I made a boo boo in my config and put in this rule

#PPTP
DNAT net:213.67.241.162/217.209.46.204/32 loc:192.168.221.200 tcp 1723
DNAT net:213.67.241.162/32,217.209.46.204/32 loc:192.168.221.200 47 -

And the following happened.. and I wonder why it didn't complain? I am sure I am just misunderstanding some doc which tells me why this happened?

argus:~# shorewall check
Processing /etc/shorewall/params ...
Verifying Configuration...
Loading Modules...
Determining Zones...
Zones: net loc dmz dmb
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
DMZ Zone: eth2:0.0.0.0/0
DMB Zone: eth3:0.0.0.0/0
Validating rules file...
Rule "DNAT loc dmz:213.212.33.20 tcp smtp - 192.168.221.7" validated.
Rule "ACCEPT fw net tcp time" validated.
Rule "ACCEPT loc fw tcp ssh,www" validated.
Rule "ACCEPT fw net tcp domain,www" validated.
Rule "ACCEPT fw net udp domain" validated.
Rule "ACCEPT fw dmz:213.212.33.20 tcp smtp" validated.
Rule "ACCEPT fw loc udp snmp,snmp-trap" validated.
Rule "ACCEPT dmz net tcp domain,www,https,smtp,auth,ftp,time,81" validated.
Rule "ACCEPT dmz net udp domain,www,https,time" validated.
Rule "ACCEPT dmz loc udp domain" validated.
Rule "ACCEPT dmz loc tcp domain" validated.
Rule "ACCEPT net dmz:213.212.33.20 tcp smtp" validated.
Rule "ACCEPT net:213.67.31.0/24 dmz:213.212.33.20 tcp smtp" validated.
Rule "ACCEPT loc dmz:213.212.33.20 tcp smtp" validated.
Rule "ACCEPT dmz:213.212.33.20 loc:192.168.221.202 tcp smtp" validated.
Rule "DNAT net:217.28.207.0/24,195.100.170.0/24,213.67.31.0/24 loc:192.168.221.202 tcp pop3" validated.
Rule "DNAT net:195.84.194.0/24 loc:192.168.221.6 tcp 5631" validated.
Rule "DNAT net:195.84.194.0/24 loc:192.168.221.6 udp 5632" validated.
Rule "DNAT net loc:192.168.221.6 tcp 5631" validated.
Rule "DNAT net loc:192.168.221.6 udp 5632" validated.
Rule "ACCEPT loc dmz tcp www,ssh,https,81" validated.
Rule "ACCEPT net dmz:213.212.33.20 tcp www" validated.
Rule "ACCEPT net dmz:213.212.33.23 tcp www,https,81,ssh,pop3,pop3s,smtp,ftp" validated.
Rule "ACCEPT dmz:213.212.33.23 net tcp 110,109" validated.
Rule "DNAT net:213.67.241.162/217.209.46.204/32 loc:192.168.221.200 tcp 1723" validated.
Rule "DNAT net:213.67.241.162/32,217.209.46.204/32 loc:192.168.221.200 47 -" validated.
Rule "ACCEPT dmz:213.212.33.22/32 net:131.107.1.10/32,192.43.244.18/32 udp 123" validated.
Rule "ACCEPT net dmz:213.212.33.22 all" validated.
Rule "ACCEPT dmz:213.212.33.22 net all" validated.
Validating policy file...
Policy for loc to net is ACCEPT
Policy for loc to loc is ACCEPT
Policy for fw to net is ACCEPT
Policy for fw to loc is ACCEPT
Policy for fw to dmz is ACCEPT
Policy for fw to dmb is ACCEPT
Policy for fw to fw is ACCEPT
Policy for net to net is DROP
Policy for net to loc is DROP
Policy for net to dmz is DROP
Policy for net to dmb is DROP
Policy for net to fw is DROP
Policy for loc to dmz is REJECT
Policy for loc to dmb is REJECT
Policy for loc to fw is REJECT
Policy for dmz to net is REJECT
Policy for dmz to loc is REJECT
Policy for dmz to dmz is REJECT
Policy for dmz to dmb is REJECT
Policy for dmz to fw is REJECT
Policy for dmb to net is REJECT
Policy for dmb to loc is REJECT
Policy for dmb to dmz is REJECT
Policy for dmb to dmb is REJECT
Policy for dmb to fw is REJECT
Configuration Validated

argus:~# shorewall restart
Processing /etc/shorewall/params ...
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc dmz dmb
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
DMZ Zone: eth2:0.0.0.0/0
DMB Zone: eth3:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Host 213.212.33.20 connected to eth2 added to ARP on eth0
Host 213.212.33.22 connected to eth2 added to ARP on eth0
Host 213.212.33.23 connected to eth2 added to ARP on eth0
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "DNAT loc dmz:213.212.33.20 tcp smtp - 192.168.221.7" added.
Rule "ACCEPT fw net tcp time" added.
Rule "ACCEPT loc fw tcp ssh,www" added.
Rule "ACCEPT fw net tcp domain,www" added.
Rule "ACCEPT fw net udp domain" added.
Rule "ACCEPT fw dmz:213.212.33.20 tcp smtp" added.
Rule "ACCEPT fw loc udp snmp,snmp-trap" added.
Rule "ACCEPT dmz net tcp domain,www,https,smtp,auth,ftp,time,81" added.
Rule "ACCEPT dmz net udp domain,www,https,time" added.
Rule "ACCEPT dmz loc udp domain" added.
Rule "ACCEPT dmz loc tcp domain" added.
Rule "ACCEPT net dmz:213.212.33.20 tcp smtp" added.
Rule "ACCEPT net:213.67.31.0/24 dmz:213.212.33.20 tcp smtp" added.
Rule "ACCEPT loc dmz:213.212.33.20 tcp smtp" added.
Rule "ACCEPT dmz:213.212.33.20 loc:192.168.221.202 tcp smtp" added.
Rule "DNAT net:217.28.207.0/24,195.100.170.0/24,213.67.31.0/24 loc:192.168.221.202 tcp pop3" added.
Rule "DNAT net:195.84.194.0/24 loc:192.168.221.6 tcp 5631" added.
Rule "DNAT net:195.84.194.0/24 loc:192.168.221.6 udp 5632" added.
Rule "DNAT net loc:192.168.221.6 tcp 5631" added.
Rule "DNAT net loc:192.168.221.6 udp 5632" added.
Rule "ACCEPT loc dmz tcp www,ssh,https,81" added.
Rule "ACCEPT net dmz:213.212.33.20 tcp www" added.
Rule "ACCEPT net dmz:213.212.33.23 tcp www,https,81,ssh,pop3,pop3s,smtp,ftp" added.
Rule "ACCEPT dmz:213.212.33.23 net tcp 110,109" added.
iptables v1.2.6a: host/network `213.67.241.162/217.209.46.204' not found
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop ...
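The rule iptables rejected has its two hosts joined by "/" instead of ",", something "shorewall check" passed because it never hands the host list to iptables. As an added example (not code from the thread or from Shorewall), here is a POSIX sh pre-flight check for the zone:hostlist form used in these rules; it understands only IPv4 hosts with an optional /prefix, not the interface or MAC forms Shorewall also accepts, and the rules-file path is an argument defaulting to /etc/shorewall/rules.

```shell
# Added example, not Shorewall's own code: a pre-flight check for the
# SOURCE and DEST columns of /etc/shorewall/rules. It accepts a bare zone
# ("net", "fw", "-") or "zone:host[,host...]" where every host is an IPv4
# address with an optional /prefix. Two hosts joined by "/" instead of ","
# (the mistake above) fail here instead of at iptables time. Interface and
# MAC address forms that Shorewall also allows are deliberately not handled.

valid_ipv4_net() {
    # $1 is one host element, e.g. 217.209.46.204/32
    case $1 in */) return 1 ;; esac        # "a.b.c.d/" has no prefix length
    addr=${1%%/*}                          # text before the first "/"
    case $1 in */*) prefix=${1#*/} ;; *) prefix= ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1               # exactly four dotted octets
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then              # optional prefix length 0-32
        case $prefix in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

valid_rule_endpoint() {
    # $1 is a whole column, e.g. net:213.67.241.162/32,217.209.46.204/32
    case $1 in *:*) hosts=${1#*:} ;; *) return 0 ;; esac
    case $hosts in ''|,*|*,|*,,*) return 1 ;; esac   # empty or dangling comma
    oldifs=$IFS; IFS=,; set -- $hosts; IFS=$oldifs
    for host in "$@"; do
        valid_ipv4_net "$host" || return 1
    done
    return 0
}

# Report every rule whose SOURCE or DEST column iptables would reject.
# The rules file path is an argument; it defaults to Shorewall's location.
lint_rules() {
    rc=0
    while read -r action source dest rest; do
        case $action in ''|\#*) continue ;; esac      # blank line or comment
        for col in "$source" "$dest"; do
            valid_rule_endpoint "$col" && continue
            echo "bad host list in rule: $action $source $dest $rest" >&2
            rc=1
        done
    done < "${1:-/etc/shorewall/rules}"
    return $rc
}
```

Run "lint_rules /etc/shorewall/rules" before a restart; a non-zero status means at least one rule would have died in iptables the way the PPTP rule did above.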
--On Monday, February 24, 2003 05:40:44 PM +0100 Jan Johansson <jan.johansson@nwl.se> wrote:

> I made a boo boo in my config and put in this rule

Jan -- sorry to do this but I've had it with the "check" command. It will be removed from 1.4.0 and will not be included in 2.0.

And anyone who wants a "shorewall check" command can write and maintain the damned thing - AND FIELD ALL OF THE PROBLEM REPORTS.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Can't find it at the minute but somewhere in the documentation it explains that the check command is not exhaustive and may not pick up all configuration errors.

Mark

On Monday, February 24, 2003, at 04:40 pm, Jan Johansson wrote:

> I made a boo boo in my config and put in this rule
>
> #PPTP
> DNAT net:213.67.241.162/217.209.46.204/32 loc:192.168.221.200 tcp 1723
> DNAT net:213.67.241.162/32,217.209.46.204/32 loc:192.168.221.200 47 -
>
> And the following happened.. and I wonder why it didn't complain? I am sure I am just misunderstanding some doc which tells me why this happened?
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
ok. me think it is better too. I have my problems checking too, and stopped using it.

Alternatively, couldn't we have some configuration option or something other than the try command (which I use always, when I remember) option? That variable could be used to tell shorewall to issue an iptables-save and, if the restart is not successful, shorewall would issue an iptables-restore. Does shorewall return an exit status in a case like that below?

cheers,

Eduardo Ferreira

shorewall-users-bounces@lists.shorewall.net wrote on 24/02/2003 13:48:20:

> --On Monday, February 24, 2003 05:40:44 PM +0100 Jan Johansson <jan.johansson@nwl.se> wrote:
>
> > I made a boo boo in my config and put in this rule
>
> Jan -- sorry to do this but I've had it with the "check" command. It will be removed from 1.4.0 and will not be included in 2.0.
>
> And anyone who wants a "shorewall check" command can write and maintain the damned thing - AND FIELD ALL OF THE PROBLEM REPORTS.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
--On Monday, February 24, 2003 01:59:46 PM -0300 Eduardo Ferreira <duda@icatu.com.br> wrote:

> ok. me think it is better too. I have my problems checking too, and stopped using it.
>
> Alternatively, couldn't we have some configuration option or something other than the try command (which I use always, when I remember) option? That variable could be used to tell shorewall to issue an iptables-save and, if the restart is not successful, shorewall would issue an iptables-restore. Does shorewall return an exit status in a case like that below?

You can code the above yourself easily -- /sbin/shorewall does return an exit status of 2 when it fails. It is not generally applicable (and I won't implement it) because Shorewall can do more during [re]start than just configure iptables.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
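Eduardo's save-and-roll-back idea, written as a wrapper around the exit status Tom describes. This is an added example, not code from the thread or from Shorewall; the SHOREWALL, IPT_SAVE and IPT_RESTORE variables are hypothetical overrides so the logic can be exercised with stubs, and the defaults are the real tools. As Tom points out, a restart does more than load iptables rules, so iptables-restore brings back only the netfilter tables, not proxy ARP entries or other state Shorewall touches.

```shell
# Added example, not Shorewall code: snapshot the live ruleset, restart
# Shorewall, and reload the snapshot if the restart fails. Relies only on
# what Tom states above: /sbin/shorewall exits with status 2 on failure.
# SHOREWALL, IPT_SAVE and IPT_RESTORE are hypothetical overrides so the
# function can be exercised with stubs; the defaults are the real tools.
: "${SHOREWALL:=/sbin/shorewall}"
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"

safe_restart() {
    backup=$(mktemp) || return 1
    # Refuse to restart if we cannot capture the ruleset we would fall back to.
    if ! "$IPT_SAVE" > "$backup"; then
        echo "safe_restart: $IPT_SAVE failed; not restarting" >&2
        rm -f "$backup"
        return 1
    fi
    # Capture the exit status in a way that is safe under "set -e".
    "$SHOREWALL" restart && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        rm -f "$backup"
        return 0
    fi
    # Restart failed (Shorewall reports 2): put the saved iptables rules back.
    # This restores only the netfilter tables; proxy ARP entries and other
    # state Shorewall sets up during [re]start are not covered.
    echo "safe_restart: shorewall restart exited $status; restoring saved rules" >&2
    if "$IPT_RESTORE" < "$backup"; then
        rm -f "$backup"
    else
        echo "safe_restart: restore failed; saved rules kept in $backup" >&2
    fi
    return "$status"
}
```

Call safe_restart in place of "shorewall restart"; it returns Shorewall's own status, so 2 still means the restart failed even though the previous rules are back in place.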
thanks, I will try it.

shorewall-users-bounces@lists.shorewall.net wrote on 24/02/2003 14:10:52:

> --On Monday, February 24, 2003 01:59:46 PM -0300 Eduardo Ferreira <duda@icatu.com.br> wrote:
>
> > ok. me think it is better too. I have my problems checking too, and stopped using it.
> >
> > Alternatively, couldn't we have some configuration option or something other than the try command (which I use always, when I remember) option? That variable could be used to tell shorewall to issue an iptables-save and, if the restart is not successful, shorewall would issue an iptables-restore. Does shorewall return an exit status in a case like that below?
>
> You can code the above yourself easily -- /sbin/shorewall does return an exit status of 2 when it fails. It is not generally applicable (and I won't implement it) because Shorewall can do more during [re]start than just configure iptables.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net