Hi all,

I'm working on a patch for shorewall to make it run with a Crossbeam X40 machine (www.crossbeamsystems.com) and I would like to know where to send it; is this list the correct location?

The patch is necessary because of the Crossbeam X series running mode: when you do a shorewall start, restart or clear, packets are dropped until shorewall is started or cleared. At that moment the CPM Crossbeam module sends a reset signal to the APM module (where the Linux system is running shorewall). With this patch, if you declare CROSSBEAM=yes in shorewall.conf, shorewall will first set the main policies to ACCEPT, then setcontinue in the INPUT, FORWARD and OUTPUT chains, insert particular rules for the Crossbeam backbone, and finally set the main policies to DROP.

Also, some of our clients need to permit all new traffic during iptables compiling (shorewall start or restart) because they have a great number of zones and rules, so I have had to add a new configuration variable, POLICY_ACCEPT_STARTING. If it is set to 'Yes', then the DROP default policy will be added at the end of the compiling period.

Regards. cheer up, Tom!

--
Juan Jesús Prieto - Consultoría TI
jjprieto@eneotecnologia.com
http://www.eneotecnologia.com
---------------------------------------
fingerprint: BFC2 0370 7708 F800 0BEC 60A4 EC71 4BB1 CC85 99F5
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xCC8599F5
Juan J. Prieto wrote:
> I'm working on a patch for shorewall to make it run with a Crossbeam
> X40 machine (www.crossbeamsystems.com) and I would like to know where to
> send it, is this list the correct location?

Yes,

Thanks, Juan
-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi,

Here is the patch for shorewall-2.0 and 2.2.

Regards.

On Fri, 2005-05-20 at 10:25 -0700, Tom Eastep wrote:
> Juan J. Prieto wrote:
>
> > I'm working on a patch for shorewall to make it run with a Crossbeam
> > X40 machine (www.crossbeamsystems.com) and I would like to know where to
> > send it, is this list the correct location?
>
> Yes,
>
> Thanks, Juan
> -Tom

--
Juan Jesús Prieto - Consultoría TI

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall-shorewall-2.0.17-20050504.patch
Type: text/x-patch
Size: 4985 bytes
Url: http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050520/01f741a0/firewall-shorewall-2.0.17-20050504.bin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall-shorewall-2.2.5-20050520.patch
Type: text/x-patch
Size: 5632 bytes
Url: http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050520/01f741a0/firewall-shorewall-2.2.5-20050520.bin
Juan J. Prieto wrote:
> Hi,
>
> Here is the patch for shorewall-2.0 and 2.2.
>
> Regards.

Thanks, Juan

Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want to release it in 2.0 and 2.2.

-Tom
Juan J. Prieto wrote:
> Hi,
>
> Here is the patch for shorewall-2.0 and 2.2.

Juan -- Isn't a patch required for shorewall.conf also? Or do you want this feature to be undocumented?

Thanks,
-Tom
Hi Tom,

On Fri, 2005-05-20 at 10:57 -0700, Tom Eastep wrote:
> Juan J. Prieto wrote:
> > Hi,
> >
> > Here is the patch for shorewall-2.0 and 2.2.
>
> Juan -- Isn't a patch required for shorewall.conf also? Or do you want
> this feature to be undocumented?

Ok (sorry ;-)), I'll make a patch for shorewall.conf.

Regards.

--
Juan Jesús Prieto - Consultoría TI
Hi,

Here is the shorewall.conf patch. Enjoy ;-) !

On Fri, 2005-05-20 at 10:57 -0700, Tom Eastep wrote:
> Juan J. Prieto wrote:
> > Hi,
> >
> > Here is the patch for shorewall-2.0 and 2.2.
>
> Juan -- Isn't a patch required for shorewall.conf also? Or do you want
> this feature to be undocumented?
>
> Thanks,
> -Tom

--
Juan Jesús Prieto - Consultoría TI

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall.conf-shorewall-2.2.5-20050520.patch
Type: text/x-patch
Size: 1973 bytes
Url: http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20050520/4ccb5f92/shorewall.conf-shorewall-2.2.5-20050520-0001.bin
Juan J. Prieto wrote:
> Hi,
>
> Here is the shorewall.conf patch.

Thanks, Juan!

-Tom
Juan J. Prieto wrote:
>
> Also, some of our clients need to permit all new traffic during
> iptables compiling (shorewall start or restart) because they have a
> great number of zones and rules, so I have had to add a new
> configuration variable POLICY_ACCEPT_STARTING. If it is set to 'Yes',
> then DROP default policy will be added at the end of compiling period.

I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of an option that opens the firewall completely like this one does.

I suspect that an option in shorewall.conf that works in conjunction with /etc/shorewall/routestopped would be more appropriate for both the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts listed in routestopped is now enabled during [re]start).

-Tom
Tom Eastep wrote:
> ...
> Thanks, Juan
>
> Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want
> to release it in 2.0 and 2.2.
> ...
> I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the
> POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of
> an option that opens the firewall completely like this one does.
>
> I suspect that an option in shorewall.conf that works in conjunction
> with /etc/shorewall/routestopped would be more appropriate for both
> the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts
> listed in routestopped is now enabled during [re]start).

It seems to me that both of these are very similar circumstances to my issue a few weeks/months back about restarting shorewall on a high-availability firewall running heartbeat. In that case, it seems that a more general approach that works in conjunction with routestopped would be warranted. Once we get CVS converted over to sf.net, I'll do a bit of work on integrating them.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Most email-borne viruses use a false sender address, so you cannot track down the sender using that address. Instead, keep your virus scanning software up-to-date and just delete any suspicious emails you receive.
Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>> Thanks, Juan
>>
>> Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want
>> to release it in 2.0 and 2.2.
>> ...
>> I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the
>> POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of
>> an option that opens the firewall completely like this one does.
>>
>> I suspect that an option in shorewall.conf that works in conjunction
>> with /etc/shorewall/routestopped would be more appropriate for both
>> the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts
>> listed in routestopped is now enabled during [re]start).
>
> It seems to me that both of these are very similar circumstances to my
> issue a few weeks/months back about restarting shorewall on a
> high-availability firewall running heartbeat. In that case, it seems
> that a more general approach that works in conjunction with routestopped
> would be warranted. Once we get CVS converted over to sf.net, I'll do a
> bit of work on integrating them.

In -RC1, I extended the routestopped options to include 'source' and 'dest' to indicate that all traffic from or to a host or set of hosts respectively should be accepted. I'm not sure that my changes solve the entire problem that Juan's customers are seeing but I think that it is in the right direction. If folks on the list disagree, I'll back out that change in -RC2 and the new maintainers can decide how best to address this issue.

-Tom
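The "stay closed, allow only the listed hosts" approach Tom describes, as an added illustration that is not Shorewall's own code: a POSIX shell generator that emits the iptables commands for a transitional ruleset from a constructed routestopped-style file. The file layout (INTERFACE HOST OPTIONS), the reading of the 'source' and 'dest' options as "all traffic from / to the host is accepted in FORWARD", and the sample addresses are assumptions made for this example, not Shorewall's actual syntax or semantics. The point of contrast with POLICY_ACCEPT_STARTING is the ordering: every chain is set to DROP before a single exception is added, so the fully open window Tom objects to never exists.

```shell
#!/bin/sh
# Added example (not Shorewall's code): emit the iptables commands for a
# transitional routestopped-style ruleset that stays closed while the full
# ruleset is being compiled, instead of opening every policy to ACCEPT.

# Constructed sample in an assumed INTERFACE HOST OPTIONS layout.
#   "-"      host may talk to the firewall and to the other listed hosts only
#   "source" all traffic from the host is accepted (assumed meaning of the
#            -RC1 option described in the thread)
#   "dest"   all traffic to the host is accepted (same assumption)
ROUTESTOPPED_SAMPLE='# iface   host           options
eth0      192.0.2.10     -
eth0      192.0.2.11     source
eth1      198.51.100.5   dest'

# Print one iptables invocation; pipe the whole output to sh to apply it.
rule() {
    printf 'iptables %s\n' "$*"
}

# Emit the transitional ruleset. Ordering is the point: every chain is
# closed (policy DROP, then flushed) before any exception is added, so
# there is no interval in which the firewall accepts everything.
emit_transitional_rules() {
    rs="$1"
    for chain in INPUT FORWARD OUTPUT; do
        rule -P "$chain" DROP
        rule -F "$chain"
    done
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Listed hosts may reach the firewall itself, plus their per-host options.
    printf '%s\n' "$rs" | while read -r iface host opts; do
        case "$iface" in ''|\#*) continue ;; esac
        rule -A INPUT -i "$iface" -s "$host" -j ACCEPT
        rule -A OUTPUT -o "$iface" -d "$host" -j ACCEPT
        case "$opts" in
            *source*) rule -A FORWARD -i "$iface" -s "$host" -j ACCEPT ;;
        esac
        case "$opts" in
            *dest*) rule -A FORWARD -o "$iface" -d "$host" -j ACCEPT ;;
        esac
    done

    # Listed hosts may talk to each other (as Tom notes for 2.2.3 and later).
    hosts=$(printf '%s\n' "$rs" | awk '!/^#/ && NF { print $2 }')
    for a in $hosts; do
        for b in $hosts; do
            [ "$a" = "$b" ] && continue
            rule -A FORWARD -s "$a" -d "$b" -j ACCEPT
        done
    done
}

# Number of ACCEPT exceptions the transitional set would install: a quick
# way to see how narrow the window is before applying it.
count_accepts() {
    emit_transitional_rules "$1" | grep -c -- '-j ACCEPT'
}

# Dry run: print the commands rather than applying them.
emit_transitional_rules "$ROUTESTOPPED_SAMPLE"
```

Run it as-is to review the generated commands; on a real firewall the output would be piped to sh by the start/restart wrapper, and the compiled ruleset would replace it afterwards. The sample produces 16 ACCEPT exceptions against three DROP policies, versus the unbounded exposure of setting the policies themselves to ACCEPT.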
Hi,

On Fri, 2005-05-20 at 12:48 -0700, Tom Eastep wrote:
> Juan J. Prieto wrote:
> >
> > Also, some of our clients need to permit all new traffic during
> > iptables compiling (shorewall start or restart) because they have a
> > great number of zones and rules, so I have had to add a new
> > configuration variable POLICY_ACCEPT_STARTING. If it is set to 'Yes',
> > then DROP default policy will be added at the end of compiling period.
>
> I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the
> POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of an
> option that opens the firewall completely like this one does.

Ok, I understand and I agree with you. In fact, I warned my clients that it is a security hole, so they use it at their own risk. But they insist on such a feature. Anyway, I agree not to include such a feature in the standard shorewall distribution.

Tom, do you need me to give you a hand in some development line?

Regards.

--
Juan Jesús Prieto - Consultoría TI
Juan J. Prieto wrote:
>
> Tom, do you need me to give you a hand in some development line?

Juan,

Once I deliver 2.4.0 final, I will be out of the Shorewall project completely. It is up to you if you wish to help the other folks on this list continue to develop Shorewall.

Thanks,
-Tom