Hi, Tom

Seeing that you're about to release a new version of shorewall, I KINDLY request from you a very small feature:

In order to separate the customized configuration, would it be possible to modify line 67 of /etc/init.d/shorewall to add something like

    -c /usr/local/shorewall

That could allow the users to store our customized configuration files out of the shorewall package.

It would then be a lot easier to upgrade to a newer version of shorewall: just drop the new lrp, then check the release notes and compare the new "vanilla" configuration files and the customized ones on the bering machine itself.

Thanks in advance and congratulations for your wonderful work on shorewall !!!

Kind regards,
Etienne Charlier
On Wednesday 03 March 2004 02:55 pm, Etienne Charlier wrote:
> Hi, Tom
>
> Seeing that you're about to release a new version of shorewall, I KINDLY
> request from you a very small feature:
>
> In order to separate the customized configuration, would it be possible to
> modify line 67 of
> /etc/init.d/shorewall to add something like -c /usr/local/shorewall
>
> That could allow the users to store our customized configuration files out
> of the shorewall package.
>
> It would then be a lot easier to upgrade to a newer version of shorewall:
> just drop the new lrp, then check the release notes and compare the new
> "vanilla" configuration files and the customized ones on the bering machine
> itself.
>
> Thanks in advance and congratulations for your wonderful work on shorewall
> !!!

Merci Etienne.

Another thing that we could do is just place all of the config files in /usr/shorewall/share.

Steve (and other Leaf users) -- any opinions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Another thing that we could do is just place all of the config files in
> /usr/shorewall/share.

Do you mean /usr/share/shorewall?

> Steve (and other Leaf users) -- any opinions.

Personally, I think being able to maintain a customized set of shorewall config files in a separate directory (like /etc/shorewall/custom) would definitely streamline the upgrade process for shorewall. Especially if there are no syntax changes in the config files.

FWIW: Right now I have the luxury of creating a new shorewall.lrp on my RH9 box. It's not a big deal after you have upgraded a few times. Procedurally, it goes something like...

1) Download and extract the new shorwall.lrp into a directory on my RH9 box.

2) Manually cut/paste each modified shorewall config file into the corresponding shorewall config file of the new release so that I can reference the new header section of these files, i.e. any new syntax/options. This is the time consuming part of the upgrade. Maybe 10-15 minutes. Not a big deal, but one time I actually forgot to cut/paste the contents of the masq file. Needless to say, this caused me all kinds of grief until I discovered my error.

3) Edit shorewall.conf to my specifications along with removing all references to ULOG in shorewall.conf, policy, etc...

4) Create the new shorwall.lrp (tarball)

At this point, I simply scp the new .lrp file to my leaf box and then copy this file to my floppy drive and reboot.

In short, if I could just download the new .lrp file and copy this directly to my leaf box without having to perform step 2 above, it would definitely streamline the upgrade process. In my case, editing just shorewall.conf to my specs and removing the ULOG references could be done on the leaf box in a few minutes. :-)

Steve Cowles
On Wed, 3 Mar 2004, Cowles, Steve wrote:

> > Another thing that we could do is just place all of the config files in
> > /usr/shorewall/share.
>
> Do you mean /usr/share/shorewall?

Of course.

> > Steve (and other Leaf users) -- any opinions.
>
> Personally, I think being able to maintain a customized set of shorewall
> config files in a separate directory (like /etc/shorewall/custom) would
> definitely streamline the upgrade process for shorewall. Especially if there
> are no syntax changes in the config files.

My point is that it would result in no code changes for Shorewall 2.0.0-RC1 if you were to release all of the configuration files in /usr/share/shorewall. That code already looks for files there as a last resort.

It would result in the .lrp being completely different though since it would require the user to first copy any file that needed changing from /usr/share/shorewall to /etc/shorewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
It can be easily simulated...

Create three zones: Inf, Per, For

In hosts define them:

    Inf    eth0:192.168.143.138/30
    Per    eth0:192.168.141.68/32,192.168.142.68/32
    For    eth0:192.168.0.0/16

In interfaces bind For to the interface:

    For    eth0    192.168.143.139    blacklist,routefilter,tcpflags

And create a REDIRECT rule in rules:

    REDIRECT    for!per,inf    80    tcp    http    -

Shorewall faults on that rule.

Litin

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, March 04, 2004 3:36 AM
To: Mailing List for Experienced Shorewall Users
Cc: Etienne Charlier
Subject: RE: [Shorewall-users] Feature request for shorewall.lrp

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Sorry to all, posted to a bad thread... It's too late for me... :-)

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Dominik Strnad
Sent: Thursday, March 04, 2004 3:48 AM
To: 'Mailing List for Experienced Shorewall Users'
Subject: RE: [Shorewall-users] Feature request for shorewall.lrp
> >> Thanks in advance and congratulation for your wonderful work on
> >> shorewall !!!

Let me second the congratulation and thanks for this *very* fine piece of software (again ;). Managing firewalls has never been that easy and clean before.

> > Another thing that we could do is just place all of the config files in
> > /usr/shorewall/share.
>
> Do you mean /usr/share/shorewall?
>
> > Steve (and other Leaf users) -- any opinions.
>
> Personally, I think being able to maintain a customized set of shorewall
> config files in a separate directory (like /etc/shorewall/custom) would
> definitely streamline the upgrade process for shorewall. Especially if there
> are no syntax changes in the config files.

As the upgrade steps mentioned below are the same as for rpm packages, let me extend this discussion.

Two different directories probably would be handy. One to include all the default files, of course with the very fine documentation headers. And a second one for user files only. Default files are only evaluated if there is no corresponding user file.

The benefit would be to always have a vanilla shorewall handy if needed and always have the latest documentation headers. Without having to change anything, if there are no syntax changes.

The shorewall.conf file could be handled differently: include the default shorewall.conf, then overwrite only the set variables in the user file...

All the above will lead to some very small and clean user files. Although I don't know if this would be applicable, as having the same files in different directories likely will be confusing to some users.

> FWIW: Right now I have the luxury of creating a new shorewall.lrp on my RH9
> box. It's not a big deal after you have upgraded a few times. Procedurally,
> it goes something like...
>
> 1) Download and extract the new shorwall.lrp into a directory on my RH9 box.
>
> 2) Manually cut/paste each modified shorewall config file into the
> corresponding shorewall config file of the new release so that I can
> reference the new header section of these files, i.e. any new
> syntax/options. This is the time consuming part of the upgrade. Maybe 10-15
> minutes.

Sounds familiar, it's the same approach I use with rpm packages.

> Not a big deal, but one time I actually forgot to cut/paste the
> contents of the masq file. Needless to say, this caused me all kinds of
> grief until I discovered my error.

Oh well, this indeed sounds *very* familiar. ;)

> 3) Edit shorewall.conf to my specifications along with removing all
> references to ULOG in shorewall.conf, policy, etc...

karsten
--
Davision - Atelier fuer Gestaltung / Internet / Multimedia
UNIX / Linux networks and training
Telephone 06151/17865   Fax 06151/178659
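Karsten's two-directory scheme (user files take precedence, defaults consulted only when no user file exists, and shorewall.conf overlaid variable by variable) and Tom's remark that Shorewall already looks in /usr/share/shorewall as a last resort both amount to an ordered search path. The script below is an added example of that lookup in shell; it is not Shorewall's own code. find_config walks an ordered list of directories and merge_conf overlays a user shorewall.conf on a packaged default. The directories in the demo are temporary ones created with mktemp, and the variable names in the constructed files are only illustrative.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a sketch of the two-directory
# scheme from the discussion.  find_config looks for a file through an
# ordered list of directories (user directory first, packaged defaults last);
# merge_conf overlays a user shorewall.conf on the default one so that only
# the variables the user actually set are overridden.

# find_config NAME DIR... : print the first DIR/NAME that exists.
# Returns 1 (and prints nothing) when no directory holds the file.
find_config() {
    name=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# merge_conf DEFAULT_FILE USER_FILE : print DEFAULT_FILE with every KEY=VALUE
# line whose KEY also appears in USER_FILE replaced by the user's line.
# Comments, blank lines and variables the user left alone keep the default
# text, so the documentation header of the packaged file survives; keys that
# exist only in the user file are appended at the end.  Both files must exist.
merge_conf() {
    awk '
        # key_of: "KEY" for a KEY=VALUE line, "" for comments and other lines
        function key_of(line,    k) {
            if (line ~ /^[ \t]*#/ || line !~ /=/) return ""
            k = line
            sub(/=.*/, "", k)
            gsub(/[ \t]/, "", k)
            return k
        }
        # first pass: the user file (ARGV[1]) -> remember its settings
        FILENAME == ARGV[1] {
            k = key_of($0)
            if (k != "") {
                if (!(k in over)) order[++n] = k
                over[k] = $0
            }
            next
        }
        # second pass: the default file -> substitute overridden lines
        {
            k = key_of($0)
            if (k != "" && (k in over)) { print over[k]; used[k] = 1 }
            else print
        }
        # anything the user set that the default file never mentioned
        END { for (i = 1; i <= n; i++) if (!(order[i] in used)) print over[order[i]] }
    ' "$2" "$1"
}

# Demo with constructed files: a "share" directory holding the packaged
# defaults and a "custom" directory holding only what the user changed.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/custom" "$demo_dir/share"
printf '# packaged default\nSTARTUP_ENABLED=No\nLOGFILE=/var/log/messages\n' \
    > "$demo_dir/share/shorewall.conf"
printf 'STARTUP_ENABLED=Yes\n' > "$demo_dir/custom/shorewall.conf"
printf '# packaged rules\n' > "$demo_dir/share/rules"

echo "rules resolved to: $(find_config rules "$demo_dir/custom" "$demo_dir/share")"
echo "merged shorewall.conf:"
merge_conf "$demo_dir/share/shorewall.conf" "$demo_dir/custom/shorewall.conf"
rm -rf "$demo_dir"
```

The search order is the same one the thread describes: a directory named with -c, then /etc/shorewall, then /usr/share/shorewall; a file that exists in none of them is reported by find_config's exit status, which is the case a caller must handle rather than silently treating an empty path as a configuration file.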
Sorry for the stupid Cc: cut-n-paste error... :-/

karsten
--
Davision - Atelier fuer Gestaltung / Internet / Multimedia
UNIX / Linux networks and training
Telephone 06151/17865   Fax 06151/178659
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>; "Etienne Charlier" <ech@sourceforge.net>; <leaf-devel@lists.sourceforge.net>
Cc: "Cowles, Steve" <steve@stevecowles.com>
Sent: Thursday, March 04, 2004 1:00 AM
Subject: Re: [Shorewall-users] Feature request for shorewall.lrp

> Merci Etienne.

You're welcome !!!

> Another thing that we could do is just place all of the config files in
> /usr/shorewall/share.

I should have formulated a "requirement", not proposed a solution!

What I would like is the possibility to have my configuration files stored in a directory NOT belonging to the shorewall .LRP package. If that directory is referenced in the -c option, the files in this directory will take precedence.

If the directory is not backed up in shorwall.lrp, I could build my own shorcfg.lrp (or local.lrp if the directory is /usr/local/...) containing only my configuration directory. That directory must not exist in shorwall.lrp, only the -c. If a user doesn't want that behaviour, he just has to modify the vanilla configuration files the same way we all do it now.

When doing an upgrade, I could just drop a new shorwall.lrp being confident that my configuration files are preserved.

Thanks for your patience and excuse my "freechie" english.... ;-)

Kind regards,
Etienne
Sorry for jumping in late and I haven't followed that thread closely....

But if you don't bother about doc updates in /etc/shorewall/ files and you are sure that the shorewall update hasn't changed keywords etc. (as it does sometimes in history - like forcing the use of DNAT), upgrading a lrp and preserving your setup should be easy:

1) copy all files from /etc/shorewall to a directory like /tmp/shorewall/
2) scp (or use any other appropriate way) the new shorewall.lrp to your LEAF router root dir /
3) lrpkg -i /shorwall.lrp
4) copy /shorwall.lrp to your boot device
5) mv all files from /tmp/shorewall back to /etc/shorewall
6) run shorewall restart and check if everything is working again
7) save shorwall.lrp from lrcfg

Optionally do a diff after step 3 to see what has been changed.

kp
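Steve's procedure earlier in the thread and kp's seven steps come down to the same sequence: save the customised files, install the new package, compare the vanilla files with the saved ones, put the customised files back. The script below is an added example of that sequence as a shell function; it is not part of LEAF, lrpkg or Shorewall. It assumes a flat configuration directory and takes the install step as a command argument (on LEAF that would be lrpkg -i /shorwall.lrp; the demo substitutes a stand-in shell command that overwrites one file and adds another, which is what a new release does to /etc/shorewall). The file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the LEAF or Shorewall packages: the
# save / install / diff / restore sequence from the thread as a function.
# Assumptions: CONFIG_DIR is a flat directory of files, and the install step
# is whatever command follows the two directory arguments.

# upgrade_preserving CONFIG_DIR BACKUP_DIR INSTALL_CMD...
#   1. copy CONFIG_DIR to BACKUP_DIR
#   2. run INSTALL_CMD, which replaces the packaged files under CONFIG_DIR
#   3. write a unified diff of the backup against the freshly installed
#      files to BACKUP_DIR.diff, so the operator can see what the new
#      release changed in the vanilla files before trusting the old ones
#   4. copy the backed-up files back over the installed ones; files the new
#      release added (unknown to the backup) are left in place
upgrade_preserving() {
    cfg=$1; bak=$2; shift 2
    rm -rf "$bak" && mkdir -p "$bak" || return 1
    cp -pR "$cfg"/. "$bak"/ || return 1            # 1. save customised files
    "$@" || return 1                                # 2. install the package
    # 3. diff exits 1 when the trees differ, which is the expected case here;
    #    only exit status 2 (an error) aborts the upgrade
    diff -ru "$bak" "$cfg" > "$bak.diff" 2>&1 || [ $? -eq 1 ] || return 1
    cp -pR "$bak"/. "$cfg"/ || return 1            # 4. restore customisations
}

# changed_files DIFF_FILE : names of the files the new release shipped with
# different content than the saved copies (one per line, taken from the
# "+++" headers of the unified diff written by upgrade_preserving)
changed_files() {
    sed -n 's|^+++ .*/\([^[:space:]]*\).*|\1|p' "$1"
}

# added_files DIFF_FILE NEW_DIR : files present only in the freshly
# installed tree, i.e. files this release introduced
added_files() {
    awk -v d="$2" 'index($0, "Only in " d ": ") == 1 {
        print substr($0, length("Only in " d ": ") + 1)
    }' "$1"
}

# Demo with constructed files: a customised rules file, an untouched zones
# file, and a stand-in for "lrpkg -i" that behaves like a new release.
demo=$(mktemp -d)
mkdir "$demo/etc"
printf 'ACCEPT   loc   net   tcp   22\n' > "$demo/etc/rules"
printf 'net   ipv4\nloc   ipv4\n' > "$demo/etc/zones"
upgrade_preserving "$demo/etc" "$demo/etc.bak" sh -c \
    "printf '# vanilla rules\n' > '$demo/etc/rules'; printf '# new in this release\n' > '$demo/etc/masq'"
echo "files the new release changed:"; changed_files "$demo/etc.bak.diff"
echo "files the new release added:";   added_files "$demo/etc.bak.diff" "$demo/etc"
echo "rules after upgrade:";           cat "$demo/etc/rules"
rm -rf "$demo"
```

The recorded diff is kp's optional "diff after step 3": changed_files lists the files whose vanilla copy differs from the saved one, which is exactly the set to check against the release notes before trusting the restored customisations, and added_files names files the release introduced that the old configuration never had. Steve's masq incident is the failure mode step 4 guards against: nothing is copied by hand, so a customised file cannot be forgotten.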
Hi,

You're right, but having 2 directories where shorewall looks for configuration files is (IMHO) better..

Most of the time, you modify rules, interfaces,... a handful of files. Having only those modified files in a separate directory is a lot easier: when you follow Tom's release notes, if he explains incompatibilities in a file you don't have in your config directory --> you used the default one and.. nothing to do, ...

Kind regards
Etienne

----- Original Message -----
From: "K.-P. Kirchdörfer" <kapeka@ondit.dyndns.org>
To: <shorewall-users@lists.shorewall.net>
Cc: "Etienne Charlier" <ech@sourceforge.net>; <leaf-devel@lists.sourceforge.net>
Sent: Thursday, March 04, 2004 7:07 PM
Subject: Re: [Shorewall-users] Feature request for shorewall.lrp