Tom, thank you for the advice. I was in http://leaf.sourceforge.net/devel/dorus/sixwall.html. This is what is written there:

"1.1. What is 6wall?

6wall is for IPv6 what Shorewall is for IPv4.

Never heard of Shorewall? Then I suggest that you first get acquainted with this excellent iptables based firewall for IPv4 at www.shorewall.net. 6wall is heavily based on Shorewall, in fact most of the work on 6wall has been to convert the functionalities for IPv4 in Shorewall to their IPv6 equivalent.

6wall is a Netfilter (ip6tables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

Although 6wall is Linux distribution independent, currently only a ready to use package for Linux Embedded Appliance Firewalls (LEAF - http://leaf.sourceforge.net) is available. It is currently distributed as part of the Bering-uClibc (http://leaf.sourceforge.net/mod.php?mod=userpage&menu=910&page_id=36) branch of LEAF.

1.2. Limitations

6wall is based on ip6tables, which currently doesn't support as many features as iptables. Therefore a number of options/features of Shorewall could not be converted to their IPv6 counterpart in 6wall. Below is an overview of the main limitations of 6wall/ip6tables compared to Shorewall/iptables:

- No support for connection tracking
- Allowed policies are ACCEPT, DROP, CONTINUE and NONE
- Allowed actions for rules are ACCEPT, DROP, CONTINUE and LOG
- Policies and actions REJECT, REDIRECT are not supported
- Log target ULOG is not supported
- Network Address Translation (SNAT and DNAT) is not available

More detailed information on the available options/features can be found in the 6wall reference manual (http://leaf.sourceforge.net/devel/dorus/sixwall6.html).
..."

I ask Eric for his plan of make full package with last Shorewall features.

And yet some proposal for new Shorewall feature. I think that will be better (clearly and convenient) if you add separate column for rate limits (f.e. RATE_LIMIT :-)) with same syntax, why not? IMHO command for view rate limits state (like "shorewall show ratelimits") is very appositely also.

Aleks
Tom Eastep
2003-Aug-15 06:41 UTC
[Shorewall-users] Format of the rules file and other complaints
On Fri, 2003-08-15 at 00:51, alshu@tut.by wrote:
> .
>
> And yet some proposal for new Shorewall feature. I think that will be
> better (clearly and convenient) if you add separate column for rate limits
> (f.e. RATE_LIMIT :-)) with same syntax, why not? IMHO command for view rate
> limits state (like "shorewall show ratelimits") is very appositely also.
>

Aleks,

If you don't start putting a subject on your posts, I'm going to have the list manager bounce them.

The reason that I didn't make the rate limit a separate column is:

a) To add a column, it would have had to have been to the far right.
b) This would have placed it beyond two very lightly used columns necessitating the use of "- -" each time a rate was specified.
c) The new column would have been beyond column 80 which would have been an inconvenience for LEAF Bering users who use an 80-column editor from their console.
d) In my own very wide format of the rules file (see http://shorewall.net/myfiles.htm), the new column would have been beyond the width of an emacs window on my 1280x1024 display.

As for the "shorewall show ratelimits"

    shorewall show | grep limit

will have to do.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-15 08:58 UTC
[Shorewall-users] Format of the rules file and other complaints
On Fri, 2003-08-15 at 06:41, Tom Eastep wrote:
>
> The reason that I didn't make the rate limit a separate column is:
>
> a) To add a column, it would have had to have been to the far right.
> b) This would have placed it beyond two very lightly used columns
> necessitating the use of "- -" each time a rate was specified.
> c) The new column would have been beyond column 80 which would have been
> an inconvenience for LEAF Bering users who use an 80-column editor from
> their console.
> d) In my own very wide format of the rules file (see
> http://shorewall.net/myfiles.htm), the new column would have been beyond
> the width of an emacs window on my 1280x1024 display.
>

Since this isn't the first request I've had for a separate column, the version in CVS now offers you a choice - you can put rate limiting in the ACTION column as previously or you can specify it in the separate RATE LIMIT column off to the far right.

To accommodate an HP-internal enhancement request I'm now working on, I have to add one or two more columns so trying to keep the rules file within 80 columns seems like a lost cause in the long run.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
David Kempe
2003-Aug-15 14:51 UTC
[Shorewall-users] Format of the rules file and other complaints
Will the general public be benefiting from the HP enhancements? (not that we have to or anything, just curious)

Seeing as shorewall just needs whitespace, surely the columns will all fit if you just use a space or a double space?

dave

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> To accommodate an HP-internal enhancement request I'm now working on, I
> have to add one or two more columns so trying to keep the rules file
> within 80 columns seems like a lost cause in the long run.
Tom Eastep
2003-Aug-15 17:16 UTC
[Shorewall-users] Format of the rules file and other complaints
On Fri, 2003-08-15 at 14:50, David Kempe wrote:
> Will the general public be benefiting from the HP enhancements? (not that we
> have to or anything, just curious)

I think it will have fairly narrow application.

> Seeing as shorewall just needs whitespace, surely the columns will all fit
> if you just use a space or a double space?

If you fully-populate a rule currently it is:

AAAAAAA:lllllll zzzzz:iiiiiiii:www.zzz.yyy.zzz/mm zzzzz:iiiiiiii:www.xxx.yyy.zzz/mm:ppppp PPPPPP ppppp ppppp www.xxx.yyy.zzz:www.xxx.yyy.zzz

Haven't counted but looks longer than 80 columns to me... And that's without including lists in any of the columns.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net