http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.3/

Large number of bugs fixed (thanks to Steven Springl for finding them!). Some new features too:

1) An 'optional' option has been added to /etc/shorewall/interfaces. When 'optional' is specified for an interface, Shorewall will be silent when:
- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be modified (including for proxy ARP).
- The first address of the interface cannot be obtained.
I specify 'optional' on interfaces to Xen virtual machines that may or may not be running when Shorewall is [re]started.

2) The treatment of the following interface options has changed under Shorewall-perl.
- arp_filter
- routefilter
- logmartians
- proxy_arp
- sourceroute
With the Shorewall-shell compiler, Shorewall resets these options on all interfaces then sets the option on those interfaces for which the option is defined in /etc/shorewall/interfaces. Under Shorewall-perl, these options can be specified with the value 0 or 1 (e.g., proxy_arp=0). If no value is specified, the value 1 is assumed. Shorewall will modify only the setting of those interfaces for which the option is specified and will set the option to the given value. A fatal compilation error is also generated if you specify one of these options with a wildcard interface (one ending with '+').

3) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to read the comments in the macro file before trying to use this macro.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
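The per-interface /proc handling described in item 2 above, together with the 'optional' behaviour from item 1, modelled as an added example. This is example code, not Shorewall's own: the option-name to /proc-file mapping is the standard Linux one, the function names (interface_proc_settings, emit_script) are hypothetical, and the `[ -f ... ]` guard is this example's own way of staying silent when an optional interface's /proc entry is absent.

```python
"""Added example, not Shorewall's code: model the Shorewall-perl rules for the
/proc-backed interface options.

interface_proc_settings() takes one interface and its OPTIONS column and
returns the /proc paths it would write and their values:
  - an option given without a value means 1;
  - an explicit =0 or =1 is honoured as given;
  - any of these options on a wildcard interface (name ending in '+') is a
    fatal compilation error;
  - interfaces that do not mention an option are left untouched.
"""

# Option name in /etc/shorewall/interfaces -> file under /proc/sys/net/ipv4/conf/<if>/
PROC_OPTIONS = {
    'arp_filter':  'arp_filter',
    'routefilter': 'rp_filter',
    'logmartians': 'log_martians',
    'proxy_arp':   'proxy_arp',
    'sourceroute': 'accept_source_route',
}


class CompileError(Exception):
    """Raised where the compiler would abort with a fatal error."""


def interface_proc_settings(interface, options):
    """Return {proc_path: value} for the /proc-backed options in `options`.

    `options` is the comma-separated OPTIONS column; '-' or '' means none.
    """
    settings = {}
    if options in ('-', ''):
        return settings
    for opt in options.split(','):
        name, _, value = opt.partition('=')
        if name not in PROC_OPTIONS:
            continue                                  # e.g. routeback, dhcp
        if interface.endswith('+'):
            raise CompileError(f'{name} is not allowed on wildcard interface {interface}')
        if value == '':
            value = '1'                               # bare option means 1
        if value not in ('0', '1'):
            raise CompileError(f'Invalid value ({value}) for {name}')
        path = f'/proc/sys/net/ipv4/conf/{interface}/{PROC_OPTIONS[name]}'
        settings[path] = int(value)
    return settings


def emit_script(entries):
    """Shell lines that would apply the settings for a list of
    (interface, options) entries.  For an interface marked 'optional' the
    write is guarded by an existence test (this example's assumption), so a
    Xen interface that is not up at [re]start is skipped silently."""
    lines = []
    for interface, options in entries:
        optional = 'optional' in options.split(',')
        for path, value in interface_proc_settings(interface, options).items():
            if optional:
                lines.append(f'[ -f {path} ] && echo {value} > {path}')
            else:
                lines.append(f'echo {value} > {path}')
    return lines


if __name__ == '__main__':
    # Constructed sample entries: zone and broadcast columns omitted.
    sample = [('eth0', 'logmartians=0,routeback'),
              ('eth1', 'proxy_arp'),
              ('vif1.0', 'optional,proxy_arp')]
    print('\n'.join(emit_script(sample)))
```

Only interfaces that name an option appear in the output, which is the Shorewall-perl behaviour the announcement contrasts with the shell compiler's reset-everything-then-set approach.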
Tom

The tcp/udp port 0 bug is back.

Rule:

ACCEPT lan:192.168.0.3 $FW udp 0 0

produces:

-A lan2fw -p udp -s 192.168.0.3 -j ACCEPT

A patch is attached.

Steven.
Steven Jan Springl wrote:
> Tom
>
> The tcp/udp port 0 bug is back.

Ouch! Thanks, Steven

Fixed in REV 6040.

-Tom
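An added illustration of the class of bug reported above (example code, not Shorewall's): a port of 0 is a legitimate value in the rules file, but any code that tests the port with a plain truthiness check ("if ($port)" in Perl, "if port:" in Python) treats 0 like the '-' placeholder, and the ACCEPT is silently widened to every port. The rule layout and function names below are this example's own.

```python
"""Added example, not Shorewall's code: how a port of 0 vanishes from a
generated rule, and the check that keeps it.  Shorewall's rules file uses
'-' for "no port"; 0 is a real port match and must not be confused with it.
"""


def parse_port(field):
    """Return None for the '-' placeholder, else the port as an int.

    Out-of-range values are rejected here rather than handed to iptables.
    """
    if field in ('-', ''):
        return None
    port = int(field)
    if not 0 <= port <= 65535:
        raise ValueError(f'port out of range: {field}')
    return port


def port_args_buggy(sport, dport):
    """The defective pattern: a truthiness test, so port 0 is dropped."""
    args = []
    d, s = parse_port(dport), parse_port(sport)
    if d:                       # 0 is false here: the --dport match vanishes
        args.append(f'--dport {d}')
    if s:
        args.append(f'--sport {s}')
    return args


def port_args_fixed(sport, dport):
    """Correct pattern: distinguish 'absent' (None) from the value 0."""
    args = []
    d, s = parse_port(dport), parse_port(sport)
    if d is not None:
        args.append(f'--dport {d}')
    if s is not None:
        args.append(f'--sport {s}')
    return args


def render_rule(chain, src, proto, sport, dport, target, port_args=port_args_fixed):
    """Render one rule in the -A form Shorewall emits.

    Argument order (-p, -s, ports, -j) is this example's choice.
    """
    parts = [f'-A {chain}']
    if proto != '-':
        parts.append(f'-p {proto}')
    if src != '-':
        parts.append(f'-s {src}')
    parts.extend(port_args(sport, dport))
    parts.append(f'-j {target}')
    return ' '.join(parts)


if __name__ == '__main__':
    # The rule from the report: ACCEPT lan:192.168.0.3 $FW udp 0 0
    # (columns: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT)
    rule = ('lan2fw', '192.168.0.3', 'udp', '0', '0', 'ACCEPT')
    print('buggy:', render_rule(*rule, port_args=port_args_buggy))
    print('fixed:', render_rule(*rule, port_args=port_args_fixed))
```

The security-relevant point is the direction of the failure: the defective version does not reject the rule, it accepts more than the administrator wrote, which is why a test for port 0 belongs in any rule-compiler test suite.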
Tom

Interface entry:

lan eth0 - logmartians=0

sets:

/proc/sys/net/ipv4/conf/all/log_martians to 1
/proc/sys/net/ipv4/conf/eth0/log_martians to 1

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> lan eth0 - logmartians=0
>
> sets:
>
> /proc/sys/net/ipv4/conf/all/log_martians to 1
> /proc/sys/net/ipv4/conf/eth0/log_martians to 1

Thanks, Steven

Fixed in rev 6042.

-Tom
Tom

Setting LOG_MARTIANS=Yes in shorewall.conf sets:

/proc/sys/net/ipv4/conf/all/log_martians to 0 (should this not be 1?)
/proc/sys/net/ipv4/conf/default/log_martians to 1

Then setting LOG_MARTIANS=No does not change these settings.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Setting LOG_MARTIANS=Yes in shorewall.conf sets:
>
> /proc/sys/net/ipv4/conf/all/log_martians to 0 (should this not be 1?)

Yes -- I should have read shorewall.conf(5) before I made that change.

> /proc/sys/net/ipv4/conf/default/log_martians to 1
>
> Then setting LOG_MARTIANS=No does not change these settings.

I guess that I should reset that for compatibility with previous versions.

Both problems are corrected in Rev 6049 (although the fix for the first one is in REV 6046).

-Tom
Steven Jan Springl wrote:
> Tom
>
> Setting LOG_MARTIANS=Yes in shorewall.conf sets:
>
> /proc/sys/net/ipv4/conf/all/log_martians to 0 (should this not be 1?)
> /proc/sys/net/ipv4/conf/default/log_martians to 1
>
> Then setting LOG_MARTIANS=No does not change these settings.

There are some additional /proc bug fixes in REV 6050.

-Tom
On Saturday 21 April 2007 17:28, Tom Eastep wrote:
>
> There are some additional /proc bug fixes in REV 6050.
>
> -Tom

Tom

Setting LOG_MARTIANS=Yes in shorewall.conf works.

However setting LOG_MARTIANS=No only works if there is an entry in /etc/interfaces with either logmartians, logmartians=0 or logmartians=1.

If there are no entries in /etc/interfaces with logmartians, logmartians=0 or logmartians=1 then LOG_MARTIANS=No is ignored (there are no statements in /var/lib/shorewall/*.restart to set or unset martian logging).

I am using REV 6051.

Steven.
Steven Jan Springl wrote:
> On Saturday 21 April 2007 17:28, Tom Eastep wrote:
>
>> There are some additional /proc bug fixes in REV 6050.
>>
>> -Tom
> Tom
>
> Setting LOG_MARTIANS=Yes in shorewall.conf works.
>
> However setting LOG_MARTIANS=No only works if there is an entry
> in /etc/interfaces with either logmartians, logmartians=0 or logmartians=1.
>
> If there are no entries in /etc/interfaces with logmartians, logmartians=0 or
> logmartians=1 then LOG_MARTIANS=No is ignored (there are no statements in
> /var/lib/shorewall/*.restart to set or unset martian logging).
>
> I am using REV 6051.

That's exactly how earlier versions work. If you don't set anything regarding martian logging (LOG_MARTIANS=No is the default) then Shorewall doesn't touch its configuration. If I didn't take that approach then it would be impossible to control martian logging completely outside Shorewall.

-Tom
Tom

Setting arp_ignore on an interface produces the following message:

ERROR: Internal Error in validate_interfaces_file

Steven.
Steven Jan Springl wrote:
> Tom
>
> Setting arp_ignore on an interface produces the following message:
>
> ERROR: Internal Error in validate_interfaces_file
>

Ok -- I have the Proc.pm module torn up on the floor at the moment so I'll fix that at the same time.

Thanks, Steven

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Setting arp_ignore on an interface produces the following message:
>>
>> ERROR: Internal Error in validate_interfaces_file
>>
>
> Ok -- I have the Proc.pm module torn up on the floor at the moment so
> I'll fix that at the same time.
>

The ROUTE_FILTER and LOG_MARTIANS options are now tri-valued (Yes/No/Keep). And I fixed the arp_ignore problem.

REV 6052.

And my continuing thanks, Steven, for all the work you are doing to test the code.

-Tom
On Saturday 21 April 2007 22:26, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Setting arp_ignore on an interface produces the following message:
> >>
> >> ERROR: Internal Error in validate_interfaces_file
> >
> > Ok -- I have the Proc.pm module torn up on the floor at the moment so
> > I'll fix that at the same time.
>
> The ROUTE_FILTER and LOG_MARTIANS options are now tri-valued
> (Yes/No/Keep). And I fixed the arp_ignore problem.
>
> REV 6052.
>
> And my continuing thanks, Steven, for all the work you are doing to test
> the code.
>
> -Tom

Tom

You're welcome. I am actually quite enjoying doing the testing. The speed of the new compiler makes it far easier. Compile times are about 2 to 3 seconds. With the old (3.0) shell compiler about 10 times longer.

I am still having a problem with arp_ignore.

Interface entry:

lan eth0 - arp_ignore

produces the following errors:

Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 212, <$currentfile> line 11.

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 215, <$currentfile> line 11.

ERROR: Invalid value () for arp_ignore : /etc/shorewall/interfaces ( line 11 )

Steven.
Steven Jan Springl wrote:
> On Saturday 21 April 2007 22:26, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Setting arp_ignore on an interface produces the following message:
>>>>
>>>> ERROR: Internal Error in validate_interfaces_file
>>> Ok -- I have the Proc.pm module torn up on the floor at the moment so
>>> I'll fix that at the same time.
>> The ROUTE_FILTER and LOG_MARTIANS options are now tri-valued
>> (Yes/No/Keep). And I fixed the arp_ignore problem.
>>
>> REV 6052.
>>
>> And my continuing thanks, Steven, for all the work you are doing to test
>> the code.
>>
>> -Tom
> Tom
>
> You're welcome. I am actually quite enjoying doing the testing. The speed of the
> new compiler makes it far easier. Compile times are about 2 to 3 seconds.
> With the old (3.0) shell compiler about 10 times longer.
>
> I am still having a problem with arp_ignore.
>
> Interface entry:
>
> lan eth0 - arp_ignore
>
> produces the following errors:
>
> Use of uninitialized value in pattern match (m//)
> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 212, <$currentfile>
> line 11.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 215, <$currentfile>
> line 11.
>
> ERROR: Invalid value () for arp_ignore : /etc/shorewall/interfaces ( line
> 11 )

Fixed in 6053. That REV contains other changes -- hopefully I didn't break anything.

-Tom
Tom

arp_ignore now works. I will test ROUTE_FILTER and LOG_MARTIANS tomorrow.

Steven.
Tom

Interface option detectnets is accepted by the compiler but no iptables rules are generated to support it.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface option detectnets is accepted by the compiler but no iptables rules
> are generated to support it.
>

Fixed in 6054.

Thanks, Steven.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Interface option detectnets is accepted by the compiler but no iptables rules
>> are generated to support it.
>>
>
> Fixed in 6054.

Please test with 6055. It includes some cleanup of the
On Sunday 22 April 2007 01:44, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Interface option detectnets is accepted by the compiler but no iptables
> >> rules are generated to support it.
> >
> > Fixed in 6054.
>
> Please test with 6055. It includes some cleanup of the

Tom

It works.

Steven.
Tom

Entering options reqid spi proto mode tunnel-dst tunnel-src mss without a value results in the following error:

Zone entry:

lan ipsec tunnel-src

produces:

Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line 14.

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line 14.

ERROR: Invalid value () for option "tunnel-src" : /etc/shorewall/zones ( line 14 )

Steven.
Tom

Invalid interface entry:

- eth0 routeback

produces:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91, <$currentfile> line 11.

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91, <$currentfile> line 11.

ERROR: Duplicate Host Group (eth0:0.0.0.0/0) in zone : /etc/shorewall/interfaces ( line 11 )

Steven.
Tom

I sent this email about 90 minutes ago, but it seems to have vanished.

Entering options reqid spi proto mode tunnel-dst tunnel-src mss without a value results in the following error:

Zone entry:

lan ipsec tunnel-src

produces:

Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line 14.

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line 14.

ERROR: Invalid value () for option "tunnel-src" : /etc/shorewall/zones ( line 14 )

Steven.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Sunday 22 April 2007 13:40, Steven Jan Springl wrote:
> Tom
>
> Invalid interface entry:
>
> - eth0 routeback
>
> produces:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91,
> <$currentfile> line 11.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91,
> <$currentfile> line 11.
>
> ERROR: Duplicate Host Group (eth0:0.0.0.0/0) in
> zone : /etc/shorewall/interfaces ( line 11 )
>
>
> Steven.

Tom

An update on this problem, it occurs with the following interface entry:

- eth0

Steven.
Steven Jan Springl wrote:
> On Sunday 22 April 2007 13:40, Steven Jan Springl wrote:
>> Tom
>>
>> Invalid interface entry:
>>
>> - eth0 routeback
>>
>> produces:
>>
>> Use of uninitialized value in string eq
>> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91,
>> <$currentfile> line 11.
>>
>> Use of uninitialized value in string eq
>> at /usr/share/shorewall-perl/Shorewall/Interfaces.pm line 91,
>> <$currentfile> line 11.
>>
>> ERROR: Duplicate Host Group (eth0:0.0.0.0/0) in
>> zone : /etc/shorewall/interfaces ( line 11 )
>>
>>
>> Steven.
> Tom
>
> An update on this problem, it occurs with the following interface entry:
>
> - eth0
>

Fixed in revision 6057. It was collateral damage from my fix for 'detectnets' :-(

-Tom
Steven Jan Springl wrote:
> Tom
>
> Entering options reqid spi proto mode tunnel-dst tunnel-src mss
> without a value results in the following error:
>
> Zone entry:
>
> lan ipsec tunnel-src
>
> produces:
>
> Use of uninitialized value in pattern match (m//)
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line
> 14.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 162, <$currentfile> line
> 14.
>
> ERROR: Invalid value () for option "tunnel-src" : /etc/shorewall/zones (
> line 14 )
>

Fixed in revision 6058. Also fixed a similar problem in the Nat.pm module.

Thanks, Steven

-Tom
Tom

Interface entry:

- eth0 - routeback

is accepted by the compiler, but the documentation states that it is invalid.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> - eth0 - routeback
>
> is accepted by the compiler, but the documentation states that it is
> invalid.
>

Fixed in revision 6060.

Thanks again, Steven.

-Tom
Tom

The shorewall-zones man page states that, with the exception of mss, all options only apply to ipsec zones.

However the compiler accepts any of the options on both firewall and ipv4 type zones.

Steven.
Tom

REV 6061 to Rules.pm causes the following problem:

Interface entry:

lan eth0 - routeback,detectnets

produces error:

Can't locate object method "out_chain" via package "eth0" (perhaps you forgot to load "eth0"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1499.

Steven.
Steven Jan Springl wrote:
> Tom
>
> The shorewall-zones man page states that, with the exception of mss, all
> options only apply to ipsec zones.
>
> However the compiler accepts any of the options on both firewall and ipv4 type
> zones.

Fixed in revision 6062.

Thanks, Steven.

-Tom
Steven Jan Springl wrote:
> Tom
>
> REV 6061 to Rules.pm causes the following problem:
>
> Interface entry:
>
> lan eth0 - routeback,detectnets
>
> produces error:
>
> Can't locate object method "out_chain" via package "eth0" (perhaps you forgot
> to load "eth0"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1499.
>

Oops. That illustrates the hazard of translating shell->perl verbatim. I changed 'out_chain' to 'output_chain' in the perl compiler.

Fixed in revision 6063.

Thanks.

-Tom
On Sunday 22 April 2007 16:44, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > REV 6061 to Rules.pm causes the following problem:
> >
> > Interface entry:
> >
> > lan eth0 - routeback,detectnets
> >
> > produces error:
> >
> > Can't locate object method "out_chain" via package "eth0" (perhaps you
> > forgot to load "eth0"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm
> > line 1499.
>
> Oops. That illustrates the hazard of translating shell->perl verbatim. I
> changed 'out_chain' to 'output_chain' in the perl compiler.
>
> Fixed in revision 6063.
>
> Thanks.
>
> -Tom

Tom

I am still getting this error:

Can't locate object method "filter_table" via package "eth0_out" (perhaps you forgot to load "eth0_out"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1499.

Steven.
Steven Jan Springl wrote:
> On Sunday 22 April 2007 16:44, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> REV 6061 to Rules.pm causes the following problem:
>>>
>>> Interface entry:
>>>
>>> lan eth0 - routeback,detectnets
>>>
>>> produces error:
>>>
>>> Can't locate object method "out_chain" via package "eth0" (perhaps you
>>> forgot to load "eth0"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm
>>> line 1499.
>> Oops. That illustrates the hazard of translating shell->perl verbatim. I
>> changed 'out_chain' to 'output_chain' in the perl compiler.
>>
>> Fixed in revision 6063.
>>
>> Thanks.
>>
>> -Tom
> Tom
>
> I am still getting this error:
>
> Can't locate object method "filter_table" via package "eth0_out" (perhaps you
> forgot to load "eth0_out"?) at /usr/share/shorewall-perl/Shorewall/Rules.pm
> line 1499.
>

*Tested* fix in revision 6064. Apologies for the marathon fixes for this.

-Tom
Tom

Blacklisting seems to work except when:

FASTACCEPT=Yes
BLACKLISTNEWONLY=No

which produces iptables rules:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j eth0-in
.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j eth0-fwd
.
.
.
-A eth0-in -j dynamic
-A eth0-in -j blacklist
.
-A eth0-fwd -j dynamic
-A eth0-fwd -j blacklist

The blacklist check only takes place after the test for RELATED,ESTABLISHED so packets in those states will not be checked against the blacklist.

Steven.
Steven Jan Springl wrote:
>
> The blacklist check only takes place after the test for RELATED,ESTABLISHED so
> packets in those states will not be checked against the blacklist.

Hmmm -- this works the same way using the shorewall-shell compiler. And I'm not inclined to change it. So I think I'll change the shorewall-perl compiler to reject this combination of options.

Thanks, Steven

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>
>> The blacklist check only takes place after the test for RELATED,ESTABLISHED so
>> packets in those states will not be checked against the blacklist.
>
> Hmmm -- this works the same way using the shorewall-shell compiler. And
> I'm not inclined to change it. So I think I'll change the shorewall-perl
> compiler to reject this combination of options.
>

Change is in revision 6068.

Thanks!

-Tom
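The ordering problem in the exchange above, worked through as an added example (not Shorewall's code) with a small chain walker: with FASTACCEPT=Yes the ESTABLISHED,RELATED accept sits above the per-interface chain, so a blacklisted source that already has a connection is never checked, whatever BLACKLISTNEWONLY says. The chains are constructed to mirror the rule order quoted in the report; the placement of the state rule for FASTACCEPT=No is simplified, the blacklisted address is a constructed sample, and options_consistent() is this example's rendering of the outcome (reject the combination), not the compiler's actual check.

```python
"""Added example, not Shorewall's code: a minimal iptables chain walker that
shows why FASTACCEPT=Yes and BLACKLISTNEWONLY=No cannot both be honoured.

A rule is a (match, target) pair; a packet is a dict with src, in and state.
A target naming another chain jumps into it; ACCEPT/DROP/REJECT are final;
a chain that matches nothing falls through to its caller, and INPUT falls
through to the policy.
"""

TERMINAL = {'ACCEPT', 'DROP', 'REJECT'}
BLACKLISTED = {'203.0.113.7'}          # constructed sample (TEST-NET-3)


def in_state(*states):
    return lambda pkt: pkt['state'] in states


def on_iface(name):
    return lambda pkt: pkt['in'] == name


def any_pkt(pkt):
    return True


def is_blacklisted(pkt):
    return pkt['src'] in BLACKLISTED


def walk(chains, chain, pkt):
    """Return a terminal verdict if `chain` decides the packet, else None."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        verdict = walk(chains, target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def build_chains(fastaccept, blacklistnewonly):
    """INPUT and helper chains in the order Shorewall emits for the options
    (FASTACCEPT=No placement of the state rule simplified for the example)."""
    established = (in_state('ESTABLISHED', 'RELATED'), 'ACCEPT')
    # BLACKLISTNEWONLY=Yes emits '-m state --state NEW -j blacklist';
    # =No emits an unconditional '-j blacklist'.
    to_blacklist = (in_state('NEW') if blacklistnewonly else any_pkt, 'blacklist')
    chains = {
        'dynamic': [],                            # empty dynamic blacklist
        'blacklist': [(is_blacklisted, 'DROP')],
        'eth0-in': [(any_pkt, 'dynamic'), to_blacklist],
    }
    dispatch = (on_iface('eth0'), 'eth0-in')
    # FASTACCEPT=Yes hoists the state test above the interface chain, so the
    # blacklist is never consulted for ESTABLISHED/RELATED traffic.
    chains['INPUT'] = [established, dispatch] if fastaccept else [dispatch, established]
    return chains


def decide(fastaccept, blacklistnewonly, state, src='203.0.113.7', policy='DROP'):
    """Verdict for one packet arriving on eth0 under the given option values."""
    pkt = {'src': src, 'in': 'eth0', 'state': state}
    return walk(build_chains(fastaccept, blacklistnewonly), 'INPUT', pkt) or policy


def options_consistent(fastaccept, blacklistnewonly):
    """Configuration check in the spirit of the thread's outcome: refuse the
    pair whose generated rules cannot deliver what BLACKLISTNEWONLY=No promises."""
    return not (fastaccept and not blacklistnewonly)


if __name__ == '__main__':
    for fa in (True, False):
        for bn in (True, False):
            print(f'FASTACCEPT={fa!s:5} BLACKLISTNEWONLY={bn!s:5} '
                  f'ESTABLISHED packet from blacklisted src -> '
                  f'{decide(fa, bn, "ESTABLISHED")}')
```

Only the FASTACCEPT=Yes, BLACKLISTNEWONLY=No combination both promises to check every packet and fails to; for the other three the result matches what the options say, which is why rejecting the combination at compile time is the cleaner fix.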
Tom

Testing routeback.

interface:

lan eth0 routeback,detectnets

policy:

lan lan DROP

produces the following iptables rules:

-A eth0-fwd -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j lan2lan
.
.
-A lan2lan -j Drop
-A lan2lan -j ACCEPT <<<< should this not be -j DROP ?

Steven
Steven Jan Springl wrote:
> Tom
>
> Testing routeback.
>
> interface:
>
> lan eth0 routeback,detectnets
>
> policy:
>
> lan lan DROP
>
> produces the following iptables rules:
>
> -A eth0-fwd -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j lan2lan
> .
> .
> -A lan2lan -j Drop
> -A lan2lan -j ACCEPT <<<< should this not be -j DROP ?

Yes, it should. Fixed in revision 6072.

Thanks, Steven

-Tom
Tom

Interface entry:

lan eth0 maclist

produces

-A eth0-fwd -m state --statue NEW -j eth0-mac <<<<< should be --status

Steven
Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> lan eth0 maclist
>
> produces
>
> -A eth0-fwd -m state --statue NEW -j eth0-mac <<<<< should be --status
>

Actually, it should be 'state'. Fixed in revision 6074.

Thanks, Steven

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Interface entry:
>>
>> lan eth0 maclist
>>
>> produces
>>
>> -A eth0-fwd -m state --statue NEW -j eth0-mac <<<<< should be --status
>>
>
> Actually, it should be 'state'. Fixed in revision 6074.

There was another factor as well. The problem did not occur with MACLIST_TABLE=mangle.

-Tom
Tom

Interface entries:

lan eth0 - maclist
tan eth1 - maclist # This nic does not exist

produces the messages in the attached file.

Adding 'optional' to the interface does not affect the messages.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface entries:
>
> lan eth0 - maclist
> tan eth1 - maclist # This nic does not exist
>
> produces the messages in the attached file.
>
> Adding 'optional' to the interface does not affect the messages.

The messages are normal (although REV 6076 suppresses the 'does not exist' message from /sbin/ip). REV 6076 also allows 'optional' to eliminate the fatal error.

-Tom
Tom

If entries are missing from shorewall.conf it can lead to various errors, e.g. if CLAMPMSS= is missing the following error is produced:

Use of uninitialized value in pattern match (m//)
at /usr/share/shorewall-perl/Shorewall/Config.pm line 821.

Do you want me to pursue this line of testing?

Steven.
Steven Jan Springl wrote:
> Tom
>
> If entries are missing from shorewall.conf it can lead to various errors, e.g.
> if CLAMPMSS= is missing the following error is produced:
>
> Use of uninitialized value in pattern match (m//)
> at /usr/share/shorewall-perl/Shorewall/Config.pm line 821.
>
> Do you want me to pursue this line of testing?

Let me take a look -- it is probably just one problem.

Thanks,

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> If entries are missing from shorewall.conf it can lead to various errors, e.g.
>> if CLAMPMSS= is missing the following error is produced:
>>
>> Use of uninitialized value in pattern match (m//)
>> at /usr/share/shorewall-perl/Shorewall/Config.pm line 821.
>>
>> Do you want me to pursue this line of testing?
>
> Let me take a look -- it is probably just one problem.

Turned out to be several things. Should be fixed in revision 6089.

Thanks, Steven.

-Tom
On Monday 23 April 2007 20:49, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> If entries are missing from shorewall.conf it can lead to various errors,
> >> e.g. if CLAMPMSS= is missing the following error is produced:
> >>
> >> Use of uninitialized value in pattern match (m//)
> >> at /usr/share/shorewall-perl/Shorewall/Config.pm line 821.
> >>
> >> Do you want me to pursue this line of testing?
> >
> > Let me take a look -- it is probably just one problem.
>
> Turned out to be several things. Should be fixed in revision 6089.
>
> Thanks, Steven.
>
> -Tom

Tom

Except for PATH= that has cured the problem.
If PATH= is missing the following error is displayed:

Use of uninitialized value in concatenation (.) or string
at /usr/share/shorewall-perl/compiler.pl line 142.

Then the following errors are displayed:

usr/share/shorewall/lib.base: line 265: uname: No such file or directory
/usr/share/shorewall/lib.base: line 265: uname: No such file or directory
Processing /etc/shorewall//init ...
/var/lib/shorewall/.restart: line 372: rm: No such file or directory

The script then seems to go into a loop producing the following errors repeatedly.

/var/lib/shorewall/.restart: line 466: ip: No such file or directory
ERROR: Command "ip link list" Failed
/var/lib/shorewall/.restart: line 226: logger: No such file or directory
/usr/share/shorewall/lib.base: line 947: date: No such file or directory
/var/lib/shorewall/.restart: line 211: rm: No such file or directory
/var/lib/shorewall/.restart: line 321: rm: No such file or directory
/var/lib/shorewall/.restart: line 466: ip: No such file or directory
ERROR: Command "ip link list" Failed
/var/lib/shorewall/.restart: line 226: logger: No such file or directory
/usr/share/shorewall/lib.base: line 947: date: No such file or directory
/var/lib/shorewall/.restart: line 211: rm: No such file or directory
/var/lib/shorewall/.restart: line 321: rm: No such file or directory
/var/lib/shorewall/.restart: line 466: ip: No such file or directory

Steven.
Steven Jan Springl wrote:
> On Monday 23 April 2007 20:49, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> If entries are missing from shorewall.conf it can lead to various errors,
>>>> e.g. if CLAMPMSS= is missing the following error is produced:
>>>>
>>>> Use of uninitialized value in pattern match (m//)
>>>> at /usr/share/shorewall-perl/Shorewall/Config.pm line 821.
>>>>
>>>> Do you want me to pursue this line of testing?
>>> Let me take a look -- it is probably just one problem.
>> Turned out to be several things. Should be fixed in revision 6089.
>>
>> Thanks, Steven.
>>
>> -Tom
>
> Tom
>
> Except for PATH= that has cured the problem.
> If PATH= is missing the following error is displayed:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/compiler.pl line 142.
>
> Then the following errors are displayed:
>
> usr/share/shorewall/lib.base: line 265: uname: No such file or directory
> /usr/share/shorewall/lib.base: line 265: uname: No such file or directory
> Processing /etc/shorewall//init ...
> /var/lib/shorewall/.restart: line 372: rm: No such file or directory
>
> The script then seems to go into a loop producing the following errors
> repeatedly.
>
> /var/lib/shorewall/.restart: line 466: ip: No such file or directory
> ERROR: Command "ip link list" Failed
> /var/lib/shorewall/.restart: line 226: logger: No such file or directory
> /usr/share/shorewall/lib.base: line 947: date: No such file or directory
> /var/lib/shorewall/.restart: line 211: rm: No such file or directory
> /var/lib/shorewall/.restart: line 321: rm: No such file or directory
> /var/lib/shorewall/.restart: line 466: ip: No such file or directory
> ERROR: Command "ip link list" Failed
> /var/lib/shorewall/.restart: line 226: logger: No such file or directory
> /usr/share/shorewall/lib.base: line 947: date: No such file or directory
> /var/lib/shorewall/.restart: line 211: rm: No such file or directory
> /var/lib/shorewall/.restart: line 321: rm: No such file or directory
> /var/lib/shorewall/.restart: line 466: ip: No such file or directory
>

Fixed in revision 6090 (when I tested the last revision, I only used the 'check' command so this problem didn't show itself).

Thanks,

-Tom