I've uploaded 3.9.7. I've actually uploaded several versions of 3.9.7 over the last 24 hours so please verify the md5sum of the version you download:

55b42262acc69e77002146ac70bcf299  shorewall-3.9.7-1.noarch.rpm
0a37737841ab90f216287707f52f07a9  shorewall-3.9.7.tar.bz2
ba348ee720ae145f96f49e122194f8fc  shorewall-3.9.7.tgz
2e88702d483faab7c874de6e9b1cc415  shorewall-docs-html-3.9.7.tar.bz2
92d2ac63a8d2d6124e9d27ede25ed532  shorewall-docs-html-3.9.7.tgz
8dd6f7843fb9157873c265c17d01ce03  shorewall-docs-xml-3.9.7.tar.bz2
c737e131f4ecd5b7b3125d72bdd0c042  shorewall-docs-xml-3.9.7.tgz
a9586abbc236480b9fbc55fc1f72a6ef  shorewall-lite-3.9.7-1.noarch.rpm
b58dc3d15482397c267811244b14c839  shorewall-lite-3.9.7.tar.bz2
5672b362d4b75ea7f188404e2ae63d2b  shorewall-lite-3.9.7.tgz
5cd35a3245e1f68b76509f702c390480  shorewall-perl-3.9.7-1.noarch.rpm
69ea325942a98e7c44f864a14c8ffa16  shorewall-perl-3.9.7.tar.bz2
258d6ac30c797e32e92ce6d12c87a65a  shorewall-perl-3.9.7.tgz
c08427d20b4680aae73a1738b70858c6  shorewall-shell-3.9.7-1.noarch.rpm
0f394285b27fd9f07b6169b6e7ae403f  shorewall-shell-3.9.7.tar.bz2
13661a7f8dd2a5da179161472d684f96  shorewall-shell-3.9.7.tgz

In addition to a significant number of bug fixes, 3.9.7 contains some new features:

1) Shorewall-perl now validates all IP addresses and address ranges in rules. DNS names are resolved and an error is issued for any name that cannot be resolved.

2) Shorewall-perl now checks configuration files for the presence of characters that can cause problems if they are allowed into the generated firewall script:

   - Double Quotes. These are prohibited except in the shorewall.conf and params files.
   - Single Quotes. These are prohibited except in the shorewall.conf and params files and in COMMENT lines.
   - Single back quotes. These are prohibited except in the shorewall.conf and params files.
   - Backslash. Prohibited except as the last character on a line to denote line continuation.
3) Macros may now invoke other macros with the restriction that such macros may not be invoked within an action body. When macros are invoked recursively, the parameters passed to an invocation are automatically propagated to lower level macros. Macro invocations may be nested to a maximum level of 5.

Happy Testing,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
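Item 2 of the announcement is a compile-time defence: the compiled firewall is a shell script that runs as root, so a quote, back quote or stray backslash copied from a configuration column into that script would be interpreted by the shell rather than treated as data. The following Python is an added illustration of such a check and is not shorewall-perl's own code. The file names that count as shell syntax (shorewall.conf and params) and the COMMENT exception come from the announcement; the assumptions that a '#' comment is stripped before the check, that a COMMENT line is one whose first word is COMMENT, and the sample rules file are this example's own.

```python
"""Added example (not shorewall-perl's code): reject configuration characters
that would be unsafe once copied into the generated shell script."""

from typing import List

# Files that are themselves shell syntax (sourced by the generated script),
# so quoting characters are legitimate there.  Names from the announcement.
SHELL_SYNTAX_FILES = {"shorewall.conf", "params"}


def _error(what: str, filename: str, lineno: int) -> str:
    # Message layout mimics Shorewall's "ERROR: ... : file ( line N )" style.
    return f"ERROR: {what} : {filename} ( line {lineno} )"


def check_line(filename: str, lineno: int, line: str) -> List[str]:
    """Return the errors for one config line (empty list if it is clean).

    Assumptions of this example: the basename decides whether a file is shell
    syntax, a '#' comment is discarded before any character check, and a
    COMMENT line is one whose first word is COMMENT.
    """
    basename = filename.rsplit("/", 1)[-1]
    shell_syntax = basename in SHELL_SYNTAX_FILES
    body = line.split("#", 1)[0]                      # assumption: drop '#' comments
    comment_line = body.split(None, 1)[:1] == ["COMMENT"]
    errors: List[str] = []

    if '"' in body and not shell_syntax:
        errors.append(_error("Double quotes not allowed", filename, lineno))
    if "'" in body and not (shell_syntax or comment_line):
        errors.append(_error("Single quotes not allowed", filename, lineno))
    if "`" in body and not shell_syntax:
        errors.append(_error("Back quotes not allowed", filename, lineno))

    # A backslash is legal only as the final character, marking line continuation.
    stripped = body.rstrip()
    interior = stripped[:-1] if stripped.endswith("\\") else stripped
    if "\\" in interior:
        errors.append(_error("Backslash allowed only as line continuation", filename, lineno))
    return errors


def check_file(filename: str, text: str) -> List[str]:
    """Run check_line over every line of a file's text, numbering from 1."""
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        errors.extend(check_line(filename, lineno, line))
    return errors


# Constructed sample (not a real configuration): a rules file with a clean
# entry, a continued entry, a COMMENT line, and one entry per prohibited
# character (lines 6, 7 and 8 should be rejected).
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT  net    $FW  tcp   22
ACCEPT  net    $FW  tcp   \\
                          80,443
COMMENT Don't flag this apostrophe
ACCEPT  net    $FW  tcp   "25"
DNAT    net    loc:`hostname`  tcp 8080
ACCEPT  net\\loc $FW  tcp 53
"""

if __name__ == "__main__":
    for err in check_file("/etc/shorewall/rules", SAMPLE_RULES):
        print(err)
```

Running the block prints three errors for the constructed sample, one each for the double-quoted port, the back-quoted host and the interior backslash; the continuation line and the COMMENT line pass, as does a quoted value in params.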
Tom

I have spent most of the day testing various simple configurations that might be found in domestic setups. The features that I have tested include:

DNAT
REDIRECT
MASQUERADING
SNAT
NAT

In each case I compared the iptables rules generated by shorewall-perl with those generated by shorewall-shell. No problems were found.

I port scanned one configuration with nmap. The configuration included ACCEPT, DROP and REJECT rules. The result was as expected.

The only anomaly that I have discovered is the following messages are issued by shorewall-perl but not by shorewall-shell:

WARNING: Unknown configuration option (RSH_COMMAND) ignored : /etc/shorewall/shorewall.conf ( line 97 )
WARNING: Unknown configuration option (RCP_COMMAND) ignored : /etc/shorewall/shorewall.conf ( line 98 )

As my testing over the last few days has largely been unproductive, is there any area of shorewall that you would like me to concentrate my testing on?

Steven.
Steven Jan Springl wrote:
> The only anomaly that I have discovered is the following messages are issued
> by shorewall-perl but not by shorewall-shell:
>
> WARNING: Unknown configuration option (RSH_COMMAND)
> ignored : /etc/shorewall/shorewall.conf ( line 97 )
>
> WARNING: Unknown configuration option (RCP_COMMAND)
> ignored : /etc/shorewall/shorewall.conf ( line 98 )
>

This is corrected in revision 6338.

> As my testing over the last few days has largely been unproductive, is there
> any area of shorewall that you would like me to concentrate my testing on?
>

How about the operational aspects (/sbin/shorewall and /sbin/shorewall-lite commands and their options)?

Thanks again Steven for your intrepid testing efforts. Shorewall 3.9 is a much better product than it would have been without your contribution.

-Tom
Tom

Both shorewall-shell and shorewall-perl were installed and SHOREWALL_COMPILER=perl was set for this test.

Issuing command:

shorewall add eth0 wan

produces the following messages:

WARNING: Invalid option (optional) in record "wan eth1 - norfc1918,nosmurfs,tcpflags,optional"
WARNING: Invalid option (optional) in record "dmz eth2 - nosmurfs,tcpflags,optional"
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:eth0 to zone wan

Despite these messages eth0 is added to /var/lib/shorewall/zones:

wan ipv4 eth1:0.0.0.0/0 eth0:eth0

This continues to cause errors to be produced for subsequent commands until eth0 is deleted:

shorewall add eth0:192.168.0.2 wan

produces the following messages:

WARNING: Invalid option (optional) in record "wan eth1 - norfc1918,nosmurfs,tcpflags,optional"
WARNING: Invalid option (optional) in record "dmz eth2 - nosmurfs,tcpflags,optional"
iptables v1.3.6: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.0.2 to zone wan

Steven.
Steven Jan Springl wrote:
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:eth0 to zone wan
>
> Despite these messages eth0 is added to /var/lib/shorewall/zones:
>
> wan ipv4 eth1:0.0.0.0/0 eth0:eth0
>
> This continues to cause errors to be produced for subsequent commands until
> eth0 is deleted:
>
> shorewall add eth0:192.168.0.2 wan
>
> produces the following messages:
>
> WARNING: Invalid option (optional) in record "wan eth1 -
> norfc1918,nosmurfs,tcpflags,optional"
>
> WARNING: Invalid option (optional) in record "dmz eth2 -
> nosmurfs,tcpflags,optional"
>
> iptables v1.3.6: host/network `eth0' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.0.2 to zone wan

Thanks, Steven

Fixed in 6340.

-Tom
Tom

If interface entry:

lan eth0 -

is defined, it is possible to issue command:

shorewall delete eth0 lan

While this does not change the iptables rules, it does remove eth0 from /var/lib/shorewall/zones

Command:

shorewall show zones

displays lan (ipv4) without an interface.

I don't know if this could cause any issues.

Steven.
Steven Jan Springl wrote:
> Tom
>
> If interface entry:
>
> lan eth0 -
>
> is defined, it is possible to issue command:
>
> shorewall delete eth0 lan
>
> While this does not change the iptables rules, it does remove eth0 from
> /var/lib/shorewall/zones
>
> Command:
>
> shorewall show zones
>
> displays lan (ipv4) without an interface.
>
> I don't know if this could cause any issues.

I don't think that it can (other than messing up 'shorewall show zones') and I don't believe that I'll try to do anything about this. Once ipsets are included in standard kernels, they provide a much better way to implement dynamic zones and we will scrap this current implementation altogether.

Thanks, Steven

-Tom
Hi Tom,

Using the latest distribution (and the latest SVN 6342) Shorewall-perl has a few problems:

1. The providers file chokes on the gateway address (works if it is "detect" or "-"):

#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS  COPY
BDSL   1       256   main       ppp1       detect      track    eth0,eth3
ADSL   2       512   main       ppp0       -           track    eth0,eth3
CABLE  3       1024  main       eth4       84.3.248.1  track    eth0,eth3

Can't call method "validate_address" without a package or object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm line 190, <$currentfile> line 16.

2. It doesn't accept the ports field if it is a comma separated list in the tcrules (works with single port or port range):

#MARK  SOURCE     DEST       PROTO  DEST       SOURCE  USER  TEST  LENGTH  TOS
3      0.0.0.0/0  0.0.0.0/0  tcp    smtp,pop3

Checking /etc/shorewall/tcrules...
ERROR: Invalid/Unknown port/service (smtp,pop3) : /etc/shorewall/tcrules ( line 21 )

or:

3      0.0.0.0/0  0.0.0.0/0  tcp    -          25,110

Checking /etc/shorewall/tcrules...
ERROR: Invalid/Unknown port/service (25,110) : /etc/shorewall/tcrules ( line 22 )

Best,
Andras
Andras Sarkozy wrote:
> Hi Tom,
>
> Using the latest distribution (and the latest SVN 6342) Shorewall-perl has a few problems:
>
> 1. The providers file chokes on the gateway address (works if it is "detect" or "-"):
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS  COPY
> BDSL   1       256   main       ppp1       detect      track    eth0,eth3
> ADSL   2       512   main       ppp0       -           track    eth0,eth3
> CABLE  3       1024  main       eth4       84.3.248.1  track    eth0,eth3
>
> Can't call method "validate_address" without a package or object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm line 190, <$currentfile> line 16.
>
> 2. It doesn't accept the ports field if it is a comma separated list in the tcrules (works with single port or port range):
> #MARK  SOURCE     DEST       PROTO  DEST       SOURCE  USER  TEST  LENGTH  TOS
> 3      0.0.0.0/0  0.0.0.0/0  tcp    smtp,pop3
> Checking /etc/shorewall/tcrules...
> ERROR: Invalid/Unknown port/service (smtp,pop3) : /etc/shorewall/tcrules ( line 21 )

I couldn't reproduce that one.

> or:
> 3      0.0.0.0/0  0.0.0.0/0  tcp    -          25,110
> Checking /etc/shorewall/tcrules...
> ERROR: Invalid/Unknown port/service (25,110) : /etc/shorewall/tcrules ( line 22 )

But this one occurred in any file when the DEST PORT(S) column is '-' and a port list was given in the SOURCE PORT(S) column.

At any rate, the problems are corrected in revision 6343.

-Tom
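The tcrules failure above is a column-validation bug: a port list was accepted in DEST PORT(S) but not in SOURCE PORT(S) when the destination column was '-'. The Python below is an added example, not shorewall-perl's code, of validating both port columns with one parser so that neither column depends on the other. It accepts the forms iptables does (a port number, a service name, a low:high range, or a comma-separated list of those, with '-' meaning any port) and applies the iptables multiport limit of 15 ports, a range counting as two. The service table is a constructed subset of /etc/services so the example runs offline; the error text mirrors the messages quoted in the report.

```python
"""Added example (not shorewall-perl's code): validate the DEST PORT(S) and
SOURCE PORT(S) columns of a Shorewall rule independently of each other."""

from typing import List, Tuple

# Constructed subset of /etc/services (name -> port) so the example runs
# offline; a real implementation would consult the system services database.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "pop3": 110, "https": 443}

# iptables' multiport match takes at most 15 ports; a range counts as two.
MULTIPORT_LIMIT = 15


class InvalidPort(ValueError):
    """Raised for a port, service name, range or list that cannot be used."""


def resolve_port(item: str) -> int:
    """Turn one port number or service name into an integer port."""
    if item.isdigit():
        port = int(item)
        if 1 <= port <= 65535:
            return port
    elif item in SERVICES:
        return SERVICES[item]
    raise InvalidPort(item)


def parse_port_list(value: str) -> List[Tuple[int, int]]:
    """Parse a port column into (low, high) pairs.

    '-' means any port and yields [].  Otherwise the column is a single port
    or service name, a low:high range (either end may be omitted), or a
    comma-separated list of those.
    """
    if value == "-":
        return []
    ranges: List[Tuple[int, int]] = []
    for element in value.split(","):
        if ":" in element:
            lo_s, hi_s = element.split(":", 1)
            lo = resolve_port(lo_s) if lo_s else 1
            hi = resolve_port(hi_s) if hi_s else 65535
            if lo > hi:
                raise InvalidPort(element)
            ranges.append((lo, hi))
        else:
            port = resolve_port(element)
            ranges.append((port, port))
    # A list of several elements becomes a multiport match, which is bounded.
    weight = sum(2 if lo != hi else 1 for lo, hi in ranges)
    if len(ranges) > 1 and weight > MULTIPORT_LIMIT:
        raise InvalidPort(f"{value} (more than {MULTIPORT_LIMIT} ports for multiport)")
    return ranges


def check_rule_ports(dest: str, source: str, filename: str, lineno: int) -> List[str]:
    """Validate DEST PORT(S) and SOURCE PORT(S) independently and return
    Shorewall-style error strings (an empty list when both columns are fine)."""
    errors: List[str] = []
    for column in (dest, source):
        try:
            parse_port_list(column)
        except InvalidPort as exc:
            errors.append(
                f"ERROR: Invalid/Unknown port/service ({exc}) : {filename} ( line {lineno} )"
            )
    return errors


if __name__ == "__main__":
    # The two tcrules entries from the report: both should now validate cleanly.
    print(check_rule_ports("smtp,pop3", "-", "/etc/shorewall/tcrules", 21))
    print(check_rule_ports("-", "25,110", "/etc/shorewall/tcrules", 22))
    # A constructed bad entry, to show the diagnostic.
    print(check_rule_ports("-", "25,bogus", "/etc/shorewall/tcrules", 23))
```

Because both columns go through the same parse_port_list, a value that is legal as a destination list cannot be rejected merely because it appears in the source column; that symmetry is the property the original report found missing.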
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> If interface entry:
>>
>> lan eth0 -
>>
>> is defined, it is possible to issue command:
>>
>> shorewall delete eth0 lan
>>
>> While this does not change the iptables rules, it does remove eth0 from
>> /var/lib/shorewall/zones
>>
>> Command:
>>
>> shorewall show zones
>>
>> displays lan (ipv4) without an interface.
>>
>> I don't know if this could cause any issues.
>
> I don't think that it can (other than messing up 'shorewall show zones')
> and I don't believe that I'll try to do anything about this. Once ipsets
> are included in standard kernels, they provide a much better way to
> implement dynamic zones and we will scrap this current implementation
> altogether.

Good afternoon, Steven

I got up this morning and decided to try to do something about this issue. Please try revision 6344; the releasenotes.txt file explains what I did.

Thanks!

-Tom
On Monday 14 May 2007 15:52, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> If interface entry:
> >>
> >> lan eth0 -
> >>
> >> is defined, it is possible to issue command:
> >>
> >> shorewall delete eth0 lan
> >>
> >> While this does not change the iptables rules, it does remove eth0 from
> >> /var/lib/shorewall/zones
> >>
> >> Command:
> >>
> >> shorewall show zones
> >>
> >> displays lan (ipv4) without an interface.
> >>
> >> I don't know if this could cause any issues.
> >
> > I don't think that it can (other than messing up 'shorewall show zones')
> > and I don't believe that I'll try to do anything about this. Once ipsets
> > are included in standard kernels, they provide a much better way to
> > implement dynamic zones and we will scrap this current implementation
> > altogether.
>
> Good afternoon, Steven
>
> I got up this morning and decided to try to do something about this issue.
> Please try revision 6344; the releasenotes.txt file explains what I did.
>
> Thanks!
>
> -Tom

Good morning Tom,

Revision 6344 prevents the deletion of a permanent interface from a zone. However I can add an interface that duplicates the permanent interface, e.g. with interface entry:

lan eth0 -

I can now issue command:

shorewall add eth0 lan

/var/lib/shorewall/zones now contains:

lan eth0:0.0.0.0/0 +eth0:0.0.0.0/0

If I try to delete eth0 from lan with the following command:

shorewall delete eth0 lan

I get a message saying eth0 is a permanent member of zone lan and it isn't deleted.

Steven.
Steven Jan Springl wrote:
> On Monday 14 May 2007 15:52, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> If interface entry:
>>>>
>>>> lan eth0 -
>>>>
>>>> is defined, it is possible to issue command:
>>>>
>>>> shorewall delete eth0 lan
>>>>
>>>> While this does not change the iptables rules, it does remove eth0 from
>>>> /var/lib/shorewall/zones
>>>>
>>>> Command:
>>>>
>>>> shorewall show zones
>>>>
>>>> displays lan (ipv4) without an interface.
>>>>
>>>> I don't know if this could cause any issues.
>>> I don't think that it can (other than messing up 'shorewall show zones')
>>> and I don't believe that I'll try to do anything about this. Once ipsets
>>> are included in standard kernels, they provide a much better way to
>>> implement dynamic zones and we will scrap this current implementation
>>> altogether.
>> Good afternoon, Steven
>>
>> I got up this morning and decided to try to do something about this issue.
>> Please try revision 6344; the releasenotes.txt file explains what I did.
>>
>> Thanks!
>>
>> -Tom
>
> Good morning Tom,
>
> Revision 6344 prevents the deletion of a permanent interface from a zone.
> However I can add an interface that duplicates the permanent interface, e.g.
> with interface entry:
>
> lan eth0 -
>
> I can now issue command:
>
> shorewall add eth0 lan
>
> /var/lib/shorewall/zones now contains:
>
> lan eth0:0.0.0.0/0 +eth0:0.0.0.0/0
>
> If I try to delete eth0 from lan with the following command:
> shorewall delete eth0 lan
>
> I get a message saying eth0 is a permanent member of zone lan
> and it isn't deleted.

Corrected in revision 6345.

Thanks,
-Tom
Tom

zone entry:

vpn ipsec

generates an iptables rule with a missing white space between 84.45.199.3 and -m :

-A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j DNAT --to-destination 192.168.0.3

Steven.
Steven Jan Springl wrote:
> Tom
>
> zone entry:
>
> vpn ipsec
>
> generates an iptables rule with a missing white space between 84.45.199.3
> and -m :
>
> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j
> DNAT --to-destination 192.168.0.3

Steven,

What is generating the DNAT rule?

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> zone entry:
>>
>> vpn ipsec
>>
>> generates an iptables rule with a missing white space between 84.45.199.3
>> and -m :
>>
>> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j
>> DNAT --to-destination 192.168.0.3
>
> Steven,
>
> What is generating the DNAT rule?
>

I think I found it -- please try 6346.

Thanks, Steven

-Tom
On Monday 14 May 2007 20:12, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> zone entry:
> >>
> >> vpn ipsec
> >>
> >> generates an iptables rule with a missing white space between
> >> 84.45.199.3 and -m :
> >>
> >> -A OUTPUT -d 84.45.199.3-m policy --pol none --dir out -j
> >> DNAT --to-destination 192.168.0.3
> >
> > Steven,
> >
> > What is generating the DNAT rule?
>
> I think I found it -- please try 6346.
>
> Thanks, Steven
>
> -Tom

Tom

That's fixed it.

Steven.
Tom

With zone entry:

vpn ipsec

when I issue command:

shorewall add eth0 vpn

the following messages are generated:

iptables v1.3.6: Couldn't load target `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn't load target `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn't load target `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn't load target `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
iptables v1.3.6: Couldn't load target `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn

Steven.
On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
> Tom
>
> With zone entry:
>
> vpn ipsec
>
> when I issue command:
>
> shorewall add eth0 vpn
>
> the following messages are generated:
>
> iptables v1.3.6: Couldn't load target
> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn't load target
> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn't load target
> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn't load target
> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> iptables v1.3.6: Couldn't load target
> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object file:
> No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>

I believe this is fixed in revision 6348.

Thanks, Steven

-Tom
On Monday 14 May 2007 22:33, Tom Eastep wrote:
> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > With zone entry:
> >
> > vpn ipsec
> >
> > when I issue command:
> >
> > shorewall add eth0 vpn
> >
> > the following messages are generated:
> >
> > iptables v1.3.6: Couldn't load target
> > `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
> > file: No such file or directory
> >
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn't load target
> > `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
> > file: No such file or directory
> >
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn't load target
> > `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
> > file: No such file or directory
> >
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn't load target
> > `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
> > file: No such file or directory
> >
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
> > iptables v1.3.6: Couldn't load target
> > `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
> > file: No such file or directory
> >
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>
> I believe this is fixed in revision 6348.
>
> Thanks, Steven
>
> -Tom

Tom

Revision 6348 has fixed that problem, however there is another issue.

It now seems that it is only possible to add 1 dynamic entry.

Zones entries:

fw firewall
lan ipv4
wan ipv4
dmz ipv4
tst ipv4
vpn ipsec

Interfaces entries:

lan eth0
wan eth1
dmz eth2

If I now issue the following commands:

shorewall start
shorewall add eth0 dmz (this works)
shorewall add eth0 vpn (this produces the following messages)

iptables: No chain/target/match by that name
ERROR: Can't add eth0:0.0.0.0/0 to zone vpn

Despite these messages eth0 has been added to both dmz and vpn zones in /var/lib/shorewall/zones.

If I now change the order in which eth0 is added to zones dmz and vpn:

shorewall clear
shorewall start
shorewall add eth0 vpn (this works)
shorewall add eth0 dmz (this now fails with the same message as above)

This problem seems to happen no matter which interfaces I try to add to any 2 or more zones.

Steven.
Steven Jan Springl wrote:
> On Monday 14 May 2007 22:33, Tom Eastep wrote:
>> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
>>> Tom
>>>
>>> With zone entry:
>>>
>>> vpn ipsec
>>>
>>> when I issue command:
>>>
>>> shorewall add eth0 vpn
>>>
>>> the following messages are generated:
>>>
>>> iptables v1.3.6: Couldn't load target
>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn't load target
>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn't load target
>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn't load target
>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>> iptables v1.3.6: Couldn't load target
>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>> file: No such file or directory
>>>
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>> I believe this is fixed in revision 6348.
>>
>> Thanks, Steven
>>
>> -Tom
>
> Tom
>
> Revision 6348 has fixed that problem, however there is another issue.
>
> It now seems that it is only possible to add 1 dynamic entry.
>
> Zones entries:
>
> fw firewall
> lan ipv4
> wan ipv4
> dmz ipv4
> tst ipv4
> vpn ipsec
>
> Interfaces entries:
>
> lan eth0
> wan eth1
> dmz eth2
>
> If I now issue the following commands:
>
> shorewall start
> shorewall add eth0 dmz (this works)
> shorewall add eth0 vpn (this produces the following messages)
>
> iptables: No chain/target/match by that name
> ERROR: Can't add eth0:0.0.0.0/0 to zone vpn
>
> Despite these messages eth0 has been added to both dmz and vpn zones
> in /var/lib/shorewall/zones.
>
> If I now change the order in which eth0 is added to zones dmz and vpn:
>
> shorewall clear
> shorewall start
> shorewall add eth0 vpn (this works)
> shorewall add eth0 dmz (this now fails with the same message as above)
>
> This problem seems to happen no matter which interfaces I try to add to any 2
> or more zones.

Wow -- that uncovered a can of worms. I think it's all sorted out in 6352.

-Tom
On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Monday 14 May 2007 22:33, Tom Eastep wrote:
>>> On Mon, 2007-05-14 at 22:15 +0100, Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> With zone entry:
>>>>
>>>> vpn ipsec
>>>>
>>>> when I issue command:
>>>>
>>>> shorewall add eth0 vpn
>>>>
>>>> the following messages are generated:
>>>>
>>>> iptables v1.3.6: Couldn't load target
>>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>>> iptables v1.3.6: Couldn't load target
>>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>>> iptables v1.3.6: Couldn't load target
>>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>>> iptables v1.3.6: Couldn't load target
>>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>>> iptables v1.3.6: Couldn't load target
>>>> `vpn_frwd':/lib/iptables/libipt_vpn_frwd.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Can't add +eth0:0.0.0.0/0 to zone vpn
>>>
>>> I believe this is fixed in revision 6348.
>>>
>>> Thanks, Steven
>>>
>>> -Tom
>>
>> Tom
>>
>> Revision 6348 has fixed that problem, however there is another issue.
>>
>> It now seems that it is only possible to add 1 dynamic entry.
>>
>> Zones entries:
>>
>> fw firewall
>> lan ipv4
>> wan ipv4
>> dmz ipv4
>> tst ipv4
>> vpn ipsec
>>
>> Interfaces entries:
>>
>> lan eth0
>> wan eth1
>> dmz eth2
>>
>> If I now issue the following commands:
>>
>> shorewall start
>> shorewall add eth0 dmz (this works)
>> shorewall add eth0 vpn (this produces the following messages)
>>
>> iptables: No chain/target/match by that name
>> ERROR: Can't add eth0:0.0.0.0/0 to zone vpn
>>
>> Despite these messages eth0 has been added to both dmz and vpn zones
>> in /var/lib/shorewall/zones.
>>
>> If I now change the order in which eth0 is added to zones dmz and vpn:
>>
>> shorewall clear
>> shorewall start
>> shorewall add eth0 vpn (this works)
>> shorewall add eth0 dmz (this now fails with the same message as above)
>>
>> This problem seems to happen no matter which interfaces I try to add to
>> any 2 or more zones.
>
> Wow -- that uncovered a can of worms. I think it's all sorted out in 6352.
>
> -Tom

Tom

Yes, that seems to have fixed the problem.

Steven.
Steven Jan Springl wrote:
> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>> Wow -- that uncovered a can of worms. I think it's all sorted out in 6352.
>>
>> -Tom
>
> Tom
>
> Yes, that seems to have fixed the problem.
>

Thanks, Steven!

-Tom
On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>> Wow -- that uncovered a can of worms. I think it's all sorted out in
>>> 6352.
>>>
>>> -Tom
>>
>> Tom
>>
>> Yes, that seems to have fixed the problem.
>
> Thanks, Steven!
>
> -Tom

Good morning Tom.

WARNING..... drink two large, strong cups of coffee before continuing.

Yesterday you mentioned a can of worms, I think it might be back.

Zones:

fw firewall
lan ipv4
wan ipv4
dmz ipv4
tst:wan,lan,dmz ipv4
vpn ipsec

Interfaces:

lan eth0
wan eth1
- eth2

Hosts:

dmz eth2:!10.0.0.0/8

When the following commands are issued:

shorewall start
shorewall add eth2 10.0.0.0/8 tst

the following messages are produced:

iptables v1.3.6: host/network `exclude' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth2:10.0.0.0/8 to zone tst

iptables v1.3.6: host/network `exclude' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth2:10.0.0.0/8 to zone tst

Steven.
Tom Eastep wrote:
> Andras Sarkozy wrote:
>> Hi Tom,
>>
>> Using the latest distribution (and the latest SVN 6342) Shorewall-perl has a few problems:
>>
>> 1. The providers file chokes on the gateway address (works if it is "detect" or "-"):
>>
>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS  COPY
>> BDSL    1       256   main       ppp1       detect      track    eth0,eth3
>> ADSL    2       512   main       ppp0       -           track    eth0,eth3
>> CABLE   3       1024  main       eth4       84.3.248.1  track    eth0,eth3
>>
>> Can't call method "validate_address" without a package or object reference at /usr/share/shorewall-perl/Shorewall/Providers.pm line 190, <$currentfile> line 16.
>>
>> 2. It doesn't accept the ports field if it is a comma separated list in the tcrules (works with single port or port range):
>>
>> #MARK  SOURCE     DEST       PROTO  DEST       SOURCE  USER  TEST  LENGTH  TOS
>> 3      0.0.0.0/0  0.0.0.0/0  tcp    smtp,pop3
>>
>> Checking /etc/shorewall/tcrules...
>> ERROR: Invalid/Unknown port/service (smtp,pop3) : /etc/shorewall/tcrules ( line 21 )
>
> I couldn't reproduce that one.
>
>> or:
>>
>> 3      0.0.0.0/0  0.0.0.0/0  tcp    -          25,110
>>
>> Checking /etc/shorewall/tcrules...
>> ERROR: Invalid/Unknown port/service (25,110) : /etc/shorewall/tcrules ( line 22 )
>
> But this one occurred in any file when the DEST PORT(S) column is '-' and a
> port list was given in the SOURCE PORT(S) column.
>
> At any rate, the problems are corrected in revision 6343.
>
> -Tom

Hi Tom,

Yes - it fixed both problems!

Thank you,
Andras
Steven Jan Springl wrote:
> On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>>> Wow -- that uncovered a can of worms. I think it's all sorted out in
>>>> 6352.
>>>>
>>>> -Tom
>>>
>>> Tom
>>>
>>> Yes, that seems to have fixed the problem.
>>
>> Thanks, Steven!
>>
>> -Tom
>
> Good morning Tom.
>
> WARNING..... drink two large, strong cups of coffee before continuing.
>
> Yesterday you mentioned a can of worms, I think it might be back.
>
> Zones:
>
> fw firewall
> lan ipv4
> wan ipv4
> dmz ipv4
> tst:wan,lan,dmz ipv4
> vpn ipsec
>
> Interfaces:
>
> lan eth0
> wan eth1
> - eth2
>
> Hosts:
>
> dmz eth2:!10.0.0.0/8
>
> When the following commands are issued:
>
> shorewall start
> shorewall add eth2 10.0.0.0/8 tst
>
> the following messages are produced:
>
> iptables v1.3.6: host/network `exclude' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth2:10.0.0.0/8 to zone tst
>
> iptables v1.3.6: host/network `exclude' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth2:10.0.0.0/8 to zone tst

Good afternoon, Steven.

Please try revision 6354. It worked in the limited test that I did.

-Tom
On Tuesday 15 May 2007 15:06, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>>>> Wow -- that uncovered a can of worms. I think it's all sorted out in
>>>>> 6352.
>>>>>
>>>>> -Tom
>>>>
>>>> Tom
>>>>
>>>> Yes, that seems to have fixed the problem.
>>>
>>> Thanks, Steven!
>>>
>>> -Tom
>>
>> Good morning Tom.
>>
>> WARNING..... drink two large, strong cups of coffee before continuing.
>>
>> Yesterday you mentioned a can of worms, I think it might be back.
>>
>> Zones:
>>
>> fw firewall
>> lan ipv4
>> wan ipv4
>> dmz ipv4
>> tst:wan,lan,dmz ipv4
>> vpn ipsec
>>
>> Interfaces:
>>
>> lan eth0
>> wan eth1
>> - eth2
>>
>> Hosts:
>>
>> dmz eth2:!10.0.0.0/8
>>
>> When the following commands are issued:
>>
>> shorewall start
>> shorewall add eth2 10.0.0.0/8 tst
>>
>> the following messages are produced:
>>
>> iptables v1.3.6: host/network `exclude' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Can't add eth2:10.0.0.0/8 to zone tst
>>
>> iptables v1.3.6: host/network `exclude' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Can't add eth2:10.0.0.0/8 to zone tst
>
> Good afternoon, Steven.
>
> Please try revision 6354. It worked in the limited test that I did.
>
> -Tom

Tom

Revision 6354 hasn't worked. I still get the above errors.

I have attached my configuration.

Steven.
Steven Jan Springl wrote:
> On Tuesday 15 May 2007 15:06, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Tuesday 15 May 2007 01:03, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Tuesday 15 May 2007 00:15, Tom Eastep wrote:
>>>>>> Wow -- that uncovered a can of worms. I think it's all sorted out in
>>>>>> 6352.
>>>>>>
>>>>>> -Tom
>>>>>
>>>>> Tom
>>>>>
>>>>> Yes, that seems to have fixed the problem.
>>>>
>>>> Thanks, Steven!
>>>>
>>>> -Tom
>>>
>>> Good morning Tom.
>>>
>>> WARNING..... drink two large, strong cups of coffee before continuing.
>>>
>>> Yesterday you mentioned a can of worms, I think it might be back.
>>>
>>> Zones:
>>>
>>> fw firewall
>>> lan ipv4
>>> wan ipv4
>>> dmz ipv4
>>> tst:wan,lan,dmz ipv4
>>> vpn ipsec
>>>
>>> Interfaces:
>>>
>>> lan eth0
>>> wan eth1
>>> - eth2
>>>
>>> Hosts:
>>>
>>> dmz eth2:!10.0.0.0/8
>>>
>>> When the following commands are issued:
>>>
>>> shorewall start
>>> shorewall add eth2 10.0.0.0/8 tst
>>>
>>> the following messages are produced:
>>>
>>> iptables v1.3.6: host/network `exclude' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add eth2:10.0.0.0/8 to zone tst
>>>
>>> iptables v1.3.6: host/network `exclude' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Can't add eth2:10.0.0.0/8 to zone tst
>>
>> Good afternoon, Steven.
>>
>> Please try revision 6354. It worked in the limited test that I did.
>>
>> -Tom
>
> Tom
>
> Revision 6354 hasn't worked. I still get the above errors.
>
> I have attached my configuration.

Steven,

Please forward a trace of the failure -- your configuration looks basically
the same as mine so I don't understand why you are still seeing failures.

-Tom
Tom Eastep wrote:
>
> Please forward a trace of the failure -- your configuration looks basically
> the same as mine so I don't understand why you are still seeing failures.
>

Never mind -- I found the key difference between our configurations. I've
confirmed that 6355 fixes the problem.

-Tom
On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
> Tom Eastep wrote:
>> Please forward a trace of the failure -- your configuration looks
>> basically the same as mine so I don't understand why you are still seeing
>> failures.
>
> Never mind -- I found the key difference between our configurations. I've
> confirmed that 6355 fixes the problem.
>
> -Tom

Tom

I have tried numerous different configurations with no further problems found.

Steven.
Steven Jan Springl wrote:
> On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Please forward a trace of the failure -- your configuration looks
>>> basically the same as mine so I don't understand why you are still seeing
>>> failures.
>>
>> Never mind -- I found the key difference between our configurations. I've
>> confirmed that 6355 fixes the problem.
>>
>> -Tom
>
> Tom
>
> I have tried numerous different configurations with no further problems found.
>

Thanks, Steven.

-Tom
Tom Eastep wrote on 15/05/2007 15:28:35:
> Steven Jan Springl wrote:
>> On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Please forward a trace of the failure -- your configuration looks
>>>> basically the same as mine so I don't understand why you are still seeing
>>>> failures.
>>>
>>> Never mind -- I found the key difference between our configurations. I've
>>> confirmed that 6355 fixes the problem.
>>>
>>> -Tom
>>
>> Tom
>>
>> I have tried numerous different configurations with no further problems found.
>
> Thanks, Steven.
>
> -Tom

Does this mean we're ready to go?

I'm in the process of installing 3 new boxen with shorewall - Should I
stay on 3.4.x or may I step into 3.9.xx?

Steve, Thanks for all the great work you are doing for the community.

tia,

--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606
On Tuesday 15 May 2007 19:53, Eduardo Ferreira wrote:
> Tom Eastep wrote on 15/05/2007 15:28:35:
>> Steven Jan Springl wrote:
>>> On Tuesday 15 May 2007 17:09, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Please forward a trace of the failure -- your configuration looks
>>>>> basically the same as mine so I don't understand why you are still
>>>>> seeing failures.
>>>>
>>>> Never mind -- I found the key difference between our configurations.
>>>> I've confirmed that 6355 fixes the problem.
>>>>
>>>> -Tom
>>>
>>> Tom
>>>
>>> I have tried numerous different configurations with no further
>>> problems found.
>>
>> Thanks, Steven.
>>
>> -Tom
>
> Does this mean we're ready to go?
>
> I'm in the process of installing 3 new boxen with shorewall - Should I
> stay on 3.4.x or may I step into 3.9.xx?
>
> Steve, Thanks for all the great work you are doing for the community.
>
> tia,
>
> --
> Eduardo Ferreira
> Icatu Holding S.A.
> (21) 3804-8606

Tia

Stay on 3.4 for production machines. I was referring to the 'shorewall add'
command only.

Steven.
Steve wrote on 15/05/2007 16:12:17:
>
> Stay on 3.4 for production machines. I was referring to the 'shorewall add'
> command only.
>

But what is not tested yet? I've followed your tests and, from what I
could remember, you've already tested zones, interfaces, hosts, policy,
rules, accounting, nat, masq, mac - and now dynamic zones. For my
configurations, it is almost all that I need.

Thanks In Advance,

--
Eduardo Ferreira
Tom

The 'shorewall dump -m' command, as documented on the man shorewall page, just
displays the shorewall menu.

Steven.
On Tuesday 15 May 2007 20:18, Eduardo Ferreira wrote:
> Steve wrote on 15/05/2007 16:12:17:
>> Stay on 3.4 for production machines. I was referring to the 'shorewall
>> add' command only.
>
> But what is not tested yet? I've followed your tests and, from what I
> could remember, you've already tested zones, interfaces, hosts, policy,
> rules, accounting, nat, masq, mac - and now dynamic zones. For my
> configurations, it is almost all that I need.
>
> Thanks In Advance,
>
> --
> Eduardo Ferreira
> Icatu Holding S.A.
> (21) 3804-8606

Edward

Firstly sorry for getting your name wrong before.

The testing that I have done so far has been very limited. I have been trying
to break shorewall by whatever means possible. With the exception of last
weekend, I had not tried to construct any real firewall scenarios. Those that
I had constructed were very simple, the type you might find in a domestic
environment. I manually inspected the iptables rules and subjected just one
configuration to a port scan.

The PC that I used for the test has just one NIC card, which means that none of
the configurations has been subject to any 'proper' testing in a live
environment.

Additionally, I have not tested VPN, tunnels, providers, or traffic shaping. I
have no experience in using those features.

In short, shorewall 3.9 needs considerably more testing before I would advise
anybody to use it in a production environment.

Steven.
Steven Jan Springl wrote:
> Tom
>
> The 'shorewall dump -m' command, as documented on the man shorewall page, just
> displays the shorewall menu.

Steven,

The 'lib.cli' from revision 6360 corrects this problem.

Thanks,
-Tom
Steven Jan Springl wrote:
>
> In short, shorewall 3.9 needs considerably more testing before I would advise
> anybody to use it in a production environment.

I second that. Once Steven has completed his testing of the /sbin/shorewall
command set, I'll produce the first 4.0.0 Beta. I am expecting the Beta period
to last throughout the summer.

-Tom
Tom Eastep wrote on 15/05/2007 16:59:34:
> Steven Jan Springl wrote:
>>
>> In short, shorewall 3.9 needs considerably more testing before I would advise
>> anybody to use it in a production environment.
>
> I second that. Once Steven has completed his testing of the /sbin/shorewall
> command set, I'll produce the first 4.0.0 Beta. I am expecting the Beta
> period to last throughout the summer.
>
> -Tom

Ok, I've been testing it with my production configurations and, for what I
could see, it was creating a fairly good iptables-restore script. But I
didn't test any of those features too, as I don't really have any use for
them now - I use OpenVPN and PPTP but I'd like it better if I put the rules
directly into the rules file than declare a tunnel in the tunnels file (just
an idiosyncrasy of mine :).

Anyway, I'll stick with the old (and slowwwwwwwwwwww) 3.4.x series for now.
Tom

Command:

shorewall check -e -C shell

works.

Command:

shorewall check -e -C perl

produces message:

ERROR: the -e flag requires a capabilities file

There is a capabilities file in /etc/shorewall.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Command:
>
> shorewall check -e -C shell
>
> works.
>
> Command:
>
> shorewall check -e -C perl
>
> produces message:
>
> ERROR: the -e flag requires a capabilities file
>
> There is a capabilities file in /etc/shorewall.

Are you running as root or an ordinary user? And if running as an ordinary
user, is /etc/shorewall/capabilities readable by the ordinary user?

-Tom
On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Command:
>>
>> shorewall check -e -C shell
>>
>> works.
>>
>> Command:
>>
>> shorewall check -e -C perl
>>
>> produces message:
>>
>> ERROR: the -e flag requires a capabilities file
>>
>> There is a capabilities file in /etc/shorewall.
>
> Are you running as root or an ordinary user? And if running as an
> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
> user?
>
> -Tom

Tom

I am running as root.

Steven.
Steven Jan Springl wrote:
> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Command:
>>>
>>> shorewall check -e -C shell
>>>
>>> works.
>>>
>>> Command:
>>>
>>> shorewall check -e -C perl
>>>
>>> produces message:
>>>
>>> ERROR: the -e flag requires a capabilities file
>>>
>>> There is a capabilities file in /etc/shorewall.
>>
>> Are you running as root or an ordinary user? And if running as an
>> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
>> user?
>>
>> -Tom
>
> Tom
>
> I am running as root.

Steven,

I'll have to think about this. Exporting your /etc/shorewall configuration
makes no sense at all but I want to consider the tradeoffs.

-Tom
On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Command:
>>>>
>>>> shorewall check -e -C shell
>>>>
>>>> works.
>>>>
>>>> Command:
>>>>
>>>> shorewall check -e -C perl
>>>>
>>>> produces message:
>>>>
>>>> ERROR: the -e flag requires a capabilities file
>>>>
>>>> There is a capabilities file in /etc/shorewall.
>>>
>>> Are you running as root or an ordinary user? And if running as an
>>> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
>>> user?
>>>
>>> -Tom
>>
>> Tom
>>
>> I am running as root.
>
> Steven,
>
> I'll have to think about this. Exporting your /etc/shorewall
> configuration makes no sense at all but I want to consider the tradeoffs.
>
> -Tom

Tom

I have just tried:

shorewall check -e -C perl /etc/shorewall

and that works.

Steven
Steven Jan Springl wrote:
> On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Command:
>>>>>
>>>>> shorewall check -e -C shell
>>>>>
>>>>> works.
>>>>>
>>>>> Command:
>>>>>
>>>>> shorewall check -e -C perl
>>>>>
>>>>> produces message:
>>>>>
>>>>> ERROR: the -e flag requires a capabilities file
>>>>>
>>>>> There is a capabilities file in /etc/shorewall.
>>>>
>>>> Are you running as root or an ordinary user? And if running as an
>>>> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
>>>> user?
>>>>
>>>> -Tom
>>>
>>> Tom
>>>
>>> I am running as root.
>>
>> Steven,
>>
>> I'll have to think about this. Exporting your /etc/shorewall
>> configuration makes no sense at all but I want to consider the tradeoffs.
>>
>> -Tom
>
> Tom
>
> I have just tried:
>
> shorewall check -e -C perl /etc/shorewall
>
> and that works.

Yes. When you specify -e and don't specify CONFIG_PATH in
/etc/shorewall/shorewall.conf, the compiler sets CONFIG_PATH such that it
doesn't include /etc/shorewall. By adding '/etc/shorewall' to the command
line, you insert that directory at the front of CONFIG_PATH.

-Tom
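An added illustration (not Shorewall's own code) of the CONFIG_PATH behaviour Tom describes above: with -e and no CONFIG_PATH set, /etc/shorewall drops out of the search path, so the capabilities file there is never found; naming the directory on the command line puts it back at the front. The function names and the DEMO_ROOT scratch prefix are assumptions made for this example.

```shell
#!/bin/sh
# Model of the compiler's CONFIG_PATH search as explained in the reply above.
# This is added example code, not Shorewall's implementation. DEMO_ROOT is a
# constructed prefix so the demo runs in a scratch tree instead of the real /etc.

# build_config_path EXPORT SETTING [DIRECTORY]
#   EXPORT     "yes" when the -e flag was given, otherwise "no"
#   SETTING    the CONFIG_PATH value from shorewall.conf ("" when unset)
#   DIRECTORY  optional configuration directory named on the command line
# Prints the resulting colon-separated search path.
build_config_path() {
    export_flag=$1
    setting=$2
    directory=$3

    if [ -n "$setting" ]; then
        path=$setting
    elif [ "$export_flag" = yes ]; then
        # -e with no explicit CONFIG_PATH: /etc/shorewall is left out, since
        # the compiled output is meant to be exported, not run from this box.
        path=${DEMO_ROOT}/usr/share/shorewall
    else
        path=${DEMO_ROOT}/etc/shorewall:${DEMO_ROOT}/usr/share/shorewall
    fi

    # A directory given on the command line goes to the front of the path.
    if [ -n "$directory" ]; then
        path=$directory:$path
    fi
    printf '%s\n' "$path"
}

# find_in_config_path FILE SEARCH_PATH
#   Prints the first SEARCH_PATH entry holding FILE; returns 1 if none does.
find_in_config_path() {
    file=$1
    search=$2
    old_ifs=$IFS
    IFS=:
    set -- $search          # split the path on ':' (intended word splitting)
    IFS=$old_ifs
    for dir in "$@"; do
        if [ -f "$dir/$file" ]; then
            printf '%s\n' "$dir/$file"
            return 0
        fi
    done
    return 1
}

# Constructed scratch tree standing in for the real filesystem.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/etc/shorewall" "$DEMO_ROOT/usr/share/shorewall"
: > "$DEMO_ROOT/etc/shorewall/capabilities"

# 'shorewall check -e -C perl' with no CONFIG_PATH in shorewall.conf ...
without_dir=$(build_config_path yes "")
# ... and the same command with /etc/shorewall added on the command line.
with_dir=$(build_config_path yes "" "$DEMO_ROOT/etc/shorewall")

for search in "$without_dir" "$with_dir"; do
    if found=$(find_in_config_path capabilities "$search"); then
        echo "CONFIG_PATH=$search -> using $found"
    else
        echo "CONFIG_PATH=$search -> ERROR: the -e flag requires a capabilities file"
    fi
done

rm -rf "$DEMO_ROOT"
unset DEMO_ROOT
```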
On Wednesday 16 May 2007 02:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Wednesday 16 May 2007 02:44, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> On Wednesday 16 May 2007 02:24, Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> Command:
>>>>>>
>>>>>> shorewall check -e -C shell
>>>>>>
>>>>>> works.
>>>>>>
>>>>>> Command:
>>>>>>
>>>>>> shorewall check -e -C perl
>>>>>>
>>>>>> produces message:
>>>>>>
>>>>>> ERROR: the -e flag requires a capabilities file
>>>>>>
>>>>>> There is a capabilities file in /etc/shorewall.
>>>>>
>>>>> Are you running as root or an ordinary user? And if running as an
>>>>> ordinary user, is /etc/shorewall/capabilities readable by the ordinary
>>>>> user?
>>>>>
>>>>> -Tom
>>>>
>>>> Tom
>>>>
>>>> I am running as root.
>>>
>>> Steven,
>>>
>>> I'll have to think about this. Exporting your /etc/shorewall
>>> configuration makes no sense at all but I want to consider the
>>> tradeoffs.
>>>
>>> -Tom
>>
>> Tom
>>
>> I have just tried:
>>
>> shorewall check -e -C perl /etc/shorewall
>>
>> and that works.
>
> Yes. When you specify -e and don't specify CONFIG_PATH in
> /etc/shorewall/shorewall.conf, the compiler sets CONFIG_PATH such that
> it doesn't include /etc/shorewall. By adding '/etc/shorewall' to the
> command line, you insert that directory at the front of CONFIG_PATH.
>
> -Tom

Tom

In shorewall.conf I have:

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

Steven.
Steven Jan Springl wrote:
> Tom
>
> In shorewall.conf I have:
>
> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>

Okay. Please don't wait for a response tonight -- I'm eating dinner right now
and I need to understand how to separate -e from (user !root) in the code.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> In shorewall.conf I have:
>>
>> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>>
>
> Okay. Please don't wait for a response tonight -- I'm eating dinner right now and I need to understand how to separate -e from (user !root) in the code.

I think I've got it sorted in revision 6368 -- see what you think.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>
>>> Tom
>>>
>>> In shorewall.conf I have:
>>>
>>> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
>>>
>> Okay. Please don't wait for a response tonight -- I'm eating dinner right now and I need to understand how to separate -e from (user !root) in the code.
>
> I think I've got it sorted in revision 6368 -- see what you think.

Correction -- make that 6369.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Steven Jan Springl wrote:
> ...
>> As my testing over the last few days has largely been unproductive, is there any area of shorewall that you would like me to concentrate my testing on?
>>
> ...
> Thanks again Steven for your intrepid testing efforts. Shorewall 3.9 is a much better product than it would have been without your contribution.

I'd also like to offer my thanks to Steven. Your testing efforts are greatly appreciated.

--
Paul <http://paulgear.webhop.net>
--
Did you know? The major music labels and on-line stores want to limit your rights to listen to music you have legitimately purchased. Find out more: http://iownmymusic.org/
On Wednesday 16 May 2007 04:44, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> In shorewall.conf I have:
> >>>
> >>> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> >>
> >> Okay. Please don't wait for a response tonight -- I'm eating dinner right now and I need to understand how to separate -e from (user !root) in the code.
> >
> > I think I've got it sorted in revision 6368 -- see what you think.
>
> Correction -- make that 6369.
>
> -Tom

Good morning Tom.

That's fixed it.

I have tested it with:

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
CONFIG_PATH

and with CONFIG_PATH commented out. I have tested it specifying a directory on the 'shorewall check' command. I have also tested it as root and as a non-root user.

Steven.
Tom

When a 'shorewall export -C .... ' command is issued, the -C parameter is ignored. The value of SHOREWALL_COMPILER is always used.

Steven.
Tom

When I issue the command:

shorewall safe-start

then reply 'n' to:

Do you want to accept the new firewall configuration? [y/n]

the following error is displayed:

/var/lib/shorewall/.start: line 435: run_clear_exit: command not found

Steven.
Steven Jan Springl wrote:
> Tom
>
> When a 'shorewall export -C .... ' command is issued, the -C parameter is ignored. The value of SHOREWALL_COMPILER is always used.
>

Good afternoon, Steven.

This is fixed in revision 6372.

Thanks,
-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Steven Jan Springl wrote:
> Tom
>
> When I issue the command:
>
> shorewall safe-start
>
> then reply 'n' to:
>
> Do you want to accept the new firewall configuration? [y/n]
>
> the following error is displayed:
>
> /var/lib/shorewall/.start: line 435: run_clear_exit: command not found
>

Should be fixed in revision 6373.

Thanks, Steven.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 16 May 2007 16:13, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When I issue the command:
> >
> > shorewall safe-start
> >
> > then reply 'n' to:
> >
> > Do you want to accept the new firewall configuration? [y/n]
> >
> > the following error is displayed:
> >
> > /var/lib/shorewall/.start: line 435: run_clear_exit: command not found
>
> Should be fixed in revision 6373.
>
> Thanks, Steven.
>
> -Tom

Tom

Yes, it's fixed.

Steven.
Tom

Some documentation anomalies.

In the 'Starting and stopping Shorewall' document:

The syntax for safe-start and safe-restart is listed as:

shorewall safe-start [ <filename> ]
shorewall safe-restart [ <filename> ]

however both commands use a configuration directory and not a filename.

The description of the safe-restart command states that it is only valid if Shorewall is running. This is not the case; a safe-restart can be issued when Shorewall is stopped.

In the shorewall man page under both the check and compile commands, the following command:

shorewall-lite show -f capabilities > capabities

incorrectly specifies the name of the capabilities file that needs to be created.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Some documentation anomalies.
>
> In the 'Starting and stopping Shorewall' document:
>
> The syntax for safe-start and safe-restart is listed as:
>
> shorewall safe-start [ <filename> ]
> shorewall safe-restart [ <filename> ]
>
> however both commands use a configuration directory and not a filename.
>
> The description of the safe-restart command states that it is only valid if Shorewall is running. This is not the case; a safe-restart can be issued when Shorewall is stopped.
>
> In the shorewall man page under both the check and compile commands, the following command:
>
> shorewall-lite show -f capabilities > capabities
>
> incorrectly specifies the name of the capabilities file that needs to be created.

Thanks, Steven. I've corrected these documentation errors.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom

The documentation states that with shorewall-perl a 'shorewall refresh' command is synonymous with 'shorewall restart'. There are two exceptions to this:

When Shorewall is stopped a 'shorewall restart' command can be used to start it, but a 'shorewall refresh' command cannot be used.

A directory can be specified on a 'shorewall restart' command; it cannot be specified on a 'shorewall refresh' command.

Steven.
Tom

Issuing command:

shorewall ipdecimal

produces the following error:

/usr/share/shorewall/lib.base: line 441: & 255: syntax error: operand expected (error token is "& 255")

Steven.
Steven Jan Springl wrote:
> Tom
>
> Issuing command:
>
> shorewall ipdecimal
>
> produces the following error:
>
> /usr/share/shorewall/lib.base: line 441: & 255: syntax error: operand expected (error token is "& 255")

Corrected in 6378.

Thanks, Steven.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 16 May 2007 23:17, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Issuing command:
> >
> > shorewall ipdecimal
> >
> > produces the following error:
> >
> > /usr/share/shorewall/lib.base: line 441: & 255: syntax error: operand expected (error token is "& 255")
>
> Corrected in 6378.
>
> Thanks, Steven.
>
> -Tom

Tom

That's worked.

I have just realised the problem also occurs with shorewall-lite.

Steven.
Steven Jan Springl wrote:
>
> Tom
>
> That's worked.
>
> I have just realised the problem also occurs with shorewall-lite.

Shorewall-lite is corrected in 6379.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
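The "operand expected (error token is "& 255")" message in this exchange is the form bash prints when the left-hand operand of `&` inside `$(( ... ))` expands to nothing, for instance an unset or empty variable reaching the arithmetic. The block below is an added example and is not Shorewall's own lib.base code: a POSIX sh dotted-quad/decimal converter, with the function names `ip_to_decimal` and `decimal_to_ip` assumed here, that validates its argument before any arithmetic, so a missing or malformed value produces a clean non-zero return instead of a shell syntax error.

```shell
#!/bin/sh
# Added example (not Shorewall's lib.base): IPv4 dotted-quad <-> 32-bit decimal,
# with the input checked before it is handed to $(( ... )). Function names are
# assumed for this example.

# ip_to_decimal A.B.C.D -> prints the 32-bit decimal value; returns 1 on bad input.
ip_to_decimal() {
    ip="$1"
    # Reject anything other than digits and dots, and malformed dot placement.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots into positional parameters; must be exactly four groups.
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Leading zeros would be read as octal by the arithmetic expansion.
        case "$octet" in 0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    # Only now are the operands known to be non-empty numbers.
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# decimal_to_ip N -> prints A.B.C.D; returns 1 if N is empty, non-numeric or too large.
decimal_to_ip() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -le 4294967295 ] || return 1
    # Each "& 255" below has a guaranteed non-empty left operand.
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}
```

Each function echoes its result and returns 1 on bad input, so a caller can test the exit status rather than parse error text; an unguarded `$(( $x & 255 ))` with `x` empty reproduces exactly the error form reported above.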
Tom

I think I have found a problem with the 'shorewall try' command.

When I issue command:

shorewall try -C shell /etc/shorewall

the compiled configuration is written to /var/lib/shorewall/.restart. Shorewall then uses this file to restart from.

If I issue command:

shorewall try -C perl /etc/shorewall

the compiled configuration is written to /root/compile but Shorewall tries to restart using /var/lib/shorewall/.restart

Steven.
Steven Jan Springl wrote:
> Tom
>
> I think I have found a problem with the 'shorewall try' command.
>
> When I issue command:
> shorewall try -C shell /etc/shorewall
>
> the compiled configuration is written to /var/lib/shorewall/.restart. Shorewall then uses this file to restart from.
>
> If I issue command:
> shorewall try -C perl /etc/shorewall
>
> the compiled configuration is written to /root/compile but Shorewall tries to restart using /var/lib/shorewall/.restart

Fixed in 6380.

Thanks, Steven!

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Good morning Tom.

A couple of minor issues.

Command:

shorewall try /etc/shorewall x

produces the following error:

sleep: invalid time interval 'x'

The following commands are accepted:

shorewall -f start
shorewall start /etc/shorewall

but the following command is not accepted:

shorewall -f start /etc/shorewall

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> A couple of minor issues.
>
> Command:
>
> shorewall try /etc/shorewall x
>
> produces the following error:
>
> sleep: invalid time interval 'x'

I've fixed this in revision 6385.

> The following commands are accepted:
>
> shorewall -f start
> shorewall start /etc/shorewall
>
> but the following command is not accepted:
>
> shorewall -f start /etc/shorewall

That's correct. A directory name is not accepted with '-f' even if it is /etc/shorewall. I've updated the documentation.

Thanks, Steven.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom

Command

shorewall-lite dump -m

is not accepted.

A quick question. While I understand the purpose of the directory on 'shorewall start' and 'shorewall restart' commands, what purpose does the directory serve on 'shorewall-lite start' and 'shorewall-lite restart' commands?

Steven.
Steven Jan Springl wrote:
> Tom
>
> Command
>
> shorewall-lite dump -m
>
> is not accepted.

It will be accepted if you install the lib.cli from Shorewall-common. That file gets copied from Shorewall-common to Shorewall-lite during the build process.

> A quick question. While I understand the purpose of the directory on 'shorewall start' and 'shorewall restart' commands, what purpose does the directory serve on 'shorewall-lite start' and 'shorewall-lite restart' commands?
>

It's pretty minimal -- it tells /sbin/shorewall-lite where to look for the shorewall-lite.conf file.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Good morning Tom

> > Command
> >
> > shorewall-lite dump -m
> >
> > is not accepted.
>
> It will be accepted if you install the lib.cli from Shorewall-common. That file gets copied from Shorewall-common to Shorewall-lite during the build process.

That works now.

> > A quick question. While I understand the purpose of the directory on 'shorewall start' and 'shorewall restart' commands, what purpose does the directory serve on 'shorewall-lite start' and 'shorewall-lite restart' commands?
>
> It's pretty minimal -- it tells /sbin/shorewall-lite where to look for the shorewall-lite.conf file.
>

This is what I thought. However, specifying a directory doesn't seem to do anything. Even specifying a non-existent directory doesn't do anything. I put a trace on the start/restart commands and there is no reference to the directory in the output.

Steven.
Steven Jan Springl wrote:
> Good morning Tom
>
>>> Command
>>>
>>> shorewall-lite dump -m
>>>
>>> is not accepted.
>> It will be accepted if you install the lib.cli from Shorewall-common. That file gets copied from Shorewall-common to Shorewall-lite during the build process.
>
> That works now.
>
>>> A quick question. While I understand the purpose of the directory on 'shorewall start' and 'shorewall restart' commands, what purpose does the directory serve on 'shorewall-lite start' and 'shorewall-lite restart' commands?
>> It's pretty minimal -- it tells /sbin/shorewall-lite where to look for the shorewall-lite.conf file.
>>
>
> This is what I thought. However, specifying a directory doesn't seem to do anything. Even specifying a non-existent directory doesn't do anything. I put a trace on the start/restart commands and there is no reference to the directory in the output.

After I responded, I suspected that was the case. I've hacked the remaining vestiges from /sbin/shorewall-lite. Note that shorewall-lite(8) didn't mention using a directory -- only "shorewall-lite help" and the operations document did.

The operations document (trunk/docs/starting_and_stopping_shorewall.xml) still needs work for 4.0 -- it doesn't discuss compiler selection at all yet.

Thanks,
-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom

A 'shorewall load' command issues a 'shorewall restart' command instead of a 'shorewall start' command and displays message 'System .. reloaded' instead of 'System .. loaded'.

Steven.
Steven Jan Springl wrote:
> Tom
>
> A 'shorewall load' command issues a 'shorewall restart' command instead of a 'shorewall start' command and displays message 'System .. reloaded' instead of 'System .. loaded'.
>

Thanks, Steven

I had copied and pasted the 'reload' case but neglected to modify it.

Fixed in revision 6402.

Roberto -- this should go into 3.4 as well.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Friday 18 May 2007 20:20, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > A 'shorewall load' command issues a 'shorewall restart' command instead of a 'shorewall start' command and displays message 'System .. reloaded' instead of 'System .. loaded'.
>
> Thanks, Steven
>
> I had copied and pasted the 'reload' case but neglected to modify it.
>
> Fixed in revision 6402.
>
> Roberto -- this should go into 3.4 as well.
>
> -Tom

Tom

That works; however, if 'shorewall load -s ...' is issued and the start fails because the system is already started, 'shorewall-lite save' is still issued.

Steven.
On Fri, May 18, 2007 at 08:48:00PM +0100, Steven Jan Springl wrote:
> On Friday 18 May 2007 20:20, Tom Eastep wrote:
> > Steven Jan Springl wrote:
> > > Tom
> > >
> > > A 'shorewall load' command issues a 'shorewall restart' command instead of a 'shorewall start' command and displays message 'System .. reloaded' instead of 'System .. loaded'.
> >
> > Thanks, Steven
> >
> > I had copied and pasted the 'reload' case but neglected to modify it.
> >
> > Fixed in revision 6402.
> >
> > Roberto -- this should go into 3.4 as well.
> >
> > -Tom
>
> Tom
>
> That works; however, if 'shorewall load -s ...' is issued and the start fails because the system is already started, 'shorewall-lite save' is still issued.
>

Should I wait for this one as well? Then I can backport 6402 and whatever rev this ends up being.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Steven Jan Springl wrote:
>
> That works; however, if 'shorewall load -s ...' is issued and the start fails because the system is already started, 'shorewall-lite save' is still issued.
>

'shorewall-lite start' doesn't fail if Shorewall Lite is already running. It issues an information message and exits with status 0. This is the same with 'shorewall start'.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Roberto C. Sánchez wrote:
> On Fri, May 18, 2007 at 08:48:00PM +0100, Steven Jan Springl wrote:
>> On Friday 18 May 2007 20:20, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> A 'shorewall load' command issues a 'shorewall restart' command instead of a 'shorewall start' command and displays message 'System .. reloaded' instead of 'System .. loaded'.
>>> Thanks, Steven
>>>
>>> I had copied and pasted the 'reload' case but neglected to modify it.
>>>
>>> Fixed in revision 6402.
>>>
>>> Roberto -- this should go into 3.4 as well.
>>>
>>> -Tom
>> Tom
>>
>> That works; however, if 'shorewall load -s ...' is issued and the start fails because the system is already started, 'shorewall-lite save' is still issued.
>>
> Should I wait for this one as well? Then I can backport 6402 and whatever rev this ends up being.

Roberto,

I'm not going to make a change for this one -- so feel free to go ahead with 6402.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Steven Jan Springl wrote:
>
>> That works; however, if 'shorewall load -s ...' is issued and the start fails because the system is already started, 'shorewall-lite save' is still issued.
>>
>
> 'shorewall-lite start' doesn't fail if Shorewall Lite is already running. It issues an information message and exits with status 0. This is the same with 'shorewall start'.
>

The reason for this behavior is LSB compliance -- starting a subsystem that is already started should not be considered an error.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom

Commands 'shorewall load' and 'shorewall reload' ignore the -C option.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Commands 'shorewall load' and 'shorewall reload' ignore the -C option.
>

Steven,

Please try 6403.

Sorry that I don't have time at the moment to test it myself.

Thanks,
-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Friday 18 May 2007 22:35, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Commands 'shorewall load' and 'shorewall reload' ignore the -C option.
>
> Steven,
>
> Please try 6403.
>
> Sorry that I don't have time at the moment to test it myself.
>

No problem Tom. It's working.

Steven.
Tom

I have now completed my testing of shorewall and shorewall-lite commands.

Is there any other aspect of Shorewall 3.9 that needs testing or further testing?

Steven.
On Fri, May 18, 2007 at 11:47:48PM +0100, Steven Jan Springl wrote:
> Tom
>
> I have now completed my testing of shorewall and shorewall-lite commands.
>
> Is there any other aspect of Shorewall 3.9 that needs testing or further testing?
>
> Steven.
>

Steven,

Let me say that you are the man.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Steven Jan Springl wrote:
> Tom
>
> I have now completed my testing of shorewall and shorewall-lite commands.
>
> Is there any other aspect of Shorewall 3.9 that needs testing or further testing?

Steven,

I rather think it is time to generate a Beta release and let a wider audience pound on it. We need to validate that the rules do what they are supposed to do and that will require wider participation.

I will be traveling for most of the next two weeks so I'm not going to be able to respond quickly to problem reports (I'll be traveling by train for several days in a row so it will be a fluke if I have any Internet access).

Steven, I want to thank you for the effort that you put forth to test this shaky new code. Everyone who uses Shorewall 4.0 and later releases certainly owes you a debt of gratitude.

Best Regards and Thanks,

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Good morning Tom.

Built-in action rejNotSyn:

when compiled with shorewall-shell generates a
'-j REJECT --reject-with tcp-reset'

when compiled with shorewall-perl generates a
'-j REJECT'

Steven.
Tom

Built-in action allowoutUPnP produces the following errors when compiled with
shorewall-shell:

ipt-owner: pid, sid and command matching not supported anymore
iptables: Invalid argument
ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner --cmd-owner upnpd -j ACCEPT" Failed

When compiled with shorewall-perl it produces the error:

ERROR: Unknown action (allowoutUPnP)

When forwardUPnP is compiled with both shorewall-shell and shorewall-perl,
a forwardUPnP chain is created with no rules. Is this correct?

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> Built-in action rejNotSyn:
>
> when compiled with shorewall-shell generates a
> '-j REJECT --reject-with tcp-reset'
>
> when compiled with shorewall-perl generates a
> '-j REJECT'

Good afternoon, Steven.

I've fixed that problem in revision 6405.

-Tom
Steven Jan Springl wrote:
> Tom
>
> Built-in action allowoutUPnP produces the following errors when compiled with
> shorewall-shell:
>
> ipt-owner: pid, sid and command matching not supported anymore
> iptables: Invalid argument
> ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner --cmd-owner
> upnpd -j ACCEPT" Failed

Yes. This is another one of those wonderful cases where the Netfilter team
removed a feature that Shorewall depended on.

> When compiled with shorewall-perl it produces the error:
>
> ERROR: Unknown action (allowoutUPnP)
>

Given that the thing no longer works, it seemed silly to put it in
Shorewall-perl. So I just left it out.

I'll add it to my todo list to update the documentation.

> When forwardUPnP is compiled with both shorewall-shell and shorewall-perl,
> a forwardUPnP chain is created with no rules. Is this correct?

Yes.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Built-in action allowoutUPnP produces the following errors when compiled with
>> shorewall-shell:
>>
>> ipt-owner: pid, sid and command matching not supported anymore
>> iptables: Invalid argument
>> ERROR: Command "/sbin/iptables -A allowoutUPnP -m owner --cmd-owner
>> upnpd -j ACCEPT" Failed
>
> Yes. This is another one of those wonderful cases where the Netfilter team
> removed a feature that Shorewall depended on.
>
>> When compiled with shorewall-perl it produces the error:
>>
>> ERROR: Unknown action (allowoutUPnP)
>>
>
> Given that the thing no longer works, it seemed silly to put it in
> Shorewall-perl. So I just left it out.
>
> I'll add it to my todo list to update the documentation.

I've added this to the release notes and to the Shorewall-perl/Shorewall-4
documentation. The UPnP documentation already instructs to not use
allowoutUPnP with kernel 2.6.14 or later.

-Tom
Tom

Having never used IPSEC, I don't know if this is a bug or I'm missing
something.

Masq file entry:

eth0 192.168.0.0/16 - - - strict,next

produces error:

iptables-restore v1.3.6: policy match: empty policy element

Coding 'strict,next' in the zones file works.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Having never used IPSEC, I don't know if this is a bug or I'm missing
> something.
>
> Masq file entry:
>
> eth0 192.168.0.0/16 - - - strict,next
>
> produces error:
>
> iptables-restore v1.3.6: policy match: empty policy element
>
> Coding 'strict,next' in the zones file works.
>

'strict' and 'next' are only applicable when multiple policies are strung
together. I'll investigate what is going on in the zones file since
"strict,next" shouldn't work there either.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Having never used IPSEC, I don't know if this is a bug or I'm missing
>> something.
>>
>> Masq file entry:
>>
>> eth0 192.168.0.0/16 - - - strict,next
>>
>> produces error:
>>
>> iptables-restore v1.3.6: policy match: empty policy element
>>
>> Coding 'strict,next' in the zones file works.
>>
>
> 'strict' and 'next' are only applicable when multiple policies are strung
> together. I'll investigate what is going on in the zones file since
> "strict,next" shouldn't work there either.

Did you just use "strict,next" and nothing else in the zones file? That
shouldn't work either according to the rules generated.

-Tom
On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Having never used IPSEC, I don't know if this is a bug or I'm missing
> >> something.
> >>
> >> Masq file entry:
> >>
> >> eth0 192.168.0.0/16 - - - strict,next
> >>
> >> produces error:
> >>
> >> iptables-restore v1.3.6: policy match: empty policy element
> >>
> >> Coding 'strict,next' in the zones file works.
> >
> > 'strict' and 'next' are only applicable when multiple policies are strung
> > together. I'll investigate what is going on in the zones file since
> > "strict,next" shouldn't work there either.
>
> Did you just use "strict,next" and nothing else in the zones file? That
> shouldn't work either according to the rules generated.
>
> -Tom

Tom

My zones file is attached.

Steven.
Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Having never used IPSEC, I don't know if this is a bug or I'm missing
>>>> something.
>>>>
>>>> Masq file entry:
>>>>
>>>> eth0 192.168.0.0/16 - - - strict,next
>>>>
>>>> produces error:
>>>>
>>>> iptables-restore v1.3.6: policy match: empty policy element
>>>>
>>>> Coding 'strict,next' in the zones file works.
>>> 'strict' and 'next' are only applicable when multiple policies are strung
>>> together. I'll investigate what is going on in the zones file since
>>> "strict,next" shouldn't work there either.
>> Did you just use "strict,next" and nothing else in the zones file? That
>> shouldn't work either according to the rules generated.
>>
>> -Tom
> Tom
>
> My zones file is attached.
>

Are the zones non-empty?

-Tom
On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >> Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> Having never used IPSEC, I don't know if this is a bug or I'm missing
> >>>> something.
> >>>>
> >>>> Masq file entry:
> >>>>
> >>>> eth0 192.168.0.0/16 - - - strict,next
> >>>>
> >>>> produces error:
> >>>>
> >>>> iptables-restore v1.3.6: policy match: empty policy element
> >>>>
> >>>> Coding 'strict,next' in the zones file works.
> >>>
> >>> 'strict' and 'next' are only applicable when multiple policies are
> >>> strung together. I'll investigate what is going on in the zones file
> >>> since "strict,next" shouldn't work there either.
> >>
> >> Did you just use "strict,next" and nothing else in the zones file? That
> >> shouldn't work either according to the rules generated.
> >>
> >> -Tom
> >
> > Tom
> >
> > My zones file is attached.
>
> Are the zones non-empty?
>
> -Tom

Tom

wan has an entry in the interfaces file, but vpn does not, and is reported as
empty at shorewall startup.

Steven
Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> Having never used IPSEC, I don't know if this is a bug or I'm missing
>>>>>> something.
>>>>>>
>>>>>> Masq file entry:
>>>>>>
>>>>>> eth0 192.168.0.0/16 - - - strict,next
>>>>>>
>>>>>> produces error:
>>>>>>
>>>>>> iptables-restore v1.3.6: policy match: empty policy element
>>>>>>
>>>>>> Coding 'strict,next' in the zones file works.
>>>>> 'strict' and 'next' are only applicable when multiple policies are
>>>>> strung together. I'll investigate what is going on in the zones file
>>>>> since "strict,next" shouldn't work there either.
>>>> Did you just use "strict,next" and nothing else in the zones file? That
>>>> shouldn't work either according to the rules generated.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> My zones file is attached.
>> Are the zones non-empty?
>>
>> -Tom
> Tom
>
> wan has an entry in the interfaces file, but vpn does not, and is reported as
> empty at shorewall startup.

Then I don't understand why it worked. Please send me the generated
firewall script.

Thanks,
-Tom
On Saturday 19 May 2007 15:58, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >>>> Tom Eastep wrote:
> >>>>> Steven Jan Springl wrote:
> >>>>>> Tom
> >>>>>>
> >>>>>> Having never used IPSEC, I don't know if this is a bug or I'm
> >>>>>> missing something.
> >>>>>>
> >>>>>> Masq file entry:
> >>>>>>
> >>>>>> eth0 192.168.0.0/16 - - - strict,next
> >>>>>>
> >>>>>> produces error:
> >>>>>>
> >>>>>> iptables-restore v1.3.6: policy match: empty policy element
> >>>>>>
> >>>>>> Coding 'strict,next' in the zones file works.
> >>>>>
> >>>>> 'strict' and 'next' are only applicable when multiple policies are
> >>>>> strung together. I'll investigate what is going on in the zones file
> >>>>> since "strict,next" shouldn't work there either.
> >>>>
> >>>> Did you just use "strict,next" and nothing else in the zones file?
> >>>> That shouldn't work either according to the rules generated.
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> My zones file is attached.
> >>
> >> Are the zones non-empty?
> >>
> >> -Tom
> >
> > Tom
> >
> > wan has an entry in the interfaces file, but vpn does not, and is
> > reported as empty at shorewall startup.
>
> Then I don't understand why it worked. Please send me the generated
> firewall script.
>
> Thanks,
> -Tom

Tom

Sorry, I have messed around with the zones file since reporting the problem.
The only zone entry that works with "strict,next" is one that is empty (vpn).

Steven.
Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:58, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>>>> Tom Eastep wrote:
>>>>>>> Steven Jan Springl wrote:
>>>>>>>> Tom
>>>>>>>>
>>>>>>>> Having never used IPSEC, I don't know if this is a bug or I'm
>>>>>>>> missing something.
>>>>>>>>
>>>>>>>> Masq file entry:
>>>>>>>>
>>>>>>>> eth0 192.168.0.0/16 - - - strict,next
>>>>>>>>
>>>>>>>> produces error:
>>>>>>>>
>>>>>>>> iptables-restore v1.3.6: policy match: empty policy element
>>>>>>>>
>>>>>>>> Coding 'strict,next' in the zones file works.
>>>>>>> 'strict' and 'next' are only applicable when multiple policies are
>>>>>>> strung together. I'll investigate what is going on in the zones file
>>>>>>> since "strict,next" shouldn't work there either.
>>>>>> Did you just use "strict,next" and nothing else in the zones file?
>>>>>> That shouldn't work either according to the rules generated.
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> My zones file is attached.
>>>> Are the zones non-empty?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> wan has an entry in the interfaces file, but vpn does not, and is
>>> reported as empty at shorewall startup.
>> Then I don't understand why it worked. Please send me the generated
>> firewall script.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> Sorry, I have messed around with the zones file since reporting the problem.
> The only zone entry that works with "strict,next" is one that is empty (vpn).

Good. Thanks, Steven.

-Tom
Steven Jan Springl wrote:
> On Saturday 19 May 2007 15:58, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
>>>>>> Tom Eastep wrote:
>>>>>>> Steven Jan Springl wrote:
>>>>>>>> Tom
>>>>>>>>
>>>>>>>> Having never used IPSEC, I don't know if this is a bug or I'm
>>>>>>>> missing something.
>>>>>>>>
>>>>>>>> Masq file entry:
>>>>>>>>
>>>>>>>> eth0 192.168.0.0/16 - - - strict,next
>>>>>>>>
>>>>>>>> produces error:
>>>>>>>>
>>>>>>>> iptables-restore v1.3.6: policy match: empty policy element
>>>>>>>>
>>>>>>>> Coding 'strict,next' in the zones file works.
>>>>>>> 'strict' and 'next' are only applicable when multiple policies are
>>>>>>> strung together. I'll investigate what is going on in the zones file
>>>>>>> since "strict,next" shouldn't work there either.
>>>>>> Did you just use "strict,next" and nothing else in the zones file?
>>>>>> That shouldn't work either according to the rules generated.
>>>>>>
>>>>>> -Tom
>>>>> Tom
>>>>>
>>>>> My zones file is attached.
>>>> Are the zones non-empty?
>>>>
>>>> -Tom
>>> Tom
>>>
>>> wan has an entry in the interfaces file, but vpn does not, and is
>>> reported as empty at shorewall startup.
>> Then I don't understand why it worked. Please send me the generated
>> firewall script.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> Sorry, I have messed around with the zones file since reporting the problem.
> The only zone entry that works with "strict,next" is one that is empty (vpn).

A valid sequence using 'strict' and 'next' would be:

proto=esp,strict,next,proto=ah

That would encapsulate in ESP then in AH.

-Tom
On Saturday 19 May 2007 16:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:58, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >>>>>> Tom Eastep wrote:
> >>>>>>> Steven Jan Springl wrote:
> >>>>>>>> Tom
> >>>>>>>>
> >>>>>>>> Having never used IPSEC, I don't know if this is a bug or I'm
> >>>>>>>> missing something.
> >>>>>>>>
> >>>>>>>> Masq file entry:
> >>>>>>>>
> >>>>>>>> eth0 192.168.0.0/16 - - - strict,next
> >>>>>>>>
> >>>>>>>> produces error:
> >>>>>>>>
> >>>>>>>> iptables-restore v1.3.6: policy match: empty policy element
> >>>>>>>>
> >>>>>>>> Coding 'strict,next' in the zones file works.
> >>>>>>>
> >>>>>>> 'strict' and 'next' are only applicable when multiple policies are
> >>>>>>> strung together. I'll investigate what is going on in the zones
> >>>>>>> file since "strict,next" shouldn't work there either.
> >>>>>>
> >>>>>> Did you just use "strict,next" and nothing else in the zones file?
> >>>>>> That shouldn't work either according to the rules generated.
> >>>>>>
> >>>>>> -Tom
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> My zones file is attached.
> >>>>
> >>>> Are the zones non-empty?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> wan has an entry in the interfaces file, but vpn does not, and is
> >>> reported as empty at shorewall startup.
> >>
> >> Then I don't understand why it worked. Please send me the generated
> >> firewall script.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > Sorry, I have messed around with the zones file since reporting the
> > problem. The only zone entry that works with "strict,next" is one that is
> > empty (vpn).
>
> A valid sequence using 'strict' and 'next' would be:
>
> proto=esp,strict,next,proto=ah
>
> That would encapsulate in ESP then in AH.
>
> -Tom

Tom

Thanks, I will use that to do some further testing.

Steven.
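The strict/next exchange above, as an added example that is not part of the thread and not Shorewall's own code: a small Python model of how a comma-separated IPSEC option string from the zones or masq file maps onto the arguments of iptables' policy match, together with the sanity checks iptables applies before accepting such a rule. It reproduces the two behaviours the thread ran into: "strict,next" on its own is rejected with "policy match: empty policy element", while the same string on an empty zone is never handed to iptables because no rule is generated for it. The ELEMENT_KEYS names follow the policy match's own options (--proto, --mode, --reqid, --spi, --tunnel-src, --tunnel-dst); the chain name pattern, the zone_policy_rules() layout and the check_options() helper are assumptions made for illustration.

```python
"""Model of iptables' policy-match argument building and validation.

Added example, not Shorewall's or iptables' own code. The chain naming and
the rule layout in zone_policy_rules() are invented for illustration.
"""
from typing import Dict, List, Optional

# Sub-options that describe one policy element (iptables: --reqid, --spi,
# --proto, --mode, --tunnel-src, --tunnel-dst).
ELEMENT_KEYS = ("reqid", "spi", "proto", "mode", "tunnel-src", "tunnel-dst")
MAX_ELEMS = 4  # the policy match supports at most four chained elements


class PolicyError(ValueError):
    """Carries the text iptables prints when the policy match rejects a rule."""


def build_policy_match(options: str, direction: str) -> List[str]:
    """Translate OPTIONS into an iptables '-m policy ...' argument list.

    'strict' asks for the elements to match in the given order; 'next'
    starts a new element. Both only make sense when at least two non-empty
    elements are strung together, which is why 'strict,next' alone fails.
    """
    if direction not in ("in", "out"):
        raise PolicyError("policy match: neither --in nor --out specified")
    strict = False
    elements: List[Dict[str, str]] = [{}]
    for tok in (t.strip() for t in options.split(",")):
        if not tok:
            continue
        if tok == "strict":
            strict = True
        elif tok == "next":
            if len(elements) == MAX_ELEMS:
                raise PolicyError("policy match: maximum policy depth reached")
            elements.append({})
        else:
            key, sep, value = tok.partition("=")
            if not sep or key not in ELEMENT_KEYS:
                raise PolicyError(f"unknown IPSEC option {tok!r}")
            if key in elements[-1]:
                raise PolicyError(f"policy match: {key} given twice in one element")
            elements[-1][key] = value
    # Checks iptables performs once the whole match has been parsed.
    if len(elements) > 1 and not strict:
        raise PolicyError("policy match: multiple elements but no --strict")
    if strict and any(not e for e in elements):
        raise PolicyError("policy match: empty policy element")
    args = ["-m", "policy", "--dir", direction, "--pol", "ipsec"]
    if strict:
        args.append("--strict")
    for index, element in enumerate(elements):
        if index:
            args.append("--next")
        for key, value in element.items():
            args += [f"--{key}", value]
    return args


def check_options(options: str, direction: str = "out") -> Optional[str]:
    """Return the error text OPTIONS would provoke, or None if it is accepted.

    A compiler should run this on every IPSEC option string it reads, whether
    or not a rule is ever generated from it; that is what turns a run-time
    iptables-restore failure into a compile-time error.
    """
    try:
        build_policy_match(options, direction)
    except PolicyError as err:
        return str(err)
    return None


def zone_policy_rules(zone: str, hosts: List[str], options: str) -> List[List[str]]:
    """Rules a compiler would emit for an IPSEC zone (hypothetical layout):
    one inbound policy match per host address. An empty zone produces no
    rules at all, so a bad option string on such a zone never reaches
    iptables and goes unnoticed unless check_options() is applied first."""
    rules = []
    for host in hosts:
        rules.append(["-A", f"{zone}_in", "-s", host] + build_policy_match(options, "in"))
    return rules


if __name__ == "__main__":
    print(" ".join(build_policy_match("proto=esp,strict,next,proto=ah", "out")))
    print(check_options("strict,next"))                 # the masq-file failure
    print(zone_policy_rules("vpn", [], "strict,next"))  # empty zone: nothing emitted
```

Running the block prints the argument list for the valid sequence from the thread, the "empty policy element" text for "strict,next", and an empty rule list for the empty vpn zone, which is the case that made the bad option look as if it worked.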