I'm using Shorewall 1.2.12, from the Woody Debian package.

Right there in the /etc/shorewall/rules file, is embedded documentation:

# DNAT net dmz:192.168.2.3 tcp ssh,http

Um, and it's wrong. However, /usr/share/doc/shorewall-doc/html/Documentation.htm#Rules offers examples like:

ACCEPT net loc:192.168.1.3 tcp ssh - all

and that worked just fine.

So it looks like the documentation package contradicts what's in the actual conf file itself... and the docs are more correct than the conf file itself. The version of Shorewall that I have absolutely refused to accept a "DNAT" result.

I lost several days on this one, trying what's right there in the docs, over and over again, and cursing at it when it puked. It looks like the three-interface conf files I'd grabbed are from a radically different version of Shorewall than.

Anyway, all's well now.

I'm a little queasy about this, though. The DNAT makes more sense to me than "ACCEPT". How else does Shorewall distinguish between those ports that I want to categorically dnat, regardless of what host they're destined for (i.e. a transparent proxy to port 3128), versus those that I just want to allow, IFF they're destined for that specific host?

-ken

--
The world's most affordable web hosting.
http://www.nearlyfreespeech.net
On Sun, 4 May 2003 01:01:28 -0700, Ken Restivo <ken@restivo.org> wrote:

> I'm using Shorewall 1.2.12, from the Woody Debian package.
>
> Right there in the /etc/shorewall/rules file, is embedded documentation:
>
> # DNAT net dmz:192.168.2.3 tcp ssh,http
>
> Um, and it's wrong. However, /usr/share/doc/shorewall-doc/html/Documentation.htm#Rules offers examples like:
>
> ACCEPT net loc:192.168.1.3 tcp ssh - all
>
> and that worked just fine.
>
> So it looks like the documentation package contradicts what's in the
> actual conf file itself... and the docs are more correct than the conf
> file itself. The version of Shorewall that I have absolutely refused to
> accept a "DNAT" result.

a) The configuration files that you are using don't match the version of Shorewall that you are running (the DNAT target type wasn't introduced until a Shorewall 1.3 Beta). This can happen if you download a version of the Sample configurations that doesn't match the version of the software that you are running. I probably should try to make it clearer what version of the software each version of the Samples applies to.

b) Shorewall 1.2 hasn't been supported since Shorewall 1.4 was introduced.

-Tom

PS -- I inadvertently responded earlier to this post with the "Reply" button rather than the "Reply All" button. I thus also missed the fact that Ken had sent this to this list rather than to me personally. My apologies to Ken for missing that.

--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
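Ken's question about telling a "redirect everything on this port" rule from a "just allow traffic to this one host" rule is not answered in the thread. As an added illustration, not taken from the thread or from Shorewall's own sample files, here are the three cases written in the column layout Shorewall 1.3 and later use for /etc/shorewall/rules (the version line Tom says the DNAT sample belongs to). The REDIRECT action and the 3128 transparent-proxy port are assumptions about that later syntax; the zone names and addresses are the ones from Ken's message.

```conf
# Added example: /etc/shorewall/rules, Shorewall 1.3+ column layout.
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# (SOURCE PORT(S) and ORIGINAL DEST columns left at their defaults.)
# REDIRECT is assumed to exist in this version; it is not in the thread.

# 1. Port forward. Connections from the net that arrive on the
#    firewall's external address for ssh/http are rewritten (DNAT) to
#    the DMZ host and then allowed through. The outside client never
#    addresses 192.168.2.3 itself, so only the firewall's address is
#    exposed; review this rule whenever the DMZ host changes role.
DNAT      net      dmz:192.168.2.3    tcp    ssh,http

# 2. Transparent proxy. Every web connection leaving the local zone,
#    whatever host it was destined for, is sent to port 3128 on the
#    firewall. This is the "categorically dnat regardless of host" case
#    Ken asks about: the match is on the port, not the destination.
REDIRECT  loc      3128               tcp    www

# 3. Plain allow. ssh from the net is forwarded to 192.168.1.3 only if
#    the packet is already addressed to that host; nothing is rewritten.
#    Traffic for any other local host is still dropped by policy.
ACCEPT    net      loc:192.168.1.3    tcp    ssh
```

After editing, `shorewall check` (in versions that have it) reports the column errors that a mismatched sample file like the 1.2/1.3 mix above would otherwise produce only at `shorewall start`.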
Tom Eastep wrote:

>> I'm using Shorewall 1.2.12, from the Woody Debian package.

> b) Shorewall 1.2 hasn't been supported since Shorewall 1.4 was introduced.

I can recommend this line in the sources.list file:

deb http://security.dsi.unimi.it/~lorenzo/debian ./

It will give you up-to-date Shorewall packages in your woody system.

PS. I AM wondering how an unsupported package can ever be a 'stable' candidate, especially when it is a firewall? This is not at all your fault Tom, but merely due to the way Debian works I guess...

P.
Pieter Ennes said:

> Tom Eastep wrote:
>
>>> I'm using Shorewall 1.2.12, from the Woody Debian package.
>
>> b) Shorewall 1.2 hasn't been supported since Shorewall 1.4 was
>> introduced.
>
> I can recommend this line in the sources.list file:
>
> deb http://security.dsi.unimi.it/~lorenzo/debian ./
>
> It will give you up-to-date Shorewall packages in your woody system.
>
> PS. I AM wondering how an unsupported package can ever be a 'stable'
> candidate, especially when it is a firewall?

Well, that's easy - at the time that "woody" (aka Debian v3.0) was declared to be the new official "stable" Debian release, Shorewall 1.2 *was* a supported version. Debian "stable" releases never upgrade included package versions, except for bug fixes/security fixes. That's what makes them "stable". They may backport some security fixes, but not just include newer releases in a "stable" build.

If you want more recent stuff, you run the "testing" distribution, or the "unstable", depending on exactly how recent and current you wish to be.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project <http://leaf.sourceforge.net>
AIM: MikeLeone
Public Key - <http://www.mike-leone.com/~turgon/turgon-public-key.asc>
Registered Linux user# 201348