thr3ads.net - Shorewall users - [Shorewall-users] The ''check'' command [Feb 2003]

If this information is useful, please help other people find it:
Share via:

Tom Eastep

2003-Feb-27 14:24 UTC

[Shorewall-users] The ''check'' command

I will be resurrecting the ''check'' command in 1.4.0 Beta 3
(which may be
named RC1).

a) For checking the ''rules'' file, it will use the same code
that processes
that file for the [re]start command with the exception that
''iptables''
won''t be run. While this will make the code easier to maintain, it
probably
won''t do any better job of finding errors than the old code and it may
slow
down the [re]start command by a small percentage.

b) When it starts and when it completes without error, ''check''
will print
the following:

WARNING: THE ''check'' COMMAND IS TOTALLY UNSUPPORTED AND NO
         PROBLEM REPORTS COMPLAINING OF ERRORS THAT IT DOESN''T
         CATCH WILL BE ACCEPTED

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep

2003-Feb-28 06:57 UTC

head link

[Shorewall-users] The ''check'' command

--On Friday, February 28, 2003 10:48:20 AM +0200 Tuomo Soini 
<tis@foobar.fi> wrote:
>>
>> WARNING: THE ''check'' COMMAND IS TOTALLY UNSUPPORTED
AND NO
>>         PROBLEM REPORTS COMPLAINING OF ERRORS THAT IT DOESN''T
>>         CATCH WILL BE ACCEPTED
>
> I don''t think this warning is good idea. Some of us give customers
access
> to shorewall and I think it''s not good idea to have such warning
when
> program is run. Less shouting warning would be ok. Like:
>
> WARNING: Shorewall ''check'' command will only run
shorewall''s internal
> check for config file. It won''t guarantee that firewall rules are
> correct. See more info from documentation.
>
It''s staying the way that it is (although I''ve changed the
wording
slightly). I don''t want anyone claiming that they didn''t see
or understand
the warning. The large bold red font in the documentation has been 
invisible to a lot of otherwise intelligent people and I''m afraid that
the
subtle text that you propose would be similarly easy to ignore or to 
mis-interpret.

I didn''t want to implement the ''check'' command in the
first place because I
knew that it would be a support headache. As a compromise, I''m
providing it
''as-is'' and I don''t want any misunderstanding about
its status.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Shorewall users - Feb 2003 - The ''check'' command

[Shorewall-users] The ''check'' command

[Shorewall-users] The ''check'' command