http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.4/
ftp://ftp1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.4/

Again, there are a large number of bug fixes thanks to the continued testing by Steven Springl. See the releasenotes.txt file in the release directory for details.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Setting DYNAMIC_ZONES=Yes in shorewall.conf produces the messages in the attached file.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Setting DYNAMIC_ZONES=Yes in shorewall.conf produces the messages in the
> attached file.

I can't reproduce the problem, Steven.

Please send me a tarball (with capabilities file) of the test case.

Thanks!
-Tom

On Monday 23 April 2007 23:59, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Setting DYNAMIC_ZONES=Yes in shorewall.conf produces the messages in the
> > attached file.
>
> I can't reproduce the problem, Steven.
>
> Please send me a tarball (with capabilities file) of the test case.
>
> Thanks!
> -Tom

Tom

Attached is the test configuration.

Steven.

Steven Jan Springl wrote:
> On Monday 23 April 2007 23:59, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Setting DYNAMIC_ZONES=Yes in shorewall.conf produces the messages in the
>>> attached file.
>> I can't reproduce the problem, Steven.
>>
>> Please send me a tarball (with capabilities file) of the test case.
>>
>> Thanks!
>> -Tom
> Tom
>
> Attached is the test configuration.
>

Thanks! Fixed in revision 6095.

-Tom

Tom

Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid iptables rules. These rules contain the string:

--state NEW-j LOG

Attached is a file containing the iptables rules.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
> iptables rules. These rules contain the string:
>
> --state NEW-j LOG

Time to go to bed Steven -- LOGALLNEW's value must be a log level, not Yes/No.

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
>> iptables rules. These rules contain the string:
>>
>> --state NEW-j LOG
>
> Time to go to bed Steven -- LOGALLNEW's value must be a log level, not
> Yes/No.

But the missing space between NEW and -j is fixed in revision 6097.

-Tom

On Tuesday 24 April 2007 01:13, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
> > iptables rules. These rules contain the string:
> >
> > --state NEW-j LOG
>
> Time to go to bed Steven -- LOGALLNEW's value must be a log level, not
> Yes/No.
>
> -Tom

Tom

Sorry for that, I should have read the manual first.

You are correct, it's 1.15 in the morning. I am going to bed.

Steven.

Steven Jan Springl wrote:
> On Tuesday 24 April 2007 01:13, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
>>> iptables rules. These rules contain the string:
>>>
>>> --state NEW-j LOG
>> Time to go to bed Steven -- LOGALLNEW's value must be a log level, not
>> Yes/No.
>>
>> -Tom
> Tom
>
> Sorry for that, I should have read the manual first.
>
> You are correct, it's 1.15 in the morning. I am going to bed.

Since this seems like a mistake that others could make, in revision 6101 I have added validation of all log levels. As part of the validation process, level names such as 'info' are translated into their numeric equivalents.

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Tuesday 24 April 2007 01:13, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
>>>> iptables rules. These rules contain the string:
>>>>
>>>> --state NEW-j LOG
>>> Time to go to bed Steven -- LOGALLNEW's value must be a log level, not
>>> Yes/No.
>>>
>>> -Tom
>> Tom
>>
>> Sorry for that, I should have read the manual first.
>>
>> You are correct, it's 1.15 in the morning. I am going to bed.
>
> Since this seems like a mistake that others could make, in revision 6101 I
> have added validation of all log levels. As part of the validation process,
> level names such as 'info' are translated into their numeric equivalents.

Revision 6102 fixes a silly syntax error.

-Tom

On Tuesday 24 April 2007 15:55, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Tuesday 24 April 2007 01:13, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Setting LOGALLNEW=yes in shorewall.conf generates a number of invalid
> >>> iptables rules. These rules contain the string:
> >>>
> >>> --state NEW-j LOG
> >>
> >> Time to go to bed Steven -- LOGALLNEW's value must be a log level, not
> >> Yes/No.
> >>
> >> -Tom
> >
> > Tom
> >
> > Sorry for that, I should have read the manual first.
> >
> > You are correct, it's 1.15 in the morning. I am going to bed.
>
> Since this seems like a mistake that others could make, in revision 6101 I
> have added validation of all log levels. As part of the validation process,
> level names such as 'info' are translated into their numeric equivalents.
>
> -Tom

Tom

It sounds like a good idea especially for insomniac Shorewall testers who cannot be bothered to read the documentation.

Steven.

Tom

Setting IP_FORWARDING=No in shorewall.conf
works for shorewall start/restart/check
but gives the following message for
shorewall stop/clear:

ERROR: Invalid value (No) for IP_FORWARDING

Steven

Steven Jan Springl wrote:
> Tom
>
> Setting IP_FORWARDING=No in shorewall.conf
> works for shorewall start/restart/check
> but gives the following message for
> shorewall stop/clear:
>
> ERROR: Invalid value (No) for IP_FORWARDING
>

Fix is in revision 6103.

Thanks,
-Tom

Tom

I am getting the following error with the attached config:

Argument "ACCEPT" isn't numeric in numeric ne (!=)
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.

Argument "DROP" isn't numeric in numeric ne (!=)
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.

I don't know which config option has caused this, as I am using a semi-automated shorewall.conf generator to try as many different configs as possible.

Steven.

Steven Jan Springl wrote:
> Tom
>
> I am getting the following error with the attached config:
>
> Argument "ACCEPT" isn't numeric in numeric ne (!=)
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
>
> Argument "DROP" isn't numeric in numeric ne (!=)
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
>
> I don't know which config option has caused this, as I am using a
> semi-automated shorewall.conf generator to try as many different configs as
> possible.

It was MACLIST_LOG_LEVEL.

Fixed in REV 6104.

-Tom

On Tuesday 24 April 2007 20:54, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > I am getting the following error with the attached config:
> >
> > Argument "ACCEPT" isn't numeric in numeric ne (!=)
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
> >
> > Argument "DROP" isn't numeric in numeric ne (!=)
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
> >
> > I don't know which config option has caused this, as I am using a
> > semi-automated shorewall.conf generator to try as many different configs
> > as possible.
>
> It was MACLIST_LOG_LEVEL.
>
> Fixed in REV 6104.
>
> -Tom

Tom

The same config now produces the following iptables rule:

-A eth0_rec -j LOG -log-level --log-prefix "Shorewall:eth0_rec:DROP:"

If I set MACLIST_TTL= then the following iptables rule is generated:

-A eth0_mac -j LOG -log-level --log-prefix "Shorewall:eth0_mac:DROP:"

Steven.

Steven Jan Springl wrote:
> On Tuesday 24 April 2007 20:54, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> I am getting the following error with the attached config:
>>>
>>> Argument "ACCEPT" isn't numeric in numeric ne (!=)
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
>>>
>>> Argument "DROP" isn't numeric in numeric ne (!=)
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 749.
>>>
>>> I don't know which config option has caused this, as I am using a
>>> semi-automated shorewall.conf generator to try as many different configs
>>> as possible.
>> It was MACLIST_LOG_LEVEL.
>>
>> Fixed in REV 6104.
>>
>> -Tom
> Tom
>
> The same config now produces the following iptables rule:
>
> -A eth0_rec -j LOG -log-level --log-prefix "Shorewall:eth0_rec:DROP:"
>
> If I set MACLIST_TTL= then the following iptables rule is generated:
>
> -A eth0_mac -j LOG -log-level --log-prefix "Shorewall:eth0_mac:DROP:"
>

Fixed in revision 6105.

Thanks, Steven.

Tom

Specifying norfc1918 on an interface and
RFC1918_LOG_LEVEL= in shorewall.conf
produces the following iptables rule:

-A rfc1918 -j LOG --log-level --log-prefix "Shorewall:rfc1918:DROP:"

Steven.

Steven Jan Springl wrote:
> Tom
>
> Specifying norfc1918 on an interface and
> RFC1918_LOG_LEVEL= in shorewall.conf
> produces the following iptables rule:
>
> -A rfc1918 -j LOG --log-level --log-prefix "Shorewall:rfc1918:DROP:"

Steven,

That should be fixed if you are up to date with SVN (rev 3108).

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Specifying norfc1918 on an interface and
>> RFC1918_LOG_LEVEL= in shorewall.conf
>> produces the following iptables rule:
>>
>> -A rfc1918 -j LOG --log-level --log-prefix "Shorewall:rfc1918:DROP:"
>
> Steven,
>
> That should be fixed if you are up to date with SVN (rev 3108).

But I just checked in 3109 that corrects a problem with RFC1918_STRICT=Yes.

-Tom

On Tuesday 24 April 2007 22:32, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Specifying norfc1918 on an interface and
> > RFC1918_LOG_LEVEL= in shorewall.conf
> > produces the following iptables rule:
> >
> > -A rfc1918 -j LOG --log-level --log-prefix "Shorewall:rfc1918:DROP:"
>
> Steven,
>
> That should be fixed if you are up to date with SVN (rev 3108).
>
> -Tom

Tom

That's fixed it.

Steven

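The log-level reports in the messages above (LOGALLNEW=yes, the missing space in `--state NEW-j LOG`, and LOG rules emitted with nothing after `--log-level`) all come down to validating the option before a rule is built from it. The following is an added Python example, not part of the thread and not Shorewall's code: the function names are hypothetical, the sample configuration is constructed, only syslog names and numbers 0-7 are handled, and treating an empty value as "do not log" is an assumption of the example.

```python
"""Validate shorewall.conf-style log levels before building a LOG rule."""

# Syslog priorities and the aliases accepted by the iptables LOG target.
SYSLOG_LEVELS = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2,
    "err": 3, "error": 3, "warning": 4, "warn": 4,
    "notice": 5, "info": 6, "debug": 7,
}

# Options named in the thread that take a log level.
LOG_OPTIONS = ("LOGALLNEW", "MACLIST_LOG_LEVEL", "RFC1918_LOG_LEVEL")


class ConfigError(ValueError):
    """A configuration value cannot be used."""


def parse_conf(text):
    """Parse NAME=value lines into a dict; '#' starts a comment."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ConfigError(f"line {lineno}: expected NAME=value")
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings


def validate_log_level(option, value):
    """Return the numeric level, or None for an empty value (assumed: no logging)."""
    if value == "":
        return None
    if value.isascii() and value.isdigit():
        level = int(value)
        if 0 <= level <= 7:
            return level
    else:
        level = SYSLOG_LEVELS.get(value.lower())
        if level is not None:
            return level
    raise ConfigError(f"Invalid log level ({value}) for {option}")


def log_rule(chain, level, disposition, match=()):
    """Build an iptables-restore LOG rule, or None when logging is off.

    The rule is assembled as a token list and joined once, so a separator
    can never be dropped between a match and '-j', and '--log-level' is
    never emitted without its argument.
    """
    if level is None:
        return None
    tokens = ["-A", chain, *match, "-j", "LOG",
              "--log-level", str(level),
              "--log-prefix", f'"Shorewall:{chain}:{disposition}:"']
    return " ".join(tokens)


def check_log_options(text, options=LOG_OPTIONS):
    """Validate every log-level option present; return (levels, errors)."""
    settings = parse_conf(text)
    levels, errors = {}, []
    for option in options:
        if option not in settings:
            continue
        try:
            levels[option] = validate_log_level(option, settings[option])
        except ConfigError as exc:
            errors.append(str(exc))
    return levels, errors


# Constructed sample; not one of the configurations attached in the thread.
SAMPLE_CONF = """\
# log-level options
LOGALLNEW=yes
MACLIST_LOG_LEVEL=info
RFC1918_LOG_LEVEL=
"""

if __name__ == "__main__":
    levels, errors = check_log_options(SAMPLE_CONF)
    for message in errors:
        print("ERROR:", message)
    for chain, option in (("eth0_mac", "MACLIST_LOG_LEVEL"),
                          ("rfc1918", "RFC1918_LOG_LEVEL")):
        rule = log_rule(chain, levels.get(option), "DROP")
        print(rule if rule else f"# {option} empty: no LOG rule for {chain}")
```
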
Tom

After REV 6111 I am getting the following errors:

Use of uninitialized value in string ne
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
line 14.

Use of uninitialized value in string ne
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
line 15.

Steven.

Steven Jan Springl wrote:
> Tom
>
> After REV 6111 I am getting the following errors:
>
> Use of uninitialized value in string ne
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
> line 14.
>
> Use of uninitialized value in string ne
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
> line 15.

Please try 6112.

Thanks, Steven

-Tom

On Wednesday 25 April 2007 01:11, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > After REV 6111 I am getting the following errors:
> >
> > Use of uninitialized value in string ne
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
> > line 14.
> >
> > Use of uninitialized value in string ne
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
> > line 15.
>
> Please try 6112.
>
> Thanks, Steven
>
> -Tom

Tom

It's OK now.

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 01:11, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> After REV 6111 I am getting the following errors:
>>>
>>> Use of uninitialized value in string ne
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
>>> line 14.
>>>
>>> Use of uninitialized value in string ne
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174, <$currentfile>
>>> line 15.
>> Please try 6112.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> It's OK now.

Good. I hope I didn't break it with 6113.

-Tom

On Wednesday 25 April 2007 01:34, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 25 April 2007 01:11, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> After REV 6111 I am getting the following errors:
> >>>
> >>> Use of uninitialized value in string ne
> >>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
> >>> <$currentfile> line 14.
> >>>
> >>> Use of uninitialized value in string ne
> >>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
> >>> <$currentfile> line 15.
> >>
> >> Please try 6112.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > It's OK now.
>
> Good. I hope I didn't break it with 6113.
>
> -Tom

Tom

I have just tried 6113 and it's OK.

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 01:34, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 25 April 2007 01:11, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> After REV 6111 I am getting the following errors:
>>>>>
>>>>> Use of uninitialized value in string ne
>>>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
>>>>> <$currentfile> line 14.
>>>>>
>>>>> Use of uninitialized value in string ne
>>>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
>>>>> <$currentfile> line 15.
>>>> Please try 6112.
>>>>
>>>> Thanks, Steven
>>>>
>>>> -Tom
>>> Tom
>>>
>>> It's OK now.
>> Good. I hope I didn't break it with 6113.
>>
>> -Tom
> Tom
>
> I have just tried 6113 and it's OK.

About time for you to call it a night, isn't it?

-Tom

On Wednesday 25 April 2007 01:41, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 25 April 2007 01:34, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Wednesday 25 April 2007 01:11, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> After REV 6111 I am getting the following errors:
> >>>>>
> >>>>> Use of uninitialized value in string ne
> >>>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
> >>>>> <$currentfile> line 14.
> >>>>>
> >>>>> Use of uninitialized value in string ne
> >>>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1174,
> >>>>> <$currentfile> line 15.
> >>>>
> >>>> Please try 6112.
> >>>>
> >>>> Thanks, Steven
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> It's OK now.
> >>
> >> Good. I hope I didn't break it with 6113.
> >>
> >> -Tom
> >
> > Tom
> >
> > I have just tried 6113 and it's OK.
>
> About time for you to call it a night, isn't it?
>
> -Tom

It sure is. I am just going.

Steven.

Tom

Host file entry:

tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0.132

produces the following error:

Use of uninitialized value in string ne
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.

Steven.

Tom

When masq contains:

eth0 192.168.0.0/24 detect

the following message is generated:

ERROR: Invalid IP address ( detect )

Steven.

Steven Jan Springl wrote:
> Tom
>
> Host file entry:
>
> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0.132
>
> produces the following error:
>
> Use of uninitialized value in string ne
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
>

Fixed in revision 6114.

Thanks, Steven.

-Tom

Steven Jan Springl wrote:
> Tom
>
> When masq contains:
>
> eth0 192.168.0.0/24 detect
>
> the following message is generated:
>
> ERROR: Invalid IP address ( detect )
>

I don't seem to be able to reproduce that one, Steven. Guess I'll need the test configuration.

Thanks,
-Tom

On Wednesday 25 April 2007 16:39, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When masq contains:
> >
> > eth0 192.168.0.0/24 detect
> >
> > the following message is generated:
> >
> > ERROR: Invalid IP address ( detect )
>
> I don't seem to be able to reproduce that one, Steven. Guess I'll need the
> test configuration.
>
> Thanks,
> -Tom

Tom

Config. attached.

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 16:39, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> When masq contains:
>>>
>>> eth0 192.168.0.0/24 detect
>>>
>>> the following message is generated:
>>>
>>> ERROR: Invalid IP address ( detect )
>> I don't seem to be able to reproduce that one, Steven. Guess I'll need the
>> test configuration.
>>
>> Thanks,
>> -Tom
> Tom
>
> Config. attached.
>

The bug was triggered by ADD_SNAT_ALIASES=Yes. Fixed in revision 6115.

Thanks, Steven.

-Tom

On Wednesday 25 April 2007 16:33, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Host file entry:
> >
> > tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0
> >.132
> >
> > produces the following error:
> >
> > Use of uninitialized value in string ne
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
>
> Fixed in revision 6114.
>
> Thanks, Steven.
>
> -Tom

Tom

I can't get exclusion to work in the hosts file.
The following entry:

tan eth0:192.168.0.0/16!192.168.0.2

generates the following error:

iptables-restore v.1.3.6: invalid mask '16!192.168.0.2' specified

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 16:33, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Host file entry:
>>>
>>> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0
>>> .132
>>>
>>> produces the following error:
>>>
>>> Use of uninitialized value in string ne
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
>> Fixed in revision 6114.
>>
>> Thanks, Steven.
>>
>> -Tom
> Tom
>
> I can't get exclusion to work in the hosts file.
> The following entry:
>
> tan eth0:192.168.0.0/16!192.168.0.2
>
> generates the following error:
>
> iptables-restore v.1.3.6: invalid mask '16!192.168.0.2' specified
>

Steve,

Please give revision 6116 a try. It looks like it is generating the proper rules.

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Wednesday 25 April 2007 16:33, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Host file entry:
>>>>
>>>> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0
>>>> .132
>>>>
>>>> produces the following error:
>>>>
>>>> Use of uninitialized value in string ne
>>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
>>> Fixed in revision 6114.
>>>
>>> Thanks, Steven.
>>>
>>> -Tom
>> Tom
>>
>> I can't get exclusion to work in the hosts file.
>> The following entry:
>>
>> tan eth0:192.168.0.0/16!192.168.0.2
>>
>> generates the following error:
>>
>> iptables-restore v.1.3.6: invalid mask '16!192.168.0.2' specified
>>
>
> Steve,
>
> Please give revision 6116 a try. It looks like it is generating the proper
> rules.
>

Stop the presses! Revision 6117 fixes another exclusion bug.

-Tom

On Wednesday 25 April 2007 17:28, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> On Wednesday 25 April 2007 16:33, Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> Host file entry:
> >>>>
> >>>> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0.132
> >>>>
> >>>> produces the following error:
> >>>>
> >>>> Use of uninitialized value in string ne
> >>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
> >>>
> >>> Fixed in revision 6114.
> >>>
> >>> Thanks, Steven.
> >>>
> >>> -Tom
> >>
> >> Tom
> >>
> >> I can't get exclusion to work in the hosts file.
> >> The following entry:
> >>
> >> tan eth0:192.168.0.0/16!192.168.0.2
> >>
> >> generates the following error:
> >>
> >> iptables-restore v.1.3.6: invalid mask '16!192.168.0.2' specified
> >
> > Steve,
> >
> > Please give revision 6116 a try. It looks like it is generating the
> > proper rules.
>
> Stop the presses! Revision 6117 fixes another exclusion bug.
>
> -Tom

Tom

I am now getting the following error:

iptables-restore v1.3.6: Couldn't load target `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared object file: No such file or directory

from the following rule:

-A eth0_in -s 192.168,0.0/15 -j tan_input

Steven.

On Wednesday 25 April 2007 18:44, Steven Jan Springl wrote:
> On Wednesday 25 April 2007 17:28, Tom Eastep wrote:
> > Tom Eastep wrote:
> > > Steven Jan Springl wrote:
> > >> On Wednesday 25 April 2007 16:33, Tom Eastep wrote:
> > >>> Steven Jan Springl wrote:
> > >>>> Tom
> > >>>>
> > >>>> Host file entry:
> > >>>>
> > >>>> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0.132
> > >>>>
> > >>>> produces the following error:
> > >>>>
> > >>>> Use of uninitialized value in string ne
> > >>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1309.
> > >>>
> > >>> Fixed in revision 6114.
> > >>>
> > >>> Thanks, Steven.
> > >>>
> > >>> -Tom
> > >>
> > >> Tom
> > >>
> > >> I can't get exclusion to work in the hosts file.
> > >> The following entry:
> > >>
> > >> tan eth0:192.168.0.0/16!192.168.0.2
> > >>
> > >> generates the following error:
> > >>
> > >> iptables-restore v.1.3.6: invalid mask '16!192.168.0.2' specified
> > >
> > > Steve,
> > >
> > > Please give revision 6116 a try. It looks like it is generating the
> > > proper rules.
> >
> > Stop the presses! Revision 6117 fixes another exclusion bug.
> >
> > -Tom
>
> Tom
>
> I am now getting the following error:
>
> iptables-restore v1.3.6: Couldn't load target
> `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared object
> file: No such file or directory
>
> from the following rule:
>
> -A eth0_in -s 192.168,0.0/15 -j tan_input
>
> Steven.

Tom

The rule should have been:

A eth0_in -s 192.168,0.0/16 -j tan_input

Steven.

On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
> > I am now getting the following error:
> >
> > iptables-restore v1.3.6: Couldn't load target
> > `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared object
> > file: No such file or directory
> >
> > from the following rule:
> >
> > -A eth0_in -s 192.168,0.0/15 -j tan_input
> >
> > Steven.
> Tom
>
> The rule should have been:
>
> A eth0_in -s 192.168,0.0/16 -j tan_input

I'm pretty sure it shouldn't, because there is a comma in that IP address.

On Wednesday 25 April 2007 19:10, Andrew Suffield wrote:
> On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
> > > I am now getting the following error:
> > >
> > > iptables-restore v1.3.6: Couldn't load target
> > > `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared
> > > object file: No such file or directory
> > >
> > > from the following rule:
> > >
> > > -A eth0_in -s 192.168,0.0/15 -j tan_input
> > >
> > > Steven.
> >
> > Tom
> >
> > The rule should have been:
> >
> > A eth0_in -s 192.168,0.0/16 -j tan_input
>

Tom

I really shouldn't try to type and eat at the same time.

Third time lucky, the rule was:

A eth0_in -s 192.168.0.0/16 -j tan_input

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 19:10, Andrew Suffield wrote:
>> On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
>>>> I am now getting the following error:
>>>>
>>>> iptables-restore v1.3.6: Couldn't load target
>>>> `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared
>>>> object file: No such file or directory
>>>>
>>>> from the following rule:
>>>>
>>>> -A eth0_in -s 192.168,0.0/15 -j tan_input
>>>>
>>>> Steven.
>>> Tom
>>>
>>> The rule should have been:
>>>
>>> A eth0_in -s 192.168,0.0/16 -j tan_input
> Tom
>
> I really shouldn't try to type and eat at the same time.
>
> Third time lucky, the rule was:
>
> A eth0_in -s 192.168.0.0/16 -j tan_input
>

Steven,

Please try revision 6119.

Thanks,
-Tom

On Wednesday 25 April 2007 19:45, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 25 April 2007 19:10, Andrew Suffield wrote:
> >> On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
> >>>> I am now getting the following error:
> >>>>
> >>>> iptables-restore v1.3.6: Couldn't load target
> >>>> `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared
> >>>> object file: No such file or directory
> >>>>
> >>>> from the following rule:
> >>>>
> >>>> -A eth0_in -s 192.168,0.0/15 -j tan_input
> >>>>
> >>>> Steven.
> >>>
> >>> Tom
> >>>
> >>> The rule should have been:
> >>>
> >>> A eth0_in -s 192.168,0.0/16 -j tan_input
> >
> > Tom
> >
> > I really shouldn't try to type and eat at the same time.
> >
> > Third time lucky, the rule was:
> >
> > A eth0_in -s 192.168.0.0/16 -j tan_input
>
> Steven,
>
> Please try revision 6119.
>
> Thanks,
> -Tom

Tom

That works. However the following hosts file entry:

tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200!192.168.0.132

generates the following error:

iptables-restore v1.3.6: Unknown arg `--dst-range'

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 19:45, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 25 April 2007 19:10, Andrew Suffield wrote:
>>>> On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
>>>>>> I am now getting the following error:
>>>>>>
>>>>>> iptables-restore v1.3.6: Couldn't load target
>>>>>> `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared
>>>>>> object file: No such file or directory
>>>>>>
>>>>>> from the following rule:
>>>>>>
>>>>>> -A eth0_in -s 192.168,0.0/15 -j tan_input
>>>>>>
>>>>>> Steven.
>>>>> Tom
>>>>>
>>>>> The rule should have been:
>>>>>
>>>>> A eth0_in -s 192.168,0.0/16 -j tan_input
>>> Tom
>>>
>>> I really shouldn't try to type and eat at the same time.
>>>
>>> Third time lucky, the rule was:
>>>
>>> A eth0_in -s 192.168.0.0/16 -j tan_input
>> Steven,
>>
>> Please try revision 6119.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> That works. However the following hosts file entry:
>
> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200!192.168.0.132
>
> generates the following error:
>
> iptables-restore v1.3.6: Unknown arg `--dst-range'

Steven,

I'm not going to be able to do any more today. I've been ill since Sunday and I'm not up to trying to work on complex problems at the moment.

Sorry,
-Tom

On Wednesday 25 April 2007 20:10, Tom Eastep wrote:
> I'm not going to be able to do any more today. I've been ill since
> Sunday and I'm not up to trying to work on complex problems at the moment.
>
> Sorry,
> -Tom

Tom

I am sorry to hear you are not well. I will hold off sending any further problem reports until you feel better.

Steven.

Steven Jan Springl wrote:
> On Wednesday 25 April 2007 19:45, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 25 April 2007 19:10, Andrew Suffield wrote:
>>>> On Wed, Apr 25, 2007 at 06:50:18PM +0100, Steven Jan Springl wrote:
>>>>>> I am now getting the following error:
>>>>>>
>>>>>> iptables-restore v1.3.6: Couldn't load target
>>>>>> `tan_input':/lib/iptables/libipt_tan_input.so: cannot open shared
>>>>>> object file: No such file or directory
>>>>>>
>>>>>> from the following rule:
>>>>>>
>>>>>> -A eth0_in -s 192.168,0.0/15 -j tan_input
>>>>>>
>>>>>> Steven.
>>>>> Tom
>>>>>
>>>>> The rule should have been:
>>>>>
>>>>> A eth0_in -s 192.168,0.0/16 -j tan_input
>>> Tom
>>>
>>> I really shouldn't try to type and eat at the same time.
>>>
>>> Third time lucky, the rule was:
>>>
>>> A eth0_in -s 192.168.0.0/16 -j tan_input
>> Steven,
>>
>> Please try revision 6119.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> That works. However the following hosts file entry:
>
> tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200!192.168.0.132
>
> generates the following error:
>
> iptables-restore v1.3.6: Unknown arg `--dst-range'

Steven,

Please give revision 6120 a try.

-Tom

On Thursday 26 April 2007 17:08, Tom Eastep wrote:
> Steven,
>
> Please give revision 6120 a try.
>
> -Tom

Tom

I have tried it and it seems to be OK.

How are you?

If you are feeling up to it, I have three further bug reports. I will hold off sending them to you, until you say it's OK.

Steven.

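The exclusion entries reported in the messages above, worked through as an added example (this is not Shorewall's code and not from any poster). It assumes the grammar visible in those entries, `zone interface:item[,item...]` with an optional `!` followed by excluded items, and accepts the `,!` spelling from the first report as well; the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the three hosts-file entries quoted in the thread.
SAMPLE_ENTRIES = [
    "tan eth0:192.168.0.0/16!192.168.0.2",
    "tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200!192.168.0.132",
    "tan eth0:192.168.0.99,192.168.0.98,192.168.0.100-192.168.0.200,!192.168.0.132",
]


def parse_item(item):
    """Parse one address, CIDR network or lo-hi range into a (first, last) pair."""
    if "-" in item:
        lo_text, hi_text = item.split("-", 1)
        lo = ipaddress.IPv4Address(lo_text)
        hi = ipaddress.IPv4Address(hi_text)
        if lo > hi:
            raise ValueError(f"range start is above range end: {item!r}")
        return lo, hi
    # strict=True rejects host bits below the mask; a stray '!' or ',' left in
    # the string surfaces here as an invalid address or netmask.
    net = ipaddress.IPv4Network(item, strict=True)
    return net[0], net[-1]


def parse_list(text, what):
    """Split a comma-separated list and parse every element."""
    items = text.split(",")
    if any(not item for item in items):
        raise ValueError(f"empty element in {what} list: {text!r}")
    return [parse_item(item) for item in items]


def parse_hosts_entry(line):
    """Split 'zone iface:includes[!excludes]' BEFORE any address is validated."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"expected 'zone interface:hosts', got {line!r}")
    zone, hosts = fields[0], fields[1]
    interface, colon, spec = hosts.partition(":")
    if not (interface and colon and spec):
        raise ValueError(f"expected 'interface:hosts', got {hosts!r}")
    include_text, bang, exclude_text = spec.partition("!")
    if bang:
        if not exclude_text or "!" in exclude_text:
            raise ValueError(f"malformed exclusion in {spec!r}")
        if include_text.endswith(","):
            # Assumption: treat 'a,b,!c' the same as 'a,b!c'.
            include_text = include_text[:-1]
    return {
        "zone": zone,
        "interface": interface,
        "include": parse_list(include_text, "include"),
        "exclude": parse_list(exclude_text, "exclude") if bang else [],
    }


def in_zone(entry, address):
    """True when address matches an included span and no excluded span."""
    ip = ipaddress.IPv4Address(address)

    def covered(spans):
        return any(lo <= ip <= hi for lo, hi in spans)

    return covered(entry["include"]) and not covered(entry["exclude"])


def unsplit_error(spec):
    """Error raised when a spec is validated as one network without splitting at '!'."""
    try:
        parse_item(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for line in SAMPLE_ENTRIES:
        entry = parse_hosts_entry(line)
        print(entry["zone"], entry["interface"],
              len(entry["include"]), "included,", len(entry["exclude"]), "excluded")
    print(unsplit_error("192.168.0.0/16!192.168.0.2"))
```

Run over a hosts file before the rules are generated, a check of this kind reports a malformed entry by name instead of leaving iptables-restore to reject the generated rule.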
Steven Jan Springl wrote:
> On Thursday 26 April 2007 17:08, Tom Eastep wrote:
>> Steven,
>>
>> Please give revision 6120 a try.
>>
>> -Tom
>
> Tom
>
> I have tried it and it seems to be OK.
>
> How are you?
>
> If you are feeling up to it, I have three further bug reports. I will hold off
> sending them to you, until you say it's OK.

I'm feeling better today, thanks. Go ahead and send the reports and I'll work on them as time permits.

-Tom

Tom

An alias that has been added by a masq entry such as:

eth0:1 192.169.0.0/24 10.1.1.8

or

eth0 192.168.0.0/24 10.1.1.8

is not removed when 'shorewall stop' is issued.

Steven.

Steven Jan Springl wrote:
> Tom
>
> An alias that has been added by a masq entry such as:
>
> eth0:1 192.169.0.0/24 10.1.1.8
>
> or
>
> eth0 192.168.0.0/24 10.1.1.8
>
> is not removed when 'shorewall stop' is issued.
>

Are the aliases being recorded correctly in /var/lib/shorewall/nat?

-Tom

On Thursday 26 April 2007 18:28, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > An alias that has been added by a masq entry such as:
> >
> > eth0:1 192.169.0.0/24 10.1.1.8
> >
> > or
> >
> > eth0 192.168.0.0/24 10.1.1.8
> >
> > is not removed when 'shorewall stop' is issued.
>
> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
>
> -Tom

Tom

/var/lib/shorewall/nat is created, but it is empty.

Steven.

Steven Jan Springl wrote:
> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> An alias that has been added by a masq entry such as:
>>>
>>> eth0:1 192.169.0.0/24 10.1.1.8
>>>
>>> or
>>>
>>> eth0 192.168.0.0/24 10.1.1.8
>>>
>>> is not removed when 'shorewall stop' is issued.
>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
>>
>> -Tom
> Tom
>
> /var/lib/shorewall/nat is created, but it is empty.
>

Steven,

Can you check to see if this works with shorewall-shell?

Thanks,
-Tom

On Thursday 26 April 2007 18:42, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 26 April 2007 18:28, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> An alias that has been added by a masq entry such as:
> >>>
> >>> eth0:1 192.169.0.0/24 10.1.1.8
> >>>
> >>> or
> >>>
> >>> eth0 192.168.0.0/24 10.1.1.8
> >>>
> >>> is not removed when 'shorewall stop' is issued.
> >>
> >> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
> >>
> >> -Tom
> >
> > Tom
> >
> > /var/lib/shorewall/nat is created, but it is empty.
>
> Steven,
>
> Can you check to see if this works with shorewall-shell?
>
> Thanks,
>
> -Tom

Tom.

No, it does exactly the same. The timestamp /var/lib/shorewall/nat is updated, but the file is empty.

Note: the shell compiler is 3.9.4 with no fixes applied.

Steven.

Steven Jan Springl wrote:
> On Thursday 26 April 2007 18:42, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> An alias that has been added by a masq entry such as:
>>>>>
>>>>> eth0:1 192.169.0.0/24 10.1.1.8
>>>>>
>>>>> or
>>>>>
>>>>> eth0 192.168.0.0/24 10.1.1.8
>>>>>
>>>>> is not removed when 'shorewall stop' is issued.
>>>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> /var/lib/shorewall/nat is created, but it is empty.
>> Steven,
>>
>> Can you check to see if this works with shorewall-shell?
>>
>> Thanks,
>>
>> -Tom
>
> Tom.
>
> No, it does exactly the same. The timestamp /var/lib/shorewall/nat is updated,
> but the file is empty.
>
> Note: the shell compiler is 3.9.4 with no fixes applied.

What is the setting of RETAIN_ALIASES?

-Tom

On Thursday 26 April 2007 19:47, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 26 April 2007 18:42, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> An alias that has been added by a masq entry such as:
> >>>>>
> >>>>> eth0:1 192.169.0.0/24 10.1.1.8
> >>>>>
> >>>>> or
> >>>>>
> >>>>> eth0 192.168.0.0/24 10.1.1.8
> >>>>>
> >>>>> is not removed when 'shorewall stop' is issued.
> >>>>
> >>>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> /var/lib/shorewall/nat is created, but it is empty.
> >>
> >> Steven,
> >>
> >> Can you check to see if this works with shorewall-shell?
> >>
> >> Thanks,
> >>
> >> -Tom
> >
> > Tom.
> >
> > No, it does exactly the same. The timestamp /var/lib/shorewall/nat is
> > updated, but the file is empty.
> >
> > Note: the shell compiler is 3.9.4 with no fixes applied.
>
> What is the setting of RETAIN_ALIASES?
>
> -Tom

Tom

Currently RETAIN=ALIASES=Yes but I have tried No . It makes no difference.

Steven.

Steven Jan Springl wrote:
> On Thursday 26 April 2007 19:47, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Thursday 26 April 2007 18:42, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
>>>>>> Steven Jan Springl wrote:
>>>>>>> Tom
>>>>>>>
>>>>>>> An alias that has been added by a masq entry such as:
>>>>>>>
>>>>>>> eth0:1 192.169.0.0/24 10.1.1.8
>>>>>>>
>>>>>>> or
>>>>>>>
>>>>>>> eth0 192.168.0.0/24 10.1.1.8
>>>>>>>
>>>>>>> is not removed when 'shorewall stop' is issued.
>>>>>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> /var/lib/shorewall/nat is created, but it is empty.
>>>> Steven,
>>>>
>>>> Can you check to see if this works with shorewall-shell?
>>>>
>>>> Thanks,
>>>>
>>>> -Tom
>>> Tom.
>>>
>>> No, it does exactly the same. The timestamp /var/lib/shorewall/nat is
>>> updated, but the file is empty.
>>>
>>> Note: the shell compiler is 3.9.4 with no fixes applied.
>> What is the setting of RETAIN_ALIASES?
>>
>> -Tom
> Tom
>
> Currently RETAIN=ALIASES=Yes but I have tried No . It makes no difference.

Stop shorewall, delete the aliases and start shorewall -- the addresses should show up in /var/lib/shorewall/nat.

-Tom

On Thursday 26 April 2007 20:03, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 26 April 2007 19:47, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Thursday 26 April 2007 18:42, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
> >>>>>> Steven Jan Springl wrote:
> >>>>>>> Tom
> >>>>>>>
> >>>>>>> An alias that has been added by a masq entry such as:
> >>>>>>>
> >>>>>>> eth0:1 192.169.0.0/24 10.1.1.8
> >>>>>>>
> >>>>>>> or
> >>>>>>>
> >>>>>>> eth0 192.168.0.0/24 10.1.1.8
> >>>>>>>
> >>>>>>> is not removed when 'shorewall stop' is issued.
> >>>>>>
> >>>>>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
> >>>>>>
> >>>>>> -Tom
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> /var/lib/shorewall/nat is created, but it is empty.
> >>>>
> >>>> Steven,
> >>>>
> >>>> Can you check to see if this works with shorewall-shell?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> -Tom
> >>>
> >>> Tom.
> >>>
> >>> No, it does exactly the same. The timestamp /var/lib/shorewall/nat is
> >>> updated, but the file is empty.
> >>>
> >>> Note: the shell compiler is 3.9.4 with no fixes applied.
> >>
> >> What is the setting of RETAIN_ALIASES?
> >>
> >> -Tom
> >
> > Tom
> >
> > Currently RETAIN=ALIASES=Yes but I have tried No . It makes no
> > difference.
>
> Stop shorewall, delete the aliases and start shorewall -- the addresses
> should show up in /var/lib/shorewall/nat.
>
> -Tom

Tom

Unfortunately it doesn't make any difference. The date stamp is updated, but nat is empty.

I have even rebooted the PC, but it doesn't help.

Steven.

Steven Jan Springl wrote:
> On Thursday 26 April 2007 20:03, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Thursday 26 April 2007 19:47, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Thursday 26 April 2007 18:42, Tom Eastep wrote:
>>>>>> Steven Jan Springl wrote:
>>>>>>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
>>>>>>>> Steven Jan Springl wrote:
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>> An alias that has been added by a masq entry such as:
>>>>>>>>>
>>>>>>>>> eth0:1 192.169.0.0/24 10.1.1.8
>>>>>>>>>
>>>>>>>>> or
>>>>>>>>>
>>>>>>>>> eth0 192.168.0.0/24 10.1.1.8
>>>>>>>>>
>>>>>>>>> is not removed when 'shorewall stop' is issued.
>>>>>>>> Are the aliases being recorded correctly in /var/lib/shorewall/nat?
>>>>>>>>
>>>>>>>> -Tom
>>>>>>> Tom
>>>>>>>
>>>>>>> /var/lib/shorewall/nat is created, but it is empty.
>>>>>> Steven,
>>>>>>
>>>>>> Can you check to see if this works with shorewall-shell?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -Tom
>>>>> Tom.
>>>>>
>>>>> No, it does exactly the same. The timestamp /var/lib/shorewall/nat is
>>>>> updated, but the file is empty.
>>>>>
>>>>> Note: the shell compiler is 3.9.4 with no fixes applied.
>>>> What is the setting of RETAIN_ALIASES?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> Currently RETAIN=ALIASES=Yes but I have tried No . It makes no
>>> difference.
>> Stop shorewall, delete the aliases and start shorewall -- the addresses
>> should show up in /var/lib/shorewall/nat.
>>
>> -Tom
>
> Tom
>
> Unfortunately it doesn't make any difference. The date stamp is updated, but
> nat is empty.
>
> I have even rebooted the PC, but it doesn't help.

But the aliases are being added?

-Tom

On Thursday 26 April 2007 20:14, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 26 April 2007 20:03, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Thursday 26 April 2007 19:47, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Thursday 26 April 2007 18:42, Tom Eastep wrote:
> >>>>>> Steven Jan Springl wrote:
> >>>>>>> On Thursday 26 April 2007 18:28, Tom Eastep wrote:
> >>>>>>>> Steven Jan Springl wrote:
> >>>>>>>>> Tom
> >>>>>>>>>
> >>>>>>>>> An alias that has been added by a masq entry such as:
> >>>>>>>>>
> >>>>>>>>> eth0:1 192.169.0.0/24 10.1.1.8
> >>>>>>>>>
> >>>>>>>>> or
> >>>>>>>>>
> >>>>>>>>> eth0 192.168.0.0/24 10.1.1.8
> >>>>>>>>>
> >>>>>>>>> is not removed when 'shorewall stop' is issued.
> >>>>>>>>
> >>>>>>>> Are the aliases being recorded correctly in
> >>>>>>>> /var/lib/shorewall/nat?
> >>>>>>>>
> >>>>>>>> -Tom
> >>>>>>>
> >>>>>>> Tom
> >>>>>>>
> >>>>>>> /var/lib/shorewall/nat is created, but it is empty.
> >>>>>>
> >>>>>> Steven,
> >>>>>>
> >>>>>> Can you check to see if this works with shorewall-shell?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> -Tom
> >>>>>
> >>>>> Tom.
> >>>>>
> >>>>> No, it does exactly the same. The timestamp /var/lib/shorewall/nat is
> >>>>> updated, but the file is empty.
> >>>>>
> >>>>> Note: the shell compiler is 3.9.4 with no fixes applied.
> >>>>
> >>>> What is the setting of RETAIN_ALIASES?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> Currently RETAIN=ALIASES=Yes but I have tried No . It makes no
> >>> difference.
> >>
> >> Stop shorewall, delete the aliases and start shorewall -- the addresses
> >> should show up in /var/lib/shorewall/nat.
> >>
> >> -Tom
> >
> > Tom
> >
> > Unfortunately it doesn't make any difference. The date stamp is updated,
> > but nat is empty.
> >
> > I have even rebooted the PC, but it doesn't help.
>
> But the aliases are being added?
>
> -Tom

Tom

Yes. eth0:1 is created with the correct IP address.

Steven.

Steven Jan Springl wrote:
>
> Tom
>
> Yes. eth0:1 is created with the correct IP address.
>

Wow!

---------------------------------------------------------------
ip addr add ${external}${val} dev $interface $label
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
echo "$external $interface" >> $STATEDIR/nat
---------------------------------------------------------------

I guess I'm going to need a trace.

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>
>> Tom
>>
>> Yes. eth0:1 is created with the correct IP address.
>>
>
> Wow!
>
> ---------------------------------------------------------------
> ip addr add ${external}${val} dev $interface $label
> [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
> echo "$external $interface" >> $STATEDIR/nat
> ---------------------------------------------------------------
>
> I guess I'm going to need a trace.
>

Never mind -- please try revision 6122.

-Tom

On Thursday 26 April 2007 20:29, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Yes. eth0:1 is created with the correct IP address.
> >
> > Wow!
> >
> > ---------------------------------------------------------------
> > ip addr add ${external}${val} dev $interface $label
> > [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
> > echo "$external $interface" >> $STATEDIR/nat
> > ---------------------------------------------------------------
> >
> > I guess I'm going to need a trace.
>
> Never mind -- please try revision 6122.
>
> -Tom

Tom

I replied with a trace, but am getting the following. Do you want me to split the trace and resend it?

Your mail to 'Shorewall-users' with the subject

  Re: [Shorewall-users] Shorewall 3.9.4

Is being held until the list moderator can review it for approval.

The reason it is being held:

  Message body is too big: 145892 bytes with a limit of 50 KB

Either the message will get posted to the list, or you will receive notification of the moderator's decision. If you would like to cancel this posting, please visit the following URL:

  https://lists.sourceforge.net/lists/confirm/shorewall-users/e1574b3fee9709ce6f9db8e802e03db15dc6159e

Steven Jan Springl wrote:
> On Thursday 26 April 2007 20:29, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Yes. eth0:1 is created with the correct IP address.
>>> Wow!
>>>
>>> ---------------------------------------------------------------
>>>   ip addr add ${external}${val} dev $interface $label
>>>   [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
>>>   echo "$external $interface" >> $STATEDIR/nat
>>> ---------------------------------------------------------------
>>>
>>> I guess I'm going to need a trace.
>> Never mind -- please try revision 6122.
>>
>> -Tom
>
> Tom
>
> I replied with a trace, but am getting the following. Do you want me to split
> the trace and resend it?
>
> Your mail to 'Shorewall-users' with the subject
>
> Re: [Shorewall-users] Shorewall 3.9.4
>
> Is being held until the list moderator can review it for approval.
>
> The reason it is being held:
>
> Message body is too big: 145892 bytes with a limit of 50 KB
>
> Either the message will get posted to the list, or you will receive
> notification of the moderator's decision. If you would like to cancel
> this posting, please visit the following URL:

You can send it to me directly. I take it that revision 6122 didn't correct the problem?

-Tom

Steven Jan Springl wrote:
> On Thursday 26 April 2007 20:29, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Yes. eth0:1 is created with the correct IP address.
>>> Wow!
>>>
>>> ---------------------------------------------------------------
>>>   ip addr add ${external}${val} dev $interface $label
>>>   [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
>>>   echo "$external $interface" >> $STATEDIR/nat
>>> ---------------------------------------------------------------
>>>
>>> I guess I'm going to need a trace.
>> Never mind -- please try revision 6122.
>>
>> -Tom
> Tom
>
> I have tried it with the shell compiler, but it still doesn't work.
>
> I have attached a trace of a shorewall start for the shell compiler prior to
> REV 6122 being applied.
>

Hmmm -- it works here with Shorewall-perl and 6122.

-Tom

I have just tried it with Shorewall-perl and it works here too.

I had only tried the shell compiler.

Steven.

Steven Jan Springl wrote:
> Steven Jan Springl wrote:
>> On Thursday 26 April 2007 20:29, Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Yes. eth0:1 is created with the correct IP address.
>>>> Wow!
>>>>
>>>> ---------------------------------------------------------------
>>>>   ip addr add ${external}${val} dev $interface $label
>>>>   [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
>>>>   echo "$external $interface" >> $STATEDIR/nat
>>>> ---------------------------------------------------------------
>>>>
>>>> I guess I'm going to need a trace.
>>> Never mind -- please try revision 6122.
>>>
>>> -Tom
>> Tom
>>
>> I have tried it with the shell compiler, but it still doesn't work.
>>
>> I have attached a trace of a shorewall start for the shell compiler prior to
>> REV 6122 being applied.
>>
>
> Hmmm -- it works here with Shorewall-perl and 6122.
>
> -Tom
>
> I have just tried it with Shorewall-perl and it works here too.
>
> I had only tried the shell compiler.

Please give revision 6123 a try.

Thanks,
-Tom

On Thursday 26 April 2007 21:28, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Steven Jan Springl wrote:
> >> On Thursday 26 April 2007 20:29, Tom Eastep wrote:
> >>> Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> Yes. eth0:1 is created with the correct IP address.
> >>>>
> >>>> Wow!
> >>>>
> >>>> ---------------------------------------------------------------
> >>>>   ip addr add ${external}${val} dev $interface $label
> >>>>   [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
> >>>>   echo "$external $interface" >> $STATEDIR/nat
> >>>> ---------------------------------------------------------------
> >>>>
> >>>> I guess I'm going to need a trace.
> >>>
> >>> Never mind -- please try revision 6122.
> >>>
> >>> -Tom
> >>
> >> Tom
> >>
> >> I have tried it with the shell compiler, but it still doesn't work.
> >>
> >> I have attached a trace of a shorewall start for the shell compiler
> >> prior to REV 6122 being applied.
> >
> > Hmmm -- it works here with Shorewall-perl and 6122.
> >
> > -Tom
> >
> > I have just tried it with Shorewall-perl and it works here too.
> >
> > I had only tried the shell compiler.
>
> Please give revision 6123 a try.
>
> Thanks,
> -Tom

Tom

The shell compiler works now.

Steven.

Tom

Whilst testing the shell compiler for the 'alias' problem, I came across a couple of other issues.

If upnp is added to an interface the following message is displayed:

WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on eth0)

This message is not displayed by the perl compiler.

The second issue:

The following maclist entry:

DROP:info eth0 00:11:22:33:44:55 !192.168.15.22

generates the following error:

iptables v1.3.6 host/network '!192.168.15.22' not found

This works with the perl compiler.

Steven.

Tom

Adding the following line to masq:

eth0 192.168.0.0/24 SAME:192.168.0.254

produces the following message from shorewall-perl:

ERROR: Invalid IP address (SAME)

It works with the shell compiler.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Whilst testing the shell compiler for the 'alias' problem, I came across a
> couple of other issues.
>
> If upnp is added to an interface the following message is displayed:
>
> WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on eth0)
>
> This message is not displayed by the perl compiler.

That's because the Netfilter feature required to implement forwardUPnP was removed some time back. So it seemed silly to keep issuing that message.

> The second issue:
>
> The following maclist entry:
>
> DROP:info eth0 00:11:22:33:44:55 !192.168.15.22
>
> generates the following error:
>
> iptables v1.3.6 host/network '!192.168.15.22' not found
>
> This works with the perl compiler.

Should be fixed in revision 6126.

-Tom

Steven Jan Springl wrote:
> Tom
>
> Adding the following line to masq:
>
> eth0 192.168.0.0/24 SAME:192.168.0.254
>
> produces the following message from shorewall-perl:
>
> ERROR: Invalid IP address (SAME)
>
> It works with the shell compiler.
>

Fixed in revision 6127.

Thanks, Steven.

-Tom

On Thursday 26 April 2007 22:56, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Whilst testing the shell compiler for the 'alias' problem, I came across
> > a couple of other issues.
> >
> > If upnp is added to an interface the following message is displayed:
> >
> > WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on
> > eth0)
> >
> > This message is not displayed by the perl compiler.
>
> That's because the Netfilter feature required to implement forwardUPnP
> was removed some time back. So it seemed silly to keep issuing that
> message.
>
> > The second issue:
> >
> > The following maclist entry:
> >
> > DROP:info eth0 00:11:22:33:44:55 !192.168.15.22
> >
> > generates the following error:
> >
> > iptables v1.3.6 host/network '!192.168.15.22' not found
> >
> > This works with the perl compiler.
>
> Should be fixed in revision 6126.
>

Tom

Yes, it is fixed.

Steven.

Tom

Commands:

shorewall check -C perl

and:

shorewall check -C shell

just display the help screen.

Steven.

Tom

When the following is entered in masq:

eth0 192.168.0.0/24 192.168.0.15 icmp - mode=transport

the following message is displayed when compiled with shorewall-perl:

iptables-restore v1.3.6: Couldn't load match `policy--mode':/lib/iptables/libipt_policy--mode.so: cannot open shared object file: No such file or directory

Note: it works with the shell compiler.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Commands:
>
> shorewall check -C perl
>
> and:
>
> shorewall check -C shell
>
> just display the help screen.
>

Fixed in revision 6128.

-Tom

Steven Jan Springl wrote:
> Tom
>
> When the following is entered in masq:
>
> eth0 192.168.0.0/24 192.168.0.15 icmp - mode=transport
>
> the following message is displayed when compiled with shorewall-perl:
>
> iptables-restore v1.3.6: Couldn't load match
> `policy--mode':/lib/iptables/libipt_policy--mode.so: cannot open shared
> object file: No such file or directory
>
> Note: it works with the shell compiler.

Fixed in revision 6129.

-Tom

On Friday 27 April 2007 01:18, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When the following is entered in masq:
> >
> > eth0 192.168.0.0/24 192.168.0.15 icmp - mode=transport
> >
> > the following message is displayed when compiled with shorewall-perl:
> >
> > iptables-restore v1.3.6: Couldn't load match
> > `policy--mode':/lib/iptables/libipt_policy--mode.so: cannot open shared
> > object file: No such file or directory
> >
> > Note: it works with the shell compiler.
>
> Fixed in revision 6129.
>
> -Tom

Tom

After applying the 6129 the following message is displayed:

iptables-restore v1.3.6: policy match: neither --in nor --out specified

Steven.

Tom

Masq entry:

eth0 192.168.0.0/24 192.168.0.15 icmp 8

works with shorewall-perl, but when compiled with shorewall-shell, the following message is displayed:

ERROR: Ports only allowed with UDP or TCP (8)

Steven.

Steven Jan Springl wrote:
> On Friday 27 April 2007 01:18, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> When the following is entered in masq:
>>>
>>> eth0 192.168.0.0/24 192.168.0.15 icmp - mode=transport
>>>
>>> the following message is displayed when compiled with shorewall-perl:
>>>
>>> iptables-restore v1.3.6: Couldn't load match
>>> `policy--mode':/lib/iptables/libipt_policy--mode.so: cannot open shared
>>> object file: No such file or directory
>>>
>>> Note: it works with the shell compiler.
>> Fixed in revision 6129.
>>
>> -Tom
> Tom
>
> After applying the 6129 the following message is displayed:
>
> iptables-restore v1.3.6: policy match: neither --in nor --out specified

Please try revision 6130

Thanks,
-Tom

Steven Jan Springl wrote:
> Tom
>
> Masq entry:
>
> eth0 192.168.0.0/24 192.168.0.15 icmp 8
>
> works with shorewall-perl, but when compiled with shorewall-shell, the
> following message is displayed:
>
> ERROR: Ports only allowed with UDP or TCP (8)

Thanks for the report, but I think I will let that one go. I'm sure that Shorewall-shell is full of that kind of problem -- one of the reasons for Shorewall-perl.

-Tom

On Friday 27 April 2007 01:50, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Friday 27 April 2007 01:18, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> When the following is entered in masq:
> >>>
> >>> eth0 192.168.0.0/24 192.168.0.15 icmp - mode=transport
> >>>
> >>> the following message is displayed when compiled with shorewall-perl:
> >>>
> >>> iptables-restore v1.3.6: Couldn't load match
> >>> `policy--mode':/lib/iptables/libipt_policy--mode.so: cannot open shared
> >>> object file: No such file or directory
> >>>
> >>> Note: it works with the shell compiler.
> >>
> >> Fixed in revision 6129.
> >>
> >> -Tom
> >
> > Tom
> >
> > After applying the 6129 the following message is displayed:
> >
> > iptables-restore v1.3.6: policy match: neither --in nor --out specified
>
> Please try revision 6130
>
> Thanks,
> -Tom

Tom

That works.

Steven.

Tom

The following entry in masq:

eth0 192.168.0.0/24 SAME:nodst:192.168.0.15

generates error:

iptables-restore v1.3.6: Unknown arg `--nodst--to'

Steven.

Steven Jan Springl wrote:
> Tom
>
> The following entry in masq:
>
> eth0 192.168.0.0/24 SAME:nodst:192.168.0.15
>
> generates error:
>
> iptables-restore v1.3.6: Unknown arg `--nodst--to'
>

Fixed in revision 6131.

Thanks, Steven

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> The following entry in masq:
>>
>> eth0 192.168.0.0/24 SAME:nodst:192.168.0.15
>>
>> generates error:
>>
>> iptables-restore v1.3.6: Unknown arg `--nodst--to'
>>
>
> Fixed in revision 6131.
>

Revision 6134 also corrects the case where there is more than one ipsec option in a list in /etc/shorewall/masq.

-Tom

Tom

Masq entry:

eth0 192.168.0.0/24 detect

works with shorewall-perl, but displays the following message with shorewall-shell

ERROR: Unable to determine the IP address(es) of eth0

Steven

Steven Jan Springl wrote:
> Tom
>
> Masq entry:
>
> eth0 192.168.0.0/24 detect
>
> works with shorewall-perl, but displays the following message with
> shorewall-shell
>
> ERROR: Unable to determine the IP address(es) of eth0
>

Steve,

Can you please verify that shorewall-perl still works with revision 6135?

I would appreciate a trace of the shorewall-shell failure.

Thanks!,
-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Masq entry:
>>
>> eth0 192.168.0.0/24 detect
>>
>> works with shorewall-perl, but displays the following message with
>> shorewall-shell
>>
>> ERROR: Unable to determine the IP address(es) of eth0
>>
>
> Steve,
>
> Can you please verify that shorewall-perl still works with revision 6135?
>
> I would appreciate a trace of the shorewall-shell failure.
>

Nevermind -- the cause is obvious.

-Tom

Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Masq entry:
>>>
>>> eth0 192.168.0.0/24 detect
>>>
>>> works with shorewall-perl, but displays the following message with
>>> shorewall-shell
>>>
>>> ERROR: Unable to determine the IP address(es) of eth0
>>>
>> Steve,
>>
>> Can you please verify that shorewall-perl still works with revision 6135?
>>
>> I would appreciate a trace of the shorewall-shell failure.
>>
>
> Nevermind -- the cause is obvious.
>

The shorewall-shell fix is in revision 6136.

Thanks, Steven.

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

On Friday 27 April 2007 17:27, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Masq entry:
> >>>
> >>> eth0 192.168.0.0/24 detect
> >>>
> >>> works with shorewall-perl, but displays the following message with
> >>> shorewall-shell
> >>>
> >>> ERROR: Unable to determine the IP address(es) of eth0
> >>
> >> Steve,
> >>
> >> Can you please verify that shorewall-perl still works with revision
> >> 6135?
> >>
> >> I would appreciate a trace of the shorewall-shell failure.
> >
> > Nevermind -- the cause is obvious.
>
> The shorewall-shell fix is in revision 6136.
>
> Thanks, Steven.

Tom

It now gives the error:

iptables v.3.6:Bad IP address '224.0.0.0/4'

Steven.

Steven Jan Springl wrote:
> On Friday 27 April 2007 17:27, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Masq entry:
>>>>>
>>>>> eth0 192.168.0.0/24 detect
>>>>>
>>>>> works with shorewall-perl, but displays the following message with
>>>>> shorewall-shell
>>>>>
>>>>> ERROR: Unable to determine the IP address(es) of eth0
>>>> Steve,
>>>>
>>>> Can you please verify that shorewall-perl still works with revision
>>>> 6135?
>>>>
>>>> I would appreciate a trace of the shorewall-shell failure.
>>> Nevermind -- the cause is obvious.
>> The shorewall-shell fix is in revision 6136.
>>
>> Thanks, Steven.
> Tom
>
> It now gives the error:
>
> iptables v.3.6:Bad IP address '224.0.0.0/4'

Trace please.

Thanks,
-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Friday 27 April 2007 17:27, Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> Masq entry:
>>>>>>
>>>>>> eth0 192.168.0.0/24 detect
>>>>>>
>>>>>> works with shorewall-perl, but displays the following message with
>>>>>> shorewall-shell
>>>>>>
>>>>>> ERROR: Unable to determine the IP address(es) of eth0
>>>>> Steve,
>>>>>
>>>>> Can you please verify that shorewall-perl still works with revision
>>>>> 6135?
>>>>>
>>>>> I would appreciate a trace of the shorewall-shell failure.
>>>> Nevermind -- the cause is obvious.
>>> The shorewall-shell fix is in revision 6136.
>>>
>>> Thanks, Steven.
>> Tom
>>
>> It now gives the error:
>>
>> iptables v.3.6:Bad IP address '224.0.0.0/4'
>
> Trace please.

Nevermind -- it is a compile-time error that is causing this.

-Tom

Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Friday 27 April 2007 17:27, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Tom Eastep wrote:
>>>>>> Steven Jan Springl wrote:
>>>>>>> Tom
>>>>>>>
>>>>>>> Masq entry:
>>>>>>>
>>>>>>> eth0 192.168.0.0/24 detect
>>>>>>>
>>>>>>> works with shorewall-perl, but displays the following message with
>>>>>>> shorewall-shell
>>>>>>>
>>>>>>> ERROR: Unable to determine the IP address(es) of eth0
>>>>>> Steve,
>>>>>>
>>>>>> Can you please verify that shorewall-perl still works with revision
>>>>>> 6135?
>>>>>>
>>>>>> I would appreciate a trace of the shorewall-shell failure.
>>>>> Nevermind -- the cause is obvious.
>>>> The shorewall-shell fix is in revision 6136.
>>>>
>>>> Thanks, Steven.
>>> Tom
>>>
>>> It now gives the error:
>>>
>>> iptables v.3.6:Bad IP address '224.0.0.0/4'
>> Trace please.
>
> Nevermind -- it is a compile-time error that is causing this.
>

Fixed in revision 6140.

-Tom

On Friday 27 April 2007 18:43, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Friday 27 April 2007 17:27, Tom Eastep wrote:
> >>>> Tom Eastep wrote:
> >>>>> Tom Eastep wrote:
> >>>>>> Steven Jan Springl wrote:
> >>>>>>> Tom
> >>>>>>>
> >>>>>>> Masq entry:
> >>>>>>>
> >>>>>>> eth0 192.168.0.0/24 detect
> >>>>>>>
> >>>>>>> works with shorewall-perl, but displays the following message with
> >>>>>>> shorewall-shell
> >>>>>>>
> >>>>>>> ERROR: Unable to determine the IP address(es) of eth0
> >>>>>>
> >>>>>> Steve,
> >>>>>>
> >>>>>> Can you please verify that shorewall-perl still works with revision
> >>>>>> 6135?
> >>>>>>
> >>>>>> I would appreciate a trace of the shorewall-shell failure.
> >>>>>
> >>>>> Nevermind -- the cause is obvious.
> >>>>
> >>>> The shorewall-shell fix is in revision 6136.
> >>>>
> >>>> Thanks, Steven.
> >>>
> >>> Tom
> >>>
> >>> It now gives the error:
> >>>
> >>> iptables v.3.6:Bad IP address '224.0.0.0/4'
> >>
> >> Trace please.
> >
> > Nevermind -- it is a compile-time error that is causing this.
>
> Fixed in revision 6140.
>
> -Tom

Tom

I am now getting the following message:

/var/lib/shorewall/.start line 921: combine_list: command not found

Steven.

Steven Jan Springl wrote:
> On Friday 27 April 2007 18:43, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Friday 27 April 2007 17:27, Tom Eastep wrote:
>>>>>> Tom Eastep wrote:
>>>>>>> Tom Eastep wrote:
>>>>>>>> Steven Jan Springl wrote:
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>> Masq entry:
>>>>>>>>>
>>>>>>>>> eth0 192.168.0.0/24 detect
>>>>>>>>>
>>>>>>>>> works with shorewall-perl, but displays the following message with
>>>>>>>>> shorewall-shell
>>>>>>>>>
>>>>>>>>> ERROR: Unable to determine the IP address(es) of eth0
>>>>>>>> Steve,
>>>>>>>>
>>>>>>>> Can you please verify that shorewall-perl still works with revision
>>>>>>>> 6135?
>>>>>>>>
>>>>>>>> I would appreciate a trace of the shorewall-shell failure.
>>>>>>> Nevermind -- the cause is obvious.
>>>>>> The shorewall-shell fix is in revision 6136.
>>>>>>
>>>>>> Thanks, Steven.
>>>>> Tom
>>>>>
>>>>> It now gives the error:
>>>>>
>>>>> iptables v.3.6:Bad IP address '224.0.0.0/4'
>>>> Trace please.
>>> Nevermind -- it is a compile-time error that is causing this.
>> Fixed in revision 6140.
>>
>> -Tom
> Tom
>
> I am now getting the following message:
>
> /var/lib/shorewall/.start line 921: combine_list: command not found
>

Should be eliminated in revision 6141.

-Tom

On Friday 27 April 2007 19:27, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Friday 27 April 2007 18:43, Tom Eastep wrote:
> >> Tom Eastep wrote:
> >>> Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Friday 27 April 2007 17:27, Tom Eastep wrote:
> >>>>>> Tom Eastep wrote:
> >>>>>>> Tom Eastep wrote:
> >>>>>>>> Steven Jan Springl wrote:
> >>>>>>>>> Tom
> >>>>>>>>>
> >>>>>>>>> Masq entry:
> >>>>>>>>>
> >>>>>>>>> eth0 192.168.0.0/24 detect
> >>>>>>>>>
> >>>>>>>>> works with shorewall-perl, but displays the following message
> >>>>>>>>> with shorewall-shell
> >>>>>>>>>
> >>>>>>>>> ERROR: Unable to determine the IP address(es) of eth0
> >>>>>>>>
> >>>>>>>> Steve,
> >>>>>>>>
> >>>>>>>> Can you please verify that shorewall-perl still works with
> >>>>>>>> revision 6135?
> >>>>>>>>
> >>>>>>>> I would appreciate a trace of the shorewall-shell failure.
> >>>>>>>
> >>>>>>> Nevermind -- the cause is obvious.
> >>>>>>
> >>>>>> The shorewall-shell fix is in revision 6136.
> >>>>>>
> >>>>>> Thanks, Steven.
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> It now gives the error:
> >>>>>
> >>>>> iptables v.3.6:Bad IP address '224.0.0.0/4'
> >>>>
> >>>> Trace please.
> >>>
> >>> Nevermind -- it is a compile-time error that is causing this.
> >>
> >> Fixed in revision 6140.
> >>
> >> -Tom
> >
> > Tom
> >
> > I am now getting the following message:
> >
> > /var/lib/shorewall/.start line 921: combine_list: command not found
>
> Should be eliminated in revision 6141.
>
> -Tom

Tom

Success.

Steven.

On Friday 27 April 2007 17:20, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Masq entry:
> >
> > eth0 192.168.0.0/24 detect
> >
> > works with shorewall-perl, but displays the following message with
> > shorewall-shell
> >
> > ERROR: Unable to determine the IP address(es) of eth0
>
> Steve,
>
> Can you please verify that shorewall-perl still works with revision 6135?
>
> I would appreciate a trace of the shorewall-shell failure.
>
> Thanks!,
> -Tom

Tom

Yes, it still works with shorewall-perl.

Steven.

Tom

Should the following masq rule work?

eth0 192.168.0.0/24 SAME:detect

Reading the shorewall-masq man page, I suspect it probably isn't supported.

If it should work, then I get the following message when using shorewall-perl:

iptables-restore v1.3.6: Bad IP address 'detect'

When using shorewall-shell, I get the following messages:

iptables v1.3.6: Unknown arg `--to-source'
ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to-source 192.168.0.4" Failed

Steven

Steven Jan Springl wrote:
> Tom
>
> Should the following masq rule work?
>
> eth0 192.168.0.0/24 SAME:detect
>
> Reading the shorewall-masq man page, I suspect it probably isn't supported.
>

It isn't supported.

-Tom

Tom

The following masq rule:

eth0 192.168.0.0/24 SAME:192.168.1.1-192.168.1.2:10000-20000 tcp

when compiled with shorewall-perl generates the following message:

ERROR: Invalid IP address ( 10000 )

Steven

Steven Jan Springl wrote:
> Tom
>
> The following masq rule:
>
> eth0 192.168.0.0/24 SAME:192.168.1.1-192.168.1.2:10000-20000 tcp
>
> when compiled with shorewall-perl generates the following message:
>
> ERROR: Invalid IP address ( 10000 )

In this case, shorewall-perl is correct. The rule is not supported but:

a) Is not flagged by 'shorewall-shell' -- an invalid iptables command is generated.

b) The documentation (shorewall-masq(5)) is wrong.

Thanks, Steven
-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> The following masq rule:
>>
>> eth0 192.168.0.0/24 SAME:192.168.1.1-192.168.1.2:10000-20000 tcp
>>
>> when compiled with shorewall-perl generates the following message:
>>
>> ERROR: Invalid IP address ( 10000 )
>
> In this case, shorewall-perl is correct. The rule is not supported but:
>
> a) Is not flagged by 'shorewall-shell' -- an invalid iptables command is
> generated.
>
> b) The documentation (shorewall-masq(5)) is wrong.
>

Steven,

I will be leaving soon for Linuxfest. I'll not be available much this weekend but I'll check in when I can.

Cheers,
-Tom

On Friday 27 April 2007 21:57, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> The following masq rule:
> >>
> >> eth0 192.168.0.0/24 SAME:192.168.1.1-192.168.1.2:10000-20000 tcp
> >>
> >> when compiled with shorewall-perl generates the following message:
> >>
> >> ERROR: Invalid IP address ( 10000 )
> >
> > In this case, shorewall-perl is correct. The rule is not supported but:
> >
> > a) Is not flagged by 'shorewall-shell' -- an invalid iptables command is
> > generated.
> >
> > b) The documentation (shorewall-masq(5)) is wrong.
>
> Steven,
>
> I will be leaving soon for Linuxfest. I'll not be available much this
> weekend but I'll check in when I can.
>
> Cheers,
> -Tom

Tom

Have a good time.

Steven.

Tom

When eth0!192.168.0.2 is entered in the source field of masq e.g.

eth0 eth0!192.168.0.2 detect

shorewall-perl generates error:

iptables-restore v1.3.6 host/network 'eth0' not found

It works with shorewall-shell.

Steven.

Steven Jan Springl wrote:
> Tom
>
> When eth0!192.168.0.2 is entered in the source field of masq e.g.
>
> eth0 eth0!192.168.0.2 detect
>
> shorewall-perl generates error:
>
> iptables-restore v1.3.6 host/network 'eth0' not found
>
> It works with shorewall-shell.

Steven,

Given Shorewall-shell's uniform treatment of all rules, the canonical form of that rule is now accepted:

ethx eth0:!192.168.0.2 ...

I'll document that for the next 3.9 release (I seem to recall documenting that somewhere already but I can't lay my hands on it at the moment).

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> When eth0!192.168.0.2 is entered in the source field of masq e.g.
>>
>> eth0 eth0!192.168.0.2 detect
>>
>> shorewall-perl generates error:
>>
>> iptables-restore v1.3.6 host/network 'eth0' not found
>>
>> It works with shorewall-shell.
>
> Steven,
>
> Given Shorewall-shell's uniform treatment of all rules, the canonical

That should have read "Given Shorewall-*perl*s uniform treatment...".

-Tom

On Saturday 28 April 2007 02:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When eth0!192.168.0.2 is entered in the source field of masq e.g.
> >
> > eth0 eth0!192.168.0.2 detect
> >
> > shorewall-perl generates error:
> >
> > iptables-restore v1.3.6 host/network 'eth0' not found
> >
> > It works with shorewall-shell.
>
> Steven,
>
> Given Shorewall-shell's uniform treatment of all rules, the canonical
> form of that rule is now accepted:
>
> ethx eth0:!192.168.0.2 ...
>
> I'll document that for the next 3.9 release (I seem to recall
> documenting that somewhere already but I can't lay my hands on it at the
> moment).
>
> -Tom

Tom

Changing the masq rule to:

eth0 eth0:!192.168.0.2 detect

generates the following iptables rule:

-A eth0_masq -s 192.168.0.0/24 -s ! 192.168.0.2 -j SNAT --to-source 192.168.0.4

which gives the error:

iptables-restore v1.3.6 multiple -s flags not allowed

Steven.

Steven Jan Springl wrote:
> On Saturday 28 April 2007 02:52, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> When eth0!192.168.0.2 is entered in the source field of masq e.g.
>>>
>>> eth0 eth0!192.168.0.2 detect
>>>
>>> shorewall-perl generates error:
>>>
>>> iptables-restore v1.3.6 host/network 'eth0' not found
>>>
>>> It works with shorewall-shell.
>> Steven,
>>
>> Given Shorewall-shell's uniform treatment of all rules, the canonical
>> form of that rule is now accepted:
>>
>> ethx eth0:!192.168.0.2 ...
>>
>> I'll document that for the next 3.9 release (I seem to recall
>> documenting that somewhere already but I can't lay my hands on it at the
>> moment).
>>
>> -Tom
>
> Tom
>
> Changing the masq rule to:
>
> eth0 eth0:!192.168.0.2 detect
>
> generates the following iptables rule:
>
> -A eth0_masq -s 192.168.0.0/24 -s ! 192.168.0.2 -j SNAT --to-source
> 192.168.0.4
>
> which gives the error:
>
> iptables-restore v1.3.6 multiple -s flags not allowed

Please try 6145.

Thanks, Steven

-Tom

Tom

The following test was conducted with:

ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES= both Yes and No, the result was the same

The following rule was added to nat:

10.1.1.1 eth0 192.168.1.1 yes yes

A 'shorewall start' was issued.
An 'ip addr show' showed that 10.1.1.1 had been added to eth0
/var/lib/shorewall/nat contained:
10.1.1.1 eth0

The EXTERNAL IP address in nat was then changed to 10.1.1.2:

10.1.1.2 eth0 192.168.1.1 yes yes

A 'shorewall restart' was then issued.
An 'ip addr show' showed that both 10.1.1.1 and 10.1.1.2 have been added to eth0.
/var/lib/shorewall/nat contained:
10.1.1.2 eth0

A 'shorewall stop' was then issued.
An 'ip addr show' showed eth0 still had alias 10.1.1.1

Steven.

On Saturday 28 April 2007 16:00, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 28 April 2007 02:52, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> When eth0!192.168.0.2 is entered in the source field of masq e.g.
> >>>
> >>> eth0 eth0!192.168.0.2 detect
> >>>
> >>> shorewall-perl generates error:
> >>>
> >>> iptables-restore v1.3.6 host/network 'eth0' not found
> >>>
> >>> It works with shorewall-shell.
> >>
> >> Steven,
> >>
> >> Given Shorewall-shell's uniform treatment of all rules, the canonical
> >> form of that rule is now accepted:
> >>
> >> ethx eth0:!192.168.0.2 ...
> >>
> >> I'll document that for the next 3.9 release (I seem to recall
> >> documenting that somewhere already but I can't lay my hands on it at the
> >> moment).
> >>
> >> -Tom
> >
> > Tom
> >
> > Changing the masq rule to:
> >
> > eth0 eth0:!192.168.0.2 detect
> >
> > generates the following iptables rule:
> >
> > -A eth0_masq -s 192.168.0.0/24 -s ! 192.168.0.2 -j SNAT --to-source
> > 192.168.0.4
> >
> > which gives the error:
> >
> > iptables-restore v1.3.6 multiple -s flags not allowed
>
> Please try 6145.
>
> Thanks, Steven
>
> -Tom

Tom

That works provided eth0 has only one IP address.

If eth0 has 2 IP addresses then the following iptables rule is generated:

-A exc10 -j SNAT --to--source 192.168.0.4 --to-source 10.1.1.1

this produces error:

iptables-restore v1.3.4: Multiple --to-source not supported.

Steven.

Steven Jan Springl wrote:
> On Saturday 28 April 2007 16:00, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 28 April 2007 02:52, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> When eth0!192.168.0.2 is entered in the source field of masq e.g.
>>>>>
>>>>> eth0 eth0!192.168.0.2 detect
>>>>>
>>>>> shorewall-perl generates error:
>>>>>
>>>>> iptables-restore v1.3.6 host/network 'eth0' not found
>>>>>
>>>>> It works with shorewall-shell.
>>>> Steven,
>>>>
>>>> Given Shorewall-shell's uniform treatment of all rules, the canonical
>>>> form of that rule is now accepted:
>>>>
>>>> ethx eth0:!192.168.0.2 ...
>>>>
>>>> I'll document that for the next 3.9 release (I seem to recall
>>>> documenting that somewhere already but I can't lay my hands on it at the
>>>> moment).
>>>>
>>>> -Tom
>>> Tom
>>>
>>> Changing the masq rule to:
>>>
>>> eth0 eth0:!192.168.0.2 detect
>>>
>>> generates the following iptables rule:
>>>
>>> -A eth0_masq -s 192.168.0.0/24 -s ! 192.168.0.2 -j SNAT --to-source
>>> 192.168.0.4
>>>
>>> which gives the error:
>>>
>>> iptables-restore v1.3.6 multiple -s flags not allowed
>> Please try 6145.
>>
>> Thanks, Steven
>>
>> -Tom
>
> Tom
>
> That works provided eth0 has only one IP address.
>
> If eth0 has 2 IP addresses then the following iptables rule is generated:
>
> -A exc10 -j SNAT --to--source 192.168.0.4 --to-source 10.1.1.1
>
> this produces error:
>
> iptables-restore v1.3.4: Multiple --to-source not supported.

Yes. That support was removed from Netfilter some time ago. So 'detect' in the ADDRESSES column only works when there is a single address (unless you have an old kernel).

-Tom

Steven Jan Springl wrote:
> Tom
>
> The following test was conducted with:
>
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=Yes
> RETAIN_ALIASES= both Yes and No, the result was the same
>
> The following rule was added to nat:
>
> 10.1.1.1 eth0 192.168.1.1 yes yes
>
> A 'shorewall start' was issued.
> An 'ip addr show' showed that 10.1.1.1 had been added to eth0
> /var/lib/shorewall/nat contained:
> 10.1.1.1 eth0
>
> The EXTERNAL IP address in nat was then changed to 10.1.1.2:
>
> 10.1.1.2 eth0 192.168.1.1 yes yes
>
> A 'shorewall restart' was then issued.
> An 'ip addr show' showed that both 10.1.1.1 and 10.1.1.2 have been added
> to eth0.
> /var/lib/shorewall/nat contained:
> 10.1.1.2 eth0
>
> A 'shorewall stop' was then issued.
> An 'ip addr show' showed eth0 still had alias 10.1.1.1
>

This is fixed in revision 6148. With RETAIN_ALIASES=Yes, the stale address (10.1.1.1) will remain configured until "shorewall stop" at which time it will be deleted.

-Tom

On Sunday 29 April 2007 05:36, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > The following test was conducted with:
> >
> > ADD_IP_ALIASES=Yes
> > ADD_SNAT_ALIASES=Yes
> > RETAIN_ALIASES= both Yes and No, the result was the same
> >
> > The following rule was added to nat:
> >
> > 10.1.1.1 eth0 192.168.1.1 yes yes
> >
> > A 'shorewall start' was issued.
> > An 'ip addr show' showed that 10.1.1.1 had been added to eth0
> > /var/lib/shorewall/nat contained:
> > 10.1.1.1 eth0
> >
> > The EXTERNAL IP address in nat was then changed to 10.1.1.2:
> >
> > 10.1.1.2 eth0 192.168.1.1 yes yes
> >
> > A 'shorewall restart' was then issued.
> > An 'ip addr show' showed that both 10.1.1.1 and 10.1.1.2 have been
> > added to eth0.
> > /var/lib/shorewall/nat contained:
> > 10.1.1.2 eth0
> >
> > A 'shorewall stop' was then issued.
> > An 'ip addr show' showed eth0 still had alias 10.1.1.1
>
> This is fixed in revision 6148. With RETAIN_ALIASES=Yes, the stale
> address (10.1.1.1) will remain configured until "shorewall stop" at
> which time it will be deleted.
>
> -Tom

Tom

It works now,

The shorewall.conf man page for RETAIN_ALIASES states:

Regardless of the setting of RETAIN_ALIASES, addresses added during shorewall start are still deleted at a subsequent shorewall stop or shorewall restart.

Steven.

Tom

Just one last observation on aliases.

When interface eth0 has IP address 192.168.0.4 and the following rules are defined:

NAT
10.1.1.1 eth0 192.168.1.1 yes yes

MASQ

eth0 192.168.0.0/24 detect

the shorewall-shell compiler generates the rule:

-A eth0_masq -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.0.4

whereas shorewall-perl generates the invalid rule:

-A eth0_masq -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.4 --to-source 10.1.1.1

Steven.

Steven Jan Springl wrote:
> Tom
>
> Just one last observation on aliases.
>
> When interface eth0 has IP address 192.168.0.4 and the following rules are
> defined:
>
> NAT
> 10.1.1.1 eth0 192.168.1.1 yes yes
>
> MASQ
>
> eth0 192.168.0.0/24 detect
>
> the shorewall-shell compiler generates the rule:
>
> -A eth0_masq -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.0.4
>
> whereas shorewall-perl generates the invalid rule:
>
> -A eth0_masq -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.4 --to-source
> 10.1.1.1

Okay; I've changed Shorewall-perl to only use the primary address, no matter how many other addresses there are. I've also corrected the RETAIN_ALIASES behavior that you reported.

Change is revision 6149.

Thanks, Steven
-Tom

Tom

Shorewall-netmap man page states that 'The interface must be defined in shorewall-interfaces(5)'

Shorewall-shell checks this and produces an error message if the interface is not defined shorewall-interfaces.

Shorewall-perl does not check it.

The upshot of this is, if the following netmap rule is defined:

DNAT 192.168.0.0/24 garbage 192.168.20.0/24

shorewall-perl generates the following iptables rule:

-A garbage_in -d 192.168.0.0/24 -j NETMAP --to 192.168.20.0/24

but nothing in the PREROUTING chain points to it.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Shorewall-netmap man page states that 'The interface must be defined in
> shorewall-interfaces(5)'
>
> Shorewall-shell checks this and produces an error message if the interface is
> not defined shorewall-interfaces.
>
> Shorewall-perl does not check it.
>
> The upshot of this is, if the following netmap rule is defined:
>
> DNAT 192.168.0.0/24 garbage 192.168.20.0/24
>
> shorewall-perl generates the following iptables rule:
>
> -A garbage_in -d 192.168.0.0/24 -j NETMAP --to 192.168.20.0/24
>
> but nothing in the PREROUTING chain points to it.
>

I've added interface validation in revision 6150.

Thanks, Steven.
-Tom

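Three of the invalid rulesets reported in this thread (a rule with two -s options, a SNAT rule with two --to-source options, and a netmap chain that nothing jumps to) can be caught before iptables-restore sees them. The Python check below is an added example, not part of the thread and not Shorewall code; the function name lint and the sample ruleset, which is constructed around the rules quoted in the messages above, are assumptions.

```python
import shlex
from collections import defaultdict

BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Options that may appear at most once in a rule (short and long spellings).
SINGLE_USE = {
    "-s": "-s", "--source": "-s",
    "-d": "-d", "--destination": "-d",
    "--to-source": "--to-source",
}
JUMP_OPTS = {"-j", "--jump", "-g", "--goto"}

# Constructed iptables-restore input. Lines 8, 10 and 11 carry the rules
# quoted in the thread; the chain declarations and jumps around them are
# assumed for the sake of a complete table.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
:exc10 - [0:0]
:garbage_in - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.0.0/24 -s ! 192.168.0.2 -j SNAT --to-source 192.168.0.4
-A eth0_masq -s 192.168.0.0/24 -j exc10
-A exc10 -j SNAT --to-source 192.168.0.4 --to-source 10.1.1.1
-A garbage_in -d 192.168.0.0/24 -j NETMAP --to 192.168.20.0/24
COMMIT
"""


def lint(ruleset):
    """Return sorted (line number, message) findings for one ruleset."""
    findings = []
    first_rule = {}     # (table, chain) -> line of the first -A for that chain
    referenced = set()  # (table, target) pairs named after -j / -g
    table = None

    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue  # chain declarations, COMMIT, comments, blank lines

        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to plain split
            tokens = line.split()

        chain = tokens[1]
        first_rule.setdefault((table, chain), lineno)

        counts = defaultdict(int)
        for i, tok in enumerate(tokens[2:], start=2):
            if tok in SINGLE_USE:
                counts[SINGLE_USE[tok]] += 1
            elif tok in JUMP_OPTS and i + 1 < len(tokens):
                referenced.add((table, tokens[i + 1]))

        for opt, n in sorted(counts.items()):
            if n > 1:
                findings.append((lineno, f"{opt} given {n} times"))

    # A user-defined chain that holds rules but is never a jump target in its
    # own table is dead code: the rules load but no packet reaches them.
    for (tbl, chain), lineno in first_rule.items():
        if chain not in BUILTIN_CHAINS and (tbl, chain) not in referenced:
            findings.append(
                (lineno, f"chain {chain} has rules but nothing in table {tbl} jumps to it")
            )

    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

The unreferenced-chain finding matters most for review: unlike the duplicate-option cases, such a ruleset loads without error, so the missing NETMAP translation goes unnoticed unless something checks for it.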
Tom

A policy of:

all all NONE warn 1:2

produces the following error:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Policy.pm line 178, <$currentfile> line 14

Steven.

Tom

A policy of:

all all DROP:None warn 1:2

produces the following errors:

Use of uninitialized value in bitwise and (&) at /usr/share/shorewall-perl/Shorewall/Policy.pm line 163, <$currentfile> line 14.

ERROR: Unknown Default Action (None) : /etc/shorewall/policy ( line 14 )

Steven.

Steven Jan Springl wrote:
> Tom
>
> A policy of:
>
> all all DROP:None warn 1:2
>
> produces the following errors:
>
> Use of uninitialized value in bitwise and (&)
> at /usr/share/shorewall-perl/Shorewall/Policy.pm line 163, <$currentfile>
> line 14.
>
> ERROR: Unknown Default Action (None) : /etc/shorewall/policy ( line 14 )
>

Steven,

Both policy file bugs you reported are fixed in revision 6151.

Thanks,
-Tom

Tom

If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is specified e.g.

lan lan REJECT warn 1

when it is compiled with shorewall-shell, the following message is produced:

iptables: Chain already exists
ERROR: Command "sbin/iptables -N @lan2lan" failed

Steven.

Steven Jan Springl wrote:
> Tom
>
> If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is
> specified e.g.
>
> lan lan REJECT warn 1
>
> when it is compiled with shorewall-shell, the following message is produced:
>
> iptables: Chain already exists
> ERROR: Command "sbin/iptables -N @lan2lan" failed
>

Tom,

Revision 6152 should correct this problem.

Thanks,
-Tom

On Monday 30 April 2007 01:46, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is
> > specified e.g.
> >
> > lan lan REJECT warn 1
> >
> > when it is compiled with shorewall-shell, the following message is
> > produced:
> >
> > iptables: Chain already exists
> > ERROR: Command "sbin/iptables -N @lan2lan" failed
>
> Tom,
>
> Revision 6152 should correct this problem.
>
> Thanks,
>
> -Tom

Tom

Unfortunately it hasn't corrected the problem. The error messages are still produced.

Steven.

Tom

The following rule ACTIONs are rejected as unknown by shorewall-perl:

CONTINUE! QUEUE! A-

The following rule ACTIONs are rejected as invalid by shorewall-shell:

DROP! REJECT! A-

The following rule:

LOG lan:192.168.0.3 $FW udp 123

is accepted by shorewall-perl, but shorewall-shell produces the following error message:

ERROR: LOG requires log level

Steven.

Hi Tom,

I was lurking for a long time here and finally decided to jump into the perl testing (mostly due to the slow shell compilation). I upgraded my 3.4.1 to 3.9.4 and ran shorewall check on my current settings. I got a few errors:

Checking /etc/shorewall/blacklist...
ERROR: ipset names in Shorewall configuration files requires Ipset Match in your kernel and iptables : /etc/shorewall/blacklist ( line 62 )

My capabilities list:

[root@vector/etc/shorewall]# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available

and:

Checking /etc/shorewall/tcrules...
ERROR: Invalid Numeric Value : /etc/shorewall/tcrules ( line 11 )

Commenting out line 11 I got the following error:

Checking /etc/shorewall/tcrules...
Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Config.pm line 683, <$currentfile> line 12.
ERROR: PROTO = ipp2p requires in your kernel and iptables : /etc/shorewall/tcrules ( line 12 )

Commenting out line 12 I got the following error:

Checking /etc/shorewall/tcrules...
ERROR: Invalid MARK (512:P) : /etc/shorewall/tcrules ( line 29 )

I have HIGH_ROUTE_MARKS=Yes in shorewall.conf

I bit the bullet and got the latest repository (6152). It failed to install the manpages but I wasn't upset about that one :) I got the exact same errors with that version too.

Here is the tcrules file:

#
# Shorewall version 3.2 - Tcrules File
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
###############################################################################
#MARK     SOURCE            DEST       PROTO      DEST          SOURCE     USER  TEST  LENGTH  TOS
#                                                 PORT(S)       PORT(S)
RESTORE   0.0.0.0/0         0.0.0.0/0  all        -             -          -     0
CONTINUE  0.0.0.0/0         0.0.0.0/0  all        -             -          -     !0
6         0.0.0.0/0         0.0.0.0/0  ipp2p:all
SAVE      0.0.0.0/0         0.0.0.0/0  all        -             -          -     !0
1         0.0.0.0/0         0.0.0.0/0  icmp       echo-request
1         0.0.0.0/0         0.0.0.0/0  icmp       echo-reply
2         0.0.0.0/0         0.0.0.0/0  tcp        22
2         0.0.0.0/0         0.0.0.0/0  tcp        -             22
3         0.0.0.0/0         0.0.0.0/0  tcp        smtp,pop3
3         0.0.0.0/0         0.0.0.0/0  tcp        -             smtp,pop3
5         0.0.0.0/0         0.0.0.0/0  udp        6881:6901
5         0.0.0.0/0         0.0.0.0/0  udp        -             6881:6901
5         0.0.0.0/0         0.0.0.0/0  tcp        6881:6901
5         0.0.0.0/0         0.0.0.0/0  tcp        -             6881:6901
512:P     192.168.2.169/32  0.0.0.0/0  all        -             -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The given file set compiles with the shell compiler just fine. Do I miss some settings in the shorewall.conf file to resolve those errors?

Thanks,
Andras

Steven Jan Springl wrote:
> On Monday 30 April 2007 01:46, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is
>>> specified e.g.
>>>
>>> lan lan REJECT warn 1
>>>
>>> when it is compiled with shorewall-shell, the following message is
>>> produced:
>>>
>>> iptables: Chain already exists
>>> ERROR: Command "sbin/iptables -N @lan2lan" failed
>> Tom,
>>
>> Revision 6152 should correct this problem.
>>
>> Thanks,
>>
>> -Tom
> Tom
>
> Unfortunately it hasn't corrected the problem. The error messages are still
> produced.

Then I will need a trace. No hurry -- this is a day one problem that I very much doubt that anyone will actually run into other than during this kind of testing.

-Tom
-------------------------------------------------------------------------
Steven Jan Springl wrote:
> Tom
>
> The following rule ACTIONs are rejected as unknown by shorewall-perl:
>
> CONTINUE! QUEUE! A-
>
> The following rule ACTIONs are rejected as invalid by shorewall-shell:
>
> DROP! REJECT! A-
>
> The following rule:
>
> LOG lan:192.168.0.3 $FW udp 123
>
> is accepted by shorewall-perl, but shorewall-shell produces the following
> error message:
>
> ERROR: LOG requires log level
>

Steven,

I think that everything is fixed in 6155.

Thanks,
-Tom
-------------------------------------------------------------------------
On Monday 30 April 2007 16:25, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > The following rule ACTIONs are rejected as unknown by shorewall-perl:
> >
> > CONTINUE! QUEUE! A-
> >
> > The following rule ACTIONs are rejected as invalid by shorewall-shell:
> >
> > DROP! REJECT! A-
> >
> > The following rule:
> >
> > LOG lan:192.168.0.3 $FW udp 123
> >
> > is accepted by shorewall-perl, but shorewall-shell produces the following
> > error message:
> >
> > ERROR: LOG requires log level
>
> Steven,
>
> I think that everything is fixed in 6155.
>
> Thanks,
> -Tom

Tom

Everything works except ACCEPT- which is rejected as an invalid action by shorewall-shell.

Steven.
-------------------------------------------------------------------------
Tom

When the following rule is compiled with shorewall-shell:

CONTINUE! lan:192.168.0.3 $FW udp 123

produces the following error messages:

iptables v1.3.6: Couldn't load target `CONTINUE':/lib/iptables/libipt_CONTINUE.so: cannot open shared object file: No such file or directory

ERROR: Command "/sbin/iptables -A lan2fw -p udp -s 192.168.0.3 --dport 123 -j CONTINUE" Failed

Steven.
-------------------------------------------------------------------------
Andras Sarkozy wrote:
> Hi Tom,
>
> I was lurking for a long time here and finally decided to jump into the perl testing (mostly due to the slow shell compilation).
> I upgraded my 3.4.1 to 3.9.4 and ran shorewall check on my current settings.
>
> The given file set compiles with the shell compiler just fine.
>
> Do I miss some settings in the shorewall.conf file to resolve those errors?

No, you didn't miss anything. The problems you have reported are fixed in revision 6157.

Thanks for helping with the testing,
-Tom
-------------------------------------------------------------------------
Steven Jan Springl wrote:
> Tom
>
> When the following rule is compiled with shorewall-shell:
>
> CONTINUE! lan:192.168.0.3 $FW udp 123
>
> produces the following error messages:
>
> iptables v1.3.6: Couldn't load target
> `CONTINUE':/lib/iptables/libipt_CONTINUE.so: cannot open shared object file:
> No such file or directory
>
> ERROR: Command "/sbin/iptables -A lan2fw -p udp -s 192.168.0.3 --dport
> 123 -j CONTINUE" Failed
>

Steven,

Should be fixed in revision 6158.

-Tom
-------------------------------------------------------------------------
On Monday 30 April 2007 19:02, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When the following rule is compiled with shorewall-shell:
> >
> > CONTINUE! lan:192.168.0.3 $FW udp 123
> >
> > produces the following error messages:
> >
> > iptables v1.3.6: Couldn't load target
> > `CONTINUE':/lib/iptables/libipt_CONTINUE.so: cannot open shared object
> > file: No such file or directory
> >
> > ERROR: Command "/sbin/iptables -A lan2fw -p udp -s 192.168.0.3 --dport
> > 123 -j CONTINUE" Failed
>
> Steven,
>
> Should be fixed in revision 6158.
>
> -Tom

Tom

Yes, that's fixed it.

Steven.
-------------------------------------------------------------------------
Tom

The following rule:

LOG:6! lan:192.168.0.3 $FW udp 123

produces the following error message when compiled with shorewall-perl:

ERROR: Invalid log level (6!)

It works when compiled with shorewall-shell.

Steven.
-------------------------------------------------------------------------
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Monday 30 April 2007 01:46, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is
>>>> specified e.g.
>>>>
>>>> lan lan REJECT warn 1
>>>>
>>>> when it is compiled with shorewall-shell, the following message is
>>>> produced:
>>>>
>>>> iptables: Chain already exists
>>>> ERROR: Command "sbin/iptables -N @lan2lan" failed
>>> Tom,
>>>
>>> Revision 6152 should correct this problem.
>>>
>>> Thanks,
>>>
>>> -Tom
>> Tom
>>
>> Unfortunately it hasn't corrected the problem. The error messages are still
>> produced.
>
> Then I will need a trace. No hurry -- this is a day one problem that I very
> much doubt that anyone will actually run into other than during this kind of
> testing.
>

Nevermind -- should be corrected in revision 6159.

-Tom
-------------------------------------------------------------------------
On Monday 30 April 2007 19:38, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> On Monday 30 April 2007 01:46, Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> If a policy specifies the same SOURCE and DEST zone and LIMIT:BURST is
> >>>> specified e.g.
> >>>>
> >>>> lan lan REJECT warn 1
> >>>>
> >>>> when it is compiled with shorewall-shell, the following message is
> >>>> produced:
> >>>>
> >>>> iptables: Chain already exists
> >>>> ERROR: Command "sbin/iptables -N @lan2lan" failed
> >>>
> >>> Tom,
> >>>
> >>> Revision 6152 should correct this problem.
> >>>
> >>> Thanks,
> >>>
> >>> -Tom
> >>
> >> Tom
> >>
> >> Unfortunately it hasn't corrected the problem. The error messages are
> >> still produced.
> >
> > Then I will need a trace. No hurry -- this is a day one problem that I
> > very much doubt that anyone will actually run into other than during this
> > kind of testing.
>
> Nevermind -- should be corrected in revision 6159.
>
> -Tom

Tom

That's fixed it.

Steven.
-------------------------------------------------------------------------
Tom Eastep wrote:
> You are welcome.
>
> Any additional testing of ipsets that you can do would be very much appreciated.
>
> -Tom

Right now I'm using ipsets only for blacklisting purposes. I had to go with ipsets due to the sheer size of the blacklist.
I have one set for dropping SMTP requests from several countries I'm not expecting any email.
I have two more sets for totally blocking access to my servers.
The way it is used is:

###############################################################################
#ADDRESS/SUBNET         PROTOCOL        PORT
#
+maildrops              tcp             25
+blacklist
+blacklistnet
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

What other kind of testing is in your mind?

Andras
-------------------------------------------------------------------------
Andras Sarkozy wrote:
> Tom Eastep wrote:
>
>> You are welcome.
>>
>> Any additional testing of ipsets that you can do would be very much appreciated.
>>
>> -Tom
>
> Right now I'm using ipsets only for blacklisting purposes. I had to go with ipsets due to the sheer size of the blacklist.
> I have one set for dropping SMTP requests from several countries I'm not expecting any email.
> I have two more sets for totally blocking access to my servers.
> The way it is used is:
> ###############################################################################
> #ADDRESS/SUBNET         PROTOCOL        PORT
> #
> +maildrops              tcp             25
> +blacklist
> +blacklistnet
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> What other kind of testing is in your mind?

Primarily, using ipset names in rules and in zone definition (/etc/shorewall/hosts).

Thanks,
-Tom
-------------------------------------------------------------------------
Tom Eastep wrote:
>
> Revision 6174 should get by that one.
>
> Thanks,
> -Tom

Hi Tom,

It solved all the compilation problems. Unfortunately the generated firewall doesn't work :(
I'll do some more debugging tomorrow on it.

Thanks,
Andras
-------------------------------------------------------------------------
Tom Eastep wrote:
> I was able to hack up your configuration and get it to compile. The
> Shorewall-perl compiler now generates rules similar to those generated by
> shorewall-shell.
>
> Revisions are 6189/6190.
>
> -Tom

Hi Tom,

It works so far!

Thanks a lot (thinking how to test ipsets in rules :)

Best wishes,
Andras
-------------------------------------------------------------------------
Andras Sarkozy wrote:
> Hi Tom,
>
> It works so far!
>
> Thanks a lot (thinking how to test ipsets in rules :)
>
> Best wishes,
> Andras
>

Hi Tom,

Ipset works in the ACCEPT rule like:
ACCEPT          bnet:+mycomputers       all     -       -
ACCEPT:debug    anet:+mycomputers       all     -       -
ACCEPT:info     cnet:+mycomputers       all     -       -

I tried the following and it did not work probably because I did not RTFM but I was hoping to make the ports opening dynamic through ipset:
ACCEPT          bnet    wan:$MAILIP     tcp     +mailports
where
[root@vector/etc/shorewall]# ipset -N mailports portmap --from 1 --to 1023
[root@vector/etc/shorewall]# ipset -A mailports 20
[root@vector/etc/shorewall]# ipset -A mailports 21
[root@vector/etc/shorewall]# ipset -A mailports 25

Well, I'll continue to make discoveries with ipset. I see a tremendous opportunity to use them especially for dynamic configurations!

Andras
-------------------------------------------------------------------------
Andras Sarkozy wrote:
> Andras Sarkozy wrote:
>
>> Hi Tom,
>>
>> It works so far!
>>
>> Thanks a lot (thinking how to test ipsets in rules :)
>>
>> Best wishes,
>> Andras
>>
>
> Hi Tom,
>
> Ipset works in the ACCEPT rule like:
> ACCEPT          bnet:+mycomputers       all     -       -
> ACCEPT:debug    anet:+mycomputers       all     -       -
> ACCEPT:info     cnet:+mycomputers       all     -       -
>
> I tried the following and it did not work probably because I did not RTFM but I was hoping to make the ports opening dynamic through ipset:
> ACCEPT          bnet    wan:$MAILIP     tcp     +mailports
> where
> [root@vector/etc/shorewall]# ipset -N mailports portmap --from 1 --to 1023
> [root@vector/etc/shorewall]# ipset -A mailports 20
> [root@vector/etc/shorewall]# ipset -A mailports 21
> [root@vector/etc/shorewall]# ipset -A mailports 25
>
> Well, I'll continue to make discoveries with ipset. I see a tremendous opportunity to use them especially for dynamic configurations!

Shorewall does not allow an ipset in the PORT columns.

-Tom
-------------------------------------------------------------------------
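The restriction stated in the last reply (no ipset in the PORT columns), turned into a pre-flight check for a rules file. This is an added example, not part of the original thread and not Shorewall code; the helper names, the assumed column order (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)) and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Shorewall code): find rules-file entries that put an
# ipset reference (+setname) in a PORT column, which Shorewall rejects.
# Assumption: whitespace-separated columns in the order
#   ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ...

# lint_ipset_ports FILE  (hypothetical helper name)
# Prints "line N: COLUMN: ENTRY" per offending entry; returns 1 if any found.
lint_ipset_ports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comment and blank lines
        {
            sub(/[ \t]+#.*$/, "")               # strip a trailing comment
            for (col = 5; col <= 6 && col <= NF; col++) {
                name = (col == 5) ? "DEST PORT(S)" : "SOURCE PORT(S)"
                n = split($col, part, ",")      # port columns may hold lists
                for (i = 1; i <= n; i++)
                    if (part[i] ~ /^!?[+]/) {   # +set or !+set
                        printf "line %d: %s: %s\n", NR, name, part[i]
                        bad = 1
                    }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input modelled on the rules quoted in the thread.
make_sample_rules() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
#ACTION  SOURCE             DEST         PROTO  DEST PORT(S)  SOURCE PORT(S)
ACCEPT   bnet:+mycomputers  all          -      -
ACCEPT   bnet               wan:$MAILIP  tcp    +mailports
ACCEPT   bnet               wan:$MAILIP  tcp    20,21,25
EOF
    printf '%s\n' "$sample"
}

# Demo: only line 3 is reported; ipsets in SOURCE/DEST are left alone.
demo_file=$(make_sample_rules)
lint_ipset_ports "$demo_file" || echo "ipset used in a PORT column"
rm -f "$demo_file"
```

An ipset in the SOURCE column (`bnet:+mycomputers`) passes, as does a literal port list such as `20,21,25`; only the `+mailports` entry is reported.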