Shorewall users - May 2007 - shorewall-perl do not LOG dropped packets

Hi,

On Tom advices, I installed  :
shorewall-3.4.3-1
shorewall-perl-3.9.0-1
To get my shorewall reload very faster. And it IS very faster!! great news.
I just have a little problem :
Everything works fine with : SHOREWALL_COMPILER=perl but no packet are
logged (!?) is that normal? Without chaning anything but
SHOREWALL_COMPILER=shell, packets are logged as before... Is there a
parameter in shorewall-perl for this issue?

Another questions probably linked :
When I''m in SHOREWALL_COMPILER=shell mode and I do a
"iptables-save >
shorewall-shell.txt" I''ve got my rules, if I do the same with
SHOREWALL_COMPILER=perl ("iptables-save > shorewall-perl.txt"), the
rules
are a bit differents :
For instance :
I''ve got this in my shorewall-perl.txt :
-A @fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:" --log-level 7
And the same line is this one in shorewall-shell.txt :
-A @fw2all -m limit --limit 5/min -j LOG --log-prefix
"Shorewall:@fw2all:DROP:"
--log-level 7
It also seems that initdone file is no longer used for instance with
shorewall-perl..
Can someone explain me or have an idea for these issues?

Thanx by advance for your answers!

Hindisvik


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Reykjavik hindisvik wrote:
> Hi,
>  
> On Tom advices, I installed  :
> shorewall-3.4.3-1
> shorewall-perl-3.9.0-1
> To get my shorewall reload very faster. And it IS very faster!! great news.
> I just have a little problem :
> Everything works fine with : SHOREWALL_COMPILER=perl but no packet are
> logged (!?) is that normal? Without chaning anything but
> SHOREWALL_COMPILER=shell, packets are logged as before... Is there a
> parameter in shorewall-perl for this issue?
>  
> Another questions probably linked :
> When I''m in SHOREWALL_COMPILER=shell mode and I do a
"iptables-save >
> shorewall-shell.txt" I''ve got my rules, if I do the same with
> SHOREWALL_COMPILER=perl ("iptables-save > shorewall-perl.txt
"), the
> rules are a bit differents :
> For instance :
> I''ve got this in my shorewall-perl.txt :
> -A @fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:"
--log-level 7
> And the same line is this one in shorewall-shell.txt :
> -A @fw2all -m limit --limit 5/min -j LOG --log-prefix
> "Shorewall:@fw2all:DROP:" --log-level 7
>  
> It also seems that initdone file is no longer used for instance with
> shorewall-perl..
> Can someone explain me or have an idea for these issues?
>  
> Thanx by advance for your answers!
This is Beta Software -- expect BUGS

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Reykjavik hindisvik wrote:
>> Hi,
>>  
>> On Tom advices, I installed  :
I have never ''advised'' anyone to install beta software. I
point out that
it is available and what it does.
>> shorewall-3.4.3-1
>> shorewall-perl-3.9.0-1
>> To get my shorewall reload very faster. And it IS very faster!! great
news.
>> I just have a little problem :
>> Everything works fine with : SHOREWALL_COMPILER=perl but no packet are
>> logged (!?) is that normal? Without chaning anything but
>> SHOREWALL_COMPILER=shell, packets are logged as before... Is there a
>> parameter in shorewall-perl for this issue?
>>  
>> Another questions probably linked :
>> When I''m in SHOREWALL_COMPILER=shell mode and I do a
"iptables-save >
>> shorewall-shell.txt" I''ve got my rules, if I do the same
with
>> SHOREWALL_COMPILER=perl ("iptables-save > shorewall-perl.txt
"), the
>> rules are a bit differents :
>> For instance :
>> I''ve got this in my shorewall-perl.txt :
>> -A @fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:"
--log-level 7
>> And the same line is this one in shorewall-shell.txt :
>> -A @fw2all -m limit --limit 5/min -j LOG --log-prefix
>> "Shorewall:@fw2all:DROP:" --log-level 7
There is no difference in those rules except the order of the predicates
(which is not significant).
>>  
>> It also seems that initdone file is no longer used for instance with
>> shorewall-perl..
Please read the release notes.
>> Can someone explain me or have an idea for these issues?
>>  
>> Thanx by advance for your answers!
> 
> This is Beta Software -- expect BUGS
And when you find a bug, please document it fully. Your statement of the
initial problem about no log messages is not a problem report -- is is
at most an observation.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Reykjavik hindisvik wrote:
>> Hi,
>>  
>> On Tom advices, I installed  :
>> shorewall-3.4.3-1
>> shorewall-perl-3.9.0-1
>> To get my shorewall reload very faster. And it IS very faster!! great
news.
>> I just have a little problem :
>> Everything works fine with : SHOREWALL_COMPILER=perl but no packet are
>> logged (!?) is that normal? Without chaning anything but
>> SHOREWALL_COMPILER=shell, packets are logged as before... Is there a
>> parameter in shorewall-perl for this issue?
>>  
>> Another questions probably linked :
>> When I''m in SHOREWALL_COMPILER=shell mode and I do a
"iptables-save >
>> shorewall-shell.txt" I''ve got my rules, if I do the same
with
>> SHOREWALL_COMPILER=perl ("iptables-save > shorewall-perl.txt
"), the
>> rules are a bit differents :
>> For instance :
>> I''ve got this in my shorewall-perl.txt :
>> -A @fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:"
--log-level 7
>> And the same line is this one in shorewall-shell.txt :
>> -A @fw2all -m limit --limit 5/min -j LOG --log-prefix
>> "Shorewall:@fw2all:DROP:" --log-level 7
>>  
>> It also seems that initdone file is no longer used for instance with
>> shorewall-perl..
>> Can someone explain me or have an idea for these issues?
>>  
>> Thanx by advance for your answers!
> 
> This is Beta Software -- expect BUGS
And in your case, you are running Alpha software -- 3.9.0 was *really*
buggy.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> ...
>> It also seems that initdone file is no longer used for instance with
>> shorewall-perl..
>> Can someone explain me or have an idea for these issues?
>>  
>> Thanx by advance for your answers!
> 
> This is Beta Software -- expect BUGS
P.S.  Bug reporting is better done on the shorewall-devel list...  :-)

-- 
Paul
<http://paulgear.webhop.net>
--
A: Because it breaks the logical sequence of discussion.
Q: Why shouldn''t i write my replies at the top of emails?



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

I''ve upgraded to shorewall-perl-3.9.7-1 and the problem of logging does
no
longer exist! great news! :)
Thx for your advices


2007/5/26, Paul Gear <paul@gear.dyndns.org>:
>
> Tom Eastep wrote:
> > ...
> >> It also seems that initdone file is no longer used for instance
with
> >> shorewall-perl..
> >> Can someone explain me or have an idea for these issues?
> >>
> >> Thanx by advance for your answers!
> >
> > This is Beta Software -- expect BUGS
>
> P.S.  Bug reporting is better done on the shorewall-devel list...  :-)
>
> --
> Paul
> <http://paulgear.webhop.net>
> --
> A: Because it breaks the logical sequence of discussion.
> Q: Why shouldn''t i write my replies at the top of emails?
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

OK Tom, thank you for your explanations. As I said this afternoon, I''ve
upgraded to the last shorewall-perl version, and, indeed, I have no problem
with the logging! good news!
But I still don''t know how to tell shorewall perl to use my initdone
file or
to make shorewall-perl launch these rules :

-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth3 -o eth3 -j ACCEPT
-A FORWARD -i eth2 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT

If you have an idea...
Thank you by advance,

Hindisvik



2007/5/26, Tom Eastep <teastep@shorewall.net>:
>
> Tom Eastep wrote:
> > Reykjavik hindisvik wrote:
> >> Hi,
> >>
> >> On Tom advices, I installed  :
>
> I have never ''advised'' anyone to install beta software. I
point out that
> it is available and what it does.
>
> >> shorewall-3.4.3-1
> >> shorewall-perl-3.9.0-1
> >> To get my shorewall reload very faster. And it IS very faster!!
great
> news.
> >> I just have a little problem :
> >> Everything works fine with : SHOREWALL_COMPILER=perl but no packet
are
> >> logged (!?) is that normal? Without chaning anything but
> >> SHOREWALL_COMPILER=shell, packets are logged as before... Is there
a
> >> parameter in shorewall-perl for this issue?
> >>
> >> Another questions probably linked :
> >> When I''m in SHOREWALL_COMPILER=shell mode and I do a
"iptables-save >
> >> shorewall-shell.txt" I''ve got my rules, if I do the
same with
> >> SHOREWALL_COMPILER=perl ("iptables-save >
shorewall-perl.txt "), the
> >> rules are a bit differents :
> >> For instance :
> >> I''ve got this in my shorewall-perl.txt :
> >> -A @fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:"
--log-level 7
> >> And the same line is this one in shorewall-shell.txt :
> >> -A @fw2all -m limit --limit 5/min -j LOG --log-prefix
> >> "Shorewall:@fw2all:DROP:" --log-level 7
>
> There is no difference in those rules except the order of the predicates
> (which is not significant).
>
> >>
> >> It also seems that initdone file is no longer used for instance
with
> >> shorewall-perl..
>
> Please read the release notes.
>
> >> Can someone explain me or have an idea for these issues?
> >>
> >> Thanx by advance for your answers!
> >
> > This is Beta Software -- expect BUGS
>
> And when you find a bug, please document it fully. Your statement of the
> initial problem about no log messages is not a problem report -- is is
> at most an observation.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Reykjavik hindisvik wrote:
> OK Tom, thank you for your explanations. As I said this afternoon,
I''ve
> upgraded to the last shorewall-perl version
You said that you had upgraded to 3.9.7. The latest Shorewall-perl
release is 4.0.0-Beta2.
> and, indeed, I have no
> problem with the logging! good news!
> But I still don''t know how to tell shorewall perl to use my
initdone
> file or to make shorewall-perl launch these rules :
Please:

a) Read the mailing list release announcements. In the Beta2
announcement, I embedded a message to you personally.

b) Read the release notes CAREFULLY. Extension scripts such as initdone
must be *written in Perl* if you are going to run Shorewall-perl. The
''initdone'' script was not supported in 3.9.x; it is once again
supported
in 4.0.0-Beta2 (but must be written in Perl).
>  
> -A FORWARD -i eth4 -o eth4 -j ACCEPT 
> -A FORWARD -i eth3 -o eth3 -j ACCEPT 
> -A FORWARD -i eth2 -o eth2 -j ACCEPT 
> -A FORWARD -i eth1 -o eth1 -j ACCEPT
You don''t need an extension script at all to add those silly rules; you
just have to set the ''routeback'' option on each interface in
/etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

2007/5/28, Tom Eastep <teastep@shorewall.net>:
>
> Reykjavik hindisvik wrote:
> > OK Tom, thank you for your explanations. As I said this afternoon,
I''ve
> > upgraded to the last shorewall-perl version
>
> You said that you had upgraded to 3.9.7. The latest Shorewall-perl
> release is 4.0.0-Beta2.

I''ve just installed this last one
> and, indeed, I have no
> > problem with the logging! good news!
> > But I still don''t know how to tell shorewall perl to use my
initdone
> > file or to make shorewall-perl launch these rules :
>
> Please:
>
> a) Read the mailing list release announcements. In the Beta2
> announcement, I embedded a message to you personally.
>
> b) Read the release notes CAREFULLY. Extension scripts such as initdone
> must be *written in Perl* if you are going to run Shorewall-perl. The
> ''initdone'' script was not supported in 3.9.x; it is once
again supported
> in 4.0.0-Beta2 (but must be written in Perl).
>
> >
> > -A FORWARD -i eth4 -o eth4 -j ACCEPT
> > -A FORWARD -i eth3 -o eth3 -j ACCEPT
> > -A FORWARD -i eth2 -o eth2 -j ACCEPT
> > -A FORWARD -i eth1 -o eth1 -j ACCEPT
>
> You don''t need an extension script at all to add those silly
rules; you
> just have to set the ''routeback'' option on each interface
in
> /etc/shorewall/interfaces.


Indeed, I didn''t know this option, it does the same thing. Thx!

-Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/