Includes several bug fixes:

1) The 'Modules' output of the 'shorewall[-lite] dump' command now works correctly with 2.6.20 and later Kernels.

2) Setting FW in shorewall.conf to something other than 'fw' now works again with IPSECFILE=ipsec.

3) Wildcard entries in /etc/shorewall/rules (those with 'all' in the SOURCE and/or DEST column) were previously attempting to override NONE policies, resulting in a compilation error (Shorewall-perl only).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Tom

The shorewall-accounting man page states that 'all' and 'any' are valid in the source, destination, source port, and dest port columns, and that 'any' is valid in the protocol column. However shorewall-perl does not allow them.

Steven.
Steven Jan Springl wrote:
> The shorewall-accounting man page states that 'all' and 'any' are valid in the
> source, destination, source port, and dest port columns,
> and that 'any' is valid in the protocol column.
> However shorewall-perl does not allow them.

Thanks Steven. Should be fixed in 6467.

-Tom
Good morning Tom.

After applying revision 6468, policy:

lan    tst    NONE    warn

produces error:

iptables-restore v1.3.3: Couldn't load target `NONE':/lib/iptables/libipt_NONE.so: cannot open shared object file: No such file or directory

Note, both lan and tst zones are defined as ipv4.

Steven.
Steven Jan Springl wrote:
> After applying revision 6468, policy:
>
> lan    tst    NONE    warn
>
> produces error:
>
> iptables-restore v1.3.3: Couldn't load target
> `NONE':/lib/iptables/libipt_NONE.so: cannot open shared object file: No such
> file or directory
>
> Note, both lan and tst zones are defined as ipv4.

Good afternoon, Steven.

Don't know why that didn't show up in my testing but it didn't. I've fixed that problem and also fixed another bad bug.

Please try 6469.

-Tom
On Wednesday 06 June 2007 14:51, Tom Eastep wrote:
> Don't know why that didn't show up in my testing but it didn't. I've fixed
> that problem and also fixed another bad bug.
>
> Please try 6469.

Tom

That's fixed it.

Steven.
Tom

When zones contains:

fw       firewall
lan      ipv4
tst      ipv4
a:tst    bport
b:tst    bport

and interfaces contains:

lan    eth0    -    nosmurfs,tcpflags
tst    eth1    -    nosmurfs,tcpflags

and hosts is empty, the following messages are produced:

Use of uninitialized value in hash element at /usr/share/shorewall-perl/Shorewall/Zones.pm line 239, <$currentfile> line 14.

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Zones.pm line 240, <$currentfile> line 14.

ERROR: Parent Zone tst is not associated with device : /etc/shorewall/zones ( line 14 )

Steven.
Steven Jan Springl wrote:
> When zones contains:
>
> fw       firewall
> lan      ipv4
> tst      ipv4
> a:tst    bport
> b:tst    bport
>
> and interfaces contains:
>
> lan    eth0    -    nosmurfs,tcpflags
> tst    eth1    -    nosmurfs,tcpflags
>
> and hosts is empty, the following messages are produced:
>
> Use of uninitialized value in hash element
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 239, <$currentfile> line
> 14.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 240, <$currentfile> line
> 14.
>
> ERROR: Parent Zone tst is not associated with
> device : /etc/shorewall/zones ( line 14 )

The bridge port stuff is not ready for testing yet.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> ERROR: Parent Zone tst is not associated with
>> device : /etc/shorewall/zones ( line 14 )
>
> The bridge port stuff is not ready for testing yet.

Please give 6470 a try.

Thanks!
-Tom
On Wednesday 06 June 2007 16:36, Tom Eastep wrote:
> Please give 6470 a try.

Tom

That's fixed it.

Steven.
Steven Jan Springl wrote:
> On Wednesday 06 June 2007 16:36, Tom Eastep wrote:
>> Please give 6470 a try.
>
> That's fixed it.

I recommend using r6474 for testing the new Bridge code. I just fixed a rather bad bug.

-Tom (who must do some real work now).
Tom

When zones contains:

fw       firewall
lan      ipv4
tst      ipv4
p1:tst   port
p2:tst   port

interfaces contains:

lan    eth0        -    nosmurfs,tcpflags
tst    br0         -    routeback,bridge,optional,tcpflags,rosmurfs
p1     br0:eth1
p2     br0:eth2

and policy contains:

fw     all    accept
lan    p2     accept
all    all    drop

the following iptables rule is created:

-A lan2p2 -j ACCEPT

but nothing points to the lan2p2 chain.

Should it be possible to have a policy from a zone that is not part of a bridge to a bridge port (line 2 of the policy file above)?

Steven.
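A check for the symptom reported above (a chain that holds rules but that nothing jumps to), as an added example that is not part of this thread or of Shorewall: it parses iptables-restore text, follows jumps from the built-in chains and reports the user chains that are never reached. The sample ruleset is constructed to mirror the lan2p2 case.

```python
import re
from collections import defaultdict

# Built-in chains are the roots: traffic enters a table only through them.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed sample in iptables-restore format, mirroring the report above:
# lan2p2 holds a rule but no other chain jumps to it.
SAMPLE_RESTORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:fw2all - [0:0]
:lan2p2 - [0:0]
:all2all - [0:0]
-A OUTPUT -j fw2all
-A FORWARD -i eth0 -j all2all
-A fw2all -j ACCEPT
-A lan2p2 -j ACCEPT
-A all2all -j DROP
COMMIT
"""

JUMP_RE = re.compile(r"(?:-j|--jump|-g|--goto)\s+(\S+)")
RULE_RE = re.compile(r"-[AI]\s+(\S+)(.*)$")


def parse_restore(text):
    """Return {table: (declared_chains, jumps)} with jumps: chain -> set of targets."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table] = (set(), defaultdict(set))
            continue
        if line == "COMMIT" or table is None:
            continue
        declared, jumps = tables[table]
        if line.startswith(":"):                 # chain declaration, e.g. :lan2p2 - [0:0]
            declared.add(line[1:].split()[0])
            continue
        m = RULE_RE.match(line)
        if m:
            chain, rest = m.group(1), m.group(2)
            declared.add(chain)                  # a rule on an undeclared chain still names it
            t = JUMP_RE.search(rest)
            if t:
                jumps[chain].add(t.group(1))
    return tables


def unreachable_chains(text):
    """Per table, the chains that no path of jumps from a built-in chain ever reaches."""
    result = {}
    for table, (declared, jumps) in parse_restore(text).items():
        reached = set()
        stack = [c for c in declared if c in BUILTIN_CHAINS]
        while stack:
            chain = stack.pop()
            if chain in reached:
                continue
            reached.add(chain)
            # Targets such as ACCEPT or DROP are not chains; only follow declared ones.
            stack.extend(t for t in jumps.get(chain, ()) if t in declared)
        result[table] = sorted(declared - reached)
    return result


if __name__ == "__main__":
    for table, orphans in unreachable_chains(SAMPLE_RESTORE).items():
        for chain in orphans:
            print(f"{table}: chain {chain} has rules but nothing jumps to it")
```

Run it over the output of `shorewall dump` or `iptables-save` from a compiled configuration; an orphan chain means the policy it carries is silently never applied.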
Steven Jan Springl wrote:
> the following iptables rule is created:
>
> -A lan2p2 -j ACCEPT
>
> but nothing points to the lan2p2 chain.
>
> Should it be possible to have a policy from a zone that is not part of a
> bridge to a bridge port (line 2 of the policy file above)?

I have this covered in one of my earlier experiments but forgot it in the current one. Fixed in r6477.

Thanks, Steven
-Tom
On Thursday 07 June 2007 00:41, Tom Eastep wrote:
> I have this covered in one of my earlier experiments but forgot it in
> the current one. Fixed in r6477.

Tom

Should it be possible to have a policy from the bridge to a port on the same bridge e.g. using the above zone and interface definitions:

tst    p2    ACCEPT

Steven.
Steven Jan Springl wrote:
> Should it be possible to have a policy from the bridge to a port on the same
> bridge e.g. using the above zone and interface definitions:

In principle, such a policy (or rule) is not a problem but I haven't been able to come up with a good way to detect that case yet.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Should it be possible to have a policy from the bridge to a port on the same
>> bridge e.g. using the above zone and interface definitions:
>
> In principle, such a policy (or rule) is not a problem but I haven't
> been able to come up with a good way to detect that case yet.

This area is imperfect. For the policy/rule to be accepted, the source zone must be associated with the bridge and only the bridge. Please try r6478.

Thanks,
-Tom
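An added example (not Shorewall's own code) of the zone, interface and policy checks this thread converges on: a bport zone's parent must be associated with a bridge device (the "Parent Zone tst is not associated with device" error reported earlier), each bport interface entry must be a port of that bridge, and a policy from the parent zone to one of its own ports is accepted only when the parent is associated with the bridge and only the bridge, as stated above. Both zone type spellings seen in the thread (bport and port) are accepted, and the sample files are constructed from the configuration posted earlier.

```python
from collections import defaultdict

# Constructed sample files based on the configuration posted earlier in the thread.
ZONES = """\
fw       firewall
lan      ipv4
tst      ipv4
p1:tst   port
p2:tst   port
"""
INTERFACES = """\
lan   eth0       -   nosmurfs,tcpflags
tst   br0        -   routeback,bridge,optional,tcpflags
p1    br0:eth1
p2    br0:eth2
"""
POLICY = """\
fw    all   accept
lan   p2    accept
tst   p2    accept
all   all   drop
"""

# Both spellings of the bridge-port zone type appear in this thread.
BPORT_TYPES = {"bport", "port"}


def parse_table(text):
    """Split a Shorewall-style whitespace-separated file into rows, dropping comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_zones(text):
    """zone name -> {'type': ..., 'parent': parent zone or None}   (NAME[:PARENT] TYPE)."""
    zones = {}
    for cols in parse_table(text):
        name, _, parent = cols[0].partition(":")
        zones[name] = {"type": cols[1].lower(), "parent": parent or None}
    return zones


def parse_interfaces(text):
    """zone -> list of (device, options)   (ZONE INTERFACE BROADCAST OPTIONS)."""
    ifaces = defaultdict(list)
    for cols in parse_table(text):
        opts = set(cols[3].split(",")) if len(cols) > 3 and cols[3] != "-" else set()
        ifaces[cols[0]].append((cols[1], opts))
    return ifaces


def bridge_devices(zone, ifaces):
    """Devices of a zone that carry the 'bridge' option."""
    return [dev for dev, opts in ifaces.get(zone, []) if "bridge" in opts]


def check_config(zones_text, interfaces_text, policy_text):
    """Return a list of error strings; an empty list means the checks passed."""
    zones = parse_zones(zones_text)
    ifaces = parse_interfaces(interfaces_text)
    errors = []

    for name, z in zones.items():
        if z["type"] not in BPORT_TYPES:
            continue
        parent = z["parent"]
        bridges = bridge_devices(parent, ifaces) if parent else []
        if not bridges:
            errors.append(f"Parent zone {parent} of {name} is not associated with a bridge device")
            continue
        for dev, _ in ifaces.get(name, []):
            bridge, _, port = dev.partition(":")    # expected form: br0:eth1
            if not port or bridge not in bridges:
                errors.append(f"bport zone {name}: interface {dev} is not a port of "
                              f"{parent}'s bridge ({', '.join(bridges)})")

    for cols in parse_table(policy_text):
        src, dst = cols[0], cols[1]
        if src == "all" or zones.get(dst, {}).get("type") not in BPORT_TYPES:
            continue
        if src == zones[dst]["parent"]:
            # The parent may target its own ports only when it is associated with
            # the bridge and nothing but the bridge (the rule stated above; assumed
            # here to mean exactly one interface entry, carrying the bridge option).
            devs = ifaces.get(src, [])
            if len(devs) != 1 or "bridge" not in devs[0][1]:
                errors.append(f"policy {src} -> {dst}: source zone {src} must be "
                              f"associated with the bridge and only the bridge")
    return errors


if __name__ == "__main__":
    for line in check_config(ZONES, INTERFACES, POLICY) or ["configuration passed the checks"]:
        print(line)
```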
On Thursday 07 June 2007 03:23, Tom Eastep wrote:
> This area is imperfect. For the policy/rule to be accepted, the source
> zone must be associated with the bridge and only the bridge. Please try
> r6478.

Good morning Tom.

This works now.

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> This works now.

Thanks, Steven.

-Tom
Tom

Specifying the maclist option on a host file entry that defines a bport e.g.

p1    eth1:10.1.1.0/24    maclist

produces the following error:

ERROR: Unable to determine the IP address(es) of eth1

Note, eth1 is bound to br0 and the output from the "ip addr show" command is below:

1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:5a:6f:c3:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.24/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::210:5aff:fe6f:c310/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:da:50:c4:a1 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
8: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:50:da:50:c4:a1 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br0
    inet6 fe80::250:daff:fe50:c4a1/64 scope link
       valid_lft forever preferred_lft forever

Steven.
Steven Jan Springl wrote:
> Specifying the maclist option on a host file entry that defines a bport e.g.
>
> p1    eth1:10.1.1.0/24    maclist
>
> produces the following error:
>
> ERROR: Unable to determine the IP address(es) of eth1

Please test with r6479 (sorry that I don't have time to set up a test case).

-Tom
On Thursday 07 June 2007 15:47, Tom Eastep wrote:
> Please test with r6479 (sorry that I don't have time to set up a test
> case).

Tom

I have tested the maclist option when specified on a bridge in the interfaces file and on a bridge port when specified in the hosts file. Provided the bridge has an IP address, then it works.

I have not been able to test it when the bridge (br0) does not have an IP address, as "shorewall start" produces the following error:

ERROR: Unable to determine the IP address(es) of br0

Steven.
Steven Jan Springl wrote:
> I have tested the maclist option when specified on a bridge in the interfaces
> file and on a bridge port when specified in the hosts file.
> Provided the bridge has an IP address, then it works.
>
> I have not been able to test it when the bridge (br0) does not have an IP
> address, as "shorewall start" produces the following error:
>
> ERROR: Unable to determine the IP address(es) of br0

I don't believe that configuration works with Shorewall-shell either - have you tried it?

-Tom
Tom Eastep wrote:
> I don't believe that configuration works with Shorewall-shell either - have
> you tried it?

Also, please try Shorewall-shell with the 'optional' option specified on the bridge device.

Thanks!
-Tom
Tom Eastep wrote:
> Also, please try Shorewall-shell with the 'optional' option specified on the

Make that '...please try Shorewall-perl...'

-Tom
On Thursday 07 June 2007 19:40, Tom Eastep wrote:
>> Also, please try Shorewall-shell with the 'optional' option specified on
>> the
>
> Make that '...please try Shorewall-perl...'

Tom

The 'optional' option works.
I will test the 'maclist' option and shorewall-shell and get back to you.

Steven.
Steven Jan Springl wrote:
> The 'optional' option works.
> I will test the 'maclist' option and shorewall-shell and get back to you.

Thanks!
-Tom
On Thursday 07 June 2007 21:16, Tom Eastep wrote:
> Steven Jan Springl wrote:
>> The 'optional' option works.
>> I will test the 'maclist' option and shorewall-shell and get back to you.
>
> Thanks!
> -Tom

Tom

The 'maclist' option works with a bridge that does not have an IP address.

When the bridge does not have an IP address, shorewall-shell produces the following message:

ERROR: Interface br0 must be up before Shorewall can start.

Steven.
Steven Jan Springl wrote:
> The 'maclist' option works with a bridge that does not have an IP address.
>
> When the bridge does not have an IP address, shorewall-shell produces the
> following message:
>
> ERROR: Interface br0 must be up before Shorewall can start.

I suspected as much. Should be corrected in r6482.

-Tom
On Thursday 07 June 2007 22:31, Steven Jan Springl wrote:
> On Thursday 07 June 2007 21:16, Tom Eastep wrote:
> > Steven Jan Springl wrote:
> > > The 'optional' option works.
> > > I will test the 'maclist' option and shorewall-shell and get back to you.
> >
> > Thanks!
> > -Tom
>
> Tom
>
> The 'maclist' option works with a bridge that does not have an IP address.
>
> When the bridge does not have an IP address, shorewall-shell produces the
> following message:
>
> ERROR: Interface br0 must be up before Shorewall can start.
>
> Steven.

Tom

An update to the above.

When bridge br0 does not have an IP address and interfaces contains the following entry:

lan br0 - bridge,optional,maclist

Shorewall-perl works. Adding the option 'detectnets' produces the following error:

ERROR: No hosts on br0 have the maclist option specified : /etc/shorewall/maclist ( line 11 )

This does not happen when br0 has an IP address.

Steven.
Steven Jan Springl wrote:
> Tom
>
> An update to the above.
>
> When bridge br0 does not have an IP address and interfaces contains the
> following entry:
>
> lan br0 - bridge,optional,maclist
>
> Shorewall-perl works. Adding the option 'detectnets' produces the following
> error:
>
> ERROR: No hosts on br0 have the maclist option
> specified : /etc/shorewall/maclist ( line 11 )
>
> This does not happen when br0 has an IP address.

A rather odd-ball case. 'detectnets' is never going to work right on an interface with no IP address. Nevertheless, I've hacked around it (untested) in r6483.

Note that there will be *no* MAC verification performed with this silly combination of configuration and options.

Thanks.
-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
> > When bridge br0 does not have an IP address and interfaces contains the
> > following entry:
> >
> > lan br0 - bridge,optional,maclist
> >
> > Shorewall-perl works. Adding the option 'detectnets' produces the following
> > error:
> >
> > ERROR: No hosts on br0 have the maclist option
> > specified : /etc/shorewall/maclist ( line 11 )
> >
> > This does not happen when br0 has an IP address.
>
> A rather odd-ball case. 'detectnets' is never going to work right on an
> interface with no IP address. Nevertheless, I've hacked around it (untested)
> in r6483.
>
> Note that there will be *no* MAC verification performed with this silly
> combination of configuration and options.

Note that there is another configuration problem here. If the bridge is not going to have an IP address, then it makes no sense to have a zone (lan) in the ZONE column. In the absence of an IP address, no IP traffic can flow to/from the firewall or any of its interfaces to/from that bridge.

-Tom
On Thursday 07 June 2007 23:35, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > When bridge br0 does not have an IP address and interfaces contains the
> > following entry:
> >
> > lan br0 - bridge,optional,maclist
> >
> > Shorewall-perl works. Adding the option 'detectnets' produces the
> > following error:
> >
> > ERROR: No hosts on br0 have the maclist option
> > specified : /etc/shorewall/maclist ( line 11 )
> >
> > This does not happen when br0 has an IP address.
>
> A rather odd-ball case. 'detectnets' is never going to work right on an
> interface with no IP address. Nevertheless, I've hacked around it
> (untested) in r6483.
>
> Note that there will be *no* MAC verification performed with this silly
> combination of configuration and options.
>
> Thanks.
> -Tom

Tom

I agree 'detectnets' is silly on an interface with no IP address. I was expecting you to flag it as invalid in the same way that you do if the default route is on the interface.

I have tested revision 6484. Shorewall-perl now starts.

If 'routeback' is added to the interface then the following iptables rules are generated:

without 'detectnets'

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -j ACCEPT

with 'detectnets'

-A br0_fwd -m state --state INVALID,NEW -j dynamic

Should the '-A br0_fwd -j ACCEPT' rule not be generated when 'detectnets' is specified?

Steven.
On Thursday 07 June 2007 22:58, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > The 'maclist' option works with a bridge that does not have an IP
> > address.
> >
> > When the bridge does not have an IP address, shorewall-shell produces the
> > following message:
> >
> > ERROR: Interface br0 must be up before Shorewall can start.
>
> I suspected as much. Should be corrected in r6482.
>
> -Tom

Tom

Shorewall-shell now works.

Steven.
Steven Jan Springl wrote:
> Shorewall-shell now works.

Thanks, Steven.

-Tom
Good morning Tom.

When the hosts file contains:

p1 eth0:192.168.0.0/24!192.168.0.7

the following error is produced:

Undefined subroutine &Shorewall::Rules::match_source_interface called at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1431.

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> When the hosts file contains:
>
> p1 eth0:192.168.0.0/24!192.168.0.7
>
> the following error is produced:
>
> Undefined subroutine &Shorewall::Rules::match_source_interface called
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1431.

Hmmm -- I thought I caught all of those. Corrected in r6487.

Thanks, Steven
-Tom
Tom

Hosts file entry:

p1 eth0:192.168.0.0/24!192.168.0.5-192.168.0.7

generates the following iptables rule:

-A p1_frwd -i br0 -m physdev --physdev-in eth0 -s 192.168.0.5-192.168.0.7 -j RETURN

which produces the following error:

iptables-restore v1.3.6: host/network '192.168.0.5-192.168.0.7' not found

Steven.
Steven Jan Springl wrote:
> Tom
>
> Hosts file entry:
>
> p1 eth0:192.168.0.0/24!192.168.0.5-192.168.0.7
>
> generates the following iptables rule:
>
> -A p1_frwd -i br0 -m physdev --physdev-in eth0 -s 192.168.0.5-192.168.0.7 -j
> RETURN
>
> which produces the following error:
>
> iptables-restore v1.3.6: host/network '192.168.0.5-192.168.0.7' not found

Please post an archive of the /etc/shorewall directory that produces this error.

Thanks,
-Tom
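The failure Steven reports above is a syntax mismatch on the iptables side: `-s` only accepts a single host or a CIDR network, so an address range written as `a-b` has to be expressed with the `iprange` match (`-m iprange --src-range a-b`) instead. The following Python sketch is an added illustration of that distinction, written for this page; it is not Shorewall's code and not how Shorewall-perl implements hosts-file exclusions. It parses a hosts-style `interface:network!exclusion[,exclusion]` specification, emits one RETURN rule per exclusion ahead of the rule for the network itself, and picks `-s` or `-m iprange` according to the form of each address. The `target` of the final rule, the chain and bridge names, and the `build_rules` and `source_match` function names are assumptions made for the example.

```python
"""Added example: turn a hosts-style 'iface:net!excl,...' spec into iptables
match fragments, using the correct match for each address form.

Not Shorewall's code. The chain/bridge/target names are illustrative.
"""
import ipaddress
import re

# a-b style range, e.g. 192.168.0.5-192.168.0.7
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_hosts_entry(entry):
    """Split 'iface:net[!excl[,excl...]]' into (iface, net, [exclusions])."""
    iface, sep, spec = entry.partition(":")
    if not sep or not iface or not spec:
        raise ValueError(f"malformed hosts entry: {entry!r}")
    net, _, excl = spec.partition("!")
    exclusions = [e for e in excl.split(",") if e] if excl else []
    return iface, net, exclusions


def source_match(addr):
    """Return the iptables tokens that match source address 'addr'.

    A range (a-b) must use the iprange match; '-s' does not accept it and
    iptables-restore rejects the rule with "host/network ... not found".
    Anything else must be a valid host or CIDR network for '-s'.
    """
    m = RANGE_RE.match(addr)
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"inverted range: {addr}")
        return ["-m", "iprange", "--src-range", addr]
    # Validate host or CIDR; raises ValueError on junk such as 192.168.0.300.
    ipaddress.IPv4Network(addr, strict=False)
    return ["-s", addr]


def build_rules(chain, bridge, entry, target):
    """Emit rules for a bridge-port hosts entry (assumed chain/target names).

    Exclusions RETURN first so they never reach the network rule that jumps
    to 'target'; this ordering is what makes the '!' exclusion effective.
    """
    iface, net, exclusions = parse_hosts_entry(entry)
    base = ["-A", chain, "-i", bridge, "-m", "physdev", "--physdev-in", iface]
    rules = []
    for excl in exclusions:
        rules.append(" ".join(base + source_match(excl) + ["-j", "RETURN"]))
    rules.append(" ".join(base + source_match(net) + ["-j", target]))
    return rules


if __name__ == "__main__":
    # Constructed input modelled on the entry discussed in the thread.
    for rule in build_rules("p1_frwd", "br0",
                            "eth0:192.168.0.0/24!192.168.0.5-192.168.0.7", "p1"):
        print(rule)
```

The generated exclusion rule reads `-m iprange --src-range 192.168.0.5-192.168.0.7 -j RETURN` rather than `-s 192.168.0.5-192.168.0.7`, which is the form iptables-restore 1.3.6 was rejecting. The `iprange` match is a separate kernel module, so a firewall that relies on it should verify the module loads (it shows up in the `Modules` section of `shorewall dump`) before trusting the ruleset.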
Tom Eastep wrote:
> Please post an archive of the /etc/shorewall directory that produces this error.

But first please see if r6488 corrects the problem.

-Tom
On Friday 08 June 2007 17:09, Tom Eastep wrote:
> Tom Eastep wrote:
> > Please post an archive of the /etc/shorewall directory that produces this
> > error.
>
> But first please see if r6488 corrects the problem.
>
> -Tom

Tom

That's fixed it.

Steven.
Steven Jan Springl wrote:
> On Friday 08 June 2007 17:09, Tom Eastep wrote:
> > Tom Eastep wrote:
> > > Please post an archive of the /etc/shorewall directory that produces this
> > > error.
> > But first please see if r6488 corrects the problem.
> >
> > -Tom
> Tom
>
> That's fixed it.

Thanks, Steven. That test case also pointed out a serious problem with host file exclusion that is independent of the new bridge code. Guess I'll release Beta 4 tomorrow.

-Tom