Shorewall users - Feb 2003 - Spaces not allowed in comma separated lists?

-----------------------------------------------------------------------------
Shorewall 1.2.12
# uname -a
Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:e1:e3:8b brd ff:ff:ff:ff:ff:ff
    inet 64.49.72.186/30 brd 64.49.72.187 scope global eth0
    inet 216.236.142.81/32 scope global eth0
    inet 216.236.142.82/32 scope global eth0
    inet 216.236.142.83/32 scope global eth0
    inet 216.236.142.84/32 scope global eth0
    inet 216.236.142.85/32 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:03:91:bc brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.200/24 brd 10.1.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:57:55:be brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.200/24 brd 10.1.2.200 scope global eth2
# lsmod
Module         Pages    Used by
ip_nat_ftp              2672   0 (unused)
ip_conntrack_ftp        2848   0 (unused)
3c59x                  24504   3
-----------------------------------------------------------------------------

While:

ACCEPT          net  loc:10.1.1.1               tcp smtp,2023,ftp,pop-3
works fine,

ACCEPT          net  loc:10.1.1.1               tcp smtp,2023,ftp, pop-3
seems to be a no-op:

Rule "ACCEPT net loc:10.1.1.1 tcp smtp,2023,ftp, pop-3" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted

But the effects are not as intended:

Feb 23 02:31:15 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1
SRC=66.93.190.170 DST=10.1.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=25683 DF
PROTO=TCP SPT=3635 DPT=2023 WINDOW=8192 RES=0x00 SYN URGP=0 


I suppose I''m missing something here. If the rule is not being
processed, why
indicate that it is? And if it is a syntax error, why not just say so?

So, is this a bug or a feature?

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM         awacs@egps.com
Attorney and Counselor-at-Law           http://yankel.com
Economic Group Pension Services         http://egps.com
Actuaries and Employee Benefit Consultants

Nachman Yaakov Ziskind wrote:
> 
> While:
> 
> ACCEPT          net  loc:10.1.1.1               tcp smtp,2023,ftp,pop-3
> works fine,
> 
> ACCEPT          net  loc:10.1.1.1               tcp smtp,2023,ftp, pop-3
> seems to be a no-op:
It''s NOT a no-op. It says that the destination port is smtp, 2023 or
ftp
and the source port is pop-3. Nowhere in the documentation does it say 
that a comma-separated list can''t start or end with a comma.

> 
> So, is this a bug or a feature?
> 
It''s a feature -- learn to type. I have half the user base whining
about
how slow Shorewall is to start and the other half whining about archane 
syntax errors such as this one that aren''t caught. Given that Shorewall
is just a set of shell scripts, I don''t feel that it is possible to 
satisfy both camps...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:

> Given that Shorewall 
> is just a set of shell scripts, I don''t feel that it is possible
to
> satisfy both camps...
> 
My point here is that the shell has crude pattern matching capability 
and no builtin regular expression processing. This is just one example 
of why Shorewall 2.* will use a different language...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> 
> My point here is that the shell has crude pattern matching capability 
> and no builtin regular expression processing. This is just one example 
> of why Shorewall 2.* will use a different language...
> 
Despite my blustering, I''ve determined a cheap way to at least issue a 
warning if a comma-separated list begins or ends with ",". The change 
will be included in the next 1.4.0 Beta...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Sat, 22 Feb 2003, Tom Eastep wrote:
> It''s a feature -- learn to type. I have half the user base whining
about
> how slow Shorewall is to start and the other half whining about archane
> syntax errors such as this one that aren''t caught. Given that
Shorewall
> is just a set of shell scripts, I don''t feel that it is possible
to
> satisfy both camps...
Hey!  What about that third half that never whine?  You know, the ones
that know how to type, how to read/understand the documentation, and how
to read log files?  OK, granted most of them don''t contribute
much...but
at least we don''t keep you up at night or raise your blood pressure. 
:-)

Ed

-- 
http://www.shorewall.net/  for all your firewall needs
http://www.greshko.com

Ed Greshko wrote:
> Hey!  What about that third half that never whine?  You know, the ones
> that know how to type, how to read/understand the documentation, and how
> to read log files?  OK, granted most of them don''t contribute
much...but
> at least we don''t keep you up at night or raise your blood
pressure.  :-)
Yes, you''re completely right Ed -- thanks for reminding me about the 
"silent third".

But the other two thirds contribute also -- I may rant and rave for a 
while when I get their posts but Shorewall is a better product because 
of people like Nachman that speak up when something doesn''t seem to
work
right...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Sat, 22 Feb 2003, Tom Eastep wrote:
> But the other two thirds contribute also -- I may rant and rave for a
> while when I get their posts but Shorewall is a better product because
> of people like Nachman that speak up when something doesn''t seem
to work
> right...
Oooopssss.  I''ve been living outside of the US for too long!  I
didn''t
mean to imply that the first 2-halves didn''t contribute....  I meant
that
the silent ones don''t....myself certainly included.  We sit back on the
side lines and take in the action learning from other''s.  We, I do it,
see
a query we can answer but we think....that is so simple....and we don''t
take the time to respond.

So, very sorry if I have offened anyone one....I meant to take a poke at
myself.  I totally missed the mark.

Thanks Tom....

 --
http://www.shorewall.net/  for all your firewall needs

--On Sunday, February 23, 2003 12:17:21 PM +0800 Ed Greshko 
<Edward.M.Greshko@syntegra.com> wrote:
> On Sat, 22 Feb 2003, Tom Eastep wrote:
>
>> But the other two thirds contribute also -- I may rant and rave for a
>> while when I get their posts but Shorewall is a better product because
>> of people like Nachman that speak up when something doesn''t
seem to work
>> right...
>
> Oooopssss.  I''ve been living outside of the US for too long!  I
didn''t
> mean to imply that the first 2-halves didn''t contribute....  I
meant that
> the silent ones don''t....myself certainly included.  We sit back
on the
> side lines and take in the action learning from other''s.  We, I do
it, see
> a query we can answer but we think....that is so simple....and we
don''t
> take the time to respond.
>
> So, very sorry if I have offened anyone one....I meant to take a poke at
> myself.  I totally missed the mark.
>
> Thanks Tom....
Someone suggested that I should adopt a 12-hour rule -- I shouldn''t
respond
to new problem reports for twelve hours. This would:

a) Allow others to respond and thus expand the support base.
b) Allow me to cool off before I responded.

That was good advise -- I just have a hard time remembering to follow it :-)

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

On 22/02/2003 8:22 PM -0800 Tom Eastep wrote:
> Someone suggested that I should adopt a 12-hour rule -- I
shouldn''t
> respond to new problem reports for twelve hours. This would:
>
> a) Allow others to respond and thus expand the support base.
> b) Allow me to cool off before I responded.
>
> That was good advise -- I just have a hard time remembering to follow it
> :-)
Also:

c) If a & b fail, the user will try and sort it out themselves which is 
usually the best way to learn.. :)

Regards,
Gonzalo.

P.S: Good to see you''re using Mulberry Tom... it rocks, huh?

Tom Eastep wrote:
> Tom Eastep wrote:
> 
>>
>> My point here is that the shell has crude pattern matching capability 
>> and no builtin regular expression processing. This is just one example 
>> of why Shorewall 2.* will use a different language...
>>
> 
> Despite my blustering, I''ve determined a cheap way to at least
issue a
> warning if a comma-separated list begins or ends with ",". The
change
> will be included in the next 1.4.0 Beta...
> 
And having slept on the problem, this morning I coded up and tested a 
change whereby the warning is now the proper form of error (i.e., if it 
occurs during "shorewall [re]start", it will cause the firewall to 
transition to the stopped state, etc.

Again - the change is in CVS now and will be in the next Beta.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

/(bb|[^b]{2})/
> > Given that Shorewall 
> > is just a set of shell scripts, I don''t feel that it is
possible to
> > satisfy both camps...
> 
> My point here is that the shell has crude pattern matching capability 
> and no builtin regular expression processing. This is just one example 
> of why Shorewall 2.* will use a different language...
REs -- the best reason, to use Perl... ;-)

Besides the camel book you already have, I suggest ''Mastering Regular
Expressions'' (O''Reilly of course) to learn everything about
REs you ever
wanted and never wanna...

 karsten


-- 
Hi, I''m a signature virus. Copy me into your ~/.signature to help me
spread!