Sebastien Routier
2002-Oct-18  04:26 UTC
[Shorewall-users] Potential serious problem with Shorewall.
Hi,
Using Mandrake 9.0 and Shorewall 1.3.8
First of all let me specify that since I had trouble setting up the
firewall and the Internet connection sharing using Mandrake Control
Center and the wizards I decided to do it all manually. Attached you
will find my configuration files which I believe demonstrate the problem.
My PC has two or three NICs:
- eth0 connected to my cable modem.
- eth1 connected to my hub.
- usb0 connected to my Zaurus, this interface is not permanent, it is
there when the Zaurus is turned on and plugged into the PC through a USB port.
But as soon as you unplug the Zaurus the interface disappears.
It was all working fine until I decided to connect my PDA (SHARP Zaurus
SL-5500) on the network using usbdnet. Initially it worked fine but I
eventually removed my PDA from the docking station and turned off the
PC. Next time I booted the PC Shorewall failed with this error:
-------------------- Shorewall restart output START ---------------------
[root@hydrogen shorewall]# service shorewall restart
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Shorewall Not Currently Running
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
    Zones: net loc zaurus
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    Local Zone: eth1:0.0.0.0/0
    Zaurus Zone: usb0:0.0.0.0/0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Blacklisting...
    Blacklisting enabled on eth0
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
    Rule "ACCEPT fw net tcp 53" added.
    Rule "ACCEPT fw net udp 53" added.
    Rule "ACCEPT loc fw tcp 53" added.
    Rule "ACCEPT loc fw udp 53" added.
    Rule "ACCEPT zaurus fw tcp 53" added.
    Rule "ACCEPT zaurus fw udp 53" added.
    Rule "ACCEPT loc fw tcp 22" added.
    Rule "ACCEPT zaurus fw tcp 22" added.
    Rule "ACCEPT net fw tcp 22,443,10000" added.
    Rule "DROP net fw tcp 113,135" added.
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
    Policy ACCEPT for fw to net using chain fw2net
    Policy DROP for net to fw using chain net2all
    Policy ACCEPT for loc to fw using chain all2all
    Policy ACCEPT for loc to net using chain loc2net
    Policy ACCEPT for zaurus to fw using chain all2all
    Policy ACCEPT for zaurus to net using chain zaurus2net
Masqueraded Subnets and Hosts:
    To 0.0.0.0/0 from eth1 through eth0
Device "usb0" does not exist.
/sbin/service: line 148: 23899 Terminated              $debug $servicedir/$service $options
-------------------- Shorewall restart output END ---------------------
Shorewall complains about an inexistent usb0 device!?!? Well of course
since my Zaurus was not connected ?!?! It failed leaving my system wide
open ?!? That is not good....
Does anybody know of a way to configure an optional interface in
Shorewall, or would you have any other idea to prevent Shorewall from
failing if an interface does not exist?
Thanks.
/Sebast.
[Attachment: shorewall-conf_broken.tgz]
Tom Eastep
2002-Oct-18  14:09 UTC
[Shorewall-users] Potential serious problem with Shorewall.
Sebastien Routier wrote:
> Hi,
>
> Using Mandrake 9.0 and Shorewall 1.3.8
>
> First of all let me specify that since I had trouble setting up the
> firewall and the Internet connection sharing using Mandrake Control
> Center and the wizards I decided to do it all manually. Attached you
> will find my configuration files which I believe demonstrate the problem.
>
> My PC has two or three NICs:
> - eth0 connected to my cable modem.
> - eth1 connected to my hub.
> - usb0 connected to my Zaurus, this interface is not permanent, it is
> there when the Zaurus is turned on and plugged into the PC through a USB port.
> But as soon as you unplug the Zaurus the interface disappears.
>
> It was all working fine until I decided to connect my PDA (SHARP Zaurus
> SL-5500) on the network using usbdnet. Initially it worked fine but I
> eventually removed my PDA from the docking station and turned off the
> PC. Next time I booted the PC Shorewall failed with this error:
>
> -------------------- Shorewall restart output START ---------------------
> [root@hydrogen shorewall]# service shorewall restart
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Shorewall Not Currently Running
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
>     Zones: net loc zaurus
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>     Net Zone: eth0:0.0.0.0/0
>     Local Zone: eth1:0.0.0.0/0
>     Zaurus Zone: usb0:0.0.0.0/0
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP
> Enabling RFC1918 Filtering
> Setting up Blacklisting...
>     Blacklisting enabled on eth0
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
>     Rule "ACCEPT fw net tcp 53" added.
>     Rule "ACCEPT fw net udp 53" added.
>     Rule "ACCEPT loc fw tcp 53" added.
>     Rule "ACCEPT loc fw udp 53" added.
>     Rule "ACCEPT zaurus fw tcp 53" added.
>     Rule "ACCEPT zaurus fw udp 53" added.
>     Rule "ACCEPT loc fw tcp 22" added.
>     Rule "ACCEPT zaurus fw tcp 22" added.
>     Rule "ACCEPT net fw tcp 22,443,10000" added.
>     Rule "DROP net fw tcp 113,135" added.
> Setting up ICMP Echo handling...
> Processing /etc/shorewall/policy...
>     Policy ACCEPT for fw to net using chain fw2net
>     Policy DROP for net to fw using chain net2all
>     Policy ACCEPT for loc to fw using chain all2all
>     Policy ACCEPT for loc to net using chain loc2net
>     Policy ACCEPT for zaurus to fw using chain all2all
>     Policy ACCEPT for zaurus to net using chain zaurus2net
> Masqueraded Subnets and Hosts:
>     To 0.0.0.0/0 from eth1 through eth0
> Device "usb0" does not exist.
> /sbin/service: line 148: 23899 Terminated $debug $servicedir/$service $options
> -------------------- Shorewall restart output END ---------------------
>
> Shorewall complains about an inexistent usb0 device!?!? Well of course
> since my Zaurus was not connected ?!?! It failed leaving my system wide
> open ?!? That is not good....

Your system was NOT wide open. Shorewall is designed to leave your system in a safe state if it dies during startup.

> Does anybody know of a way to configure an optional interface in
> Shorewall, or would you have any other idea to prevent Shorewall from
> failing if an interface does not exist?

Yes RTFM -- If you put a device name in the SUBNET column in /etc/shorewall/masq then that device must be started before Shorewall will start. If there is a possibility (as in your case) that the interface will not be started then you will have to place an address (host or subnet) in that column.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Sebastien Routier
2002-Oct-19  18:13 UTC
[Shorewall-users] Re: **SOLVED** Potential serious problem with Shorewall.
Tom Eastep wrote:
> Sebastien Routier wrote:
>
> > Hi,
> >
> > Using Mandrake 9.0 and Shorewall 1.3.8
> > ...
> >
> > My PC has two or three NICs:
> > - eth0 connected to my cable modem.
> > - eth1 connected to my hub.
> > - usb0 connected to my Zaurus, this interface is not permanent, it is
> > there when the Zaurus is turned on and plugged into the PC through a USB
> > port. But as soon as you unplug the Zaurus the interface disappears.
> >
> > It was all working fine until I decided to connect my PDA (SHARP
> > Zaurus SL-5500) on the network using usbdnet. Initially it worked fine
> > but I eventually removed my PDA from the docking station and turned
> > off the PC. Next time I booted the PC Shorewall failed with this error:
> >
> > -------------------- Shorewall restart output START ---------------------
> > [root@hydrogen shorewall]# service shorewall restart
> > Processing /etc/shorewall/shorewall.conf ...
> > Processing /etc/shorewall/params ...
> > Shorewall Not Currently Running
> > Starting Shorewall...
> ...
> > Policy ACCEPT for zaurus to net using chain zaurus2net
> > Masqueraded Subnets and Hosts:
> > To 0.0.0.0/0 from eth1 through eth0
> > Device "usb0" does not exist.
> > /sbin/service: line 148: 23899 Terminated $debug $servicedir/$service $options
> > -------------------- Shorewall restart output END ---------------------
> >
> > Shorewall complains about an inexistent usb0 device!?!? Well of course
> > since my Zaurus was not connected ?!?! It failed leaving my system wide
> > open ?!? That is not good....
>
> Your system was NOT wide open. Shorewall is designed to leave your
> system in a safe state if it dies during startup.

After a few other tests, it looks like you are right, I jumped to conclusions here, sorry if I made you jump out of your seat...

> > Does anybody know of a way to configure an optional interface in
> > Shorewall, or would you have any other idea to prevent Shorewall from
> > failing if an interface does not exist?
>
> Yes RTFM -- If you put a device name in the SUBNET column in
> /etc/shorewall/masq then that device must be started before Shorewall
> will start. If there is a possibility (as in your case) that the
> interface will not be started then you will have to place an address
> (host or subnet) in that column.
>
> -Tom

Thanks Tom.... Yes RTFM was the answer, it all works like a charm (almost) now. To go from a 2 NIC PC to a 2 NIC with the Zaurus the only thing I had to do was modify the file /etc/shorewall/masq by adding a single line:

    eth0 192.168.129.0/24

Now the only issue is that if the Zaurus is both connected and turned on before and while the PC boots, the usb0 interface is not configured properly. I suspect this to be a minor problem with hotplug. Once the PC has finished booting if I turn off the Zaurus and turn it back on, hotplug configures the usb0 interface properly and everything else works fine. Shorewall side of things seems to work fine.

Thanks.
/Sebast.
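An added example, not code from the thread or from Shorewall: a pre-flight check for the failure discussed above, flagging any SUBNET entry in a masq file that names a device which is not currently present. The function names and both sample files are constructed; the `eth0 usb0` line and the `INTERFACE SUBNET` column layout are assumptions drawn from the startup log and the replies, since the attached configuration is not readable here.

```sh
#!/bin/sh
# Added example, not part of Shorewall: pre-flight check for the masq file.
# Assumed layout: "INTERFACE SUBNET [ADDRESS]" per line, '#' starts a comment.

# True if $1 looks like an IPv4 host or subnet (a.b.c.d or a.b.c.d/n).
is_address() {
    case "$1" in
        *[!0-9./]*) return 1 ;;   # contains letters etc.: a device name
        *.*.*.*)    return 0 ;;
        *)          return 1 ;;
    esac
}

# Space-separated names of the devices the kernel currently knows.
live_devices() {
    ls /sys/class/net 2>/dev/null | tr '\n' ' '
}

# masq_missing_devices FILE [DEVICE_LIST]
# Prints every SUBNET-column entry that is a device name absent from
# DEVICE_LIST (default: the live system). Returns 1 if any was printed.
masq_missing_devices() {
    mmd_present=" ${2-$(live_devices)} "
    mmd_status=0
    while read -r mmd_out mmd_subnet mmd_rest || [ -n "$mmd_out" ]; do
        case "$mmd_out" in
            ''|'#'*) continue ;;  # blank line or comment
        esac
        case "$mmd_subnet" in
            ''|'#'*) continue ;;  # no SUBNET column on this line
        esac
        if is_address "$mmd_subnet"; then
            continue              # an address never depends on a device being up
        fi
        case "$mmd_present" in
            *" $mmd_subnet "*) ;;
            *) echo "$mmd_subnet"; mmd_status=1 ;;
        esac
    done < "$1"
    return "$mmd_status"
}

# Constructed sample: device names in the SUBNET column (assumed "before").
sample_masq_before() {
    cat <<'EOF'
#INTERFACE  SUBNET            ADDRESS
eth0        eth1
eth0        usb0
EOF
}

# Constructed sample: the hot-plugged network given as a subnet instead.
sample_masq_after() {
    cat <<'EOF'
#INTERFACE  SUBNET            ADDRESS
eth0        eth1
eth0        192.168.129.0/24
EOF
}

# Demo with usb0 unplugged (constructed device list: lo eth0 eth1).
demo_file=$(mktemp) || exit 1
for sample in sample_masq_before sample_masq_after; do
    "$sample" > "$demo_file"
    if missing=$(masq_missing_devices "$demo_file" "lo eth0 eth1"); then
        echo "$sample: OK, no SUBNET entry depends on a missing device"
    else
        echo "$sample: Shorewall will not start, missing device(s): $missing"
    fi
done
rm -f "$demo_file"
```

Called with only a file argument, `masq_missing_devices /etc/shorewall/masq` checks against the devices listed under /sys/class/net, which assumes a kernel that provides sysfs.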
Tom Eastep
2002-Oct-20  22:11 UTC
[Shorewall-users] Re: **SOLVED** Potential serious problem with Shorewall.
Hello Sebastien,

Sebastien Routier wrote:
>
> Now the only issue is that if the Zaurus is both connected and turned on
> before and while the PC boots, the usb0 interface is not configured
> properly. I suspect this to be a minor problem with hotplug. Once the PC
> has finished booting if I turn off the Zaurus and turn it back on,
> hotplug configures the usb0 interface properly and everything else
> works fine. Shorewall side of things seems to work fine.
>

Glad to hear it is working for you.

One more thing that I want to clear

In my original post, I asserted that Shorewall will be in a safe state after a start failure. I neglected to include that the state is determined by how the user has configured the "routestopped" file. So my assertion that the firewall couldn't have been wide open after the failed start attempt assumes that you had not enabled access from the internet in "routestopped". I certainly recommend against configuring Shorewall with access from the internet enabled in routestopped but there is nothing to prevent a user from doing that.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net