Shorewall 3.9.5 is available at
http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.5/

Lots of bugs fixed since last week. Thanks to all of you who are testing
3.9 (and a special thanks to Steven Springl).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
On Monday 30 April 2007 23:10, Tom Eastep wrote:
> Shorewall 3.9.5 is available at
> http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.5/
>
> Lots of bugs fixed since last week. Thanks to all of you who are testing
> 3.9 (and a special thanks to Steven Springl).

Tom

You are welcome.

I have included below a bug report that I sent for 3.9.4. I am not sure if it
went astray or not. If you had not gotten around to looking at it yet,
please accept my apology.

Steven.

The following rule:

LOG:6!    lan:192.168.0.3    $FW    udp    123

produces the following error message when compiled with shorewall-perl:

ERROR: Invalid log level (6!)

It works when compiled with shorewall-shell.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Steven Jan Springl wrote:
> On Monday 30 April 2007 23:10, Tom Eastep wrote:
>> Shorewall 3.9.5 is available at
>> http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.5/
>>
>> Lots of bugs fixed since last week. Thanks to all of you who are testing
>> 3.9 (and a special thanks to Steven Springl).
>
> Tom
>
> You are welcome.
>
> I have included below a bug report that I sent for 3.9.4. I am not sure if it
> went astray or not. If you had not gotten around to looking at it yet,
> please accept my apology.
>
> Steven.
>
> The following rule:
>
> LOG:6!    lan:192.168.0.3    $FW    udp    123
>
> produces the following error message when compiled with
> shorewall-perl:
>
> ERROR: Invalid log level (6!)
>
> It works when compiled with shorewall-shell.

Should be fixed in revision 6167.

Thanks, Steven.

-Tom
On Tuesday 01 May 2007 01:04, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Monday 30 April 2007 23:10, Tom Eastep wrote:
> >> Shorewall 3.9.5 is available at
> >> http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.5/
> >>
> >> Lots of bugs fixed since last week. Thanks to all of you who are testing
> >> 3.9 (and a special thanks to Steven Springl).
> >
> > Tom
> >
> > You are welcome.
> >
> > I have included below a bug report that I sent for 3.9.4. I am not sure
> > if it went astray or not. If you had not gotten around to looking at it
> > yet, please accept my apology.
> >
> > Steven.
> >
> > The following rule:
> >
> > LOG:6!    lan:192.168.0.3    $FW    udp    123
> >
> > produces the following error message when compiled with
> > shorewall-perl:
> >
> > ERROR: Invalid log level (6!)
> >
> > It works when compiled with shorewall-shell.
>
> Should be fixed in revision 6167.
>
> Thanks, Steven.
>
> -Tom

Tom

Yes, it works.

Steven.
Tom

My kernel does not have ipp2p support.

When I test ipp2p, ipp2p:udp, & ipp2p:all in the protocol field of a rule, I
get three different messages.

ipp2p produces:

ERROR: Invalid/Unknown protocol (ipp2p)

ipp2p:udp produces:

iptables-restore v1.3.6: unknown protocol 'ipp2p:udp' specified

ipp2p:all produces:

ERROR: PROTO = ipp2p requires IPP2P Match in your kernel and iptables

Should ipp2p and ipp2p:udp not produce the same message as ipp2p:all?

Steven.
Steven Jan Springl wrote:
> Tom
>
> My kernel does not have ipp2p support.
>
> When I test ipp2p, ipp2p:udp, & ipp2p:all in the protocol field of a rule, I
> get three different messages.
>
> ipp2p produces:
>
> ERROR: Invalid/Unknown protocol (ipp2p)
>
> ipp2p:udp produces:
>
> iptables-restore v1.3.6: unknown protocol 'ipp2p:udp' specified
>
> ipp2p:all produces:
>
> ERROR: PROTO = ipp2p requires IPP2P Match in your kernel and iptables
>
> Should ipp2p and ipp2p:udp not produce the same message as ipp2p:all?

Revision 6168 seems to give more consistent results.

-Tom
Tom

The following rule:

REDIRECT-    lan    10    tcp    10,200    1000:100000    192.168.2.0/24

generates the following iptables rule:

-A lan_dnat -p 6 -m multiport --dports 10,200 --sport 1000:10000 -d 192.168.2.0/24 -j REDIRECT --to-port 10 -m comment --comment "This is a test line"

which fails with the following message:

iptables-restore v1.3.6: multiport can only have one option.

Steven
Steven Jan Springl wrote:
> Tom
>
> The following rule:
>
> REDIRECT-    lan    10    tcp    10,200    1000:100000    192.168.2.0/24
>
> generates the following iptables rule:
>
> -A lan_dnat -p 6 -m multiport --dports 10,200 --sport 1000:10000 -d
> 192.168.2.0/24 -j REDIRECT --to-port 10 -m comment --comment "This is a test
> line"
>
> which fails with the following message:
>
> iptables-restore v1.3.6: multiport can only have one option.

If your iptables/kernel have 'Repeat match support' then revision 6173
should handle this correctly. Otherwise, this is a restriction of
iptables/netfilter (that I should document).

-Tom
On Tuesday 01 May 2007 17:23, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > The following rule:
> >
> > REDIRECT-    lan    10    tcp    10,200    1000:100000    192.168.2.0/24
> >
> > generates the following iptables rule:
> >
> > -A lan_dnat -p 6 -m multiport --dports 10,200 --sport 1000:10000 -d
> > 192.168.2.0/24 -j REDIRECT --to-port 10 -m comment --comment "This is a
> > test line"
> >
> > which fails with the following message:
> >
> > iptables-restore v1.3.6: multiport can only have one option.
>
> If your iptables/kernel have 'Repeat match support' then revision 6173
> should handle this correctly. Otherwise, this is a restriction of
> iptables/netfilter (that I should document).
>
> -Tom

Tom

It works.

Steven.
Tom

After applying REV 6178 I get the following errors:

Not enough arguments for Shorewall::Chains::do_test at /usr/share/shorewall-perl/Shorewall/Nat.pm line 172, near "$mark if"

Compilation failed in require at /usr/share/shorewall-perl/compiler.pl line 47.

BEGIN failed--compilation aborted at /usr/share/shorewall-perl/compiler.pl line 47.

Steven.
Steven Jan Springl wrote:
> Tom
>
> After applying REV 6178 I get the following errors:
>
> Not enough arguments for Shorewall::Chains::do_test
> at /usr/share/shorewall-perl/Shorewall/Nat.pm line 172, near "$mark if"
>
> Compilation failed in require at /usr/share/shorewall-perl/compiler.pl line
> 47.
>
> BEGIN failed--compilation aborted at /usr/share/shorewall-perl/compiler.pl
> line 47.

Oops -- apparently part of my new work snuck into that version.

Try 6179 please.

-Tom
On Tuesday 01 May 2007 19:30, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > After applying REV 6178 I get the following errors:
> >
> > Not enough arguments for Shorewall::Chains::do_test
> > at /usr/share/shorewall-perl/Shorewall/Nat.pm line 172, near "$mark if"
> >
> > Compilation failed in require at /usr/share/shorewall-perl/compiler.pl
> > line 47.
> >
> > BEGIN failed--compilation aborted at
> > /usr/share/shorewall-perl/compiler.pl line 47.
>
> Oops -- apparently part of my new work snuck into that version.
>
> Try 6179 please.
>
> -Tom

Tom

That's fixed it.

Steven.
Tom

When a rule that specifies source port 0 or destination port 0 calls a macro
the source port and destination ports in the macro are not overridden. E.G.

rule:
sjs/ACCEPT    $FW    $L3    tcp    0    0

macro sjs:
PARAM    -    -    tcp    22    10

generates iptables-rule:
-A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT

Steven.
Steven Jan Springl wrote:
> Tom
>
> When a rule that specifies source port 0 or destination port 0 calls a macro
> the source port and destination ports in the macro are not overridden. E.G.
>
> rule:
> sjs/ACCEPT    $FW    $L3    tcp    0    0
>
> macro sjs:
> PARAM    -    -    tcp    22    10
>
> generates iptables-rule:
> -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT

Revision 6183 should fix it.

Thanks, Steven

-Tom
On Tuesday 01 May 2007 22:24, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When a rule that specifies source port 0 or destination port 0 calls a
> > macro the source port and destination ports in the macro are not
> > overridden. E.G.
> >
> > rule:
> > sjs/ACCEPT    $FW    $L3    tcp    0    0
> >
> > macro sjs:
> > PARAM    -    -    tcp    22    10
> >
> > generates iptables-rule:
> > -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT
>
> Revision 6183 should fix it.
>
> Thanks, Steven
>
> -Tom

Tom

I have just tried revision 6184. It now generates an iptables rule without
either a source or destination port:

-A fw2lan -p 6 -d 192.168.0.3 -j ACCEPT

Steven.
Steven Jan Springl wrote:
> On Tuesday 01 May 2007 22:24, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> When a rule that specifies source port 0 or destination port 0 calls a
>>> macro the source port and destination ports in the macro are not
>>> overridden. E.G.
>>>
>>> rule:
>>> sjs/ACCEPT    $FW    $L3    tcp    0    0
>>>
>>> macro sjs:
>>> PARAM    -    -    tcp    22    10
>>>
>>> generates iptables-rule:
>>> -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT
>> Revision 6183 should fix it.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> I have just tried revision 6184. It now generates an iptables rule without
> either a source or destination port:
>
> -A fw2lan -p 6 -d 192.168.0.3 -j ACCEPT

Port 0 is equivalent to Port 'any' in Netfilter/Iptables.

-Tom
On Tuesday 01 May 2007 22:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Tuesday 01 May 2007 22:24, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> When a rule that specifies source port 0 or destination port 0 calls a
> >>> macro the source port and destination ports in the macro are not
> >>> overridden. E.G.
> >>>
> >>> rule:
> >>> sjs/ACCEPT    $FW    $L3    tcp    0    0
> >>>
> >>> macro sjs:
> >>> PARAM    -    -    tcp    22    10
> >>>
> >>> generates iptables-rule:
> >>> -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT
> >>
> >> Revision 6183 should fix it.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > I have just tried revision 6184. It now generates an iptables rule
> > without either a source or destination port:
> >
> > -A fw2lan -p 6 -d 192.168.0.3 -j ACCEPT
>
> Port 0 is equivalent to Port 'any' in Netfilter/Iptables.
>
> -Tom

Tom

I have just tried the following:

rule:
DROP    lan    $FW    tcp    22

drops port 22

rule:
DROP    lan    $FW    tcp    0

does not drop port 22.

If I have understood your comment correctly, then the second rule should have
dropped port 22.

Am I missing something here?

Steven.
Steven Jan Springl wrote:
> On Tuesday 01 May 2007 22:49, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Tuesday 01 May 2007 22:24, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> When a rule that specifies source port 0 or destination port 0 calls a
>>>>> macro the source port and destination ports in the macro are not
>>>>> overridden. E.G.
>>>>>
>>>>> rule:
>>>>> sjs/ACCEPT    $FW    $L3    tcp    0    0
>>>>>
>>>>> macro sjs:
>>>>> PARAM    -    -    tcp    22    10
>>>>>
>>>>> generates iptables-rule:
>>>>> -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT
>>>> Revision 6183 should fix it.
>>>>
>>>> Thanks, Steven
>>>>
>>>> -Tom
>>> Tom
>>>
>>> I have just tried revision 6184. It now generates an iptables rule
>>> without either a source or destination port:
>>>
>>> -A fw2lan -p 6 -d 192.168.0.3 -j ACCEPT
>> Port 0 is equivalent to Port 'any' in Netfilter/Iptables.
>>
>> -Tom
> Tom
>
> I have just tried the following:
>
> rule:
> DROP    lan    $FW    tcp    22
>
> drops port 22
>
> rule:
> DROP    lan    $FW    tcp    0
>
> does not drop port 22.
>
> If I have understood your comment correctly, then the second rule should have
> dropped port 22.
>
> Am I missing something here?

No -- I was (my mind).

Try 6185.

Thanks,
-Tom
On Wednesday 02 May 2007 00:10, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Tuesday 01 May 2007 22:49, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Tuesday 01 May 2007 22:24, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> When a rule that specifies source port 0 or destination port 0 calls
> >>>>> a macro the source port and destination ports in the macro are not
> >>>>> overridden. E.G.
> >>>>>
> >>>>> rule:
> >>>>> sjs/ACCEPT    $FW    $L3    tcp    0    0
> >>>>>
> >>>>> macro sjs:
> >>>>> PARAM    -    -    tcp    22    10
> >>>>>
> >>>>> generates iptables-rule:
> >>>>> -A fw2lan -p 6 --dport 22 --sport 100 -d 192.168.0.3 -j ACCEPT
> >>>>
> >>>> Revision 6183 should fix it.
> >>>>
> >>>> Thanks, Steven
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> I have just tried revision 6184. It now generates an iptables rule
> >>> without either a source or destination port:
> >>>
> >>> -A fw2lan -p 6 -d 192.168.0.3 -j ACCEPT
> >>
> >> Port 0 is equivalent to Port 'any' in Netfilter/Iptables.
> >>
> >> -Tom
> >
> > Tom
> >
> > I have just tried the following:
> >
> > rule:
> > DROP    lan    $FW    tcp    22
> >
> > drops port 22
> >
> > rule:
> > DROP    lan    $FW    tcp    0
> >
> > does not drop port 22.
> >
> > If I have understood your comment correctly, then the second rule should have
> > dropped port 22.
> >
> > Am I missing something here?
>
> No -- I was (my mind).
>
> Try 6185.
>
> Thanks,
> -Tom

Tom

It works now.

Steven.
Tom

When rule:

sjs/ACCEPT    $FW    $L3    tcp    1    0    -    -    0:0

calls macro:

PARAM    -    -    tcp    22    100

the following iptables rule is generated:

-A fw2lan -p 6 --dport 1 -sport 0 -m owner -d 192.168.0.3 -j accept

which produces the following error:

iptables-restore v1.3.6: OWNER match: You must specify one or more options

Steven.
Steven Jan Springl wrote:
> Tom
>
> When rule:
>
> sjs/ACCEPT    $FW    $L3    tcp    1    0    -    -    0:0
>
> calls macro:
>
> PARAM    -    -    tcp    22    100
>
> the following iptables rule is generated:
>
> -A fw2lan -p 6 --dport 1 -sport 0 -m owner -d 192.168.0.3 -j accept
>
> which produces the following error:
>
> iptables-restore v1.3.6: OWNER match: You must specify one or more options

Steven,

Revision 6188 should fix this.

-Tom
On Wednesday 02 May 2007 01:34, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When rule:
> >
> > sjs/ACCEPT    $FW    $L3    tcp    1    0    -    -    0:0
> >
> > calls macro:
> >
> > PARAM    -    -    tcp    22    100
> >
> > the following iptables rule is generated:
> >
> > -A fw2lan -p 6 --dport 1 -sport 0 -m owner -d 192.168.0.3 -j accept
> >
> > which produces the following error:
> >
> > iptables-restore v1.3.6: OWNER match: You must specify one or more
> > options
>
> Steven,
>
> Revision 6188 should fix this.
>
> -Tom

Tom

It's working.

Steven.
Tom

Rule:

LOG:warn    lan:192.168.0.3    $FW    udp    123,245:1000,2333,10000:15000    1000:10000,20000,25000:30000

when compiled with shorewall-shell generates:

+ /sbin/iptables -A lan2fw -p udp -m multiport -s 192.168.0.3 --sports 1000:10000,20000,25000:30000 --dports 123,245:1000,2333,10000:15000 --match limit --limit 10/second --limit-burst 10 -j LOG --log-level warn --log-prefix Shorewall:lan2fw:LOG:

which produces the following error:

iptables v1.3.6: multiport can only have one option

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> LOG:warn    lan:192.168.0.3    $FW    udp    123,245:1000,2333,10000:15000
> 1000:10000,20000,25000:30000
>
> when compiled with shorewall-shell generates:
>
> + /sbin/iptables -A lan2fw -p udp -m multiport -s 192.168.0.3 --sports
> 1000:10000,20000,25000:30000 --dports 123,245:1000,2333,10000:15000 --match
> limit --limit 10/second --limit-burst 10 -j LOG --log-level warn --log-prefix
> Shorewall:lan2fw:LOG:
>
> which produces the following error:
>
> iptables v1.3.6: multiport can only have one option

I probably won't change this in Shorewall-shell since it is "day one"
behavior -- I would have to fix it in a dozen different places. This is an
example of why I felt that I had to rewrite the compiler; the shell-based
compiler is just getting too hard to maintain.

-Tom
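The two generator facts that come up repeatedly in this thread (a single "-m multiport" instance accepts only one of --sports/--dports, so a rule with lists in both columns needs two instances and therefore repeat-match support; and port 0, like "-", means "any" and must produce no port match at all) can be captured in a small renderer. The code below is an added example written for this page, not Shorewall's own compiler code; the function names, the repeat_match flag and the sample rules are this example's own. It emits the plain --sport/--dport options before any "-m multiport" instance, so that a multiport instance cannot claim "--sport" as an abbreviation of its own "--sports", which is the shape of the failure in the REDIRECT report above.

```python
"""Added example (not Shorewall code): render the iptables port-match tokens
for a Shorewall-style DEST PORT / SOURCE PORT column pair.

Modelled behaviours, both from the thread:
  * one '-m multiport' instance takes only ONE of --sports/--dports/--ports
    ("multiport can only have one option"); two lists need two instances,
    which needs iptables/netfilter repeat-match support;
  * port 0 (and '-') means 'any': no port match is emitted.
"""
from typing import List


class MultiportError(ValueError):
    """The rule cannot be expressed without repeat-match support."""


def is_any_port(spec: str) -> bool:
    """'-', empty and 0 all mean 'no port restriction'."""
    return spec.strip() in ("", "-", "0")


def needs_multiport(spec: str) -> bool:
    """A comma-separated list needs the multiport match; a single port or a
    single range fits the protocol's own --sport/--dport option."""
    return "," in spec


def port_match(dports: str, sports: str = "-", repeat_match: bool = True) -> List[str]:
    """Return the iptables tokens for the two port columns."""
    plain: List[str] = []   # --dport / --sport of the tcp/udp match
    multi: List[str] = []   # one '-m multiport' instance per port list
    for opt_single, opt_list, spec in (("--dport", "--dports", dports),
                                       ("--sport", "--sports", sports)):
        if is_any_port(spec):
            continue
        if needs_multiport(spec):
            multi += ["-m", "multiport", opt_list, spec]
        else:
            plain += [opt_single, spec]
    # Two lists mean two multiport instances; without repeat-match support an
    # old iptables rejects the second option, so refuse at compile time instead
    # of letting iptables-restore fail half-way through loading the ruleset.
    if multi.count("multiport") > 1 and not repeat_match:
        raise MultiportError(
            "multiport can only have one option: this rule needs both "
            "--dports and --sports, which requires repeat-match support")
    # Plain options first: they are parsed by the protocol match and never
    # land inside a multiport instance (where '--sport' would be taken as an
    # abbreviation of multiport's '--sports').
    return plain + multi


def render_rule(chain: str, proto: str, dports: str, sports: str, target: str,
                repeat_match: bool = True) -> str:
    """Assemble an iptables-restore style rule line."""
    tokens = ["-A", chain, "-p", proto]
    tokens += port_match(dports, sports, repeat_match)
    tokens += ["-j", target]
    return " ".join(tokens)


if __name__ == "__main__":
    # Constructed inputs modelled on the rules reported in the thread.
    print(render_rule("lan2fw", "udp", "123,245:1000,2333,10000:15000",
                      "1000:10000,20000,25000:30000", "DROP"))
    print(render_rule("lan_dnat", "tcp", "10,200", "1000:10000", "REDIRECT"))
    print(render_rule("lan2fw", "tcp", "0", "0", "DROP"))   # port 0 = any
    try:
        render_rule("lan2fw", "udp", "123,2333", "20000,25000", "DROP",
                    repeat_match=False)
    except MultiportError as exc:
        print("rejected:", exc)
```

Refusing the rule at compile time rather than letting iptables-restore fail is the defender-relevant part: a ruleset that aborts part-way through loading can leave the firewall in whatever state the earlier lines produced.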
Tom

A couple of issues with log tag.

Rule:

ACCEPT:warn:mail    $FW    lan:192.168.0.3    tcp    25

generates iptables rule:

-A fw2lan -p 6 --dport 25 -d 192.168.0.3 -j LOG --log-level 4 --log-prefix "Shorewall:mail:ACCEPT:"

The documentation states that log tag is appended to the end of LOGPREFIX
which should give --log-prefix:

"Shorewall:fw2lan:ACCEPT:mail:"

The second issue.

The log level is passed to macros but the log tag is not.

rule:

sjs/ACCEPT:warn:test    $FW    lan:192.168.0.3

macro sjs:

PARAM    -    -    tcp    22

generates rule:

-A fw2lan -p 6 --dport 22 -d 192.168.0.3 -j LOG --log-level 4 --log-prefix "Shorewall:fw2lan:ACCEPT:"

If the rule is changed (! is added) to:

sjs/ACCEPT:warn!:test    $FW    $L3

then the log tag is passed to macros.

Steven.
Steven Jan Springl wrote:
> Tom
>
> A couple of issues with log tag.
>
> Rule:
>
> ACCEPT:warn:mail    $FW    lan:192.168.0.3    tcp    25
>
> generates iptables rule:
>
> -A fw2lan -p 6 --dport 25 -d 192.168.0.3 -j LOG --log-level
> 4 --log-prefix "Shorewall:mail:ACCEPT:"
>
> The documentation states that log tag is appended to the end of LOGPREFIX
> which should give --log-prefix:
>
> "Shorewall:fw2lan:ACCEPT:mail:"

I'm not seeing that here:

-A fw2lan -p 6 --dport 25 -d 192.168.0.3 -j LOG --log-level 4 --log-prefix "Shorewall:fw2lan:ACCEPT:mail "

> The second issue.
>
> The log level is passed to macros but the log tag is not.
>
> rule:
>
> sjs/ACCEPT:warn:test    $FW    lan:192.168.0.3
>
> macro sjs:
>
> PARAM    -    -    tcp    22
>
> generates rule:
>
> -A fw2lan -p 6 --dport 22 -d 192.168.0.3 -j LOG --log-level
> 4 --log-prefix "Shorewall:fw2lan:ACCEPT:"
>
> If the rule is changed (! is added) to:
>
> sjs/ACCEPT:warn!:test    $FW    $L3
>
> then the log tag is passed to macros.

Fixed in revision 6191.

-Tom
On Wednesday 02 May 2007 16:40, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > A couple of issues with log tag.
> >
> > Rule:
> >
> > ACCEPT:warn:mail    $FW    lan:192.168.0.3    tcp    25
> >
> > generates iptables rule:
> >
> > -A fw2lan -p 6 --dport 25 -d 192.168.0.3 -j LOG --log-level
> > 4 --log-prefix "Shorewall:mail:ACCEPT:"
> >
> > The documentation states that log tag is appended to the end of LOGPREFIX
> > which should give --log-prefix:
> >
> > "Shorewall:fw2lan:ACCEPT:mail:"
>
> I'm not seeing that here:
>
> -A fw2lan -p 6 --dport 25 -d 192.168.0.3 -j LOG --log-level 4 --log-prefix
> "Shorewall:fw2lan:ACCEPT:mail "
>
> > The second issue.
> >
> > The log level is passed to macros but the log tag is not.
> >
> > rule:
> >
> > sjs/ACCEPT:warn:test    $FW    lan:192.168.0.3
> >
> > macro sjs:
> >
> > PARAM    -    -    tcp    22
> >
> > generates rule:
> >
> > -A fw2lan -p 6 --dport 22 -d 192.168.0.3 -j LOG --log-level
> > 4 --log-prefix "Shorewall:fw2lan:ACCEPT:"
> >
> > If the rule is changed (! is added) to:
> >
> > sjs/ACCEPT:warn!:test    $FW    $L3
> >
> > then the log tag is passed to macros.
>
> Fixed in revision 6191.
>
> -Tom

Tom

I am sorry for wasting your time. The first issue was caused by
LOGTAGONLY=Yes in shorewall.conf.

In my defence, I had read the shorewall.conf man page, but LOGTAGONLY is not
listed.

Steven.
Steven Jan Springl wrote:
>
> In my defence, I had read the shorewall.conf man page, but
> LOGTAGONLY is not listed.
>

I've updated the man page.

Thanks, Steven

-Tom
Tom

Would it be worth adding DEST to the list of reserved zone names.

When DEST is used in a rule it behaves like any other zone name, but in a
macro it has special significance. This might lead to confusion for some
users.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Would it be worth adding DEST to the list of reserved zone names.
>
> When DEST is used in a rule it behaves like any other zone name, but in a
> macro it has special significance. This might lead to confusion for some
> users.

Good idea -- SOURCE also.

-Tom
On Wednesday 02 May 2007 19:42, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Would it be worth adding DEST to the list of reserved zone names.
> >
> > When DEST is used in a rule it behaves like any other zone name, but in a
> > macro it has special significance. This might lead to confusion for some
> > users.
>
> Good idea -- SOURCE also.
>
> -Tom

Tom

SOURCE is too long and gets rejected anyway.

Steven.
Steven Jan Springl wrote:
> On Wednesday 02 May 2007 19:42, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Would it be worth adding DEST to the list of reserved zone names.
>>>
>>> When DEST is used in a rule it behaves like any other zone name, but in a
>>> macro it has special significance. This might lead to confusion for some
>>> users.
>> Good idea -- SOURCE also.
>>
>> -Tom
> Tom
>
> SOURCE is too long and gets rejected anyway.
>

The maximum zone name length is dependent on LOGFORMAT.

Change is in rev 6197 (Shorewall-perl).

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Wednesday 02 May 2007 19:42, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Would it be worth adding DEST to the list of reserved zone names.
>>>>
>>>> When DEST is used in a rule it behaves like any other zone name, but in a
>>>> macro it has special significance. This might lead to confusion for some
>>>> users.
>>> Good idea -- SOURCE also.
>>>
>>> -Tom
>> Tom
>>
>> SOURCE is too long and gets rejected anyway.
>>
>
> The maximum zone name length is dependent on LOGFORMAT.
>
> Change is in rev 6197 (Shorewall-perl).

And in 6198 for shorewall-shell.

-Tom
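An added illustration of why the zone-name limit follows from LOGFORMAT. This is example code written for this page, not Shorewall's own; it assumes that iptables caps --log-prefix at 29 characters, that the default LOGFORMAT is "Shorewall:%s:%s:", and that the two %s receive the <src>2<dst> chain name (as in the lan2fw chain seen later in this thread) and the disposition. Under those assumptions the longest two-zone prefix with REJECT only fits when each zone name is at most 5 characters, which is consistent with a six-character name like SOURCE being rejected:

```python
# Added illustration, not Shorewall code. Assumptions: iptables LOG accepts a
# --log-prefix of at most 29 characters; LOGFORMAT gets the chain name
# (<src>2<dst>) and the disposition substituted for its two %s.
IPTABLES_LOG_PREFIX_MAX = 29
DEFAULT_LOGFORMAT = "Shorewall:%s:%s:"          # assumed default LOGFORMAT
DISPOSITIONS = ("ACCEPT", "DROP", "REJECT")


def log_prefix(logformat: str, src_zone: str, dst_zone: str, disposition: str) -> str:
    """Build the --log-prefix for a zone-to-zone chain as LOGFORMAT describes it."""
    chain = f"{src_zone}2{dst_zone}"
    return logformat % (chain, disposition)


def prefix_fits(logformat: str, src_zone: str, dst_zone: str, disposition: str) -> bool:
    """True if the resulting prefix would not be truncated by iptables."""
    return len(log_prefix(logformat, src_zone, dst_zone, disposition)) <= IPTABLES_LOG_PREFIX_MAX


def max_zone_name_length(logformat: str = DEFAULT_LOGFORMAT) -> int:
    """Largest n such that two n-character zone names still fit together with
    the longest disposition. Bounded search, so a LOGFORMAT without room for
    any zone name returns 0 instead of looping."""
    longest = max(DISPOSITIONS, key=len)
    n = 0
    while n < IPTABLES_LOG_PREFIX_MAX and prefix_fits(logformat, "z" * (n + 1), "z" * (n + 1), longest):
        n += 1
    return n


def oversized_prefixes(logformat: str, zones):
    """Every (src, dst, disposition) whose log prefix would exceed the limit,
    so a configuration can be checked before it is compiled."""
    bad = []
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            for disp in DISPOSITIONS:
                if not prefix_fits(logformat, src, dst, disp):
                    bad.append((src, dst, disp))
    return bad


if __name__ == "__main__":
    print(log_prefix(DEFAULT_LOGFORMAT, "lan", "fw", "DROP"))
    print("max zone name length:", max_zone_name_length())
    # Constructed zone list; vpnusers and SOURCE are deliberately too long.
    print(oversized_prefixes(DEFAULT_LOGFORMAT, ["lan", "fw", "SOURCE", "vpnusers"]))
```

The same function shows how a shorter LOGFORMAT buys longer zone names: with "%s:%s:" the limit rises to 10 characters, which is the dependency the reply above refers to.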
Tom

Creating an action (sjsact) that branches to itself:

sjsact eth0 eth0

when compiled with shorewall-perl generates iptables rule:

-A sjsact -i eth0 -o eth0 -j sjsact

and produces error message:

iptables: loop hook 1 pos ....

However when compiled with shorewall-shell, no rule is generated and no message produced.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Creating an action (sjsact) that branches to itself:
>
> sjsact eth0 eth0
>
> when compiled with shorewall-perl generates iptables rule:
>
> -A sjsact -i eth0 -o eth0 -j sjsact
>
> and produces error message:
>
> iptables: loop hook 1 pos ....

Fixed in revision 6199.

> However when compiled with shorewall-shell, no rule is generated and no
> message produced.
>

When I try this, I get an error message:

/etc/shorewall/actions

tme

/etc/shorewall/actions.tme

tme eth0 eth0

teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
Checking...
   WARNING: Invalid option (optional) in record "lan eth0 - blacklist,maclist,optional,detectnets"
   ERROR: Invalid TARGET in rule "tme eth0 eth0 "
Terminated
teastep@wookie:~/Springl/shorewall$

-Tom
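An added example (not Shorewall code) of the check that catches a self-referencing action at compile time, before iptables refuses the ruleset with "loop hook": it parses the first column of action-file lines into jump targets and runs a depth-first search for cycles in the resulting action graph, including the indirect case where action A jumps to B and B back to A. The builtin target list, the COMMENT handling and the sample action files are assumptions made for the example.

```python
# Added example, not Shorewall code: detect an action that (directly or via
# other actions) jumps back to itself, which would otherwise be emitted as
# "-j sjsact" inside chain sjsact and rejected by iptables with "loop hook".
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "CONTINUE", "QUEUE", "NFQUEUE"}
NON_RULES = {"COMMENT"}          # directives that are not jumps (assumption)


def parse_targets(rule_lines):
    """First column of each action-file line, with any :level suffix removed."""
    targets = []
    for line in rule_lines:
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        target = line.split()[0].split(":", 1)[0]    # "LOG:warn" -> "LOG"
        if target not in NON_RULES:
            targets.append(target)
    return targets


def find_action_loop(actions):
    """actions: {action name: [rule lines]} (constructed for the example).
    Returns the cycle as a list of action names ending where it started, or
    None if the jump graph is acyclic. Raises ValueError for a jump to an
    action that is not defined (the "Invalid TARGET" case)."""
    graph = {name: [t for t in parse_targets(lines) if t not in BUILTIN_TARGETS]
             for name, lines in actions.items()}
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}

    def visit(node, path):
        colour[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if nxt not in graph:
                raise ValueError(f"{node}: jump to undefined action {nxt!r}")
            if colour[nxt] == GREY:                  # back edge: cycle found
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                cycle = visit(nxt, path)
                if cycle:
                    return cycle
        path.pop()
        colour[node] = BLACK
        return None

    for name in graph:
        if colour[name] == WHITE:
            cycle = visit(name, [])
            if cycle:
                return cycle
    return None


# Constructed action files mirroring the report: sjsact jumps to itself,
# while "safe" only uses builtin targets.
SAMPLE_ACTIONS = {
    "sjsact": ["sjsact eth0 eth0"],
    "safe": ["LOG:info eth0 eth0:192.168.0.3", "DROP eth0 eth0"],
}

if __name__ == "__main__":
    print(find_action_loop(SAMPLE_ACTIONS))
```

Running the check on SAMPLE_ACTIONS reports the cycle ["sjsact", "sjsact"]; a ruleset whose actions only chain forward to builtin targets returns None.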
On Wednesday 02 May 2007 22:25, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Creating an action (sjsact) that branches to itself:
> >
> > sjsact eth0 eth0
> >
> > when compiled with shorewall-perl generates iptables rule:
> >
> > -A sjsact -i eth0 -o eth0 -j sjsact
> >
> > and produces error message:
> >
> > iptables: loop hook 1 pos ....
>
> Fixed in revision 6199.
>
> > However when compiled with shorewall-shell, no rule is generated and no
> > message produced.
>
> When I try this, I get an error message:
>
> /etc/shorewall/actions
>
> tme
>
> /etc/shorewall/actions.tme
>
> tme eth0 eth0
>
> teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
> Checking...
> WARNING: Invalid option (optional) in record "lan eth0 -
> blacklist,maclist,optional,detectnets"
> ERROR: Invalid TARGET in rule "tme eth0 eth0 "
> Terminated
> teastep@wookie:~/Springl/shorewall$
>
> -Tom

Tom

Remove detectnets from interface eth0 and try compiling it with shorewall-shell again.

Steven.
Tom Eastep wrote:
> Steven Jan Springl wrote:
>
>> However when compiled with shorewall-shell, no rule is generated and no
>> message produced.
>>
>
> When I try this, I get an error message:
>
> /etc/shorewall/actions
>
> tme
>
> /etc/shorewall/actions.tme
>
> tme eth0 eth0
>
> teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
> Checking...
> WARNING: Invalid option (optional) in record "lan eth0 -
> blacklist,maclist,optional,detectnets"
> ERROR: Invalid TARGET in rule "tme eth0 eth0 "
> Terminated
> teastep@wookie:~/Springl/shorewall$
>

In revision 6200, I restructured the code to be more like the Shell version. It now produces a similar error:

teastep@wookie:~/Springl/shorewall$ shorewall check .
Checking...
   WARNING: *** lan is an EMPTY ZONE ***
   ERROR: Invalid TARGET (tme) : /home/teastep/Springl/shorewall/action.tme ( line 1 )
teastep@wookie:~/Springl/shorewall$

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>
>>> However when compiled with shorewall-shell, no rule is generated and no
>>> message produced.
>>>
>> When I try this, I get an error message:
>>
>> /etc/shorewall/actions
>>
>> tme
>>
>> /etc/shorewall/actions.tme
>>
>> tme eth0 eth0
>>
>> teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
>> Checking...
>> WARNING: Invalid option (optional) in record "lan eth0 -
>> blacklist,maclist,optional,detectnets"
>> ERROR: Invalid TARGET in rule "tme eth0 eth0 "
>> Terminated
>> teastep@wookie:~/Springl/shorewall$
>>
>>
>
> In revision 6200, I restructured the code to be more like the Shell version.
> It now produces a similar error:
>
> teastep@wookie:~/Springl/shorewall$ shorewall check .
> Checking...
> WARNING: *** lan is an EMPTY ZONE ***
> ERROR: Invalid TARGET (tme) : /home/teastep/Springl/shorewall/action.tme
> ( line 1 )
> teastep@wookie:~/Springl/shorewall$
>

I reverted the code due to other problems.

-Tom
Steven Jan Springl wrote:
>>
>>> However when compiled with shorewall-shell, no rule is generated and no
>>> message produced.
>> When I try this, I get an error message:
>>
>> /etc/shorewall/actions
>>
>> tme
>>
>> /etc/shorewall/actions.tme
>>
>> tme eth0 eth0
>>
>> teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
>> Checking...
>> WARNING: Invalid option (optional) in record "lan eth0 -
>> blacklist,maclist,optional,detectnets"
>> ERROR: Invalid TARGET in rule "tme eth0 eth0 "
>> Terminated
>> teastep@wookie:~/Springl/shorewall$
>>
>> -Tom
> Tom
>
> Remove detectnets from interface eth0 and try compiling it with
> shorewall-shell again.

Same result.

-Tom
On Wednesday 02 May 2007 23:00, Tom Eastep wrote:
> Steven Jan Springl wrote:
> >>> However when compiled with shorewall-shell, no rule is generated and no
> >>> message produced.
> >>
> >> When I try this, I get an error message:
> >>
> >> /etc/shorewall/actions
> >>
> >> tme
> >>
> >> /etc/shorewall/actions.tme
> >>
> >> tme eth0 eth0
> >>
> >> teastep@wookie:~/Springl/shorewall$ shorewall check -C shell .
> >> Checking...
> >> WARNING: Invalid option (optional) in record "lan eth0 -
> >> blacklist,maclist,optional,detectnets"
> >> ERROR: Invalid TARGET in rule "tme eth0 eth0 "
> >> Terminated
> >> teastep@wookie:~/Springl/shorewall$
> >>
> >> -Tom
> >
> > Tom
> >
> > Remove detectnets from interface eth0 and try compiling it with
> > shorewall-shell again.
>
> Same result.
>
> -Tom

Tom

Sorry, more time wasting. I hadn't hit return at the end of the line in action.sjsact. Shorewall-perl accepted the line, but shorewall-shell ignored the line.

Steven.
Tom

Action sjsact:

ACCEPT eth0 eth0:192.168.0.3

When it's compiled with shorewall-perl the following iptables rule is generated:

-A sjsact -i eth0 -o eth0 -d 192.168.0.3 -j ACCEPT

when the action is compiled with shorewall-shell the following iptables rule is generated:

-A sjsact -p all -i eth0 -d eth0:192.168.0.3 -j ACCEPT

which produces the error message:

iptables v1.3.6: host/network "eth0:192.168.0.3" not found

Steven.
Steven Jan Springl wrote:
> Tom
>
> Action sjsact:
>
> ACCEPT eth0 eth0:192.168.0.3
>
> When it's compiled with shorewall-perl the following iptables rule is
> generated:
>
> -A sjsact -i eth0 -o eth0 -d 192.168.0.3 -j ACCEPT
>
> when the action is compiled with shorewall-shell the following iptables rule
> is generated:
>
> -A sjsact -p all -i eth0 -d eth0:192.168.0.3 -j ACCEPT
>
> which produces the error message:
>
> iptables v1.3.6: host/network "eth0:192.168.0.3" not found

Steve,

Please see if 6202 doesn't fix the problem.

-Tom
On Thursday 03 May 2007 01:12, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Action sjsact:
> >
> > ACCEPT eth0 eth0:192.168.0.3
> >
> > When it's compiled with shorewall-perl the following iptables rule is
> > generated:
> >
> > -A sjsact -i eth0 -o eth0 -d 192.168.0.3 -j ACCEPT
> >
> > when the action is compiled with shorewall-shell the following iptables
> > rule is generated:
> >
> > -A sjsact -p all -i eth0 -d eth0:192.168.0.3 -j ACCEPT
> >
> > which produces the error message:
> >
> > iptables v1.3.6: host/network "eth0:192.168.0.3" not found
>
> Steve,
>
> Please see if 6202 doesn't fix the problem.
>
> -Tom

Tom

I now get the following error:

ERROR: Invalid comma-separated list "-o eth0 -d 192.168.0.3"

/sbin/shorewall: line 310: 19372 Terminated $command $SHOREWALL_SHELL $sc $@

Steven.
Steven Jan Springl wrote:
> On Thursday 03 May 2007 01:12, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Action sjsact:
>>>
>>> ACCEPT eth0 eth0:192.168.0.3
>>>
>>> When it's compiled with shorewall-perl the following iptables rule is
>>> generated:
>>>
>>> -A sjsact -i eth0 -o eth0 -d 192.168.0.3 -j ACCEPT
>>>
>>> when the action is compiled with shorewall-shell the following iptables
>>> rule is generated:
>>>
>>> -A sjsact -p all -i eth0 -d eth0:192.168.0.3 -j ACCEPT
>>>
>>> which produces the error message:
>>>
>>> iptables v1.3.6: host/network "eth0:192.168.0.3" not found
>> Steve,
>>
>> Please see if 6202 doesn't fix the problem.
>>
>> -Tom
> Tom
>
> I now get the following error:
>
> ERROR: Invalid comma-separated list "-o eth0 -d 192.168.0.3"
>
> /sbin/shorewall: line 310: 19372 Terminated $command
> $SHOREWALL_SHELL $sc $@
>

Steve,

Please try revision 6203.

Thanks,
-Tom
On Thursday 03 May 2007 01:33, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 03 May 2007 01:12, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Action sjsact:
> >>>
> >>> ACCEPT eth0 eth0:192.168.0.3
> >>>
> >>> When it's compiled with shorewall-perl the following iptables rule is
> >>> generated:
> >>>
> >>> -A sjsact -i eth0 -o eth0 -d 192.168.0.3 -j ACCEPT
> >>>
> >>> when the action is compiled with shorewall-shell the following iptables
> >>> rule is generated:
> >>>
> >>> -A sjsact -p all -i eth0 -d eth0:192.168.0.3 -j ACCEPT
> >>>
> >>> which produces the error message:
> >>>
> >>> iptables v1.3.6: host/network "eth0:192.168.0.3" not found
> >>
> >> Steve,
> >>
> >> Please see if 6202 doesn't fix the problem.
> >>
> >> -Tom
> >
> > Tom
> >
> > I now get the following error:
> >
> > ERROR: Invalid comma-separated list "-o eth0 -d 192.168.0.3"
> >
> > /sbin/shorewall: line 310: 19372 Terminated $command
> > $SHOREWALL_SHELL $sc $@
>
> Steve,
>
> Please try revision 6203.
>
> Thanks,
> -Tom

Tom

It works now.

Steven.
Tom

Action:

LOG:warn eth0 eth0:192.168.0.3

when compiled with shorewall-perl produces the following error:

Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line 414, <$currentfile> line 5.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Action:
>
> LOG:warn eth0 eth0:192.168.0.3
>
> when compiled with shorewall-perl produces the following error:
>
> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line 414,
> <$currentfile> line 5.

Should be fixed in revision 6205.

Thanks, Steven

-Tom
On Thursday 03 May 2007 02:00, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Action:
> >
> > LOG:warn eth0 eth0:192.168.0.3
> >
> > when compiled with shorewall-perl produces the following error:
> >
> > Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
> > 414, <$currentfile> line 5.
>
> Should be fixed in revision 6205.
>
> Thanks, Steven
>
> -Tom

Tom

Yes, it's fixed.

However if the logging level is missed off:

LOG eth0 eth0:192.168.0.3

the following message is produced:

iptables-restore v1.3.6: Couldn't load target `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file: No such file or directory

Compiling it with shorewall-shell works.

I will look at this again tomorrow, I am off to bed.

Steven.
Steven Jan Springl wrote:
> On Thursday 03 May 2007 02:00, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Action:
>>>
>>> LOG:warn eth0 eth0:192.168.0.3
>>>
>>> when compiled with shorewall-perl produces the following error:
>>>
>>> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
>>> 414, <$currentfile> line 5.
>> Should be fixed in revision 6205.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> Yes, it's fixed.
>
> However if the logging level is missed off:
>
> LOG eth0 eth0:192.168.0.3
>
> the following message is produced:
>
> iptables-restore v1.3.6: Couldn't load target
> `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file: No
> such file or directory
>
>
> Compiling it with shorewall-shell works.
>
> I will look at this again tomorrow, I am off to bed.

Revision 6206 should produce a compilation error message.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Thursday 03 May 2007 02:00, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Action:
>>>>
>>>> LOG:warn eth0 eth0:192.168.0.3
>>>>
>>>> when compiled with shorewall-perl produces the following error:
>>>>
>>>> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
>>>> 414, <$currentfile> line 5.
>>> Should be fixed in revision 6205.
>>>
>>> Thanks, Steven
>>>
>>> -Tom
>> Tom
>>
>> Yes, it's fixed.
>>
>> However if the logging level is missed off:
>>
>> LOG eth0 eth0:192.168.0.3
>>
>> the following message is produced:
>>
>> iptables-restore v1.3.6: Couldn't load target
>> `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file: No
>> such file or directory
>>
>>
>> Compiling it with shorewall-shell works.
>>
>> I will look at this again tomorrow, I am off to bed.
>
> Revision 6206 should produce a compilation error message.
>

But shorewall-shell produces grotesque failures...

shift: 1: can't shift that many
   ERROR: Undefined Server Zone in rule " fw lan "
Terminated
teastep@tipper:~/Springl/shorewall$

-Tom
On Thursday 03 May 2007 03:08, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 03 May 2007 02:00, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Action:
> >>>
> >>> LOG:warn eth0 eth0:192.168.0.3
> >>>
> >>> when compiled with shorewall-perl produces the following error:
> >>>
> >>> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
> >>> 414, <$currentfile> line 5.
> >>
> >> Should be fixed in revision 6205.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > Yes, it's fixed.
> >
> > However if the logging level is missed off:
> >
> > LOG eth0 eth0:192.168.0.3
> >
> > the following message is produced:
> >
> > iptables-restore v1.3.6: Couldn't load target
> > `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file:
> > No such file or directory
> >
> >
> > Compiling it with shorewall-shell works.
> >
> > I will look at this again tomorrow, I am off to bed.
>
> Revision 6206 should produce a compilation error message.
>
> -Tom

Tom

That works.

However, if sjsact is empty or just contains comments, the error message is still produced.

Steven.
On Thursday 03 May 2007 04:09, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> On Thursday 03 May 2007 02:00, Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> Action:
> >>>>
> >>>> LOG:warn eth0 eth0:192.168.0.3
> >>>>
> >>>> when compiled with shorewall-perl produces the following error:
> >>>>
> >>>> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
> >>>> 414, <$currentfile> line 5.
> >>>
> >>> Should be fixed in revision 6205.
> >>>
> >>> Thanks, Steven
> >>>
> >>> -Tom
> >>
> >> Tom
> >>
> >> Yes, it's fixed.
> >>
> >> However if the logging level is missed off:
> >>
> >> LOG eth0 eth0:192.168.0.3
> >>
> >> the following message is produced:
> >>
> >> iptables-restore v1.3.6: Couldn't load target
> >> `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file:
> >> No such file or directory
> >>
> >>
> >> Compiling it with shorewall-shell works.
> >>
> >> I will look at this again tomorrow, I am off to bed.
> >
> > Revision 6206 should produce a compilation error message.
>
> But shorewall-shell produces grotesque failures...
>
> shift: 1: can't shift that many
> ERROR: Undefined Server Zone in rule " fw lan "
> Terminated
> teastep@tipper:~/Springl/shorewall$
>
> -Tom

Tom

I am unable to reproduce this error.

The rule that I tried is:

sjsact fw lan

and the action:

LOG eth0 eth0:192.168.0.3

The message that I get is:

ERROR: log requires log level.

Steven.
Steven Jan Springl wrote:
>
>
> That works.
>
> However, if sjsact is empty or just contains comments, the error message is
> still produced.
>

Good afternoon, Steven

The empty action problem should be fixed in revision 6207.

Thanks,
-Tom
Steven Jan Springl wrote:
> On Thursday 03 May 2007 04:09, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> On Thursday 03 May 2007 02:00, Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> Action:
>>>>>>
>>>>>> LOG:warn eth0 eth0:192.168.0.3
>>>>>>
>>>>>> when compiled with shorewall-perl produces the following error:
>>>>>>
>>>>>> Internal Error at /usr/share/shorewall-perl/Shorewall/Actions.pm line
>>>>>> 414, <$currentfile> line 5.
>>>>> Should be fixed in revision 6205.
>>>>>
>>>>> Thanks, Steven
>>>>>
>>>>> -Tom
>>>> Tom
>>>>
>>>> Yes, it's fixed.
>>>>
>>>> However if the logging level is missed off:
>>>>
>>>> LOG eth0 eth0:192.168.0.3
>>>>
>>>> the following message is produced:
>>>>
>>>> iptables-restore v1.3.6: Couldn't load target
>>>> `sjsact':/lib/iptables/libipt_sjsact.so: cannot open shared object file:
>>>> No such file or directory
>>>>
>>>>
>>>> Compiling it with shorewall-shell works.
>>>>
>>>> I will look at this again tomorrow, I am off to bed.
>>> Revision 6206 should produce a compilation error message.
>> But shorewall-shell produces grotesque failures...
>>
>> shift: 1: can't shift that many
>> ERROR: Undefined Server Zone in rule " fw lan "
>> Terminated
>> teastep@tipper:~/Springl/shorewall$
>>
>> -Tom
> Tom
>
> I am unable to reproduce this error.
>
> The rule that I tried is:
>
> sjsact fw lan
>
> and the action:
>
> LOG eth0 eth0:192.168.0.3
>
> The message that I get is:
>
> ERROR: log requires log level.

I get the same thing on my desktop; my laptop has a questionable combination of versions installed at the moment.

-Tom
Steven Jan Springl wrote:
> Tom
>
> I am unable to reproduce this error.
>
> The rule that I tried is:
>
> sjsact fw lan
>
> and the action:
>
> LOG eth0 eth0:192.168.0.3
>
> The message that I get is:
>
> ERROR: log requires log level.
>

FYI -- revision 6208 fixes COMMENT in action files.

Steven, we are generating a lot of uninteresting chatter here on the users list. Let's move our interaction to the development list.

Thanks,
-Tom
On Thursday 03 May 2007 15:01, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > That works.
> >
> > However, if sjsact is empty or just contains comments, the error message
> > is still produced.
>
> Good afternoon, Steven
>
> The empty action problem should be fixed in revision 6207.
>
> Thanks,
> -Tom

Good morning Tom.

Yes, that's fixed it.

Steven.
Tom

When the following action is compiled:

COMMENT:warn eth0 eth0:192.168.0.3

the following errors are produced:

Use of uninitialized value in numeric eq (==) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 416, <$currentfile> line 2.

Use of uninitialized value in bitwise and (&) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 417, <$currentfile> line 2.

Use of uninitialized value in numeric eq (==) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile> line 2.

Use of uninitialized value in bitwise and (&) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile> line 2.

Steven.
Steven Jan Springl wrote:
> Tom
>
> When the following action is compiled:
>
> COMMENT:warn eth0 eth0:192.168.0.3
>
> the following errors are produced:
>
> Use of uninitialized value in numeric eq (==)
> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 416, <$currentfile>
> line 2.
>
> Use of uninitialized value in bitwise and (&)
> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 417, <$currentfile>
> line 2.
>
> Use of uninitialized value in numeric eq (==)
> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile>
> line 2.
>
> Use of uninitialized value in bitwise and (&)
> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile>
> line 2.
>

Fixed in revision 6209.

Thanks, Steven.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> When the following action is compiled:
>>
>> COMMENT:warn eth0 eth0:192.168.0.3
>>
>> the following errors are produced:
>>
>> Use of uninitialized value in numeric eq (==)
>> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 416, <$currentfile>
>> line 2.
>>
>> Use of uninitialized value in bitwise and (&)
>> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 417, <$currentfile>
>> line 2.
>>
>> Use of uninitialized value in numeric eq (==)
>> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile>
>> line 2.
>>
>> Use of uninitialized value in bitwise and (&)
>> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 420, <$currentfile>
>> line 2.
>>
>
> Fixed in revision 6209.
>

Revision 6210 makes a similar change to shorewall-shell.

-Tom
Tom

Rule:

DROP lan $FW tcp 25 - - 1

when compiled with shorewall-shell, the following message is produced:

ERROR: Rate Limiting not available with DROP

when compiled with shorewall-perl, the following iptables rule is generated:

-A lan2fw -p 6 --dport 25 -m limit --limit 1 -j DROP

Just out of interest, what would happen to a connection that failed the above rate limit check?

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> DROP lan $FW tcp 25 - - 1
>
> when compiled with shorewall-shell, the following message is produced:
>
> ERROR: Rate Limiting not available with DROP
>
> when compiled with shorewall-perl, the following iptables rule is generated:
>
> -A lan2fw -p 6 --dport 25 -m limit --limit 1 -j DROP

Revision 6215 disallows rate limiting with both DROP and REJECT (in both compilers).

>
> Just out of interest, what would happen to a connection that failed the above
> rate limit check?
>

It is passed on to the next rule.

-Tom
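Tom's answer above (a packet that fails the limit match is passed on to the next rule) is the reason a rate limit on a DROP rule does the opposite of what it looks like: the first packets of a burst are dropped and the excess falls through to whatever rule follows. The simulation below is an added example, not Shorewall or netfilter code. It approximates the `-m limit` token bucket (iptables' default `--limit-burst` of 5) and runs the rule Shorewall-perl generated in the thread, once with the limit on DROP and once with it on ACCEPT. The trailing rule, the chain policy and the packet timestamps are constructed for the illustration.

```python
"""Approximate netfilter's `-m limit` match and run a tiny chain through it.
Added example; not Shorewall or netfilter code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LimitMatch:
    """Token bucket standing in for `-m limit --limit RATE/second --limit-burst BURST`.

    The match succeeds (and spends a token) while tokens remain; otherwise it fails
    and the packet is passed on to the next rule, as described in the thread.
    """
    rate_per_sec: float
    burst: int = 5            # iptables default for --limit-burst
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        # Refill at the configured rate, never above the burst size
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last_seen) * self.rate_per_sec)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# (match, target); a None match means "always matches"
Rule = Tuple[Optional[LimitMatch], str]


def run_chain(rules: List[Rule], packet_times: List[float], policy: str = "DROP") -> List[str]:
    """First-match semantics: the verdict is the target of the first rule whose
    match succeeds; a packet that matches nothing gets the chain policy."""
    verdicts = []
    for t in packet_times:
        verdict = policy
        for match, target in rules:
            if match is None or match.matches(t):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def limit_on_drop(packet_times: List[float]) -> List[str]:
    """The rule from the thread, `... -m limit --limit 1 -j DROP`, followed by a
    constructed ACCEPT rule for the same traffic."""
    return run_chain([(LimitMatch(rate_per_sec=1.0), "DROP"), (None, "ACCEPT")], packet_times)


def limit_on_accept(packet_times: List[float]) -> List[str]:
    """The usual construction: accept within the rate, drop the excess."""
    return run_chain([(LimitMatch(rate_per_sec=1.0), "ACCEPT"), (None, "DROP")], packet_times)


if __name__ == "__main__":
    # Constructed burst: eight packets at once, then one a second later
    burst = [0.0] * 8 + [1.0]
    print("limit on DROP  :", limit_on_drop(burst))
    print("limit on ACCEPT:", limit_on_accept(burst))
```

With eight packets arriving at once, the DROP variant drops the first five and accepts the remaining three, while the ACCEPT variant accepts five and drops three; the token that refills after a second is spent the same way in both. That inversion is what revision 6215 rules out by refusing rate limits on DROP and REJECT.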
Tom

When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a macro and compiled with shorewall-perl they produce messages such as:

ERROR: Invalid Action (DNAT)

DNAT works with shorewall-shell, I haven't tried the others yet.

Steven.
Steven Jan Springl wrote:
> Tom
>
> When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a macro and
> compiled with shorewall-perl they produce messages such as:
>
> ERROR: Invalid Action (DNAT)
>
> DNAT works with shorewall-shell, I haven't tried the others yet.

Should be corrected in revision 6221.

Thanks, Steven.

-Tom
On Thursday 03 May 2007 19:57, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a
> > macro and compiled with shorewall-perl they produce messages such as:
> >
> > ERROR: Invalid Action (DNAT)
> >
> > DNAT works with shorewall-shell, I haven't tried the others yet.
>
> Should be corrected in revision 6221.
>
> Thanks, Steven.
>
> -Tom

Tom

Yes, it works now.

However, when DNAT-, and SAME- are used in a macro and compiled with shorewall-shell, the following messages are produced:

/var/lib/shorewall/.restart: line 873: syntax error near unexpected token `}'
/var/lib/shorewall/.restart: line 873: `}'

Steven.
Steven Jan Springl wrote:
> On Thursday 03 May 2007 19:57, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a
>>> macro and compiled with shorewall-perl they produce messages such as:
>>>
>>> ERROR: Invalid Action (DNAT)
>>>
>>> DNAT works with shorewall-shell, I haven't tried the others yet.
>> Should be corrected in revision 6221.
>>
>> Thanks, Steven.
>>
>> -Tom
> Tom
>
> Yes, it works now.
>
> However, when DNAT-, and SAME- are used in a macro and compiled with
> shorewall-shell, the following messages are produced:
>
> /var/lib/shorewall/.restart: line 873: syntax error near unexpected token `}'
> /var/lib/shorewall/.restart: line 873: `}'

Please send me the .restart file.

Thanks,

-Tom
On Thursday 03 May 2007 21:33, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 03 May 2007 19:57, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a
> >>> macro and compiled with shorewall-perl they produce messages such as:
> >>>
> >>> ERROR: Invalid Action (DNAT)
> >>>
> >>> DNAT works with shorewall-shell, I haven't tried the others yet.
> >>
> >> Should be corrected in revision 6221.
> >>
> >> Thanks, Steven.
> >>
> >> -Tom
> >
> > Tom
> >
> > Yes, it works now.
> >
> > However, when DNAT-, and SAME- are used in a macro and compiled with
> > shorewall-shell, the following messages are produced:
> >
> > /var/lib/shorewall/.restart: line 873: syntax error near unexpected token
> > `}' /var/lib/shorewall/.restart: line 873: `}'
>
> Please send me the .restart file. Thanks,
>
> -Tom

Tom

.restart file attached.

Steven.
Steven Jan Springl wrote:
> On Thursday 03 May 2007 21:33, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Thursday 03 May 2007 19:57, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> When DNAT, DNAT-, SAME, SAME-, REDIRECT, and REDIRECT- are used in a
>>>>> macro and compiled with shorewall-perl they produce messages such as:
>>>>>
>>>>> ERROR: Invalid Action (DNAT)
>>>>>
>>>>> DNAT works with shorewall-shell, I haven't tried the others yet.
>>>> Should be corrected in revision 6221.
>>>>
>>>> Thanks, Steven.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> Yes, it works now.
>>>
>>> However, when DNAT-, and SAME- are used in a macro and compiled with
>>> shorewall-shell, the following messages are produced:
>>>
>>> /var/lib/shorewall/.restart: line 873: syntax error near unexpected token
>>> `}' /var/lib/shorewall/.restart: line 873: `}'
>> Please send me the .restart file. Thanks,
>>
>> -Tom
>
> Tom .restart file attached.

Turns out that the critical factor was not the macro association but the fact that you had DETECT_DNAT_ADDRS=Yes.

Fixed in 6223

-Tom
Tom

Rule:

sjsact/ - -

and action sjsact:

ACCEPT lan lan:192.168.0.3 udp 12345

are allowed by shorewall-shell but shorewall-perl produces the following message:

ERROR: Invalid rules file entry.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> sjsact/ - -
>
> and action sjsact:
>
> ACCEPT lan lan:192.168.0.3 udp 12345
>
> are allowed by shorewall-shell but shorewall-perl produces the following
> message:
>
> ERROR: Invalid rules file entry.

That's actually a bug in shorewall-shell but I don't think I'm going to try to fix it (note that an action. file doesn't permit zone names in the SOURCE or DEST column).

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Rule:
>>
>> sjsact/ - -
>>
>> and action sjsact:
>>
>> ACCEPT lan lan:192.168.0.3 udp 12345
>>
>> are allowed by shorewall-shell but shorewall-perl produces the following
>> message:
>>
>> ERROR: Invalid rules file entry.
>
> That's actually a bug in shorewall-shell but I don't think I'm going to
> try to fix it (note that an action. file doesn't permit zone names in
> the SOURCE or DEST column).

Ah! I suspect that sjsact was a macro not an action. If it is an action, this results:

teastep@tipper:~/Springl/shorewall$ shorewall check -C shell .
Checking...
ERROR: Invalid Action in rule "sjsact - - "
Terminated
teastep@tipper:

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Rule:
>>>
>>> sjsact/ - -
>>>
>>> and action sjsact:
>>>
>>> ACCEPT lan lan:192.168.0.3 udp 12345
>>>
>>> are allowed by shorewall-shell but shorewall-perl produces the following
>>> message:
>>>
>>> ERROR: Invalid rules file entry.
>> That's actually a bug in shorewall-shell but I don't think I'm going to
>> try to fix it (note that an action. file doesn't permit zone names in
>> the SOURCE or DEST column).
>
> Ah! I suspect that sjsact was a macro not an action. If it is an action,
> this results:
>
> teastep@tipper:~/Springl/shorewall$ shorewall check -C shell .
> Checking...
> ERROR: Invalid Action in rule "sjsact - - "
> Terminated
> teastep@tipper:
>

Shorewall-perl now also accepts these rules: revision 6228

Thanks, Steven

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Rule:
>>>>
>>>> sjsact/ - -
>>>>
>>>> and action sjsact:
>>>>
>>>> ACCEPT lan lan:192.168.0.3 udp 12345
>>>>
>>>> are allowed by shorewall-shell but shorewall-perl produces the following
>>>> message:
>>>>
>>>> ERROR: Invalid rules file entry.
>>> That's actually a bug in shorewall-shell but I don't think I'm going to
>>> try to fix it (note that an action. file doesn't permit zone names in
>>> the SOURCE or DEST column).
>> Ah! I suspect that sjsact was a macro not an action. If it is an action,
>> this results:
>>
>> teastep@tipper:~/Springl/shorewall$ shorewall check -C shell .
>> Checking...
>> ERROR: Invalid Action in rule "sjsact - - "

Actually, the error message is:

ERROR: Undefined Client Zone in rule "ACCEPT - - "

-Tom
On Friday 04 May 2007 01:55, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Rule:
> >>
> >> sjsact/ - -
> >>
> >> and action sjsact:
> >>
> >> ACCEPT lan lan:192.168.0.3 udp 12345
> >>
> >> are allowed by shorewall-shell but shorewall-perl produces the following
> >> message:
> >>
> >> ERROR: Invalid rules file entry.
> >
> > That's actually a bug in shorewall-shell but I don't think I'm going to
> > try to fix it (note that an action. file doesn't permit zone names in
> > the SOURCE or DEST column).
>
> Ah! I suspect that sjsact was a macro not an action. If it is an action,
> this results:
>
> teastep@tipper:~/Springl/shorewall$ shorewall check -C shell .
> Checking...
> ERROR: Invalid Action in rule "sjsact - - "
> Terminated
> teastep@tipper:
>
> -Tom

Good morning Tom.

You are correct, it was a macro. I must have been half asleep when I typed it.

Steven.
Tom

Rule:

DNAT all all tcp 12345

when compiled with shorewall-shell, it produces the following message:

ERROR: DNAT rules requires a server address

when compiled with shorewall-perl, it generates the following iptables rule:

-A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 0.0.0.0/0

which produces error:

iptables-restore v1.3.6: Bad IP address '0.0.0.0/0'

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> DNAT all all tcp 12345
>
> when compiled with shorewall-shell, it produces the following message:
>
> ERROR: DNAT rules requires a server address
>
> when compiled with shorewall-perl, it generates the following iptables rule:
>
> -A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 0.0.0.0/0
>
> which produces error:
>
> iptables-restore v1.3.6: Bad IP address '0.0.0.0/0'

Good afternoon, Steven

There is a tested fix in revision 6229.

Thanks,

-Tom
Tom Eastep wrote:
>>
>> iptables-restore v1.3.6: Bad IP address '0.0.0.0/0'
>
> Good afternoon, Steven
>
> There is a tested fix in revision 6229.

Revision 6229 didn't fix the problem for the SAME target. Revision 6230 corrects that (and changes the text of the error message).

-Tom
Tom

Rule:

REDIRECT all 12340 tcp 80 1000:10000 192.168.1.0/24

when compiled with shorewall-shell generates the following rules:

-A OUTPUT -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport 1000:10000 --dport 80 -j REDIRECT --to-ports 12340
-A lan_dnat -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport 1000:10000 --dport 80 -j REDIRECT --to-ports 12340
-A fw2fw -p tcp -m tcp --sport 1000:10000 --dport 12340 -j ACCEPT
-A lan2fw -p tcp -m tcp --sport 1000:10000 --dport 12340 -j ACCEPT

when compiled with shorewall-perl it produces the following error:

ERROR: Unknown destination zone (12340)

Steven.
Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> REDIRECT all 12340 tcp 80 1000:10000 192.168.1.0/24
>
> when compiled with shorewall-shell generates the following rules:
>
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1000:10000 --dport 80 -j REDIRECT --to-ports 12340

Note that the above is actually an error -- it should only be generated when the source zone is 'all+'.

>
> -A lan_dnat -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1000:10000 --dport 80 -j REDIRECT --to-ports 12340
>
> -A fw2fw -p tcp -m tcp --sport 1000:10000 --dport 12340 -j ACCEPT
> -A lan2fw -p tcp -m tcp --sport 1000:10000 --dport 12340 -j ACCEPT
>
>
> when compiled with shorewall-perl it produces the following
> error:
>
> ERROR: Unknown destination zone (12340)

Thanks, Steven. Fixed in Revision 6237.

-Tom
Tom

Tunnels entry:

ipsec lan 192.168.0.253

produces error:

Use of uninitialized value in string eq
at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73, <$currentfile>
line 12.

ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )

Steven.
Steven Jan Springl wrote:
> Tom
>
> Tunnels entry:
>
> ipsec lan 192.168.0.253
>
> produces error:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73, <$currentfile>
> line 12.
>
> ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )
>
>

Corrected in revision 6238.

Thanks, Steven.

-Tom
On Friday 04 May 2007 19:56, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Tunnels entry:
> >
> > ipsec lan 192.168.0.253
> >
> > produces error:
> >
> > Use of uninitialized value in string eq
> > at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73, <$currentfile>
> > line 12.
> >
> > ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )
>
> Corrected in revision 6238.
>
> Thanks, Steven.
>
> -Tom

Tom

It now generates iptables rule:

-A fw2lan -p udp -d 192.168.0.253 --dport 500 -m --state NEW -j ACCEPT

which produces error message:

iptables-restore v1.3.6: Couldn't load match `--state':/lib/iptables/libipt_--state.so: cannot open shared object file: No such file or directory

Steven.
Steven Jan Springl wrote:
> On Friday 04 May 2007 19:56, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Tunnels entry:
>>>
>>> ipsec lan 192.168.0.253
>>>
>>> produces error:
>>>
>>> Use of uninitialized value in string eq
>>> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73, <$currentfile>
>>> line 12.
>>>
>>> ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )
>> Corrected in revision 6238.
>>
>> Thanks, Steven.
>>
>> -Tom
> Tom
>
> It now generates iptables rule:
>
> -A fw2lan -p udp -d 192.168.0.253 --dport 500 -m --state NEW -j ACCEPT
>
> which produces error message:
>
> iptables-restore v1.3.6: Couldn't load match
> `--state':/lib/iptables/libipt_--state.so: cannot open shared object file: No
> such file or directory

Silly typo is fixed in revision 6239.

Thanks, Steven

-Tom
On Friday 04 May 2007 20:57, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Friday 04 May 2007 19:56, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Tunnels entry:
> >>>
> >>> ipsec lan 192.168.0.253
> >>>
> >>> produces error:
> >>>
> >>> Use of uninitialized value in string eq
> >>> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73,
> >>> <$currentfile> line 12.
> >>>
> >>> ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )
> >>
> >> Corrected in revision 6238.
> >>
> >> Thanks, Steven.
> >>
> >> -Tom
> >
> > Tom
> >
> > It now generates iptables rule:
> >
> > -A fw2lan -p udp -d 192.168.0.253 --dport 500 -m --state NEW -j
> > ACCEPT
> >
> > which produces error message:
> >
> > iptables-restore v1.3.6: Couldn't load match
> > `--state':/lib/iptables/libipt_--state.so: cannot open shared object
> > file: No such file or directory
>
> Silly typo is fixed in revision 6239.
>
> Thanks, Steven
>
> -Tom

Tom

It now generates iptables rule:

-A lan2fw -p udp -s 192.168.0.253 --dport -m state --state NEW -j ACCEPT

which produces error:

iptables-restore v1.3.6: invalid port/service '-m' specified

Steven.
Steven Jan Springl wrote:
> On Friday 04 May 2007 20:57, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Friday 04 May 2007 19:56, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Tunnels entry:
>>>>>
>>>>> ipsec lan 192.168.0.253
>>>>>
>>>>> produces error:
>>>>>
>>>>> Use of uninitialized value in string eq
>>>>> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 73,
>>>>> <$currentfile> line 12.
>>>>>
>>>>> ERROR: Invalid zone (-) : /etc/shorewall/tunnels ( line 12 )
>>>> Corrected in revision 6238.
>>>>
>>>> Thanks, Steven.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> It now generates iptables rule:
>>>
>>> -A fw2lan -p udp -d 192.168.0.253 --dport 500 -m --state NEW -j
>>> ACCEPT
>>>
>>> which produces error message:
>>>
>>> iptables-restore v1.3.6: Couldn't load match
>>> `--state':/lib/iptables/libipt_--state.so: cannot open shared object
>>> file: No such file or directory
>> Silly typo is fixed in revision 6239.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> It now generates iptables rule:
>
> -A lan2fw -p udp -s 192.168.0.253 --dport -m state --state NEW -j ACCEPT
>
> which produces error:
>
> iptables-restore v1.3.6: invalid port/service '-m' specified
>

Grrr -- another silly typo fixed in revision 6240.

Thanks, Steven

-Tom
Tom

Tunnels entry:

ipip lan 192.168.0.253 lan

generates the following iptables rule:

-A lan2fw -p -d 192.168.0.253 -j ACCEPT

and produces the following errors:

Use of uninitialized value in concatenation (.) or string
at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 102, <$currentfile>
line 12.

Use of uninitialized value in concatenation (.) or string
at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 103, <$currentfile>
line 12.

iptables-restore v1.3.6: unknown protocol `-d' specified

Steven.
Steven Jan Springl wrote:
> Tom
>
> Tunnels entry:
>
> ipip lan 192.168.0.253 lan
>
> generates the following iptables rule:
>
> -A lan2fw -p -d 192.168.0.253 -j ACCEPT
>
> and produces the following errors:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 102, <$currentfile>
> line 12.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 103, <$currentfile>
> line 12.
>
> iptables-restore v1.3.6: unknown protocol `-d' specified

Should be fixed in revision 6241. Also corrects a similar problem in GRE and 6in4 tunnels.

-Tom
On Friday 04 May 2007 23:32, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Tunnels entry:
> >
> > ipip lan 192.168.0.253 lan
> >
> > generates the following iptables rule:
> >
> > -A lan2fw -p -d 192.168.0.253 -j ACCEPT
> >
> > and produces the following errors:
> >
> > Use of uninitialized value in concatenation (.) or string
> > at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 102,
> > <$currentfile> line 12.
> >
> > Use of uninitialized value in concatenation (.) or string
> > at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 103,
> > <$currentfile> line 12.
> >
> > iptables-restore v1.3.6: unknown protocol `-d' specified
>
> Should be fixed in revision 6241. Also corrects a similar problem in GRE
> and 6in4 tunnels.
>
> -Tom

Tom

Yes, that's fixed it.

Steven.
Tom

Tunnels entry:

openvpnserver:22 lan 192.168.0.253 lan

when compiled with shorewall-shell generates:

-A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT

when compiled with shorewall-perl it generates:

-A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT

which produces error:

iptables-restore v1.3.6: Unknown arg '--sport'

Steven.
Steven Jan Springl wrote:
> Tom
>
> Tunnels entry:
>
> openvpnserver:22 lan 192.168.0.253 lan
>
> when compiled with shorewall-shell generates:
>
> -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
>
> when compiled with shorewall-perl it generates:
>
> -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
>
> which produces error:
>
> iptables-restore v1.3.6: Unknown arg '--sport'

I have fixed a similar bug in the other two openvpn types but overlooked openvpn server. Fixed in 6242.

Thanks, Steven

-Tom
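Several of the reports in this thread (`--to-destination 0.0.0.0/0`, `-m --state`, `--dport -m`, `-p -d`, and `-p 22` with `--sport`) are rule lines that iptables-restore rejects at load time, and on a live firewall a rejected line means the restore stops part way through. A lint pass over the generated rules before they are loaded is one way to catch this class of compiler bug early, in a test harness rather than in production. The code below is an added example and not Shorewall's own validation: the option tables are a subset sufficient for the rules quoted in this thread, and the sample lines are constructed from those rules.

```python
"""Lint iptables-restore rule lines before loading them.
Added example; not Shorewall's validation code. The option tables cover only
the options that appear in the rules quoted in this thread."""
import re
from typing import Dict, List, Set

# Options that consume the following token as their argument
ARG_OPTIONS = {"-A", "-p", "-s", "-d", "-i", "-o", "-m", "-j",
               "--sport", "--dport", "--state", "--limit", "--limit-burst",
               "--to-destination", "--to-ports", "--to-source"}
# Tokens that take no argument
FLAG_OPTIONS = {"!"}
# Protocol names accepted here by name; anything else must be a number 0-255
PROTO_NAMES = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "gre", "sctp", "ipip", "all"}
# Protocols for which iptables auto-loads a match that understands --sport/--dport
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp", "6", "17", "136", "132", "33"}
MATCH_NAME = re.compile(r"^[a-z][a-z0-9_]*$")
# --to-destination takes addr[-addr][:port[-port]]; a network such as 0.0.0.0/0 is not valid
TO_DEST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3}(?:\.\d{1,3}){3})?(?::\d+(?:-\d+)?)?$")


def lint_rule(line: str) -> List[str]:
    """Return the problems found in one '-A CHAIN ...' rule line (empty if clean)."""
    problems: List[str] = []
    tokens = line.split()
    seen: Dict[str, str] = {}      # first argument seen for each option
    matches: Set[str] = set()      # explicit '-m' match names
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAG_OPTIONS:
            i += 1
        elif tok in ARG_OPTIONS:
            # A following token that itself starts with '-' means the argument is missing
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                problems.append(f"{tok} is missing its argument")
                i += 1
                continue
            arg = tokens[i + 1]
            seen.setdefault(tok, arg)
            if tok == "-m":
                if MATCH_NAME.match(arg):
                    matches.add(arg)
                else:
                    problems.append(f"-m expects a match name, got {arg!r}")
            i += 2
        elif tok.startswith("-"):
            problems.append(f"unknown option {tok}")
            i += 1
        else:
            problems.append(f"stray token {tok!r}")
            i += 1

    # Cross-option checks: protocol validity, port options, match-specific options
    proto = seen.get("-p")
    if proto is not None and proto not in PROTO_NAMES and not (proto.isdigit() and int(proto) <= 255):
        problems.append(f"-p {proto} is not a protocol name or number")
    for port_opt in ("--sport", "--dport"):
        if port_opt in seen and proto not in PORT_PROTOS:
            problems.append(f"{port_opt} needs -p tcp/udp/udplite/sctp/dccp, got -p {proto}")
    if "--state" in seen and "state" not in matches:
        problems.append("--state used without -m state")
    if "--limit" in seen and "limit" not in matches:
        problems.append("--limit used without -m limit")
    dest = seen.get("--to-destination")
    if dest is not None and not TO_DEST.match(dest):
        problems.append(f"--to-destination needs a host address or range, got {dest}")
    return problems


# Constructed sample lines, copied from the rules quoted in this thread
SAMPLE_RULES = [
    "-A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 0.0.0.0/0",
    "-A fw2lan -p udp -d 192.168.0.253 --dport 500 -m --state NEW -j ACCEPT",
    "-A lan2fw -p udp -s 192.168.0.253 --dport -m state --state NEW -j ACCEPT",
    "-A lan2fw -p -d 192.168.0.253 -j ACCEPT",
    "-A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT",
    "-A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT",
]


def lint_all(lines: List[str]) -> Dict[str, List[str]]:
    """Lint every line; the result maps each line to its list of problems."""
    return {line: lint_rule(line) for line in lines}


if __name__ == "__main__":
    for rule, found in lint_all(SAMPLE_RULES).items():
        print(rule)
        for problem in found or ["ok"]:
            print("   ", problem)
```

The first five sample lines each come back with at least one finding and the last (the correct openvpn rule from the next message) is clean. Running a check like this over the compiler's output in a test setup catches the malformed line at compile time, before `iptables-restore` refuses it on the firewall.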
On Saturday 05 May 2007 00:05, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Tunnels entry:
> >
> > openvpnserver:22 lan 192.168.0.253 lan
> >
> > when compiled with shorewall-shell generates:
> >
> > -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
> >
> > when compiled with shorewall-perl it generates:
> >
> > -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
> >
> > which produces error:
> >
> > iptables-restore v1.3.6: Unknown arg '--sport'
>
> I have fixed a similar bug in the other two openvpn types but overlooked
> openvpn server. Fixed in 6242.
>
> Thanks, Steven
>
> -Tom

Tom

That works.

However if the port is changed to 0:

openvpnserver:0 lan 192.168.0.253 lan

then it generates iptables rules:

-A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT
-A lan2fw -p udp -s 192.168.0.253 --dport 1194 -j ACCEPT

Steven.
Steven Jan Springl wrote:
> On Saturday 05 May 2007 00:05, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Tunnels entry:
>>>
>>> openvpnserver:22 lan 192.168.0.253 lan
>>>
>>> when compiled with shorewall-shell generates:
>>>
>>> -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
>>>
>>> when compiled with shorewall-perl it generates:
>>>
>>> -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
>>>
>>> which produces error:
>>>
>>> iptables-restore v1.3.6: Unknown arg '--sport'
>> I have fixed a similar bug in the other two openvpn types but overlooked
>> openvpn server. Fixed in 6242.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> That works.
>
> However if the port is changed to 0:
>
> openvpnserver:0 lan 192.168.0.253 lan
>
> then it generates iptables rules:
>
> -A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT
> -A lan2fw -p udp -s 192.168.0.253 --dport 1194 -j ACCEPT
>

Please try revision 6243.

Thanks, Steven

-Tom
On Saturday 05 May 2007 01:04, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 05 May 2007 00:05, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Tunnels entry:
> >>>
> >>> openvpnserver:22 lan 192.168.0.253 lan
> >>>
> >>> when compiled with shorewall-shell generates:
> >>>
> >>> -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
> >>>
> >>> when compiled with shorewall-perl it generates:
> >>>
> >>> -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
> >>>
> >>> which produces error:
> >>>
> >>> iptables-restore v1.3.6: Unknown arg '--sport'
> >>
> >> I have fixed a similar bug in the other two openvpn types but overlooked
> >> openvpn server. Fixed in 6242.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > That works.
> >
> > However if the port is changed to 0:
> >
> > openvpnserver:0 lan 192.168.0.253 lan
> >
> > then it generates iptables rules:
> >
> > -A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT
> > -A lan2fw -p udp -s 192.168.0.253 --dport 1194 -j ACCEPT
>
> Please try revision 6243.
>
> Thanks, Steven
>
> -Tom

Tom

It is still generating the same iptables rules.

Steven.

Steven Jan Springl wrote:
> On Saturday 05 May 2007 01:04, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Saturday 05 May 2007 00:05, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Tunnels entry:
>>>>>
>>>>> openvpnserver:22 lan 192.168.0.253 lan
>>>>>
>>>>> when compiled with shorewall-shell generates:
>>>>>
>>>>> -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
>>>>>
>>>>> when compiled with shorewall-perl it generates:
>>>>>
>>>>> -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
>>>>>
>>>>> which produces error:
>>>>>
>>>>> iptables-restore v1.3.6: Unknown arg '--sport'
>>>> I have fixed a similar bug in the other two openvpn types but overlooked
>>>> openvpn server. Fixed in 6242.
>>>>
>>>> Thanks, Steven
>>>>
>>>> -Tom
>>> Tom
>>>
>>> That works.
>>>
>>> However if the port is changed to 0:
>>>
>>> openvpnserver:0 lan 192.168.0.253 lan
>>>
>>> then it generates iptables rules:
>>>
>>> -A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT
>>> -A lan2fw -p udp -s 192.168.0.253 --dport 1194 -j ACCEPT
>> Please try revision 6243.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> It is still generating the same iptables rules.
>

6244 is generating the proper (but completely silly) rules.

Thanks, Steven

-Tom

On Saturday 05 May 2007 01:20, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 05 May 2007 01:04, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 05 May 2007 00:05, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> Tom
> >>>>>
> >>>>> Tunnels entry:
> >>>>>
> >>>>> openvpnserver:22 lan 192.168.0.253 lan
> >>>>>
> >>>>> when compiled with shorewall-shell generates:
> >>>>>
> >>>>> -A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
> >>>>>
> >>>>> when compiled with shorewall-perl it generates:
> >>>>>
> >>>>> -A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
> >>>>>
> >>>>> which produces error:
> >>>>>
> >>>>> iptables-restore v1.3.6: Unknown arg '--sport'
> >>>>
> >>>> I have fixed a similar bug in the other two openvpn types but
> >>>> overlooked openvpn server. Fixed in 6242.
> >>>>
> >>>> Thanks, Steven
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> That works.
> >>>
> >>> However if the port is changed to 0:
> >>>
> >>> openvpnserver:0 lan 192.168.0.253 lan
> >>>
> >>> then it generates iptables rules:
> >>>
> >>> -A fw2lan -p udp -d 192.168.0.253 --dport 1194 -j ACCEPT
> >>> -A lan2fw -p udp -s 192.168.0.253 --dport 1194 -j ACCEPT
> >>
> >> Please try revision 6243.
> >>
> >> Thanks, Steven
> >>
> >> -Tom
> >
> > Tom
> >
> > It is still generating the same iptables rules.
>
> 6244 is generating the proper (but completely silly) rules.
>
> Thanks, Steven
>
> -Tom

Tom

I totally agree port 0 is silly. But I didn't like the idea of having port 1194 open when it hadn't been requested.

Steven.

Tom

A couple of problems with tunnels if the zone name is not defined in /etc/shorewall/zones.

Tunnels entry:

ipsec tan 192.168.0.253 lan

produces the following error:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 212, <$currentfile> line 15.

ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )

The second problem. Tunnels entry:

ipsec lan 192.168.0.253 tan

produces the following error:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 74, <$currentfile> line 15.

ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )

Steven.

Steven Jan Springl wrote:
> Tom
>
> A couple of problems with tunnels if the zone name is not defined
> in /etc/shorewall/zones.
>
> Tunnels entry:
>
> ipsec tan 192.168.0.253 lan
>
> produces the following error:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 212, <$currentfile>
> line 15.
>
> ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
>
>
> The second problem.
>
> Tunnels entry:
>
> ipsec lan 192.168.0.253 tan
>
> produces the following error:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 74, <$currentfile>
> line 15.
>
> ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
>

Revision 6245 should do the trick.

Thanks, Steven

-Tom

On Saturday 05 May 2007 01:48, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > A couple of problems with tunnels if the zone name is not defined
> > in /etc/shorewall/zones.
> >
> > Tunnels entry:
> >
> > ipsec tan 192.168.0.253 lan
> >
> > produces the following error:
> >
> > Use of uninitialized value in string eq
> > at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 212,
> > <$currentfile> line 15.
> >
> > ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
> >
> >
> > The second problem.
> >
> > Tunnels entry:
> >
> > ipsec lan 192.168.0.253 tan
> >
> > produces the following error:
> >
> > Use of uninitialized value in string eq
> > at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 74, <$currentfile>
> > line 15.
> >
> > ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
>
> Revision 6245 should do the trick.
>
> Thanks, Steven
>
> -Tom

Tom

The first problem above is fixed.

For the second problem, the wrong zone name is being displayed in the error message:

ERROR: Unknown zone (lan)

is being produced instead of:

ERROR: Unknown zone (tan)

Steven.

Steven Jan Springl wrote:
> On Saturday 05 May 2007 01:48, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> A couple of problems with tunnels if the zone name is not defined
>>> in /etc/shorewall/zones.
>>>
>>> Tunnels entry:
>>>
>>> ipsec tan 192.168.0.253 lan
>>>
>>> produces the following error:
>>>
>>> Use of uninitialized value in string eq
>>> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 212,
>>> <$currentfile> line 15.
>>>
>>> ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
>>>
>>>
>>> The second problem.
>>>
>>> Tunnels entry:
>>>
>>> ipsec lan 192.168.0.253 tan
>>>
>>> produces the following error:
>>>
>>> Use of uninitialized value in string eq
>>> at /usr/share/shorewall-perl/Shorewall/Tunnels.pm line 74, <$currentfile>
>>> line 15.
>>>
>>> ERROR: Invalid zone (tan) : /etc/shorewall/tunnels ( line 15 )
>> Revision 6245 should do the trick.
>>
>> Thanks, Steven
>>
>> -Tom
> Tom
>
> The first problem above is fixed.
>
> For the second problem, the wrong zone name is being displayed in the error
> message:
>
> ERROR: Unknown zone (lan)
>
> is being produced instead of:
>
> ERROR: Unknown zone (tan)

I shouldn't try to make patches when I'm going out the door to dinner. I believe that 6246 is correct now.

-Tom

Good morning Tom.

Accounting rule:

SJS OUTPUT - eth0 tcp 22

generates iptables rule:

-A OUTPUT -p 6 --dport 22 -o eth0 -j SJS

which produces error:

iptables-restore v1.3.6: Couldn't load target `SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file: No such file or directory

Steven.

Steven Jan Springl wrote:
> Good morning Tom.
>
> Accounting rule:
>
> SJS OUTPUT - eth0 tcp 22
>
> generates iptables rule:
>
> -A OUTPUT -p 6 --dport 22 -o eth0 -j SJS
>
> which produces error:
>
> iptables-restore v1.3.6: Couldn't load target
> `SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file: No such
> file or directory
>

Good afternoon, Steven

This bug is fixed in revision 6247.

Thanks,

-Tom

Tom

Tos rule:

lan all tcp - 22 16

compiles with shorewall-shell but produces the following error when compiled with shorewall-perl:

ERROR: Unknown Interface (lan): "lan all tcp - 22 16" : /etc/shorewall/tos ( line 9 )

Note, the following tos rule also produces the same error:

all lan tcp - 22 16

Steven.

Steven Jan Springl wrote:
> Tom
>
> Tos rule:
>
> lan all tcp - 22 16
>
> compiles with shorewall-shell but produces the following error when compiled
> with shorewall-perl:
>
> ERROR: Unknown Interface (lan): "lan all tcp - 22 16" : /etc/shorewall/tos
> ( line 9 )
>
>
> Note, the following tos rule also produces the same error:
>

Steven,

This is expected -- see the Shorewall-perl documentation.

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Tos rule:
>>
>> lan all tcp - 22 16
>>
>> compiles with shorewall-shell but produces the following error when compiled
>> with shorewall-perl:
>>
>> ERROR: Unknown Interface (lan): "lan all tcp - 22 16" : /etc/shorewall/tos
>> ( line 9 )
>>
>>
>> Note, the following tos rule also produces the same error:
>>
>
> Steven,
>
> This is expected -- see the Shorewall-perl documentation.

In particular, this item from the release notes:

h) The /etc/shorewall/tos file now has zone-independent SOURCE and
   DEST columns as do all other files except the rules and policy
   files.

   The SOURCE column may be one of the following:

   [all:]<address>[,...]
   [all:]<interface>[:<address>[,...]]
   $FW[:<address>[,...]]

   The DEST column may be one of the following:

   [all:]<address>[,...]
   [all:]<interface>[:<address>[,...]]

   This is a permanent change. The old zone-based rules have never
   worked right and this is a good time to replace them. I've tried
   to make the new syntax cover the most common cases without
   requiring change to existing files. In particular, it will
   handle the tos file released with Shorewall 1.4 and earlier.

-Tom

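As an added example (not Shorewall's own code, and not part of the thread), here is a small Python parser for the zone-independent SOURCE and DEST syntax quoted above. The interface set is a constructed sample, and the parser reproduces why a zone name such as "lan" in either column comes back as an unknown interface.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of the firewall's interfaces (Shorewall reads them from
# /etc/shorewall/interfaces). Zone names such as "lan" are not interfaces,
# which is why the thread's "lan all tcp - 22 16" rule is rejected.
KNOWN_INTERFACES = {"eth0", "eth1", "tun0"}

@dataclass
class TosEndpoint:
    kind: str                        # "any", "fw", "interface" or "address"
    interface: Optional[str] = None
    addresses: List[str] = field(default_factory=list)

def _addresses(text: str) -> List[str]:
    """Validate a comma-separated IPv4 address/network list (IPv4 only here)."""
    items = [a for a in text.split(",") if a]
    for a in items:
        ipaddress.ip_network(a, strict=False)   # ValueError if not an address
    return items

def parse_tos_column(value: str, column: str, interfaces=KNOWN_INTERFACES) -> TosEndpoint:
    """Parse a zone-independent SOURCE or DEST column of /etc/shorewall/tos.
    Grammar from the release-notes item quoted above:
      SOURCE: [all:]<address>[,...] | [all:]<interface>[:<address>[,...]]
              | $FW[:<address>[,...]]
      DEST:   [all:]<address>[,...] | [all:]<interface>[:<address>[,...]]
    A bare "all" (as in "eth0 all tcp - 22 16") matches anything.
    """
    if column not in ("SOURCE", "DEST"):
        raise ValueError("column must be SOURCE or DEST")
    if value == "all":
        return TosEndpoint("any")
    text = value[4:] if value.startswith("all:") else value
    if text.startswith("$FW"):
        if column != "SOURCE":
            raise ValueError("$FW is only valid in the SOURCE column")
        rest = text[3:]
        return TosEndpoint("fw", addresses=_addresses(rest[1:] if rest.startswith(":") else rest))
    head, sep, rest = text.partition(":")
    if head in interfaces:
        return TosEndpoint("interface", head, _addresses(rest) if sep else [])
    if not sep:                          # plain address list?
        try:
            return TosEndpoint("address", addresses=_addresses(head))
        except ValueError:
            pass
    # Anything else is taken for an interface name, hence shorewall-perl's
    # "Unknown Interface (lan)" when a zone name is put in this column.
    raise ValueError(f"Unknown Interface ({head})")

def tos_line_error(line: str) -> Optional[str]:
    """Check SOURCE and DEST of one tos line; return the error text (in the
    shape shorewall-perl printed for the rule above) or None if valid."""
    cols = line.split()
    if len(cols) < 2:
        return f'Missing DEST column: "{line}"'
    try:
        parse_tos_column(cols[0], "SOURCE")
        parse_tos_column(cols[1], "DEST")
    except ValueError as exc:
        return f'{exc}: "{line}"'
    return None
```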
On Saturday 05 May 2007 15:18, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> Tos rule:
> >>
> >> lan all tcp - 22 16
> >>
> >> compiles with shorewall-shell but produces the following error when
> >> compiled with shorewall-perl:
> >>
> >> ERROR: Unknown Interface (lan): "lan all tcp - 22 16" :
> >> /etc/shorewall/tos ( line 9 )
> >>
> >>
> >> Note, the following tos rule also produces the same error:
> >
> > Steven,
> >
> > This is expected -- see the Shorewall-perl documentation.
>
> In particular, this item from the release notes:
>
> h) The /etc/shorewall/tos file now has zone-independent SOURCE and
>    DEST columns as do all other files except the rules and policy
>    files.
>
>    The SOURCE column may be one of the following:
>
>    [all:]<address>[,...]
>    [all:]<interface>[:<address>[,...]]
>    $FW[:<address>[,...]]
>
>    The DEST column may be one of the following:
>
>    [all:]<address>[,...]
>    [all:]<interface>[:<address>[,...]]
>
>    This is a permanent change. The old zone-based rules have never
>    worked right and this is a good time to replace them. I've tried
>    to make the new syntax cover the most common cases without
>    requiring change to existing files. In particular, it will
>    handle the tos file released with Shorewall 1.4 and earlier.
>
> -Tom

Tom

Sorry, I have based most of the testing on the content of the man pages, only going elsewhere when I have needed further clarification.

Changing the rule to:

eth0 all tcp - 22 16

generates the following iptables rule:

-A OUTPUT -j outtos

which produces the following error:

iptables-restore v1.3.6: Couldn't load target `outtos':/lib/iptables/libipt_outtos.so: cannot open shared object file: No such file or directory

Steven.

Steven Jan Springl wrote:
> On Saturday 05 May 2007 15:18, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> Tos rule:
>>>>
>>>> lan all tcp - 22 16
>>>>
>>>> compiles with shorewall-shell but produces the following error when
>>>> compiled with shorewall-perl:
>>>>
>>>> ERROR: Unknown Interface (lan): "lan all tcp - 22 16" :
>>>> /etc/shorewall/tos ( line 9 )
>>>>
>>>>
>>>> Note, the following tos rule also produces the same error:
>>> Steven,
>>>
>>> This is expected -- see the Shorewall-perl documentation.
>> In particular, this item from the release notes:
>>
>> h) The /etc/shorewall/tos file now has zone-independent SOURCE and
>>    DEST columns as do all other files except the rules and policy
>>    files.
>>
>>    The SOURCE column may be one of the following:
>>
>>    [all:]<address>[,...]
>>    [all:]<interface>[:<address>[,...]]
>>    $FW[:<address>[,...]]
>>
>>    The DEST column may be one of the following:
>>
>>    [all:]<address>[,...]
>>    [all:]<interface>[:<address>[,...]]
>>
>>    This is a permanent change. The old zone-based rules have never
>>    worked right and this is a good time to replace them. I've tried
>>    to make the new syntax cover the most common cases without
>>    requiring change to existing files. In particular, it will
>>    handle the tos file released with Shorewall 1.4 and earlier.
>>
>> -Tom
> Tom
>
> Sorry, I have based most of the testing on the content of the man pages, only
> going elsewhere when I have needed further clarification.
>
> Changing the rule to:
>
> eth0 all tcp - 22 16
>
> generates the following iptables rule
>
> -A OUTPUT -j outtos
>
> which produces the following error:
>
> iptables-restore v1.3.6: Couldn't load target
> `outtos':/lib/iptables/libipt_outtos.so: cannot open shared object file: No
> such file or directory

Fixed in 6249.

Thanks, Steven

-Tom

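Added example, not part of the thread and not Shorewall's code: a Python pre-flight check over an iptables-restore fragment that catches the three failure modes reported in this thread before iptables-restore does, namely a port match on a protocol that has no ports ("-p 22" with "--sport" in the openvpnserver report) and jumps to chains that were never declared ("-j SJS" from the accounting rule and "-j outtos" from the tos rule). The sample ruleset is constructed from the rules quoted above; the table header and chain declarations are added here.

```python
from typing import Dict, List

# Targets iptables provides itself or via extension modules; a jump to any
# other name must refer to a user chain declared in the same table.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "ULOG", "QUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "TOS", "MARK",
                   "CONNMARK", "TCPMSS", "NFLOG"}
# iptables loads the port-match options (--sport/--dport) only for these
# protocols; numeric -p values are resolved via /etc/protocols, so "-p 6"
# still counts as tcp, while "-p 22" (XNS IDP) has no port options at all.
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}
PROTO_NUMBERS = {"6": "tcp", "17": "udp", "33": "dccp", "132": "sctp", "136": "udplite"}
PORT_OPTS = {"--sport", "--dport", "--source-port", "--destination-port"}

def _options(rule: str) -> Dict[str, str]:
    """Map each option in a rule line to the value that follows it."""
    toks = rule.split()
    return {toks[i]: toks[i + 1] for i in range(len(toks) - 1)
            if toks[i].startswith("-") and not toks[i + 1].startswith("-")}

def lint_restore(text: str) -> List[str]:
    """Report rules that iptables-restore would refuse, with the cause."""
    problems: List[str] = []
    chains: set = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):           # "*filter": chains are per table
            chains = set()
            continue
        if line.startswith(":"):           # ":NAME POLICY [pkts:bytes]"
            chains.add(line[1:].split()[0])
            continue
        o = _options(line)
        chain, target = o.get("-A"), o.get("-j")
        if chain not in chains:
            problems.append(f"line {n}: rule appended to undeclared chain {chain!r}")
        if target and target not in BUILTIN_TARGETS and target not in chains:
            problems.append(f"line {n}: -j {target} is neither a declared chain nor a "
                            f"known target (iptables would look for libipt_{target}.so)")
        proto = PROTO_NUMBERS.get(o.get("-p", ""), o.get("-p", ""))
        ports = PORT_OPTS & set(o)
        if ports and proto not in PORT_PROTOS and o.get("-m") not in PORT_PROTOS:
            problems.append(f"line {n}: {sorted(ports)[0]} needs -p tcp/udp, got -p {proto!r}")
    return problems

# Constructed iptables-restore fragment built from the rules quoted in the
# thread; the table header and chain declarations are added here.
SAMPLE_RESTORE = """\
*filter
:OUTPUT ACCEPT [0:0]
:fw2lan - [0:0]
-A fw2lan -p udp -d 192.168.0.253 --sport 22 -j ACCEPT
-A fw2lan -p 22 -d 192.168.0.253 --sport 1194 -j ACCEPT
-A OUTPUT -p 6 --dport 22 -o eth0 -j SJS
-A OUTPUT -j outtos
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(lint_restore(SAMPLE_RESTORE)))
```

Running the check on the compiler's output before "shorewall restart" turns the iptables-restore failures above into line-numbered findings that point at the offending rule.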