Shorewall devel - Sep 2012 - various shorewall bugs and suggestions

They are all relevant to v4.5.6, haven''t checked the latest version to
see if they have been fixed, so apologies if they have...

BUGS
~~~~

1. Shorewall-lite: From an arbitrary directory where shorewall-lite files are to
be compiled (i.e. "~/shorewall-lite/dmz" for example): "shorewall
compile -T -p -e ." produces the following error:

"/etc/shorewall/shorewall.conf does not exist!". 

Well, /etc/shorewall/shorewall.conf is the config file for the HOST system and
shorewall should NOT be using this file! This is "corrected" by adding
"." at the beginning of ${SHAREDIR}/shorewall/configdir file, but then
comes the next error:

"ERROR: . is a directory". 

The correct syntax, according to shorewall, is "compile [ -e ] [ -p ] [ -t
] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]", so this
should be accepted.

As a work-around, executing "shorewall compile -T -p -e . firewall"
works, but then the "firewall" file produced by "shorewall
compile -T -p -e . firewall" ignores CONFIG_PATH, CONFDIR and SHAREDIR and
uses these settings from the HOST system.

In other words, firewall::g_confdir, firewall::g_basedir, firewall::CONFIG_PATH
and firewall::VARDIR are all taken from the host system''s shorewallrc
file in the firewall::initialize function, which is wrong.

Even if I force the use of a locally-built shorewallrc file to reflect the
REMOTE system''s layout "shorewall compile -T -p -e .
firewall" fails miserably as it could not find its lib.core file.

Yeah, a classic chicken and egg scenario!

The compiled "firewall" script should take into account the layout of
the remote system (maybe by including a separate copy of shorewallrc build for
the REMOTE system) and not have all these mickey-mouse g_* variables assuming
hard-coded values, particularly as "firewall" is executable script and
could, in theory, be used where nothing else is available on the remote system -
as is the case with most embedded/resource-constrained systems where nothing
else is present.

2. Shorewall-lite: shorewall-lite produces erroneous "firewall" file
as it references VARDIR instead of VARDIR/shorewall-lite, resulting in an unholy
mess! There seems to be a great deal of inconsistency in various shorewall
products where sometimes VARDIR is assumed to be, say, "/var/lib", and
in other cases this refers to "/var/lib/$product".

With shorewall-lite, VARDIR is usually assumed to be /var/lib/shorewall-lite,
but then when I get to assign VARDIR in shorewallrc with /var/lib/shorewall-lite
I get this during start:

   ERROR: Shorewall Lite is not properly installed
          The file /opt/var/lib/shorewall-lite/shorewall-lite/firewall does not
exist

The culprit seems to be in lib.base:

VARDIR=${VARDIR}/${g_program}

So, as I mentioned above, VARDIR seems to be carrying inconsistent definitions
across shorewall products which needs to be fixed.

3. Shorewall(-lite): routestopped produces wrong firewall rules. Example:

#INTERFACE	HOST(S)				OPTIONS		PROTO	DEST		SOURCE
#									PORT(S)		PORT(S)
eth0		10.1.1.17,10.2.1.3		source		tcp	22,5432

should produce one-sided (source) rules, but I see this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       10.1.1.17            0.0.0.0/0   
multiport dports 22,5432
    0     0 ACCEPT     tcp  --  eth0   *       10.2.1.3             0.0.0.0/0   
multiport dports 22,5432

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            10.1.1.17   
multiport dports 22,5432
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            10.2.1.3    
multiport dports 22,5432

Note "dports" in both INPUT and OUTPUT chains. If anything, thse
should change directions (dports for INPUT, sports in OUTPUT). Using different
"source" and "destination" OPTIONS makes matters worse as it
produces twice as many rules for each direction, which is madness.

4. Shorewall-lite: In systems where I use a different "PATH" (as in
the bash PATH variable for searching executables), modprobe statement in
modules.* fails to load ip_tables_raw ("modules.dep cannot be found"
error) - I suspect there is assumed path ("/sbin:/bin" etc) somewhere
within the shorewall lib files and not what I have specified in my
shorewall(-lite).conf.

I found the "path" to be hard-coded in two separate statements in
lib.cli. lib.common loads the actual kernel modules directly using
"insmod" or "modprobe" (no path!) depending on whether
"modprobe" could be found.

Also, ip_table_raw module needs to be added to
${SHAREDIR}/shorewall-lite/modules.essential so that it is loaded at startup.
The same probably goes for all other shorewall products as well.

5. Shorewall(-lite): Add a message that the ''blacklist'' option
in zones/interfaces is DEPRECATED in favour of blrules (well, at least no
''blacklist'' template file is provided), so that I
don''t get confused by adding that option and thinking that it is in any
way related to blrules, because it isn''t.

6. Shorewall(-lite): Allow for ''dhcp'' option to specify a
specific host/broadcast address(es) to be used when dhcp address is obtained. As
it stands, the current implementation presents a security risk. Suppose I have a
single interface, which gets its IP address from my ISP and needs to connect to
a specific host or use a specific broadcast addresses. By specifying the
''dhcp'' in interfaces option I get this, among other things:

-A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
-A FORWARD -p udp --dport 67:68 -i eth0 -o eth0 -j ACCEPT
-A OUTPUT -p udp --dport 67:68 -o eth0 -j ACCEPT
[...]
-A eth0_iop -p udp --dport 67:68 -j ACCEPT

If eth0 faces the internet ANYONE could connect to my firewall (and the firewall
can connect to ANY host) on ports 67:68 as there is no restriction put in place.
This is also valid when routestopped is used, so it needs to be corrected.

Also, I do not see much difference between the first statement above and the
last, which executes in the net2fw chain, which in turn, is part of INPUT. In
other words, I have this:

-A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j net2fw
[...]
-A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m comment --comment
"BLACKLIST"
-A net2fw -i eth0 -j eth0_iop
[...]
-A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
-A eth0_iop -p udp --dport 67:68 -j ACCEPT

The last statement above is exactly the same as the first!

7. Shorewall-init: shorewallrc discrepancies in shorewall-init and the rest of
the shorewall products:

/etc/rc.d/init.d/shorewall-init: 

if [ -f ~/.shorewallrc ]; then
    . ~/.shorewallrc || exit 1
else
    SBINDIR=/sbin
    SYSCONFDIR=/etc/default
    VARDIR=/var/lib
fi

/etc/rc.d/init.d/shorewall:

. /usr/share/shorewall/shorewallrc

8. Shorewall-init: /etc/rc.d/init.d/shorewall-init lists its usage as
"/etc/init.d/shorewall-init {start|stop}", but "status" is
also accepted. This needs to be corrected.

9. Shorewall-init: From Fedora''s perspective (don''t know about
any other distros - this might be applicable there also) the init.d script
contains the following:

    restart|reload|force-reload)
	echo "Not implemented"
	exit 3
	;;
    condrestart|try-restart)
	echo "Not implemented"
	exit 3
        ;;

The above could be collapsed into:

restart|reload|force-reload|condrestart|try-restart)
        echo "Not implemented"
        exit 3
        ;;

Also, the "OPTIONS" variable is unused so it should be removed. Same
goes for "vardir" in both start() and stop().

Not to mention that all those "[ retval -ne 0 ]" statements are not
going to lead anywhere - "retval" should actually be
"$retval", ideally as "[[ $retval != 0 ]]" (which
incompetent idiot wrote this script?).

10. Shorewall-init: shorewall-init integration with network up/down scripts (but
NOT NetworkManager) is non-existent!

11. Shorewall: shorewall [trace|debug [nolock]] [-options] try directory
[timeout] [-options] is not explained in the shorewall man page and neither is
the "directory" parameter (which I guesed it to be the configuration
directory).


SUGGESIONS:
~~~~~~~~~~~

1. ipsets not allowed in routestopped (why?). When used, I get this:
ERROR: An ipset name (+test) is not allowed in this context

Using multi-dimensional sets isn''t allowed either (invalid set name
"+test[dst" error is given)

2. Shorewall-init: help & man pages advice for execution of "shorewall
compile" prior to executing /etc/rc.d/init.d/shorewall-init so that
${VARLIB}/$product/firewall is present. Indeed, shorewall-init checks for this
in start() and if the file is not present it does absolutely nothing.

What is the sense in that? Since shorewall-init normally starts before the
network or the shorewall "product" is brought up, how am I supposed to
compile that "firewall" script exactly?

start() should include a "shorewall compile" in one form or another,
or, at the very least execute the $product init script with "compile"
option (that new "compile" options should, of course, be implemented).

3. Shorewall: At least with the Fedora-based scripts, reload|restart etc could
be replaced with "try", particularly as stop/restart may not be needed
and can be performed "automatically" by shorewall when "try"
is specified.

4. I would like to be able to execute a bash script which *modifies* the
compiled "firewall" file before Shorewall starts or is reloaded. Is it
possible for this to be implemented somehow?

5. Allow multiple owners to be specified in the rules (and all other relevant
files), like "root,kids" for example. Currently I am unable to do that
and have to generate the same rules with different owners, which is a bit of a
pain.

6. Shorewall(-lite): The following could be optimised:

interfaces
~~~~~~~~~~
vpn eth1
arp_filter=1,arp_ignore=2,logmartians=1,nets=10.1.1.0/24,nosmurfs,routefilter=1,tcpflags
red eth2 arp_filter=1,arp_ignore=2,logmartians=1,nosmurfs,routefilter=1,tcpflags

Produces:

-A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j smurfs
-A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs
[...]
-A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags
-A vpn2net -p tcp -j tcpflags

This could be optimised to just the second line in both statements above (I have
OPTIMIZE=15 in shorewall.conf)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/01/2012 06:00 AM, Mr Dash Four wrote:
> They are all relevant to v4.5.6, haven''t checked the latest
version
> to see if they have been fixed, so apologies if they have...
>
> BUGS ~~~~
>
> 1. Shorewall-lite: From an arbitrary directory where shorewall-lite
> files are to be compiled (i.e. "~/shorewall-lite/dmz" for
example):
> "shorewall compile -T -p -e ." produces the following error:
>
> "/etc/shorewall/shorewall.conf does not exist!".
>
Patch CONF.patch attached.
>
> 2. Shorewall-lite: shorewall-lite produces erroneous "firewall"
file
> as it references VARDIR instead of VARDIR/shorewall-lite, resulting
> in an unholy mess! There seems to be a great deal of inconsistency in
> various shorewall products where sometimes VARDIR is assumed to be,
> say, "/var/lib", and in other cases this refers to
> "/var/lib/$product".
>
> With shorewall-lite, VARDIR is usually assumed to be
> /var/lib/shorewall-lite, but then when I get to assign VARDIR in
> shorewallrc with /var/lib/shorewall-lite I get this during start:
>
> ERROR: Shorewall Lite is not properly installed The file
> /opt/var/lib/shorewall-lite/shorewall-lite/firewall does not exist
>
> The culprit seems to be in lib.base:
>
> VARDIR=${VARDIR}/${g_program}
>
> So, as I mentioned above, VARDIR seems to be carrying inconsistent
> definitions across shorewall products which needs to be fixed.
Are you referring to the inconsistency mentioned in the release notes
''Migration Considerations'' section? If not, then I''m
not following what
problem that you are reporting.
>
> 3. Shorewall(-lite): routestopped produces wrong firewall rules.
> Example:
>
> #INTERFACE	HOST(S)				OPTIONS		PROTO	DEST		SOURCE #									PORT(S)
> PORT(S) eth0		10.1.1.17,10.2.1.3		source		tcp	22,5432
>
> should produce one-sided (source) rules, but I see this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target
> prot opt in     out     source               destination 0     0
> ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> ctstate RELATED,ESTABLISHED 0     0 ACCEPT     tcp  --  eth0   *
> 10.1.1.17            0.0.0.0/0           multiport dports 22,5432 0
> 0 ACCEPT     tcp  --  eth0   *       10.2.1.3             0.0.0.0/0
> multiport dports 22,5432
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target
> prot opt in     out     source               destination 0     0
> ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> ctstate RELATED,ESTABLISHED 0     0 ACCEPT     tcp  --  *      eth0
> 0.0.0.0/0            10.1.1.17           multiport dports 22,5432 0
> 0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            10.2.1.3
> multiport dports 22,5432
>
> Note "dports" in both INPUT and OUTPUT chains. If anything, thse
> should change directions (dports for INPUT, sports in OUTPUT). Using
> different "source" and "destination" OPTIONS makes
matters worse as
> it produces twice as many rules for each direction, which is
> madness.
>
Patch RTSTOPPED.patch attached.
> 4. Shorewall-lite: In systems where I use a different "PATH" (as
in
> the bash PATH variable for searching executables), modprobe statement
> in modules.* fails to load ip_tables_raw ("modules.dep cannot be
> found" error) - I suspect there is assumed path
("/sbin:/bin" etc)
> somewhere within the shorewall lib files and not what I have
> specified in my shorewall(-lite).conf.
The ''modules.dep'' file isn''t located via PATH, AFAIK.
It is assumed to
be located in /lib/modules/<current-kernel-version>.
>
> I found the "path" to be hard-coded in two separate statements in
> lib.cli. lib.common loads the actual kernel modules directly using
> "insmod" or "modprobe" (no path!) depending on whether
"modprobe"
> could be found.
>
> Also, ip_table_raw module needs to be added to
> ${SHAREDIR}/shorewall-lite/modules.essential so that it is loaded at
> startup. The same probably goes for all other shorewall products as
> well.
Done.
>
> 5. Shorewall(-lite): Add a message that the ''blacklist''
option in
> zones/interfaces is DEPRECATED in favour of blrules (well, at least
> no ''blacklist'' template file is provided), so that I
don''t get
> confused by adding that option and thinking that it is in any way
> related to blrules, because it isn''t.
>
> 6. Shorewall(-lite): Allow for ''dhcp'' option to specify a
specific
> host/broadcast address(es) to be used when dhcp address is obtained.
> As it stands, the current implementation presents a security risk.
> Suppose I have a single interface, which gets its IP address from my
> ISP and needs to connect to a specific host or use a specific
> broadcast addresses. By specifying the ''dhcp'' in
interfaces option I
> get this, among other things:
>
> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
> -A FORWARD -p udp --dport 67:68 -i eth0 -o eth0 -j ACCEPT
> -A OUTPUT -p udp --dport 67:68 -o eth0 -j ACCEPT
> [...]
> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
>
> If eth0 faces the internet ANYONE could connect to my firewall (and
> the firewall can connect to ANY host) on ports 67:68 as there is no
> restriction put in place. This is also valid when routestopped is
> used, so it needs to be corrected.
For those that are worried about this issue, I suggest omitting the
''dhcp'' option from the interfaces file and adding explicit
DHCP rules in
the rules and routestopped files.

I will add a warning in the manpages.
>
> Also, I do not see much difference between the first statement above
> and the last, which executes in the net2fw chain, which in turn, is
> part of INPUT. In other words, I have this:
>
> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
> -A INPUT -i eth0 -j net2fw
> [...]
> -A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m comment
--comment "BLACKLIST"
> -A net2fw -i eth0 -j eth0_iop [...]
> -A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
>
> The last statement above is exactly the same as the first!
>
I''m unable to reproduce the above result. Do you have a simple test
case?
> 7. Shorewall-init: shorewallrc discrepancies in shorewall-init and
> the rest of the shorewall products:
>
> /etc/rc.d/init.d/shorewall-init:
>
> if [ -f ~/.shorewallrc ]; then . ~/.shorewallrc || exit 1 else
> SBINDIR=/sbin SYSCONFDIR=/etc/default VARDIR=/var/lib fi
>
> /etc/rc.d/init.d/shorewall:
>
> . /usr/share/shorewall/shorewallrc
Corrected.
>
> 8. Shorewall-init: /etc/rc.d/init.d/shorewall-init lists its usage as
> "/etc/init.d/shorewall-init {start|stop}", but "status"
is also
> accepted. This needs to be corrected.
Corrected.
>
> 9. Shorewall-init: From Fedora''s perspective (don''t know
about any
> other distros - this might be applicable there also) the init.d
> script contains the following:
>
> restart|reload|force-reload) echo "Not implemented" exit 3 ;;
> condrestart|try-restart) echo "Not implemented" exit 3 ;;
>
> The above could be collapsed into:
>
> restart|reload|force-reload|condrestart|try-restart) echo "Not
> implemented" exit 3 ;;
As I understand it, the Fedora init file standards require separate entries.
>
> Also, the "OPTIONS" variable is unused so it should be removed.
Same
> goes for "vardir" in both start() and stop().
>
> Not to mention that all those "[ retval -ne 0 ]" statements are
not
> going to lead anywhere - "retval" should actually be
"$retval",
> ideally as "[[ $retval != 0 ]]" (which incompetent idiot wrote
this
> script?).
Corrected.
>
> 10. Shorewall-init: shorewall-init integration with network up/down
> scripts (but NOT NetworkManager) is non-existent!
The installer installs the ifupdown script as ${SBINDIR}/ifup-local and
${SBINDIR}/ifdown-local if those files don''t already exist.
>
> 11. Shorewall: shorewall [trace|debug [nolock]] [-options] try
> directory [timeout] [-options] is not explained in the shorewall man
> page and neither is the "directory" parameter (which I guesed it
to
> be the configuration directory).
I really should deprecate the ''try'' command as it duplicates
the
functionality of the ''safe-start'' and
''safe-restart'' commands.

[-options] is the same as in any command and is explained at the top in
the ''Options'' section.
>
>
> SUGGESIONS: ~~~~~~~~~~~
>
> 1. ipsets not allowed in routestopped (why?). When used, I get this:
> ERROR: An ipset name (+test) is not allowed in this context
>
> Using multi-dimensional sets isn''t allowed either (invalid set
name
> "+test[dst" error is given)
That''s actually a bug -- patch IPSET.patch attached.
>
> 2. Shorewall-init: help & man pages advice for execution of
> "shorewall compile" prior to executing
> /etc/rc.d/init.d/shorewall-init so that ${VARLIB}/$product/firewall
> is present. Indeed, shorewall-init checks for this in start() and if
> the file is not present it does absolutely nothing.
>
> What is the sense in that? Since shorewall-init normally starts
> before the network or the shorewall "product" is brought up, how
am I
> supposed to compile that "firewall" script exactly?
If a compiled script doesn''t exist, then there is nothing for
shorewall-init to do. The whole point of Shorewall-init is to execute a
''shorewall stop'' prior to starting networking. If there is no
compiled
script, then there is no way to issue a ''stop'' command.
>
> start() should include a "shorewall compile" in one form or
another,
> or, at the very least execute the $product init script with
"compile"
> option (that new "compile" options should, of course, be
> implemented).
I don''t see the point of that. On any system that has the Shorewall
package installed, ${VARDIR} should survive a reboot and there should be
a compiled script already present. Are you actually running the full
Shorewall package on a system where ${VARDIR} is in ram disk?
>
> 3. Shorewall: At least with the Fedora-based scripts, reload|restart
> etc could be replaced with "try", particularly as stop/restart
may
> not be needed and can be performed "automatically" by shorewall
when
> "try" is specified.
Neither reload nor restart involves a ''stop''. What can speed
up systems
that have the full Shorewall package installed is to set AUTOMAKE=Yes. 
This recompiles the firewall only if there is a file on the CONFIG_PATH 
that is newer than the compiled firewall.
>
> 4. I would like to be able to execute a bash script which *modifies*
> the compiled "firewall" file before Shorewall starts or is
reloaded.
> Is it possible for this to be implemented somehow?
There is currently no way to do that. What sort of modifications are you 
planning? Might new Shorewall features meet this need?
>
> 5. Allow multiple owners to be specified in the rules (and all other
> relevant files), like "root,kids" for example. Currently I am
unable
> to do that and have to generate the same rules with different owners,
> which is a bit of a pain.
I''ll put that on the todo list.
>
> 6. Shorewall(-lite): The following could be optimised:
>
> interfaces ~~~~~~~~~~ vpn eth1
arp_filter=1,arp_ignore=2,logmartians=1,nets=10.1.1.0/24,nosmurfs,routefilter=1,tcpflags
> red eth2
arp_filter=1,arp_ignore=2,logmartians=1,nosmurfs,routefilter=1,tcpflags
>
> Produces:
>
> -A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j
> smurfs -A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs [...]
> -A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags -A vpn2net -p tcp -j
> tcpflags
>
> This could be optimised to just the second line in both statements
> above (I have OPTIMIZE=15 in shorewall.conf)

I''ll see what I can do.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/01/2012 10:51 AM, Tom Eastep wrote:
>
>> 6. Shorewall(-lite): The following could be optimised:
>>
>> interfaces ~~~~~~~~~~ vpn eth1
>>
arp_filter=1,arp_ignore=2,logmartians=1,nets=10.1.1.0/24,nosmurfs,routefilter=1,tcpflags
>>
>> red eth2
>> arp_filter=1,arp_ignore=2,logmartians=1,nosmurfs,routefilter=1,tcpflags
>>
>> Produces:
>>
>> -A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j
>> smurfs -A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs [...]
>> -A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags -A vpn2net -p tcp -j
>> tcpflags
>>
>> This could be optimised to just the second line in both statements
>> above (I have OPTIMIZE=15 in shorewall.conf)
>
>
> I''ll see what I can do.
Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Patch CONF.patch attached.
Will look into it when I have the time.
>> ERROR: Shorewall Lite is not properly installed The file
>> /opt/var/lib/shorewall-lite/shorewall-lite/firewall does not exist
>>
>> The culprit seems to be in lib.base:
>>
>> VARDIR=${VARDIR}/${g_program}
>>
>> So, as I mentioned above, VARDIR seems to be carrying inconsistent
>> definitions across shorewall products which needs to be fixed.
> 
> Are you referring to the inconsistency mentioned in the release notes
> ''Migration Considerations'' section? If not, then
I''m not following what
> problem that you are reporting.
No. The problem is that VARDIR has different definition, depending on what
shorewall product is deployed, which is wrong.

For example, VARDIR in shorewall is (usually) /var/lib, in shorewall-lite is
/var/lib/shorewall-lite. To top it all off (and that is particularly glaring in
shorewall-lite''s case), in some parts of the compiled firewall file
(which incorporates various custom files, like params, rules etc) VARDIR is
referred to as /var/lib, but in others it is assumed to be
/var/lib/shorewall-lite.

Also, in shorewall-lite''s case, at the very beginning of the
"firewall" execution, there was a bunch of hard-coded values of these
variables, causing me a lot of headaches, particularly as I wasn''t
using "standard" directories. What I did though (and I think this
should be the approach adopted), is to source shorewallrc and wipe out any
hard-coded values for these variables. I also had to change the
"VARDIR=${VARDIR}/${g_program}" assignment as shown above in order to
keep the consistency, otherwise I was getting the above error. Hope it is clear,
if not, I have to dig up a test case up.

> Patch RTSTOPPED.patch attached.
Will look into it when I have the time.
> 
>> 4. Shorewall-lite: In systems where I use a different "PATH"
(as in
>> the bash PATH variable for searching executables), modprobe statement
>> in modules.* fails to load ip_tables_raw ("modules.dep cannot be
>> found" error) - I suspect there is assumed path
("/sbin:/bin" etc)
>> somewhere within the shorewall lib files and not what I have
>> specified in my shorewall(-lite).conf.
> 
> The ''modules.dep'' file isn''t located via PATH,
AFAIK. It is assumed to
> be located in /lib/modules/<current-kernel-version>.
Quite right, but the "modprobe" command I was using was a bloody
busybox abomination and that was executing simply because shorewall was assuming
(or, rather, hard-coding) pre-defined paths, like /sbin and /bin.

If shorewall was honouring the path variables as I specified in my
shorewall.conf file, it would have executed *my* version of modprobe (which,
incidentally, was in /opt/sbin and compiled *specifically* to look for kernel
modules in /opt/lib/modules/<kernel-version>, together with the correct
modules.dep), thus avoiding the problem I described above.
> Done.
Thanks.
> For those that are worried about this issue, I suggest omitting the
> ''dhcp'' option from the interfaces file and adding
explicit DHCP rules in
> the rules and routestopped files.
This is precisely what I have done. I initially "trusted" this option,
though, decided to check and see what the effect of deploying it is and I am
glad I did, because I realised what was happening.
> I will add a warning in the manpages.
I am not sure that would be enough. You are opening a pinhole in the firewall
and warning users about it. There are quite a few gullible individuals out there
who either won''t pay attention to this warning or worse. My advice
would be to either remove it completely or allow it to be specified with
parameters (similar to "nets", i.e. dhcp=255.255.255.255,10.1.1.17).

>> Also, I do not see much difference between the first statement above
>> and the last, which executes in the net2fw chain, which in turn, is
>> part of INPUT. In other words, I have this:
>>
>> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
>> -A INPUT -i eth0 -j net2fw
>> [...]
>> -A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m comment
> --comment "BLACKLIST"
>> -A net2fw -i eth0 -j eth0_iop [...]
>> -A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
>> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
>>
>> The last statement above is exactly the same as the first!
>>
> 
> I''m unable to reproduce the above result. Do you have a simple
test case?
I''ll prepare a test case when I have more time.
>> 9. Shorewall-init: From Fedora''s perspective (don''t
know about any
>> other distros - this might be applicable there also) the init.d
>> script contains the following:
>>
>> restart|reload|force-reload) echo "Not implemented" exit 3 ;;
>> condrestart|try-restart) echo "Not implemented" exit 3 ;;
>>
>> The above could be collapsed into:
>>
>> restart|reload|force-reload|condrestart|try-restart) echo "Not
>> implemented" exit 3 ;;
> 
> As I understand it, the Fedora init file standards require separate
> entries.
Separate entries for what? As it stands, all 6 conditionals are collapsed into
two equal set of statements. I don''t see a problem of going a step
further and collapsing them all into one.
> I really should deprecate the ''try'' command as it
duplicates the
> functionality of the ''safe-start'' and
''safe-restart'' commands.
Are they the same? What I like about "try" is that it starts the
firewall regardless of the state it was in (perfect when I don''t care
what that state was). Can I achieve the same with safe-start then?

> That''s actually a bug -- patch IPSET.patch attached.
Thanks, will check it when I have the time.
> If a compiled script doesn''t exist, then there is nothing for
> shorewall-init to do. The whole point of Shorewall-init is to execute a
> ''shorewall stop'' prior to starting networking. If there
is no compiled
> script, then there is no way to issue a ''stop'' command.
Quite right, but executing "shorewall stop" requires the firewall
script and since shorewall-init is usually brought up before networking and the
"standard" shorewall, there is no way for this "firewall"
script to materialise since nothing has been run prior to shorewall-init - the
point I was trying to make above.
>> start() should include a "shorewall compile" in one form or
another,
>> or, at the very least execute the $product init script with
"compile"
>> option (that new "compile" options should, of course, be
>> implemented).
> 
> I don''t see the point of that. On any system that has the
Shorewall
> package installed, ${VARDIR} should survive a reboot and there should be
> a compiled script already present. Are you actually running the full
> Shorewall package on a system where ${VARDIR} is in ram disk?
OK, let me explain my use case.

On one of my machines I have 7 interfaces, 2 of which *must* be up when the
system is brought alive (one uses dhcp to obtain its lease, the other is a vpn
to a different location), the rest of the interfaces are brought up in the
standard way (ifup).

For security and performance reasons, I have the whole disk image loaded into
ram, with the exception of the security auditing daemon, SELinux, syslog-ng logs
and some non-essential system settings, which survive the reboot. The rest is
completely lost. The whole root (/) is completely locked and even though changes
are "made" to all files, none of these survive the reboot with the
exceptions I just mentioned.

So, in order to "lock" my firewall *before* the 2 interfaces (or
anything else) are brought up, what I currently do is compile my shorewall
script (shorewall compile), then execute shorewall-init, then bring up the 2 
interfaces, bring the rest of the network up and finally start shorewall.

This is done so that between the time the 2 interfaces are brought up (and my
firewall is completely open) and the rest of the network starts, I would like
everything to be locked out and only the essential stuff to be let in.

The second reason to do this (which I can''t implement at present since
the integration with ifup/ifdown and shorewall-init seems unworkable) is if any
of the 2 interfaces changes its status (goes down, changes its IP address etc),
I have to repeat the above steps and secure the firewall first until either
these interfaces sort themselves out, or, someone logs in (via ssh) to clear the
mess.
>> 4. I would like to be able to execute a bash script which *modifies*
>> the compiled "firewall" file before Shorewall starts or is
reloaded.
>> Is it possible for this to be implemented somehow?
> 
> There is currently no way to do that. What sort of modifications are you
> planning? Might new Shorewall features meet this need?
The stuff I am trying to do is *highly* experimental and not (yet) mainstream.
I''ll email you privately with the details.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> I''ll see what I can do.
> 
> Patch attached.
Thanks, I''ll look into it when time permits.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/01/2012 07:29 PM, Mr Dash Four wrote:
>> Patch CONF.patch attached.
> Will look into it when I have the time.
> 
>>> ERROR: Shorewall Lite is not properly installed The file
>>> /opt/var/lib/shorewall-lite/shorewall-lite/firewall does not exist
>>>
>>> The culprit seems to be in lib.base:
>>>
>>> VARDIR=${VARDIR}/${g_program}
>>>
>>> So, as I mentioned above, VARDIR seems to be carrying inconsistent
>>> definitions across shorewall products which needs to be fixed.
>>
>> Are you referring to the inconsistency mentioned in the release notes
>> ''Migration Considerations'' section? If not, then
I''m not following what
>> problem that you are reporting.
> No. The problem is that VARDIR has different definition, depending on what
shorewall product is deployed, which is wrong.
> 
> For example, VARDIR in shorewall is (usually) /var/lib, in shorewall-lite
is /var/lib/shorewall-lite. To top it all off (and that is particularly glaring
in shorewall-lite''s case), in some parts of the compiled firewall file
(which incorporates various custom files, like params, rules etc) VARDIR is
referred to as /var/lib, but in others it is assumed to be
/var/lib/shorewall-lite.
> 
> Also, in shorewall-lite''s case, at the very beginning of the
"firewall" execution, there was a bunch of hard-coded values of these
variables, causing me a lot of headaches, particularly as I wasn''t
using "standard" directories. What I did though (and I think this
should be the approach adopted), is to source shorewallrc and wipe out any
hard-coded values for these variables. I also had to change the
"VARDIR=${VARDIR}/${g_program}" assignment as shown above in order to
keep the consistency, otherwise I was getting the above error. Hope it is clear,
if not, I have to dig up a test case up.
> 
> 
>> Patch RTSTOPPED.patch attached.
> Will look into it when I have the time.
> 
>>
>>> 4. Shorewall-lite: In systems where I use a different
"PATH" (as in
>>> the bash PATH variable for searching executables), modprobe
statement
>>> in modules.* fails to load ip_tables_raw ("modules.dep cannot
be
>>> found" error) - I suspect there is assumed path
("/sbin:/bin" etc)
>>> somewhere within the shorewall lib files and not what I have
>>> specified in my shorewall(-lite).conf.
>>
>> The ''modules.dep'' file isn''t located via
PATH, AFAIK. It is assumed to
>> be located in /lib/modules/<current-kernel-version>.
> Quite right, but the "modprobe" command I was using was a bloody
busybox abomination and that was executing simply because shorewall was assuming
(or, rather, hard-coding) pre-defined paths, like /sbin and /bin.
> 
> If shorewall was honouring the path variables as I specified in my
shorewall.conf file, it would have executed *my* version of modprobe (which,
incidentally, was in /opt/sbin and compiled *specifically* to look for kernel
modules in /opt/lib/modules/<kernel-version>, together with the correct
modules.dep), thus avoiding the problem I described above.
> 
>> Done.
> Thanks.
> 
>> For those that are worried about this issue, I suggest omitting the
>> ''dhcp'' option from the interfaces file and adding
explicit DHCP rules in
>> the rules and routestopped files.
> This is precisely what I have done. I initially "trusted" this
option, though, decided to check and see what the effect of deploying it is and
I am glad I did, because I realised what was happening.
> 
>> I will add a warning in the manpages.
> I am not sure that would be enough. You are opening a pinhole in the
firewall and warning users about it. There are quite a few gullible individuals
out there who either won''t pay attention to this warning or worse. My
advice would be to either remove it completely or allow it to be specified with
parameters (similar to "nets", i.e. dhcp=255.255.255.255,10.1.1.17).
> 
> 
>>> Also, I do not see much difference between the first statement
above
>>> and the last, which executes in the net2fw chain, which in turn, is
>>> part of INPUT. In other words, I have this:
>>>
>>> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
>>> -A INPUT -i eth0 -j net2fw
>>> [...]
>>> -A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m
comment
>> --comment "BLACKLIST"
>>> -A net2fw -i eth0 -j eth0_iop [...]
>>> -A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
>>> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
>>>
>>> The last statement above is exactly the same as the first!
>>>
>>
>> I''m unable to reproduce the above result. Do you have a simple
test case?
> I''ll prepare a test case when I have more time.
> 
>>> 9. Shorewall-init: From Fedora''s perspective
(don''t know about any
>>> other distros - this might be applicable there also) the init.d
>>> script contains the following:
>>>
>>> restart|reload|force-reload) echo "Not implemented" exit
3 ;;
>>> condrestart|try-restart) echo "Not implemented" exit 3 ;;
>>>
>>> The above could be collapsed into:
>>>
>>> restart|reload|force-reload|condrestart|try-restart) echo "Not
>>> implemented" exit 3 ;;
>>
>> As I understand it, the Fedora init file standards require separate
>> entries.
> Separate entries for what? As it stands, all 6 conditionals are collapsed
into two equal set of statements. I don''t see a problem of going a step
further and collapsing them all into one.
> 
>> I really should deprecate the ''try'' command as it
duplicates the
>> functionality of the ''safe-start'' and
''safe-restart'' commands.
> Are they the same? What I like about "try" is that it starts the
firewall regardless of the state it was in (perfect when I don''t care
what that state was). Can I achieve the same with safe-start then?
> 
> 
>> That''s actually a bug -- patch IPSET.patch attached.
> Thanks, will check it when I have the time.
> 
>> If a compiled script doesn''t exist, then there is nothing for
>> shorewall-init to do. The whole point of Shorewall-init is to execute a
>> ''shorewall stop'' prior to starting networking. If
there is no compiled
>> script, then there is no way to issue a ''stop''
command.
> Quite right, but executing "shorewall stop" requires the firewall
script and since shorewall-init is usually brought up before networking and the
"standard" shorewall, there is no way for this "firewall"
script to materialise since nothing has been run prior to shorewall-init - the
point I was trying to make above.
> 
>>> start() should include a "shorewall compile" in one form
or another,
>>> or, at the very least execute the $product init script with
"compile"
>>> option (that new "compile" options should, of course, be
>>> implemented).
>>
>> I don''t see the point of that. On any system that has the
Shorewall
>> package installed, ${VARDIR} should survive a reboot and there should
be
>> a compiled script already present. Are you actually running the full
>> Shorewall package on a system where ${VARDIR} is in ram disk?
> OK, let me explain my use case.
> 
> On one of my machines I have 7 interfaces, 2 of which *must* be up when the
system is brought alive (one uses dhcp to obtain its lease, the other is a vpn
to a different location), the rest of the interfaces are brought up in the
standard way (ifup).
> 
> For security and performance reasons, I have the whole disk image loaded
into ram, with the exception of the security auditing daemon, SELinux, syslog-ng
logs and some non-essential system settings, which survive the reboot. The rest
is completely lost. The whole root (/) is completely locked and even though
changes are "made" to all files, none of these survive the reboot with
the exceptions I just mentioned.
> 
> So, in order to "lock" my firewall *before* the 2 interfaces (or
anything else) are brought up, what I currently do is compile my shorewall
script (shorewall compile), then execute shorewall-init, then bring up the 2 
interfaces, bring the rest of the network up and finally start shorewall.
> 
> This is done so that between the time the 2 interfaces are brought up (and
my firewall is completely open) and the rest of the network starts, I would like
everything to be locked out and only the essential stuff to be let in.
> 
> The second reason to do this (which I can''t implement at present
since the integration with ifup/ifdown and shorewall-init seems unworkable) is
if any of the 2 interfaces changes its status (goes down, changes its IP address
etc), I have to repeat the above steps and secure the firewall first until
either these interfaces sort themselves out, or, someone logs in (via ssh) to
clear the mess.
> 
>>> 4. I would like to be able to execute a bash script which
*modifies*
>>> the compiled "firewall" file before Shorewall starts or
is reloaded.
>>> Is it possible for this to be implemented somehow?
>>
>> There is currently no way to do that. What sort of modifications are
you
>> planning? Might new Shorewall features meet this need?
> The stuff I am trying to do is *highly* experimental and not (yet)
mainstream. I''ll email you privately with the details.
> 
> 
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
> 

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Please disregard my last post -- I inadvertently hit <send>
(haven''t had
my coffee yet this morning).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 07:04 AM, Tom Eastep wrote:
> On 09/01/2012 07:29 PM, Mr Dash Four wrote:
>>> Are you referring to the inconsistency mentioned in the release
>>> notes ''Migration Considerations'' section? If not,
then I''m not
>>> following what problem that you are reporting.
>> No. The problem is that VARDIR has different definition, depending
>> on what shorewall product is deployed, which is wrong.
>>
>> For example, VARDIR in shorewall is (usually) /var/lib, in
>> shorewall-lite is /var/lib/shorewall-lite. To top it all off (and
>> that is particularly glaring in shorewall-lite''s case), in
some
>> parts of the compiled firewall file (which incorporates various
>> custom files, like params, rules etc) VARDIR is referred to as
>> /var/lib, but in others it is assumed to be
>> /var/lib/shorewall-lite.
>>
>> Also, in shorewall-lite''s case, at the very beginning of the
>> "firewall" execution, there was a bunch of hard-coded values
of
>> these variables, causing me a lot of headaches, particularly as I
>> wasn''t using "standard" directories. What I did
though (and I think
>> this should be the approach adopted), is to source shorewallrc and
>> wipe out any hard-coded values for these variables. I also had to
>> change the "VARDIR=${VARDIR}/${g_program}" assignment as
shown
>> above in order to keep the consistency, otherwise I was getting the
>> above error. Hope it is clear, if not, I have to dig up a test case
>> up.
Here is a diff between two compiled scripts; ''firewall'' is
compiled for
Shorewall and ''firewall1'' is compiled for Shorewall-lite. They
used the
same shorewallrc file and capabilities:

--- firewall	2012-09-02 07:05:27.160915598 -0700
+++ firewall1	2012-09-02 07:06:17.880277969 -0700
@@ -1,6 +1,6 @@
  #!/bin/sh
  #
-# Compiled firewall script generated by Shorewall 4.5.7 - Sun Sep  2 
07:05:27 2012
+# Compiled firewall script generated by Shorewall 4.5.7 - Sun Sep  2 
07:06:17 2012
  #
  #     This program is under GPL 
[http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
  #
@@ -1963,13 +1963,13 @@
      # These variables are required by the library functions called in 
this script
      #
      g_family=4
-    g_confdir=/etc/shorewall
-    g_product=Shorewall
-    g_program=shorewall
-    g_basedir=/usr/share/shorewall
-    CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
+    g_confdir=/etc/shorewall-lite
+    g_product="Shorewall Lite"
+    g_program=shorewall-lite
+    g_basedir=/usr/share/shorewall-lite
+    CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"
      [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
-    [ -n "${VARDIR:=/var/lib/shorewall}" ]
+    [ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
      TEMPFILE      DISABLE_IPV6=""
      MODULESDIR=""
@@ -2035,7 +2035,7 @@

      cat >&3 << __EOF__
  #
-# Generated by Shorewall 4.5.7 - Sun Sep  2 07:05:27 2012
+# Generated by Shorewall 4.5.7 - Sun Sep  2 07:06:17 2012
  #
  *raw
  :PREROUTING ACCEPT [0:0]
@@ -2502,7 +2502,7 @@

      $command <<__EOF__
  #
-# Generated by Shorewall 4.5.7 - Sun Sep  2 07:05:27 2012
+# Generated by Shorewall 4.5.7 - Sun Sep  2 07:06:17 2012
  #
  *raw
  :PREROUTING ACCEPT [0:0]

Here''s the shorewallrc file:

#
# Created by Shorewall Core version 4.5.6-Beta3 configure.pl - Jun 21 
2012 11:26:48
#
HOST=debian
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/share
PERLLIBDIR=${PREFIX}/share/shorewall
CONFDIR=/etc
SBINDIR=/sbin
MANDIR=${PREFIX}/share/man
INITDIR=/etc/init.d
INITSOURCE=init.debian.sh
INITFILE=$PRODUCT
AUXINITSOURCEAUXINITFILESYSTEMDSYSCONFFILE=default.debian
SYSCONFDIR=/etc/default
SPARSE=Yes
ANNOTATEDVARDIR=/var/lib

As you can see, in both cases, VARDIR is set using the directory from 
shorewallrc and the product as the basename.

You do have a copy of the firewall''s shorewallrc file in it''s 
configuration directory, right?
>>
>>
>>> Patch RTSTOPPED.patch attached.
>> Will look into it when I have the time.
>>
>>>
>>>> 4. Shorewall-lite: In systems where I use a different
"PATH"
>>>> (as in the bash PATH variable for searching executables),
>>>> modprobe statement in modules.* fails to load ip_tables_raw
>>>> ("modules.dep cannot be found" error) - I suspect
there is
>>>> assumed path ("/sbin:/bin" etc) somewhere within the
shorewall
>>>> lib files and not what I have specified in my
>>>> shorewall(-lite).conf.
>>>
>>> The ''modules.dep'' file isn''t located via
PATH, AFAIK. It is
>>> assumed to be located in
/lib/modules/<current-kernel-version>.
>> Quite right, but the "modprobe" command I was using was a
bloody
>> busybox abomination and that was executing simply because shorewall
>> was assuming (or, rather, hard-coding) pre-defined paths, like
>> /sbin and /bin.
The PATH variable is set in the same area as the differences shown 
above. It is set from the value in the .conf.
>>
>> If shorewall was honouring the path variables as I specified in my
>> shorewall.conf file, it would have executed *my* version of
>> modprobe (which, incidentally, was in /opt/sbin and compiled
>> *specifically* to look for kernel modules in
>> /opt/lib/modules/<kernel-version>, together with the correct
>> modules.dep), thus avoiding the problem I described above.
>>
Which could have been accomplished using the MODULESDIR option in 
shorewall.conf.
>>> Done.
>> Thanks.
>>
>>> For those that are worried about this issue, I suggest omitting
>>> the ''dhcp'' option from the interfaces file and
adding explicit
>>> DHCP rules in the rules and routestopped files.
>> This is precisely what I have done. I initially "trusted"
this
>> option, though, decided to check and see what the effect of
>> deploying it is and I am glad I did, because I realised what was
>> happening.
>>
>>> I will add a warning in the manpages.
>> I am not sure that would be enough. You are opening a pinhole in
>> the firewall and warning users about it. There are quite a few
>> gullible individuals out there who either won''t pay attention
to
>> this warning or worse. My advice would be to either remove it
>> completely or allow it to be specified with parameters (similar to
>> "nets", i.e. dhcp=255.255.255.255,10.1.1.17).
>>
Okay -- I''ll add it to my todo list.
>>>>
>>>> The last statement above is exactly the same as the first!
>>>>
>>>
>>> I''m unable to reproduce the above result. Do you have a
simple
>>> test case?
>> I''ll prepare a test case when I have more time.
Thanks.
>>
>>>> 9. Shorewall-init: From Fedora''s perspective
(don''t know about
>>>> any other distros - this might be applicable there also) the
>>>> init.d script contains the following:
>>>>
>>>> restart|reload|force-reload) echo "Not implemented"
exit 3 ;;
>>>> condrestart|try-restart) echo "Not implemented" exit
3 ;;
>>>>
>>>> The above could be collapsed into:
>>>>
>>>> restart|reload|force-reload|condrestart|try-restart) echo
"Not
>>>> implemented" exit 3 ;;
>>>
>>> As I understand it, the Fedora init file standards require
>>> separate entries.
>> Separate entries for what? As it stands, all 6 conditionals are
>> collapsed into two equal set of statements. I don''t see a
problem
>> of going a step further and collapsing them all into one.
The Fedora Shorewall maintainer is subscribed to the list; I''ll let him
decide.
>>
>>> I really should deprecate the ''try'' command as it
duplicates the
>>> functionality of the ''safe-start'' and
''safe-restart'' commands.
>> Are they the same? What I like about "try" is that it starts
the
>> firewall regardless of the state it was in (perfect when I
don''t
>> care what that state was). Can I achieve the same with safe-start
>> then?
You can achieve the same thing with safe-restart and with just plain 
restart.
>>> I don''t see the point of that. On any system that has the
>>> Shorewall package installed, ${VARDIR} should survive a reboot
>>> and there should be a compiled script already present. Are you
>>> actually running the full Shorewall package on a system where
>>> ${VARDIR} is in ram disk?
 >>
>> OK, let me explain my use case.
>>
>> On one of my machines I have 7 interfaces, 2 of which *must* be up
>> when the system is brought alive (one uses dhcp to obtain its
>> lease, the other is a vpn to a different location), the rest of the
>> interfaces are brought up in the standard way (ifup).
>>
>> For security and performance reasons, I have the whole disk image
>> loaded into ram, with the exception of the security auditing
>> daemon, SELinux, syslog-ng logs and some non-essential system
>> settings, which survive the reboot. The rest is completely lost.
>> The whole root (/) is completely locked and even though changes are
>> "made" to all files, none of these survive the reboot with
the
>> exceptions I just mentioned.
>>
>> So, in order to "lock" my firewall *before* the 2 interfaces
(or
>> anything else) are brought up, what I currently do is compile my
>> shorewall script (shorewall compile), then execute shorewall-init,
>> then bring up the 2  interfaces, bring the rest of the network up
>> and finally start shorewall.
>>
>> This is done so that between the time the 2 interfaces are brought
>> up (and my firewall is completely open) and the rest of the network
>> starts, I would like everything to be locked out and only the
>> essential stuff to be let in.
>>
>> The second reason to do this (which I can''t implement at
present
>> since the integration with ifup/ifdown and shorewall-init seems
>> unworkable) is if any of the 2 interfaces changes its status (goes
>> down, changes its IP address etc), I have to repeat the above steps
>> and secure the firewall first until either these interfaces sort
>> themselves out, or, someone logs in (via ssh) to clear the mess.
Okay -- for Shorewall and Shorewall6, I can compile the script if it 
doesn''t exist.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> +    g_confdir=/etc/shorewall-lite
> +    g_product="Shorewall Lite"
> +    g_program=shorewall-lite
> +    g_basedir=/usr/share/shorewall-lite
> +    CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"
> +    [ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
Exactly!

Why is g_confdir hard-coded and not set as ${CONFDIR}/shorewall-lite? Why is
g_basedir also hard-coded and not set as ${SHAREDIR}/shorewall-lite? Finally,
since VARDIR is not set yet, it would also be hard-coded to
/var/lib/shorewall-lite.

This is what I have in my "compile" make target for shorewall-lite:

# Contains one hell of an ugly hack!
compile:
	@echo "Compiling shorewall and building
''$(FIREWALL_FILE)'' and
''$(FIREWALL_CONFIG_FILE)''"
	@shorewall compile -T -p -e . $(FIREWALL_FILE)
&>>$(SCREEN_OUTPUT_FILE_NAME)
	@sed -i "s:g_family=4:g_family=4\n\t. $(SHOREWALLRC):"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
	@sed -i
"s:g_confdir=/etc/shorewall-lite:g_confdir=\$${CONFDIR}/shorewall-lite:"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
	@sed -i
"s:g_basedir=/usr/share/shorewall-lite:g_basedir=\$${SHAREDIR}/shorewall-lite:"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
	@sed -i
"s/CONFIG_PATH=\"\/etc\/shorewall-lite:\/usr\/share\/shorewall-lite\"//"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)

As you can see from the above, I source shorewallrc first and then set the
appropriate directories. This isn''t done in shorewall-lite''s
"firewall" script, at least not in version 4.5.6 which is what I am
using.

> The PATH variable is set in the same area as the differences shown 
> above. It is set from the value in the .conf.
lib.cli:3106: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> 
>>> If shorewall was honouring the path variables as I specified in my
>>> shorewall.conf file, it would have executed *my* version of
>>> modprobe (which, incidentally, was in /opt/sbin and compiled
>>> *specifically* to look for kernel modules in
>>> /opt/lib/modules/<kernel-version>, together with the correct
>>> modules.dep), thus avoiding the problem I described above.
>>>
> 
> Which could have been accomplished using the MODULESDIR option in 
> shorewall.conf.
Except that it won''t. It would have executed the busybox modprobe with
my own (new) kernel modules directory, which would also fail. I want to execute
*my* modprobe with *my* kernel modules directory. WHen the PATH is hard-coded it
is hard to do that.
>>>> I really should deprecate the ''try'' command
as it duplicates the
>>>> functionality of the ''safe-start'' and
''safe-restart'' commands.
>>> Are they the same? What I like about "try" is that it
starts the
>>> firewall regardless of the state it was in (perfect when I
don''t
>>> care what that state was). Can I achieve the same with safe-start
>>> then?
> 
> You can achieve the same thing with safe-restart and with just plain 
> restart.
So, restart will start shorewall even if it has not been started?
That''s good if so.
> 
>>> OK, let me explain my use case.
> 
> Okay -- for Shorewall and Shorewall6, I can compile the script if it 
> doesn''t exist.
You mean shorewall-init? Please explain.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 08:06 AM, Mr Dash Four wrote:
>> +    g_confdir=/etc/shorewall-lite
>> +    g_product="Shorewall Lite"
>> +    g_program=shorewall-lite
>> +    g_basedir=/usr/share/shorewall-lite
>> +   
CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"
>> +    [ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
> Exactly!
>
> Why is g_confdir hard-coded and not set as ${CONFDIR}/shorewall-lite? Why
is g_basedir also hard-coded and not set as ${SHAREDIR}/shorewall-lite? Finally,
since VARDIR is not set yet, it would also be hard-coded to
/var/lib/shorewall-lite.
>
THEY ARE NOT HARD-CODED -- They come from the first
''shorewallrc'' file
encountered on your CONFIG_PATH at the time of compilation.
> This is what I have in my "compile" make target for
shorewall-lite:
>
> # Contains one hell of an ugly hack!
> compile:
> 	@echo "Compiling shorewall and building
''$(FIREWALL_FILE)'' and
''$(FIREWALL_CONFIG_FILE)''"
> 	@shorewall compile -T -p -e . $(FIREWALL_FILE)
&>>$(SCREEN_OUTPUT_FILE_NAME)
> 	@sed -i "s:g_family=4:g_family=4\n\t. $(SHOREWALLRC):"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
> 	@sed -i
"s:g_confdir=/etc/shorewall-lite:g_confdir=\$${CONFDIR}/shorewall-lite:"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
> 	@sed -i
"s:g_basedir=/usr/share/shorewall-lite:g_basedir=\$${SHAREDIR}/shorewall-lite:"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
> 	@sed -i
"s/CONFIG_PATH=\"\/etc\/shorewall-lite:\/usr\/share\/shorewall-lite\"//"
$(FIREWALL_FILE) &>>$(SCREEN_OUTPUT_FILE_NAME)
>
> As you can see from the above, I source shorewallrc first and then set the
appropriate directories. This isn''t done in shorewall-lite''s
"firewall" script, at least not in version 4.5.6 which is what I am
using.
>
>
>> The PATH variable is set in the same area as the differences shown
>> above. It is set from the value in the .conf.
> lib.cli:3106:
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>
That''s the default if PATH isn''t set in your 
${CONFDIR}/${g_product}.conf file. And the compiled script doesn''t use 
lib.cli.
>>
>>>> If shorewall was honouring the path variables as I specified in
my
>>>> shorewall.conf file, it would have executed *my* version of
>>>> modprobe (which, incidentally, was in /opt/sbin and compiled
>>>> *specifically* to look for kernel modules in
>>>> /opt/lib/modules/<kernel-version>, together with the
correct
>>>> modules.dep), thus avoiding the problem I described above.
>>>>
>>
>> Which could have been accomplished using the MODULESDIR option in
>> shorewall.conf.
> Except that it won''t. It would have executed the busybox modprobe
with my own (new) kernel modules directory, which would also fail. I want to
execute *my* modprobe with *my* kernel modules directory. WHen the PATH is
hard-coded it is hard to do that.
>
How have you set PATH in ${CONFDIR}/shorewall-lite/shorewall-lite.conf?

>> You can achieve the same thing with safe-restart and with just plain
>> restart.
> So, restart will start shorewall even if it has not been started?
That''s good if so.
>
Yes.
>>
>>>> OK, let me explain my use case.
>>
>> Okay -- for Shorewall and Shorewall6, I can compile the script if it
>> doesn''t exist.
> You mean shorewall-init? Please explain.
Yes -- in the shorewall-init init scripts.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 08:44 AM, Tom Eastep wrote:
> On 09/02/2012 08:06 AM, Mr Dash Four wrote:
>>> +    g_confdir=/etc/shorewall-lite
>>> +    g_product="Shorewall Lite"
>>> +    g_program=shorewall-lite
>>> +    g_basedir=/usr/share/shorewall-lite
>>> +   
CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"
>>> +    [ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
>> Exactly!
>>
>> Why is g_confdir hard-coded and not set as ${CONFDIR}/shorewall-lite?
Why is g_basedir also hard-coded and not set as ${SHAREDIR}/shorewall-lite?
Finally, since VARDIR is not set yet, it would also be hard-coded to
/var/lib/shorewall-lite.
>>
>
> THEY ARE NOT HARD-CODED -- They come from the first
''shorewallrc'' file
> encountered on your CONFIG_PATH at the time of compilation.
And when you specify a configuration directory on the command line, the 
configuration directory becomes the first directory in $CONFIG_PATH.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 08:06 AM, Mr Dash Four wrote:
>> The PATH variable is set in the same area as the differences shown
>> above. It is set from the value in the .conf.
> lib.cli:3106:
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>
When you compile with -e, in addition to ''firewall'', the
compiler also
generates ''firewall.conf''. This is expected to be installed in
${VARDIR}/shorewall-lite/.

In lib.cli below 3106:

[ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

[ -n "$PATH" ] || \
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> THEY ARE NOT HARD-CODED -- They come from the first
''shorewallrc'' file
> encountered on your CONFIG_PATH at the time of compilation.
Ah, right, which is also wrong as they should come from the remote copy of
shorewallrc. I presume that is fixed in your (CONF.patch?) patch, right?

I also forgot to mention the different meaning of VARDIR in shorewall and
shorewall-lite. In the former, this is assumed to be /var/lib, in the latter it
is /var/lib/shorewall-lite, but I suspect you already know that.

>> lib.cli:3106:
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>>
> 
> That''s the default if PATH isn''t set in your 
> ${CONFDIR}/${g_product}.conf file. And the compiled script doesn''t
use
> lib.cli.
I did a little experiment when discovered this bug and explicitly wrote the
existing path just before modprobe was executed. It wasn''t like what I
have specified in my .conf file at all, hence the error I was getting. I had to
alter the file in order to get it to execute my own version of modprobe with the
required modules.
>> Except that it won''t. It would have executed the busybox
modprobe with my own (new) kernel modules directory, which would also fail. I
want to execute *my* modprobe with *my* kernel modules directory. WHen the PATH
is hard-coded it is hard to do that.
>>
> 
> How have you set PATH in ${CONFDIR}/shorewall-lite/shorewall-lite.conf?
CONFIG_PATH="/opt/etc/shorewall:/opt/share/shorewall:/etc/shorewall:/usr/share/shorewall"


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> In lib.cli below 3106:
> 
> [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
> 
> [ -n "$PATH" ] || \
>     PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
In my version of shorewall this is as:

    if [ $# -eq 0 ]; then
	usage 1
    fi

    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT
    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir


As you can see, it is unconditionally hard-coded.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 09:31 AM, Mr Dash Four wrote:
>> THEY ARE NOT HARD-CODED -- They come from the first
''shorewallrc'' file
>> encountered on your CONFIG_PATH at the time of compilation.
> Ah, right, which is also wrong as they should come from the remote copy of
shorewallrc. I presume that is fixed in your (CONF.patch?) patch, right?
No -- the configuration directory is expected to contain the remote 
firewall''s shorewallrc file. This point was not previously explained in
the Shorewall-Lite article :-( It is now.
>
> I also forgot to mention the different meaning of VARDIR in shorewall and
shorewall-lite. In the former, this is assumed to be /var/lib, in the latter it
is /var/lib/shorewall-lite, but I suspect you already know that.
It''s not! The meaning of VARDIR is exactly the same.

Here''s the history:

- Originally, each of the products had their own CLI and libraries. It
   was a maintenance nightmare. Shorewall6 never had the same features
   as Shorewall and the -Lite products were always different from their
   full-featured counterparts.
- In all of these programs and libraries, VARDIR pointed to
   /var/lib/$product.
- I finally bit the bullet and unified all of the code. I retained the
   the meaning of VARDIR.
- When I created the ''shorewallrc'' file, I had to make a
decision about
   what to do with /var/lib; I could call it VARDIR or something else.
   I chose to retain the name VARDIR and have each product append the
   /<product name> to the VARDIR setting from shorewallrc.

So there is two interpretations of VARDIR -- one in the shorewallrc file 
and one in the code.
>
>
>>> lib.cli:3106:
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>>>
>>
>> That''s the default if PATH isn''t set in your
>> ${CONFDIR}/${g_product}.conf file. And the compiled script
doesn''t use
>> lib.cli.
> I did a little experiment when discovered this bug and explicitly wrote the
existing path just before modprobe was executed. It wasn''t like what I
have specified in my .conf file at all, hence the error I was getting. I had to
alter the file in order to get it to execute my own version of modprobe with the
required modules.
>
>>> Except that it won''t. It would have executed the busybox
modprobe with my own (new) kernel modules directory, which would also fail. I
want to execute *my* modprobe with *my* kernel modules directory. WHen the PATH
is hard-coded it is hard to do that.
>>>
>>
>> How have you set PATH in ${CONFDIR}/shorewall-lite/shorewall-lite.conf?
>
CONFIG_PATH="/opt/etc/shorewall:/opt/share/shorewall:/etc/shorewall:/usr/share/shorewall"
Have you installed the firewall.conf file? What does it have for a PATH 
setting? What is the PATH setting in the initialize() function of the 
generated script?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 09:32 AM, Mr Dash Four wrote:
>> In lib.cli below 3106:
>>
>> [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
>>
>> [ -n "$PATH" ] || \
>>      PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> In my version of shorewall this is as:
>
>      if [ $# -eq 0 ]; then
> 	usage 1
>      fi
>
>      PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>      MUTEX_TIMEOUT>
>      [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
>
>
> As you can see, it is unconditionally hard-coded.
Okay -- you can patch it as I described in my earlier email. But that 
still doesn''t explain why loading modules from the generated script
failed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> So there is two interpretations of VARDIR -- one in the shorewallrc file 
> and one in the code.
In other words, VARDIR in shorewallrc is different from VARDIR everywhere else?
And you don''t find that the least bit confusing?
> Have you installed the firewall.conf file? What does it have for a PATH 
> setting?
#
# Shorewall auxiliary configuration file created by Shorewall version 4.5.6 -
Sun Sep  2 15:35:15 2012
#
[ -n
"${PATH:=/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin:/sbin:/bin:/usr/sbin:/usr/bin}"
]


> What is the PATH setting in the initialize() function of the 
> generated script?
   
PATH="/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin:/sbin:/bin:/usr/sbin:/usr/bin"


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Okay -- you can patch it as I described in my earlier email. But that 
> still doesn''t explain why loading modules from the generated
script failed.
Already done. I''ll diff the entire directory where various shorewall
library files are installed in my /opt/shorewall tree. I vaguely remember that I
had to make some modifications to make it work, but don''t know what
were these, so when I run a diff against a "pristine" shorewall-lite
version I am hoping to find out. So lets leave it there for the time being.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/2/12 9:52 AM, Mr Dash Four wrote:
>> So there is two interpretations of VARDIR -- one in the shorewallrc
file
>> and one in the code.
> In other words, VARDIR in shorewallrc is different from VARDIR everywhere
else? And you don''t find that the least bit confusing?
> 
It is confusing when discussing internals. I''ll change the code someday
to use a different variable name.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> In other words, VARDIR in shorewallrc is different from VARDIR
everywhere else? And you don''t find that the least bit confusing?
>>     
>
> It is confusing when discussing internals. I''ll change the code
someday
> to use a different variable name.
>   
You can introduce VARLIB (new variable) in shorewallrc to point to 
"/var/lib" and in the same shorewallrc file to change the existing 
VARDIR to point to ${VARLIB}/$PRODUCT. That way, there is no confusion 
as to the meaning of these two variables and when I source shorewallrc I 
know exactly what I am getting.

As it stands though, when I am debugging the code produced by any 
shorewall product and come across VARDIR, I don''t know what the hell is
that: is it ${VARDIR}/$product or is just the original $VARDIR from 
shorewallrc.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 10:33 AM, Mr Dash Four wrote:
>
>>> In other words, VARDIR in shorewallrc is different from VARDIR
everywhere else? And you don''t find that the least bit confusing?
>>>
>>
>> It is confusing when discussing internals. I''ll change the
code someday
>> to use a different variable name.
>>
> You can introduce VARLIB (new variable) in shorewallrc to point to
> "/var/lib" and in the same shorewallrc file to change the
existing
> VARDIR to point to ${VARLIB}/$PRODUCT. That way, there is no confusion
> as to the meaning of these two variables and when I source shorewallrc I
> know exactly what I am getting.
>
> As it stands though, when I am debugging the code produced by any
> shorewall product and come across VARDIR, I don''t know what the
hell is
> that: is it ${VARDIR}/$product or is just the original $VARDIR from
> shorewallrc.
>
Thanks -- I''ve been thinking along the same lines.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Patch CONF.patch attached.
[me@test1 dmz]$ shorewall compile -T -p -e
Compiling...
   ERROR: Ordinary users may not compile the /etc/shorewall configuration
Terminated
[me@test1 dmz]$ shorewall compile -T -p -e .
   ERROR: . is a directory
[me@test1 dmz]$ shorewall compile -T -p -e . firewall
Compiling...
Processing /home/me/shorewall/dmz/params ...
Processing /home/me/shorewall/dmz/shorewall.conf...
Compiling /home/me/shorewall/dmz/zones...
Compiling /home/me/shorewall/dmz/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /home/me/shorewall/dmz/action.Drop for chain Drop...
Compiling /home/me/shorewall/dmz/action.Reject for chain Reject...
Compiling /home/me/shorewall/dmz/policy...
Compiling /home/me/shorewall/dmz/notrack...
   ERROR: Unable to open /opt/share/shorewall//lib.core: No such file or
directory at /usr/share/perl5/Shorewall/Config.pm line 970
	Shorewall::Config::fatal_error(''Unable to open
/opt/share/shorewall//lib.core: No such file o...'') called at
/usr/share/perl5/Shorewall/Config.pm line 1803
	Shorewall::Config::copy(''/opt/share/shorewall//lib.core'')
called at /usr/share/perl5/Shorewall/Compiler.pm line 92
	Shorewall::Compiler::generate_script_1(''firewall'') called at
/usr/share/perl5/Shorewall/Compiler.pm line 680
	Shorewall::Compiler::compiler(''script'',
''firewall'', ''directory'',
''/home/me/shorewall/dmz'', ''verbosity'', 1,
''timestamp'', 0, ''debug'', ...) called at
/usr/libexec/shorewall/compiler.pl line 134

lib.core is copied into my current directory. My CONFIG_PATH is
CONFIG_PATH=".:/opt/etc/shorewall:/opt/share/shorewall:/etc/shorewall:/usr/share/shorewall"
(on a separate note, I think I should not have to include "." in that
path - this should be assumed automatically by shorewall, I think, as I am
compiling for a remote system).
> Patch RTSTOPPED.patch attached.
OK, there is a bit of a problem which I haven''t accounted for...

Suppose I have this:

routestopped
~~~~~~~~~~~~
eth0 +mickey-mouse-net source

This produces mickey-mouse-net src in INPUT as well as FORWARD. OUTPUT is
untouched (nothing is there).

When I have this:

eth0 +mickey-mouse-net dest

This produces mickey-mouse-net src in INPUT, mickey-mouse-net dst in FORWARD and
mickey-mouse-net dst in OUTPUT (I am not sure about that!).

Things get a bit more hairy when I use multi-dimensional sets:

eth0 +mickey-mouse-net[dst,dst]	dest

Gets me this:

 ERROR: Unknown Host (dst]) /home/me/shorewall/dmz/routestopped (line 16) at
/usr/share/perl5/Shorewall/Config.pm line 970
	Shorewall::Config::fatal_error(''Unknown Host (dst])'') called
at /usr/share/perl5/Shorewall/IPAddrs.pm line 157
	Shorewall::IPAddrs::validate_4address(''dst]'', 1) called at
/usr/share/perl5/Shorewall/IPAddrs.pm line 220
	Shorewall::IPAddrs::validate_4net(''dst]'', 1) called at
/usr/share/perl5/Shorewall/IPAddrs.pm line 780
	Shorewall::IPAddrs::validate_net(''dst]'', 1) called at
/usr/share/perl5/Shorewall/Chains.pm line 4886
	Shorewall::Chains::imatch_source_net(''dst]'') called at
/usr/share/perl5/Shorewall/Misc.pm line 577
	Shorewall::Misc::process_routestopped() called at
/usr/share/perl5/Shorewall/Misc.pm line 2356
	Shorewall::Misc::compile_stop_firewall(0, 1) called at
/usr/share/perl5/Shorewall/Compiler.pm line 848
	Shorewall::Compiler::compiler(''script'',
''firewall'', ''directory'',
''/home/me/shorewall/dmz'', ''verbosity'', 2,
''timestamp'', 0, ''debug'', ...) called at
/usr/libexec/shorewall/compiler.pl line 134

I have to say, I am not sure how this is going to be dealt with though. If I
were you, I would scrap this source/dest malarkey and have a straight
definitions as I currently use in the rules file (or blrules). Let the user
decide in what direction what rules should exist. WHen ipsets are used, there
are quite a few possible nasty twists, like
"+[set1[dst,src],set2[src,dst]]" - you get my drift. So, if you are
going to support ipsets in rulestopped, then I''d suggest to scrap the
existing format and use the exiting one from etiher rules or blrules. Any better
ideas?
>> Also, I do not see much difference between the first statement above
>> and the last, which executes in the net2fw chain, which in turn, is
>> part of INPUT. In other words, I have this:
>>
>> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
>> -A INPUT -i eth0 -j net2fw
>> [...]
>> -A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m comment
> --comment "BLACKLIST"
>> -A net2fw -i eth0 -j eth0_iop [...]
>> -A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
>> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
>>
>> The last statement above is exactly the same as the first!
>>
> 
> I''m unable to reproduce the above result. Do you have a simple
test case?
This has to wait a bit longer though. I''ll get on it in a day or two.



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>>> 6. Shorewall(-lite): The following could be optimised:
>>>
>>> interfaces ~~~~~~~~~~ vpn eth1
>>>
arp_filter=1,arp_ignore=2,logmartians=1,nets=10.1.1.0/24,nosmurfs,routefilter=1,tcpflags
>>>
>>>
>>> red eth2
>>>
arp_filter=1,arp_ignore=2,logmartians=1,nosmurfs,routefilter=1,tcpflags
>>>
>>> Produces:
>>>
>>> -A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j
>>> smurfs -A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs
[...]
>>> -A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags -A vpn2net -p tcp -j
>>> tcpflags
>>>
>>> This could be optimised to just the second line in both statements
>>> above (I have OPTIMIZE=15 in shorewall.conf)
>>
>>
>> I''ll see what I can do.
> 
> Patch attached.
Yep, that now works as expected.



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/02/2012 06:34 PM, Mr Dash Four wrote:
>
>> Patch CONF.patch attached.
> [me@test1 dmz]$ shorewall compile -T -p -e
> Compiling...
>     ERROR: Ordinary users may not compile the /etc/shorewall configuration
> Terminated
> [me@test1 dmz]$ shorewall compile -T -p -e .
>     ERROR: . is a directory
> [me@test1 dmz]$ shorewall compile -T -p -e . firewall
> Compiling...
> Processing /home/me/shorewall/dmz/params ...
> Processing /home/me/shorewall/dmz/shorewall.conf...
> Compiling /home/me/shorewall/dmz/zones...
> Compiling /home/me/shorewall/dmz/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /home/me/shorewall/dmz/action.Drop for chain Drop...
> Compiling /home/me/shorewall/dmz/action.Reject for chain Reject...
> Compiling /home/me/shorewall/dmz/policy...
> Compiling /home/me/shorewall/dmz/notrack...
>     ERROR: Unable to open /opt/share/shorewall//lib.core: No such file or
directory at /usr/share/perl5/Shorewall/Config.pm line 970
> 	Shorewall::Config::fatal_error(''Unable to open
/opt/share/shorewall//lib.core: No such file o...'') called at
/usr/share/perl5/Shorewall/Config.pm line 1803
> 
Shorewall::Config::copy(''/opt/share/shorewall//lib.core'')
called at /usr/share/perl5/Shorewall/Compiler.pm line 92
> 	Shorewall::Compiler::generate_script_1(''firewall'')
called at /usr/share/perl5/Shorewall/Compiler.pm line 680
> 	Shorewall::Compiler::compiler(''script'',
''firewall'', ''directory'',
''/home/me/shorewall/dmz'', ''verbosity'', 1,
''timestamp'', 0, ''debug'', ...) called at
/usr/libexec/shorewall/compiler.pl line 134
>
> lib.core is copied into my current directory. My CONFIG_PATH is
CONFIG_PATH=".:/opt/etc/shorewall:/opt/share/shorewall:/etc/shorewall:/usr/share/shorewall"
(on a separate note, I think I should not have to include "." in that
path - this should be assumed automatically by shorewall, I think, as I am
compiling for a remote system).
>
lib.core isn''t a configuration file; it is part of the Shorewall 
installation. The compiler therefore doesn''t use CONFIG_PATH but rather
assumes that it will be installed in ${SHAREDIR}/shorewall.

I agree about including "."; it is already included when using the 
''load'', ''reload'' and
''export'' commands.
>> Patch RTSTOPPED.patch attached.
>
> OK, there is a bit of a problem which I haven''t accounted for...
>
> Suppose I have this:
>
> routestopped
> ~~~~~~~~~~~~
> eth0 +mickey-mouse-net source
>
> This produces mickey-mouse-net src in INPUT as well as FORWARD. OUTPUT is
untouched (nothing is there).
>
> When I have this:
>
> eth0 +mickey-mouse-net dest
>
> This produces mickey-mouse-net src in INPUT, mickey-mouse-net dst in
FORWARD and mickey-mouse-net dst in OUTPUT (I am not sure about that!).
>
> Things get a bit more hairy when I use multi-dimensional sets:
>
> eth0 +mickey-mouse-net[dst,dst]	dest
>
> Gets me this:
>
>   ERROR: Unknown Host (dst]) /home/me/shorewall/dmz/routestopped (line 16)
at /usr/share/perl5/Shorewall/Config.pm line 970
> 	Shorewall::Config::fatal_error(''Unknown Host (dst])'')
called at /usr/share/perl5/Shorewall/IPAddrs.pm line 157
> 	Shorewall::IPAddrs::validate_4address(''dst]'', 1) called
at /usr/share/perl5/Shorewall/IPAddrs.pm line 220
> 	Shorewall::IPAddrs::validate_4net(''dst]'', 1) called at
/usr/share/perl5/Shorewall/IPAddrs.pm line 780
> 	Shorewall::IPAddrs::validate_net(''dst]'', 1) called at
/usr/share/perl5/Shorewall/Chains.pm line 4886
> 	Shorewall::Chains::imatch_source_net(''dst]'') called at
/usr/share/perl5/Shorewall/Misc.pm line 577
> 	Shorewall::Misc::process_routestopped() called at
/usr/share/perl5/Shorewall/Misc.pm line 2356
> 	Shorewall::Misc::compile_stop_firewall(0, 1) called at
/usr/share/perl5/Shorewall/Compiler.pm line 848
> 	Shorewall::Compiler::compiler(''script'',
''firewall'', ''directory'',
''/home/me/shorewall/dmz'', ''verbosity'', 2,
''timestamp'', 0, ''debug'', ...) called at
/usr/libexec/shorewall/compiler.pl line 134
>
> I have to say, I am not sure how this is going to be dealt with though. If
I were you, I would scrap this source/dest malarkey and have a straight
definitions as I currently use in the rules file (or blrules). Let the user
decide in what direction what rules should exist. WHen ipsets are used, there
are quite a few possible nasty twists, like
"+[set1[dst,src],set2[src,dst]]" - you get my drift. So, if you are
going to support ipsets in rulestopped, then I''d suggest to scrap the
existing format and use the exiting one from etiher rules or blrules. Any better
ideas?
>
Yes -- looks like we need a FORMAT 2 routestopped file in order to 
handle multi-dimensional sets.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 2 September 2012 15:25, Tom Eastep <teastep@shorewall.net>
wrote:
> On 09/02/2012 07:04 AM, Tom Eastep wrote:
>> On 09/01/2012 07:29 PM, Mr Dash Four wrote:
>>>>> 9. Shorewall-init: From Fedora''s perspective
(don''t know about
>>>>> any other distros - this might be applicable there also)
the
>>>>> init.d script contains the following:
>>>>>
>>>>> restart|reload|force-reload) echo "Not
implemented" exit 3 ;;
>>>>> condrestart|try-restart) echo "Not implemented"
exit 3 ;;
>>>>>
>>>>> The above could be collapsed into:
>>>>>
>>>>> restart|reload|force-reload|condrestart|try-restart) echo
"Not
>>>>> implemented" exit 3 ;;
>>>>
>>>> As I understand it, the Fedora init file standards require
>>>> separate entries.
>>> Separate entries for what? As it stands, all 6 conditionals are
>>> collapsed into two equal set of statements. I don''t see a
problem
>>> of going a step further and collapsing them all into one.
>
> The Fedora Shorewall maintainer is subscribed to the list; I''ll
let him
> decide.
>
While the suggestion is technically correct, it''s simply a cosmetic
fix - I think it''s best just to leave it alone - after all, nothing is
broken. Also init scripts are now legacy on Fedora systems anyway.

Jonathan.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> lib.core isn''t a configuration file; it is part of the Shorewall 
> installation. The compiler therefore doesn''t use CONFIG_PATH but
rather
> assumes that it will be installed in ${SHAREDIR}/shorewall.
>   
True, and I presume since the remote shorewallrc is used, this throws 
the compiler off as no such file exists on the HOST system. Hmm, 
interesting this...

Can shorewall load (and use) the HOST shorewallrc for the "core 
libraries" (the ones needed for compilation for producing firewall and 
firewall.conf for remote system) and use the remote shorewallrc for 
everything else? Would that be possible? The idea is that if the core 
libraries on the host are going to be used, than it makes sense for them 
to adopt the host shorewallrc file, while the compiler uses the remote 
version of shorewallrc for building firewall and firewall.conf.

I presume apart from the lib.* files and the shorewall executable, along 
with getparams and various perl libraries there isn''t much else.
> Yes -- looks like we need a FORMAT 2 routestopped file in order to 
> handle multi-dimensional sets.
>   
I was thinking more along the lines of the approach you adopted with 
"blacklist" and "blrules" files, which I quite liked - use a
new file
(say, "rulestopped") along the old routestopped (without ipset
support)
and after a while (a couple of revisions), you deprecate the old 
routestopped in favour of rulestopped where you can grant full ipsets 
support. That way you don''t have to touch the existing routestopped at 
all and start afresh with the new rulestopped.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/3/12 7:13 AM, Mr Dash Four wrote:
> 
>> lib.core isn''t a configuration file; it is part of the
Shorewall
>> installation. The compiler therefore doesn''t use CONFIG_PATH
but rather
>> assumes that it will be installed in ${SHAREDIR}/shorewall.
>>   
> True, and I presume since the remote shorewallrc is used, this throws 
> the compiler off as no such file exists on the HOST system. Hmm, 
> interesting this...
> 
> Can shorewall load (and use) the HOST shorewallrc for the "core 
> libraries" (the ones needed for compilation for producing firewall and
> firewall.conf for remote system) and use the remote shorewallrc for 
> everything else? Would that be possible? The idea is that if the core 
> libraries on the host are going to be used, than it makes sense for them 
> to adopt the host shorewallrc file, while the compiler uses the remote 
> version of shorewallrc for building firewall and firewall.conf.
> 
> I presume apart from the lib.* files and the shorewall executable, along 
> with getparams and various perl libraries there isn''t much else.
I''ve implemented code that works around this along with a new
''stoppedrules'' file.

I haven''t finished the manpages for the latter, but when I do finish
them, do you want me to send you early copies of the Shorewall-core,
Shorewall and Shorewall-lite tarballs?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> I''ve implemented code that works around this along with a new
> ''stoppedrules'' file.
>
> I haven''t finished the manpages for the latter, but when I do
finish
> them, do you want me to send you early copies of the Shorewall-core,
> Shorewall and Shorewall-lite tarballs?
>   
Please do. As always, I am a willing tester, particularly where I''ve 
reported the bugs/requested the new features, so yes, count me in, 
though with the standard caveat of "time-permitting".

I might also send you something else I came across recently, which I 
already implemented on all my systems here and which I think shorewall 
could benefit greatly, but that''s for another day...


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Also, I do not see much difference between the first statement above and
the last, which executes in the net2fw chain, which in turn, is part of INPUT.
In other words, I have this:
> 
> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
> -A INPUT -i eth0 -j net2fw
> [...]
> -A net2fw -m conntrack --ctstate NEW,INVALID -j ~blacklist0 -m comment
--comment "BLACKLIST"
> -A net2fw -i eth0 -j eth0_iop
> [...]
> -A eth0_iop -m conntrack --ctstate NEW,INVALID -j smurfs
> -A eth0_iop -p udp --dport 67:68 -j ACCEPT
> 
> The last statement above is exactly the same as the first!
Since upgrading to 4.5.8-Beta1, I am unable to reproduce this (with the same
shorewall configuration), so I presume whatever it was that was causing this, it
has now been fixed.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/