Shortly after I release Shorewall 3.4.2, I will be issuing the first release of the new development thread which I'm calling Shorewall4.

I'm announcing the new product ahead of time so that people will have a chance to comment on the approach (and the product name) in advance of the initial release.

Shorewall4 is going to be a companion product to Shorewall. It will include a new compiler, written entirely in Perl.

Shorewall4 depends on Shorewall (3.4.2 or later). So if you want to use the new compiler, you must install both Shorewall and Shorewall4.

Even if you install Shorewall4, you have a choice of which compiler you use. The choice is specified in the shorewall.conf file so you can select the compiler to use on a system-by-system basis when running Shorewall Lite on remote systems.

I decided to make Shorewall4 a separate product for several reasons:

a) Embedded applications are unlikely to adopt Shorewall4; even Mini-Perl has a substantial disk and RAM footprint.

b) Because of the gross incompatibilities between the new compiler and the old (see below), migration to the new compiler must be voluntary.

c) By allowing Shorewall4 to co-exist with the current Shorewall stable release (3.4), I'm hoping that the new compiler will get more testing and validation than it would if I were to package it with a new development version of Shorewall itself.

d) Along the same vein, I think that users will be more likely to experiment with the new compiler if they can easily fall back to the old one if things get sticky.

The good news:

a) The compiler has a small disk footprint (although Perl is large).
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore; so the script is very fast.
d) Again -- use of the Perl compiler is optional! The old slow clunky Bourne-shell compiler will still be available and will be the default compiler.

The bad news:

There are a number of incompatibilities between the Perl-based compiler and the Bourne-shell one. Here are some of them (I'm still in the process of cataloging them).

a) The Perl-based compiler requires the following capabilities in your kernel and iptables:

   - addrtype match
   - conntrack match
   - extended multiport match

   These capabilities are available in current Linux distributions.

b) BRIDGING=Yes is not supported. The kernel code necessary to support this option was removed in Linux kernel 2.6.20 so it seems silly to spend time implementing support for it in a new compiler.

c) MAPOLDACTIONS=Yes is not supported. It's time to start using Macros if you haven't already.

d) The BROADCAST column in the interfaces file is essentially unused; if you enter anything in this column but '-' or 'detect', you will receive a warning (addrtype match is a much superior method of handling broadcasts and smurfs).

e) Because the compiler is now written in Perl, your compile-time extension scripts from earlier versions will no longer work. New compile-time extension scripts must be written in Perl.

f) Some run-time extension scripts are no longer supported because they make no sense (iptables-restore instantiates the new configuration atomically):

   continue
   initdone
   refresh
   refreshed

g) The 'refresh' command is now synonymous with 'restart'.

h) Currently, support for ipsets is untested. That will change with future releases but one thing is certain -- Shorewall is now out of the ipset load/reload business. Because the Netfilter ruleset is never cleared, there is no opportunity for Shorewall to load/reload your ipsets. So:

   i) Your ipsets must be loaded before Shorewall starts.
   ii) Your ipsets may not be reloaded until Shorewall is stopped or cleared.
   iii) If you specify ipsets in your routestopped file then Shorewall must be cleared in order to reload your ipsets.

As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf.

I welcome feedback and discussion,
-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
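As an added example (not part of the original announcement and not Shorewall's own code), a small Python pre-migration lint that flags the settings the list above says the Perl compiler rejects or ignores: BRIDGING=Yes, MAPOLDACTIONS=Yes, SAVE_IPSETS=Yes, a BROADCAST column other than '-' or 'detect', and the dropped run-time extension scripts. It assumes the ZONE INTERFACE BROADCAST OPTIONS column order of the 3.x interfaces file, and the sample inputs are constructed.

```python
"""Pre-migration lint for the Perl-based Shorewall compiler (constructed example).

Flags the shorewall.conf settings, interfaces-file BROADCAST values and
run-time extension scripts that the announcement lists as unsupported or
ignored by the Perl compiler.  File layouts and sample data are assumptions.
"""
import re
from typing import Dict, Iterable, List

# shorewall.conf settings the announcement says are rejected or ignored.
UNSUPPORTED_CONF = {
    "BRIDGING": "BRIDGING=Yes is not supported (kernel support removed in 2.6.20)",
    "MAPOLDACTIONS": "MAPOLDACTIONS=Yes is not supported; convert old actions to macros",
    "SAVE_IPSETS": "SAVE_IPSETS=Yes is ignored; load ipsets before Shorewall starts",
}

# Run-time extension scripts that no longer exist with iptables-restore.
DROPPED_EXTENSIONS = ("continue", "initdone", "refresh", "refreshed")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of shorewall.conf, dropping comments and quotes."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def lint(conf_text: str, interfaces_text: str,
         extension_scripts: Iterable[str]) -> List[str]:
    """Return one warning string per incompatibility found."""
    warnings: List[str] = []
    conf = parse_conf(conf_text)
    for key, message in UNSUPPORTED_CONF.items():
        if conf.get(key, "").lower() == "yes":
            warnings.append(f"shorewall.conf: {message}")
    # Assumed 3.x interfaces layout: ZONE INTERFACE BROADCAST OPTIONS.
    for lineno, line in enumerate(interfaces_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) >= 3 and cols[2] not in ("-", "detect"):
            warnings.append(f"interfaces line {lineno}: BROADCAST '{cols[2]}' "
                            "is unused; use '-' or 'detect'")
    for name in extension_scripts:
        if name in DROPPED_EXTENSIONS:
            warnings.append(f"/etc/shorewall/{name}: run-time extension "
                            "script is no longer supported")
    return warnings


# Constructed sample inputs, not taken from a real installation.
SAMPLE_CONF = """\
STARTUP_ENABLED=Yes
BRIDGING=Yes          # removed with the Perl compiler
MAPOLDACTIONS=No
SAVE_IPSETS="Yes"
"""
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,tcpflags
loc     eth1        192.168.1.255
dmz     eth2        -
"""
SAMPLE_SCRIPTS = ["params", "initdone", "started"]

if __name__ == "__main__":
    for warning in lint(SAMPLE_CONF, SAMPLE_INTERFACES, SAMPLE_SCRIPTS):
        print(warning)
```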
--- Tom Eastep <teastep@shorewall.net> wrote:

> I'm announcing the new product ahead of time so that
> people will have a chance to comment on the approach
> (and the product name) in advance of the initial release.

Just a thought, but considering the shorewall-lite package title format one may also call it shorewall-ng or shorewall-pl. I prefer package names without numbers, but that's just my opinion.
Vieri Di Paola wrote:
> --- Tom Eastep <teastep@shorewall.net> wrote:
>
>> I'm announcing the new product ahead of time so that
>> people will have a chance to comment on the approach
>> (and the product name) in advance of the initial release.
>
> Just a thought but considering the shorewall-lite
> package title format one may also call it shorewall-ng
> or shorewall-pl.
> I prefer package names without numbers but that's just
> my opinion.

Thanks, Vieri -- I suspected that the name was going to be the most contentious part of this discussion ;-)

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Historians believe that, on Sat 24 Mar 2007, Vieri Di Paola said:
> Just a thought but considering the shorewall-lite
> package title format one may also call it shorewall-ng
> or shorewall-pl.
> I prefer package names without numbers but that's just
> my opinion.

I agree.

The current stable branch is 3.4.0.

What about when it's 4.0.0?

People will get confused when you mention Shorewall4. They won't know if you're talking about the new generation of the compiler or about the whole Shorewall package.

I vote for shorewall-ng or something similar.

-- 
Henrique Cesar Ulbrich
henrique.ulbrich@gmail.com
Henrique Cesar Ulbrich wrote:
> Historians believe that,
> on Sat 24 Mar 2007, Vieri Di Paola said:
>> Just a thought but considering the shorewall-lite
>> package title format one may also call it shorewall-ng
>> or shorewall-pl.
>> I prefer package names without numbers but that's just
>> my opinion.
>
> I agree.
>
> The current stable branch is 3.4.0.
>
> What about when it's 4.0.0?
>
> People will get confused when you mention Shorewall4. They won't know if
> you're talking about the new generation of the compiler or about the whole
> Shorewall package.
>
> I vote for shorewall-ng or something similar.
>

Products that end in '-ng' typically replace the product with the same name but without the '-ng'. That isn't going to happen here. So I prefer 'shorewall-pl'.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Mar 24, 2007 at 11:37:39AM -0700, Tom Eastep wrote:
> Products that end in '-ng' typically replace the product with the same
> name but without the '-ng'. That isn't going to happen here. So I prefer
> 'shorewall-pl'.

Language-specific names are usually a bad idea in the long run. There's nothing about the new version that makes it fundamentally specific to perl, that's just an implementation detail. In the (distant) future, when somebody feels a desire to rewrite it again in a different language, they will be stuck with a gratuitous name change.

Perhaps 'shorewall-compiler' or something like that? That's the essential difference of this code, as far as I can see.
Andrew Suffield wrote:
>
> Perhaps 'shorewall-compiler' or something like that? That's the
> essential difference of this code, as far as I can see.
>

I disagree. Shorewall has included a compiler since Shorewall 3.2 so the fact that this product includes a compiler does not distinguish it from the original. It includes a different compiler, and the language in which that compiler is written is one of the key differences.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Mar 24, 2007 at 10:50:54AM -0700, Tom Eastep wrote:
> The good news:
>
> a) The compiler has a small disk footprint (although Perl is large).
> b) The compiler is very fast.
> c) The compiler generates a firewall script that uses iptables-restore;
> so the script is very fast.

Now that's nice. There are several more though:

- Shell-based parsers are, in a word, stupid. Their ability to parse anything other than character-and-newline-delimited lists is virtually non-existent, and syntax error handling is almost impossible. The new compiler can become a great deal less stupid and remove a lot of the old limits on what can be done (particularly with regards to features that happen entirely at compile-time, like macros).

- The code should be hugely simpler to understand (any non-trivial program written in shell spends half the code working around the limitations of shell), which makes it much more practical for random third parties like me to make minor changes. I've tried doing stuff with the shell version before, and gave up because it was just too much effort.

- perl -d

It also occurs to me that a new approach is going to be needed to replace the old 'shorewall trace'.
On Sat, Mar 24, 2007 at 08:58:54PM +0000, Andrew Suffield wrote:
>
> Perhaps 'shorewall-compiler' or something like that? That's the
> essential difference of this code, as far as I can see.
>

I don't like it. How about northwall, ridgewall, seawall or richwall? :-)

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Andrew Suffield wrote:
> On Sat, Mar 24, 2007 at 10:50:54AM -0700, Tom Eastep wrote:
>
> - The code should be hugely simpler to understand (any non-trivial
>   program written in shell spends half the code working around the
>   limitations of shell), which makes it much more practical for random
>   third parties like me to make minor changes. I've tried doing stuff
>   with the shell version before, and gave up because it was just too
>   much effort.

It's a lot of effort for me too and the code is getting very fragile; that makes it hard to add anything without breaking something else.

>
> - perl -d
>

Yes. Shorewall 3.4.2 supports -d (debug) and -p (profile) options to the 'compile' command.

> It also occurs to me that a new approach is going to be needed to
> replace the old 'shorewall trace'.

I've been thinking about that. I suspect that I'll have people package up their config directory and send it to me. I'll probably implement an /sbin/shorewall command to collect everything needed.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Shortly after I release Shorewall 3.4.2, I will be issuing the first release
> of the new development thread which I'm calling Shorewall4.
>
> I'm announcing the new product ahead of time so that people will have a
> chance to comment on the approach (and the product name) in advance of the
> initial release.
>
> Shorewall4 is going to be a companion product to Shorewall. It will include
> a new compiler, written entirely in Perl.
>
> Shorewall4 depends on Shorewall (3.4.2 or later). So if you want to use the
> new compiler, you must install both Shorewall and Shorewall4.

I've been thinking about this on and off, and one twisted logic process says you should call the new package Shorewall2 ! At the moment we have 'Shorewall' version 3.4.2, the new package would be 'Shorewall2' version 1.<something>.

I don't think that would be any less confusing than between Shorewall4 and Shorewall version 4 should the current version get a major update. I can think of a few commercial packages that have done something similar - going from 'X version 2.3' to 'X2 version 1.0'.

Better would be to avoid numeric suffixes that can be confused with version numbers, and if you don't like '-ng', how about '-new' ? shorewall-new in the same way as we have amavis-new. new-shorewall (or any other prefix) would be bad as it then wouldn't sort adjacent to shorewall when browsing package lists.
Simon Hobson wrote:
>
> I've been thinking about this on and off, and one twisted logic
> process says you should call the new package Shorewall2 ! At the
> moment we have 'Shorewall' version 3.4.2, the new package would be
> 'Shorewall2' version 1.<something>.
>
> I don't think that would be any less confusing than between
> Shorewall4 and Shorewall version 4 should the current version get a
> major update. I can think of a few commercial packages that have done
> something similar - going from 'X version 2.3' to 'X2 version 1.0'.
>
> Better would be to avoid numeric suffixes that can be confused with
> version numbers, and if you don't like '-ng', how about '-new' ?
> shorewall-new in the same way as we have amavis-new. new-shorewall
> (or any other prefix) would be bad as it then wouldn't sort adjacent
> to shorewall when browsing package lists.

One point that keeps getting lost here is that the package that we are trying to name is an add-on to Shorewall; it does not replace Shorewall and you can't use it by itself (you must install it AND Shorewall). So something like shorewall-perl appeals to me.

- The new package includes Perl modules for parsing the various Shorewall configuration files.
- It includes a compiler built on top of those modules.

Shorewall will still work (and continue to work in future versions) if you don't install the new package (although most new features are likely to be added only in the new package).

Eventually, I might break Shorewall into three pieces:

- shorewall-common
- shorewall-shell
- shorewall-perl

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Eventually, I might break Shorewall into three pieces:
>
> - shorewall-common
> - shorewall-shell
> - shorewall-perl

Now that does make sense.
I completely agree. Even if you don't make the break out into 3 now, at least the shorewall-perl makes more sense than trying to have "parallel" version numbers (shorewall 3.4.2 and shorewall2 1.0 etc...).

Just my $0.02...

Joshua
--------------------------
Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: Simon Hobson <linux@thehobsons.co.uk>
Date: Wed, 28 Mar 2007 08:04:11
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Shorewall4

Tom Eastep wrote:
> Eventually, I might break Shorewall into three pieces:
>
> - shorewall-common
> - shorewall-shell
> - shorewall-perl

Now that does make sense.
Simon Hobson wrote:
> Tom Eastep wrote:
>
>> Eventually, I might break Shorewall into three pieces:
>>
>> - shorewall-common
>> - shorewall-shell
>> - shorewall-perl
>
> Now that does make sense.
>

At such time as I do this (maybe as early as Shorewall 4.0.0), I will be looking for someone else to take over the maintenance of shorewall-shell. Possibly one of the embedded distributions would be interested since those are likely to be the only users of the package going forward.

Over the next several weeks, I'm going to be testing shorewall-perl under Cygwin; Shorewall + Shorewall-perl running on a PC with Shorewall-lite running on small appliance firewalls might be attractive.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi all,

I have asked this question recently, but have received only 1 reply that I couldn't piece together in order to achieve what I need (block an IP range). At this point I'm confused -

1) do I use the "blacklist" file to list the range I want to block or do I use another file?
2) can I specify it as (example) 192.168.5.5-192.168.5.20 ?

My server is being hammered by spammers and all of the connections come from the same blocks (mostly class C). I'm running Shorewall V3 on Gentoo Linux.

Thanks
JohnyP
On Wed, Mar 28, 2007 at 09:00:19AM -0700, Tom Eastep wrote:
> Over the next several weeks, I'm going to be testing shorewall-perl under
> Cygwin; Shorewall + Shorewall-perl running on a PC with Shorewall-lite
> running on small appliance firewalls might be attractive.

Might be nice if you can get it to run on ActivePerl, without any unix environment - it's much easier than installing cygwin. But that might be a bigger job (and I've no idea who might use it).
Hi Tom,

Wanted to thank you for the recent post to help me with tcrules. I have all my firewalls with two ISPs and even the ones with one ISP working well. VoIP was my motive to learn this. Before, I stuck with the wondershaper which fit most of my needs.

I have been so busy lately, no time to read the list. I am amazed at the progress of Shorewall and its stability over the years. The new kernels and Shorewall blow me away nowadays. I have used most all the features in Shorewall with the exception of bridging.

Anyway, wanted to put my take on the name for Shorewall4. How about looking at the purpose for designing it. To me, after reading posts, it's for more speed and stability.

"Shorewall4speed" or "Shorewall4perl" "Shorewall4.pl" "Shorewall4gurus" "Shorewall plus" or "Shorewall enhanced" etc.

Thank you,
Mike
Tom Eastep wrote:
> Products that end in '-ng' typically replace the product with the same
> name but without the '-ng'. That isn't going to happen here. So I prefer
> 'shorewall-pl'.
>

I agree! And I add that:

1) extensions like "-ng" are mostly marketing extensions and Shorewall does not need marketing, does it? ;-)
2) a "new generation" software becomes very quickly "old generation", especially when it is tied to rapidly evolving things like iptables and the Linux kernel.

That said, I have no new names to suggest, but please, keep marketing far away from Shorewall!!!

Thank you.
Paolo