Tom Eastep
2004-Apr-09 13:38 UTC
[Shorewall-devel] Re: [Shorewall-users] Feature Request: Shorewall 2.0 LocalConfDir
Tom Eastep wrote:
> Stijn Jonker wrote:
>
>> Tom,
>>
>> But when heavily using actions, it still means a somewhat cluttered
>> shorewall directory, the following files are modified on my install
>> (rpm -q --verify shorewall)
>>
>> S.5....T c /etc/shorewall/actions
>> S.5....T c /etc/shorewall/interfaces
>> S.5....T c /etc/shorewall/masq
>> S.5....T c /etc/shorewall/modules
>> S.5....T c /etc/shorewall/params
>> S.5....T c /etc/shorewall/policy
>> S.5....T c /etc/shorewall/routestopped
>> S.5....T c /etc/shorewall/rules
>> S.5....T c /etc/shorewall/shorewall.conf
>> S.5....T c /etc/shorewall/tunnels
>> S.5....T c /etc/shorewall/zones
>>
>> Now add the 18 Actions (Services in my case) and rfc1918 (need to
>> exclude one /24 in 192.168), bogons (stupid allocation in friendly
>> net) would still leave me with 31 config files in /etc/shorewall; maybe
>> both is an option? (or /etc/shorewall/actions) only?
>>
>
> Ok -- how about a CONFIG_SEARCH option in shorewall.conf:
>
> For compatibility, the default value is:
>
> $SHOREWALL_DIR:/etc/shorewall/:/usr/share/shorewall
>
> SHOREWALL_DIR is the configuration directory specified by the -c command
> option or named explicitly in the 'try' command.
>

To those of you on the Development list that are not on the user's list: the question under discussion is whether there should be another directory such as /etc/shorewall/userconfig that is searched for Shorewall configuration files. I have proposed that Shorewall releases would package all configuration files in /usr/share/shorewall and that any modifications to those files should be accomplished by first copying the file to /etc/shorewall. Stijn countered with the post quoted above.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hello Thomas & others,

I recently upgraded from an ancient shorewall to 2.0.1, and I must say the upgrade was almost flawless. One of the greatest new features in 2.0 is the actions; I really like it, and as a result I created about 15 actions for different services etc. My /etc/shorewall directory is now somewhat cluttered; next to this I have a slightly modified rfc1918 and nobogons.

I think it would be useful to have a config option in shorewall.conf for a local config dir, which of course defaults to /etc/shorewall/, but I would like to set it to /etc/shorewall/localconfig/ so I can put the rfc1918, bogons and actions there.

What do you all think, is this a useful addition? If so I'll see if I can get a patch ready over the (long Easter) weekend.

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
>
> What do you all think, is this a useful addition? If so I'll see if I
> can get a patch ready over the (long Easter) weekend.
>

I favor a different approach and would have done it if I had thought of it before 2.0.0-RC1 was out. We discussed it on the LEAF development list recently so I'm including that list in my post.

I think that all of the shorewall configuration files should be released into /usr/share/shorewall and that only those that the user modifies go in /etc/shorewall/.

I'm willing to do that but it would mean that 2.1 would come out hot on the heels of 2.0 (it's a *big* change in the documentation so it would have to be a major release). I'd also be willing to waive the 2 major release support rule and continue to support 1.4 until 2.2 is released.

Opinions?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Friday 09 April 2004 15:50, Tom Eastep wrote:
>
> I'm willing to do that but it would mean that 2.1 would come out hot on
> the heels of 2.0 (it's a *big* change in the documentation so it would
> have to be a major release). I'd also be willing to waive the 2 major
> release support rule and continue to support 1.4 until 2.2 is released.
>
> Opinions?
>
> -Tom

Tom,

Well .. Then ... <Ducking> you would have to support three branches of Shorewall .. shorewall-legacy project anyone ??? .. (Could Not Help That) :-)

But the idea is well worth merit .. and certainly I would support it ..

Francesca
--
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore Maryland 21217
Francesca C. Smith wrote:
>
> Well .. Then ... <Ducking> you would have to support three branches of
> Shorewall ..

Yes -- given that 2.0 would consist of only 2.0.0 and 2.0.1, I think that I could bring myself to support 1.4, 2.0 and 2.1 :-)

>
> shorewall-legacy project anyone ??? .. (Could Not Help That) :-)
>

:-)

> But the idea is well worth merit .. and certainly I would support it ..

Thanks,
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom,

But when heavily using actions, it still means a somewhat cluttered shorewall directory; the following files are modified on my install (rpm -q --verify shorewall):

S.5....T c /etc/shorewall/actions
S.5....T c /etc/shorewall/interfaces
S.5....T c /etc/shorewall/masq
S.5....T c /etc/shorewall/modules
S.5....T c /etc/shorewall/params
S.5....T c /etc/shorewall/policy
S.5....T c /etc/shorewall/routestopped
S.5....T c /etc/shorewall/rules
S.5....T c /etc/shorewall/shorewall.conf
S.5....T c /etc/shorewall/tunnels
S.5....T c /etc/shorewall/zones

Now add the 18 Actions (Services in my case) and rfc1918 (need to exclude one /24 in 192.168), bogons (stupid allocation in friendly net) would still leave me with 31 config files in /etc/shorewall; maybe both is an option? (or /etc/shorewall/actions) only?

Tom Eastep said the following on 09-04-04 21:50:
> Stijn Jonker wrote:
>
>>
>> What do you all think, is this a useful addition? If so I'll see if
>> I can get a patch ready over the (long Easter) weekend.
>>
>
> I favor a different approach and would have done it if I had
> thought of it before 2.0.0-RC1 was out. We discussed it on the LEAF
> development list recently so I'm including that list in my post.
>
> I think that all of the shorewall configuration files should be released
> into /usr/share/shorewall and that only those that the user modifies go
> in /etc/shorewall/.
>
> I'm willing to do that but it would mean that 2.1 would come out hot on
> the heels of 2.0 (it's a *big* change in the documentation so it would
> have to be a major release). I'd also be willing to waive the 2 major
> release support rule and continue to support 1.4 until 2.2 is released.
>
> Opinions?
>
> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
> Tom,
>
> But when heavily using actions, it still means a somewhat cluttered
> shorewall directory, the following files are modified on my install (rpm
> -q --verify shorewall)
>
> S.5....T c /etc/shorewall/actions
> S.5....T c /etc/shorewall/interfaces
> S.5....T c /etc/shorewall/masq
> S.5....T c /etc/shorewall/modules
> S.5....T c /etc/shorewall/params
> S.5....T c /etc/shorewall/policy
> S.5....T c /etc/shorewall/routestopped
> S.5....T c /etc/shorewall/rules
> S.5....T c /etc/shorewall/shorewall.conf
> S.5....T c /etc/shorewall/tunnels
> S.5....T c /etc/shorewall/zones
>
> Now add the 18 Actions (Services in my case) and rfc1918 (need to
> exclude one /24 in 192.168), bogons (stupid allocation in friendly net)
> would still leave me with 31 config files in /etc/shorewall; maybe both
> is an option? (or /etc/shorewall/actions) only?
>

Ok -- how about a CONFIG_SEARCH option in shorewall.conf:

For compatibility, the default value is:

$SHOREWALL_DIR:/etc/shorewall/:/usr/share/shorewall

SHOREWALL_DIR is the configuration directory specified by the -c command option or named explicitly in the 'try' command.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom, sounds wonderful to me!

Tom Eastep said the following on 09-04-04 22:34:
> Stijn Jonker wrote:
>
>> Tom,
>>
>> But when heavily using actions, it still means a somewhat cluttered
>> shorewall directory, the following files are modified on my install
>> (rpm -q --verify shorewall)
>>
>> S.5....T c /etc/shorewall/actions
>> S.5....T c /etc/shorewall/interfaces
>> S.5....T c /etc/shorewall/masq
>> S.5....T c /etc/shorewall/modules
>> S.5....T c /etc/shorewall/params
>> S.5....T c /etc/shorewall/policy
>> S.5....T c /etc/shorewall/routestopped
>> S.5....T c /etc/shorewall/rules
>> S.5....T c /etc/shorewall/shorewall.conf
>> S.5....T c /etc/shorewall/tunnels
>> S.5....T c /etc/shorewall/zones
>>
>> Now add the 18 Actions (Services in my case) and rfc1918 (need to
>> exclude one /24 in 192.168), bogons (stupid allocation in friendly
>> net) would still leave me with 31 config files in /etc/shorewall; maybe
>> both is an option? (or /etc/shorewall/actions) only?
>>
>
> Ok -- how about a CONFIG_SEARCH option in shorewall.conf:
>
> For compatibility, the default value is:
>
> $SHOREWALL_DIR:/etc/shorewall/:/usr/share/shorewall
>
> SHOREWALL_DIR is the configuration directory specified by the -c command
> option or named explicitly in the 'try' command.
>
> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
On Friday 09 April 2004 15:50, Tom Eastep wrote:
> I'd also be willing to waive the 2 major
> release support rule and continue to support 1.4 until 2.2 is released.

Of course I never read the whole post .. Just run to the Jokes ...

Happy Easter .. And Passover .. I Had Better Stay Away From Computers

Francesca
--
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore Maryland 21217
Tom Eastep
2004-Apr-09 20:42 UTC
Re: [Shorewall-users] Feature Request: Shorewall 2.0 LocalConfDir
Tom Eastep wrote:
>>
>
> Ok -- how about a CONFIG_SEARCH option in shorewall.conf:
>
> For compatibility, the default value is:
>
> $SHOREWALL_DIR:/etc/shorewall/:/usr/share/shorewall
>
> SHOREWALL_DIR is the configuration directory specified by the -c command
> option or named explicitly in the 'try' command.
>

The nice thing about this proposal is that I could implement it now in a minor release and we could hold off until next year to implement the more radical proposal (no files released directly to /etc/shorewall).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2004-Apr-10 02:53 UTC
Re: [Shorewall-devel] Re: Feature Request: Shorewall 2.0 LocalConfDir
Tom Eastep wrote:
>
> The nice thing about this proposal is that I could implement it now in a
> minor release and we could hold off until next year to implement the
> more radical proposal (no files released directly to /etc/shorewall).
>

The code in CVS (Shorewall2/) supports this notion. Be sure to check the release notes since the implementation is slightly different from what I originally proposed.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Stijn Jonker
2004-Apr-10 09:09 UTC
Re: [Shorewall-devel] Re: Feature Request: Shorewall 2.0 LocalConfDir
Tom and others,

Tom Eastep said the following on 10-04-04 04:53:
> Tom Eastep wrote:
>
>>
>> The nice thing about this proposal is that I could implement it now in
>> a minor release and we could hold off until next year to implement the
>> more radical proposal (no files released directly to /etc/shorewall).

That's true of course, and saves you from maintaining too many versions.

>>
>
> The code in CVS (Shorewall2/) supports this notion. Be sure to check the
> release notes since the implementation is slightly different from what I
> originally proposed.

It works fine here after a small modification in "firewall" on line 5757:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
/usr/share/shorewall/firewall: line 5757: [: missing `]'

firewall:5757
[ -n "$CONFIG_PATH"] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
changed it to:
[ -n "$CONFIG_PATH" ] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

Maybe it has to do with the version of sh/bash:

sh --version
GNU bash, version 2.05b.0(1)-release (i386-redhat-linux-gnu)
Copyright (C) 2002 Free Software Foundation, Inc.

This is on Fedora Core #1 with all updates applied.

Thanks for the quick update.

Stijn

> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Tom Eastep
2004-Apr-10 14:28 UTC
Re: [Shorewall-devel] Re: Feature Request: Shorewall 2.0 LocalConfDir
Stijn Jonker wrote:
>
> It works fine here after a small modification in "firewall" on line 5757:
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> /usr/share/shorewall/firewall: line 5757: [: missing `]'
>
> firewall:5757
> [ -n "$CONFIG_PATH"] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> changed it to:
> [ -n "$CONFIG_PATH" ] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>
> Maybe it has to do with the version of sh/bash:

Just a plain ordinary bug -- thanks. I've updated CVS with the correction.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
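The CONFIG_PATH search proposed in this thread and the corrected default from Stijn's fix, worked through as an added POSIX shell example (not Shorewall's own code): it defaults CONFIG_PATH the way the fixed line does, resolves a file to the first directory in the list that contains it, and shows how a user copy in the etc directory shadows the packaged one further down the path. The demo tree, its directory names and the function names are constructed stand-ins for /etc/shorewall and /usr/share/shorewall.

```shell
#!/bin/sh
# Added example, not Shorewall code. Models the CONFIG_PATH lookup from
# the thread: a colon-separated list of directories searched in order.

# Default CONFIG_PATH exactly as the corrected firewall line does it.
# The space before ']' matters: "$CONFIG_PATH"] is one word, so '[' sees
# no closing bracket and fails with "[: missing `]'" as reported.
set_default_config_path() {
    [ -n "$CONFIG_PATH" ] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
    printf '%s\n' "$CONFIG_PATH"
}

# Print the path of $1 in the first CONFIG_PATH directory holding it.
# Returns 1 if no directory in the list contains the file.
find_config_file() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $CONFIG_PATH; do
        if [ -f "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Constructed demo: "etc" stands in for /etc/shorewall (user-modified
# files), "share" for /usr/share/shorewall (packaged files). The user's
# rfc1918 copy wins over the packaged one because its directory is first.
demo_lookup() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/etc" "$_tmp/share"
    printf 'packaged\n' > "$_tmp/share/rules"
    printf 'packaged\n' > "$_tmp/share/rfc1918"
    printf 'local\n'    > "$_tmp/etc/rfc1918"
    CONFIG_PATH="$_tmp/etc:$_tmp/share"
    _r1=$(find_config_file rfc1918)          # resolves under etc
    _r2=$(find_config_file rules)            # falls back to share
    find_config_file nosuchfile >/dev/null && _r3=found || _r3=missing
    rm -rf "$_tmp"
    printf '%s %s %s\n' "$(basename "$(dirname "$_r1")")" \
        "$(basename "$(dirname "$_r2")")" "$_r3"
}
```

Running `demo_lookup` prints `etc share missing`, which is the precedence a reviewer should confirm when a search path is added: an earlier directory silently overrides anything with the same name later in the list.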