Steven Jan Springl
2003-Nov-01 14:59 UTC
[Shorewall-users] A problem with a policy of NONE.
Tom;

If a policy of NONE is specified when the source or destination is fw, then on a start/restart Shorewall terminates with an iptables error. E.g. the policy "wan fw NONE" causes Shorewall to terminate with the following message:

iptables v1.2.8: Couldn't load target `wan2fw':/usr/lib/iptables-1.2.8/iptables/libipt_wan2fw.so: cannot open shared object file: No such file or directory

This problem occurs on Shorewall versions 1.4.7c, 1.4.8-rc1 & 1.4.8-rc2. I have not tried it on other versions.

I have attached my shorewall configuration and the output of a "shorewall debug start" command. If you need any further information, please let me know.

Steven.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall.tgz
Type: application/x-tgz
Size: 22328 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031101/ee15abc8/shorewall-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wan2fw.zip
Type: application/x-zip
Size: 39354 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031101/ee15abc8/wan2fw-0001.bin
On Sat, 1 Nov 2003, Steven Jan Springl wrote:

> Tom;
> If a policy of NONE is specified when the source or destination is
> fw, then on a start/restart shorewall terminates with an iptables error.
> E.g. the policy "wan fw NONE" causes Shorewall to terminate with the
> following message:
>
> iptables v1.2.8: Couldn't load target
> `wan2fw':/usr/lib/iptables-1.2.8/iptables/libipt_wan2fw.so: cannot open
> shared object file: No such file or directory
>

I had no intention of supporting a policy of NONE in those cases. The NONE policy is intended to prevent Shorewall from generating rules for cases that can't possibly occur. Traffic to/from the firewall doesn't qualify...

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Francesca C Smith
2003-Nov-01 16:22 UTC
[Shorewall-users] Re: A problem with a policy of NONE.
Hello,

One other thing .. Is wan defined in Zones ???

Francesca

At 06:00 PM 11/1/2003, you wrote:

> If a policy of NONE is specified when the source or destination is
> fw, then on a start/restart shorewall terminates with an iptables error.
> E.g. the policy "wan fw NONE" causes Shorewall to terminate with the
> following message:

"No Problems Only Solutions"
Francesca C. Smith
Lady Linux Internet Services
fsmith@ladylinux.com
Steven Jan Springl
2003-Nov-01 16:36 UTC
[Shorewall-users] Re: A problem with a policy of NONE.
On Sunday 02 November 2003 00:20, Francesca C Smith wrote:

> Hello,
>
> One other thing .. Is wan defined in Zones ???
>
> Francesca

Francesca;

Yes, wan is defined in Zones. The policy had previously been DROP, which worked.

I should also have mentioned in my initial report that I was only testing 1.4.8-rc2, therefore Tom's reply is perfectly acceptable. If others wish to pursue the problem then I am willing to provide whatever assistance I can.

Steven.

>
> At 06:00 PM 11/1/2003, you wrote:
> > If a policy of NONE is specified when the source or destination is
> > fw, then on a start/restart shorewall terminates with an iptables error.
> > E.g. the policy "wan fw NONE" causes Shorewall to terminate with the
> > following message:
>
> "No Problems Only Solutions"
> Francesca C. Smith
> Lady Linux Internet Services
> fsmith@ladylinux.com
On Sun, 2 Nov 2003, Steven Jan Springl wrote:

> Francesca;
> Yes, wan is defined in Zones. The policy had previously been
> DROP, which worked.
> I should also have mentioned in my initial report that I was only testing
> 1.4.8-rc2, therefore Tom's reply is perfectly acceptable. If others wish to
> pursue the problem then I am willing to provide whatever assistance I can.
>

I think that the solution is for the firewall script to raise an error if NONE is specified for z->fw or fw->z.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
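The check Tom proposes above, written out as an added shell example; this is not Shorewall's own code. For background on the symptom: the message in Steven's report is what iptables prints when a rule jumps (-j) to a name that is neither a built-in target nor an existing user chain, because it then falls back to loading libipt_<name>.so as a target extension and fails. That is consistent with NONE suppressing creation of the wan2fw chain while a jump into it was still emitted. The function below reads a file in the 1.4-era policy layout (SOURCE DEST POLICY [LOG LEVEL] [LIMIT:BURST], with '#' starting a comment) and rejects a NONE policy whenever the source or destination is the firewall zone. Assumptions: the firewall zone is called fw unless FW is set, matching the shorewall.conf default; the wildcard zone "all" is treated as including the firewall zone, so "all fw NONE" and "loc all NONE" are rejected too; the function name, the sample policy lines and the diagnostic wording are mine.

```shell
#!/bin/sh
# Added example (not Shorewall code): reject a NONE policy to or from the
# firewall zone before any iptables commands are generated, so the failure
# is a clear configuration error instead of an iptables "Couldn't load
# target" message half-way through a start/restart.
#
# Assumed policy-file layout (Shorewall 1.4 era):
#   SOURCE  DEST  POLICY  [LOG LEVEL]  [LIMIT:BURST]
#   '#' starts a comment; blank lines are ignored.
# Assumed firewall zone name: $FW from the environment, default "fw",
# as in the shorewall.conf default.

# check_none_policy FILE [FWZONE]
# Prints one diagnostic per offending line on stderr.
# Returns 1 if any offending line was found, 0 otherwise.
check_none_policy() {
    file=$1
    fwzone=${2:-${FW:-fw}}
    rc=0
    lineno=0

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))

        # Drop trailing comments, then split the remainder into columns
        # using the default IFS (IFS= only applied to the read above).
        line=${line%%#*}
        set -- $line
        [ $# -eq 0 ] && continue

        src=$1
        dst=$2
        # A missing POLICY column is a different error; skip it here.
        [ $# -ge 3 ] || continue
        # Compare the policy case-insensitively (an assumption; Shorewall
        # itself may require upper case).
        pol=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')

        [ "$pol" = NONE ] || continue

        # "all" expands to every zone, which includes the firewall zone.
        if [ "$src" = "$fwzone" ] || [ "$src" = all ] ||
           [ "$dst" = "$fwzone" ] || [ "$dst" = all ]; then
            printf 'ERROR: %s:%d: policy NONE is not allowed to or from the firewall zone (%s %s NONE)\n' \
                "$file" "$lineno" "$src" "$dst" >&2
            rc=1
        fi
    done < "$file"

    return $rc
}

# Stand-alone usage: check_none_policy /etc/shorewall/policy || exit 1
```

Running the function on Steven's "wan fw NONE" line yields a single ERROR line naming the file and line number and a non-zero exit status, which is what a start/restart script can act on before touching the running ruleset. Lines such as "dmz loc NONE", where neither zone is the firewall, still pass, since that is the case NONE was designed for.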
Francesca C Smith
2003-Nov-01 19:06 UTC
[Shorewall-users] RE: A problem with a policy of NONE.
Hiya,

At 09:49 PM 11/1/2003, you wrote:

> I think that the solution is for the firewall script to raise an error if
> NONE is specified for z->fw or fw->z.
>
> -Tom

Yep .. I pretty much concur .. maybe the zone docs need some updating ..

Francesca

"No Problems Only Solutions"
Francesca C. Smith
Lady Linux Internet Services
fsmith@ladylinux.com