Hello,

I assume that the same verification done when running 'shorewall check' is automatically done when starting a firewall. Is this the case, or is there some difference as far as verifying the firewall configuration?

Thanks.

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On 6/12/10 6:15 PM, lanas wrote:
> Hello,
>
> I assume that the same verification done when running 'shorewall
> check' is automatically done when starting a firewall. Is this the
> case, or is there some difference as far as verifying the firewall
> configuration?

It depends very much on the version of Shorewall that you are running.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Sat, 12 Jun 2010 18:49:12 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> On 6/12/10 6:15 PM, lanas wrote:
> > Hello,
> >
> > I assume that the same verification done when running 'shorewall
> > check' is automatically done when starting a firewall. Is this the
> > case, or is there some difference as far as verifying the firewall
> > configuration?
>
> It depends very much on the version of Shorewall that you are running.

That'd be the latest from Debian, which is, if I'm not mistaken, 4.4.9.

The idea behind the question is to provide users a consistent approach as far as, when they've run 'shorewall check' and it verifies OK, then no errors would be returned when doing a 'shorewall start'.

Is this possible at all, assuming everything is OK (needed modules) with iptables?

Thanks!
On 6/13/10 2:54 PM, lanas wrote:
>
> That'd be the latest from Debian, which is, if I'm not mistaken, 4.4.9.
>
> The idea behind the question is to provide users a consistent approach
> as far as, when they've run 'shorewall check' and it verifies OK, then
> no errors would be returned when doing a 'shorewall start'.
>

The checks that *Shorewall* makes are identical during 'check', 'start' and 'restart'. But we can never guarantee that iptables-restore won't find something to complain about. That's why I always recommend saving your configuration ("shorewall save") once you are satisfied that it is working correctly. That way, if you change the configuration and 'restart' fails during the execute phase, your firewall will be restored to its last good state.

-Tom
Tom Eastep wrote:
> On 6/13/10 2:54 PM, lanas wrote:
>
>> That'd be the latest from Debian, which is, if I'm not mistaken, 4.4.9.
>>
>> The idea behind the question is to provide users a consistent approach
>> as far as, when they've run 'shorewall check' and it verifies OK, then
>> no errors would be returned when doing a 'shorewall start'.
>>
>
> The checks that *Shorewall* makes are identical during 'check', 'start'
> and 'restart'. But we can never guarantee that iptables-restore won't
> find something to complain about. That's why I always recommend saving
> your configuration ("shorewall save") once you are satisfied that it is
> working correctly. That way, if you change the configuration and
> 'restart' fails during the execute phase, your firewall will be restored
> to its last good state.
>

Another good practice is to use shorewall safe-start and safe-restart; that way, if your new config doesn't pass shorewall check, the system will fall back to the last good config.

> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
Hi Jorge,

After reading "Another good practice is the use shorewall safe-start and safe-restart, that way if your new config dont pass shorewall check the system will fall back to the last good config." I tried safe-restart and found it hangs my session for 150 seconds, but restart works in an instant.

See attached for a more detailed description.

Regards,
Trent
On 6/14/10 10:12 PM, Trent O'Callaghan wrote:
> Hi Jorge,
>
> After reading "Another good practice is the use shorewall safe-start
> and safe-restart, that way if your new config dont pass shorewall check
> the system will fall back to the last good config."
>
> I tried safe-restart and found it hangs my session for 150 seconds but
> restart works in an instant.
>
> See attached for a more detailed description.

We will need to see a trace to understand what is going wrong on your system (I'm unable to reproduce it here):

    sh -x /sbin/shorewall safe-restart 2> trace

and forward the 'trace' file.

-Tom
Hi Tom,

For comparison I have attached the requested 'sh -x /sbin/shorewall safe-restart 2> trace' as trace-safe.txt, and 'sh -x /sbin/shorewall restart 2> trace-ok' as trace-ok.txt.

The process wait during safe-restart (150 seconds) is occurring during:

    + awk BEGIN { sline=""; };\
      /^-j/ { print sline $0; next };\
      /-m policy.*-j/ { print $0; next };\
      /-m policy/ { sline=$0; next };\
      /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
      { print ; sline="" }

-Trent

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, 15 June 2010 10:32 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] When starting a firewall setup...

We will need to see a trace to understand what is going wrong on your system (I'm unable to reproduce it here):

    sh -x /sbin/shorewall safe-restart 2> trace

and forward the 'trace' file.

-Tom
On 6/15/10 6:16 PM, Trent O'Callaghan wrote:
> Hi Tom,
>
> For comparison I have attached the requested
> 'sh -x /sbin/shorewall safe-restart 2> trace' as trace-safe.txt
> and
> 'sh -x /sbin/shorewall restart 2> trace-ok' as trace-ok.txt
> for comparison.
>
> The process wait during safe-restart (150 seconds) is occurring during:
> + awk BEGIN { sline=""; };\
>   /^-j/ { print sline $0; next };\
>   /-m policy.*-j/ { print $0; next };\
>   /-m policy/ { sline=$0; next };\
>   /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
>   { print ; sline="" }

You apparently possess insight which I lack; the above invocation of 'awk' is part of a pipeline of two commands; from the source:

    do_save() {
        local status
        status=0

        if [ -f ${VARDIR}/firewall ]; then
            if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
                cp -f ${VARDIR}/firewall $g_restorepath
                mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
                chmod +x $g_restorepath
                echo "  Currently-running Configuration Saved to $g_restorepath"

The 'awk' command is the active statement in 'iptablesbug' (if awk isn't installed, iptablesbug runs 'cat'). So it is still not obvious why your system produces the awkward pause (pun intended :-) ).

Does 'shorewall save' show a similar pause on your system?

-Tom
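The two-stage pipeline Tom quotes ($iptables_save | iptablesbug) is what produces the ruleset that safe-restart falls back to, so it is worth seeing what the awk stage actually changes. The block below is an added example, not Shorewall's own code: it wraps the quoted awk program as a function, runs it over a constructed fragment of iptables-save output, and adds a small check that the saved file has no orphan "-j" lines left. The sample lines, including the trailing space on the split "-m policy" line, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the awk filter quoted in the thread, wrapped as a function and
# run over a constructed iptables-save fragment. Not Shorewall's own code.

# Same program as in the thread; falls back to cat when awk is missing, which
# is what Tom says iptablesbug does.
iptablesbug() {
    if command -v awk >/dev/null 2>&1; then
        awk 'BEGIN { sline=""; };
             /^-j/ { print sline $0; next };
             /-m policy.*-j/ { print $0; next };
             /-m policy/ { sline=$0; next };
             /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };
             { print ; sline="" }'
    else
        cat
    fi
}

# Constructed sample (assumption, not a real ruleset): a "-m policy" rule whose
# "-j" target landed on its own line (trailing space kept on the first half),
# and a CONNMARK rule written with the bare mask "ff".
sample_input() {
    printf '%s\n' \
        '*mangle' \
        ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -j CONNMARK --restore-mark --mask ff' \
        '-A PREROUTING -m policy --dir in --pol ipsec ' \
        '-j ACCEPT' \
        '-A PREROUTING -m policy --dir in --pol ipsec -j DROP' \
        'COMMIT'
}

# What the filter should hand to iptables-restore: split rule rejoined, mask
# rewritten as 0xff, every other line untouched.
expected_output() {
    printf '%s\n' \
        '*mangle' \
        ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -j CONNMARK --restore-mark --mask 0xff' \
        '-A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT' \
        '-A PREROUTING -m policy --dir in --pol ipsec -j DROP' \
        'COMMIT'
}

# Sanity check before trusting a saved file as the fallback: no line may still
# begin with "-j", since iptables-restore would reject such an orphan.
no_orphan_targets() {
    ! grep -q '^-j' "$1"
}

# Stand-alone run: show the filtered output.
sample_input | iptablesbug
```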
> The 'awk' command

    root@per-r1:~# dpkg -l | grep awk
    ii  gawk    1:3.1.6.dfsg-0ubuntu1    GNU awk, a pattern scanning and processing l
    ii  mawk    1.3.3-13ubuntu1          a pattern scanning and text processing langu
    root@per-r1:~# awk -h

> Does 'shorewall save' show a similar pause on your system?

YES

-Trent

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 16 June 2010 11:28 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] [SPAM] Re: When starting a firewall setup...
Sorry Tom,

The symptom was caused by a local issue with DNS not working in my build environment.

safe-restart is lightning fast now that the root cause has been resolved.

-Trent

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 16 June 2010 11:28 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] [SPAM] Re: When starting a firewall setup...
On 6/15/10 10:49 PM, Trent O'Callaghan wrote:
> Sorry Tom
>
> The symptom was caused by a local issue with DNS not working in my build
> environment.
>
> safe-restart is Lightning fast now that root cause has been resolved.

Thanks for the update, Trent.

-Tom