# /sbin/shorewall version
4.4.18.2

# /sbin/shorewall status
Shorewall-4.4.18.2 Status at ws01 - Tue Apr 5 15:04:10 BST 2011

Shorewall is running
State:Started (Tue Apr 5 14:59:59 BST 2011) from /etc/shorewall/

# /sbin/shorewall show zones
Shorewall 4.4.18.2 Zones at ws01 - Tue Apr 5 15:10:01 BST 2011

fw (firewall)
net (ipv4)
   +:0.0.0.0/0

General status
==============
Shorewall has been working fine, filtering as expected, external ssh and
other connections to workstation working, all functions appear normal,
until I wanted to add a REDIRECT command so that ssh connections could
be made to the machine on tcp port 1234 in addition to the usual port 22

Minimal rules file used in testing REDIRECT
===========================================
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 1234
REDIRECT net 22 tcp 1234

Observed behaviour
==================
1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
below:

# /sbin/shorewall restart
Compiling...

(lines omitted for clarity)

Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Chains.pm line 862.
Restarting Shorewall....
Initializing...

(lines omitted for clarity)

done.

1a. Shorewall starts and functions normally, except REDIRECT does not
appear to be functional.

2. If in shorewall.conf, change OPTIMIZE=15 to OPTIMIZE=3, error is no
longer reported, but REDIRECT is still non-functional.

3. chain 'dnat' appears to be orphaned, i.e. 0 references

# /sbin/shorewall show -t nat
Shorewall 4.4.18.2 nat Table at ws01 - Tue Apr 5 15:55:28 BST 2011

Counters reset Tue Apr 5 15:45:45 BST 2011

Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dnat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 redir ports 22

4. Other chains ( /sbin/shorewall show ) appear normal, but I can send
if that would help.

Many thanks,
George

--
---------------------------------------------------------------------
George Cameron                       Email: g.cameron@abdn.ac.uk
School of Medical Sciences
College of Life Sciences & Medicine
University of Aberdeen
Foresterhill                         Fax: +44 (0)1224-552514
Aberdeen AB25 2ZD                    Telephone: +44 (0)1224-553210
Scotland, UK
------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
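An added illustration, not part of the thread: a small script that parses `shorewall show -t nat` (iptables `-L -v` style) output and reports chains that carry rules but cannot be reached from any built-in chain, which is exactly the state of the `dnat` chain in the report above. The sample output is constructed from that report; note that a plain "0 references" check would flag `dnat` but miss `net_dnat`, which shows 1 reference yet is equally unreachable because its only caller is itself orphaned.

```python
import re

# Constructed sample modelled on the 'shorewall show -t nat' output in the report:
# PREROUTING has no rules, 'dnat' jumps to 'net_dnat', but nothing references 'dnat'.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 72 packets, 5387 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain dnat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 redir ports 22
"""

# Built-in chains carry a policy; user chains carry a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((policy (\S+)|(\d+) references)")

def parse_table(text):
    """Return {chain: {'builtin': bool, 'targets': [...]}} from iptables -L -v style output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"builtin": m.group(3) is not None, "targets": []}
            continue
        fields = line.split()
        # Rule lines start with the packet counter; skip headers, titles and blanks.
        if current is None or len(fields) < 3 or not fields[0].isdigit():
            continue
        chains[current]["targets"].append(fields[2])  # third column is the target
    return chains

def unreachable_chains(chains):
    """Chains that hold rules but that no built-in chain can ever jump into."""
    seen, stack = set(), [c for c, v in chains.items() if v["builtin"]]
    while stack:  # walk the jump graph outward from PREROUTING/POSTROUTING/OUTPUT
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(t for t in chains[c]["targets"] if t in chains)
    return sorted(c for c, v in chains.items() if c not in seen and v["targets"])

if __name__ == "__main__":
    for chain in unreachable_chains(parse_table(SAMPLE_NAT)):
        print(f"{chain}: has rules but is unreachable from any built-in chain")
```

Feed it the real output of `shorewall show -t nat` (or `iptables -t nat -L -v -n`) to check whether a REDIRECT rule that "does nothing" is simply sitting in a chain that PREROUTING never calls.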
On 04/05/2011 07:57 AM, Cameron, George G. wrote:
>
> General status
> ==============
> Shorewall has been working fine, filtering as expected, external ssh and
> other connections to workstation working, all functions appear normal,
> until I wanted to add a REDIRECT command so that ssh connections could
> be made to the machine on tcp port 1234 in addition to the usual port 22
>
> Minimal rules file used in testing REDIRECT
> ===========================================
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> #
> ACCEPT net $FW tcp 22
> ACCEPT net $FW tcp 1234
> REDIRECT net 22 tcp 1234
>
> Observed behaviour
> ==================
> 1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
> below:
>
> # /sbin/shorewall restart
> Compiling...
>
> (lines omitted for clarity)
>
> Applying Policies...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Can't use an undefined value as an ARRAY reference at
> /usr/share/shorewall/Shorewall/Chains.pm line 862.
> Restarting Shorewall....
> Initializing...

I'm unable to reproduce this failure and REDIRECT works fine here. Please:

1. shorewall show -f capabilities > /etc/shorewall/caps
2. tar -xf shorewall.tar /etc/shorewall
3. Send me the tarball

Thanks,
-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Cameron, George G.
2011-Apr-06 08:48 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
Tom,

1. shorewall.tar.gz attached (including generated caps file) as requested

2. I noticed that I was still using shorewall.conf from 4.4.18.1, so
swapped to the new conf file:
    1. now, no error is reported - but this appears to be because
       OPTIMIZE=0 has now been made the default
    2. OPTIMIZE=4 results in the error report as before; other bits
       (e.g. OPTIMIZE=11) do not
    3. however, REDIRECT still does not appear to be working, with or
       without the OPTIMIZE bit that results in the error report

3. I have some experience with iptables-based firewalls, but would not
claim to be 'expert'. Is it correct that in 'shorewall show -t nat', the
dnat chain (which references net_dnat) should show 0 references?

And of course, many thanks again for taking a look.

George

On 05/04/2011 16:49, Tom Eastep wrote:
> On 04/05/2011 07:57 AM, Cameron, George G. wrote:
>> General status
>> ==============
>> Shorewall has been working fine, filtering as expected, external ssh and
>> other connections to workstation working, all functions appear normal,
>> until I wanted to add a REDIRECT command so that ssh connections could
>> be made to the machine on tcp port 1234 in addition to the usual port 22
>>
>> Minimal rules file used in testing REDIRECT
>> ===========================================
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> SECTION NEW
>> #
>> ACCEPT net $FW tcp 22
>> ACCEPT net $FW tcp 1234
>> REDIRECT net 22 tcp 1234
>>
>> Observed behaviour
>> ==================
>> 1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
>> below:
>>
>> # /sbin/shorewall restart
>> Compiling...
>>
>> (lines omitted for clarity)
>>
>> Applying Policies...
>> Generating Rule Matrix...
>> Optimizing Ruleset...
>> Can't use an undefined value as an ARRAY reference at
>> /usr/share/shorewall/Shorewall/Chains.pm line 862.
>> Restarting Shorewall....
>> Initializing...
> I'm unable to reproduce this failure and REDIRECT works fine here. Please:
>
> 1. shorewall show -f capabilities > /etc/shorewall/caps
> 2. tar -xf shorewall.tar /etc/shorewall
> 3. Send me the tarball
>
> Thanks,
> -Tom
Steven Jan Springl
2011-Apr-06 11:03 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 09:48:42 Cameron, George G. wrote:
> Tom,
>
> 1. shorewall.tar.gz attached (including generated caps file) as
> requested
> 2. I noticed that I was still using shorewall.conf from 4.4.18.1,
> so swapped to the new conf file:
>     1. now, no error is reported - but this appears to be because
>        OPTIMIZE=0 has now been made the default
>     2. OPTIMIZE=4 results in the error report as before; other bits
>        (e.g. OPTIMIZE=11) do not
>     3. however, REDIRECT still does not appear to be working, with
>        or without the OPTIMIZE bit that results in the error report
> 3. I have some experience with iptables-based firewalls, but would
> not claim to be 'expert'. Is it correct that in 'shorewall show -t
> nat', the dnat chain (which references net_dnat) should show 0
> references?
>
>
> And of course, many thanks again for taking a look.
>
> George
>
> On 05/04/2011 16:49, Tom Eastep wrote:

George

I have recreated both problems. They seem to be caused by the parameter
'physical=+' in the interfaces file.

If the parameter is removed or its value changed to a value other than
just '+' the problems do not occur.

Steven.
Cameron, George G.
2011-Apr-06 11:29 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On 06/04/2011 12:03, Steven Jan Springl wrote:
> On Wednesday 06 April 2011 09:48:42 Cameron, George G. wrote:
>> Tom,
>>
>> 1. shorewall.tar.gz attached (including generated caps file) as
>> requested
>> 2. I noticed that I was still using shorewall.conf from 4.4.18.1,
>> so swapped to the new conf file:
>>     1. now, no error is reported - but this appears to be because
>>        OPTIMIZE=0 has now been made the default
>>     2. OPTIMIZE=4 results in the error report as before; other bits
>>        (e.g. OPTIMIZE=11) do not
>>     3. however, REDIRECT still does not appear to be working, with
>>        or without the OPTIMIZE bit that results in the error report
>> 3. I have some experience with iptables-based firewalls, but would
>> not claim to be 'expert'. Is it correct that in 'shorewall show -t
>> nat', the dnat chain (which references net_dnat) should show 0
>> references?
>>
>>
>> And of course, many thanks again for taking a look.
>>
>> George
> George
>
> I have recreated both problems. They seem to be caused by the parameter
> 'physical=+' in the interfaces file.
>
> If the parameter is removed or its value changed to a value other than
> just '+' the problems do not occur.

Indeed - so the problem was an error in my configuration after all.

That does indeed fix the problem and my rules now work as expected.

Many thanks for your help!

George

> Steven.
Steven Jan Springl
2011-Apr-06 11:45 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 12:29:16 Cameron, George G. wrote:
> > I have recreated both problems. They seem to be caused by the parameter
> > 'physical=+' in the interfaces file.
> >
> > If the parameter is removed or its value changed to a value other than
> > just '+' the problems do not occur.
>
> Indeed - so the problem was an error in my configuration after all.
>

George

No. This is a bug in the Shorewall compiler that Tom will need to look at.

Steven.
On 4/6/11 4:45 AM, Steven Jan Springl wrote:
>
> No. This is a bug in the Shorewall compiler that Tom will need to look at.

Indeed. Patch attached.

-Tom
Steven Jan Springl
2011-Apr-06 20:36 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 15:51:35 Tom Eastep wrote:
> On 4/6/11 4:45 AM, Steven Jan Springl wrote:
> > No. This is a bug in the Shorewall compiler that Tom will need to look
> > at.
>
> Indeed. Patch attached.
>
> -Tom

Tom

The patch fixed the problem resulting in the following error:

Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Chains.pm line 862

However the problem that George reported with the unreferenced dnat chain
in the nat table remains.

I will send further details on the devel mailing list.

Steven.