Hi,

After an "apt-get install shorewall" on our Debian machine I see that the 2.0 version is no more compatible with the last 1.4, good idea ! - The Webmin module is no more compatible too !

Why don't you make a new project with an other name and freeze the Shorewall project ?

It should be nice to think about all the sysadmin they have to manage a large amount of machine before to make a release with no historical compatibility.

At this time I have to downgrade to 1.4.7 to be able to manage my machines with Webmin and freeze the configuration on our customers, or let me know how to convert the 1.4 configs files to 2.0.

Sam Przyswa.

--
Sam Przyswa - Project manager
Arial Concept - Internet integrator
36, rue de Turin - 75008 - Paris - France
Tel: 01 40 54 86 04 - Fax: 01 40 54 83 01
Web: http://www.arial-concept.com - Email: Info@arial-concept.com

On Thu, 27 May 2004 12:50:42 +0000 "Sam Przyswa" <samp@arial-concept.com> wrote:

> After an "apt-get install shorewall" on our Debian machine I see that
> the 2.0 version is no more compatible with the last 1.4, good idea ! -
> The Webmin module is no more compatible too !
>
> Why don't you make a new project with an other name and freeze the
> Shorewall project ?

Normally, before an upgrade I check the 'upgrade issues' page.
http://www.shorewall.net/upgrade_issues.htm
This is a standard practice.

As far as the Webmin module; Tom has nothing to do with that. You may wish to seek its creator.

--
Paul Slinski            -o)
Network Administrator   /\
Global IQX, Inc.       _\_v

The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this in error, please contact the sender and delete or destroy this message and any copies.

Sam Przyswa wrote:

> After an "apt-get install shorewall" on our Debian machine I see that the 2.0
> version is no more compatible with the last 1.4, good idea ! - The Webmin
> module is no more compatible too !
>
> Why don't you make a new project with an other name and freeze the Shorewall
> project ?

Why did you upgrade?

> It should be nice to think about all the sysadmin they have to manage a large
> amount of machine before to make a release with no historical compatibility.
>
> At this time I have to downgrade to 1.4.7 to be able to manage my machines
> with Webmin and freeze the configuration on our customers, or let me know how
> to convert the 1.4 configs files to 2.0.

a) For months before the 2.0 release, I sent messages on this list and on the Announcement list telling users how to prepare for 2.0 while they were still running 1.4.

b) As always, the release notes for 2.0 gave detailed information on migration issues.

c) http://www.shorewall.upgrade_issues.htm is *always* recommended reading before you do *any* Shorewall upgrade.

d) The major releases are the only points at which I make incompatible changes to Shorewall. So if you don't bother to read the release notes or upgrade issues on minor releases, you should at least read them when going from one major release to the next.

e) I have no control over Webmin but I have installed and have used it with Shorewall 2.0.2 to create screenshots for an upcoming book. It certainly doesn't roll over and die with 2.0.2.

I will continue to make incompatible changes in Shorewall at major releases when I feel that it is in the best interest of the product and the community who uses it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Paul Slinski wrote:

> On Thu, 27 May 2004 12:50:42 +0000
> "Sam Przyswa" <samp@arial-concept.com> wrote:
>
>> After an "apt-get install shorewall" on our Debian machine I see that
>> the 2.0 version is no more compatible with the last 1.4, good idea ! -
>> The Webmin module is no more compatible too !
>>
>> Why don't you make a new project with an other name and freeze the
>> Shorewall project ?
>
> Normally, before an upgrade I check the 'upgrade issues' page.
> http://www.shorewall.net/upgrade_issues.htm
> This is standard a practise.

If the sysadmins have to check, test, all the upgrades they have to do it's mean that they have not to trust the GPL developers and in this case the TOC of the Open Source solutions will become higher than Microsoft's TOC.

I think we have to respect a minimum policy to help the sysadmins to manage their tools and push the Open Source over Microsoft.

It's my opinion.

Sam.

On Thu, 27 May 2004 16:05:43 +0200 Sam Przyswa <samp@arial-concept.com> wrote:

> If the sysadmins have to check, test, all the upgrades they have to do
> it's mean that they have not to trust the GPL developers and in this
> case the TOC of the Open Source solutions will become higher than
> Microsoft's TOC.

If the sysadmins installed everything blindly (Windows, Unix or otherwise) there would certainly be chaos. You should always check for what the update provides. Windows, Unix, Linux, *BSD, all of them.

However, this is off topic and besides, it's common sense.

--
Paul Slinski            -o)
Network Administrator   /\
Global IQX, Inc.       _\_v

Hey, I second that. I've been studying, testing and applying this upgrade for a month now, and I'm still not over yet (only 3 out of 6 boxes done). If you don't have the time to RTFM before upgrading, you shouldn't be working on this field.

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Paul Slinski <pauls@globaliqx.com>
Sent by: shorewall-users-bounces@lists.shorewall.net
27/05/2004 11:12
Please respond to Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
Subject: Re: [Shorewall-users] Shorewall 1.4 -> 2.0

> On Thu, 27 May 2004 16:05:43 +0200 Sam Przyswa <samp@arial-concept.com> wrote:
>
>> If the sysadmins have to check, test, all the upgrades they have to do
>> it's mean that they have not to trust the GPL developers and in this
>> case the TOC of the Open Source solutions will become higher than
>> Microsoft's TOC.
>
> If the sysadmins installed everything blindly (Windows, Unix or otherwise)
> there would certainly be chaos. You should always check for what the update
> provides. Windows, Unix, Linux, *BSD, all of them.
>
> However, this is off topic and besides, it's common sense.
>
> --
> Paul Slinski
> Network Administrator
> Global IQX, Inc.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

I second that.

If one system admin doesn't bother to follow up with updates or patches or anything regarding the system they are monitoring or they are administering, no point of them being a system admin and why bother being in this field and you do not bother to keep yourself updated with tools or software you use and security patches or updates or new version ???

Read the manual and do some research before you point finger and accuse of the author who you claimed doesn't make any announcement, whereas the actual fact is that you yourself never bother to. Enough said.

Regards,
Jason

PS: Tom... keep up the good work and we will always support you.

Tom Eastep wrote:

> Sam Przyswa wrote:
>
>> After an "apt-get install shorewall" on our Debian machine I see that
>> the 2.0
>> version is no more compatible with the last 1.4, good idea ! - The Webmin
>> module is no more compatible too !
>>
>> Why don't you make a new project with an other name and freeze the
>> Shorewall
>> project ?

I should also point out that the decision as to whether to create a shorewall2 package or make Shorewall 2.0 a continuation of the shorewall package is the decision of the Debian maintainer. The decision that he made was consistent with a similar decision involving the migration from Samba 2 to Samba 3; that is, to keep a single package. He and I discussed this issue when Shorewall 2.0.0 was in Beta.

I should also point out that when I bring out a new major release, the previous major release (in this case version 1.4) is still supported and I release bug fixes for it on the Shorewall errata page. So even if you don't choose to upgrade via apt-get, you can still install bug fixes if needed.

As a final word, I assure you that I don't capriciously change Shorewall just to make life difficult for you. It has been my experience that a product that doesn't correct its design errors when they are identified will eventually collapse under its own weight and that mindless adherence to upward compatibility at any cost leads to code bloat and loss of maintainability. I don't want that to happen to Shorewall.

One of the 1.4 -> 2.0 incompatibilities is due to correction of a design error in Netfilter itself; the 'unclean' match extension was a well-intentioned mistake that has been corrected (read that "removed") in the 2.6 kernels. I have thus similarly removed the 'dropunclean' and 'logunclean' interface options that were based on that match extension.

So these types of incompatible changes are a fact of life and I as a software designer and developer will do my best to minimize their frequency, to document them and to warn you that they are coming.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
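
Added example (not part of the thread and not Shorewall project code): a pre-upgrade scan for the one incompatibility the message above names, the removed 'dropunclean' and 'logunclean' interface options. It assumes the interfaces file uses the columns ZONE, INTERFACE, BROADCAST, OPTIONS with comma-separated options; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Pre-upgrade check: report interfaces that still use options removed in 2.0.

# Options the thread names as removed in Shorewall 2.0.
REMOVED_OPTIONS="dropunclean logunclean"

# find_removed_options FILE
# Prints "<line-number> <interface> <option>" for each removed option in use.
# Assumption: columns are ZONE INTERFACE BROADCAST OPTIONS, options are
# comma-separated, and '#' starts a comment.
find_removed_options() {
    awk -v removed="$REMOVED_OPTIONS" '
        BEGIN {
            n = split(removed, r, " ")
            for (i = 1; i <= n; i++) bad[r[i]] = 1
        }
        {
            sub(/#.*/, "")        # drop comments, fields are re-split
            if (NF < 4) next      # no OPTIONS column on this line
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++)
                if (opts[i] in bad) print NR, $2, opts[i]
        }
    ' "$1"
}

# check_before_upgrade FILE
# Returns 0 if the file is clean, 1 if a removed option is still configured.
check_before_upgrade() {
    hits=$(find_removed_options "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while read -r lineno iface opt; do
            echo "line $lineno: interface $iface uses removed option '$opt'" >&2
        done
        return 1
    fi
    return 0
}

# write_sample_interfaces FILE
# Writes a constructed 1.4-style interfaces file (sample data, not from the thread).
write_sample_interfaces() {
    cat > "$1" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,dropunclean,norfc1918
loc     eth1        detect
dmz     eth2        detect      logunclean   # constructed entry
EOF
}

# Run against a real file when one is given, e.g. the interfaces file
# under /etc/shorewall (path assumed): sh check.sh /etc/shorewall/interfaces
if [ "$#" -gt 0 ]; then
    check_before_upgrade "$1"
fi
```

A non-zero exit can gate the package upgrade in a wrapper script, so the firewall is not restarted with a configuration that 2.0 will reject.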

On Thu, 2004-05-27 at 07:40 -0700, Tom Eastep wrote:

> As a final word, I assure you that I don't capriciously change Shorewall
> just to make life difficult for you. It has been my experience that a
> product that doesn't correct its design errors when they are identified
> will eventually collapse under its own weight and that mindless
> adherence to upward compatibility at any cost leads to code bloat and
> loss of maintainability. I don't want that to happen to Shorewall.

See Microsoft Windows 3.x, Windows 95, Windows 200x.

> So these types of incompatible changes are a fact of life and I as a
> software designer and developer will do my best to minimize their
> frequency, to document them and to warn you that they are coming.

I had 0 problems upgrading all of my shorewall installations. Maybe that had something to do with following the notices that were sent out on the mailing list to help prepare and reading the upgrade notes before moving ahead.

--
David T Hollis <dhollis@davehollis.com>

On Thu, 2004-05-27 at 06:49 -0700, Tom Eastep wrote:

> Sam Przyswa wrote:
>
> > After an "apt-get install shorewall" on our Debian machine I see that the 2.0
> > version is no more compatible with the last 1.4, good idea ! - The Webmin
> > module is no more compatible too !
> >
> > Why don't you make a new project with an other name and freeze the Shorewall
> > project ?
>
> Why did you upgrade?
>
> > It should be nice to think about all the sysadmin they have to manage a large
> > amount of machine before to make a release with no historical compatibility.

Sam, did you read anything at all about the 2.0 versions?

Upgrading *major* versions without reading any information beforehand isn't what I would expect an admin to do.

> > At this time I have to downgrade to 1.4.7 to be able to manage my machines
> > with Webmin and freeze the configuration on our customers, or let me know how
> > to convert the 1.4 configs files to 2.0.
>
> a) For months before the 2.0 release, I sent messages on this list and
> on the Announcement list telling users how to prepare for 2.0 while they
> were still running 1.4.
>
> b) As always, the release notes for 2.0 gave detailed information on
> migration issues.

[...]

> I will continue to make incompatible changes in Shorewall at major
> releases when I feel that it is in the best interest of the product and
> the community who uses it.

Tom, don't get upset by complaints like this. It's simply not true. Shorewall definitely is one of the best documented projects out there, the docs and notes about changes (in advance!) are outstanding.

Keep up the good work!

karsten

--
Davision - Atelier fuer Gestaltung / Internet / Multimedia
UNIX / Linux Netzwerke und Schulungen
Telefon 06151/273859 Fax 06151/273862

Jason Png wrote:

> Read the manual and do some research before you point finger and accuse of
> the author who you claimed doesn't make any announcement, whereas the actual
> fact is that you yourself never bother to. Enough said.

I don't accuse anybody, we are a small company who try to impose the Open Source solution vs. Microsoft, we spend a lot of time to build these solutions and maintain them.

We have make the Shorewall choice because it was the best firewall assistant we have found, but we will stay in 1.4.7 does matter.

Thanks for this nice piece of software, Shorewall 1.4 should be the best solution anyway. When we will have the time, we will test and upgrade our machines to 2.0.

Sam.

Karsten Bräckelmann wrote:

> On Thu, 2004-05-27 at 06:49 -0700, Tom Eastep wrote:
>
>> Sam Przyswa wrote:
>>
>>> After an "apt-get install shorewall" on our Debian machine I see that the 2.0
>>> version is no more compatible with the last 1.4, good idea ! - The Webmin
>>> module is no more compatible too !
>>>
>>> Why don't you make a new project with an other name and freeze the Shorewall
>>> project ?
>>
>> Why did you upgrade?
>>
>>> It should be nice to think about all the sysadmin they have to manage a large
>>> amount of machine before to make a release with no historical compatibility.
>
> Sam, did you read anything at all about the 2.0 versions?
>
> Upgrading *major* versions without reading any information beforehand
> isn't what I would expect an admin to do.

I just try the Debian update (apt-get install shorewall) on my own machine, *not* the productions, and I have the surprise that it don't work.

I have not lost my 1.4 config, back to this version, and lose just one hour that's it.

What the big deal.

Keep cool and "c'est beau la vie"

Sam.

Sam Przyswa wrote:

> Karsten Bräckelmann wrote:
>
>> On Thu, 2004-05-27 at 06:49 -0700, Tom Eastep wrote:
>>
>>> Sam Przyswa wrote:
>>>
>>>> After an "apt-get install shorewall" on our Debian machine I see
>>>> that the 2.0
>>>> version is no more compatible with the last 1.4, good idea ! - The
>>>> Webmin
>>>> module is no more compatible too !
>>>>
>>>> Why don't you make a new project with an other name and freeze the
>>>> Shorewall
>>>> project ?
>>>
>>> Why did you upgrade?
>>>
>>>> It should be nice to think about all the sysadmin they have to
>>>> manage a large
>>>> amount of machine before to make a release with no historical
>>>> compatibility.
>>
>> Sam, did you read anything at all about the 2.0 versions?
>>
>> Upgrading *major* versions without reading any information beforehand
>> isn't what I would expect an admin to do.
>
> I just try the Debian update (apt-get install shorewall) on my own
> machine, *not* the productions, and I have the surprise that it don't work.
>
> I have not lost my 1.4 config, back to this version, and lose just one
> hour that's it.
>
> What the big deal.
>
> Keep cool and "c'est beau la vie"

While I haven't tried to 'install' over a 1.4 installation, I know that 'upgrade' retains the 1.4 configuration and that a fresh 'install' (where no prior version exists) does not install any files in /etc/shorewall (see the recent thread on this subject).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

I've been a debian user for a very long time. In certain cases, like you mentioned, when you do a fresh installation, there are no files in /etc/Shorewall

And if you do an apt-get update and apt-get upgrade, where you upgrade the Shorewall from 1.4 to 2.0, it retains the old config files

I've no problem upgrading from 1.4 to 2.0 on debian using the same old configuration file and the firewall works like a charm, just like that, without having to do any necessary modification to any file at all.

I run very basic rules on firewall and I'm currently maintaining 20 shorewall boxes and all running on debian, I have no problems with either box at all.

Regards,
Jason

Tom Eastep wrote:

> Tom Eastep wrote:
>
>> Sam Przyswa wrote:
>>
>>> After an "apt-get install shorewall" on our Debian machine I see
>>> that the 2.0
>>> version is no more compatible with the last 1.4, good idea ! - The
>>> Webmin
>>> module is no more compatible too !
>>>
>>> Why don't you make a new project with an other name and freeze the
>>> Shorewall
>>> project ?
>
> I should also point out that the decision as to whether to create a
> shorewall2 package or make Shorewall 2.0 a continuation of the
> shorewall package is the decision of the Debian maintainer. The
> decision that he made was consistent with a similar decision involving
> the migration from Samba 2 to Samba 3; that is, to keep a single
> package. He and I discussed this issue when Shorewall 2.0.0 was in Beta.

We have installed Samba 3 over Samba 2 setup without problems with one or two changes in smb.conf after some warnings at samba launch but it continue to run, shorewall no and firewalling is a critical apps on network.

> I should also point out that when I bring out a new major release, the
> previous major release (in this case version 1.4) is still supported
> and I release bug fixes for it on the Shorewall errata page. So even
> if you don't choose to upgrade via apt-get, you can still install bug
> fixes if needed.

Ok, at this time we stay in 1.4 and continue to improve the Webmin Shorewall module (1.4).

> As a final word, I assure you that I don't capriciously change
> Shorewall just to make life difficult for you. It has been my
> experience that a product that doesn't correct its design errors when
> they are identified will eventually collapse under its own weight and
> that mindless adherence to upward compatibility at any cost leads to
> code bloat and loss of maintainability. I don't want that to happen to
> Shorewall.

Sure, but perhaps it's the Debian's maintainer fault who keep the new 2.0 package named shorewall instead of shorewall2 or anything else to avoid confusion between two major versions.

> So these types of incompatible changes are a fact of life and I as a
> software designer and developer will do my best to minimize their
> frequency, to document them and to warn you that they are coming.

Thanks for that and perhaps this thread help some users in upgrading or not their system.

Sam.

On Thu, 27 May 2004 17:43:18 +0200 Sam Przyswa <samp@arial-concept.com> wrote:

> I just try the Debian update (apt-get install shorewall) on my own
> machine, not the productions, and I have the surprise that it don't work.

You didn't even try to tell us what doesn't work.

> I have not lost my 1.4 config, back to this version, and lose just one
> hour that's it.
>
> What the big deal.

Big deal is that your first message was quite insulting and not very encouraging for Tom.

Regards,
Nerijus

When I upgraded my Debian firewall box to Shorewall 2.0, I got the following (very prominent) debconf message asking if I wanted to restart the firewall. Even if I hadn't checked for issues before upgrading (which seems ill-advised for a firewall, BTW), that definitely should have caught one's attention.

    Did you check your configuration and do you want to restart Shorewall right now?

    This is a major release of Shorewall that introduces some changes in the
    configuration files. You have to check carefully your configuration before
    restarting your firewall to avoid failures and network blackout.

    The changes are listed below (or in /usr/share/doc/shorewall/upgrade_14-20.txt.gz)

It was immediately followed by a list of 8 or so specific changes, which were deemed to be worth verifying. Just about everything Tom had mentioned on this list, in fact.

Nerijus Baliunas wrote:

> Big deal is that your first message was quite insulting and not very encouraging
> for Tom.

My message was not insulting for anybody, only a remark, but if you felt as it I can't make anything for you.

I was 21 years old when Unix is born on the AT&T labs, I begin to use newsgroups and email in early 80s, at this time the newsgroups was a democratic area where everybody can freely speak, now I *must* be to your opinion or don't talk, good and sorry for disturbing your quiet community.

Sam.

On Fri, 28. 05. 2004 at 17:47, Sam Przyswa wrote:

> > Big deal is that your first message was quite insulting and not very encouraging
> > for Tom.
>
> My message was not insulting for anybody, only a remark

you basically said that TCO of Shorewall is too high and that it's Tom's fault (quoting you: "have not to trust the GPL developers" and [author] "have to respect a minimum policy"). Considering that you got Shorewall for _free_ from Tom it sure was insulting, no doubt about it.

> I was 21 years old when Unix is born on the AT&T labs
...
> I *must* be to your opinion or don't talk

that's not true. You still can express your opinion but we can express ours and so we do. Pity that you point out that you've been so long here but still haven't understood that if you choose a GPL solution you should better thank to and praise those who give their very own time and energy to you _for free_ so you can run your _business_ and make money on it. Instead you blame for things that are plain wrong (Tom posted first "prepare for 2.0.0 upgrade" message to this list on February 15th, not to mention the mass of available documentation that is so exceptionally good compared to many other GPL projects, including mine :-).

Petr