Nachman Yaakov Ziskind
2003-Feb-22 18:41 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
-----------------------------------------------------------------------------
Shorewall 1.2.12

# uname -a
Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:e1:e3:8b brd ff:ff:ff:ff:ff:ff
    inet 64.49.72.186/30 brd 64.49.72.187 scope global eth0
    inet 216.236.142.81/32 scope global eth0
    inet 216.236.142.82/32 scope global eth0
    inet 216.236.142.83/32 scope global eth0
    inet 216.236.142.84/32 scope global eth0
    inet 216.236.142.85/32 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:03:91:bc brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.200/24 brd 10.1.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:57:55:be brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.200/24 brd 10.1.2.200 scope global eth2

# lsmod
Module                  Pages    Used by
ip_nat_ftp               2672   0 (unused)
ip_conntrack_ftp         2848   0 (unused)
3c59x                   24504   3
-----------------------------------------------------------------------------

While:

ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp,pop-3

works fine,

ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp, pop-3

seems to be a no-op:

Rule "ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp, pop-3" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted

But the effects are not as intended:

Feb 23 02:31:15 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=66.93.190.170 DST=10.1.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=25683 DF PROTO=TCP SPT=3635 DPT=2023 WINDOW=8192 RES=0x00 SYN URGP=0

I suppose I'm missing something here. If the rule is not being processed, why indicate that it is? And if it is a syntax error, why not just say so? So, is this a bug or a feature?

--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                 awacs@egps.com
Attorney and Counselor-at-Law                   http://yankel.com
Economic Group Pension Services                 http://egps.com
Actuaries and Employee Benefit Consultants
Tom Eastep
2003-Feb-22 19:26 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
Nachman Yaakov Ziskind wrote:
>
> While:
>
> ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp,pop-3
> works fine,
>
> ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp, pop-3
> seems to be a no-op:

It's NOT a no-op. It says that the destination port is smtp, 2023 or ftp and the source port is pop-3. Nowhere in the documentation does it say that a comma-separated list can't start or end with a comma.

>
> So, is this a bug or a feature?
>

It's a feature -- learn to type. I have half the user base whining about how slow Shorewall is to start and the other half whining about arcane syntax errors such as this one that aren't caught. Given that Shorewall is just a set of shell scripts, I don't feel that it is possible to satisfy both camps...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Feb-22 19:38 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
Tom Eastep wrote:
> Given that Shorewall
> is just a set of shell scripts, I don't feel that it is possible to
> satisfy both camps...
>

My point here is that the shell has crude pattern matching capability and no builtin regular expression processing. This is just one example of why Shorewall 2.* will use a different language...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Feb-22 20:05 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
Tom Eastep wrote:
>
> My point here is that the shell has crude pattern matching capability
> and no builtin regular expression processing. This is just one example
> of why Shorewall 2.* will use a different language...
>

Despite my blustering, I've determined a cheap way to at least issue a warning if a comma-separated list begins or ends with ",". The change will be included in the next 1.4.0 Beta...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Ed Greshko
2003-Feb-22 20:07 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
On Sat, 22 Feb 2003, Tom Eastep wrote:
> It's a feature -- learn to type. I have half the user base whining about
> how slow Shorewall is to start and the other half whining about arcane
> syntax errors such as this one that aren't caught. Given that Shorewall
> is just a set of shell scripts, I don't feel that it is possible to
> satisfy both camps...

Hey! What about that third half that never whine? You know, the ones that know how to type, how to read/understand the documentation, and how to read log files? OK, granted most of them don't contribute much...but at least we don't keep you up at night or raise your blood pressure. :-)

Ed
--
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com
Tom Eastep
2003-Feb-22 20:13 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
Ed Greshko wrote:
> Hey! What about that third half that never whine? You know, the ones
> that know how to type, how to read/understand the documentation, and how
> to read log files? OK, granted most of them don't contribute much...but
> at least we don't keep you up at night or raise your blood pressure. :-)

Yes, you're completely right Ed -- thanks for reminding me about the "silent third". But the other two thirds contribute also -- I may rant and rave for a while when I get their posts but Shorewall is a better product because of people like Nachman that speak up when something doesn't seem to work right...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Ed Greshko
2003-Feb-22 20:17 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
On Sat, 22 Feb 2003, Tom Eastep wrote:
> But the other two thirds contribute also -- I may rant and rave for a
> while when I get their posts but Shorewall is a better product because
> of people like Nachman that speak up when something doesn't seem to work
> right...

Oooopssss. I've been living outside of the US for too long! I didn't mean to imply that the first 2-halves didn't contribute.... I meant that the silent ones don't....myself certainly included. We sit back on the side lines and take in the action learning from others. We, I do it, see a query we can answer but we think....that is so simple....and we don't take the time to respond.

So, very sorry if I have offended anyone....I meant to take a poke at myself. I totally missed the mark.

Thanks Tom....

--
http://www.shorewall.net/ for all your firewall needs
Tom Eastep
2003-Feb-22 20:22 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
--On Sunday, February 23, 2003 12:17:21 PM +0800 Ed Greshko <Edward.M.Greshko@syntegra.com> wrote:

> On Sat, 22 Feb 2003, Tom Eastep wrote:
>
>> But the other two thirds contribute also -- I may rant and rave for a
>> while when I get their posts but Shorewall is a better product because
>> of people like Nachman that speak up when something doesn't seem to work
>> right...
>
> Oooopssss. I've been living outside of the US for too long! I didn't
> mean to imply that the first 2-halves didn't contribute.... I meant that
> the silent ones don't....myself certainly included. We sit back on the
> side lines and take in the action learning from others. We, I do it, see
> a query we can answer but we think....that is so simple....and we don't
> take the time to respond.
>
> So, very sorry if I have offended anyone....I meant to take a poke at
> myself. I totally missed the mark.
>
> Thanks Tom....

Someone suggested that I should adopt a 12-hour rule -- I shouldn't respond to new problem reports for twelve hours. This would:

a) Allow others to respond and thus expand the support base.
b) Allow me to cool off before I responded.

That was good advice -- I just have a hard time remembering to follow it :-)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Gonzalo Servat
2003-Feb-22 21:12 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
On 22/02/2003 8:22 PM -0800 Tom Eastep wrote:
> Someone suggested that I should adopt a 12-hour rule -- I shouldn't
> respond to new problem reports for twelve hours. This would:
>
> a) Allow others to respond and thus expand the support base.
> b) Allow me to cool off before I responded.
>
> That was good advice -- I just have a hard time remembering to follow it
> :-)

Also:

c) If a & b fail, the user will try and sort it out themselves which is usually the best way to learn.. :)

Regards,
Gonzalo.

P.S: Good to see you're using Mulberry Tom... it rocks, huh?
Tom Eastep
2003-Feb-23 06:15 UTC
[Shorewall-users] Spaces not allowed in comma separated lists?
Tom Eastep wrote:
> Tom Eastep wrote:
>
>>
>> My point here is that the shell has crude pattern matching capability
>> and no builtin regular expression processing. This is just one example
>> of why Shorewall 2.* will use a different language...
>>
>
> Despite my blustering, I've determined a cheap way to at least issue a
> warning if a comma-separated list begins or ends with ",". The change
> will be included in the next 1.4.0 Beta...
>

And having slept on the problem, this morning I coded up and tested a change whereby the warning is now the proper form of error (i.e., if it occurs during "shorewall [re]start", it will cause the firewall to transition to the stopped state, etc.). Again - the change is in CVS now and will be in the next Beta.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
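The two things this thread turns on, shown in POSIX sh as an added example that is not Shorewall's own code: how unquoted word splitting turns "smtp,2023,ftp, pop-3" into a DEST PORT(S) column of "smtp,2023,ftp," plus a SOURCE PORT(S) column of "pop-3" (Tom's first reply), and the begins-or-ends-with-"," check that his 1.4.0 change rejects as an error. The column layout ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) is assumed from the 1.x rules file; the sample rules are the two from Nachman's report.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Assumed rules-file column layout:
# ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S).

# The check from the thread: a comma-separated list must not begin or end
# with ",". Returns 0 when the list is well formed, 1 otherwise.
check_list() {
    case "$1" in
        ,*|*,) return 1 ;;
    esac
    return 0
}

# Show how unquoted word splitting carves one rules line into columns:
# prints "dport=<DEST PORTS> sport=<SOURCE PORTS>". The space after "ftp,"
# in the reported rule makes "pop-3" land in the SOURCE PORT(S) column.
split_rule() {
    # shellcheck disable=SC2086
    set -- $1
    echo "dport=$5 sport=$6"
}

# Validate both port lists of a rules line. Returns 0 when they are well
# formed; prints an error and returns 1 when a list begins or ends with ",",
# instead of silently loading the rule with the wrong meaning.
validate_rule() {
    # shellcheck disable=SC2086
    set -- $1
    for list in "$5" "$6"; do
        if [ -n "$list" ] && ! check_list "$list"; then
            echo "ERROR: port list \"$list\" begins or ends with \",\" in rule: $*" >&2
            return 1
        fi
    done
    return 0
}

# Sample rules taken from the original report.
GOOD_RULE='ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp,pop-3'
BAD_RULE='ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp, pop-3'

split_rule "$GOOD_RULE"              # dport=smtp,2023,ftp,pop-3 sport=
split_rule "$BAD_RULE"               # dport=smtp,2023,ftp, sport=pop-3
validate_rule "$GOOD_RULE"           # returns 0, prints nothing
validate_rule "$BAD_RULE" || true    # ERROR: port list "smtp,2023,ftp," begins or ends with "," ...
```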
/(bb|[^b]{2})/

> > Given that Shorewall
> > is just a set of shell scripts, I don't feel that it is possible to
> > satisfy both camps...
>
> My point here is that the shell has crude pattern matching capability
> and no builtin regular expression processing. This is just one example
> of why Shorewall 2.* will use a different language...

REs -- the best reason to use Perl... ;-) Besides the camel book you already have, I suggest 'Mastering Regular Expressions' (O'Reilly of course) to learn everything about REs you ever wanted and never wanna...

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!