Rafał Dutko has just discovered a potentially serious bug in versions 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears.

A corrected firewall script for 1.3.1 is available at:

http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall
and
ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.1/firewall

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Wed, 19 Jun 2002, Bogdan wrote:

> It only works if I remove dial1, dial2 from the interfaces file, even with the new script.
> If I remove those dial zones from interfaces, will Shorewall work properly? I can't check if dialin1 and 2 work, because
> nobody is silly enough to call in at 3:00am from those groups.
> btw, the new install removes the symlink firewall; is this OK?

Yes -- that's fine.

What does your current /etc/shorewall/interfaces file look like?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
It only works if I remove dial1, dial2 from the interfaces file, even with the new script.
If I remove those dial zones from interfaces, will Shorewall work properly? I can't check if dialin1 and 2 work, because
nobody is silly enough to call in at 3:00am from those groups.
btw, the new install removes the symlink firewall; is this OK?

Bogdan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Bogdan" <bogdan@centre.net.au>
Sent: Wednesday, June 19, 2002 1:45 AM
Subject: Re: [Shorewall-users] Serious Bug found in Shorewall 1.3.x

> The attached firewall script correctly detects duplicate entries in the
> interfaces file; the old logic for doing that had a typo that prevented it
> from working.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep    \ http://www.shorewall.net
> ICQ: #60745924    \ teastep@shorewall.net
interfaces file:

    net    eth0    detect    norfc1918,routefilter,logunclean
    loc    eth1    detect    routestopped

hosts file:

    dial2    eth1:192.168.5.224/29
    loc      eth1:192.168.5.0/24
    dial1    eth1:192.168.6.0/24
    net      eth0:0.0.0.0/0

zones:

    net      Net      Internet
    loc      Local    Local networks
    dial1    Dial1    Dialin users zone
    dial2    Dial2    Dialin staff zone

Will that work?
What's the relation between the interfaces and hosts files?
I thought that you need to have every entry from zones in the interfaces file.

Bogdan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Bogdan" <bogdan@centre.net.au>
Cc: "shorewall-users" <shorewall-users@shorewall.net>
Sent: Wednesday, June 19, 2002 3:04 AM
Subject: Re: [Shorewall-users] Serious Bug found in Shorewall 1.3.x

> On Wed, 19 Jun 2002, Bogdan wrote:
>
> > It only works if I remove dial1, dial2 from the interfaces file, even with the new script.
> > If I remove those dial zones from interfaces, will Shorewall work properly? I can't check if dialin1 and 2 work, because
> > nobody is silly enough to call in at 3:00am from those groups.
> > btw, the new install removes the symlink firewall; is this OK?
> >
>
> Yes -- that's fine.
>
> What does your current /etc/shorewall/interfaces file look like?
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep    \ http://www.shorewall.net
> ICQ: #60745924    \ teastep@shorewall.net
>
On Wed, 19 Jun 2002, Bogdan wrote:

> interfaces file:
>
>     net    eth0    detect    norfc1918,routefilter,logunclean
>     loc    eth1    detect    routestopped
>
> hosts file:
>
>     dial2    eth1:192.168.5.224/29
>     loc      eth1:192.168.5.0/24
>     dial1    eth1:192.168.6.0/24
>     net      eth0:0.0.0.0/0
>

See my last post for the correct interfaces and hosts files. Two changes, though -- the interfaces entry for eth1 should be:

    -    eth1    192.168.5.233,192.168.5.255,192.168.6.255

and the hosts entry for dial2 should be as you have above.

> zones:
>
>     net      Net      Internet
>     loc      Local    Local networks
>     dial1    Dial1    Dialin users zone
>     dial2    Dial2    Dialin staff zone
>

Since dial2 is a subzone of loc, you need to have dial2 before loc in the zones file.

> Will that work?
> What's the relation between the interfaces and hosts files?

If you have an interface that connects to multiple zones, then you enter the zone as "-" in the interfaces file and you define those zones ENTIRELY in the hosts file.

> I thought that you need to have every entry from zones in the interfaces file.
>

No -- you can define zones completely in the hosts file.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
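The rules Tom lays out above (one entry per interface, "-" plus hosts for an interface that carries several zones, every zone declared, subzone before enclosing zone) are easy to get wrong by hand, and 1.3.0/1.3.1 did not complain. The checker below is an added example written for this page; it is not Shorewall's own code and it does not parse the real firewall script. It reads the three files in the column layout used in the thread, encodes only those four rules, and runs them over Bogdan's posted files, over a constructed interfaces file that repeats eth1 the way his first attempt apparently did, and over a version with Tom's two corrections applied. Dropping the "net eth0:0.0.0.0/0" hosts line in the corrected set is my assumption (net is already zoned on eth0 in interfaces); note that the checker applies Tom's "-" rule to every interface, so that line is reported on the posted config as well.

```python
"""Cross-check a Shorewall 1.3-style interfaces / hosts / zones trio.

Added example, not Shorewall's own code.  Rules, all from the thread:
  1. an interface appears only once in interfaces;
  2. an interface connecting several zones is "-" in interfaces and those
     zones are defined entirely in hosts;
  3. every zone named in interfaces or hosts is declared in zones;
  4. a subzone (hosts subnet inside another zone's subnet on the same
     interface) is listed before its enclosing zone in zones.
Columns assumed: interfaces = ZONE INTERFACE BROADCAST [OPTIONS];
hosts = ZONE INTERFACE:ADDRESS [OPTIONS]; zones = ZONE DISPLAY COMMENT.
"""
import ipaddress
from collections import Counter


def parse(text):
    """Split each non-blank, non-comment line into whitespace-separated fields."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check(interfaces, hosts, zones):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    zone_order = [row[0] for row in parse(zones)]
    declared = set(zone_order)
    iface_rows, host_rows = parse(interfaces), parse(hosts)

    # rule 1: duplicate interface lines (1.3.0/1.3.1 silently honoured only the first)
    for iface, n in sorted(Counter(row[1] for row in iface_rows).items()):
        if n > 1:
            problems.append(f"interface {iface} listed {n} times in interfaces")

    # rule 3: undeclared zones ("-" in interfaces is a placeholder, not a zone)
    for src, rows in (("interfaces", iface_rows), ("hosts", host_rows)):
        for row in rows:
            if row[0] != "-" and row[0] not in declared:
                problems.append(f"zone {row[0]} ({src}) not declared in zones")

    # rule 2: an interface zoned in interfaces must not also carry zones in hosts
    iface_zone = {row[1]: row[0] for row in iface_rows}
    nets, clash = [], set()          # nets: (zone, interface, network) from hosts
    for row in host_rows:
        if ":" not in row[1]:
            problems.append(f"hosts entry for {row[0]} lacks INTERFACE:ADDRESS: {row[1]}")
            continue
        iface, addr = row[1].split(":", 1)
        if iface not in iface_zone:
            problems.append(f"hosts uses {iface}, which is not in interfaces")
        elif iface_zone[iface] != "-":
            clash.add((iface, iface_zone[iface]))
        nets.append((row[0], iface, ipaddress.ip_network(addr, strict=False)))
    for iface, zone in sorted(clash):
        problems.append(f"{iface} is zone {zone} in interfaces but also carries zones "
                        f"in hosts; use '-' in interfaces and define them all in hosts")

    # rule 4: a subzone must precede its enclosing zone in the zones file
    for za, ia, na in nets:
        for zb, ib, nb in nets:
            if (za != zb and ia == ib and na != nb and na.subnet_of(nb)
                    and za in declared and zb in declared
                    and zone_order.index(za) > zone_order.index(zb)):
                problems.append(f"{za} ({na}) is a subzone of {zb} ({nb}) "
                                f"but is listed after it in zones")
    return problems


# Constructed reproduction of Bogdan's first attempt (dial zones also on eth1 in interfaces).
DUP_INTERFACES = """
net   eth0 detect norfc1918,routefilter,logunclean
loc   eth1 detect routestopped
dial1 eth1 detect
dial2 eth1 detect
"""
# The three files as Bogdan posted them.
INTERFACES_AS_POSTED = "net eth0 detect norfc1918,routefilter,logunclean\nloc eth1 detect routestopped\n"
HOSTS_AS_POSTED = "dial2 eth1:192.168.5.224/29\nloc eth1:192.168.5.0/24\ndial1 eth1:192.168.6.0/24\nnet eth0:0.0.0.0/0\n"
ZONES_AS_POSTED = "net Net Internet\nloc Local Local networks\ndial1 Dial1 Dialin users zone\ndial2 Dial2 Dialin staff zone\n"
# Tom's corrections applied: eth1 as "-" with his broadcast list, dial2 ahead of loc.
# Dropping the hosts line for net is my assumption (net is already zoned on eth0).
INTERFACES_FIXED = "net eth0 detect norfc1918,routefilter,logunclean\n-   eth1 192.168.5.233,192.168.5.255,192.168.6.255\n"
HOSTS_FIXED = "dial2 eth1:192.168.5.224/29\nloc eth1:192.168.5.0/24\ndial1 eth1:192.168.6.0/24\n"
ZONES_FIXED = "net Net Internet\ndial2 Dial2 Dialin staff zone\nloc Local Local networks\ndial1 Dial1 Dialin users zone\n"

if __name__ == "__main__":
    for label, trio in (("duplicate eth1", (DUP_INTERFACES, "", ZONES_AS_POSTED)),
                        ("as posted", (INTERFACES_AS_POSTED, HOSTS_AS_POSTED, ZONES_AS_POSTED)),
                        ("corrected", (INTERFACES_FIXED, HOSTS_FIXED, ZONES_FIXED))):
        print(label, "->", check(*trio) or "OK")
```

Run it as a script to see the three verdicts; the posted set yields one report per interface that is zoned in interfaces yet also used in hosts (eth0 and eth1) plus the dial2/loc ordering problem, the duplicate-eth1 set yields exactly the duplicate-entry report, and the corrected set yields none. The subnet containment test uses ipaddress.subnet_of, so it generalises to any nested-zone layout on an interface, not just the dial2-inside-loc case in the thread.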