Shorewall devel - May 2007 - Shorewall 3.9.7

I''ve uploaded 3.9.7. I''ve actually uploaded several versions
of 3.9.7
over the last 24 hours so please verify the md5sum of the version you
download:

55b42262acc69e77002146ac70bcf299  shorewall-3.9.7-1.noarch.rpm
0a37737841ab90f216287707f52f07a9  shorewall-3.9.7.tar.bz2
ba348ee720ae145f96f49e122194f8fc  shorewall-3.9.7.tgz
2e88702d483faab7c874de6e9b1cc415  shorewall-docs-html-3.9.7.tar.bz2
92d2ac63a8d2d6124e9d27ede25ed532  shorewall-docs-html-3.9.7.tgz
8dd6f7843fb9157873c265c17d01ce03  shorewall-docs-xml-3.9.7.tar.bz2
c737e131f4ecd5b7b3125d72bdd0c042  shorewall-docs-xml-3.9.7.tgz
a9586abbc236480b9fbc55fc1f72a6ef  shorewall-lite-3.9.7-1.noarch.rpm
b58dc3d15482397c267811244b14c839  shorewall-lite-3.9.7.tar.bz2
5672b362d4b75ea7f188404e2ae63d2b  shorewall-lite-3.9.7.tgz
5cd35a3245e1f68b76509f702c390480  shorewall-perl-3.9.7-1.noarch.rpm
69ea325942a98e7c44f864a14c8ffa16  shorewall-perl-3.9.7.tar.bz2
258d6ac30c797e32e92ce6d12c87a65a  shorewall-perl-3.9.7.tgz
c08427d20b4680aae73a1738b70858c6  shorewall-shell-3.9.7-1.noarch.rpm
0f394285b27fd9f07b6169b6e7ae403f  shorewall-shell-3.9.7.tar.bz2
13661a7f8dd2a5da179161472d684f96  shorewall-shell-3.9.7.tgz

In addition to a significant number of bug fixes, 3.9.7 contains some
new features:

1)  Shorewall-perl now validates all IP addresses and addresses ranges
    in rules. DNS names are resolved and an error is issued for any
    name that cannot be resolved.

2)  Shorewall-perl now checks configuration files for the presense of
    characters that can cause problems if they are allowed into the
    generated firewall script:

    -   Double Quotes. These are prohibited except in the
        shorewall.conf and params files.

    -   Single Quotes. These are prohibited except in the
        shorewall.conf and params files and in COMMENT lines.

    -   Single back quotes. These are prohibited except in the
        shorewall.conf and params files.

    -   Backslash. Probibited except as the last character on a line to
        denote line continuation.

3)  Macros may now invoke other macros with the restriction that such
    macros may not be invoked within an action body.

    When marcros are invoked recursively, the parameter passed to an
    invocation are automatically propagated to lower level macros.

    Macro invocations may be nested to a maximum level of 5.

Happy Testing,

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

I have spent most of the day testing various simple configurations that might 
be found in domestic setups.

The features that I have tested include:

	DNAT
	REDIRECT
	MASQUERADING
	SNAT
	NAT

In each case I compared the iptables rules generated by
shorewall-perl with those generated by shorewall-shell.
No problems were found.

I port scanned one configuration with nmap. The configuration included ACCEPT, 
DROP and REJECT rules. The result was as expected.

The only anomaly that I have discovered is the following messages are issued 
by shorewall-perl but not by shorewall-shell:

   WARNING: Unknown configuration option (RSH_COMMAND) 
ignored : /etc/shorewall/shorewall.conf ( line 97 )

   WARNING: Unknown configuration option (RCP_COMMAND) 
ignored : /etc/shorewall/shorewall.conf ( line 98 )



As my testing over the last few days has largely been unproductive, is there 
any area of shorewall that you would like me to concentrate my testing on?

Steven.



 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> The only anomaly that I have discovered is the following messages are
issued
> by shorewall-perl but not by shorewall-shell:
> 
>    WARNING: Unknown configuration option (RSH_COMMAND) 
> ignored : /etc/shorewall/shorewall.conf ( line 97 )
> 
>    WARNING: Unknown configuration option (RCP_COMMAND) 
> ignored : /etc/shorewall/shorewall.conf ( line 98 )
> 
> 
This is corrected in revision 6338.
> 
> As my testing over the last few days has largely been unproductive, is
there
> any area of shorewall that you would like me to concentrate my testing on?
> 
How about the operational aspects (/sbin/shorewall and /sbin/shorewall-lite
commands and their options)?

Thanks again Steven for your intrepid testing efforts. Shorewall 3.9 is a
much better product than it would have been without your contribution.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Both shorewall-shell and shorewall-perl were installed and 
SHOREWALL_COMPILER=perl was set for this test.

Issuing command:
	shorewall add eth0 wan

produces the following messages:

   WARNING: Invalid option (optional) in record "wan eth1 - 
norfc1918,nosmurfs,tcpflags,optional"

   WARNING: Invalid option (optional) in record "dmz eth2 - 
nosmurfs,tcpflags,optional"

iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:eth0 to zone wan

Despite these messages eth0 is added to /var/lib/shorewall/zones:

	wan ipv4 eth1:0.0.0.0/0 eth0:eth0

This continues to cause errors to be produced for subsequent commands until 
eth0 is deleted:

	shorewall add eth0:192.168.0.2 wan

produces the following messages:

   WARNING: Invalid option (optional) in record "wan eth1 - 
norfc1918,nosmurfs,tcpflags,optional"

   WARNING: Invalid option (optional) in record "dmz eth2 - 
nosmurfs,tcpflags,optional"

iptables v1.3.6: host/network `eth0'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth0:192.168.0.2 to zone wan


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add eth0:eth0 to zone wan
> 
> Despite these messages eth0 is added to /var/lib/shorewall/zones:
> 
> 	wan ipv4 eth1:0.0.0.0/0 eth0:eth0
> 
> This continues to cause errors to be produced for subsequent commands until
> eth0 is deleted:
> 
> 	shorewall add eth0:192.168.0.2 wan
> 
> produces the following messages:
> 
>    WARNING: Invalid option (optional) in record "wan eth1 - 
> norfc1918,nosmurfs,tcpflags,optional"
> 
>    WARNING: Invalid option (optional) in record "dmz eth2 - 
> nosmurfs,tcpflags,optional"
> 
> iptables v1.3.6: host/network `eth0'' not found
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add eth0:192.168.0.2 to zone wan
Thanks, Steven

Fixed in 6340.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

If interface entry:

	lan  eth0  -

is defined, it is possible to issue command:

	shorewall delete eth0 lan

While this does not change the iptables rules, its does remove eth0 from
/var/lib/shorewall/zones

Command:

	shorewall show zones

displays lan (ipv4) without an interface.

I don''t know if this could cause any issues.


Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> If interface entry:
> 
> 	lan  eth0  -
> 
> is defined, it is possible to issue command:
> 
> 	shorewall delete eth0 lan
> 
> While this does not change the iptables rules, its does remove eth0 from
> /var/lib/shorewall/zones
> 
> Command:
> 
> 	shorewall show zones
> 
> displays lan (ipv4) without an interface.
> 
> I don''t know if this could cause any issues.
I don''t think that it can (other than messing up ''shorewall
show zones'')
and I don''t believe that I''ll try to do anything about this.
Once ipsets
are included in standard kernels, they provide a much better way to
implement dynamic zones and we will scrap this current implementation
altogether.

Thanks, Steven

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Hi Tom,

Using the latest distribution (and the latest SVN 6342) Shorewall-perl has a few
problems:

1,The providers chokes on the gateway address (works if it is "detect"
or "-")
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS 
COPY
BDSL    1       256     main            ppp1            detect  track  
eth0,eth3
ADSL    2       512     main            ppp0            -  track   eth0,eth3
CABLE   3      1024     main            eth4            84.3.248.1        track 
eth0,eth3

Can''t call method "validate_address" without a package or
object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm line 190,
<$currentfile> line 16.

2,It doesn''t accept the ports field if it is a comma separated list in
the tcrules (works with single port or port range):
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST   
LENGTH  TOS
3        0.0.0.0/0    0.0.0.0/0         tcp     smtp,pop3
Checking /etc/shorewall/tcrules...
    ERROR: Invalid/Unknown port/service (smtp,pop3) : /etc/shorewall/tcrules (
line 21 )
or:
3        0.0.0.0/0    0.0.0.0/0         tcp     -       25,110
Checking /etc/shorewall/tcrules...
    ERROR: Invalid/Unknown port/service (25,110) : /etc/shorewall/tcrules ( line
22 )

Best,
Andras


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Andras Sarkozy wrote:
> Hi Tom,
> 
> Using the latest distribution (and the latest SVN 6342) Shorewall-perl has
a few problems:
> 
> 1,The providers chokes on the gateway address (works if it is
"detect" or "-")
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY        
OPTIONS         COPY
> BDSL    1       256     main            ppp1            detect  track  
eth0,eth3
> ADSL    2       512     main            ppp0            -  track  
eth0,eth3
> CABLE   3      1024     main            eth4            84.3.248.1       
track   eth0,eth3
> 
> Can''t call method "validate_address" without a package
or object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm line
190, <$currentfile> line 16.
> 
> 2,It doesn''t accept the ports field if it is a comma separated
list in the tcrules (works with single port or port range):
> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER   
TEST    LENGTH  TOS
> 3        0.0.0.0/0    0.0.0.0/0         tcp     smtp,pop3
> Checking /etc/shorewall/tcrules...
>     ERROR: Invalid/Unknown port/service (smtp,pop3) :
/etc/shorewall/tcrules ( line 21 )
I couldn''t reproduce that one.
> or:
> 3        0.0.0.0/0    0.0.0.0/0         tcp     -       25,110
> Checking /etc/shorewall/tcrules...
>     ERROR: Invalid/Unknown port/service (25,110) : /etc/shorewall/tcrules (
line 22 )
But this one occured in any file when the DEST PORT(S) column is
''-'' and a
port list was given in the SOURCE PORT(S) column.

At any rate, the problems are corrected in revision 6343.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> If interface entry:
>>
>> 	lan  eth0  -
>>
>> is defined, it is possible to issue command:
>>
>> 	shorewall delete eth0 lan
>>
>> While this does not change the iptables rules, its does remove eth0
from
>> /var/lib/shorewall/zones
>>
>> Command:
>>
>> 	shorewall show zones
>>
>> displays lan (ipv4) without an interface.
>>
>> I don''t know if this could cause any issues.
> 
> I don''t think that it can (other than messing up
''shorewall show zones'')
> and I don''t believe that I''ll try to do anything about
this. Once ipsets
> are included in standard kernels, they provide a much better way to
> implement dynamic zones and we will scrap this current implementation
> altogether.
Good afternoon, Steven

I got up this morning and decided to try to do something about this issue.
Please try revision 6344; the releasenotes.txt file explains what I did.

Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Monday 14 May 2007 15:52, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> If interface entry:
> >>
> >> 	lan  eth0  -
> >>
> >> is defined, it is possible to issue command:
> >>
> >> 	shorewall delete eth0 lan
> >>
> >> While this does not change the iptables rules, its does remove
eth0 from
> >> /var/lib/shorewall/zones
> >>
> >> Command:
> >>
> >> 	shorewall show zones
> >>
> >> displays lan (ipv4) without an interface.
> >>
> >> I don''t know if this could cause any issues.
> >
> > I don''t think that it can (other than messing up
''shorewall show zones'')
> > and I don''t believe that I''ll try to do anything
about this. Once ipsets
> > are included in standard kernels, they provide a much better way to
> > implement dynamic zones and we will scrap this current implementation
> > altogether.
>
> Good afternoon, Steven
>
> I got up this morning and decided to try to do something about this issue.
> Please try revision 6344; the releasenotes.txt file explains what I did.
>
> Thanks!
>
> -Tom
Good morning Tom,

Revision 6344 prevents the deletion of a permanent interface from  a zone.
However I can add an interface that duplicates the permanent interface, E.G.
with interface entry:

	lan  eth0 -

I can now issue command:

	shorewall add eth0 lan

/var/lib/shorewall/zones now contains:

	lan eth0:0.0.0.0/0  +eth0:0.0.0.0/0

If I try to delete eth0 from lan with the following command:
	shorewall delete eth0 lan

I get a message saying eth0 is a permanent member of zone lan
and it isn''t deleted.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Monday 14 May 2007 15:52, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> If interface entry:
>>>>
>>>> 	lan  eth0  -
>>>>
>>>> is defined, it is possible to issue command:
>>>>
>>>> 	shorewall delete eth0 lan
>>>>
>>>> While this does not change the iptables rules, its does remove
eth0 from
>>>> /var/lib/shorewall/zones
>>>>
>>>> Command:
>>>>
>>>> 	shorewall show zones
>>>>
>>>> displays lan (ipv4) without an interface.
>>>>
>>>> I don''t know if this could cause any issues.
>>> I don''t think that it can (other than messing up
''shorewall show zones'')
>>> and I don''t believe that I''ll try to do anything
about this. Once ipsets
>>> are included in standard kernels, they provide a much better way to
>>> implement dynamic zones and we will scrap this current
implementation
>>> altogether.
>> Good afternoon, Steven
>>
>> I got up this morning and decided to try to do something about this
issue.
>> Please try revision 6344; the releasenotes.txt file explains what I
did.
>>
>> Thanks!
>>
>> -Tom
> 
> Good morning Tom,
> 
> Revision 6344 prevents the deletion of a permanent interface from  a zone.
> However I can add an interface that duplicates the permanent interface,
E.G.
> with interface entry:
> 
> 	lan  eth0 -
> 
> I can now issue command:
> 
> 	shorewall add eth0 lan
> 
> /var/lib/shorewall/zones now contains:
> 
> 	lan eth0:0.0.0.0/0  +eth0:0.0.0.0/0
> 
> If I try to delete eth0 from lan with the following command:
> 	shorewall delete eth0 lan
> 
> I get a message saying eth0 is a permanent member of zone lan
> and it isn''t deleted.
Corrected in revision 6345.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

zone entry:

	vpn  ipsec

generates an iptables rule with a missing white space between 84.45.199.3 
and -m :

-A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j 
DNAT --to-destination 192.168.0.3 


Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> zone entry:
> 
> 	vpn  ipsec
> 
> generates an iptables rule with a missing white space between 84.45.199.3 
> and -m :
> 
> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j 
> DNAT --to-destination 192.168.0.3 
Steven,

What is generating the DNAT rule?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> zone entry:
>>
>> 	vpn  ipsec
>>
>> generates an iptables rule with a missing white space between
84.45.199.3
>> and -m :
>>
>> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j 
>> DNAT --to-destination 192.168.0.3 
> 
> Steven,
> 
> What is generating the DNAT rule?
> 
I think I found it -- please try 6346.

Thanks, Steven

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Monday 14 May 2007 20:12, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> zone entry:
> >>
> >> 	vpn  ipsec
> >>
> >> generates an iptables rule with a missing white space between
> >> 84.45.199.3 and -m :
> >>
> >> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j
> >> DNAT --to-destination 192.168.0.3
> >
> > Steven,
> >
> > What is generating the DNAT rule?
>
> I think I found it -- please try 6346.
>
> Thanks, Steven
>
> -Tom
Tom

That''s fixed it.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

With zone entry:

	vpn  ipsec

when I issue command:

	shorewall add eth0 vpn

the following messages are generated:

iptables v1.3.6: Couldn''t load target 
`vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
file:
No such file or directory

Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn''t load target 
`vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
file:
No such file or directory

Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn''t load target 
`vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
file:
No such file or directory

Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn''t load target 
`vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
file:
No such file or directory

Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn''t load target 
`vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
file:
No such file or directory

Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl
wrote:
> Tom
> 
> With zone entry:
> 
> 	vpn  ipsec
> 
> when I issue command:
> 
> 	shorewall add eth0 vpn
> 
> the following messages are generated:
> 
> iptables v1.3.6: Couldn''t load target 
> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared
object file:
> No such file or directory
> 
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn''t load target 
> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared
object file:
> No such file or directory
> 
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn''t load target 
> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared
object file:
> No such file or directory
> 
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn''t load target 
> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared
object file:
> No such file or directory
> 
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn''t load target 
> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open shared
object file:
> No such file or directory
> 
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> 
I believe this is fixed in revision 6348.

Thanks, Steven

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Monday 14 May 2007 22:33, Tom Eastep wrote:
> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > With zone entry:
> >
> > 	vpn  ipsec
> >
> > when I issue command:
> >
> > 	shorewall add eth0 vpn
> >
> > the following messages are generated:
> >
> > iptables v1.3.6: Couldn''t load target
> > `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
> > file: No such file or directory
> >
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn''t load target
> > `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
> > file: No such file or directory
> >
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn''t load target
> > `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
> > file: No such file or directory
> >
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn''t load target
> > `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
> > file: No such file or directory
> >
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn''t load target
> > `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
> > file: No such file or directory
> >
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>
> I believe this is fixed in revision 6348.
>
> Thanks, Steven
>
> -Tom
Tom

Revision 6348 has fixed that problem, however there is another issue.

It now seems that is only possible to add 1 dynamic entry.

Zones entries:

	fw	firewall
	lan	ipv4
	wan	ipv4
	dmz	ipv4
	tst	ipv4
	vpn	ipsec

Interfaces entries:

	lan	eth0
	wan	eth1
	dmz	eth2

If I now issue the following commands:

	shorewall start
	shorewall add eth0 dmz (this works)
	shorewall add eth0 vpn  (this produces the following messages)

iptables: No chain/target/match by that name
   ERROR: Can''t add eth0:0.0.0.0/0 to zone vpn

Despite these messages eth0 has been added to both dmz and vpn zones 
in /var/lib/shorewall/zones.

If I now change the order in which eth0 is added to zones dmz and vpn:

	shorewall clear
	shorewall start
	shorewall add eth0 vpn  (this works)
	shorewall add eth0 dmz (this now fails with the same message as above)

This problem seems to happen no matter which interfaces I try to add to any 2 
or more zones.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Monday 14 May 2007 22:33, Tom Eastep wrote:
>> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
>>> Tom
>>>
>>> With zone entry:
>>>
>>> 	vpn  ipsec
>>>
>>> when I issue command:
>>>
>>> 	shorewall add eth0 vpn
>>>
>>> the following messages are generated:
>>>
>>> iptables v1.3.6: Couldn''t load target
>>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn''t load target
>>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn''t load target
>>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn''t load target
>>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn''t load target
>>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot open
shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
>> I believe this is fixed in revision 6348.
>>
>> Thanks, Steven
>>
>> -Tom
> 
> Tom
> 
> Revision 6348 has fixed that problem, however there is another issue.
> 
> It now seems that is only possible to add 1 dynamic entry.
> 
> Zones entries:
> 
> 	fw	firewall
> 	lan	ipv4
> 	wan	ipv4
> 	dmz	ipv4
> 	tst	ipv4
> 	vpn	ipsec
> 
> Interfaces entries:
> 
> 	lan	eth0
> 	wan	eth1
> 	dmz	eth2
> 
> If I now issue the following commands:
> 
> 	shorewall start
> 	shorewall add eth0 dmz (this works)
> 	shorewall add eth0 vpn  (this produces the following messages)
> 
> iptables: No chain/target/match by that name
>    ERROR: Can''t add eth0:0.0.0.0/0 to zone vpn
> 
> Despite these messages eth0 has been added to both dmz and vpn zones 
> in /var/lib/shorewall/zones.
> 
> If I now change the order in which eth0 is added to zones dmz and vpn:
> 
> 	shorewall clear
> 	shorewall start
> 	shorewall add eth0 vpn  (this works)
> 	shorewall add eth0 dmz (this now fails with the same message as above)
> 
> This problem seems to happen no matter which interfaces I try to add to any
2
> or more zones.
Wow -- that uncovered a can of worms. I think it''s all sorted out in
6352.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Monday 14 May 2007 22:33, Tom Eastep wrote:
> >> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> With zone entry:
> >>>
> >>> 	vpn  ipsec
> >>>
> >>> when I issue command:
> >>>
> >>> 	shorewall add eth0 vpn
> >>>
> >>> the following messages are generated:
> >>>
> >>> iptables v1.3.6: Couldn''t load target
> >>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot
open shared object
> >>> file: No such file or directory
> >>>
> >>> Try `iptables -h'' or ''iptables
--help'' for more information.
> >>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> >>> iptables v1.3.6: Couldn''t load target
> >>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot
open shared object
> >>> file: No such file or directory
> >>>
> >>> Try `iptables -h'' or ''iptables
--help'' for more information.
> >>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> >>> iptables v1.3.6: Couldn''t load target
> >>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot
open shared object
> >>> file: No such file or directory
> >>>
> >>> Try `iptables -h'' or ''iptables
--help'' for more information.
> >>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> >>> iptables v1.3.6: Couldn''t load target
> >>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot
open shared object
> >>> file: No such file or directory
> >>>
> >>> Try `iptables -h'' or ''iptables
--help'' for more information.
> >>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> >>> iptables v1.3.6: Couldn''t load target
> >>> `vpn_frwd'':/lib/iptables/libipt_vpn_frwd.so: cannot
open shared object
> >>> file: No such file or directory
> >>>
> >>> Try `iptables -h'' or ''iptables
--help'' for more information.
> >>>    ERROR: Can''t add +eth0:0.0.0.0/0 to zone vpn
> >>
> >> I believe this is fixed in revision 6348.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > Revision 6348 has fixed that problem, however there is another issue.
> >
> > It now seems that is only possible to add 1 dynamic entry.
> >
> > Zones entries:
> >
> > 	fw	firewall
> > 	lan	ipv4
> > 	wan	ipv4
> > 	dmz	ipv4
> > 	tst	ipv4
> > 	vpn	ipsec
> >
> > Interfaces entries:
> >
> > 	lan	eth0
> > 	wan	eth1
> > 	dmz	eth2
> >
> > If I now issue the following commands:
> >
> > 	shorewall start
> > 	shorewall add eth0 dmz (this works)
> > 	shorewall add eth0 vpn  (this produces the following messages)
> >
> > iptables: No chain/target/match by that name
> >    ERROR: Can''t add eth0:0.0.0.0/0 to zone vpn
> >
> > Despite these messages eth0 has been added to both dmz and vpn zones
> > in /var/lib/shorewall/zones.
> >
> > If I now change the order in which eth0 is added to zones dmz and vpn:
> >
> > 	shorewall clear
> > 	shorewall start
> > 	shorewall add eth0 vpn  (this works)
> > 	shorewall add eth0 dmz (this now fails with the same message as
above)
> >
> > This problem seems to happen no matter which interfaces I try to add
to
> > any 2 or more zones.
>
> Wow -- that uncovered a can of worms. I think it''s all sorted out
in 6352.
>
> -Tom
Tom

Yes, that seems to have fixed the problem.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
>>On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>> Wow -- that uncovered a can of worms. I think it''s all sorted
out in 6352.
>>
>> -Tom
> 
> Tom
> 
> Yes, that seems to have fixed the problem.
> 
Thanks, Steven!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
> Steven Jan Springl wrote:
> >>On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
> >> Wow -- that uncovered a can of worms. I think it''s all
sorted out in
> >> 6352.
> >>
> >> -Tom
> >
> > Tom
> >
> > Yes, that seems to have fixed the problem.
>
> Thanks, Steven!
>
> -Tom
Good morning Tom.

WARNING..... drink two large, strong, cups of coffee before continuing.


Yesterday you mentioned a can of worms, I think it might be back.


Zones:

	fw	firewall
	lan	ipv4
	wan	ipv4
	dmz	ipv4
	tst:wan,lan,dmz	ipv4
	vpn	ipsec

Interfaces:

	lan	eth0
	wan	eth1
	-	eth2

Hosts;

	dmz	eth2:!10.0.0.0/8


When the following commands are issued:

	shorewall start
	shorewall add eth2 10.0.0.0/8 tst

the following messages are produced:

iptables v1.3.6: host/network `exclude'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth2:10.0.0.0/8 to zone tst

iptables v1.3.6: host/network `exclude'' not found
Try `iptables -h'' or ''iptables --help'' for more
information.
   ERROR: Can''t add eth2:10.0.0.0/8 to zone tst


Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Andras Sarkozy wrote:
>> Hi Tom,
>>
>> Using the latest distribution (and the latest SVN 6342) Shorewall-perl
has a few problems:
>>
>> 1,The providers chokes on the gateway address (works if it is
"detect" or "-")
>> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY        
OPTIONS         COPY
>> BDSL    1       256     main            ppp1            detect  track  
eth0,eth3
>> ADSL    2       512     main            ppp0            -  track  
eth0,eth3
>> CABLE   3      1024     main            eth4            84.3.248.1     
track   eth0,eth3
>>
>> Can''t call method "validate_address" without a
package or object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm
line 190, <$currentfile> line 16.
>>
>> 2,It doesn''t accept the ports field if it is a comma separated
list in the tcrules (works with single port or port range):
>> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER   
TEST    LENGTH  TOS
>> 3        0.0.0.0/0    0.0.0.0/0         tcp     smtp,pop3
>> Checking /etc/shorewall/tcrules...
>>     ERROR: Invalid/Unknown port/service (smtp,pop3) :
/etc/shorewall/tcrules ( line 21 )
> 
> I couldn''t reproduce that one.
> 
>> or:
>> 3        0.0.0.0/0    0.0.0.0/0         tcp     -       25,110
>> Checking /etc/shorewall/tcrules...
>>     ERROR: Invalid/Unknown port/service (25,110) :
/etc/shorewall/tcrules ( line 22 )
> 
> But this one occured in any file when the DEST PORT(S) column is
''-'' and a
> port list was given in the SOURCE PORT(S) column.
> 
> At any rate, the problems are corrected in revision 6343.
> 
> -Tom
Hi Tom,

Yes - it fixed both problems!

Thank you,
Andras


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>>> Wow -- that uncovered a can of worms. I think it''s all
sorted out in
>>>> 6352.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> Yes, that seems to have fixed the problem.
>> Thanks, Steven!
>>
>> -Tom
> 
> Good morning Tom.
> 
> WARNING..... drink two large, strong, cups of coffee before continuing.
> 
> 
> Yesterday you mentioned a can of worms, I think it might be back.
> 
> 
> Zones:
> 
> 	fw	firewall
> 	lan	ipv4
> 	wan	ipv4
> 	dmz	ipv4
> 	tst:wan,lan,dmz	ipv4
> 	vpn	ipsec
> 
> Interfaces:
> 
> 	lan	eth0
> 	wan	eth1
> 	-	eth2
> 
> Hosts;
> 
> 	dmz	eth2:!10.0.0.0/8
> 
> 
> When the following commands are issued:
> 
> 	shorewall start
> 	shorewall add eth2 10.0.0.0/8 tst
> 
> the following messages are produced:
> 
> iptables v1.3.6: host/network `exclude'' not found
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
> 
> iptables v1.3.6: host/network `exclude'' not found
> Try `iptables -h'' or ''iptables --help'' for more
information.
>    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
Good afternoon, Steven.

Please try revision 6354. It worked in the limited test that I did.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 15:06, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
> >>>> Wow -- that uncovered a can of worms. I think
it''s all sorted out in
> >>>> 6352.
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> Yes, that seems to have fixed the problem.
> >>
> >> Thanks, Steven!
> >>
> >> -Tom
> >
> > Good morning Tom.
> >
> > WARNING..... drink two large, strong, cups of coffee before
continuing.
> >
> >
> > Yesterday you mentioned a can of worms, I think it might be back.
> >
> >
> > Zones:
> >
> > 	fw	firewall
> > 	lan	ipv4
> > 	wan	ipv4
> > 	dmz	ipv4
> > 	tst:wan,lan,dmz	ipv4
> > 	vpn	ipsec
> >
> > Interfaces:
> >
> > 	lan	eth0
> > 	wan	eth1
> > 	-	eth2
> >
> > Hosts;
> >
> > 	dmz	eth2:!10.0.0.0/8
> >
> >
> > When the following commands are issued:
> >
> > 	shorewall start
> > 	shorewall add eth2 10.0.0.0/8 tst
> >
> > the following messages are produced:
> >
> > iptables v1.3.6: host/network `exclude'' not found
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
> >
> > iptables v1.3.6: host/network `exclude'' not found
> > Try `iptables -h'' or ''iptables --help'' for
more information.
> >    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
>
> Good afternoon, Steven.
>
> Please try revision 6354. It worked in the limited test that I did.
>
> -Tom
Tom

Revision 6354 hasn''t worked. I still get the above errors.

I have attached my configuration.

Steven.



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Tuesday 15 May 2007 15:06, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>>>>> Wow -- that uncovered a can of worms. I think
it''s all sorted out in
>>>>>> 6352.
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> Yes, that seems to have fixed the problem.
>>>> Thanks, Steven!
>>>>
>>>> -Tom
>>> Good morning Tom.
>>>
>>> WARNING..... drink two large, strong, cups of coffee before
continuing.
>>>
>>>
>>> Yesterday you mentioned a can of worms, I think it might be back.
>>>
>>>
>>> Zones:
>>>
>>> 	fw	firewall
>>> 	lan	ipv4
>>> 	wan	ipv4
>>> 	dmz	ipv4
>>> 	tst:wan,lan,dmz	ipv4
>>> 	vpn	ipsec
>>>
>>> Interfaces:
>>>
>>> 	lan	eth0
>>> 	wan	eth1
>>> 	-	eth2
>>>
>>> Hosts;
>>>
>>> 	dmz	eth2:!10.0.0.0/8
>>>
>>>
>>> When the following commands are issued:
>>>
>>> 	shorewall start
>>> 	shorewall add eth2 10.0.0.0/8 tst
>>>
>>> the following messages are produced:
>>>
>>> iptables v1.3.6: host/network `exclude'' not found
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
>>>
>>> iptables v1.3.6: host/network `exclude'' not found
>>> Try `iptables -h'' or ''iptables --help''
for more information.
>>>    ERROR: Can''t add eth2:10.0.0.0/8 to zone tst
>> Good afternoon, Steven.
>>
>> Please try revision 6354. It worked in the limited test that I did.
>>
>> -Tom
> 
> Tom
> 
> Revision 6354 hasn''t worked. I still get the above errors.
> 
> I have attached my configuration.
Steven,

Please forward a trace of the failure -- your configuration looks basically
the same as mine so I don''t understand why you are still seeing
failures.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> 
> Please forward a trace of the failure -- your configuration looks basically
> the same as mine so I don''t understand why you are still seeing
failures.
> 
Never mind -- I found the key difference between our configurations.
I''ve
confirmed that 6355 fixes the problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
> Tom Eastep wrote:
> > Please forward a trace of the failure -- your configuration looks
> > basically the same as mine so I don''t understand why you are
still seeing
> > failures.
>
> Never mind -- I found the key difference between our configurations.
I''ve
> confirmed that 6355 fixes the problem.
>
> -Tom
Tom

I have tried numerous different configurations with no further problems found.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Please forward a trace of the failure -- your configuration looks
>>> basically the same as mine so I don''t understand why you
are still seeing
>>> failures.
>> Never mind -- I found the key difference between our configurations.
I''ve
>> confirmed that 6355 fixes the problem.
>>
>> -Tom
> 
> Tom
> 
> I have tried numerous different configurations with no further problems
found.
> 
Thanks, Steven.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote on 15/05/2007 15:28:35:
> Steven Jan Springl wrote:
> > On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
> >> Tom Eastep wrote:
> >>> Please forward a trace of the failure -- your configuration
looks
> >>> basically the same as mine so I don''t understand why
you are still
seeing
> >>> failures.
> >> Never mind -- I found the key difference between our
configurations.
I''ve
> >> confirmed that 6355 fixes the problem.
> >>
> >> -Tom
> > 
> > Tom
> > 
> > I have tried numerous different configurations with no further 
problems found.
> > 
> 
> Thanks, Steven.
> 
> -Tom
Does this mean we''re ready to go?

I''m in the process of installing 3 new boxen with shorewall - Should I 
stay on 3.4.x or may I step into 3.9.xx?

Steve, Thanks for all the great work you are doing for the community. 


tia,


--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 19:53, Eduardo Ferreira wrote:
> Tom Eastep wrote on 15/05/2007 15:28:35:
> > Steven Jan Springl wrote:
> > > On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
> > >> Tom Eastep wrote:
> > >>> Please forward a trace of the failure -- your
configuration looks
> > >>> basically the same as mine so I don''t understand
why you are still
>
> seeing
>
> > >>> failures.
> > >>
> > >> Never mind -- I found the key difference between our
configurations.
>
> I''ve
>
> > >> confirmed that 6355 fixes the problem.
> > >>
> > >> -Tom
> > >
> > > Tom
> > >
> > > I have tried numerous different configurations with no further
>
> problems found.
>
> > Thanks, Steven.
> >
> > -Tom
>
> Does this mean we''re ready to go?
>
> I''m in the process of installing 3 new boxen with shorewall -
Should I
> stay on 3.4.x or may I step into 3.9.xx?
>
> Steve, Thanks for all the great work you are doing for the community.
>
>
> tia,
>
>
> --
> Eduardo Ferreira
> Icatu Holding S.A.
> (21) 3804-8606
Tia

Stay on 3.4 for production machines. I was reffering to the ''shorewall
add''
command only.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steve  wrote on 15/05/2007 16:12:17:
> 
> Stay on 3.4 for production machines. I was reffering to the
''shorewall
add'' 
> command only.
> 
But what is not tested yet? I''ve followed your tests and, from what I 
could remember, you''ve already tested zones, interfaces, hosts, policy,
rules, accounting, nat, masq, mac - and now dynamic zones.  For my 
configurations, It is almost all that I need.

Thanks In Advance,


--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The ''shorewall dump -m'' command, as documented on the man
shorewall page, just
displays the shorewall menu.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 15 May 2007 20:18, Eduardo Ferreira wrote:
> Steve  wrote on 15/05/2007 16:12:17:
> > Stay on 3.4 for production machines. I was reffering to the
''shorewall
>
> add''
>
> > command only.
>
> But what is not tested yet? I''ve followed your tests and, from
what I
> could remember, you''ve already tested zones, interfaces, hosts,
policy,
> rules, accounting, nat, masq, mac - and now dynamic zones.  For my
> configurations, It is almost all that I need.
>
> Thanks In Advance,
>
>
> --
> Eduardo Ferreira
> Icatu Holding S.A.
> (21) 3804-8606
Edward

Firstly sorry for getting your name wrong before.

The testing that I have done so far has been very limited. I have been trying 
to brake shorewall by what ever means possible. 
With the exception of last weekend, I had not tried to construct any real 
firewall scenarios. Those that I had constructed were very simple, the type 
you might find in a domestic environment. I manually inspected the iptables 
rules and subjected just one configuration to a port scan.

The PC that I used for the test, has just one NIC card which means that none 
of the configurations has been subject to any ''proper'' testing
in a live
environment.

Additionally, I have not tested VPN, tunnels, providers, or traffic shaping. I 
have no experience in using those features.

In short, shorewall 3.9 needs considerably more testing before I would advise 
anybody to use it in a production environment. 

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> The ''shorewall dump -m'' command, as documented on the man
shorewall page, just
> displays the shorewall menu.
Steven,

The ''lib.cli'' from revision 6360 corrects this problem.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> 
> In short, shorewall 3.9 needs considerably more testing before I would
advise
> anybody to use it in a production environment. 
I second that. Once Steven has completed his testing of the /sbin/shorewall
command set, I''ll produce the first 4.0.0 Beta. I am expecting the Beta
period to last throughout the summer.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote on 15/05/2007 16:59:34:
> Steven Jan Springl wrote:
> 
> > 
> > In short, shorewall 3.9 needs considerably more testing before I would
advise 
> > anybody to use it in a production environment. 
> 
> I second that. Once Steven has completed his testing of the 
/sbin/shorewall
> command set, I''ll produce the first 4.0.0 Beta. I am expecting the
Beta
> period to last throughout the summer.
> 
> -Tom
Ok, I''ve been testing it with my production configurations and, for
what I
could see, it was creating a fairly good iptables-restore script.  But I 
didn''t test any of those features too, as I don''t really have
any use for
them now - I use OpenVPN and PPTP but I''d like it better if I put the 
rules directly into the rules file than declare a tunnel in the tunnels 
file (just an idiosyncrazy of mine :).

anyway, I''ll stick with the old (and slowwwwwwwwwwww) 3.4.x series for 
now.




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Command:

	shorewall check -e -C shell

works.

Command:

	shorewall check -e -C perl

produces message:

	ERROR: the -e flag requires a capabilities file


There is a capabilities file in /etc/shorewall.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Command:
> 
> 	shorewall check -e -C shell
> 
> works.
> 
> Command:
> 
> 	shorewall check -e -C perl
> 
> produces message:
> 
> 	ERROR: the -e flag requires a capabilities file
> 
> 
> There is a capabilities file in /etc/shorewall.
Are you running as root or an ordinary user? And if running as an
ordinary user, is /etc/shorewall/capabilities readable by the ordinary user?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Command:
> >
> > 	shorewall check -e -C shell
> >
> > works.
> >
> > Command:
> >
> > 	shorewall check -e -C perl
> >
> > produces message:
> >
> > 	ERROR: the -e flag requires a capabilities file
> >
> >
> > There is a capabilities file in /etc/shorewall.
>
> Are you running as root or an ordinary user? And if running as an
> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
> user?
>
> -Tom
Tom

I am running as root.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Command:
>>>
>>> 	shorewall check -e -C shell
>>>
>>> works.
>>>
>>> Command:
>>>
>>> 	shorewall check -e -C perl
>>>
>>> produces message:
>>>
>>> 	ERROR: the -e flag requires a capabilities file
>>>
>>>
>>> There is a capabilities file in /etc/shorewall.
>> Are you running as root or an ordinary user? And if running as an
>> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
>> user?
>>
>> -Tom
> Tom
> 
> I am running as root.
Steven,

I''ll have to think about this. Exporting your /etc/shorewall
configuration makes no sense at all but I want to consider the tradeoffs.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Command:
> >>>
> >>> 	shorewall check -e -C shell
> >>>
> >>> works.
> >>>
> >>> Command:
> >>>
> >>> 	shorewall check -e -C perl
> >>>
> >>> produces message:
> >>>
> >>> 	ERROR: the -e flag requires a capabilities file
> >>>
> >>>
> >>> There is a capabilities file in /etc/shorewall.
> >>
> >> Are you running as root or an ordinary user? And if running as an
> >> ordinary user, is /etc/shorewall/capabilities readable by the
ordinary
> >> user?
> >>
> >> -Tom
> >
> > Tom
> >
> > I am running as root.
>
> Steven,
>
> I''ll have to think about this. Exporting your /etc/shorewall
> configuration makes no sense at all but I want to consider the tradeoffs.
>
> -Tom
Tom

I have just tried:

	shorewall check -e -C perl /etc/shorewall

and that works.

Steven

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Command:
>>>>>
>>>>> 	shorewall check -e -C shell
>>>>>
>>>>> works.
>>>>>
>>>>> Command:
>>>>>
>>>>> 	shorewall check -e -C perl
>>>>>
>>>>> produces message:
>>>>>
>>>>> 	ERROR: the -e flag requires a capabilities file
>>>>>
>>>>>
>>>>> There is a capabilities file in /etc/shorewall.
>>>> Are you running as root or an ordinary user? And if running as
an
>>>> ordinary user, is /etc/shorewall/capabilities readable by the
ordinary
>>>> user?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> I am running as root.
>> Steven,
>>
>> I''ll have to think about this. Exporting your /etc/shorewall
>> configuration makes no sense at all but I want to consider the
tradeoffs.
>>
>> -Tom
> Tom
> 
> I have just tried:
> 
> 	shorewall check -e -C perl /etc/shorewall
> 
> and that works.
Yes. When you specify -e and don''t specify CONFIG_PATH in
/etc/shorewall/shorewall.conf, the compiler sets CONFIG_PATH such that
it doesn''t include /etc/shorewall. By adding
''/etc/shorewall'' to the
command line, you insert that directory at the front of CONFIG_PATH.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 02:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> Command:
> >>>>>
> >>>>> 	shorewall check -e -C shell
> >>>>>
> >>>>> works.
> >>>>>
> >>>>> Command:
> >>>>>
> >>>>> 	shorewall check -e -C perl
> >>>>>
> >>>>> produces message:
> >>>>>
> >>>>> 	ERROR: the -e flag requires a capabilities file
> >>>>>
> >>>>>
> >>>>> There is a capabilities file in /etc/shorewall.
> >>>>
> >>>> Are you running as root or an ordinary user? And if
running as an
> >>>> ordinary user, is /etc/shorewall/capabilities readable by
the ordinary
> >>>> user?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> I am running as root.
> >>
> >> Steven,
> >>
> >> I''ll have to think about this. Exporting your
/etc/shorewall
> >> configuration makes no sense at all but I want to consider the
> >> tradeoffs.
> >>
> >> -Tom
> >
> > Tom
> >
> > I have just tried:
> >
> > 	shorewall check -e -C perl /etc/shorewall
> >
> > and that works.
>
> Yes. When you specify -e and don''t specify CONFIG_PATH in
> /etc/shorewall/shorewall.conf, the compiler sets CONFIG_PATH such that
> it doesn''t include /etc/shorewall. By adding
''/etc/shorewall'' to the
> command line, you insert that directory at the front of CONFIG_PATH.
>
> -Tom
Tom

In shorewall.conf I have:
	
	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> In shorewall.conf I have:
> 	
> 	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> 
>
Okay. Please don''t wait for a response tonight -- I''m eating
dinner
right now and I need to understand how to separate -e from (user !root) in the
code.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
> 
>> Tom
>>
>> In shorewall.conf I have:
>> 	
>> 	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>>
>>
> 
> Okay. Please don''t wait for a response tonight -- I''m
eating dinner
> right now and I need to understand how to separate -e from (user !>
root) in the code.
I think I''ve got it sorted in revision 6368 -- see what you think.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>
>>> Tom
>>>
>>> In shorewall.conf I have:
>>> 	
>>> 	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>>>
>>>
>> Okay. Please don''t wait for a response tonight -- I''m
eating dinner
>> right now and I need to understand how to separate -e from (user
!>> root) in the code.
> 
> I think I''ve got it sorted in revision 6368 -- see what you think.
Correction -- make that 6369.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
> ...
>> As my testing over the last few days has largely been unproductive, is
there
>> any area of shorewall that you would like me to concentrate my testing
on?
>>
> ...
> Thanks again Steven for your intrepid testing efforts. Shorewall 3.9 is a
> much better product than it would have been without your contribution.
I''d also like to offer my thanks to Steven.  Your testing efforts are
greatly appreciated.

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  The major music labels and on-line stores want to limit
your rights to listen to music you have legitimately purchased.  Find
out more: http://iownmymusic.org/



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 04:44, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> In shorewall.conf I have:
> >>>
> >>> 	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> >>
> >> Okay. Please don''t wait for a response tonight --
I''m eating dinner
> >> right now and I need to understand how to separate -e from (user
!> >> root) in the code.
> >
> > I think I''ve got it sorted in revision 6368 -- see what you
think.
>
> Correction -- make that 6369.
>
> -Tom
Good morning Tom.

That''s fixed it.

I have tested it with:

	CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

	CONFIG_PATH
and with CONFIG_PATH commented out.

I have tested it specifying a directory on the ''shorewall
check'' command.

I have also tested it as root and a non root user.

Steven.




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

When a ''shorewall export -C .... '' command is issued, the -C
parameter is
ignored. The value of SHOREWALL_COMPILER is always used.


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

When I issue the command:
	
	shorewall safe-start

then reply ''n'' to:

	Do you want to accept the new firewall configuration? [y/n]

the following error is displayed:

/var/lib/shorewall/.start: line 435: run_clear_exit: command not found


Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> When a ''shorewall export -C .... '' command is issued, the
-C parameter is
> ignored. The value of SHOREWALL_COMPILER is always used.
> 
Good afternoon, Steven.

This is fixed in revision 6372.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> When I issue the command:
> 	
> 	shorewall safe-start
> 
> then reply ''n'' to:
> 
> 	Do you want to accept the new firewall configuration? [y/n]
> 
> the following error is displayed:
> 
> /var/lib/shorewall/.start: line 435: run_clear_exit: command not found
> 
> 
Should be fixed in revision 6373.

Thanks, Steven.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 16:13, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When I issue the command:
> >
> > 	shorewall safe-start
> >
> > then reply ''n'' to:
> >
> > 	Do you want to accept the new firewall configuration? [y/n]
> >
> > the following error is displayed:
> >
> > /var/lib/shorewall/.start: line 435: run_clear_exit: command not found
>
> Should be fixed in revision 6373.
>
> Thanks, Steven.
>
> -Tom
Tom

Yes, it''s fixed.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Some documentation anomalies.

In the ''Starting and stopping Shorewall'' document:

	The syntax for safe-start and safe-restart are listed as:
	
		shorewall safe-start  [ < filename> ]
		shorewall safe-restart  [ <filename> ]

	however both commands use a configuration-directory and not a filename.

	The description of the safe-restart command states that it is only valid if
	Shorewall is running. This is not the case, a safe-restart can be issued when
	Shorewall is stopped.


In the shorewall man page under both the check and compile commands, the 
following command:

	shorewall-lite show -f capabilities > capabities

incorrectly specifies the name of the capabilities file that needs to be 
created.

Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Some documentation anomalies.
> 
> In the ''Starting and stopping Shorewall'' document:
> 
> 	The syntax for safe-start and safe-restart are listed as:
> 	
> 		shorewall safe-start  [ < filename> ]
> 		shorewall safe-restart  [ <filename> ]
> 
> 	however both commands use a configuration-directory and not a filename.
> 
> 	The description of the safe-restart command states that it is only valid
if
> 	Shorewall is running. This is not the case, a safe-restart can be issued
when
> 	Shorewall is stopped.
> 
> 
> In the shorewall man page under both the check and compile commands, the 
> following command:
> 
> 	shorewall-lite show -f capabilities > capabities
> 
> incorrectly specifies the name of the capabilities file that needs to be 
> created.

Thanks, Steven.

I''ve corrected these documentation errors.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The documentation states that with shorewall-perl a ''shorewall
refresh''
command is synonymous with ''shorewall restart''.
There are two exceptions to this;

	When Shorewall is stopped a ''shorewall restart'' command can
be used to start
	it, but a ''shorewall refresh'' command cannot be used.

	A directory can be specified on a ''shorewall restart''
command, it cannot be
	specified on ''shorewall refresh'' command.

Steven. 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Issuing command:

	shorewall ipdecimal

produces the following error:

/usr/share/shorewall/lib.base: line 441: & 255: syntax error: operand
expected
(error token is "& 255")

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Issuing command:
> 
> 	shorewall ipdecimal
> 
> produces the following error:
> 
> /usr/share/shorewall/lib.base: line 441: & 255: syntax error: operand
expected
> (error token is "& 255")
Corrected in 6378.

Thanks, Steven.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 16 May 2007 23:17, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Issuing command:
> >
> > 	shorewall ipdecimal
> >
> > produces the following error:
> >
> > /usr/share/shorewall/lib.base: line 441: & 255: syntax error:
operand
> > expected (error token is "& 255")
>
> Corrected in 6378.
>
> Thanks, Steven.
>
> -Tom
Tom

That''s worked. 

I have just realised the problem also occurs with shorewall-lite.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> 
> Tom
> 
> That''s worked. 
> 
> I have just realised the problem also occurs with shorewall-lite.
Shorewall-lite is corrected in 6379.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

I think I have found a problem with the ''shorewall try''
command.

When I issue command:
	shorewall try -C shell /etc/shorewall

the compiled configuration is written to /var/lib/shorewall/.restart
Shorewall then uses this file to restart from.

If I issue command:
	shorewall try -C perl /etc/shorewall

the compiled configuration is written to /root/compile
but Shorewall tries to restart using /var/lib/shorewall/.restart


Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> I think I have found a problem with the ''shorewall try''
command.
> 
> When I issue command:
> 	shorewall try -C shell /etc/shorewall
> 
> the compiled configuration is written to /var/lib/shorewall/.restart
> Shorewall then uses this file to restart from.
> 
> If I issue command:
> 	shorewall try -C perl /etc/shorewall
> 
> the compiled configuration is written to /root/compile
> but Shorewall tries to restart using /var/lib/shorewall/.restart
Fixed in 6380.

Thanks, Steven!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Good morning Tom.

A couple of minor issues.

Command:

	shorewall try /etc/shorewall x

produces the following error:

sleep: invalid time interval ''x''


The following commands are accepted:

	shorewall -f start
	shorewall start /etc/shorewall

but the following command is not accepted:

	shorewall -f start /etc/shorewall


Steven.




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Good morning Tom.
> 
> A couple of minor issues.
> 
> Command:
> 
> 	shorewall try /etc/shorewall x
> 
> produces the following error:
> 
> sleep: invalid time interval ''x''
I''ve fixed this in revision 6385.
> 
> 
> The following commands are accepted:
> 
> 	shorewall -f start
> 	shorewall start /etc/shorewall
> 
> but the following command is not accepted:
> 
> 	shorewall -f start /etc/shorewall
That''s correct. A directory name is not accepted with
''-f'' even if it is
/etc/shorewall. I''ve updated the documentation.

Thanks, Steven.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Command

	shorewall-lite dump -m

is not accepted.


A quick question. While I understand the purpose of the directory 
on ''shorewall start'' and ''shorewall restart''
commands,
what purpose does the directory server on ''shorewall-lite
start'' and
''shorewall-lite restart'' commands?

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Command
> 
> 	shorewall-lite dump -m
> 
> is not accepted.
It will be accepted if you install the lib.cli from Shorewall-common.
That file gets copied from Shorewall-common to Shorewall-lite during the
build process.
> 
> 
> A quick question. While I understand the purpose of the directory 
> on ''shorewall start'' and ''shorewall
restart'' commands,
> what purpose does the directory server on ''shorewall-lite
start'' and
> ''shorewall-lite restart'' commands?
> 
It''s pretty minimal -- it tells /sbin/shorewall-lite where to look for
the shorewall-lite.conf file.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Good morning Tom
> > Command
> >
> > 	shorewall-lite dump -m
> >
> > is not accepted.
>
> It will be accepted if you install the lib.cli from Shorewall-common.
> That file gets copied from Shorewall-common to Shorewall-lite during the
> build process.
That works now.
>
> > A quick question. While I understand the purpose of the directory
> > on ''shorewall start'' and ''shorewall
restart'' commands,
> > what purpose does the directory server on ''shorewall-lite
start'' and
> > ''shorewall-lite restart'' commands?
>
> It''s pretty minimal -- it tells /sbin/shorewall-lite where to look
for
> the shorewall-lite.conf file.
>
This is what I thought. However specifying directory doesn''t seem to do
anything. Even specifying a non existant directory doesn''t do anything.
I put a trace on the start/restart commands and there is no reference to the 
directory in the output. 

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Good morning Tom
> 
>>> Command
>>>
>>> 	shorewall-lite dump -m
>>>
>>> is not accepted.
>> It will be accepted if you install the lib.cli from Shorewall-common.
>> That file gets copied from Shorewall-common to Shorewall-lite during
the
>> build process.
> 
> That works now.
> 
>>> A quick question. While I understand the purpose of the directory
>>> on ''shorewall start'' and ''shorewall
restart'' commands,
>>> what purpose does the directory server on ''shorewall-lite
start'' and
>>> ''shorewall-lite restart'' commands?
>> It''s pretty minimal -- it tells /sbin/shorewall-lite where to
look for
>> the shorewall-lite.conf file.
>>
> 
> This is what I thought. However specifying directory doesn''t seem
to do
> anything. Even specifying a non existant directory doesn''t do
anything.
> I put a trace on the start/restart commands and there is no reference to
the
> directory in the output. 
After I responded, I suspected that was the case. I''ve hacked the
remaining
vestiges from /sbin/shorewall-lite. Note that shorewall-lite(8) didn''t
mention using a directory -- only "shorewall-lite help" and the
operations
document did.

The operations document (trunk/docs/starting_and_stopping_shorewall.xml)
still needs work for 4.0 -- it doesn''t discuss compiler selection at
all yet.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

A ''shorewall load'' command issues a ''shorewall
restart'' command instead of
a ''shorewall start'' command and displays message
''System .. reloaded'' instead
of  ''System .. loaded''

Steven.

 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> A ''shorewall load'' command issues a ''shorewall
restart'' command instead of
> a ''shorewall start'' command and displays message
''System .. reloaded'' instead
> of  ''System .. loaded''
> 
Thanks, Steven

I had copied and pasted the ''reload'' case but neglected to
modify it.

Fixed in revision 6402.

Roberto -- this should go into 3.4 as well.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Friday 18 May 2007 20:20, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > A ''shorewall load'' command issues a
''shorewall restart'' command instead
> > of a ''shorewall start'' command and displays message
''System .. reloaded''
> > instead of  ''System .. loaded''
>
> Thanks, Steven
>
> I had copied and pasted the ''reload'' case but neglected
to modify it.
>
> Fixed in revision 6402.
>
> Roberto -- this should go into 3.4 as well.
>
> -Tom
Tom

That works, however if ''shorewall load -s ...'' is issued and
the start fails
because the system is already started, ''shorewall-lite save''
is still issued.

Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Fri, May 18, 2007 at 08:48:00PM +0100, Steven Jan Springl
wrote:
> On Friday 18 May 2007 20:20, Tom Eastep wrote:
> > Steven Jan Springl wrote:
> > > Tom
> > >
> > > A ''shorewall load'' command issues a
''shorewall restart'' command instead
> > > of a ''shorewall start'' command and displays
message ''System .. reloaded''
> > > instead of  ''System .. loaded''
> >
> > Thanks, Steven
> >
> > I had copied and pasted the ''reload'' case but
neglected to modify it.
> >
> > Fixed in revision 6402.
> >
> > Roberto -- this should go into 3.4 as well.
> >
> > -Tom
> 
> Tom
> 
> That works, however if ''shorewall load -s ...'' is issued
and the start fails
> because the system is already started, ''shorewall-lite
save'' is still issued.
> 
Should I wait for this one as well?  Then I can backport 6402 and
whatever rev this ends up being.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> 
> That works, however if ''shorewall load -s ...'' is issued
and the start fails
> because the system is already started, ''shorewall-lite
save'' is still issued.
> 
''shorewall-lite start'' doesn''t fail if Shorewall Lite
is already running. It
issues an information message and exits with status 0. This is the same with
''shorewall start''.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Roberto C. Sánchez wrote:
> On Fri, May 18, 2007 at 08:48:00PM +0100, Steven Jan Springl wrote:
>> On Friday 18 May 2007 20:20, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> A ''shorewall load'' command issues a
''shorewall restart'' command instead
>>>> of a ''shorewall start'' command and displays
message ''System .. reloaded''
>>>> instead of  ''System .. loaded''
>>> Thanks, Steven
>>>
>>> I had copied and pasted the ''reload'' case but
neglected to modify it.
>>>
>>> Fixed in revision 6402.
>>>
>>> Roberto -- this should go into 3.4 as well.
>>>
>>> -Tom
>> Tom
>>
>> That works, however if ''shorewall load -s ...'' is
issued and the start fails
>> because the system is already started, ''shorewall-lite
save'' is still issued.
>>
> Should I wait for this one as well?  Then I can backport 6402 and
> whatever rev this ends up being.
Roberto,

I''m not going to make a change for this one -- so feel free to go ahead
with
6402.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
> 
>> That works, however if ''shorewall load -s ...'' is
issued and the start fails
>> because the system is already started, ''shorewall-lite
save'' is still issued.
>>
> 
> ''shorewall-lite start'' doesn''t fail if Shorewall
Lite is already running. It
> issues an information message and exits with status 0. This is the same
with
> ''shorewall start''.
> 
The reason for this behavior is LSB compliance -- starting a subsystem that
is already started should not be considered an error.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Commands ''shorewall load'' and ''shorewall
reload'' ignore -C option.

Steven.
	

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Commands ''shorewall load'' and ''shorewall
reload'' ignore -C option.
> 
Steven,

Please try 6403.

Sorry that I don''t have time at the moment to test it myself.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Friday 18 May 2007 22:35, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Commands ''shorewall load'' and ''shorewall
reload'' ignore -C option.
>
> Steven,
>
> Please try 6403.
>
> Sorry that I don''t have time at the moment to test it myself.
>
No problem Tom.

It''s working.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

I have now completed my testing of shorewall and shorewall-lite commands.

Is there is any other aspect of Shorewall 3.9 that needs testing or further 
testing?

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Fri, May 18, 2007 at 11:47:48PM +0100, Steven Jan Springl
wrote:
> Tom
> 
> I have now completed my testing of shorewall and shorewall-lite commands.
> 
> Is there is any other aspect of Shorewall 3.9 that needs testing or further
> testing?
> 
> Steven.
> 
Steven,

Let me say that you are the man.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> I have now completed my testing of shorewall and shorewall-lite commands.
> 
> Is there is any other aspect of Shorewall 3.9 that needs testing or further
> testing?
Steven,

I rather think it is time to generate a Beta release and let a wider audience
pound on it. We need to validate that the rules do what they are supposed to
do and that will require wider participation.

I will be traveling for most of the next two weeks so I''m not going to
be able
to respond quickly to problem reports (I''ll be traveling by train for
several
days in a row so it will be a fluke if I have any Internet access).

Steven, I want to thank you for the effort that you put forth to test this
shaky new code. Everyone who uses Shorewall 4.0 and later releases certainly
owes you a debt of gratitude.

Best Regards and Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Good morning Tom.

Built in action rejNotSyn:
when compiled with shorewall-shell generates a
	''-j REJECT --reject-with tcp-reset''

when compile with shorewall-perl generates a
	''-j REJECT''


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Built in action allowoutUPnP produces the following errors when compiled with 
shorewall-shell:

ipt-owner: pid, sid and command matching not supported anymore
iptables: Invalid argument
   ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner --cmd-owner 
upnpd -j ACCEPT" Failed

when compiled with shorewall-perl produces the error:

ERROR: Unknown action (allowoutUPnP)


When forwardUPnP is compiled with both shorewall-shell and shorewall-perl, 
a forwardUPnP chain is created with no rules. Is this correct?


Steven.  

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Good morning Tom.
> 
> Built in action rejNotSyn:
> when compiled with shorewall-shell generates a
> 	''-j REJECT --reject-with tcp-reset''
> 
> when compile with shorewall-perl generates a
> 	''-j REJECT''
Good afternoon, Steven.

I''ve fixed that problem in revision 6405.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Built in action allowoutUPnP produces the following errors when compiled
with
> shorewall-shell:
> 
> ipt-owner: pid, sid and command matching not supported anymore
> iptables: Invalid argument
>    ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner --cmd-owner
> upnpd -j ACCEPT" Failed
Yes. This is another one of those wonderful cases where the Netfilter team
removed a feature that Shorewall depended on.
> 
> when compiled with shorewall-perl produces the error:
> 
> ERROR: Unknown action (allowoutUPnP)
> 
Given that the thing no longer works, it seemed silly to put it in
Shorewall-perl. So I just left it out.

I''ll add it to my todo list to updated the documentation.
> 
> When forwardUPnP is compiled with both shorewall-shell and shorewall-perl, 
> a forwardUPnP chain is created with no rules. Is this correct?
Yes.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Built in action allowoutUPnP produces the following errors when
compiled with
>> shorewall-shell:
>>
>> ipt-owner: pid, sid and command matching not supported anymore
>> iptables: Invalid argument
>>    ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner
--cmd-owner
>> upnpd -j ACCEPT" Failed
> 
> Yes. This is another one of those wonderful cases where the Netfilter team
> removed a feature that Shorewall depended on.
> 
>> when compiled with shorewall-perl produces the error:
>>
>> ERROR: Unknown action (allowoutUPnP)
>>
> 
> Given that the thing no longer works, it seemed silly to put it in
> Shorewall-perl. So I just left it out.
> 
> I''ll add it to my todo list to updated the documentation.
I''ve added this to the release notes and to the
Shorewall-perl/Shorewall-4
documentation. The UPnP documentation already instructs to not use
allowoutUPnP with kernel 2.6.14 or later.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Having never used IPSEC, I don''t know if this is a bug or I''m
missing
something.

Masq file entry:

	eth0  192.168.0.0/16  -  -  -  strict,next

produces error:

iptables-restore v1.3.6: policy match: empty policy element

Coding ''strict,next'' in the zones file works.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Having never used IPSEC, I don''t know if this is a bug or
I''m missing
> something.
> 
> Masq file entry:
> 
> 	eth0  192.168.0.0/16  -  -  -  strict,next
> 
> produces error:
> 
> iptables-restore v1.3.6: policy match: empty policy element
> 
> Coding ''strict,next'' in the zones file works.
> 
''strict'' and ''next'' are only applicable when
multiple policies are strung
together. I''ll investigate what is going on in the zones file since
"strict,next" shouldn''t work there either.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Having never used IPSEC, I don''t know if this is a bug or
I''m missing
>> something.
>>
>> Masq file entry:
>>
>> 	eth0  192.168.0.0/16  -  -  -  strict,next
>>
>> produces error:
>>
>> iptables-restore v1.3.6: policy match: empty policy element
>>
>> Coding ''strict,next'' in the zones file works.
>>
> 
> ''strict'' and ''next'' are only applicable
when multiple policies are strung
> together. I''ll investigate what is going on in the zones file
since
> "strict,next" shouldn''t work there either.
Did you just use "strict,next" and nothing else in the zones file?
That
shouldn''t work either according to the rules generated.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Having never used IPSEC, I don''t know if this is a bug or
I''m missing
> >> something.
> >>
> >> Masq file entry:
> >>
> >> 	eth0  192.168.0.0/16  -  -  -  strict,next
> >>
> >> produces error:
> >>
> >> iptables-restore v1.3.6: policy match: empty policy element
> >>
> >> Coding ''strict,next'' in the zones file works.
> >
> > ''strict'' and ''next'' are only
applicable when multiple policies are strung
> > together. I''ll investigate what is going on in the zones file
since
> > "strict,next" shouldn''t work there either.
>
> Did you just use "strict,next" and nothing else in the zones
file? That
> shouldn''t work either according to the rules generated.
>
> -Tom
Tom

My zones file is attached.

Steven.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Having never used IPSEC, I don''t know if this is a bug
or I''m missing
>>>> something.
>>>>
>>>> Masq file entry:
>>>>
>>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
>>>>
>>>> produces error:
>>>>
>>>> iptables-restore v1.3.6: policy match: empty policy element
>>>>
>>>> Coding ''strict,next'' in the zones file works.
>>> ''strict'' and ''next'' are only
applicable when multiple policies are strung
>>> together. I''ll investigate what is going on in the zones
file since
>>> "strict,next" shouldn''t work there either.
>> Did you just use "strict,next" and nothing else in the zones
file? That
>> shouldn''t work either according to the rules generated.
>>
>> -Tom
> Tom
> 
> My zones file is attached.
> 
Are the zones non-empty?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >> Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> Having never used IPSEC, I don''t know if this is
a bug or I''m missing
> >>>> something.
> >>>>
> >>>> Masq file entry:
> >>>>
> >>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
> >>>>
> >>>> produces error:
> >>>>
> >>>> iptables-restore v1.3.6: policy match: empty policy
element
> >>>>
> >>>> Coding ''strict,next'' in the zones file
works.
> >>>
> >>> ''strict'' and ''next'' are
only applicable when multiple policies are
> >>> strung together. I''ll investigate what is going on in
the zones file
> >>> since "strict,next" shouldn''t work there
either.
> >>
> >> Did you just use "strict,next" and nothing else in the
zones file? That
> >> shouldn''t work either according to the rules generated.
> >>
> >> -Tom
> >
> > Tom
> >
> > My zones file is attached.
>
> Are the zones non-empty?
>
> -Tom
Tom

wan has an entry in the interfaces file, but vpn does not, and is reported as 
empty at shorewall startup.

Steven

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> Having never used IPSEC, I don''t know if this
is a bug or I''m missing
>>>>>> something.
>>>>>>
>>>>>> Masq file entry:
>>>>>>
>>>>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
>>>>>>
>>>>>> produces error:
>>>>>>
>>>>>> iptables-restore v1.3.6: policy match: empty policy
element
>>>>>>
>>>>>> Coding ''strict,next'' in the zones
file works.
>>>>> ''strict'' and ''next'' are
only applicable when multiple policies are
>>>>> strung together. I''ll investigate what is going on
in the zones file
>>>>> since "strict,next" shouldn''t work there
either.
>>>> Did you just use "strict,next" and nothing else in
the zones file? That
>>>> shouldn''t work either according to the rules
generated.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> My zones file is attached.
>> Are the zones non-empty?
>>
>> -Tom
> Tom
> 
> wan has an entry in the interfaces file, but vpn does not, and is reported
as
> empty at shorewall startup.
Then I don''t understand why it worked. Please send me the generated
firewall
script

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Saturday 19 May 2007 15:58, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >>>> Tom Eastep wrote:
> >>>>> Steven Jan Springl wrote:
> >>>>>> Tom
> >>>>>>
> >>>>>> Having never used IPSEC, I don''t know if
this is a bug or I''m
> >>>>>> missing something.
> >>>>>>
> >>>>>> Masq file entry:
> >>>>>>
> >>>>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
> >>>>>>
> >>>>>> produces error:
> >>>>>>
> >>>>>> iptables-restore v1.3.6: policy match: empty
policy element
> >>>>>>
> >>>>>> Coding ''strict,next'' in the
zones file works.
> >>>>>
> >>>>> ''strict'' and
''next'' are only applicable when multiple policies are
> >>>>> strung together. I''ll investigate what is
going on in the zones file
> >>>>> since "strict,next" shouldn''t work
there either.
> >>>>
> >>>> Did you just use "strict,next" and nothing else
in the zones file?
> >>>> That shouldn''t work either according to the rules
generated.
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> My zones file is attached.
> >>
> >> Are the zones non-empty?
> >>
> >> -Tom
> >
> > Tom
> >
> > wan has an entry in the interfaces file, but vpn does not, and is
> > reported as empty at shorewall startup.
>
> Then I don''t understand why it worked. Please send me the
generated
> firewall script
>
> Thanks,
> -Tom
Tom

Sorry, I have messed around with the zones file since reporting the problem. 
The only zone entry that works with "strict,next" is one that is empty
(vpn).

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:58, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>>>> Tom Eastep wrote:
>>>>>>> Steven Jan Springl wrote:
>>>>>>>> Tom
>>>>>>>>
>>>>>>>> Having never used IPSEC, I don''t know
if this is a bug or I''m
>>>>>>>> missing something.
>>>>>>>>
>>>>>>>> Masq file entry:
>>>>>>>>
>>>>>>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
>>>>>>>>
>>>>>>>> produces error:
>>>>>>>>
>>>>>>>> iptables-restore v1.3.6: policy match: empty
policy element
>>>>>>>>
>>>>>>>> Coding ''strict,next'' in the
zones file works.
>>>>>>> ''strict'' and
''next'' are only applicable when multiple policies are
>>>>>>> strung together. I''ll investigate what is
going on in the zones file
>>>>>>> since "strict,next" shouldn''t
work there either.
>>>>>> Did you just use "strict,next" and nothing
else in the zones file?
>>>>>> That shouldn''t work either according to the
rules generated.
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> My zones file is attached.
>>>> Are the zones non-empty?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> wan has an entry in the interfaces file, but vpn does not, and is
>>> reported as empty at shorewall startup.
>> Then I don''t understand why it worked. Please send me the
generated
>> firewall script
>>
>> Thanks,
>> -Tom
> 
> Tom
> 
> Sorry, I have messed around with the zones file since reporting the
problem.
> The only zone entry that works with "strict,next" is one that is
empty (vpn).
Good. Thanks, Steven.

-Tom
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:58, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>>>> Tom Eastep wrote:
>>>>>>> Steven Jan Springl wrote:
>>>>>>>> Tom
>>>>>>>>
>>>>>>>> Having never used IPSEC, I don''t know
if this is a bug or I''m
>>>>>>>> missing something.
>>>>>>>>
>>>>>>>> Masq file entry:
>>>>>>>>
>>>>>>>> 	eth0  192.168.0.0/16  -  -  -  strict,next
>>>>>>>>
>>>>>>>> produces error:
>>>>>>>>
>>>>>>>> iptables-restore v1.3.6: policy match: empty
policy element
>>>>>>>>
>>>>>>>> Coding ''strict,next'' in the
zones file works.
>>>>>>> ''strict'' and
''next'' are only applicable when multiple policies are
>>>>>>> strung together. I''ll investigate what is
going on in the zones file
>>>>>>> since "strict,next" shouldn''t
work there either.
>>>>>> Did you just use "strict,next" and nothing
else in the zones file?
>>>>>> That shouldn''t work either according to the
rules generated.
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> My zones file is attached.
>>>> Are the zones non-empty?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> wan has an entry in the interfaces file, but vpn does not, and is
>>> reported as empty at shorewall startup.
>> Then I don''t understand why it worked. Please send me the
generated
>> firewall script
>>
>> Thanks,
>> -Tom
> 
> Tom
> 
> Sorry, I have messed around with the zones file since reporting the
problem.
> The only zone entry that works with "strict,next" is one that is
empty (vpn).
A valid sequence using ''strict'' and ''next''
would be:

proto=esp,strict,next,proto=ah

That would encapsulate in ESP then in AH.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Saturday 19 May 2007 16:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:58, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >>>>>> Tom Eastep wrote:
> >>>>>>> Steven Jan Springl wrote:
> >>>>>>>> Tom
> >>>>>>>>
> >>>>>>>> Having never used IPSEC, I don''t
know if this is a bug or I''m
> >>>>>>>> missing something.
> >>>>>>>>
> >>>>>>>> Masq file entry:
> >>>>>>>>
> >>>>>>>> 	eth0  192.168.0.0/16  -  -  - 
strict,next
> >>>>>>>>
> >>>>>>>> produces error:
> >>>>>>>>
> >>>>>>>> iptables-restore v1.3.6: policy match:
empty policy element
> >>>>>>>>
> >>>>>>>> Coding ''strict,next'' in
the zones file works.
> >>>>>>>
> >>>>>>> ''strict'' and
''next'' are only applicable when multiple policies are
> >>>>>>> strung together. I''ll investigate
what is going on in the zones
> >>>>>>> file since "strict,next"
shouldn''t work there either.
> >>>>>>
> >>>>>> Did you just use "strict,next" and
nothing else in the zones file?
> >>>>>> That shouldn''t work either according to
the rules generated.
> >>>>>>
> >>>>>> -Tom
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> My zones file is attached.
> >>>>
> >>>> Are the zones non-empty?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> wan has an entry in the interfaces file, but vpn does not, and
is
> >>> reported as empty at shorewall startup.
> >>
> >> Then I don''t understand why it worked. Please send me the
generated
> >> firewall script
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > Sorry, I have messed around with the zones file since reporting the
> > problem. The only zone entry that works with "strict,next"
is one that is
> > empty (vpn).
>
> A valid sequence using ''strict'' and
''next'' would be:
>
> proto=esp,strict,next,proto=ah
>
> That would encapsulate in ESP then in AH.
>
> -Tom
Tom

Thanks, I will use that to do some further testing.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/