Beta 3 is now available for testing.

New Features:

1) The generated script now detects and removes stale lock files.

2) Steven Underwood has contributed Fedora/Redhat init script and
   .service files. The .service files are used with systemd which
   manages the startup sequence in Fedora 16.

   When installing using the install scripts:

   a) If /lib/systemd/system exists, the .service files are installed
      there and are activated using /sbin/systemctl. When installing
      into a directory, setting the SYSTEMD environmental variable to
      a non-empty value will also trigger this behavior.

   b) If /etc/redhat-release exists, the Fedora/Redhat init script
      will be installed in /etc/init.d. When installing into a
      directory, setting the FEDORA environmental variable to a
      non-empty value will also trigger this behavior.

3) Previously, when a provider interface went 'soft down' (UP and
   configured but not usable) or came back up from being 'soft down',
   the firewall had to be reloaded ('/var/lib/shorewall/firewall
   restart') to disable or enable the interface.

   Beginning with this release, the compiled IPv4 script supports two
   new commands:

   - disable <interface>
   - enable <interface>

   The 'disable' command removes all policy routing added as a result
   of the interface's entry in /etc/shorewall/providers. The 'enable'
   command restores that policy routing.

Thank you for testing,

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Just a small point, but I'm Jonathan, not Steven :) (Steven is far more helpful to this project than me!)

sent from my phone.

On 26 Aug 2011 01:50, "Tom Eastep" <teastep@shorewall.net> wrote:
> 2) Steven Underwood has contributed Fedora/Redhat init script and
>    .service files. The .service files are used with systemd which
>    manages the startup sequence in Fedora 16.

------------------------------------------------------------------------------
My humble apologies.

-Tom

On Aug 25, 2011, at 6:01 PM, Jonathan Underwood wrote:
> Just a small point, but I'm Jonathan, not Steven :) (Steven is far more helpful to this project than me!)
>
> sent from my phone.

------------------------------------------------------------------------------
Tom

Trying to install shorewall-lite-4.4.23-Beta3 produces the following messages:

install: cannot create regular file `etc/init.d/shorewall-lite': No such file or directory

ERROR: Failed to install -T -o root -g root -m 0544 init.debian.sh etc/init.d/shorewall-lite

Steven.

------------------------------------------------------------------------------
On Fri, 2011-08-26 at 15:12 +0100, Steven Jan Springl wrote:
> Trying to install shorewall-lite-4.4.23-Beta3 produces the following messages:
>
> install: cannot create regular file `etc/init.d/shorewall-lite': No such file
> or directory
>
> ERROR: Failed to install -T -o root -g root -m 0544 init.debian.sh
> etc/init.d/shorewall-lite

Here's a patch for the installer.

Thanks Steven,
-Tom

------------------------------------------------------------------------------
On Friday 26 August 2011 19:01:55 Tom Eastep wrote:
> On Fri, 2011-08-26 at 15:12 +0100, Steven Jan Springl wrote:
> > Trying to install shorewall-lite-4.4.23-Beta3 produces the following
> > messages:
> >
> > install: cannot create regular file `etc/init.d/shorewall-lite': No such
> > file or directory
> >
> > ERROR: Failed to install -T -o root -g root -m 0544 init.debian.sh
> > etc/init.d/shorewall-lite
>
> Here's a patch for the installer.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch has fixed the issue.

Thanks.

Steven.

------------------------------------------------------------------------------
Tom

The following shorewall6 message is produced after recreating the capabilities file:

WARNING: Unknown capability (QUOTA_MATCH) ignored : /etc/shorewall66/capabilities (line 55)

Steven.

------------------------------------------------------------------------------
On Fri, 2011-08-26 at 19:32 +0100, Steven Jan Springl wrote:
> The following shorewall6 message is produced after recreating the capabilities
> file:
>
> WARNING: Unknown capability (QUOTA_MATCH)
> ignored : /etc/shorewall66/capabilities (line 55)

Hmmm -- I should have checked Shorewall6 when I corrected a similar
defect in Shorewall.

Patch attached.

Thanks, Steven

-Tom

------------------------------------------------------------------------------
On Friday 26 August 2011 19:55:53 Tom Eastep wrote:
> On Fri, 2011-08-26 at 19:32 +0100, Steven Jan Springl wrote:
> > The following shorewall6 message is produced after recreating the
> > capabilities file:
> >
> > WARNING: Unknown capability (QUOTA_MATCH)
> > ignored : /etc/shorewall66/capabilities (line 55)
>
> Hmmm -- I should have checked Shorewall6 when I corrected a similar
> defect in Shorewall.
>
> Patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch fixed the problem.

Thanks.

Steven.

------------------------------------------------------------------------------
On Fri, 2011-08-26 at 20:22 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixed the problem.

Thanks, Steven

-Tom

------------------------------------------------------------------------------
Tom

Issuing the command '/var/lib/shorewall/firewall disable eth1' produces the following message:

var/lib/shorewall/firewall: 38411: shorewal_is_started: not found

Steven.

------------------------------------------------------------------------------
On Fri, 2011-08-26 at 20:55 +0100, Steven Jan Springl wrote:
> Tom
>
> Issuing the command '/var/lib/shorewall/firewall disable eth1' produces the
> following message:
>
> var/lib/shorewall/firewall: 38411: shorewal_is_started: not found

Crap -- added that test after I had completed testing enable/disable
and, wouldn't you know it, there is a typo in it.

Patch attached.

Thanks, Steven

-Tom

------------------------------------------------------------------------------
On Friday 26 August 2011 21:53:58 Tom Eastep wrote:
> On Fri, 2011-08-26 at 20:55 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > Issuing the command '/var/lib/shorewall/firewall disable eth1' produces
> > the following message:
> >
> > var/lib/shorewall/firewall: 38411: shorewal_is_started: not found
>
> Crap -- added that test after I had completed testing enable/disable
> and, wouldn't you know it, there is a typo in it.
>
> Patch attached.
>
> Thanks, Steven
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

------------------------------------------------------------------------------
On Aug 26, 2011, at 2:34 PM, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.

Thanks, Steven

-Tom

------------------------------------------------------------------------------
Tom

In the attached config. eth1 is defined as logical interface.
Issuing command /var/lib/shorewall/firewall disable eth1
produces the following message:

ERROR: eth1 is not an optional provider interface: Firewall state not changed

Is this expected?

Steven.

------------------------------------------------------------------------------
On Aug 26, 2011, at 4:03 PM, Steven Jan Springl wrote:
> In the attached config. eth1 is defined as logical interface.
> Issuing command /var/lib/shorewall/firewall disable eth1
> produces the following message:
>
> ERROR: eth1 is not an optional provider interface: Firewall state not changed
>
> Is this expected?

Yes -- The 'enable' and 'disable' commands accept physical names, not logical names. Monitoring software like LSM knows nothing about Shorewall logical names.

Thanks,
-Tom

------------------------------------------------------------------------------
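The 'enable' and 'disable' commands discussed above, as an added example that is not part of the original thread and is not Shorewall's own code: a hook a link monitor could call to turn its up/down events into those commands, passing the physical interface name. The function name provider_event, the "up"/"down" event names, the FIREWALL override variable and the return codes 2 and 3 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Shorewall code: turn a link monitor's up/down event
# into the compiled script's 'enable' / 'disable' command.

# Path of the compiled script as used in this thread; override for testing.
FIREWALL=${FIREWALL:-/var/lib/shorewall/firewall}

# provider_event <state> <physical-interface>
#   state is "up" or "down" (assumed event names; map your monitor's to these).
# Returns 2 for rejected arguments, 3 if the compiled script is not executable,
# otherwise the exit status of the compiled script.
provider_event() {
    state=$1
    iface=$2

    case $state in
        up)   action=enable ;;
        down) action=disable ;;
        *)    echo "provider_event: unknown state '$state'" >&2; return 2 ;;
    esac

    # The monitor's arguments are untrusted input to a command that changes
    # routing. Conservative allow-list: non-empty, no leading '-', at most 15
    # characters (the kernel's limit), and only characters from a fixed set.
    case $iface in
        ''|-*|*[!A-Za-z0-9_.:@-]*)
            echo "provider_event: rejected interface name" >&2; return 2 ;;
    esac
    [ "${#iface}" -le 15 ] || { echo "provider_event: name too long" >&2; return 2; }

    [ -x "$FIREWALL" ] || { echo "provider_event: $FIREWALL not executable" >&2; return 3; }

    # Pass the physical name (eth1), not a Shorewall logical name. The
    # compiled script reports an ERROR for interfaces that are not optional
    # providers; its exit status is returned unchanged to the caller.
    "$FIREWALL" "$action" "$iface"
}

# Run as a hook only when called with arguments.
[ $# -eq 0 ] || provider_event "$@"
```

------------------------------------------------------------------------------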
On Fri, 2011-08-26 at 13:53 -0700, Tom Eastep wrote:
> On Fri, 2011-08-26 at 20:55 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > Issuing the command '/var/lib/shorewall/firewall disable eth1' produces the
> > following message:
> >
> > var/lib/shorewall/firewall: 38411: shorewal_is_started: not found
>
> Crap -- added that test after I had completed testing enable/disable
> and, wouldn't you know it, there is a typo in it.

Just discovered another rather bad bug. The entries
in /etc/shorewall/routing_rules are being applied twice while those
in /etc/shorewall/routes are not being applied at all.

Patch attached.

-Tom

------------------------------------------------------------------------------
On Sunday 28 August 2011 15:59:52 Tom Eastep wrote:
> On Fri, 2011-08-26 at 13:53 -0700, Tom Eastep wrote:
> > On Fri, 2011-08-26 at 20:55 +0100, Steven Jan Springl wrote:
> > > Tom
> > >
> > > Issuing the command '/var/lib/shorewall/firewall disable eth1' produces
> > > the following message:
> > >
> > > var/lib/shorewall/firewall: 38411: shorewal_is_started: not found
> >
> > Crap -- added that test after I had completed testing enable/disable
> > and, wouldn't you know it, there is a typo in it.
>
> Just discovered another rather bad bug. The entries
> in /etc/shorewall/routing_rules are being applied twice while those
> in /etc/shorewall/routes are not being applied at all.
>
> Patch attached.
>
> -Tom

Tom

I have recreated the problem and can confirm the patch corrects it.

Thanks.

Steven.

------------------------------------------------------------------------------
On Aug 28, 2011, at 2:57 PM, Steven Jan Springl wrote:
> I have recreated the problem and can confirm the patch corrects it.

Thanks, Steven.

-Tom

------------------------------------------------------------------------------
On Sun, 2011-08-28 at 22:57 +0100, Steven Jan Springl wrote:
> On Sunday 28 August 2011 15:59:52 Tom Eastep wrote:
> > Just discovered another rather bad bug. The entries
> > in /etc/shorewall/routing_rules are being applied twice while those
> > in /etc/shorewall/routes are not being applied at all.
> >
> > Patch attached.
>
> I have recreated the problem and can confirm the patch corrects it.

I've discovered another oversight; routing_rules and routes entries for
the main and default tables are not being added. Patch attached.

-Tom

------------------------------------------------------------------------------
On Monday 29 August 2011 14:51:12 Tom Eastep wrote:
> I've discovered another oversight; routing_rules and routes entries for
> the main and default tables are not being added. Patch attached.
>
> -Tom

Tom

I have recreated the problem and can confirm the patch corrects the issue.

Thanks.

Steven.

------------------------------------------------------------------------------
On Mon, 2011-08-29 at 23:34 +0100, Steven Jan Springl wrote:
> I have recreated the problem and can confirm the patch corrects the issue.

Thanks, Steven.

I corrected an additional problem in Beta 4 that could leave stale rules
and/or routes after 'disable'.

-Tom