Greetings,

I have been using shorewall since version 1.2.12 in debian. Recently I upgraded from the version in woody to the one in sarge. I'm not sure what the version in sarge was at that point but it is now 1.4.10. I had to modify some of my 1.2.12 configs to make it work with the new configs in 1.4.10 but after that was done I went about my business as usual.

Then the other day I totally re-installed my firewall box. So I set up shorewall again from scratch this time. I noticed things would work fine once I had the configuration set up and ran shorewall start. However on a reboot the firewall would be able to access the internet but the natting of my local network and my dmz to the internet and local to dmz would fail. I had made a backup of my previous shorewall configs so I restored them and shorewall worked fine on reboot and everything.

I am thinking that there has to be something in those old configs of mine that is not in the new ones that is causing this. I have searched between the two sets of configs to try to figure it out but have been unsuccessful. Therefore my question is this. Is there anything anyone can think of that would help point out to me why the new configs will work once configured but not after a reboot but my old configs work fine?

Thank you all for your time.

Regards,
Jason Harrison

PS: To Tom Eastep: I have used shorewall for about 2 years now. Thank you for everything you do and for shorewall especially. :)
bahadunn wrote:
> Therefore my question is this. Is there anything anyone
> can think of that would help point out to me why the new configs will
> work once configured but not after a reboot but my old configs work
> fine?
>

Did you enable Shorewall startup in /etc/default/shorewall?

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Greetings,

Yes I did enable the startup=1 in /etc/default/shorewall.

Regards,
Jason Harrison

On Sun, 2004-04-11 at 12:43, Tom Eastep wrote:
> bahadunn wrote:
>
> > Therefore my question is this. Is there anything anyone
> > can think of that would help point out to me why the new configs will
> > work once configured but not after a reboot but my old configs work
> > fine?
> >
>
> Did you enable Shorewall startup in /etc/default/shorewall?
>
> -Tom
bahadunn wrote:
> Greetings,
>
> Yes I did enable the startup=1 in /etc/default/shorewall.
>
> Regards,
> Jason Harrison
>
> On Sun, 2004-04-11 at 12:43, Tom Eastep wrote:
>
>> bahadunn wrote:
>>
>>
>>> Therefore my question is this. Is there anything anyone
>>> can think of that would help point out to me why the new configs will
>>> work once configured but not after a reboot but my old configs work
>>> fine?
>>>
>>
>> Did you enable Shorewall startup in /etc/default/shorewall?

Then I guess we'll need more than "it doesn't work"...

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Greetings,

That's the problem. I'm not exactly sure what the differences between the two configurations are. Is there any way to easily list the differences in files? Like a program that compares two files and tells you what is different about them? I suppose I could go through them by hand. Anyways I just thought maybe you might have an idea.

Thank you for your time.

Regards,
Jason Harrison

On Sun, 2004-04-11 at 18:45, Tom Eastep wrote:
> bahadunn wrote:
>
> > Greetings,
> >
> > Yes I did enable the startup=1 in /etc/default/shorewall.
> >
> > Regards,
> > Jason Harrison
> >
> > On Sun, 2004-04-11 at 12:43, Tom Eastep wrote:
> >
> >> bahadunn wrote:
> >>
> >>
> >>> Therefore my question is this. Is there anything anyone
> >>> can think of that would help point out to me why the new configs will
> >>> work once configured but not after a reboot but my old configs work
> >>> fine?
> >>>
> >>
> >> Did you enable Shorewall startup in /etc/default/shorewall?
>
> Then I guess we'll need more than "it doesn't work"...
>
> -Tom
bahadunn wrote:
> Greetings,
>
> That's the problem. I'm not exactly sure what the differences between the
> two configurations are.

My advice is to not focus on the differences but rather to just try to determine what's wrong.

> Is there any way to easily list the differences
> in files? Like a program that compares two files and tells you what is
> different about them?

man diff

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
>
> My advice is to not focus on the differences but rather to just try to
> determine what's wrong.
>

Also keep in mind what I posted here the other day regarding the shorewall.conf file and how I design changes involving that file. You can take a set of config files and replacing a 1.2.12 shorewall.conf with one from version 2.0.1 will totally change the behavior of the firewall.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Greetings,

Ok I will follow your advice. If and when I figure out what is wrong I will reply and let you know the outcome.

Thank you for your time and help and for shorewall.

Regards,
Jason

On Sun, 2004-04-11 at 19:33, Tom Eastep wrote:
> bahadunn wrote:
>
> > Greetings,
> >
> > That's the problem. I'm not exactly sure what the differences between the
> > two configurations are.
>
> My advice is to not focus on the differences but rather to just try to
> determine what's wrong.
>
> > Is there any way to easily list the differences
> > in files? Like a program that compares two files and tells you what is
> > different about them?
>
> man diff
>
> -Tom
bahadunn wrote:
> Greetings,
>
> Ok I will follow your advice. If and when I figure out what is wrong I
> will reply and let you know the outcome.
>

Make sure that IP_FORWARDING=On in shorewall.conf -- the Debian maintainer disables it by default.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Greetings,

:) I think that was it. I went through all my setup files and then through shorewall.conf and I noticed that it was set to keep. So I turned it on and everything seems fine. I upgraded to 2.0.0b out of sid though. I guess it's always wise to run the latest and greatest.

I hope you aren't tired of me saying thank you. Thank you very much for your help and for shorewall.

Regards,
Jason

On Sun, 2004-04-11 at 20:40, Tom Eastep wrote:
> bahadunn wrote:
>
> > Greetings,
> >
> > Ok I will follow your advice. If and when I figure out what is wrong I
> > will reply and let you know the outcome.
> >
>
> Make sure that IP_FORWARDING=On in shorewall.conf -- the Debian
> maintainer disables it by default.
>
> -Tom
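The two boot-time settings that this thread turned on (startup=1 in /etc/default/shorewall, and IP_FORWARDING left at the Debian default of Keep instead of On) are easy to check for in a script. What follows is an added example written for this archive page; it is not code from Tom Eastep, from the Shorewall package or from the Debian package. It assumes the file locations named in the thread (/etc/default/shorewall, /etc/shorewall/shorewall.conf) and reads the kernel's current forwarding state from /proc/sys/net/ipv4/ip_forward; the sample files in the checks are constructed for illustration. One further assumption: an unset IP_FORWARDING is treated like Keep for this check only (the shorewall.conf man page gives the real default).

```sh
#!/bin/sh
# Added example: verify the two boot-time settings discussed in this thread.
# Assumed paths (Debian layout, as named in the thread):
#   /etc/default/shorewall         startup=1 lets the init script run
#   /etc/shorewall/shorewall.conf  IP_FORWARDING=On|Off|Keep
#   /proc/sys/net/ipv4/ip_forward  kernel forwarding state (0 after boot
#                                  unless something turns it on)

# Print the value assigned to KEY in FILE (KEY=value; quotes and trailing
# comments stripped, last assignment wins). Prints nothing when KEY is unset.
conf_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key=\([^#]*\).*/\1/p" "$file" \
        | tail -n 1 | tr -d "\"'" | tr -d '[:space:]'
}

# Forwarding state the kernel ends up in after "shorewall start", given the
# IP_FORWARDING policy (lower-cased) and the kernel's value before the start.
# "keep", the Debian package default, leaves the boot-time value untouched,
# which is why NAT worked after a manual start but not after a reboot.
# An unset policy is treated like keep here (assumption, for this check only).
forward_after_start() {
    policy=$1; current=$2
    case "$policy" in
        on|yes) echo 1 ;;
        off|no) echo 0 ;;
        *)      echo "$current" ;;
    esac
}

# Run both checks. Prints one line per finding, or "ok" when the box will
# both start Shorewall at boot and forward packets afterwards.
diagnose() {
    defaults=$1; conf=$2; ip_forward=$3
    problems=0
    if [ "$(conf_value "$defaults" startup)" != "1" ]; then
        echo "startup is not 1 in $defaults: Shorewall will not start at boot"
        problems=$((problems + 1))
    fi
    policy=$(conf_value "$conf" IP_FORWARDING | tr 'A-Z' 'a-z')
    [ -n "$policy" ] || policy=unset
    if [ "$(forward_after_start "$policy" "$ip_forward")" != "1" ]; then
        echo "IP_FORWARDING=$policy with ip_forward=$ip_forward: kernel will not forward; set IP_FORWARDING=On in $conf"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo ok
    fi
}

# On the firewall itself, after a reboot:  sh check-forwarding.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose /etc/default/shorewall /etc/shorewall/shorewall.conf \
        "$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Run it on the firewall right after a reboot, before any manual `shorewall start`, since a manual start with a working config hides the symptom. The functions can also be pointed at a backed-up copy of the old configuration to see why it behaved differently; for the "man diff" suggestion earlier in the thread, `diff -u old/shorewall.conf new/shorewall.conf` shows the changed settings side by side.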
bahadunn wrote:
> I upgraded to 2.0.0b out of sid though.

Package managers can subvert my strategy for upgrades of shorewall.conf if you let them or, in the case of RPM, if you haven't modified the file.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
They ought not to do that in my opinion. I noticed in my old shorewall.conf there was an option enable_nat=yes or no. Is that the equivalent to the ip-forwarding option in the new shorewall.conf?

Regards,
Jason

On Sun, 2004-04-11 at 21:23, Tom Eastep wrote:
> bahadunn wrote:
>
> > I upgraded to 2.0.0b out of sid though.
>
> Package managers can subvert my strategy for upgrades of shorewall.conf
> if you let them or, in the case of RPM, if you haven't modified the file.
>
> -Tom
bahadunn wrote:
> They ought not to do that in my opinion. I noticed in my old
> shorewall.conf there was an option enable_nat=yes or no. Is that the
> equivalent to the ip-forwarding option in the new shorewall.conf?
>

No.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> bahadunn wrote:
>
>> They ought not to do that in my opinion. I noticed in my old
>> shorewall.conf there was an option enable_nat=yes or no. Is that the
>> equivalent to the ip-forwarding option in the new shorewall.conf?
>>
>
> No.
>

Changes and what to do about them are chronicled in the Release Notes, all of which are reproduced in the News Archive accessible from the Shorewall home page.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
>
> Changes and what to do about them are chronicled in the Release Notes,
> all of which are reproduced in the News Archive accessible from the
> Shorewall home page.
>

The "Upgrade Issues" page, also accessible from the Shorewall home page, is also recommended reading before you try an upgrade.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
I think the main thing that tripped me up was that I was always using my old config files so this issue never came up. However when I reinstalled my firewall box I wanted to use the new config files instead. Anyways I think I mainly just assumed there was no option in the shorewall.conf file I needed to set so I overlooked it a bit. It's all a learning process. I won't make that mistake again. I probably need to read all the docs on 2.0 as well since it's been a while since my last read.

Regards,
Jason

On Sun, 2004-04-11 at 22:14, Tom Eastep wrote:
> Tom Eastep wrote:
>
> >
> > Changes and what to do about them are chronicled in the Release Notes,
> > all of which are reproduced in the News Archive accessible from the
> > Shorewall home page.
> >
>
> The "Upgrade Issues" page, also accessible from the Shorewall home page,
> is also recommended reading before you try an upgrade.
>
> -Tom