Hi,

I have upgraded Shorewall from version 1 to version 2. I'd like to fully disable the ACTIONS; they are a very good idea, but I prefer to fully configure my firewall in only one file, rules. Is it possible?

Another thing: the .deb package of Shorewall 2 doesn't install any files in /etc/shorewall/ on Debian Sarge (testing version). I tried the original Debian version and the shorewall.net .deb version and both have this problem. I tried on 2 freshly installed Debian PCs and always got no files in /etc/shorewall/.

Thanks
Salvatore wrote:
> I have upgraded Shorewall from version 1 to version 2.
> I'd like to fully disable the ACTIONS; they are a very good idea, but
> I prefer to fully configure my firewall in only one file, rules.
> Is it possible?

Yes -- just don't use them.

> Another thing: the .deb package of Shorewall 2 doesn't install any files in /etc/shorewall/ on
> Debian Sarge (testing version). I tried the original Debian version and the
> shorewall.net .deb version and both have this problem. I tried on 2 freshly installed
> Debian PCs and always got no files in /etc/shorewall/.

Sorry -- I forgot to publish the new installation instructions. The updated instructions can be viewed at http://shorewall.net/Install.htm. This is expected behavior with the .deb.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
If you had searched through this archive, you'd have noticed that the files installed via apt-get or .deb come with sample files located in /usr/share/doc/shorewall/default-config/

-----Original Message-----
From: Salvatore
Sent: Friday, May 28, 2004 3:23 AM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Disabling Actions and .deb bug
Tom Eastep wrote:
> Salvatore wrote:
>
>> I have upgraded Shorewall from version 1 to version 2.
>> I'd like to fully disable the ACTIONS; they are a very good idea, but
>> I prefer to fully configure my firewall in only one file, rules.
>> Is it possible?
>
> Yes -- just don't use them.

In /etc/shorewall/actions, you will have to include:

:REJECT
:DROP

Then you get to add all the rules yourself to prevent your policies from logging crap like SMB, broadcasts, UPnP, late DNS replies... (remember that there is no 'common' chain any more to do this for you; it is rather done by the Reject and Drop actions).

Are you *sure* that you don't want to at least use the default common actions for the REJECT and DROP policies?

-Tom
> Tom Eastep wrote:
> Then you get to add all the rules yourself to prevent your policies from
> logging crap like SMB, broadcasts, UPnP, late DNS replies... (remember
> that there is no 'common' chain any more to do this for you; it is
> rather done by the Reject and Drop actions).

What is the difference between having the broadcast action enabled and the "nosmurfs" option in the interface file?

For the other services I need to enable/disable by myself because I need access to those ports, so I think the best choice is to disable actions. Is it correct?

Thanks
Salvatore wrote:
>> Tom Eastep wrote:
>>
>> Then you get to add all the rules yourself to prevent your policies from
>> logging crap like SMB, broadcasts, UPnP, late DNS replies... (remember
>> that there is no 'common' chain any more to do this for you; it is
>> rather done by the Reject and Drop actions).
>
> What is the difference between having the broadcast action enabled and the
> "nosmurfs" option in the interface file?

Smurfs are packets where the SOURCE IP is a broadcast address. The dropBcast standard action drops broadcast packets (destination IP is a broadcast address).

> For the other services I need to enable/disable by myself because
> I need access to those ports, so I think the best choice is to disable
> actions. Is it correct?

With the exception of the RejectAuth entry in the standard 'Drop' and 'Reject' actions, *the default actions do not change anything except what gets logged.* This is exactly the same as the default 'common' chain was in 1.4 -- *that also stopped a lot of useless crap from being logged and that is all it did!!!* Look at the rules (shorewall status) -- Drop and Reject are only invoked JUST BEFORE THE PACKET IS GOING TO BE DROPPED OR REJECTED ANYWAY by a policy!!! The actions are just there to cut down on the amount of useless logging that goes on when you specify a log level for the policy. The standard actions do *NOT* give you any less control than you had before -- they are just a more user-friendly way of expressing what used to be expressed using raw iptables commands in /usr/share/shorewall/common.def.

See FAQ 4 for an explanation of why auth connection requests are rejected even when the policy is Drop.

-Tom
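The smurf/broadcast distinction Tom draws above is easy to get backwards, so here is an added example that makes it concrete. This is illustration code, not code from the thread, from the Shorewall project, or from the rules Shorewall generates for "nosmurfs" and dropBcast: it classifies a packet by whether its SOURCE address is a broadcast address (a smurf, which can only be forged) or its DESTINATION address is (an ordinary broadcast). The interface subnets, the sample packets, and the choice to test the source first are all assumptions of this example.

```python
"""Smurf vs. broadcast packet classification.

Added example, not code from the Shorewall project or from the mailing-list
thread. It models the distinction drawn in the thread: a "smurf" has a
broadcast address as its SOURCE IP, while dropBcast matches a broadcast
DESTINATION IP. Interface networks and packets below are constructed data.
"""
import ipaddress

# Constructed sample: the subnet behind each firewall interface (assumption).
INTERFACE_NETS = {
    "eth0": ipaddress.ip_network("192.0.2.0/24"),
    "eth1": ipaddress.ip_network("198.51.100.0/25"),
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_broadcast(addr, nets):
    """True if addr is the limited broadcast or the directed broadcast of a known net."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return True
    return any(ip == net.broadcast_address for net in nets)


def classify(src, dst, nets=None):
    """Classify a packet the way 'nosmurfs' and 'dropBcast' look at it.

    "smurf"     - the source is a broadcast address; nothing legitimately
                  sends FROM a broadcast address, so the packet is forged.
    "broadcast" - only the destination is a broadcast address.
    "unicast"   - neither.
    The source is checked first, so a packet that is both is reported as a
    smurf (ordering chosen for this example, not taken from Shorewall).
    """
    nets = list(INTERFACE_NETS.values()) if nets is None else nets
    if is_broadcast(src, nets):
        return "smurf"
    if is_broadcast(dst, nets):
        return "broadcast"
    return "unicast"


def summarize(packets, nets=None):
    """Count packets per class, e.g. to see how much of a policy log is broadcast noise."""
    counts = {"smurf": 0, "broadcast": 0, "unicast": 0}
    for src, dst in packets:
        counts[classify(src, dst, nets)] += 1
    return counts


# Constructed sample traffic as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.17", "192.0.2.255"),        # NetBIOS-style directed broadcast
    ("192.0.2.17", "255.255.255.255"),    # DHCP discover to limited broadcast
    ("192.0.2.255", "192.0.2.17"),        # forged source: smurf
    ("255.255.255.255", "198.51.100.5"),  # forged source: smurf
    ("198.51.100.5", "192.0.2.17"),       # ordinary unicast
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>16} -> {dst:<16} {classify(src, dst)}")
    print(summarize(SAMPLE_PACKETS))
```

Note that the directed-broadcast test depends on knowing the subnet: 198.51.100.255 is an ordinary host address on the /25 above, so only the limited broadcast and each interface's own broadcast address count. That is also why a tool like Shorewall needs the interface configuration to do this for you.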