http://shorewall.net/pub/shorewall/Beta
ftp://shorewall.net/pub/shorewall/Beta

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom;
I have been doing some testing of Shorewall 1.4.10-RC1 & 1.4.10-RC2
and have come across 3 problems with the rules file. The environment that the
tests have been carried out in is:
SuSE 9.0
Kernel 2.4.24
iptables 1.2.9
Firstly, I cannot get the action CONTINUE to work. The rule:
CONTINUE sys fw icmp
produces the error:
iptables v1.2.9: Couldn't load target
`CONTINUE':/usr/lib/iptables-1.2.9/
iptables/libipt_CONTINUE.so: cannot open shared object file: No such file or
directory
The attached file contains a patch against 1.4.10-RC2. Note this patch has
only been lightly tested, but seems to work.
Secondly, a rule of the following format:
ACCEPT<3/sec:10> fw tbc tcp 22,80 - - - root:
produces the error:
Error: <user>:<group> may only be specified in ACCEPT, REJECT and
DROP rules:
rule "ACCEPT<3/sec:10> fw tbc tcp 22,80 - - - root:"
The attached file also contains a patch for this. Again, this patch has only
been lightly tested, but seems to work.
Lastly, the Shorewall documentation says:
Beginning with Shorewall version 1.4.7, you may rate-limit the rule by
optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
< <rate>/<interval>[:<burst>] >
However I found that the following rules are also valid:
REJECT<3/sec:10> fw tbc tcp 22,80
DROP fw tbc tcp 22,80 - - 3/sec:10 root:
If you need any further information on the above, do not hesitate to contact
me.
Regards
Steven.
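The second problem above is a classic parsing error: the rules compiler compares the raw ACTION token (still carrying its `<rate>/<interval>[:<burst>]` suffix) against the list of actions allowed to have a USER/GROUP column, so `ACCEPT<3/sec:10>` no longer matches `ACCEPT`. The following is an added Python illustration of that bug and of the obvious fix (strip the suffix before checking); it is not Shorewall's own code or either of the patches discussed in the thread. It assumes the 1.4 column order ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST RATE LIMIT USER/GROUP, as the rule lines quoted above use it, and it takes the permitted-action lists from the documentation excerpt and the error message quoted in the mail.

```python
import re

# Positional columns of a Shorewall 1.4 /etc/shorewall/rules line, as used by
# the rules quoted in the thread; "-" means "not specified" (assumption).
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport",
           "origdest", "rate", "user"]

# Actions the quoted documentation lists as rate-limitable via the <...> suffix.
RATE_ACTIONS = {"ACCEPT", "DNAT", "DNAT-", "REDIRECT", "REDIRECT-", "LOG"}
# Actions the quoted error message allows a USER/GROUP column on.
USER_ACTIONS = {"ACCEPT", "REJECT", "DROP"}

# ACTION token: a name, optionally followed by <rate/interval[:burst]>.
ACTION_RE = re.compile(r"^(?P<name>[A-Za-z-]+)(?:<(?P<rate>[^>]+)>)?$")


def split_action(token):
    """Split 'ACCEPT<3/sec:10>' into ('ACCEPT', '3/sec:10'); 'DROP' -> ('DROP', None)."""
    m = ACTION_RE.match(token)
    if not m:
        raise ValueError("malformed ACTION token: %r" % token)
    return m.group("name"), m.group("rate")


def parse_rule(line):
    """Parse one rules-file line into a dict with the suffix already stripped."""
    fields = line.split()
    if not fields:
        raise ValueError("empty rule line")
    fields += ["-"] * (len(COLUMNS) - len(fields))   # pad missing trailing columns
    rule = dict(zip(COLUMNS, fields))
    name, suffix_rate = split_action(rule["action"])
    column_rate = None if rule["rate"] == "-" else rule["rate"]
    if suffix_rate and column_rate:
        raise ValueError("rate limit given both as ACTION suffix and RATE LIMIT column")
    rule["action"] = name
    rule["rate"] = suffix_rate or column_rate
    rule["user"] = None if rule["user"] == "-" else rule["user"]
    return rule


def check_user_column_naive(line):
    """The faulty check: compares the raw token, suffix included."""
    fields = line.split()
    fields += ["-"] * (len(COLUMNS) - len(fields))
    raw_action, user = fields[0], fields[8]
    if user != "-" and raw_action not in USER_ACTIONS:
        return "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules"
    return None


def check_rule(line):
    """Corrected checks, run on the parsed rule whose ACTION has been normalised.

    Returns a list of problems; an empty list means the rule passes."""
    rule = parse_rule(line)
    problems = []
    if rule["user"] and rule["action"] not in USER_ACTIONS:
        problems.append("<user>:<group> not allowed on %s" % rule["action"])
    if rule["rate"] and rule["action"] not in RATE_ACTIONS:
        # REJECT/DROP with a rate limit are accepted by 1.4.10 but not documented.
        problems.append("rate limit not documented for %s" % rule["action"])
    return problems


# Constructed sample input: the three rules quoted in the thread.
SAMPLE_RULES = [
    "ACCEPT<3/sec:10> fw tbc tcp 22,80 - - - root:",
    "REJECT<3/sec:10> fw tbc tcp 22,80",
    "DROP fw tbc tcp 22,80 - - 3/sec:10 root:",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule)
        print("  naive check :", check_user_column_naive(rule))
        print("  fixed check :", check_rule(rule) or "ok")
```

Run on the first sample line, the naive check reproduces the error from the mail while the corrected check passes it; the other two lines pass the naive check and are only flagged by the corrected one as using a rate limit that the quoted documentation does not list for REJECT or DROP.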
On Tue, 27 Jan 2004, Steven Jan Springl wrote:

> iptables v1.2.9: Couldn't load target `CONTINUE':/usr/lib/iptables-1.2.9/
> iptables/libipt_CONTINUE.so: cannot open shared object file: No such file or
> directory
>
> The attached file contains a patch against 1.4.10-RC2. Note this patch has
> only been lightly tested, but seems to work.
>

That's the correct patch.

> Secondly, a rule of the following format:
> ACCEPT<3/sec:10> fw tbc tcp 22,80 - - - root:
>
> produces the error:
> Error: <user>:<group> may only be specified in ACCEPT, REJECT and DROP rules:
> rule "ACCEPT<3/sec:10> fw tbc tcp 22,80 - - - root:"
>
> The attached file also contains a patch for this. Again, this patch has only
> been lightly tested, but seems to work.
>

I've come up with a slightly different patch. Thanks.

> Lastly, the Shorewall documentation says:
> Beginning with Shorewall version 1.4.7, you may rate-limit the rule by
> optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
> < <rate>/<interval>[:<burst>] >
>
> However I found that the following rules are also valid:
> REJECT<3/sec:10> fw tbc tcp 22,80
> DROP fw tbc tcp 22,80 - - 3/sec:10 root:

I had already corrected these in 2.0 -- they are a PITA to fix in 1.4; one of the reasons that I'm thinking about dropping usersets in 2.0.

> If you need any further information on the above, do not hesitate to contact
> me.
>

Thanks, Steven.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net