hi,
I create a rule such as action.AllowPostGrey:
-----------------------------------------------
######################################################################################
#TARGET    SOURCE    DEST          PROTO    DEST       SOURCE     RATE     USER/
#                                           PORT       PORT(S)    LIMIT    GROUP
ACCEPT     $A_IP     $PORTAL_IP    tcp      10023
ACCEPT     $B_IP     $PORTAL_IP    tcp      10023
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-----------------------------------------------
and add one line to the rules file:
-----------------------------------------------
AllowPostGrey    -    -
-----------------------------------------------
After a shorewall check I've got the following error:
-----------------------------------------------
Error: Undefined Client Zone in rule "AllowPostGrey - -"
-----------------------------------------------
So my question: must I define a source and destination in the rules file, or can I use "-"? Or is it simply not possible to define such an action?
Thanks in advance.
yours.
--
Levente "Si vis pacem para bellum!"
On Fri, 17 Sep 2004, Farkas Levente wrote:

> hi,
> I create a rule such as action.AllowPostGrey:
> -----------------------------------------------
> ######################################################################################
> #TARGET    SOURCE    DEST          PROTO    DEST       SOURCE     RATE     USER/
> #                                           PORT       PORT(S)    LIMIT    GROUP
> ACCEPT     $A_IP     $PORTAL_IP    tcp      10023
> ACCEPT     $B_IP     $PORTAL_IP    tcp      10023
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> -----------------------------------------------
> and add one line to the rules file:
> -----------------------------------------------
> AllowPostGrey    -    -
> -----------------------------------------------
> After a shorewall check I've got the following error:
> -----------------------------------------------
> Error: Undefined Client Zone in rule "AllowPostGrey - -"
> -----------------------------------------------
> So my question: must I define a source and destination in the rules file, or can I use "-"? Or is it simply not possible to define such an action?
> Thanks in advance.

In the rules file, you should at least specify the source and destination zones (I assume that you know what they are ahead of time so you don't have to use 'all').

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
> On Fri, 17 Sep 2004, Farkas Levente wrote:
>
>> hi,
>> I create a rule such as action.AllowPostGrey:
>> -----------------------------------------------
>> ######################################################################################
>> #TARGET    SOURCE    DEST          PROTO    DEST       SOURCE     RATE     USER/
>> #                                           PORT       PORT(S)    LIMIT    GROUP
>> ACCEPT     $A_IP     $PORTAL_IP    tcp      10023
>> ACCEPT     $B_IP     $PORTAL_IP    tcp      10023
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>> -----------------------------------------------
>> and add one line to the rules file:
>> -----------------------------------------------
>> AllowPostGrey    -    -
>> -----------------------------------------------
>> After a shorewall check I've got the following error:
>> -----------------------------------------------
>> Error: Undefined Client Zone in rule "AllowPostGrey - -"
>> -----------------------------------------------
>> So my question: must I define a source and destination in the rules file, or can I use "-"? Or is it simply not possible to define such an action?
>> Thanks in advance.
>
> In the rules file, you should at least specify the source and destination
> zones (I assume that you know what they are ahead of time so you don't
> have to use 'all').

But how can I define it in this case? I understand that I can write the whole action in the rules file as (without the actions):
-----------------------------------------------
ACCEPT    net:$A_IP    net:$PORTAL_IP    tcp    10023
ACCEPT    net:$B_IP    net:$PORTAL_IP    tcp    10023
-----------------------------------------------
or can I use the original action.AllowPostGrey and the following rules file:
-----------------------------------------------
AllowPostGrey    net    net
-----------------------------------------------
yours.
--
Levente
Farkas Levente wrote:

| or can I use the original action.AllowPostGrey and the following rules
| file:
| -----------------------------------------------
| AllowPostGrey    net    net
| -----------------------------------------------

Yes (except that AllowPostGrey is longer than 11 characters).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Farkas Levente wrote:
>
> | or can I use the original action.AllowPostGrey and the following rules
> | file:
> | -----------------------------------------------
> | AllowPostGrey    net    net
> | -----------------------------------------------
>
> Yes (except that AllowPostGrey is longer than 11 characters).

Is this (11 characters) documented somewhere?
--
Levente
Farkas Levente wrote:
| Tom Eastep wrote:
|
|> Farkas Levente wrote:
|>
|> | or can I use the original action.AllowPostGrey and the following rules
|> | file:
|> | -----------------------------------------------
|> | AllowPostGrey    net    net
|> | -----------------------------------------------
|>
|> Yes (except that AllowPostGrey is longer than 11 characters).
|
| Is this (11 characters) documented somewhere?
|

The User-defined action documentation clearly states that action names must be both valid Shell variable names and valid iptables chain names. The latter have a maximum length of 11 characters.

-Tom
Tom Eastep wrote:
> Farkas Levente wrote:
> | Tom Eastep wrote:
> |
> |> Farkas Levente wrote:
> |>
> |> | or can I use the original action.AllowPostGrey and the following rules
> |> | file:
> |> | -----------------------------------------------
> |> | AllowPostGrey    net    net
> |> | -----------------------------------------------
> |>
> |> Yes (except that AllowPostGrey is longer than 11 characters).
> |
> | Is this (11 characters) documented somewhere?
> |
>
> The User-defined action documentation clearly states that action names
> must be both valid Shell variable names and valid iptables chain names.
> The latter have a maximum length of 11 characters.

It's really hard to find, but AFAIK it's defined in the kernel's IPT_FUNCTION_MAXNAMELEN in include/linux/netfilter_ipv4/ip_tables.h, which is 30 (at least in our RHEL 3's 2.4.21-15.0.4.ELsmp and FC2's 2.6.8-1.521) ...
--
Levente
Farkas Levente wrote:
| Tom Eastep wrote:
|
|> Farkas Levente wrote:
|> | Tom Eastep wrote:
|> |
|> |> Farkas Levente wrote:
|> |>
|> |> | or can I use the original action.AllowPostGrey and the following
|> |> | rules file:
|> |> | -----------------------------------------------
|> |> | AllowPostGrey    net    net
|> |> | -----------------------------------------------
|> |>
|> |> Yes (except that AllowPostGrey is longer than 11 characters).
|> |
|> | Is this (11 characters) documented somewhere?
|> |
|>
|> The User-defined action documentation clearly states that action names
|> must be both valid Shell variable names and valid iptables chain names.
|> The latter have a maximum length of 11 characters.
|
| It's really hard to find, but AFAIK it's defined in the kernel's
| IPT_FUNCTION_MAXNAMELEN in include/linux/netfilter_ipv4/ip_tables.h
| which is 30 (at least in our RHEL 3's 2.4.21-15.0.4.ELsmp and FC2's
| 2.6.8-1.521) ...
|

Ah -- now I remember where the limit of 11 comes from -- if you use the default LOGFORMAT string, you can't log from a chain if the chain name is longer than 11 characters in length.

-Tom
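The thread settles two practical constraints on Shorewall configuration: a rules entry must name source and destination zones (Tom's first reply, and the "Undefined Client Zone" error Levente hit with "-"), and a user-defined action name must be a valid shell variable name and short enough that its chain can still log, which with the default LOGFORMAT means 11 characters. The Python linter below is an added example, not Shorewall's own code and not anything either poster wrote; it checks constructed actions, zones and rules files for both problems before you run a real `shorewall check`. Assumptions it makes beyond what the thread states: the Shorewall 2.x column layout (ACTION, SOURCE and DEST as the first three rules fields, with a zone name before an optional ':' host or interface qualifier and an optional ':loglevel' suffix on the action), a partial list of built-in targets, a firewall zone named `fw` as set by FW= in shorewall.conf, and the 30-character kernel chain-name limit Levente cites. The sample files are constructed for the example.

```python
import re

# Constructed sample files modelled on the thread; not the poster's real configuration.
ACTIONS_FILE = """\
#ACTION
AllowPostGrey     # 13 characters: chain cannot log with the default LOGFORMAT
AllowPG           # 7 characters: fine
DropSpam
2badname          # not a valid shell variable name
"""

ZONES_FILE = """\
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
"""

FW_ZONE = "fw"  # firewall zone name, normally set by FW= in shorewall.conf (assumed)

RULES_FILE = """\
#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
AllowPG         net             net
AllowPostGrey   -               -
ACCEPT          net:$A_IP       net:$PORTAL_IP  tcp     10023
AllowPG:info    net             loc
DropSpam        dmz             net
ACCEPT          net             fw              tcp     22
NoSuchAction    loc             net
"""

# Built-in rule targets in Shorewall 2.x (partial list, enough for this check).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "CONTINUE", "LOG", "QUEUE"}

SHELL_VAR_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
LOG_SAFE_NAME_LEN = 11      # limit Tom cites for logging with the default LOGFORMAT
KERNEL_CHAIN_NAME_LEN = 30  # IPT_FUNCTION_MAXNAMELEN as cited by Levente (assumed)


def parse_lines(text):
    """Yield (lineno, fields) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if line:
            yield lineno, line.split()


def check_action_names(actions_text):
    """Return (names, problems): names must be shell identifiers and short enough to log from."""
    names, problems = [], []
    for lineno, fields in parse_lines(actions_text):
        name = fields[0]
        names.append(name)
        if not SHELL_VAR_RE.match(name):
            problems.append(f"actions:{lineno}: '{name}' is not a valid shell variable name")
        if len(name) > KERNEL_CHAIN_NAME_LEN:
            problems.append(f"actions:{lineno}: '{name}' exceeds the {KERNEL_CHAIN_NAME_LEN}-character chain name limit")
        elif len(name) > LOG_SAFE_NAME_LEN:
            problems.append(f"actions:{lineno}: '{name}' is {len(name)} characters; logging from its chain "
                            f"fails with the default LOGFORMAT (limit {LOG_SAFE_NAME_LEN})")
    return names, problems


def load_zones(zones_text, fw_zone=FW_ZONE):
    """Zone names from the zones file plus the firewall zone from shorewall.conf."""
    zones = {fields[0] for _, fields in parse_lines(zones_text)}
    zones.add(fw_zone)
    return zones


def check_rules(rules_text, zones, actions):
    """Flag unknown actions, '-' in a zone column, and zones that are not defined."""
    problems = []
    for lineno, fields in parse_lines(rules_text):
        if len(fields) < 3:
            problems.append(f"rules:{lineno}: expected ACTION SOURCE DEST, got '{' '.join(fields)}'")
            continue
        target, source, dest = fields[:3]
        base = target.split(":", 1)[0]   # drop an optional ':loglevel' suffix
        if base not in BUILTIN_TARGETS and base not in actions:
            problems.append(f"rules:{lineno}: unknown action '{base}'")
        for column, spec in (("SOURCE", source), ("DEST", dest)):
            zone = spec.split(":", 1)[0]   # zone[:host-or-interface]
            if zone == "-":
                problems.append(f"rules:{lineno}: {column} is '-'; a zone is required here ('all' if any zone is meant)")
            elif zone != "all" and zone not in zones:
                problems.append(f"rules:{lineno}: undefined {column} zone '{zone}'")
    return problems


def lint(actions_text=ACTIONS_FILE, zones_text=ZONES_FILE, rules_text=RULES_FILE):
    """Run both checks and return the combined list of problem strings."""
    actions, problems = check_action_names(actions_text)
    problems += check_rules(rules_text, load_zones(zones_text), set(actions))
    return problems


if __name__ == "__main__":
    for problem in lint():
        print(problem)
```

On the sample input the linter reports six problems: the over-long AllowPostGrey name, the invalid `2badname`, both '-' zone columns on the AllowPostGrey rule, the undefined `dmz` zone, and the unknown action on the last rule. The 11-character check is deliberately separate from the kernel limit because the chain is created fine at 13 characters; it only fails later when a LOG rule in that chain is generated, which is exactly why the restriction was hard to find. `shorewall check` remains the authority; this only catches the two classes of mistake discussed in the thread before you get there.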
Tom Eastep wrote:
| Farkas Levente wrote:
| |
| | It's really hard to find, but AFAIK it's defined in the kernel's
| | IPT_FUNCTION_MAXNAMELEN in include/linux/netfilter_ipv4/ip_tables.h
| | which is 30 (at least in our RHEL 3's 2.4.21-15.0.4.ELsmp and FC2's
| | 2.6.8-1.521) ...
| |
|
| Ah -- now I remember where the limit of 11 comes from -- if you use the
| default LOGFORMAT string, you can't log from a chain if the chain name
| is longer than 11 characters in length.

I have updated the Docs and the next releases of both 2.0 and 2.1 will include an updated /etc/shorewall/actions file that documents the restriction properly.

Thanks for bringing this to my attention,

-Tom