I have coded a fix for a problem involving 'shorewall refresh' and multiple ISPs. Previously, 'shorewall refresh' could damage the rules involved in connection tracking.

I've tested the 2.5 version of the fix but I do not have a 2.4 multi-ISP testbed to test that version of the fix. If someone would be willing to test the fix under 2.4, I would very much appreciate it.

Pre-2.4.5 code is available at:

http://www1.shorewall.net/pub/shorewall/2.4/test
ftp://ftp1.shorewall.net/pub/shorewall/2.4/test

Thanks!
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

I'll do it. I will need a couple of hours.
Let you know!

--john

John Hill wrote:
> I'll do it. I will need a couple of hours.
> Let you know!

Thanks, John!

-Tom

Had some time.
This is 2.4.30 kernel. Iptables 1.3.3

It runs just fine.

Refresh fails.
Iptables No target match
iptables -t mangle -F tcFlush failed

--john

John Hill wrote:
> Had some time.
> This is 2.4.30 kernel. Iptables 1.3.3
>
> It runs just fine.
>
> Refresh fails.
> Iptables No target match
> iptables -t mangle -F tcFlush failed

Please edit /usr/share/shorewall/firewall and change line 3381 from

    [ -n "$MARK_IN_FORWARD_CHAIN" ] && run_iptables -t mangle -F tcpre

to

    run_iptables -t mangle -F tcpre

and change line 3382 from:

    run_iptables -t mangle -F tcFlush

to

    run_iptables -t mangle -F tcpost

Thanks,
-Tom

Ok here is what we have:

    run_iptables -t mangle -F $chain
    run_iptables -t mangle -F tcpre
    run_iptables -t mangle -F tcout
    run_iptables -t mangle -F tcpost

This runs and says refreshed and gives no error.

--john

John Hill wrote:
> Ok here is what we have:
>
> run_iptables -t mangle -F $chain

Let's change the above to

    run_iptables -t mangle -F tcfor

> run_iptables -t mangle -F tcpre
> run_iptables -t mangle -F tcout
> run_iptables -t mangle -F tcpost
>
> This runs and says refreshed and gives no error.

Ok -- now I would like you to:

a) shorewall restart
b) Note the contents of "shorewall show mangle" -- in particular the rules in tcfor, tcpre, tcout and tcpost
c) shorewall refresh
d) The changes should be the same as in step b) except for packet and byte counts.

Thanks!

-Tom

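The before/after comparison requested in steps a) to d) above can be scripted. The following is an added example, not part of the original thread or of Shorewall; it assumes "shorewall show mangle" prints chains in the "iptables -t mangle -L -n -v" layout, and the snapshot it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes "shorewall show mangle"
# prints chains in the "iptables -t mangle -L -n -v" layout.

# Keep only the tcfor/tcpre/tcout/tcpost chains from stdin and drop the
# pkts/bytes columns, so two snapshots compare on rules alone.
normalize_mangle() {
    awk '
        /^Chain / {
            keep = ($2 ~ /^(tcfor|tcpre|tcout|tcpost)$/)
            if (keep) print "Chain " $2
            next
        }
        !keep || NF == 0 || $1 == "pkts" { next }
        { $1 = ""; $2 = ""; sub(/^ +/, ""); print }
    '
}

# Succeed only if both snapshot files hold the same, non-empty tc* rules.
same_rules() {
    before=$(normalize_mangle < "$1")
    after=$(normalize_mangle < "$2")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Constructed sample snapshot: $1 = pkts, $2 = bytes, $3 = mark value.
sample() {
    cat <<EOF
Shorewall Mangle Table (constructed sample)

Chain PREROUTING (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source       destination
   $1 $2 tcpre      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source       destination
   $1 $2 MARK       all  --  eth0   *       0.0.0.0/0    0.0.0.0/0    MARK set $3

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source       destination
EOF
}

# Demo on constructed data (live: snapshot before and after the refresh).
tmp=$(mktemp -d)
sample 120 9000 0x1 > "$tmp/before"
sample 455 31000 0x1 > "$tmp/after"
same_rules "$tmp/before" "$tmp/after" && echo "tc chains unchanged"
rm -rf "$tmp"
```

On a live firewall, save "shorewall show mangle" to a file after the restart and again after the refresh, then pass both files to same_rules; a non-zero exit means a tc chain changed or none of the four chains was found.
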
Done! Byte count was the only change.
Still works.

--john

John Hill wrote:
> Done! Byte count was the only change.
> Still works.

Thanks, John!

-Tom

The least I could do! I'll keep running this version with the mods. It is in production ;-)

--john