Shorewall devel - Jan 2004 - Shorewall 2.0.0 Alpha 1

Tom Eastep wrote:
> ...
> Issues when migrating from Shorewall to Shorewall2:
> 
> 1) The ''dropunclean'' and ''logunclean''
interface options are no longer
>    supported. If either option is specified in
>    /etc/shorewall2/interfaces, an error message will be generated and
>    Shorewall2 will fail to start.
May i suggest that this feature does not follow the principle of least
surprise?  I am presently running a 1.4.x firewall on 1.3.x configs
(because i haven''t had a chance to go through & clean them up), and
i
have a working config because 1.4.x warns me about the 1.3.x directives,
but ignores them and continues to work.
> ...
> 3) The HAVEROUTE column has been removed from
>    /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add
>    routes for Proxy ARP hosts. Use your distribution''s static
route
>    capability to add these routes instead.
I know that conceptually this is a good idea, but may i also suggest
that it is in conflict with shorewall''s goal of "making iptables
easy"?
 Since it is necessary to have both iptables entries and route entries
for proxyarp, it is reasonable from the user perspective to have
shorewall add routes.

If you aren''t convinced by this argument, some working examples of this
in the doco would be a good idea.  Even though i go back to kernel 0.97,
i have never added a proxyarp route, and might need some pointers.  :-)
 (I know,: i should read the shorewall 1.4.x source and RTFM and work it
out, but i''m trying to think of it from the point of view of a less
experienced firewall maintainer.)
-- 
Paul
http://paulgear.webhop.net
-- 
A: Because we read from top to bottom, left to right.
Q: Why should i start my email reply *below* the quoted text?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url :
http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040201/dcf2cc0a/signature.bin

http://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0
ftp://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hmmm - those were sure Alpha-quality release notes. Let''s try again :-)
(and
please send corrections).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Sun, 1 Feb 2004, Paul Gear wrote:
> Tom Eastep wrote:
> > ...
> > Issues when migrating from Shorewall to Shorewall2:
> >
> > 1) The ''dropunclean'' and
''logunclean'' interface options are no longer
> >    supported. If either option is specified in
> >    /etc/shorewall2/interfaces, an error message will be generated and
> >    Shorewall2 will fail to start.
>
> May i suggest that this feature does not follow the principle of least
> surprise?  I am presently running a 1.4.x firewall on 1.3.x configs
> (because i haven''t had a chance to go through & clean them
up), and i
> have a working config because 1.4.x warns me about the 1.3.x directives,
> but ignores them and continues to work.
>
Remove them from your files -- it would have taken you much less time than
it did to type the above paragraph.

''logdrop'' and ''logunclean'' were both brain
dead to start with and now that
netfilter support for them has been removed in the 2.6 kernels they should
be allowed to die quietly.
> > ...
> > 3) The HAVEROUTE column has been removed from
> >    /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically
add
> >    routes for Proxy ARP hosts. Use your distribution''s static
route
> >    capability to add these routes instead.
>
> I know that conceptually this is a good idea, but may i also suggest
> that it is in conflict with shorewall''s goal of "making
iptables easy"?
>  Since it is necessary to have both iptables entries and route entries
> for proxyarp, it is reasonable from the user perspective to have
> shorewall add routes.
>
> If you aren''t convinced by this argument, some working examples of
this
> in the doco would be a good idea.  Even though i go back to kernel 0.97,
> i have never added a proxyarp route, and might need some pointers.  :-)
>  (I know,: i should read the shorewall 1.4.x source and RTFM and work it
> out, but i''m trying to think of it from the point of view of a
less
> experienced firewall maintainer.)
I will of course document how to add the appropriate route in RedHat,
Mandrake, SuSE and Debian (the distros that I currently have access to).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Saturday 31 January 2004 08:23 pm, Tom Eastep wrote:
> On Sun, 1 Feb 2004, Paul Gear wrote:
> > Tom Eastep wrote:
> > > ...
> > > 3) The HAVEROUTE column has been removed from
> > >    /etc/shorewall2/proxyarp. Shorewall2 will no longer
automatically
> > > add routes for Proxy ARP hosts. Use your distribution''s
static route
> > > capability to add these routes instead.
> >
> > I know that conceptually this is a good idea, but may i also suggest
> > that it is in conflict with shorewall''s goal of "making
iptables easy"?
> >  Since it is necessary to have both iptables entries and route entries
> > for proxyarp, it is reasonable from the user perspective to have
> > shorewall add routes.
> >
> >
> > If you aren''t convinced by this argument, some working
examples of this
> > in the doco would be a good idea.  Even though i go back to kernel
0.97,
> > i have never added a proxyarp route, and might need some pointers. 
:-)
> >  (I know,: i should read the shorewall 1.4.x source and RTFM and work
it
> > out, but i''m trying to think of it from the point of view of
a less
> > experienced firewall maintainer.)
>
> I will of course document how to add the appropriate route in RedHat,
> Mandrake, SuSE and Debian (the distros that I currently have access to).
>
You can place the following in your /etc/shorewall[2]/start file:

	while read address interface external; do
    		expandv address interface external
    		run_ip route replace $address dev $interface
	done < $TMP_DIR/proxyarp

This will add/replace "proxy arp routes" for all entries in your
proxyarp
file. Note: When the firewall script first processed the proxyarp file, it 
expanded all INCLUDE statements then stripped out all comments and placed the 
result in $TMP_DIR/proxyarp.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Sunday 01 February 2004 08:44 am, Tom Eastep wrote:
> >
> > I will of course document how to add the appropriate route in RedHat,
> > Mandrake, SuSE and Debian (the distros that I currently have access
to).
>
> You can place the following in your /etc/shorewall[2]/start file:
>
> 	while read address interface external; do
>     		expandv address interface external
>     		run_ip route replace $address dev $interface
> 	done < $TMP_DIR/proxyarp
>
> This will add/replace "proxy arp routes" for all entries in your
proxyarp
> file. Note: When the firewall script first processed the proxyarp file, it
> expanded all INCLUDE statements then stripped out all comments and placed
> the result in $TMP_DIR/proxyarp.
>
After I posted this it occurred to me that there may be another approach to 
this problem. The biggest objection that I have to the 1.4 implementation is 
that a "shorewall stop" causes the proxy arp routes to be deleted.
What if I
added a new shorewall.conf option which supports a setting such that once a 
proxy ARP route is added, Shorewall won''t touch it?

While I still think that adding routes should be a function of bringing up a 
device and should not be associated with starting the firewall (you should be 
able to restart a device without having to restart the firewall), I can live 
with this alternative approach.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net