I've uploaded 3.9.2.

ftp://shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.2/

With 3.9.1, I tried managing the Development branch just like it was a stable branch; patches, known_problems.txt updated with patch instructions, etc. Given the volume of problems being found in this early code, the amount of work that this approach generated was just too much. So I'm going to start issuing frequent full 3.9 releases and the known_problems.txt file will just refer the reader to the appropriate SVN revision where the problem is fixed.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Tom Eastep
2007-Apr-17 17:53 UTC
Re: [Shorewall-users] Please Disregard Shorewall-3.9.2 announcement
Tom Eastep wrote:
> I've uploaded 3.9.2.

Please disregard this announcement -- it was premature.

-Tom
Steven Jan Springl
2007-Apr-17 18:54 UTC
Re: Please Disregard Shorewall-3.9.2 announcement
On Tuesday 17 April 2007 18:53, Tom Eastep wrote:
> Tom Eastep wrote:
> > I've uploaded 3.9.2.
>
> Please disregard this announcement -- it was premature.
>
> -Tom

Tom

I am putting the final touches to a patch to Chains.pm for 3.9.2. Should I hold off submitting for the moment?

Steven.
Steven Jan Springl wrote:
> On Tuesday 17 April 2007 18:53, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> I've uploaded 3.9.2.
>> Please disregard this announcement -- it was premature.
>>
>> -Tom
> Tom
>
> I am putting the final touches to a patch to Chains.pm for 3.9.2. Should I
> hold off submitting for the moment.

The 'real' 3.9.2 is now available. So please check your patch against that version, Steven.

Thanks,
-Tom
Hello,

In the documentation it is written that Shorewall doesn't support multi-network bridges. Is it a limitation in the kernel, in iptables or in Shorewall? Is there a plan to support it?

Here is our problem: our provider routes us 2 class B and 3 class C networks. We want to put a bridge as a frontend between our provider's router and ours. For the moment we use FreeBSD and ipfw. These are very old versions. It supports multi-net bridges, but we want to use a firewall on Linux and something that we already know, such as Shorewall.

Thank you for your help.

Yves

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: 17 April 2007 15:18
Subject: Re: [Shorewall-users] Please Disregard Shorewall-3.9.2 announcement
Yves Bélanger wrote:
> Hello,
>
> In the documentation it is written that Shorewall
> doesn't support multi-network bridges.
>

What document are you referring to?

-Tom
I've uploaded 3.9.2 (again).

ftp://shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.2/

If you downloaded earlier, please check the md5 sums to be sure that you have the correct code:

576291efa43130004f5f16c5193b1267  shorewall-3.9.2-1.noarch.rpm
9da962081651ee8002812f258171906d  shorewall-3.9.2.tar.bz2
7cc712fd031ce895f2f84255fb124af4  shorewall-3.9.2.tgz
60a60338e63dc2e643fdcaf5e040f67f  shorewall-docs-html-3.9.2.tar.bz2
aa78c4bc6eef2c4c8b6677c0b42e49cb  shorewall-docs-html-3.9.2.tgz
b1fe621dbf44cabba94cff0e24aca233  shorewall-docs-xml-3.9.2.tar.bz2
790a5e1d75d5ebe3ac9b8c7b36b00307  shorewall-docs-xml-3.9.2.tgz
e14330cd52e71d46ecb940d45732ab8f  shorewall-lite-3.9.2-1.noarch.rpm
0ffda3cb7dd41f5066828b606e593ce8  shorewall-lite-3.9.2.tar.bz2
41c5d7ed239826f8050400f49dd637bc  shorewall-lite-3.9.2.tgz
2562447ab9b439ef495cebdb05645f69  shorewall-perl-3.9.2-1.noarch.rpm
1aeef18372e8ff8b719e1e54733d7b30  shorewall-perl-3.9.2.tar.bz2
567c5db6a41f4063e50cd070e95dac77  shorewall-perl-3.9.2.tgz
250abc86c8342130f210fc53176969c4  shorewall-shell-3.9.2-1.noarch.rpm
baf716742aab0cfc45798167290a6a78  shorewall-shell-3.9.2.tar.bz2
806dad236c4db0058dae6ac7110e4743  shorewall-shell-3.9.2.tgz

With 3.9.1, I tried managing the Development branch just like it was a stable branch; patches, known_problems.txt updated with patch instructions, etc. Given the volume of problems being found in this early code, the amount of work that this approach generated was just too much. So I'm going to start issuing frequent full 3.9 releases and the known_problems.txt file will just refer the reader to the appropriate SVN revision where the problem is fixed.

-Tom
http://www.shorewall.net/NewBridge.html

Sorry if I just read the book badly...

============================
There are several key differences in this setup and a normal Shorewall configuration:

a. The Shorewall system (the Bridge/Firewall) has only a single IP address even though it has two ethernet interfaces! The IP address is configured on the bridge itself, rather than on either of the network cards.
b. The systems connected to the LAN are configured with the router's IP address (192.168.1.254 in the above diagram) as their default gateway.
c. traceroute doesn't detect the Bridge/Firewall as an intermediate router.
d. If the router runs a DHCP server, the hosts connected to the LAN can use that server without having dhcrelay running on the Bridge/Firewall.

Warning

Inserting a bridge/firewall between a router and a set of local hosts only works if those local hosts form a single IP network. In the above diagram, all of the hosts in the loc zone are in the 192.168.1.0/24 network. If the router is routing between several local networks through the same physical interface (there are multiple IP networks sharing the same LAN), then inserting a bridge/firewall between the router and the local LAN won't work.

There are other possibilities here -- there could be a hub or switch between the router and the Bridge/Firewall and there could be other systems connected to that switch. All of the systems on the local side of the router would still be configured with IP addresses in 192.168.1.0/24 as shown below.
============================

Yves Belanger, ift.a.u.
Systems Administrator
Darius Technologies

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Cc: <belanger@dariustech.qc.ca>
Sent: 17 April 2007 15:50
Subject: Re: [Shorewall-users] Multi-network bridge
Yves Bélanger wrote:
>
> http://www.shorewall.net/NewBridge.html
>

It's a consequence of the way that IP over LANs interacts with the bridge.

ROUTER<-------->BRIDGE/FW<----->(hosts in 10.0.0.0/8 and in 192.168.1.0/24)

When a host in 10.0.0.0/8 sends a request to a host in 192.168.1.0/24, both the request and the reply traverse the bridge twice, once in one direction and once in the other.

This might actually work using the new bridging technique -- it can't possibly work using physdev (or at least firewalling becomes impossible using physdev).

-Tom
On Tuesday 17 April 2007 21:02, Tom Eastep wrote:
> I've uploaded 3.9.2 (again).

Tom

Testing of 3.9.2 has shown the following problems:

If a rule specifies a source or destination port of 0 for TCP or UDP it is ignored.

The test for the presence of a source or destination port if the protocol is not specified also ignores port 0.

A patch to fix these problems is attached. The patch also adds a check for the presence of source or destination ports if the protocol is not TCP, UDP or ICMP.

Steven
Steven Jan Springl wrote:
> On Tuesday 17 April 2007 21:02, Tom Eastep wrote:
>> I've uploaded 3.9.2 (again).
> Tom
>
> Testing of 3.9.2 has shown the following problems:
>
> If a rule specifies a source or destination port of 0 for TCP or UDP it is
> ignored.
>
> The test for the presence of a source or destination port if the protocol is
> not specified also ignores port 0.
>
> A patch to fix these problems is attached. The patch also adds a check for the
> presence of source or destination ports if the protocol is not TCP, UDP or
> ICMP.

Thanks, Steven. Applied.

-Tom
Tom

The following rule:

ACCEPT $FW lan tcp 22 - - - 10/15

generates the following iptables rule:

-A fw2lan -p tcp --dport 22 -m owner--uid-owner 10/15 -j ACCEPT

The space between owner and --uid-owner is missing.

Steven.
Tom

If the following rule is defined:

ACCEPT $FW lan tcp 22 - - - 0

the following iptables rule is generated:

-A fw2lan -p tcp --dport 22 -j ACCEPT

The -m owner is missing.

Steven.
Steven Jan Springl wrote:
> Tom
>
> The following rule:
>
> ACCEPT $FW lan tcp 22 - - - 10/15
>
> The following iptables rule is generated:
>
> -A fw2lan -p tcp --dport 22 -m owner--uid-owner 10/15 -j ACCEPT
>
> The space between owner and --uid-owner is missing.

Thanks!

Fix committed to SVN in rev 5995.

-Tom
Steven Jan Springl wrote:
> Tom
>
> If the following rule is defined:
>
> ACCEPT $FW lan tcp 22 - - - 0
>
> The following iptables rule is generated:
>
> -A fw2lan -p tcp --dport 22 -j ACCEPT
>
> The -m owner is missing.

Thanks. Fix committed to SVN in rev 5996.

-Tom
On Wednesday 18 April 2007 16:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > The following rule:
> >
> > ACCEPT $FW lan tcp 22 - - - 10/15
> >
> > The following iptables rule is generated:
> >
> > -A fw2lan -p tcp --dport 22 -m owner--uid-owner 10/15 -j ACCEPT
> >
> > The space between owner and --uid-owner is missing.
>
> Thanks!
>
> Fix committed to SVN in rev 5995.
>
> -Tom

Tom

It works now.

Steven.
On Wednesday 18 April 2007 16:51, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > If the following rule is defined:
> >
> > ACCEPT $FW lan tcp 22 - - - 0
> >
> > The following iptables rule is generated:
> >
> > -A fw2lan -p tcp --dport 22 -j ACCEPT
> >
> > The -m owner is missing.
>
> Thanks. Fix committed to SVN in rev 5996.
>
> -Tom

Tom

It works now. However, the following rule:

ACCEPT lan:192.168.0.2 $FW udp 0 0

produces the following iptables rule:

-A lan2fw -p udp -s 192.168.0.3 -j ACCEPT

Both source and destination ports are missing.

Steven.
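The three reports above (port 0 dropped, UID 0 dropped, the missing space before --uid-owner) are one class of compiler bug: a column whose value is "0" is a real value, but a truthiness test treats it like "-" (not given). The following is an added example written for this page, not Shorewall's own compiler code: a minimal rule-to-iptables renderer with a `buggy` switch that reproduces the truthiness test, beside the `is not None` check that fixes it. The column order, chain names and the shape of the emitted fragments follow the messages in this thread; the parser, the `uid/gid` split of the USER column and the helper names are this example's own assumptions.

```python
# Added example, not Shorewall's code: the "0 means absent" pitfall in a rule
# compiler.  "-" marks a column that was not given; "0" is a real value.
from typing import Any, Callable, Dict, Optional


def _num(col: str) -> Optional[int]:
    # "-" (or a missing trailing column) means "not specified"; "0" is a value
    return None if col in ("-", "") else int(col)


def parse_rule(line: str) -> Dict[str, Any]:
    """Columns, in the order the rules in this thread use:
    ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER[/GROUP]."""
    cols = line.split()
    cols += ["-"] * (9 - len(cols))          # pad absent trailing columns
    action, source, dest, proto, dport, sport, _origdest, _rate, user = cols[:9]
    uid = gid = None
    if user != "-":                          # "uid" or "uid/gid" (assumed syntax)
        head, _, tail = user.partition("/")
        uid = int(head)
        gid = int(tail) if tail else None
    return {"action": action, "source": source, "dest": dest,
            "proto": None if proto == "-" else proto,
            "dport": _num(dport), "sport": _num(sport), "uid": uid, "gid": gid}


def _zone(spec: str) -> str:
    return "fw" if spec == "$FW" else spec.split(":", 1)[0]


def _host(spec: str) -> Optional[str]:
    return spec.split(":", 1)[1] if ":" in spec else None


def compile_rule(line: str, *, buggy: bool = False) -> str:
    """Render one rule as an iptables -A command.

    buggy=True tests each optional value for truthiness (`if value:`), so a
    port 0 or UID 0 vanishes exactly as reported in the thread; the default
    tests `is not None`, which is what "was this column given?" means.
    """
    r = parse_rule(line)
    given: Callable[[Optional[int]], bool] = (
        (lambda v: bool(v)) if buggy else (lambda v: v is not None))
    parts = ["-A", f"{_zone(r['source'])}2{_zone(r['dest'])}"]
    if r["proto"]:
        parts += ["-p", r["proto"]]
    if given(r["dport"]):
        parts += ["--dport", str(r["dport"])]
    if given(r["sport"]):
        parts += ["--sport", str(r["sport"])]
    for flag, spec in (("-s", r["source"]), ("-d", r["dest"])):
        host = _host(spec)
        if host:
            parts += [flag, host]
    if given(r["uid"]) or given(r["gid"]):
        parts += ["-m", "owner"]             # its own token: the space the reported bug dropped
        if given(r["uid"]):
            parts += ["--uid-owner", str(r["uid"])]
        if given(r["gid"]):
            parts += ["--gid-owner", str(r["gid"])]
    parts += ["-j", r["action"]]
    return " ".join(parts)
```

Running `compile_rule("ACCEPT lan:192.168.0.2 $FW udp 0 0", buggy=True)` yields a rule with no port match at all, while the default mode emits `--dport 0 --sport 0`; the same switch decides whether `ACCEPT $FW lan tcp 22 - - - 0` gets its `-m owner --uid-owner 0`. Building the command from a token list rather than string concatenation is what makes the `owner--uid-owner` spacing bug impossible.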
Hello,

As I said, our provider gives us 2 class B and 3 class C networks.

Here is the configuration we want to have:

+-----+ ClassB1/24                     +------------+
|     |       +-----------+            |            |
| ISP +-------+ Shorewall +------------+  Backbone  |
|     | .1    +-----------+   .254     |   Router   |
+-----+                                |            |
                                       +------------+
                                       ClassB1/16
                                       ClassB2/16
                                       ClassC1/24
                                       ClassC2/24
                                       ClassC3/24

So, there are no systems on both sides with the same subnet except for ClassB1, which is used to route the other subnets.

Will it work then?

Thank you very much.

Yves Belanger, ift.a.u.
Systems Administrator
Darius Technologies

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: 17 April 2007 16:16
Subject: Re: [Shorewall-users] Multi-network bridge
Yves Bélanger wrote:
> Hello,
>
> As I said, our provider gives us 2 class B and 3 class C
> networks.
>
> Here is the configuration we want to have:
>
> +-----+ ClassB1/24                     +------------+
> |     |       +-----------+            |            |
> | ISP +-------+ Shorewall +------------+  Backbone  |
> |     | .1    +-----------+   .254     |   Router   |
> +-----+                                |            |
>                                        +------------+
>                                        ClassB1/16
>                                        ClassB2/16
>                                        ClassC1/24
>                                        ClassC2/24
>                                        ClassC3/24
>
> So, there are no systems on both sides with the same
> subnet except for ClassB1, which is used to route
> the other subnets.
>
> Will it work then?

Yes, it should work.

-Tom
Tom

Both the %dropInvalid and dropInvalid built-in chains specify -j REJECT instead of -j DROP.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Both the %dropInvalid and dropInvalid built-in chains specify -j REJECT instead
> of -j DROP.
>

Thanks, Steven

Fix is in SVN rev 6005.

-Tom
Just reading through this thread, it struck me that perhaps it would be a good idea to write unit tests for Shorewall, especially with the advent of the shorewall-perl version. Perhaps it'd be a good idea to specify what behavior is expected from each rule in a machine-checkable way, so that it's easy to verify that changes in one area don't affect other functions. Test::Unit might be a good choice for this. I'd be interested in helping with this some after May is over, when I'm on summer vacation.

Anyways, just a thought. Let me know what you think.

Will
Will Murnane wrote:
> Just reading through this thread, it struck me that perhaps it would
> be a good idea to write unit tests for Shorewall, especially with the
> advent of the shorewall-perl version. Perhaps it'd be a good idea to
> specify what behavior is expected from each rule in a
> machine-checkable way, so that it's easy to verify that changes in one
> area don't affect other functions.

I agree, Will. I have gathered a set of configurations which I run new versions of the compiler against (and compare the output) but my testing is neither systematic nor complete.

> Test::Unit might be a good choice
> for this. I'd be interested in helping with this some after May is
> over, when I'm on summer vacation.
>
>

I would welcome your help.

Thanks!
-Tom
Tom

The following rule:

ACCEPT:warn lan:~00-11-22-33-44-55 $FW tcp 23

produces the following error:

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Chains.pm line 857, <$currentfile> line 22.

I am using Chains.pm REV 6009.

Steven
Steven Jan Springl wrote:
> Tom
>
> The following rule:
>
> ACCEPT:warn lan:~00-11-22-33-44-55 $FW tcp 23
>
> produces the following error:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 857, <$currentfile>
> line 22.
>
> I am using Chains.pm REV 6009.

Fixed in REV 6010.

Thanks,
-Tom
Tom

The following rules:

CONTINUE lan:192.168.0.0/24,!192.168.0.3 $FW tcp 23
ACCEPT lan:192.168.0.0/24 $FW tcp 21

produce the following iptables rules:

-A lan2fw -p tcp --dport 23 -s 192.168.0.0/24 -j exc10
-A lan2fw -p tcp -dport 21 -j ACCEPT

-A exc10 -s 192.168.0.3 -j RETURN
-A exc10 -j RETURN

It appears to me that no matter what the source IP address is, the CONTINUE is not performed, as both iptables rules in the exc10 chain will return to the lan2fw chain.

The policy file contains:

fw all ACCEPT
all all DROP warn

The zones file contains:

fw firewall
lan ipv4

Steven.
On Wed, Apr 18, 2007 at 02:11:54PM -0700, Tom Eastep wrote:
> Will Murnane wrote:
> > Just reading through this thread, it struck me that perhaps it would
> > be a good idea to write unit tests for Shorewall, especially with the
> > advent of the shorewall-perl version. Perhaps it'd be a good idea to
> > specify what behavior is expected from each rule in a
> > machine-checkable way, so that it's easy to verify that changes in one
> > area don't affect other functions.
>
> I agree, Will. I have gathered a set of configurations which I run new
> versions of the compiler against (and compare the output) but my testing is
> neither systematic nor complete.

That much at least is easily improved - at least the systematic part. In my past experiences with writing compiler-like things, I have found a simple automatic diff-based testing mechanism to make an excellent first cut - it may not be as precise as unit testing, but it's disgustingly easy and catches a lot of regressions, for a very small expenditure of effort compared to any other methods of testing.

Quickly hacked-together implementation attached, running inside the shorewall-perl source tree. Stick all your test configurations in directories named t/*.t (I've included the sample one-interface configuration here), and edit shorewall.conf to set

CONFIG_PATH=${TEST_DIR}:${TEST_ROOT}/etc

rather than the default. Then run ./run-tests in t/. The first time it sees a directory, it'll save compiler.pl's output as firewall.baseline and firewall.conf.baseline. Otherwise, it checks that the new output matches the baseline, and fails with a diff if it doesn't. If the changes are expected, simply delete the relevant baseline and run it again.

I did a few basic hacks to ignore changes to prog.*, lib.*, and comments.

It runs independently of shorewall itself - only the perl compiler is under test here, so everything else is replaced with stub files located in t/sharedir and t/etc.

(I spent less than 30 minutes on this, so it's not very pretty, but the point of this sort of testing is minimum-effort)
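The baseline-diff scheme Andrew describes (record the compiler's output the first time a case directory is seen, diff every later run against it, ignore comments and the prog.*/lib.* lines) is small enough to show in full. The block below is an added example written for this page, not Andrew's attached run-tests script or anything from the Shorewall tree. It keeps the t/*.t layout and the firewall.baseline file name from his message; the compiler is passed in as a callable, and a stand-in compiler over a constructed one-line rules file replaces compiler.pl so the harness runs with nothing installed. The stand-in's `owner_sep` knob reinjects the missing-space bug reported earlier in this thread, purely to show the harness catching a regression; the normalisation regex, function names and file layout inside each case are this example's own assumptions.

```python
# Added example, not Andrew's attached script: the baseline-diff harness in
# Python, with a stand-in "compiler" so it runs without Shorewall installed.
import difflib
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Lines the comparison ignores: comments, and the prog.*/lib.* boilerplate
# Andrew's script also skips.  (The pattern is this example's own.)
IGNORE = re.compile(r"^\s*(#|prog\.|lib\.)")

Compiler = Callable[[Path], str]   # case directory -> generated firewall script


def normalise(text: str) -> List[str]:
    return [ln for ln in text.splitlines() if not IGNORE.match(ln)]


def check_case(case_dir: Path, compile_fn: Compiler,
               baseline_name: str = "firewall.baseline") -> Dict[str, str]:
    """First run records a baseline; later runs diff against it.
    Returns {"status": "baseline" | "pass" | "fail", "diff": unified diff}."""
    output = compile_fn(case_dir)
    baseline = case_dir / baseline_name
    if not baseline.exists():
        baseline.write_text(output)
        return {"status": "baseline", "diff": ""}
    want, got = normalise(baseline.read_text()), normalise(output)
    if want == got:
        return {"status": "pass", "diff": ""}
    diff = "\n".join(difflib.unified_diff(want, got, fromfile=str(baseline),
                                          tofile="new output", lineterm=""))
    return {"status": "fail", "diff": diff}


def run_tests(t_dir: Path, compile_fn: Compiler) -> Dict[str, str]:
    """Run every t/*.t case directory; map case name -> status."""
    return {d.name: check_case(d, compile_fn)["status"]
            for d in sorted(t_dir.glob("*.t")) if d.is_dir()}


def stand_in_compiler(case_dir: Path, owner_sep: str = " ") -> str:
    """Stand-in for compiler.pl: each line of the case's 'rules' file is
    ACTION CHAIN DPORT UID.  owner_sep="" reproduces the missing-space bug
    reported earlier in this thread, so the demo can show the harness catch it."""
    out = ["# generated by stand-in compiler"]          # comment: ignored by the diff
    for raw in (case_dir / "rules").read_text().splitlines():
        action, chain, dport, uid = raw.split()
        out.append(f"-A {chain} -p tcp --dport {dport} "
                   f"-m owner{owner_sep}--uid-owner {uid} -j {action}")
    return "\n".join(out) + "\n"


def demo() -> List[str]:
    """Baseline run, clean re-run, then a regressed compiler.
    Returns the three statuses for one constructed case directory."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "t" / "one-interface.t"
        case.mkdir(parents=True)
        (case / "rules").write_text("ACCEPT fw2lan 22 10\n")   # constructed input
        t_dir = case.parent
        statuses = [run_tests(t_dir, stand_in_compiler)["one-interface.t"],
                    run_tests(t_dir, stand_in_compiler)["one-interface.t"]]
        regressed = lambda d: stand_in_compiler(d, owner_sep="")
        statuses.append(run_tests(t_dir, regressed)["one-interface.t"])
        return statuses
```

`demo()` walks through the three states Andrew describes: the first run writes firewall.baseline and reports "baseline", an unchanged compiler reports "pass", and the compiler with the spacing regression reports "fail" with a unified diff pointing at the changed line. Deleting the baseline file is, as in his script, how an intentional change is accepted.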
Steven Jan Springl wrote:
> Tom
>
> The following rules:
>
> CONTINUE lan:192.168.0.0/24,!192.168.0.3 $FW tcp 23

That is actually an invalid rule -- the shell compiler flags it. The valid rule would be:

CONTINUE lan:192.168.0.0/24!192.168.0.3 $FW tcp 23

> ACCEPT lan:192.168.0.0/24 $FW tcp 21
>
> produces the following iptables rules:
>
> -A lan2fw -p tcp --dport 23 -s 192.168.0.0/24 -j exc10
> -A lan2fw -p tcp -dport 21 -j ACCEPT
>
> -A exc10 -s 192.168.0.3 -j RETURN
> -A exc10 -j RETURN
>
>
> It appears to me that no matter what the source IP address is, the CONTINUE is
> not performed, as both iptables rules in the exc10 chain will return to the
> lan2fw chain.

The shorewall-shell compiler generates similar code. Neither compiler can deal with exclusion in a CONTINUE rule :-(

-Tom
Andrew Suffield wrote:
>
> (I spent less than 30 minutes on this, so it's not very pretty, but
> the point of this sort of testing is minimum-effort)
>

Unfortunately, it will take me a lot longer than that to understand it. I'll try to get to it this weekend...

Thanks, Andrew...

-Tom
Tom Eastep wrote:
>
> That is actually an invalid rule -- the shell compiler flags it. The
> valid rule would be:
>
> CONTINUE lan:192.168.0.0/24!192.168.0.3 $FW tcp 23
>
> The shorewall-shell compiler generates similar code. Neither compiler
> can deal with exclusion in a CONTINUE rule :-(

And without new support from iptables (-j RETURN --level n), this rule is not possible to implement. So I've added logic to generate a fatal error on CONTINUE rules with non-trivial exclusion.

Change in rev 6014.

Thanks again, Steven

-Tom
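Why the exclusion cannot be compiled is easiest to see by running the generated chains. CONTINUE is a RETURN from the zone chain (lan2fw); the exclusion is implemented by jumping into a sub-chain (exc10) whose RETURN only gets back to lan2fw, one level short. The block below is an added example written for this page, not Shorewall's code: a small interpreter for iptables chain and RETURN semantics, fed the exact rules Steven posted. It models a hypothetical multi-level return as the target string "RETURN:2" to stand for the "-j RETURN --level n" that Tom notes iptables does not offer, and uses a placeholder target AFTER_LAN2FW for whatever Shorewall runs once lan2fw returns; the packet representation, chain layout around lan2fw and function names are this example's own assumptions.

```python
# Added example, not Shorewall's code: a small interpreter for iptables
# chain/RETURN semantics, run over the rules Steven posted, to show why an
# exclusion in a CONTINUE rule cannot be built from RETURN.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    match: Dict[str, str] = field(default_factory=dict)  # e.g. {"p": "tcp", "dport": "23"}
    target: str = "RETURN"       # ACCEPT/DROP, a user chain, RETURN, or "RETURN:n"


Chains = Dict[str, List[Rule]]


def _matches(match: Dict[str, str], pkt: Dict[str, object]) -> bool:
    for key, want in match.items():
        have = pkt.get(key)
        if key in ("s", "d"):       # address keys match against a network
            if ipaddress.ip_address(str(have)) not in ipaddress.ip_network(want, strict=False):
                return False
        elif str(have) != want:
            return False
    return True


def _walk(chains: Chains, name: str, pkt: Dict[str, object]) -> Tuple[str, int]:
    """Evaluate chain `name`.  Returns (verdict, levels): a terminal target with
    0, or "RETURN" with the number of chain frames still to unwind (1 = just
    back to the caller, which is all real iptables can do)."""
    for rule in chains[name]:
        if not _matches(rule.match, pkt):
            continue
        t = rule.target
        if t in chains:                               # jump into a user chain
            verdict, levels = _walk(chains, t, pkt)
            if verdict != "RETURN":
                return verdict, 0
            if levels > 1:                            # hypothetical multi-level RETURN passes through us
                return "RETURN", levels - 1
            continue                                  # ordinary RETURN: resume at our next rule
        if t.startswith("RETURN"):
            _, _, n = t.partition(":")               # "RETURN:2" is the hypothetical '--level 2'
            return "RETURN", int(n) if n else 1
        return t, 0                                   # ACCEPT, DROP, ...
    return "RETURN", 1                                # fell off the end: back to the caller


def verdict(chains: Chains, pkt: Dict[str, object],
            base: str = "INPUT", policy: str = "DROP") -> str:
    v, _ = _walk(chains, base, pkt)
    return policy if v == "RETURN" else v


def thread_chains(continue_target: str = "RETURN") -> Chains:
    """The rules from the thread.  continue_target is the target of exc10's
    catch-all rule: "RETURN" as generated, or "RETURN:2" for the
    '-j RETURN --level n' that iptables does not provide."""
    return {
        # INPUT's second rule stands in for whatever Shorewall runs after lan2fw
        "INPUT": [Rule({"i": "eth1"}, "lan2fw"), Rule({}, "AFTER_LAN2FW")],
        "lan2fw": [Rule({"p": "tcp", "dport": "23", "s": "192.168.0.0/24"}, "exc10"),
                   Rule({"p": "tcp", "dport": "21"}, "ACCEPT"),
                   Rule({}, "DROP")],                  # the lan->fw DROP policy
        "exc10": [Rule({"s": "192.168.0.3"}, "RETURN"),  # excluded host skips the CONTINUE
                  Rule({}, continue_target)],           # everyone else: the CONTINUE
    }


def outcomes(continue_target: str = "RETURN") -> Dict[str, str]:
    """Telnet from the excluded host, telnet from another LAN host, ftp."""
    chains = thread_chains(continue_target)
    pkts = {   # constructed packets
        "telnet from 192.168.0.3": {"i": "eth1", "p": "tcp", "dport": 23, "s": "192.168.0.3"},
        "telnet from 192.168.0.5": {"i": "eth1", "p": "tcp", "dport": 23, "s": "192.168.0.5"},
        "ftp from 192.168.0.5": {"i": "eth1", "p": "tcp", "dport": 21, "s": "192.168.0.5"},
    }
    return {name: verdict(chains, pkt) for name, pkt in pkts.items()}
```

With the chains as generated (`outcomes("RETURN")`), telnet from 192.168.0.5 and from the excluded 192.168.0.3 both end in the lan2fw DROP policy: the exc10 RETURN lands back in lan2fw either way, so the CONTINUE rule is a no-op. Only with the hypothetical two-level return (`outcomes("RETURN:2")`) does 192.168.0.5 leave lan2fw and reach AFTER_LAN2FW while 192.168.0.3 is still dropped, which is the behaviour the rule asks for and why the compiler now rejects it instead of emitting the chain.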
Tom Eastep wrote:
>
> Change in rev 6014.
>

And updated in 6015.

-Tom
Tom

Rule:

NONAT lan:192.168.0.3 $FW tcp 10

produces the iptables rule:

-A lan2fw -p tcp --dport 10 -s 192.168.0.3 -j NONAT

which generates the following error message:

couldn't load target 'NONAT' :/lib/iptables/libipt_NONAT.so: ..........

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> NONAT lan:192.168.0.3 $FW tcp 10
>
> produces the iptables rule:
>
> -A lan2fw -p tcp --dport 10 -s 192.168.0.3 -j NONAT
>
> which generates the following error message:
>
> couldn't load target 'NONAT' :/lib/iptables/libipt_NONAT.so: ..........

Thanks, Steven

Fixed in REV 6023

-Tom
Tom

Rule:

SAME- all lan:192.168.0.3 tcp 80 - 84.45.199.1

produces iptables rules:

-A PREROUTING -i eth0 -j lan_dnat
-A OUTPUT -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
-A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3

which produces the error message:

iptables: SAME target: bad hook_mask 8

Changing 'all' to 'all-':

SAME- all- lan:192.168.0.3 tcp 80 - 84.45.199.1

produces iptables rules:

-A PREROUTING -i eth0 -j lan_dnat
-A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3

which does not produce any errors.

Steven.
Tom

Rule:

ACCEPT none $FW icmp 8

produces error message:

ERROR: Unknown source zone (none) : .....

The problem also occurs if 'none' is entered in the 'destination' column.

Steven.
Tom

Rule:

ACCEPT lan:192.168.0.3 $FW tcp:syn 22

produces error message:

ERROR: SOURCE/DEST PORT(S) not allowed with PROTO tcp:syn

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> ACCEPT lan:192.168.0.3 $FW tcp:syn 22
>
> produces error message:
>
> ERROR: SOURCE/DEST PORT(S) not allowed with PROTO tcp:syn

Fixed in rev 6024.

Thanks,

-Tom
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> SAME- all lan:192.168.0.3 tcp 80 - 84.45.199.1
>
> produces iptables rules:
>
> -A PREROUTING -i eth0 -j lan_dnat
> -A OUTPUT -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
> -A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
>
> which produces the error message:
>
> iptables: SAME target: bad hook_mask 8

I've made this a Shorewall error rather than letting iptables-restore catch it.

-Tom
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> ACCEPT none $FW icmp 8
>
> produces error message:
>
> ERROR: Unknown source zone (none) : .....
>
> The problem also occurs if 'none' is entered in the 'destination' column.
>

Fixed in 6025.

Thanks,

-Tom
Tom

The following reserved zone names can be defined:

all ipv4
none ipv4

then you can define rules such as:

ACCEPT lan all:!192.168.0.3 icmp 8

Steven.
Steven Jan Springl wrote:
> Tom
>
> The following reserved zone names can be defined:
>
> all ipv4
> none ipv4
>
> then you can define rules such as:
>
> ACCEPT lan all:!192.168.0.3 icmp 8
>

Thanks, Steven.

Fixed in REV 6035

-Tom
Tom

If zones contains (no firewall zone):

fw ipv4
lan ipv4

and rules contains:

ACCEPT all lan tcp 80
ACCEPT lan:192.168.0.3 $FW tcp 22

produces the following error messages:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile> line 1.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile> line 1.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile> line 1.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile> line 1.
ERROR: Unknown destination zone (tcp) : /etc/shorewall/rules ( line 2 )

Rules.pm is rev 6034.

Steven.
Steven Jan Springl wrote:
> Tom
>
> If zones contains (no firewall zone):
>
> fw ipv4
> lan ipv4
>
> and rules contains:
>
> ACCEPT all lan tcp 80
> ACCEPT lan:192.168.0.3 $FW tcp 22
>
> produces the following error messages:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile> line
> 1.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile> line
> 1.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile> line
> 1.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile> line
> 1.
>
> ERROR: Unknown destination zone (tcp) : /etc/shorewall/rules ( line 2 )

Fixed in REV 6036.

Thanks, Steven

-Tom
Tom

Zones:

fw firewall
fwln ipv4

and rules:

ACCEPT all lan tcp 80

produces the following error messages:

Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1192, <$currentfile> line 1.
ERROR: Unknown destination zone (lan) : /etc/shorewall/rules ( line 1 )

Rules.pm is rev 6034.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Zones:
>
> fw firewall
> fwln ipv4
>
> and rules:
>
> ACCEPT all lan tcp 80
>
> produces the following error messages:
>
> Use of uninitialized value in string ne
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1192, <$currentfile>
> line 1.
>
> ERROR: Unknown destination zone (lan) : /etc/shorewall/rules ( line 1 )
>
> Rules.pm is rev 6034.

Thanks, Steven

Fixed in REV 6037.

-Tom
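The recurring theme in the fixes above is catching bad input in the compiler instead of letting iptables-restore fail half-way through loading a ruleset. This added example (constructed for this thread, not Shorewall's Rules.pm) models three of those checks: the SAME target that cannot sit in nat OUTPUT, the reserved zone names 'all' and 'none', and an unknown zone in the DEST column. The "NAME TYPE" zones layout, the "ACTION SOURCE DEST PROTO ..." rules layout and the exact error strings are assumptions.

```python
# Constructed compile-time checks modelled on the reports in this thread;
# not Shorewall's own code. Column layouts and messages are assumed.
RESERVED_ZONES = {"all", "all-", "none"}   # must not be defined in the zones file
# SAME is a nat-table target for PREROUTING/POSTROUTING only; emitting it in
# OUTPUT is what iptables rejected as "bad hook_mask 8" (bit 3, the LOCAL_OUT hook).
PREROUTING_ONLY_TARGETS = {"SAME", "SAME-"}


def parse_zones(text):
    """Parse zones-file text into {name: type}, rejecting reserved names."""
    zones = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name, ztype = fields[0], fields[1]
        if name in RESERVED_ZONES:
            raise ValueError(f"ERROR: Reserved zone name ({name})")
        zones[name] = ztype
    return zones


def expand_zone(column, zones):
    """Map the zone part of a SOURCE/DEST column to the concrete zones it covers:
    'all' includes the firewall zone, 'all-' excludes it, 'none' matches nothing,
    '$FW' is the firewall zone; an unknown name returns None for the caller."""
    zone = column.split(":", 1)[0]
    firewall = {z for z, t in zones.items() if t == "firewall"}
    if zone == "all":
        return set(zones)
    if zone == "all-":
        return set(zones) - firewall
    if zone == "none":
        return set()
    if zone == "$FW":
        return firewall or None
    return {zone} if zone in zones else None


def check_rule(rule, zones):
    """Return the compile-time errors for one rules-file line (empty if clean)."""
    action, source, dest = rule.split()[:3]
    src, dst = expand_zone(source, zones), expand_zone(dest, zones)
    if src is None:
        return [f"ERROR: Unknown source zone ({source.split(':')[0]})"]
    if dst is None:
        return [f"ERROR: Unknown destination zone ({dest.split(':')[0]})"]
    firewall = {z for z, t in zones.items() if t == "firewall"}
    if action in PREROUTING_ONLY_TARGETS and src & firewall:
        return [f"ERROR: {action} cannot apply to traffic originating on the "
                "firewall (nat OUTPUT); use 'all-' or a non-firewall SOURCE"]
    return []
```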