Paul Gear
2004-Jan-31 17:29 UTC
[Shorewall-devel] Re: [Shorewall-announce] Shorewall 2.0.0 Alpha 1
Tom Eastep wrote:> ... > Issues when migrating from Shorewall to Shorewall2: > > 1) The ''dropunclean'' and ''logunclean'' interface options are no longer > supported. If either option is specified in > /etc/shorewall2/interfaces, an error message will be generated and > Shorewall2 will fail to start.May i suggest that this feature does not follow the principle of least surprise? I am presently running a 1.4.x firewall on 1.3.x configs (because i haven''t had a chance to go through & clean them up), and i have a working config because 1.4.x warns me about the 1.3.x directives, but ignores them and continues to work.> ... > 3) The HAVEROUTE column has been removed from > /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add > routes for Proxy ARP hosts. Use your distribution''s static route > capability to add these routes instead.I know that conceptually this is a good idea, but may i also suggest that it is in conflict with shorewall''s goal of "making iptables easy"? Since it is necessary to have both iptables entries and route entries for proxyarp, it is reasonable from the user perspective to have shorewall add routes. If you aren''t convinced by this argument, some working examples of this in the doco would be a good idea. Even though i go back to kernel 0.97, i have never added a proxyarp route, and might need some pointers. :-) (I know,: i should read the shorewall 1.4.x source and RTFM and work it out, but i''m trying to think of it from the point of view of a less experienced firewall maintainer.) -- Paul http://paulgear.webhop.net -- A: Because we read from top to bottom, left to right. Q: Why should i start my email reply *below* the quoted text? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040201/dcf2cc0a/signature.bin
http://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 ftp://shorewall.net/pub/shorewall/Alpha/shorewall-2.0.0 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Hmmm - those were sure Alpha-quality release notes. Let''s try again :-) (and please send corrections). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Jan-31 20:23 UTC
[Shorewall-devel] Re: [Shorewall-announce] Shorewall 2.0.0 Alpha 1
On Sun, 1 Feb 2004, Paul Gear wrote:> Tom Eastep wrote: > > ... > > Issues when migrating from Shorewall to Shorewall2: > > > > 1) The ''dropunclean'' and ''logunclean'' interface options are no longer > > supported. If either option is specified in > > /etc/shorewall2/interfaces, an error message will be generated and > > Shorewall2 will fail to start. > > May i suggest that this feature does not follow the principle of least > surprise? I am presently running a 1.4.x firewall on 1.3.x configs > (because i haven''t had a chance to go through & clean them up), and i > have a working config because 1.4.x warns me about the 1.3.x directives, > but ignores them and continues to work. >Remove them from your files -- it would have taken you much less time than it did to type the above paragraph. ''logdrop'' and ''logunclean'' were both brain dead to start with and now that netfilter support for them has been removed in the 2.6 kernels they should be allowed to die quietly.> > ... > > 3) The HAVEROUTE column has been removed from > > /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add > > routes for Proxy ARP hosts. Use your distribution''s static route > > capability to add these routes instead. > > I know that conceptually this is a good idea, but may i also suggest > that it is in conflict with shorewall''s goal of "making iptables easy"? > Since it is necessary to have both iptables entries and route entries > for proxyarp, it is reasonable from the user perspective to have > shorewall add routes. >> If you aren''t convinced by this argument, some working examples of this > in the doco would be a good idea. Even though i go back to kernel 0.97, > i have never added a proxyarp route, and might need some pointers. :-) > (I know,: i should read the shorewall 1.4.x source and RTFM and work it > out, but i''m trying to think of it from the point of view of a less > experienced firewall maintainer.)I will of course document how to add the appropriate route in RedHat, Mandrake, SuSE and Debian (the distros that I currently have access to). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Feb-01 08:44 UTC
[Shorewall-devel] Re: [Shorewall-announce] Shorewall 2.0.0 Alpha 1
On Saturday 31 January 2004 08:23 pm, Tom Eastep wrote:> On Sun, 1 Feb 2004, Paul Gear wrote: > > Tom Eastep wrote: > > > ... > > > 3) The HAVEROUTE column has been removed from > > > /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically > > > add routes for Proxy ARP hosts. Use your distribution''s static route > > > capability to add these routes instead. > > > > I know that conceptually this is a good idea, but may i also suggest > > that it is in conflict with shorewall''s goal of "making iptables easy"? > > Since it is necessary to have both iptables entries and route entries > > for proxyarp, it is reasonable from the user perspective to have > > shorewall add routes. > > > > > > If you aren''t convinced by this argument, some working examples of this > > in the doco would be a good idea. Even though i go back to kernel 0.97, > > i have never added a proxyarp route, and might need some pointers. :-) > > (I know,: i should read the shorewall 1.4.x source and RTFM and work it > > out, but i''m trying to think of it from the point of view of a less > > experienced firewall maintainer.) > > I will of course document how to add the appropriate route in RedHat, > Mandrake, SuSE and Debian (the distros that I currently have access to). >You can place the following in your /etc/shorewall[2]/start file: while read address interface external; do expandv address interface external run_ip route replace $address dev $interface done < $TMP_DIR/proxyarp This will add/replace "proxy arp routes" for all entries in your proxyarp file. Note: When the firewall script first processed the proxyarp file, it expanded all INCLUDE statements then stripped out all comments and placed the result in $TMP_DIR/proxyarp. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Feb-01 09:06 UTC
[Shorewall-devel] Re: [Shorewall-announce] Shorewall 2.0.0 Alpha 1
On Sunday 01 February 2004 08:44 am, Tom Eastep wrote:> > > > I will of course document how to add the appropriate route in RedHat, > > Mandrake, SuSE and Debian (the distros that I currently have access to). > > You can place the following in your /etc/shorewall[2]/start file: > > while read address interface external; do > expandv address interface external > run_ip route replace $address dev $interface > done < $TMP_DIR/proxyarp > > This will add/replace "proxy arp routes" for all entries in your proxyarp > file. Note: When the firewall script first processed the proxyarp file, it > expanded all INCLUDE statements then stripped out all comments and placed > the result in $TMP_DIR/proxyarp. >After I posted this it occurred to me that there may be another approach to this problem. The biggest objection that I have to the 1.4 implementation is that a "shorewall stop" causes the proxy arp routes to be deleted. What if I added a new shorewall.conf option which supports a setting such that once a proxy ARP route is added, Shorewall won''t touch it? While I still think that adding routes should be a function of bringing up a device and should not be associated with starting the firewall (you should be able to restart a device without having to restart the firewall), I can live with this alternative approach. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net