Is there any interest in having shorewall able to configure iptables/netfilter on a remote node? i.e. one installs shorewall on node foo, and executes the shorewall command(s) on node foo but has it install the actual rules on node bar? Indeed, a single shorewall installation could install rules/manage a network of nodes.

Obviously the easiest path to such a goal is to simply allow some form of remote execution to the node "bar". Could be rsh ~shudder~ or more appropriately, ssh, complete with keys and .ssh/authorized_keys entries that limit the scope of what the node "foo" is allowed to execute on "bar".

Thoughts? Would I be wasting my time hacking up shorewall to do this or would such patches be considered for inclusion?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
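A forced-command gate of the sort Brian's authorized_keys remark points at, written as an added example for this thread; it is not Shorewall code and was not supplied by any poster. It assumes the admin station's key is installed in root's authorized_keys on the firewall with a command= option naming this script, that the script lives at /usr/local/sbin/shorewall-lite-gate (an assumed path), and that only the shorewall-lite actions that appear later in this thread need to be reachable. The load command also copies the compiled script to the firewall with scp, which a real deployment would have to permit separately.

```shell
#!/bin/sh
# shorewall-lite-gate: forced-command wrapper for the admin station's ssh key.
# Added example, not Shorewall's own code. Referenced from root's
# ~/.ssh/authorized_keys on the firewall (assumed path, key line shortened):
#   command="/usr/local/sbin/shorewall-lite-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... admin@foo
# sshd then runs this script with the requested command in SSH_ORIGINAL_COMMAND
# instead of running that command itself.

# gate_allow REQUEST -> 0 if the admin station may run REQUEST, 1 otherwise.
# Only a fixed set of shorewall-lite actions is permitted. The one action that
# takes an argument (find_first_interface_address) only accepts something that
# looks like an interface name, so no shell metacharacters get through.
gate_allow() {
    req=$1
    case $req in
        "shorewall-lite start"|"shorewall-lite restart"|"shorewall-lite stop"|"shorewall-lite status")
            return 0 ;;
        "shorewall-lite call find_first_interface_address "*)
            iface=${req#"shorewall-lite call find_first_interface_address "}
            case $iface in
                ""|*[!A-Za-z0-9._-]*) return 1 ;;   # empty or contains ; | & $ ` space ...
                *) return 0 ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# gate_run REQUEST -> exec the request if allowed, otherwise refuse and exit 1.
# The request is never handed to eval; after validation it is split into
# words and exec'd directly, so the shell performs no further interpretation.
gate_run() {
    req=$1
    if gate_allow "$req"; then
        # shellcheck disable=SC2086 -- word splitting is intended here
        set -- $req
        exec "$@"
    fi
    echo "shorewall-lite-gate: refused: $req" >&2
    exit 1
}

# Act as the forced command only when sshd invoked us with a request;
# when the file is sourced for testing, SSH_ORIGINAL_COMMAND is unset.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    gate_run "$SSH_ORIGINAL_COMMAND"
fi
```

The refusal is logged to stderr, which sshd returns to the client, so a rejected request shows up on the admin station's console; a production version would also write it to syslog on the firewall so a compromised admin key becomes visible from the firewall's own logs.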
Brian J. Murrell wrote:
> Is there any interest in having shorewall able to configure
> iptables/netfilter on a remote node? i.e. one installs shorewall on
> node foo, and executes the shorewall command(s) on node foo but has it
> install the actual rules on node bar? Indeed, a single shorewall
> installation could install rules/manage a network of nodes.
>
> Obviously the easiest path to such a goal is to simply allow some form
> of remote execution to the node "bar". Could be rsh ~shudder~ or more
> appropriately, ssh, complete with keys and .ssh/authorized_keys entries
> that limits the scope of what the node "foo" is allowed to execute on
> "bar".
>
> Thots? Would I be wasting my time hacking up shorewall to do this or
> would such patches be considered for inclusion?

I've been thinking of implementing that but as a wrapper. My idea was to manage separate configurations in a subversion repository and do the editing and validation on a central station. The "compiled" rules could then be uploaded using ssh to the appropriate firewall.

With the recent purchase of the company I put that on hold since the new Masters have their own firewalls and usually look down their noses at OSS.

-- 
Stephen Carville <stephen@totalflood.com>
Unix and Network Admin
Land America Flood Services
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
On Fri, 2007-02-02 at 10:17 -0800, Stephen Carville wrote:
>
> I've been thinking of implementing that but as a wrapper.

Not sure I follow "as a wrapper".

> My ideas was
> to manage separate configurations in a subversion repository

Sure, in SVN if one wishes.

> and do the
> editing and validation on a central station.

And compilation. But compilation requires information from the remote machine. Those would have to be remote commands too. Perhaps some batching could be done to reduce overhead.

> The "compiled" rules could
> them be uploaded using ssh to the appropriate firewall.

Yeah. Have run_iptables batch up the iptables commands for a single execution of them all over a single ssh session.

It seems (at a very first quick glance) as though all externally executed commands are run through a "run_*" wrapper. This would make such modifications quite easy. Even one more level of wrappage to have all run_*() commands optionally runnable remotely in a single function.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> Is there any interest in having shorewall able to configure
> iptables/netfilter on a remote node? i.e. one installs shorewall on
> node foo, and executes the shorewall command(s) on node foo but has it
> install the actual rules on node bar? Indeed, a single shorewall
> installation could install rules/manage a network of nodes.

Shorewall can already do this. It's what Shorewall Lite is all about.

See http://www.shorewall.net/CompiledPrograms.html#Lite

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2007-02-02 at 10:54 -0800, Tom Eastep wrote:
>
> Shorewall can already do this. It's what Shorewall Lite is all about.
>
> See http://www.shorewall.net/CompiledPrograms.html#Lite

Hrm. How much of the "grunt work" is offloaded from the "firewall" system though? I find rule compilation quite slow on my puny little firewall system, which is why I want to move it off to a more powerful "administrative" system and have the firewall do nothing more than run a bunch of iptables rules.

Is this an accurate description of the workload split in Shorewall Lite?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Fri, 2007-02-02 at 10:54 -0800, Tom Eastep wrote:
>> Shorewall can already do this. It's what Shorewall Lite is all about.
>>
>> See http://www.shorewall.net/CompiledPrograms.html#Lite
>
> Hrm. How much of the "grunt work" is offloaded from the "firewall"
> system though? I find rule compilation quite slow on my puny little
> firewall system, which is why I want to move it off to a more powerful
> "administrative" system and have the firewall do nothing more than run a
> bunch of iptables rules.
>
> Is this an accurate description of the workload split in Shorewall Lite?

Yes.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> Brian J. Murrell wrote:
> > Hrm. How much of the "grunt work" is offloaded from the "firewall"
> > system though?

And to put a number on that, I find it's usually about a 10:1 split. The part that's left running on the firewall system appears to spend almost all its time doing the fork+exec thing for iptables - once per rule, and fork+exec is a lot slower than people expect. It could be made faster, but not by running on a different host.
Andrew Suffield wrote:
>> Brian J. Murrell wrote:
>>> Hrm. How much of the "grunt work" is offloaded from the "firewall"
>>> system though?
>
> And to put a number on that, I find it's usually about a 10:1
> split. The part that's left running on the firewall system appears to
> spend almost all its time doing the fork+exec thing for iptables -
> once per rule, and fork+exec is a lot slower than people expect. It
> could be made faster, but not by running on a different host.

I'm thinking that the big thrust for Shorewall 3.6 will be to have the compiler generate rules in iptables-restore format -- that will make rule activation much faster because it eliminates almost all of the fork+exec overhead.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
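To make the fork+exec point above concrete, here is an added example (it is not Shorewall's compiler and did not come from this thread) that turns a list of per-rule iptables commands into iptables-restore input, so the firewall runs one iptables-restore process instead of one iptables process per rule. The input lines are constructed for the example and assume the simple shape `iptables [-t table] -N|-P|-A chain ...`, with -t, where present, given first; option arguments containing spaces (quoted log prefixes, for instance) are not handled.

```shell
# to_restore: read "iptables ..." command lines on stdin and write
# iptables-restore input on stdout: one *table block per table with its
# chain declarations (":chain POLICY [0:0]"), its -A rules, and COMMIT.
# Added example; assumes -t, if present, is the first option on the line.
to_restore() {
    awk '
    # Record chain c of table t; "-" means "no policy" (user chain, or a
    # built-in chain whose policy was not set with -P).
    function add_chain(t, c, pol) {
        if (!((t, c) in chains)) {
            chains[t, c] = pol
            order[t, ++nchains[t]] = c
        } else if (pol != "-") {
            chains[t, c] = pol
        }
        if (!(t in seen)) { seen[t] = 1; tables[++ntables] = t }
    }
    {
        if ($1 != "iptables") next        # ignore anything that is not an iptables command
        table = "filter"; i = 2
        if ($i == "-t") { table = $(i + 1); i += 2 }
        op = $i; chain = $(i + 1)
        if (op == "-N") {
            add_chain(table, chain, "-")
        } else if (op == "-P") {
            add_chain(table, chain, $(i + 2))
        } else if (op == "-A") {
            add_chain(table, chain, "-")
            rule = ""
            for (j = i; j <= NF; j++) rule = rule (j > i ? " " : "") $j
            rules[table, ++nrules[table]] = rule
        }
    }
    END {
        for (a = 1; a <= ntables; a++) {
            t = tables[a]
            print "*" t
            for (b = 1; b <= nchains[t]; b++) {
                c = order[t, b]
                print ":" c " " chains[t, c] " [0:0]"
            }
            for (b = 1; b <= nrules[t]; b++) print rules[t, b]
            print "COMMIT"
        }
    }'
}

# Constructed sample input, not output from any real Shorewall run.
sample_commands() {
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -N net2fw' \
        'iptables -A INPUT -i eth0 -j net2fw' \
        'iptables -A net2fw -p tcp --dport 22 -j ACCEPT' \
        'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
}

# Five commands become one restore file; on the firewall this would be
# piped into a single "iptables-restore" instead of five iptables forks.
sample_commands | to_restore
```

Because iptables-restore applies each table atomically at COMMIT, the batched form also avoids the window in which only some of a table's rules are loaded, which the one-process-per-rule approach leaves open while the firewall starts.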
Does the administrative system still need access to /etc/shorewall/shorewall.conf? I would have thought it would use the shorewall.conf in the target's export dir:

$ /sbin/shorewall load -c gw
Cannot read /etc/shorewall/shorewall.conf! (Hint: Are you root?)
$ ls
accounting  maclist          policy         shorewall.conf      tcrules.old
actions     maclog           providers      shorewall.conf.old  tcstart
blacklist   Makefile         proxyarp       start               test
continue    masq             rfc1918        started             tos
ecn         masq.static-ip   rfc1918.old    stop                tspc.log
hosts       modules          rfc1918.older  stopped             tunnels
init        modules.rpmsave  route_rules    tcclasses           zones
initdone    nat              routestopped   tcclear
interfaces  netmap           rules          tcdevices
ipsec       params           shorewall      tcrules

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> Does the administrative system still need access
> to /etc/shorewall/shorewall.conf?

Yes --

> I would have thought it would use the
> shorewall.conf in the target's export dir:

It does for most things. The compiler runs under the SHOREWALL_SHELL specified in /etc/shorewall/shorewall.conf, however.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2007-02-02 at 11:53 -0800, Tom Eastep wrote:
> It does for most things. The compiler runs under the SHOREWALL_SHELL
> specified in /etc/shorewall/shorewall.conf, however.

Ahhh. As just a minor point of documentation then, in http://www.shorewall.net/CompiledPrograms.html there is a note that starts out:

    On the administrative system, for each firewall system you do the
    following (this may be done by a non-root user who has root ssh
    access to the firewall system):
    ...
    If you are running Shorewall 3.2.6 or later then:

        cd <export directory>
        /sbin/shorewall load -c firewall

Perhaps it's Ubuntu specific, but /etc/shorewall/shorewall.conf is only readable by root:

-rw-r----- 1 root root 32660 2006-11-22 11:51 /etc/shorewall/shorewall.conf

In any case, on to real issues...

Having followed http://www.shorewall.net/CompiledPrograms.html I've run into my first issue. This is the sort of problem I predicted I would have for myself when I started down the road of doing this myself (before Tom kindly pointed out shorewall-lite). But the problem is:

ERROR: Can't determine the IP address of eth1

Of course eth1 lives on the firewall, not the admin box, yet the admin box is trying to do:

+ find_first_interface_address eth1
+ ip -f inet addr show eth1
...

That is something that is going to have to be remotely executed.

In my implementation I had kind of planned on opening a single ssh session to the firewall before doing anything and keeping it open (just to beat the overhead of one shell per command) for the duration, executing commands on the shell and getting their output back.

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
>
> But the problem is:
>
> ERROR: Can't determine the IP address of eth1
>
> Of course eth1 lives on the firewall, not the admin box, yet the admin
> box is trying to do:
>
> + find_first_interface_address eth1
> + ip -f inet addr show eth1
> ...
>
> That is something that is going to have to be remotely executed.

Please send a trace.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Brian J. Murrell wrote:
>
>> But the problem is:
>>
>> ERROR: Can't determine the IP address of eth1
>>
>> Of course eth1 lives on the firewall, not the admin box, yet the admin
>> box is trying to do:
>>
>> + find_first_interface_address eth1
>> + ip -f inet addr show eth1
>> ...
>>
>> That is something that is going to have to be remotely executed.
>
> Please send a trace.

Or are you calling find_first_interface_address out of your /etc/shorewall/params script?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell wrote:
> If you are running Shorewall 3.2.6 or later then:
>
> cd <export directory>
> /sbin/shorewall load -c firewall
>
> Perhaps it's Ubuntu specific, but /etc/shorewall/shorewall.conf is only
> readable by root:
>
> -rw-r----- 1 root root 32660 2006-11-22 11:51 /etc/shorewall/shorewall.conf
>

Then you need to speak to the Ubuntu Shorewall maintainer -- all of the installers that I release from shorewall.net secure it as rw-r--r--.

-Tom

PS to Lorenzo -- does the Debian installer also secure this rw-r-----? Maybe Ubuntu is just picking up your package's permissions setting.

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Ubuntu packages are not unique in that regard; Fedora Core packages use -rw-------.

On Fri, 2007-02-02 at 12:33 -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
>
> > If you are running Shorewall 3.2.6 or later then:
> >
> > cd <export directory>
> > /sbin/shorewall load -c firewall
> >
> > Perhaps it's Ubuntu specific, but /etc/shorewall/shorewall.conf is only
> > readable by root:
> >
> > -rw-r----- 1 root root 32660 2006-11-22 11:51 /etc/shorewall/shorewall.conf
> >
>
> Then you need to speak to the Ubuntu Shorewall maintainer -- all of the
> installers that I release from shorewall.net, secure it as rw-r--r--.
>
> -Tom
>
> PS to Lorenzo -- does the Debian installer also secure this rw-r-----? Maybe
> Ubuntu is just picking up your package's permissions setting.
Tom Eastep wrote:
> Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>
>>> But the problem is:
>>>
>>> ERROR: Can't determine the IP address of eth1
>>>
>>> Of course eth1 lives on the firewall, not the admin box, yet the admin
>>> box is trying to do:
>>>
>>> + find_first_interface_address eth1
>>> + ip -f inet addr show eth1
>>> ...
>>>
>>> That is something that is going to have to be remotely executed.
>> Please send a trace.
>
> Or are you calling find_first_interface_address out of your
> /etc/shorewall/params script?
>

If you need to set an address in /etc/shorewall/params, here's a trick:

if [ $HOSTNAME = remote ]; then
    ADDR=$(find_first_interface_address eth1)
else
    ADDR=$(ssh root@remote "shorewall-lite call find_first_interface_address eth1")
fi

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> If you need to set an address in /etc/shorewall/params, here's a trick:
>
> if [ $HOSTNAME = remote ]; then
>     ADDR=$(find_first_interface_address eth1)
> else
>     ADDR=$(ssh root@remote "shorewall-lite call find_first_interface_address
> eth1")
> fi

Please disregard -- the above works from the command line but not in /etc/shorewall/params.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2007-02-02 at 12:25 -0800, Tom Eastep wrote:
>
> Or are you calling find_first_interface_address out of your
> /etc/shorewall/params script?

~sigh~ Yeah, that's it. I think the Multi-ISP document had me do that.

It seems, I guess, that grabbing capabilities should also grab some basic network information with which these kinds of queries could be satisfied.

Would there be any objection to my starting to work on this and submitting patches? Heh. If I can find the time.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
On Fri, 2007-02-02 at 13:07 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
>
> > If you need to set an address in /etc/shorewall/params, here's a trick:
> >
> > if [ $HOSTNAME = remote ]; then
> >     ADDR=$(find_first_interface_address eth1)
> > else
> >     ADDR=$(ssh root@remote "shorewall-lite call find_first_interface_address
> > eth1")
> > fi
>
> Please disregard -- the above works from the command line but not in
> /etc/shorewall/params.

Well the $HOSTNAME goop doesn't work for whatever reason (I didn't investigate):

+ [ = gw ]
[: 1: gw: unexpected operator

But since this is the params file for that remote node, I just disregarded the conditional and put:

ETH1_IP=$(ssh root@gw shorewall-lite call find_first_interface_address eth1)

in my params file, and indeed it seems to have worked:

+ ssh root@gw shorewall-lite call find_first_interface_address eth1
+ ETH1_IP=72.38.184.236

I got a bunch of compiling going on and then:

ERROR: Chain designator not allowed when source is $FW; rule "256:P fw "

Which has got something to do with my "route everything through one interface by default" tcrules entry:

256:P $FW

But I have not investigated yet to see why. This was working using shorewall directly on the firewall. Let me dig into the source a bit...

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Fri, 2007-02-02 at 12:25 -0800, Tom Eastep wrote:
>> Or are you calling find_first_interface_address out of your
>> /etc/shorewall/params script?
>
> ~sigh~ Yeah, that's it. I think the Multi-ISP document had me do that.
>
> It seems, I guess, that grabbing capabilities should also grab some
> basic network information with which these kinds of queries could be
> satisfied.

The functions file in the current errata/Shorewall directory (http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/errata/Shorewall/) invokes a 'compiler' extension script during compiler startup. This script can be used to pull what you need from the remote system. I think it's better to put that under user control rather than for Shorewall to try to anticipate what information you need.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell wrote:
> On Fri, 2007-02-02 at 13:07 -0800, Tom Eastep wrote:
>> Tom Eastep wrote:
>>
>>> If you need to set an address in /etc/shorewall/params, here's a trick:
>>>
>>> if [ $HOSTNAME = remote ]; then
>>>     ADDR=$(find_first_interface_address eth1)
>>> else
>>>     ADDR=$(ssh root@remote "shorewall-lite call find_first_interface_address
>>> eth1")
>>> fi
>> Please disregard -- the above works from the command line but not in
>> /etc/shorewall/params.
>
> Well the $HOSTNAME goop doesn't work for whatever reason (I didn't
> investigate):
>
> + [ = gw ]
> [: 1: gw: unexpected operator

That's what I was telling you -- it doesn't work in the /etc/shorewall/params file.

>
> But since this is the params file for that remote node, I just
> disregarded the conditional and put:
>
> ETH1_IP=$(ssh root@gw shorewall-lite call find_first_interface_address eth1)
>
> in my params file, and indeed it seems to have worked:
>
> + ssh root@gw shorewall-lite call find_first_interface_address eth1
> + ETH1_IP=72.38.184.236
>
> I got a bunch of compiling going on and then:
>
> ERROR: Chain designator not allowed when source is $FW; rule "256:P fw "
>
> Which has got something to do with my "route everything through one
> interface by default" tcrules entry:
>
> 256:P $FW
>
> But I have not investigated yet to see why. This was working using
> shorewall directly on the firewall. Let me dig into the source a bit...

Is the version of Shorewall on the admin system the same as the one that you had on the firewall? I think that older versions let you get away with that invalid rule.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Fri, 2007-02-02 at 12:25 -0800, Tom Eastep wrote:
>>> Or are you calling find_first_interface_address out of your
>>> /etc/shorewall/params script?
>> ~sigh~ Yeah, that's it. I think the Multi-ISP document had me do that.
>>
>> It seems, I guess, that grabbing capabilities should also grab some
>> basic network information with which these kinds of queries could be
>> satisfied.
>
> The functions file in the current errata/Shorewall directory
> (http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/errata/Shorewall/)
> invokes a 'compiler' extension script during compiler startup. This

Sorry -- make that 'compile' rather than 'compiler'.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
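The remote address lookup that Brian put into his params file, moved into the 'compile' extension script Tom describes, as an added example that is neither Shorewall's code nor any poster's. The path /etc/shorewall/compile, the firewall name gw, the FETCH_REMOTE_ADDRESSES switch and the REMOTE_CMD override are all assumptions made for this example. The point the thread leaves implicit is that whatever the remote command prints gets spliced into a shell script the compiler later runs as root on the firewall, so the reply is treated as untrusted and accepted only if it is a single IPv4 address.

```shell
#!/bin/sh
# /etc/shorewall/compile (assumed path) -- added example of a 'compile'
# extension script, not Shorewall's own code. Sourced by the compiler on
# the admin station at startup; sets ETH1_IP for use in params/tcrules.

# Assumptions for this example (none come from the thread): the firewall is
# "gw", root's authorized_keys on gw restricts the admin key to the
# shorewall-lite call below, and REMOTE_CMD may be overridden so the lookup
# can be exercised without ssh.
FIREWALL_HOST=${FIREWALL_HOST:-gw}
REMOTE_CMD=${REMOTE_CMD:-"ssh root@$FIREWALL_HOST"}

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|"") return 1 ;;     # anything but digits and dots is rejected
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                         # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# remote_first_address IFACE -> prints gw's first IPv4 address on IFACE.
# Fails with nothing printed if IFACE is malformed (so it never reaches the
# remote command line) or if the reply is not exactly one IPv4 address.
remote_first_address() {
    iface=$1
    case $iface in
        ""|*[!A-Za-z0-9._-]*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac
    addr=$($REMOTE_CMD shorewall-lite call find_first_interface_address "$iface" 2>/dev/null | head -n 1)
    if is_ipv4 "$addr"; then
        printf '%s\n' "$addr"
        return 0
    fi
    echo "unusable address from $FIREWALL_HOST for $iface: '$addr'" >&2
    return 1
}

# When the compiler sources this file with FETCH_REMOTE_ADDRESSES set, fetch
# the address and abort the compile if the lookup fails, rather than letting
# an empty or bogus value into the generated firewall script.
if [ -n "${FETCH_REMOTE_ADDRESSES:-}" ]; then
    ETH1_IP=$(remote_first_address eth1) || exit 1
fi
```

With this in place the params file no longer needs its own ssh call; it just uses $ETH1_IP, and a failed or tampered-with lookup stops the compile instead of producing a script that runs on the firewall with an unexpected value in it.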
On Fri, 2007-02-02 at 17:03 -0800, Tom Eastep wrote:
>
> That's what I was telling you -- it doesn't work in the
> /etc/shorewall/params file.

Right. Was just ACKing what the problem was and that it was really only a peripheral problem.

> Is the version of Shorewall on the admin system the same as the one that
> you had on the firewall?

Nope. What was on the firewall was 3.2.3. The new admin version is 3.2.6. Had just figured out that it was invalid.

> I think that older versions let you get away
> with that invalid rule.

Seems so.

So what is the valid way to do that? Just drop the :P (this whole marking stuff is still fairly green for me yet).

Might want to update http://www.shorewall.net/FAQ.htm#faq58. :-)

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
>
>
> So what is the valid way to do that? Just drop the :P (this whole
> marking stuff is still fairly green for me yet).

Yes -- just drop the :P.

>
> Might want to update http://www.shorewall.net/FAQ.htm#faq58. :-)

Yep -- thanks.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2007-02-02 at 17:20 -0800, Tom Eastep wrote:
>
> Yep -- thanks.

NP.

Unfortunately, the gains I was hoping for in using shorewall-lite are just not there, but more importantly... I have this suspicion that shorewall-lite is not going to deal with an interface getting a different ip address too well. I suspect that a recompile of rules, which would need to happen on the admin station, would need to be done. Am I correct?

Wow. This is taking a while... oh well.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Fri, 2007-02-02 at 17:20 -0800, Tom Eastep wrote:
>> Yep -- thanks.
>
> NP.
>
> Unfortunately, the gains I was hoping for in using shorewall-lite are
> just not there, but more importantly... I have this suspicion that
> shorewall-lite is not going to deal with an interface getting a
> different ip address too well. I suspect that a recompile of rules,
> which would need to happen on the admin station would need to be done.
> Am I correct?
>

Yes --

> Wow. This is taking a while... oh well.
>

Have you looked at http://www.shorewall.net/ScalabilityAndPerformance.html?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key