Using shorewall-lite 4.2.8 on an openwrt machine, there is no /var/log/messages (of course), and as such shorewall-lite show complains:

    # shorewall-lite show
    LOGFILE (/var/log/messages) does not exist!

This of course has more dire consequences when trying to load rules.

How should this be handled? I could certainly set the LOGFILE variable to some file in /etc/shorewall-lite/shorewall-lite.conf but that it would not be an actual syslog file, seems hacky.

Is there a cleaner, more approved way for dealing with this on a machine that does not log locally?

Cheers,
b.

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev

Damn,

I always hit return too soon.

I have since noticed in /sbin/shorewall-lite:

    if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
        LOGREAD="logread | tac"
    elif [ -f $LOGFILE ]; then
        LOGREAD="tac $LOGFILE"
    else
        echo "LOGFILE ($LOGFILE) does not exist!" >&2
        exit 2
    fi

And I'm guessing that first condition is supposed to be trying to detect this remote-syslogging situation. However in my case I am using syslog-ng and it does not use the -C argument to punt to a remote syslog but instead uses a configuration file command for that.

Thots?

b.

Brian J. Murrell wrote:
> Damn,
>
> I always hit return too soon.
>
> I have since noticed in /sbin/shorewall-lite:
>
>     if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
>         LOGREAD="logread | tac"
>     elif [ -f $LOGFILE ]; then
>         LOGREAD="tac $LOGFILE"
>     else
>         echo "LOGFILE ($LOGFILE) does not exist!" >&2
>         exit 2
>     fi
>
> And I'm guessing that first condition is supposed to be trying to detect
> this remote-syslogging situation.

The first condition was contributed by the OpenWRT user (I thought it was you) who complained that Shorewall couldn't read the local log.

> However in my case I am using
> syslog-ng and it does not use the -C argument to punt to a remote syslog
> but instead uses a configuration file command for that.
>
> Thots?

Point LOGFILE at a small file that you know will exist.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> Brian J. Murrell wrote:
>> Damn,
>>
>> I always hit return too soon.
>>
>> I have since noticed in /sbin/shorewall-lite:
>>
>>     if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
>>         LOGREAD="logread | tac"
>>     elif [ -f $LOGFILE ]; then
>>         LOGREAD="tac $LOGFILE"
>>     else
>>         echo "LOGFILE ($LOGFILE) does not exist!" >&2
>>         exit 2
>>     fi
>>
>> And I'm guessing that first condition is supposed to be trying to detect
>> this remote-syslogging situation.
>
> The first condition was contributed by the OpenWRT user (I thought it
> was you) who complained that Shorewall couldn't read the local log.
>
>> However in my case I am using
>> syslog-ng and it does not use the -C argument to punt to a remote syslog
>> but instead uses a configuration file command for that.
>>
>> Thots?
>
> Point LOGFILE at a small file that you know will exist.

In 4.4.5, you will be able to set LOGFILE=/dev/null. You can do that now if you change:

    elif [ -f $LOGFILE ]; then

to

    elif [ -r $LOGFILE ]; then

-Tom

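The effect of the -f to -r change in the message above, as an added example that is not part of the original thread and is not shorewall-lite's own code. The function name choose_logread, its arguments and the two process listings are assumptions made for illustration; the listing is passed in as text so both branches can be run without a syslog daemon.

```shell
#!/bin/sh
# Added example, not shorewall-lite's own code. choose_logread and its
# arguments are hypothetical; the process listing is passed in as text so
# the branches can be exercised without a running syslog daemon.

# Constructed process listings (not captured from a real router).
PS_SYSLOGD_C='  412 root  1480 S  /sbin/syslogd -C16
  414 root  1472 S  /sbin/klogd'
PS_SYSLOG_NG='  398 root  3120 S  /usr/sbin/syslog-ng'

# choose_logread TEST_OP LOGFILE PS_OUTPUT
#   TEST_OP is -f (the test in 4.2.8) or -r (the suggested change).
#   Prints the command that would read the log newest-first; returns 2
#   when neither source is usable, matching the script's fatal exit.
choose_logread() {
    test_op=$1 logfile=$2 ps_output=$3

    # Branch 1: a syslogd started with -C is read through logread.
    # A syslog-ng process never matches this pattern.
    if printf '%s\n' "$ps_output" | grep -q 'syslogd.*-C'; then
        echo "logread | tac"
        return 0
    fi

    # Branch 2: local file. -f requires a regular file, so a character
    # device such as /dev/null fails; -r only requires read permission.
    if [ "$test_op" "$logfile" ]; then
        echo "tac $logfile"
        return 0
    fi

    echo "LOGFILE ($logfile) does not exist!" >&2
    return 2
}

# Walk both tests over /dev/null and a path that does not exist.
demo() {
    missing=/nonexistent/messages.$$
    for op in -f -r; do
        for lf in /dev/null "$missing"; do
            if cmd=$(choose_logread "$op" "$lf" "$PS_SYSLOG_NG" 2>/dev/null); then
                echo "test $op  LOGFILE=$lf  ->  $cmd"
            else
                echo "test $op  LOGFILE=$lf  ->  fatal, exit status 2"
            fi
        done
    done
}
demo
```

With the syslog-ng listing, only the -r test accepts /dev/null; a path that does not exist is still fatal under either test, so a mistyped LOGFILE is not silently accepted.
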
On Thu, 2009-12-03 at 17:09 -0800, Tom Eastep wrote:
>
> In 4.4.5, you will be able to set LOGFILE=/dev/null. You can do that now
> if you change:
>
>     elif [ -f $LOGFILE ]; then
>
> to
>
>     elif [ -r $LOGFILE ]; then

Heh. Yeah. /dev/null was my initial instinct until I saw the -f test rather than, as you have used, -r.

Cheers,
b.

On Thu, 2009-12-03 at 16:07 -0800, Tom Eastep wrote:
>
> The first condition was contributed by the OpenWRT user (I thought it
> was you) who complained that Shorewall couldn't read the local log.

That could very well be the case. :-)

> Point LOGFILE at a small file that you know will exist.

Just out of curiosity, I wonder what the reasoning behind making this be a fatal error is.

b.

Brian J. Murrell wrote:
> On Thu, 2009-12-03 at 16:07 -0800, Tom Eastep wrote:
>> The first condition was contributed by the OpenWRT user (I thought it
>> was you) who complained that Shorewall couldn't read the local log.
>
> That could very well be the case. :-)
>
>> Point LOGFILE at a small file that you know will exist.
>
> Just out of curiosity, I wonder what the reasoning behind making this be
> a fatal error is.

Shorewall User: My Shorewall doesn't work. When I try to connect.... <incoherent tale of woe follows>

Shorewall Support: What shows in your log when you try to connect?

Shorewall User: There's a log???

-Tom

Hello,

I'm sorry to write this email, but I have already read (/usr/share/doc/shorewall-common/README.Debian.gz) many times and didn't understand.

I'm changing my firewall from Fedora to Debian.

When I run "/etc/init.d/shorewall start" I see .....

    #### WARNING ####
    The firewall won't be started/stopped unless it is configured

    Please read about Debian specific customization in
    /usr/share/doc/shorewall-common/README.Debian.gz.
    #################

How can I resolve it?

Thanks a lot.

Watanabe Anderson

Check /etc/default/shorewall and make sure you have:

    startup=1

and in /etc/shorewall/shorewall.conf

    STARTUP_ENABLED=Yes

Cris
--
LcX.at - Web Design, Development & Hosting
VoIP & Linux Groupware Solutions
w: http://lcx.at

On 4. Dec 2009, at 11:32, Watanabe Anderson wrote:
> Hello,
>
> I'm sorry to write this email, but I have already read
> (/usr/share/doc/shorewall-common/README.Debian.gz) many times and didn't
> understand.
>
> I'm changing my firewall from Fedora to Debian.
>
> When I run "/etc/init.d/shorewall start" I see .....
>
> #### WARNING ####
> The firewall won't be started/stopped unless it is configured
>
> Please read about Debian specific customization in
> /usr/share/doc/shorewall-common/README.Debian.gz.
> #################
>
> How can I resolve it?
>
> Thanks a lot.
>
> Watanabe Anderson

Watanabe Anderson wrote:
>I'm sorry to write this email, but I have already read
>(/usr/share/doc/shorewall-common/README.Debian.gz) many times and didn't
>understand.
>
>I'm changing my firewall from Fedora to Debian.
>
>When I run "/etc/init.d/shorewall start" I see .....
>
>#### WARNING ####
>The firewall won't be started/stopped unless it is configured
>
>Please read about Debian specific customization in
>/usr/share/doc/shorewall-common/README.Debian.gz.
>#################
>
>How can I resolve it?

From the file you reference:

>1. AUTOMATIC STARTUP
>--------------------
>
>In order to avoid the startup of the firewall on an unconfigured machine,
>automatic startup, on boot, is disabled by default. To enable it just edit the
>file /etc/default/shorewall and set the "startup" variable to 1.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

I am assuming that you have already configured interfaces, policies and rules ...

After that, you need to edit /etc/default/shorewall and change "startup" from "0" to "1", then you can run

    shorewall start

Fábio Rabelo

2009/12/4 Watanabe Anderson <wataankaol@gmail.com>
> Hello,
>
> I'm sorry to write this email, but I have already read
> (/usr/share/doc/shorewall-common/README.Debian.gz) many times and didn't
> understand.
>
> I'm changing my firewall from Fedora to Debian.
>
> When I run "/etc/init.d/shorewall start" I see .....
>
> #### WARNING ####
> The firewall won't be started/stopped unless it is configured
>
> Please read about Debian specific customization in
> /usr/share/doc/shorewall-common/README.Debian.gz.
> #################
>
> How can I resolve it?
>
> Thanks a lot.
>
> Watanabe Anderson

Hello,

Now it is running.

Thanks a lot

W. Anderson.