORWARD chain and

# setting this variable to Yes may cause startup problems.

 

MARK_IN_FORWARD_CHAIN=yes

 

#

# Clear Traffic Shapping/Control

#

# If this option is set to 'No' then Shorewall won't clear the current

# traffic control rules during [re]start. This setting is intended

# for use by people that prefer to configure traffic shaping when

# the network interfaces come up rather than when the firewall

# is started. If that is what you want to do, set TC_ENABLED=Yes and

# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That

# way, your traffic shaping rules can still use the 'fwmark'

# classifier based on packet marking defined in /etc/shorewall/tcrules.

#

# If omitted, CLEAR_TC=Yes is assumed.

 

CLEAR_TC=Yes

 

#LAST LINE -- DO NOT REMOVE

 

I guess that's all of it; well, check them out and tell me what you think??

Thanks
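Before tuning anything for speed, it is worth reading the posted policy and rules files the way Shorewall does: the first matching policy line decides a zone pair, and the rules then punch holes in it. The script below is an added example of mine, not part of the thread or of Shorewall; it parses the policy and rules exactly as Emilio posted them (file contents copied from the post, service names resolved with a small table of my own) and reports the default policy for each zone pair and every port the rules open on the firewall to the Internet zone. The point a gateway admin should take from the result is that the net→fw rule accepts TCP 22, 25, 53, 80, 109, 110, 143 and 443 and UDP 53 from anyone on the Internet, so each of those daemons is exposed whatever the bandwidth problem turns out to be; every one should be intended.

```python
"""Summarise what the posted Shorewall 1.x policy and rules expose.

Added example, not part of the thread or of Shorewall. POLICY and RULES are
copied from the thread's /etc/shorewall/policy and rules; SERVICE_PORTS is a
small /etc/services-style table of my own so the names in the rules resolve
offline. Parsing follows the whitespace-separated format the thread shows.
"""

POLICY = """\
masq net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP INFO
all all REJECT INFO
"""

RULES = """\
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT loc fw udp 53 -
ACCEPT loc fw tcp 80,443,53,22,25,109,110,143 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,515,137,138,139 -
ACCEPT fw masq udp 631,515,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

SERVICE_PORTS = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
                 "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123}


def _records(text):
    """Fields of each line that is neither blank nor a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    """Ordered (source, dest, policy, loglevel) tuples; order matters."""
    out = []
    for fields in _records(text):
        src, dst, pol = fields[:3]
        out.append((src, dst, pol, fields[3] if len(fields) > 3 else ""))
    return out


def default_policy(policy, src, dst):
    """First matching policy line wins, which is how Shorewall evaluates them."""
    for psrc, pdst, pol, _ in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol
    return None


def _port_number(token):
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError("unknown service name: %r" % token)


def parse_rules(text):
    """(action, src, dst, proto, frozenset of ports) for each rule line."""
    rules = []
    for fields in _records(text):
        action, src, dst, proto = fields[:4]
        ports = fields[4] if len(fields) > 4 and fields[4] != "-" else ""
        rules.append((action, src, dst, proto,
                      frozenset(_port_number(p) for p in ports.split(",") if p)))
    return rules


def exposed_to(rules, src_zone, dst_zone="fw"):
    """All (proto, port) pairs ACCEPTed from src_zone to dst_zone."""
    exposed = set()
    for action, src, dst, proto, ports in rules:
        if action == "ACCEPT" and src == src_zone and dst == dst_zone:
            exposed.update((proto, p) for p in ports)
    return exposed


def internet_facing_services(rules_text=RULES, net_zone="net"):
    """Sorted 'proto/port' strings reachable on the firewall from the Internet.
    Every entry is a daemon anyone on the Internet can talk to, so this is the
    list to review first, whatever the link-speed problem turns out to be."""
    pairs = exposed_to(parse_rules(rules_text), net_zone)
    return ["%s/%d" % pair for pair in sorted(pairs)]


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    for s, d in (("net", "loc"), ("loc", "net"), ("fw", "net"), ("net", "fw"), ("loc", "masq")):
        print("%s -> %s: %s" % (s, d, default_policy(pol, s, d)))
    print("reachable from net:", ", ".join(internet_facing_services()))
```

Two things the output makes visible that are easy to miss reading the files by hand: loc→masq (and masq→loc) fall through to the final "all all REJECT" line, so the two internal networks cannot talk to each other except where a rule says so, and net→fw is DROP by default with the listed ports opened on top, so nothing about the policy itself would slow traffic that the rules already accept.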
