Is there any reason why the output of /usr/share/shorewall-lite/shorecap
is stored on the shorewall-lite target and then scp'd to the shorewall
administrative machine? Why not just capture the output of it directly
to the administrative machine all in one go? i.e. rather than:

    if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap > ${LITEDIR}/capabilities" || \
       ! scp ${root}@$system:${LITEDIR}/capabilities $directory; then
        fatal_error "ERROR: Capturing capabilities on system $system failed"
    fi

Something more along the lines of:

    if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > ${LITEDIR}/capabilities; then
        fatal_error "ERROR: Capturing capabilities on system $system failed"
    fi

Is the capabilities file on the shorewall-lite box used for anything
other than copying to the administrative machine?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Brian J. Murrell wrote:
> Is there any reason why the output of /usr/share/shorewall-lite/shorecap
> is stored on the shorewall-lite target and then scp'd to the shorewall
> administrative machine? Why not just capture the output of it directly
> to the administrative machine all in one go?

Because the implementor is an idiot, I guess.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Mon, Apr 30, 2007 at 07:42:32AM -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > Is there any reason why the output of /usr/share/shorewall-lite/shorecap
> > is stored on the shorewall-lite target and then scp'd to the shorewall
> > administrative machine? Why not just capture the output of it directly
> > to the administrative machine all in one go?
>
> Because the implementor is an idiot, I guess.

If you're taking another look at that stuff, here's an idea: it would
be nice if I could configure the commands used, say by specifying
something like:

    RSH_COMMAND='ssh user@$host "sudo $command"'
    RCP_COMMAND='rsync --rsync-path "sudo rsync" $from_file $host:$to_file'

Since then I could use sudo (or whatever local authentication system
is in place) instead of having to permit remote root logins.

Implementation would be something along the lines of:

    host=... command=... eval $RSH_COMMAND

(I probably missed a few variables because I haven't looked at the
code, but you get the general idea)
Brian J. Murrell
2007-Apr-30 15:06 UTC
Re: capabilities file on the shorewall-lite target?
On Mon, 2007-30-04 at 07:42 -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > Is there any reason why the output of /usr/share/shorewall-lite/shorecap
> > is stored on the shorewall-lite target and then scp'd to the shorewall
> > administrative machine? Why not just capture the output of it directly
> > to the administrative machine all in one go?
>
> Because the implementor is an idiot, I guess.

Tom, I am sorry if that is how I came across. I didn't mean it that
way. :-( I was being quite sincere in my question. I couldn't find
anywhere in shorewall-lite that that file was used directly -- other
than being available to copy by shorewall (proper), but was willing to
be corrected before I dove in to fix it.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Mon, 2007-30-04 at 07:42 -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> Is there any reason why the output of /usr/share/shorewall-lite/shorecap
>>> is stored on the shorewall-lite target and then scp'd to the shorewall
>>> administrative machine? Why not just capture the output of it directly
>>> to the administrative machine all in one go?
>> Because the implementor is an idiot, I guess.
>
> Tom, I am sorry if that is how I came across. I didn't mean it that
> way. :-( I was being quite sincere in my question. I couldn't find
> anywhere in shorewall-lite that that file was used directly -- other
> than being available to copy by shorewall (proper), but was willing to
> be corrected before I dove in to fix it.

There is no reason to have the capabilities file resident on the Shorewall
Lite firewall system.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-30 19:01 UTC
Re: capabilities file on the shorewall-lite target?
On Mon, 2007-30-04 at 11:53 -0700, Tom Eastep wrote:
>
> There is no reason to have the capabilities file resident on the Shorewall
> Lite firewall system.

The following patch to 3.4.2 should take care of this:

--- shorewall.dist	2007-04-30 14:59:14.000000000 -0400
+++ shorewall	2007-04-30 14:59:15.000000000 -0400
@@ -986,8 +986,7 @@
 	fi
 
 	progress_message "Getting Capabilities on system $system..."
-	if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap > ${LITEDIR}/capabilities" || \
-	   ! scp ${root}@$system:${LITEDIR}/capabilities $directory; then
+	if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
     fi

Cheers,
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
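Review bot: the `+` line moves the redirection to the administrative side, so the shell opens `$directory/capabilities` for writing before ssh runs; if the ssh or shorecap step fails, an empty or truncated capabilities file is left behind next to the `fatal_error` and a later compile could pick it up. Consider redirecting to a temporary name and renaming only on success, or removing the file in the failure branch, e.g. `rm -f $directory/capabilities` before `fatal_error`. Also, `$directory` is unquoted in the redirection while the old `scp` line had the same exposure; quoting it as `"$directory/capabilities"` avoids word splitting if the path contains spaces. Dropping the `scp` and the remote `${LITEDIR}/capabilities` write matches the point in the thread that the file serves no purpose on the Lite system.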
Brian J. Murrell wrote:
> On Mon, 2007-30-04 at 11:53 -0700, Tom Eastep wrote:
>> There is no reason to have the capabilities file resident on the Shorewall
>> Lite firewall system.
>
> The following patch to 3.4.2 should take care of this:

Brian,

Please send the patch as an attachment rather than embedded in the body
text. Your mailer is encoding the body text (quoted-printable) with the
result that the patch is completely mangled.

Thanks,
-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-30 19:23 UTC
Re: capabilities file on the shorewall-lite target?
On Mon, 2007-30-04 at 12:06 -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > On Mon, 2007-30-04 at 11:53 -0700, Tom Eastep wrote:
> >> There is no reason to have the capabilities file resident on the Shorewall
> >> Lite firewall system.
> >
> > The following patch to 3.4.2 should take care of this:
>
> Brian,
>
> Please send the patch as an attachment rather than embedded in the body
> text. Your mailer is encoding the body text (quoted-printable) with the
> result that the patch is completely mangled.

Crap. OK. Attached.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Mon, 2007-30-04 at 12:06 -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> On Mon, 2007-30-04 at 11:53 -0700, Tom Eastep wrote:
>>>> There is no reason to have the capabilities file resident on the Shorewall
>>>> Lite firewall system.
>>> The following patch to 3.4.2 should take care of this:
>> Brian,
>>
>> Please send the patch as an attachment rather than embedded in the body
>> text. Your mailer is encoding the body text (quoted-printable) with the
>> result that the patch is completely mangled.
>
> Crap. OK. Attached.

Applied.

Thanks,
-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield wrote:
> On Mon, Apr 30, 2007 at 07:42:32AM -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> Is there any reason why the output of /usr/share/shorewall-lite/shorecap
>>> is stored on the shorewall-lite target and then scp'd to the shorewall
>>> administrative machine? Why not just capture the output of it directly
>>> to the administrative machine all in one go?
>> Because the implementor is an idiot, I guess.
>
> If you're taking another look at that stuff, here's an idea: it would
> be nice if I could configure the commands used, say by specifying
> something like:
>
> RSH_COMMAND='ssh user@$host "sudo $command"'
> RCP_COMMAND='rsync --rsync-path "sudo rsync" $from_file $host:$to_file'
>
> Since then I could use sudo (or whatever local authentication system
> is in place) instead of having to permit remote root logins.
>
> Implementation would be something along the lines of:
>
> host=... command=... eval $RSH_COMMAND
>
> (I probably missed a few variables because I haven't looked at the
> code, but you get the general idea)

I'll add this to the 3.9 wishlist.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Suffield wrote:
>> On Mon, Apr 30, 2007 at 07:42:32AM -0700, Tom Eastep wrote:
>>> Brian J. Murrell wrote:
>>>> Is there any reason why the output of /usr/share/shorewall-lite/shorecap
>>>> is stored on the shorewall-lite target and then scp'd to the shorewall
>>>> administrative machine? Why not just capture the output of it directly
>>>> to the administrative machine all in one go?
>>> Because the implementor is an idiot, I guess.
>> If you're taking another look at that stuff, here's an idea: it would
>> be nice if I could configure the commands used, say by specifying
>> something like:
>>
>> RSH_COMMAND='ssh user@$host "sudo $command"'
>> RCP_COMMAND='rsync --rsync-path "sudo rsync" $from_file $host:$to_file'
>>
>> Since then I could use sudo (or whatever local authentication system
>> is in place) instead of having to permit remote root logins.
>>
>> Implementation would be something along the lines of:
>>
>> host=... command=... eval $RSH_COMMAND
>>
>> (I probably missed a few variables because I haven't looked at the
>> code, but you get the general idea)
>
> I'll add this to the 3.9 wishlist.
>

This will be in 3.9.6. Here is the release notes entry:

1) Earlier generations of Shorewall Lite required that remote root login
   via ssh be enabled in order to use the 'load' and 'reload' commands.
   Beginning with this release, you may define an alternative means for
   accessing the remote firewall system. Two new options have been added
   to shorewall.conf:

       RSH_COMMAND
       RCP_COMMAND

   The default values for these are as follows:

       RSH_COMMAND: ssh ${root}@${system} ${command}
       RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

   Shell variables that will be set when the commands are invoked are as
   follows:

       root        - root user. Normally 'root' but may be overridden
                     using the '-r' option.
       system      - The name/IP address of the remote firewall system.
       command     - For RSH_COMMAND, the command to be executed on the
                     firewall system.
       files       - For RCP_COMMAND, a space-separated list of files to
                     be copied to the remote firewall system.
       destination - The directory on the remote system that the files
                     are to be copied into.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
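As an added illustration of the RSH_COMMAND / RCP_COMMAND mechanism in the release notes above and of Andrew's eval-based sketch earlier in the thread (this is example code written for this page, not Shorewall's own, and the host name, file names and the local `sh -c` stand-in template are constructed), the following POSIX shell script expands such templates with eval using the variable names from the release notes (root, system, command, files, destination) and shows the argument vector each template produces, including the sudo variant:

```shell
#!/bin/sh
# Added example; not Shorewall's code. Shows how RSH_COMMAND / RCP_COMMAND
# style templates are expanded by eval, and what argv the remote tool gets.

# Default templates, as quoted in the 3.9.6 release notes.
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

# Expand a template into its argument vector without executing anything.
# $1 is the template; root, system, command, files and destination are
# read from the current shell. Arguments are printed separated by '|'.
template_argv() {
    eval "set -- $1"
    printf '%s|' "$@"
}

# Execute a template: eval re-parses it, so every word and quote in the
# template becomes part of the command run on the administrative machine.
run_template() {
    eval "$1"
}

# Variables a 'load' would set (constructed values).
root=root
system=fw1.example.net
command=/usr/share/shorewall-lite/shorecap

# Default: three arguments, the command is passed through unquoted.
default_argv=$(template_argv "$RSH_COMMAND")

# Andrew's sudo variant, written with the release-notes variable names.
# The double quotes in the template keep "sudo <command>" as one argument,
# which is exactly the command line the remote shell will see.
SUDO_RSH='ssh shorewall@${system} "sudo ${command}"'
sudo_argv=$(template_argv "$SUDO_RSH")

# RCP: ${files} is a space-separated list, so it expands to one argument
# per file; ${destination} stays a single argument.
files="firewall capabilities"
destination=/var/lib/shorewall-lite
rcp_argv=$(template_argv "$RCP_COMMAND")

# Offline demonstration of run_template: a constructed stand-in template
# that runs ${command} locally instead of over ssh.
LOCAL_RSH='sh -c "${command}"'
command='echo shorecap-output'
local_out=$(run_template "$LOCAL_RSH")

printf 'default: %s\nsudo:    %s\nrcp:     %s\nlocal:   %s\n' \
    "$default_argv" "$sudo_argv" "$rcp_argv" "$local_out"
```

Two points follow from the eval step. Whatever string sits in RSH_COMMAND or RCP_COMMAND is executed as-is on the administrative machine, so the shorewall.conf that holds it deserves the same ownership and permission care as the ssh key the template uses. And the substituted variables are split on whitespace unless the template quotes them, which is what makes ${files} expand to several arguments and why the sudo template needs its quotes around `sudo ${command}`.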