I've uploaded 3.9.6.

Problems corrected in 3.9.6.

1) Placing 'ipp2p' in the PROTOCOL column of configuration files now works.

2) Previously, '!' in the TEST column of the tcrules file was not handled correctly.

3) The code generated for copying routing tables from provider file entries was previously incorrect, resulting in run-time errors.

4) Previously, using an ipset in a rule would generate invalid iptables-restore input.

5) Previously, use of CONTINUE in the tcrules file would cause generation of invalid iptables-restore input.

6) If a chain's only reference is in the ACTION column of an accounting rule, a run-time error would occur:

   iptables-restore v1.3.6: Couldn't load target `SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file: No such file or directory

7) A problem with merging the log level and tag in macro or action invocations has been corrected.

8) An empty action body no longer results in a run-time error.

9) Shorewall-perl now traps the case where an action invokes itself.

10) Shorewall-perl now traps COMMENT followed by a colon (":") and a log level.

11) COMMENT in an action body is now properly handled.

12) LOG rules in macros are now handled correctly.

13) Parsing of 'ipp2p' rules has been corrected.

14) Inversion is now handled correctly in packet/connection mark tests.

15) Parsing errors in RATE/BURST and USER/GROUP columns have been eliminated.

16) ipsets have now been tested and several bugs in their handling have been corrected.

17) Errors in handling the SOURCE and DEST column during macro expansion have been corrected.

19) Shorewall-perl now correctly handles the COPY column in provider definitions.

20) A number of cases where Shorewall-perl did not handle undefined zones have been corrected.

21) A number of bugs relating to parsing the tunnels file have been corrected.

Other changes in Shorewall 3.9.6.
1) Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the 'load' and 'reload' commands. Beginning with this release, you may define an alternative means for accessing the remote firewall system. Two new options have been added to shorewall.conf:

   RSH_COMMAND
   RCP_COMMAND

   The default values for these are as follows:

   RSH_COMMAND: ssh ${root}@${system} ${command}
   RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

   Shell variables that will be set when the commands are invoked are as follows:

   root        - root user. Normally 'root' but may be overridden using the '-r' option.
   system      - The name/IP address of the remote firewall system.
   command     - For RSH_COMMAND, the command to be executed on the firewall system.
   files       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
   destination - The directory on the remote system that the files are to be copied into.

2) The accounting, masq, rules and tos files now have a 'MARK' column similar to the column of the same name in the tcrules file. This column allows filtering by MARK and CONNMARK value.

3) SOURCE and DEST are now reserved zone names to avoid problems with bi-directional macro definitions which use these as names as key words.

-Tom
--
Tom Eastep
NonStop OS & Languages
NonStop[tm] Enterprise Division, Hewlett-Packard Company
206-542-7751 (Voice and Fax)
tom.eastep@hp.com

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
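One way to put the two new options to use so that the Lite firewall never has to accept root logins over ssh, written here as an added example (it is not from Tom's announcement and not part of the Shorewall distribution): a dedicated unprivileged account on the firewall, an ssh key that is only used for that account, and sudo on the remote side for the one command Shorewall needs to run. The account name 'fwadmin', the key path and the sudoers grant are assumptions, as is the quoting: the values are written in single quotes so that ${root}, ${system}, ${command}, ${files} and ${destination} stay literal until Shorewall sets them at 'load'/'reload' time, on the assumption that shorewall.conf is read by the shell and double quotes would expand them immediately.

```shell
# Added example for shorewall.conf on the administrative system; not the
# project's own defaults.  Assumes:
#   - an unprivileged 'fwadmin' account exists on the firewall,
#   - /root/.ssh/shorewall-lite is a key authorized only for that account,
#   - sudoers on the firewall lets fwadmin run the Shorewall Lite admin
#     command without a password (and without requiring a tty).
#
# Single quotes keep the ${...} references literal; Shorewall supplies
# root, system, command, files and destination when it invokes these.
RSH_COMMAND='ssh -i /root/.ssh/shorewall-lite -o BatchMode=yes ${root}@${system} sudo ${command}'
RCP_COMMAND='scp -i /root/.ssh/shorewall-lite -o BatchMode=yes ${files} ${root}@${system}:${destination}'
```

With this in place the remote user is selected per invocation with the '-r' option described above (for example 'shorewall load -r fwadmin firewall1', the exact command form being an assumption). One caveat worth checking before relying on it: RCP_COMMAND has no sudo step, so whatever directory Shorewall passes as ${destination} must be writable by the unprivileged account, otherwise the copy fails even though the ssh step works.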
Tom Eastep wrote:
> 3) SOURCE and DEST are now reserved zone names to avoid problems with
> bi-directional macro definisions which use these as names as key

Wow, where did that come from? -- s/definisions/definitions/

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
Tom

Interface file entry:

- eth0 -

and host file entries:

lan eth0:192.168.0.0/24
wan eth0:!192.168.0.0/24

produce the following error:

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1656.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface file entry:
>
> - eth0 -
>
> and host file entries:
>
> lan eth0:192.168.0.0/24
> wan eth0:!192.168.0.0/24
>
> produce the following error:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1656.

Steve,

I'm unable to reproduce that problem. And Rules.pm line 1656 doesn't have any concatenation or qq(). Please send me a tarball of the failing configuration.

Thanks,
-Tom
On Sunday 06 May 2007 01:04, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Interface file entry:
> >
> > - eth0 -
> >
> > and host file entries:
> >
> > lan eth0:192.168.0.0/24
> > wan eth0:!192.168.0.0/24
> >
> > produce the following error:
> >
> > Use of uninitialized value in concatenation (.) or string
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1656.
>
> Steve,
>
> I'm unable to reproduce that problem. And Rules.pm line 1656 doesn't
> have any concatenation or qq(). Please send me a tarball of the failing
> configuration.
>
> Thanks,
> -Tom

Tom

Configuration attached.

Steven.
Steven Jan Springl wrote:
> On Sunday 06 May 2007 01:04, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Interface file entry:
>>>
>>> - eth0 -
>>>
>>> and host file entries:
>>>
>>> lan eth0:192.168.0.0/24
>>> wan eth0:!192.168.0.0/24
>>>
>>> produce the following error:
>>>
>>> Use of uninitialized value in concatenation (.) or string
>>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1656.
>> Steve,
>>
>> I'm unable to reproduce that problem. And Rules.pm line 1656 doesn't
>> have any concatenation or qq(). Please send me a tarball of the failing
>> configuration.
>>
>> Thanks,
>> -Tom
> Tom
>
> Configuration attached.

Thanks, Steven. That was a tough one :-)

Fixed in revision 6254.

-Tom
On Sunday 06 May 2007 02:18, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Sunday 06 May 2007 01:04, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Interface file entry:
> >>>
> >>> - eth0 -
> >>>
> >>> and host file entries:
> >>>
> >>> lan eth0:192.168.0.0/24
> >>> wan eth0:!192.168.0.0/24
> >>>
> >>> produce the following error:
> >>>
> >>> Use of uninitialized value in concatenation (.) or string
> >>> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1656.
> >>
> >> Steve,
> >>
> >> I'm unable to reproduce that problem. And Rules.pm line 1656 doesn't
> >> have any concatenation or qq(). Please send me a tarball of the failing
> >> configuration.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > Configuration attached.
>
> Thanks, Steven. That was a tough one :-)
>
> Fixed in revision 6254.
>
> -Tom

Good morning Tom.

I can confirm, it compiles here too. However the iptables rules generated do not seem to work.

The testing was conducted on a PC with one interface, IP address 192.168.0.4/24 gateway 192.168.0.254

To compile the rules with shorewall-shell, it is necessary to comment out the entry in tcrules.

When compiled with shorewall-shell, it is possible to ping www.suse.com (195.135.220.3) from the firewall.

When compiled with shorewall-perl, the following message is produced when trying to ping www.suse.com from the firewall:

May 6 11:38:59 l4 kernel: Shorewall:INPUT:DROP:IN=eth0 OUT= MAC=00:40:f4:50:35:67:00:60:08:79:fd:67:08:00 SRC=195.135.220.3 DST=192.168.0.4 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=13497 PROTO=ICMP TYPE=0 CODE=0 ID=23083 SEQ=1

Steven.
Tom

Another problem with "!" in hosts file. :-(

Interface file entry:

- eth0 -

and host file entries:

lan eth0:192.168.0.0/24!192.168.0.10
wan eth0:!192.168.0.0/24

produces the following error:

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1633.

Note; the rest of the configuration is the same as the one from yesterday.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Another problem with "!" in hosts file. :-(
>
>
> Interface file entry:
>
> - eth0 -
>
> and host file entries:
>
> lan eth0:192.168.0.0/24!192.168.0.10
> wan eth0:!192.168.0.0/24
>
> produces the following error:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1633.
>
> Note; the rest of the configuration is the same as the one from yesterday.

Good afternoon, Steven.

I believe all of these problems are corrected in revision 6255.

Thanks!

-Tom
On Sunday 06 May 2007 16:45, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Another problem with "!" in hosts file. :-(
> >
> >
> > Interface file entry:
> >
> > - eth0 -
> >
> > and host file entries:
> >
> > lan eth0:192.168.0.0/24!192.168.0.10
> > wan eth0:!192.168.0.0/24
> >
> > produces the following error:
> >
> > Use of uninitialized value in concatenation (.) or string
> > at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1633.
> >
> > Note; the rest of the configuration is the same as the one from
> > yesterday.
>
> Good afternoon, Steven.
>
> I believe all of these problems are corrected in revision 6255.
>
> Thanks!
>
> -Tom

Tom

The problems are fixed.

Steven.
Tom

Interface entry:

- eth0 -

Host entry:

lan eth0:192.168.0.0/24 maclist

Maclist entry:

ACCEPT eth0 11:22:33:44:55:66

when compiled with shorewall-perl produces the following message:

ERROR: No hosts on eth0 have maclist option specified.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> - eth0 -
>
> Host entry:
>
> lan eth0:192.168.0.0/24 maclist
>
> Maclist entry:
>
> ACCEPT eth0 11:22:33:44:55:66
>
> when compiled with shorewall-perl produces the following message:
>
> ERROR: No hosts on eth0 have maclist option specified.
>

Thanks, Steven

Fixed in revision 6257.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Interface entry:
>>
>> - eth0 -
>>
>> Host entry:
>>
>> lan eth0:192.168.0.0/24 maclist
>>
>> Maclist entry:
>>
>> ACCEPT eth0 11:22:33:44:55:66
>>
>> when compiled with shorewall-perl produces the following message:
>>
>> ERROR: No hosts on eth0 have maclist option specified.
>>
>
> Thanks, Steven
>
> Fixed in revision 6257.
>

You will want to install revision 6258 to correct a problem introduced in 6257.

-Tom
Tom

Two more issues with entries in the host file.

Zones entries

fw firewall
lan ipv4
wan ipv4

Interface entry:

- eth0 -

The host file is attached.

When this is compiled with shorewall-perl, the following error is produced:

Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1420.

The second issue.

If the last entry in the attached host file is commented out, the following error is produced:

Can't use string ("1") as a HASH ref while "strict refs" in use at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.

Note; if 'ipsec' is removed from the first entry in the host file, neither error is produced.

Steven
Steven Jan Springl wrote:
> Tom
>
> Two more issues with entries in the host file.
>
> Zones entries
>
> fw firewall
> lan ipv4
> wan ipv4
>
> Interface entry:
>
> - eth0 -
>
> The host file is attached.
>
> When this is compiled with shorewall-perl, the following error is produced:
>
> Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm line
> 1420.
>
>
>
> The second issue.
>
> If the last entry in the attached host file is commented out, the following
> error is produced:
>
> Can't use string ("1") as a HASH ref while "strict refs" in use
> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.
>
>
> Note; if 'ipsec' is removed from the first entry in the host file, neither
> error is produced.

These problems seem corrected in revision 6259.

Thanks, Steven,

-Tom
On Sunday 06 May 2007 23:27, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Two more issues with entries in the host file.
> >
> > Zones entries
> >
> > fw firewall
> > lan ipv4
> > wan ipv4
> >
> > Interface entry:
> >
> > - eth0 -
> >
> > The host file is attached.
> >
> > When this is compiled with shorewall-perl, the following error is
> > produced:
> >
> > Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm
> > line 1420.
> >
> >
> >
> > The second issue.
> >
> > If the last entry in the attached host file is commented out, the
> > following error is produced:
> >
> > Can't use string ("1") as a HASH ref while "strict refs" in use
> > at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.
> >
> >
> > Note; if 'ipsec' is removed from the first entry in the host file,
> > neither error is produced.
>
> These problems seem corrected in revision 6259.
>
> Thanks, Steven,
>
> -Tom

Tom

The first host file configuration above with all 3 entries present, generates the following iptables rule:

-A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j HASH(0x8345924)->n{name}

which produces the following error:

Bad argument 'policy'

Steven.
Steven Jan Springl wrote:
> On Sunday 06 May 2007 23:27, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Two more issues with entries in the host file.
>>>
>>> Zones entries
>>>
>>> fw firewall
>>> lan ipv4
>>> wan ipv4
>>>
>>> Interface entry:
>>>
>>> - eth0 -
>>>
>>> The host file is attached.
>>>
>>> When this is compiled with shorewall-perl, the following error is
>>> produced:
>>>
>>> Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm
>>> line 1420.
>>>
>>>
>>>
>>> The second issue.
>>>
>>> If the last entry in the attached host file is commented out, the
>>> following error is produced:
>>>
>>> Can't use string ("1") as a HASH ref while "strict refs" in use
>>> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.
>>>
>>>
>>> Note; if 'ipsec' is removed from the first entry in the host file,
>>> neither error is produced.
>> These problems seem corrected in revision 6259.
>>
>> Thanks, Steven,
>>
>> -Tom
>
> Tom
>
> The first host file configuration above with all 3 entries present, generates
> the following iptables rule:
>
> -A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j
> HASH(0x8345924)->n{name}
>

Clearly, there was an extraneous 'n' in the middle of ->{name}; fixed in revision 6260.

Thanks, Steven

-Tom
On Monday 07 May 2007 00:33, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Sunday 06 May 2007 23:27, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> Two more issues with entries in the host file.
> >>>
> >>> Zones entries
> >>>
> >>> fw firewall
> >>> lan ipv4
> >>> wan ipv4
> >>>
> >>> Interface entry:
> >>>
> >>> - eth0 -
> >>>
> >>> The host file is attached.
> >>>
> >>> When this is compiled with shorewall-perl, the following error is
> >>> produced:
> >>>
> >>> Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm
> >>> line 1420.
> >>>
> >>>
> >>>
> >>> The second issue.
> >>>
> >>> If the last entry in the attached host file is commented out, the
> >>> following error is produced:
> >>>
> >>> Can't use string ("1") as a HASH ref while "strict refs" in use
> >>> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.
> >>>
> >>>
> >>> Note; if 'ipsec' is removed from the first entry in the host file,
> >>> neither error is produced.
> >>
> >> These problems seem corrected in revision 6259.
> >>
> >> Thanks, Steven,
> >>
> >> -Tom
> >
> > Tom
> >
> > The first host file configuration above with all 3 entries present,
> > generates the following iptables rule:
> >
> > -A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j
> > HASH(0x8345924)->n{name}
>
> Clearly, there was an extraneous 'n' in the middle of ->{name}; fixed in
> revision 6260.
>
> Thanks, Steven
>
> -Tom

Tom

There is also a space missing between the IP address and '-m'.

Steven.
Steven Jan Springl wrote:
> On Monday 07 May 2007 00:33, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Sunday 06 May 2007 23:27, Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> Two more issues with entries in the host file.
>>>>>
>>>>> Zones entries
>>>>>
>>>>> fw firewall
>>>>> lan ipv4
>>>>> wan ipv4
>>>>>
>>>>> Interface entry:
>>>>>
>>>>> - eth0 -
>>>>>
>>>>> The host file is attached.
>>>>>
>>>>> When this is compiled with shorewall-perl, the following error is
>>>>> produced:
>>>>>
>>>>> Not an ARRAY reference at /usr/share/shorewall-perl/Shorewall/Rules.pm
>>>>> line 1420.
>>>>>
>>>>>
>>>>>
>>>>> The second issue.
>>>>>
>>>>> If the last entry in the attached host file is commented out, the
>>>>> following error is produced:
>>>>>
>>>>> Can't use string ("1") as a HASH ref while "strict refs" in use
>>>>> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 330.
>>>>>
>>>>>
>>>>> Note; if 'ipsec' is removed from the first entry in the host file,
>>>>> neither error is produced.
>>>> These problems seem corrected in revision 6259.
>>>>
>>>> Thanks, Steven,
>>>>
>>>> -Tom
>>> Tom
>>>
>>> The first host file configuration above with all 3 entries present,
>>> generates the following iptables rule:
>>>
>>> -A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j
>>> HASH(0x8345924)->n{name}
>> Clearly, there was an extraneous 'n' in the middle of ->{name}; fixed in
>> revision 6260.
>>
>> Thanks, Steven
>>
>> -Tom
>
> Tom
>
> There is also a space missing between the IP address and '-m'.

Steven,

Sorry -- I missed that. Fixed in revision 6261.

-Tom
Good morning Tom.

Providers entry:

sjs1 1 1 main eth0 detect balance=2 none

works when compiled with shorewall-shell but produces the following messages when compiled with shorewall-perl:

Error: an IP address is expected rather than "detect"
ERROR: Command "ip route replace default scope global nexthop via detect dev eth0 weight 2" Failed

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> Providers entry:
>
> sjs1 1 1 main eth0 detect balance=2 none
>
> works when compiled with shorewall-shell but produces the following messages
> when compiled with shorewall-perl:
>
> Error: an IP address is expected rather than "detect"
> ERROR: Command "ip route replace default scope global nexthop via detect
> dev eth0 weight 2" Failed
>

Good afternoon, Steven.

This problem should be corrected in revision 6265.

Thanks!

-Tom
Tom

Interface entry:

lan eth0 detect maclist,tcpflags,nosmurfs,blacklist,norfc1918

when compiled with shorewall-perl, generates 2 calls to each of the maclist, tcpflags, nosmurfs, blacklist and norfc1918 chains from both eth0_in and eth0_fwd chains.

This can be seen in the attached iptables-restore-input.

This does not happen with the shorewall-shell compiler.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> lan eth0 detect maclist,tcpflags,nosmurfs,blacklist,norfc1918
>
> when compiled with shorewall-perl, generates 2 calls to each of the maclist,
> tcpflags, nosmurfs, blacklist and norfc1918 chains from both eth0_in and
> eth0_fwd chains.
>
> This can be seen in the attached iptables-restore-input.
>
> This does not happen with the shorewall-shell compiler.

Fixed in revision 6270. This bug was fall-out from the change that I made yesterday to correct 'maclist' in the Hosts file.

Thanks, Steven

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> Interface entry:
>>
>> lan eth0 detect maclist,tcpflags,nosmurfs,blacklist,norfc1918
>>
>> when compiled with shorewall-perl, generates 2 calls to each of the maclist,
>> tcpflags, nosmurfs, blacklist and norfc1918 chains from both eth0_in and
>> eth0_fwd chains.
>>
>> This can be seen in the attached iptables-restore-input.
>>
>> This does not happen with the shorewall-shell compiler.
>
> Fixed in revision 6270. This bug was fall-out from the change that I made
> yesterday to correct 'maclist' in the Hosts file.
>

Steven,

Please install 6272. It corrects a problem with 6270 in which the options in this entry in /etc/shorewall/interfaces were ignored:

- eth1 - tcpflags,nosmurfs,dhcp

-Tom
Tom

shorewall.conf entries:

LOGRATE=10/second
LOGBURST=10
FASTACCEPT=No

zones file

fw firewall
lan ipv4 mss=22

rules entries:

SECTION ESTABLISHED
LOG:warn lan fw tcp 21
SECTION RELATED
LOG:warn lan fw tcp 20
SECTION NEW
ACCEPT lan fw tcp 21,22

When compiled with shorewall-perl they generate the rules in attached file
iptables-perl. They look incorrect to me.

When compiled with shorewall-shell they generate the rules in attached file
iptables-shell. They look correct to me.

Steven.
Steven Jan Springl wrote:
> Tom
>
> shorewall.conf entries:
>
> LOGRATE=10/second
> LOGBURST=10
> FASTACCEPT=No
>
> zones file
> fw firewall
> lan ipv4 mss=22
>
> rules entries:
>
> SECTION ESTABLISHED
> LOG:warn lan fw tcp 21
> SECTION RELATED
> LOG:warn lan fw tcp 20
> SECTION NEW
> ACCEPT lan fw tcp 21,22
>
> When compiled with shorewall-perl they generate the rules in attached file
> iptables-perl. They look incorrect to me.
>
> When compiled with shorewall-shell they generate the rules in attached file
> iptables-shell. They look correct to me.

Steven,

revision 6275 should work better.

Thanks,
-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> shorewall.conf entries:
>>
>> LOGRATE=10/second
>> LOGBURST=10
>> FASTACCEPT=No
>>
>> zones file
>> fw firewall
>> lan ipv4 mss=22
>>
>> rules entries:
>>
>> SECTION ESTABLISHED
>> LOG:warn lan fw tcp 21
>> SECTION RELATED
>> LOG:warn lan fw tcp 20
>> SECTION NEW
>> ACCEPT lan fw tcp 21,22
>>
>> When compiled with shorewall-perl they generate the rules in attached file
>> iptables-perl. They look incorrect to me.
>>
>> When compiled with shorewall-shell they generate the rules in attached file
>> iptables-shell. They look correct to me.
>
> Steven,
>
> revision 6275 should work better.
>

I'm still working on the MSS part....

-Tom
On Tuesday 08 May 2007 01:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > shorewall.conf entries:
> >
> > LOGRATE=10/second
> > LOGBURST=10
> > FASTACCEPT=No
> >
> > zones file
> > fw firewall
> > lan ipv4 mss=22
> >
> > rules entries:
> >
> > SECTION ESTABLISHED
> > LOG:warn lan fw tcp 21
> > SECTION RELATED
> > LOG:warn lan fw tcp 20
> > SECTION NEW
> > ACCEPT lan fw tcp 21,22
> >
> > When compiled with shorewall-perl they generate the rules in attached
> > file iptables-perl. They look incorrect to me.
> >
> > When compiled with shorewall-shell they generate the rules in attached
> > file iptables-shell. They look correct to me.
>
> Steven,
>
> revision 6275 should work better.
>
> Thanks,
> -Tom

Tom

I have tried a few different things and it seems to be OK. I will test it
further tomorrow.

Steven.
On Tuesday 08 May 2007 01:59, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> shorewall.conf entries:
> >>
> >> LOGRATE=10/second
> >> LOGBURST=10
> >> FASTACCEPT=No
> >>
> >> zones file
> >> fw firewall
> >> lan ipv4 mss=22
> >>
> >> rules entries:
> >>
> >> SECTION ESTABLISHED
> >> LOG:warn lan fw tcp 21
> >> SECTION RELATED
> >> LOG:warn lan fw tcp 20
> >> SECTION NEW
> >> ACCEPT lan fw tcp 21,22
> >>
> >> When compiled with shorewall-perl they generate the rules in attached
> >> file iptables-perl. They look incorrect to me.
> >>
> >> When compiled with shorewall-shell they generate the rules in attached
> >> file iptables-shell. They look correct to me.
> >
> > Steven,
> >
> > revision 6275 should work better.
>
> I'm still working on the MSS part....
>
> -Tom

Tom

There are also the LOGRATE and LOGBURST parameters from shorewall.conf that
seem to be ignored.

Steven.
Steven Jan Springl wrote:
> On Tuesday 08 May 2007 01:59, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> shorewall.conf entries:
>>>>
>>>> LOGRATE=10/second
>>>> LOGBURST=10
>>>> FASTACCEPT=No
>>>>
>>>> zones file
>>>> fw firewall
>>>> lan ipv4 mss=22
>>>>
>>>> rules entries:
>>>>
>>>> SECTION ESTABLISHED
>>>> LOG:warn lan fw tcp 21
>>>> SECTION RELATED
>>>> LOG:warn lan fw tcp 20
>>>> SECTION NEW
>>>> ACCEPT lan fw tcp 21,22
>>>>
>>>> When compiled with shorewall-perl they generate the rules in attached
>>>> file iptables-perl. They look incorrect to me.
>>>>
>>>> When compiled with shorewall-shell they generate the rules in attached
>>>> file iptables-shell. They look correct to me.
>>> Steven,
>>>
>>> revision 6275 should work better.
>> I'm still working on the MSS part....
>>
>> -Tom
> Tom
>
> There are also the LOGRATE and LOGBURST parameters from shorewall.conf that
> seem to be ignored.

Steven,

I believe all of your reported problems are corrected in revision 6277.

Thanks!
-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Tuesday 08 May 2007 01:59, Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Steven Jan Springl wrote:
>>>>> Tom
>>>>>
>>>>> shorewall.conf entries:
>>>>>
>>>>> LOGRATE=10/second
>>>>> LOGBURST=10
>>>>> FASTACCEPT=No
>>>>>
>>>>> zones file
>>>>> fw firewall
>>>>> lan ipv4 mss=22
>>>>>
>>>>> rules entries:
>>>>>
>>>>> SECTION ESTABLISHED
>>>>> LOG:warn lan fw tcp 21
>>>>> SECTION RELATED
>>>>> LOG:warn lan fw tcp 20
>>>>> SECTION NEW
>>>>> ACCEPT lan fw tcp 21,22
>>>>>
>>>>> When compiled with shorewall-perl they generate the rules in attached
>>>>> file iptables-perl. They look incorrect to me.
>>>>>
>>>>> When compiled with shorewall-shell they generate the rules in attached
>>>>> file iptables-shell. They look correct to me.
>>>> Steven,
>>>>
>>>> revision 6275 should work better.
>>> I'm still working on the MSS part....
>>>
>>> -Tom
>> Tom
>>
>> There are also the LOGRATE and LOGBURST parameters from shorewall.conf that
>> seem to be ignored.
>
> Steven,
>
> I believe all of your reported problems are corrected in revision 6277.
>

Take that back -- I found more problems that are corrected in revision 6278.

Thanks again, Steven

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Tuesday 08 May 2007 01:59, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> shorewall.conf entries:
>>>>>>
>>>>>> LOGRATE=10/second
>>>>>> LOGBURST=10
>>>>>> FASTACCEPT=No
>>>>>>
>>>>>> zones file
>>>>>> fw firewall
>>>>>> lan ipv4 mss=22
>>>>>>
>>>>>> rules entries:
>>>>>>
>>>>>> SECTION ESTABLISHED
>>>>>> LOG:warn lan fw tcp 21
>>>>>> SECTION RELATED
>>>>>> LOG:warn lan fw tcp 20
>>>>>> SECTION NEW
>>>>>> ACCEPT lan fw tcp 21,22
>>>>>>
>>>>>> When compiled with shorewall-perl they generate the rules in attached
>>>>>> file iptables-perl. They look incorrect to me.
>>>>>>
>>>>>> When compiled with shorewall-shell they generate the rules in attached
>>>>>> file iptables-shell. They look correct to me.
>>>>> Steven,
>>>>>
>>>>> revision 6275 should work better.
>>>> I'm still working on the MSS part....
>>>>
>>>> -Tom
>>> Tom
>>>
>>> There are also the LOGRATE and LOGBURST parameters from shorewall.conf that
>>> seem to be ignored.
>> Steven,
>>
>> I believe all of your reported problems are corrected in revision 6277.
>>
>
> Take that back -- I found more problems that are corrected in revision 6278.
>
> Thanks again, Steven

One more change in revision 6279.

-Tom
On Tuesday 08 May 2007 03:45, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Tuesday 08 May 2007 01:59, Tom Eastep wrote:
> >>>> Tom Eastep wrote:
> >>>>> Steven Jan Springl wrote:
> >>>>>> Tom
> >>>>>>
> >>>>>> shorewall.conf entries:
> >>>>>>
> >>>>>> LOGRATE=10/second
> >>>>>> LOGBURST=10
> >>>>>> FASTACCEPT=No
> >>>>>>
> >>>>>> zones file
> >>>>>> fw firewall
> >>>>>> lan ipv4 mss=22
> >>>>>>
> >>>>>> rules entries:
> >>>>>>
> >>>>>> SECTION ESTABLISHED
> >>>>>> LOG:warn lan fw tcp 21
> >>>>>> SECTION RELATED
> >>>>>> LOG:warn lan fw tcp 20
> >>>>>> SECTION NEW
> >>>>>> ACCEPT lan fw tcp 21,22
> >>>>>>
> >>>>>> When compiled with shorewall-perl they generate the rules in
> >>>>>> attached file iptables-perl. They look incorrect to me.
> >>>>>>
> >>>>>> When compiled with shorewall-shell they generate the rules in
> >>>>>> attached file iptables-shell. They look correct to me.
> >>>>>
> >>>>> Steven,
> >>>>>
> >>>>> revision 6275 should work better.
> >>>>
> >>>> I'm still working on the MSS part....
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> There are also the LOGRATE and LOGBURST parameters from shorewall.conf
> >>> that seem to be ignored.
> >>
> >> Steven,
> >>
> >> I believe all of your reported problems are corrected in revision 6277.
> >
> > Take that back -- I found more problems that are corrected in revision
> > 6278.
> >
> > Thanks again, Steven
>
> One more change in revision 6279.
>
> -Tom

Good morning Tom

When LOGRATE and LOGBURST are set in shorewall.conf as above and also set on a
rule:

LOG:warn lan fw tcp 21 1000:10000 - 2:15

then an iptables rule with both sets of LOGRATEs and LOGBURSTs is generated:

-A lan2fw -p 6 --dport 21 --sport 1000:10000 -m limit --limit 2 --limit-burst 15 -m state --state ESTABLISHED -m limit --limit 10/second --limit-burst 10 -j LOG --log-level 4 --log-prefix "Shorewall:lan2fw:LOG:"

Steven.
Tom

A couple of further issues with ESTABLISHED/RELATED sections.

If FASTACCEPT=Yes is set and there are rules in the ESTABLISHED section,
shorewall-shell produces the following message:

ERROR: Entries in the ESTABLISHED SECTION of the rules file not permitted with
FASTACCEPT=Yes

shorewall-perl does not produce a message, but generates iptables rules for
the entries in the ESTABLISHED section.

The same applies to the RELATED section.

Secondly, shorewall-perl allows actions NONAT and ACCEPT+ in the
ESTABLISHED/RELATED sections, shorewall-shell does not.

Steven.
Steven Jan Springl wrote:
> Tom
>
> A couple of further issues with ESTABLISHED/RELATED sections.
>
> If FASTACCEPT=Yes is set and there are rules in the ESTABLISHED section,
> shorewall-shell produces the following message:
>
> ERROR: Entries in the ESTABLISHED SECTION of the rules file not permitted with
> FASTACCEPT=Yes
>
> shorewall-perl does not produce a message, but generates iptables rules for
> the entries in the ESTABLISHED section.
>
> The same applies to the RELATED section.
>
> Secondly, shorewall-perl allows actions NONAT and ACCEPT+ in the
> ESTABLISHED/RELATED sections, shorewall-shell does not.
>

Good afternoon, Steven.

I believe that all of your reported problems are corrected in revision 6283.

Thanks,
-Tom
On Tuesday 08 May 2007 15:17, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > A couple of further issues with ESTABLISHED/RELATED sections.
> >
> > If FASTACCEPT=Yes is set and there are rules in the ESTABLISHED section,
> > shorewall-shell produces the following message:
> >
> > ERROR: Entries in the ESTABLISHED SECTION of the rules file not permitted
> > with FASTACCEPT=Yes
> >
> > shorewall-perl does not produce a message, but generates iptables rules
> > for the entries in the ESTABLISHED section.
> >
> > The same applies to the RELATED section.
> >
> > Secondly, shorewall-perl allows actions NONAT and ACCEPT+ in the
> > ESTABLISHED/RELATED sections, shorewall-shell does not.
>
> Good afternoon, Steven.
>
> I believe that all of your reported problems are corrected in revision
> 6283.
>
> Thanks,
>
> -Tom

Tom

The problems seem to be corrected.

Steven.
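The ESTABLISHED/RELATED section checks discussed in the messages above, as an added example that is not Shorewall's own code: a small Python checker over a constructed rules file and shorewall.conf fragment (modelled on the entries Steven posted) that enforces what shorewall-shell does, so the rules the perl compiler silently compiled are reported instead. The error wording, the treatment of rules before any SECTION line as NEW, and the function names are assumptions of this example.

```python
# Added example, not Shorewall code: enforce the ESTABLISHED/RELATED section
# checks that shorewall-shell performs (the thread reports that shorewall-perl
# missed them before revision 6283).

RESTRICTED_SECTIONS = ("ESTABLISHED", "RELATED")
# Actions the shell compiler rejects inside ESTABLISHED/RELATED (from the thread).
DISALLOWED_IN_RESTRICTED = ("NONAT", "ACCEPT+")

# Constructed input modelled on the shorewall.conf entries posted in the thread.
CONF_TEXT = """\
LOGRATE=10/second
LOGBURST=10
FASTACCEPT=No
"""

# Constructed input modelled on the rules entries posted in the thread.
RULES_TEXT = """\
SECTION ESTABLISHED
LOG:warn   lan   fw   tcp   21
SECTION RELATED
LOG:warn   lan   fw   tcp   20
SECTION NEW
ACCEPT     lan   fw   tcp   21,22
"""


def parse_conf(text):
    """Parse KEY=VALUE lines of a shorewall.conf fragment into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_rules(text):
    """Yield (section, lineno, columns) for every rule line.

    Assumption of this example: rules that appear before any SECTION line
    are treated as belonging to the NEW section.
    """
    section = "NEW"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if cols[0] == "SECTION" and len(cols) > 1:
            section = cols[1]
            continue
        yield section, lineno, cols


def check_rules(rules_text, conf_text):
    """Return the errors shorewall-shell would raise; an empty list means clean."""
    conf = parse_conf(conf_text)
    fastaccept = conf.get("FASTACCEPT", "No").lower() == "yes"
    errors = []
    for section, lineno, cols in parse_rules(rules_text):
        if section not in RESTRICTED_SECTIONS:
            continue
        # The ACTION column may carry a log level and tag (LOG:warn:tag);
        # keep only the action name itself.
        action = cols[0].split(":", 1)[0]
        if fastaccept:
            errors.append(
                f"line {lineno}: Entries in the {section} SECTION of the rules "
                f"file not permitted with FASTACCEPT=Yes")
        if action in DISALLOWED_IN_RESTRICTED:
            errors.append(
                f"line {lineno}: {action} is not permitted in the {section} SECTION")
    return errors


if __name__ == "__main__":
    for err in check_rules(RULES_TEXT, CONF_TEXT) or ["no errors with FASTACCEPT=No"]:
        print(err)
    # The same rules are rejected once FASTACCEPT is switched on.
    for err in check_rules(RULES_TEXT, CONF_TEXT.replace("FASTACCEPT=No", "FASTACCEPT=Yes")):
        print(err)
```

The check is deliberately run on the parsed configuration rather than on the generated iptables-restore output: by the time the output exists, the ESTABLISHED/RELATED rules have already been emitted, which is exactly the silent behaviour reported above.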
Tom

macro.sjs:

Limit:warn:test,2,8 lan lan

Rule:

sjs/ 192.168.0.3 10.1.1.1 tcp 23

works when compiled with shorewall-shell,
but produces the following message when compiled with shorewall-perl:

ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs

Steven.
Steven Jan Springl wrote:
> Tom
>
> macro.sjs:
>
> Limit:warn:test,2,8 lan lan
>
> Rule:
>
> sjs/ 192.168.0.3 10.1.1.1 tcp 23
>
> works when compiled with shorewall-shell,
> but produces the following message when compiled with shorewall-perl:
>
> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs

Thanks, Steven

Problem is corrected in revision 6288.

-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> macro.sjs:
>>
>> Limit:warn:test,2,8 lan lan
>>
>> Rule:
>>
>> sjs/ 192.168.0.3 10.1.1.1 tcp 23
>>
>> works when compiled with shorewall-shell,
>> but produces the following message when compiled with shorewall-perl:
>>
>> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
>
> Thanks, Steven
>
> Problem is corrected in revision 6288.
>

Hello Steven,

I've just fixed a problem having to do with COMMENT and/or LOG rules in
conjunction with detecting addresses/routes at run-time. You may wish to
upgrade to revision 6303.

Thanks,
-Tom
On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> macro.sjs:
> >>
> >> Limit:warn:test,2,8 lan lan
> >>
> >> Rule:
> >>
> >> sjs/ 192.168.0.3 10.1.1.1 tcp 23
> >>
> >> works when compiled with shorewall-shell,
> >> but produces the following message when compiled with shorewall-perl:
> >>
> >> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
> >
> > Thanks, Steven
> >
> > Problem is corrected in revision 6288.
>
> Hello Steven,
>
> I've just fixed a problem having to do with COMMENT and/or LOG rules in
> conjunction with detecting addresses/routes at run-time. You may wish to
> upgrade to revision 6303.
>
> Thanks,
> -Tom

Tom

I have been following your changes. This test is based upon revision 6304.

The following rules:

COMMENT Rule Modification " --sport 22 "
ACCEPT lan fw tcp 22

generates iptables rule:

-A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "Rule Modification " --sport 22 ""

This is accepted by iptables-restore. When an iptables-save is issued, the
rule is listed as:

-A lan2fw -p tcp -m tcp --sport 22 --dport 22 -m comment --comment "Rule Modification " -j ACCEPT

Steven.
Steven Jan Springl wrote:
> On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> macro.sjs:
>>>>
>>>> Limit:warn:test,2,8 lan lan
>>>>
>>>> Rule:
>>>>
>>>> sjs/ 192.168.0.3 10.1.1.1 tcp 23
>>>>
>>>> works when compiled with shorewall-shell,
>>>> but produces the following message when compiled with shorewall-perl:
>>>>
>>>> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
>>> Thanks, Steven
>>>
>>> Problem is corrected in revision 6288.
>> Hello Steven,
>>
>> I've just fixed a problem having to do with COMMENT and/or LOG rules in
>> conjunction with detecting addresses/routes at run-time. You may wish to
>> upgrade to revision 6303.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> I have been following your changes. This test is based upon revision 6304.
>
> The following rules:
>
> COMMENT Rule Modification " --sport 22 "
> ACCEPT lan fw tcp 22
>
> generates iptables rule:
>
> -A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "Rule
> Modification " --sport 22 ""
>
> This is accepted by iptables-restore. When an iptables-save is issued, the
> rule is listed as:
>
> -A lan2fw -p tcp -m tcp --sport 22 --dport 22 -m comment --comment "Rule
> Modification " -j ACCEPT

Hmmmm -- looks like I need to disallow double quotes in COMMENT lines.

Change is in revision 6305 (Shorewall-perl only)

Thanks, Steven.

-Tom
On Wednesday 09 May 2007 19:23, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
> >> Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> Tom
> >>>>
> >>>> macro.sjs:
> >>>>
> >>>> Limit:warn:test,2,8 lan lan
> >>>>
> >>>> Rule:
> >>>>
> >>>> sjs/ 192.168.0.3 10.1.1.1 tcp 23
> >>>>
> >>>> works when compiled with shorewall-shell,
> >>>> but produces the following message when compiled with shorewall-perl:
> >>>>
> >>>> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
> >>>
> >>> Thanks, Steven
> >>>
> >>> Problem is corrected in revision 6288.
> >>
> >> Hello Steven,
> >>
> >> I've just fixed a problem having to do with COMMENT and/or LOG rules in
> >> conjunction with detecting addresses/routes at run-time. You may wish to
> >> upgrade to revision 6303.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > I have been following your changes. This test is based upon revision
> > 6304.
> >
> > The following rules:
> >
> > COMMENT Rule Modification " --sport 22 "
> > ACCEPT lan fw tcp 22
> >
> > generates iptables rule:
> >
> > -A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "Rule
> > Modification " --sport 22 ""
> >
> > This is accepted by iptables-restore. When an iptables-save is issued,
> > the rule is listed as:
> >
> > -A lan2fw -p tcp -m tcp --sport 22 --dport 22 -m comment --comment "Rule
> > Modification " -j ACCEPT
>
> Hmmmm -- looks like I need to disallow double quotes in COMMENT lines.
>
> Change is in revision 6305 (Shorewall-perl only)
>
> Thanks, Steven.
>
> -Tom

Tom

If a comment line ends with a \ followed by whitespace, e.g.

COMMENT hello \
ACCEPT lan fw tcp 22

then the following iptables rule is generated:

-A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "hello \"

which produces the following error:

iptables-restore V1.3.6: Unknown arg '--comment'

Note:
If the \ is not followed by whitespace then the following line in the rules
file is appended and the error doesn't occur.
If the \ is followed by a character other than whitespace the problem
doesn't occur either.

Steven.
Steven Jan Springl wrote:
> On Wednesday 09 May 2007 19:23, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
>>>> Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> Tom
>>>>>>
>>>>>> macro.sjs:
>>>>>>
>>>>>> Limit:warn:test,2,8 lan lan
>>>>>>
>>>>>> Rule:
>>>>>>
>>>>>> sjs/ 192.168.0.3 10.1.1.1 tcp 23
>>>>>>
>>>>>> works when compiled with shorewall-shell,
>>>>>> but produces the following message when compiled with shorewall-perl:
>>>>>>
>>>>>> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
>>>>> Thanks, Steven
>>>>>
>>>>> Problem is corrected in revision 6288.
>>>> Hello Steven,
>>>>
>>>> I've just fixed a problem having to do with COMMENT and/or LOG rules in
>>>> conjunction with detecting addresses/routes at run-time. You may wish to
>>>> upgrade to revision 6303.
>>>>
>>>> Thanks,
>>>> -Tom
>>> Tom
>>>
>>> I have been following your changes. This test is based upon revision
>>> 6304.
>>>
>>> The following rules:
>>>
>>> COMMENT Rule Modification " --sport 22 "
>>> ACCEPT lan fw tcp 22
>>>
>>> generates iptables rule:
>>>
>>> -A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "Rule
>>> Modification " --sport 22 ""
>>>
>>> This is accepted by iptables-restore. When an iptables-save is issued,
>>> the rule is listed as:
>>>
>>> -A lan2fw -p tcp -m tcp --sport 22 --dport 22 -m comment --comment "Rule
>>> Modification " -j ACCEPT
>> Hmmmm -- looks like I need to disallow double quotes in COMMENT lines.
>>
>> Change is in revision 6305 (Shorewall-perl only)
>>
>> Thanks, Steven.
>>
>> -Tom
>
> Tom
>
> If a comment line ends with a \ followed by whitespace, e.g.
>
> COMMENT hello \
> ACCEPT lan fw tcp 22
>
> then the following iptables rule is generated:
>
> -A lan2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "hello \"
>
> which produces the following error:
>
> iptables-restore V1.3.6: Unknown arg '--comment'
>
> Note:
> If the \ is not followed by whitespace then the following line in the rules
> file is appended and the error doesn't occur.
> If the \ is followed by a character other than whitespace the problem
> doesn't occur either.
>

Steven,

Revision 6308 makes such comments an error.

-Tom
On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
> Tom Eastep wrote:
> > Steven Jan Springl wrote:
> >> Tom
> >>
> >> macro.sjs:
> >>
> >> Limit:warn:test,2,8 lan lan
> >>
> >> Rule:
> >>
> >> sjs/ 192.168.0.3 10.1.1.1 tcp 23
> >>
> >> works when compiled with shorewall-shell,
> >> but produces the following message when compiled with shorewall-perl:
> >>
> >> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
> >
> > Thanks, Steven
> >
> > Problem is corrected in revision 6288.
>
> Hello Steven,
>
> I've just fixed a problem having to do with COMMENT and/or LOG rules in
> conjunction with detecting addresses/routes at run-time. You may wish to
> upgrade to revision 6303.
>
> Thanks,
> -Tom

Tom

Rules with a log tag that contain double quotes also generate iptables-restore
errors e.g.:

LOG:warn:"" lan fw tcp 22

Steven.
Steven Jan Springl wrote:
> On Wednesday 09 May 2007 18:15, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> macro.sjs:
>>>>
>>>> Limit:warn:test,2,8 lan lan
>>>>
>>>> Rule:
>>>>
>>>> sjs/ 192.168.0.3 10.1.1.1 tcp 23
>>>>
>>>> works when compiled with shorewall-shell,
>>>> but produces the following message when compiled with shorewall-perl:
>>>>
>>>> ERROR Unknown action (HASH(0x83451a4)) : /etc/shorewall/macro.sjs
>>> Thanks, Steven
>>>
>>> Problem is corrected in revision 6288.
>> Hello Steven,
>>
>> I've just fixed a problem having to do with COMMENT and/or LOG rules in
>> conjunction with detecting addresses/routes at run-time. You may wish to
>> upgrade to revision 6303.
>>
>> Thanks,
>> -Tom
> Tom
>
> Rules with a log tag that contain double quotes also generate iptables-restore
> errors e.g.:
>
> LOG:warn:"" lan fw tcp 22
>

Revision 6311 outlaws double quotes in all of the column-oriented config files
and forbids single quotes except in COMMENT lines.

-Tom
On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
> > Rules with a log tag that contain double quotes also generate iptables-restore
> > errors e.g.:
> >
> > LOG:warn:"" lan fw tcp 22
> >
>
> Revision 6311 outlaws double quotes in all of the column-oriented config
> files and forbids single quotes except in COMMENT lines.

You should probably do the same thing with backslashes and
tabs. Eyeballing the parser, that should cover all the things that
could screw up the iptables-restore format.
Andrew Suffield wrote:
> On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
>>> Rules with a log tag that contain double quotes also generate iptables-restore
>>> errors e.g.:
>>>
>>> LOG:warn:"" lan fw tcp 22
>>>
>> Revision 6311 outlaws double quotes in all of the column-oriented config
>> files and forbids single quotes except in COMMENT lines.
>
> You should probably do the same thing with backslashes and
> tabs. Eyeballing the parser, that should cover all the things that
> could screw up the iptables-restore format.

Revision 6312 outlaws backslash characters. Tabs are column separators so the
'split_line()' function in Shorewall::Config should get rid of those.

-Tom
On Wednesday 09 May 2007 22:19, Tom Eastep wrote:
> Andrew Suffield wrote:
> > On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
> >>> Rules with a log tag that contain double quotes also generate
> >>> iptables-restore errors e.g.:
> >>>
> >>> LOG:warn:"" lan fw tcp 22
> >>
> >> Revision 6311 outlaws double quotes in all of the column-oriented config
> >> files and forbids single quotes except in COMMENT lines.
> >
> > You should probably do the same thing with backslashes and
> > tabs. Eyeballing the parser, that should cover all the things that
> > could screw up the iptables-restore format.
>
> Revision 6312 outlaws backslash characters. Tabs are column separators so
> the 'split_line()' function in Shorewall::Config should get rid of those.
>
> -Tom

Tom

Another character that causes iptables-restore errors is the ` (a backwards
slanting single quote).

Steven.
Steven Jan Springl wrote:
> On Wednesday 09 May 2007 22:19, Tom Eastep wrote:
>> Andrew Suffield wrote:
>>> On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
>>>>> Rules with a log tag that contain double quotes also generate
>>>>> iptables-restore errors e.g.:
>>>>>
>>>>> LOG:warn:"" lan fw tcp 22
>>>> Revision 6311 outlaws double quotes in all of the column-oriented config
>>>> files and forbids single quotes except in COMMENT lines.
>>> You should probably do the same thing with backslashes and
>>> tabs. Eyeballing the parser, that should cover all the things that
>>> could screw up the iptables-restore format.
>> Revision 6312 outlaws backslash characters. Tabs are column separators so
>> the 'split_line()' function in Shorewall::Config should get rid of those.
>>
>> -Tom
> Tom
>
> Another character that causes iptables-restore errors is the ` (a backwards
> slanting single quote).

Added in revision 6313.

-Tom
On Thursday 10 May 2007 00:22, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Wednesday 09 May 2007 22:19, Tom Eastep wrote:
> >> Andrew Suffield wrote:
> >>> On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
> >>>>> Rules with a log tag that contain double quotes also generate
> >>>>> iptables-restore errors e.g.:
> >>>>>
> >>>>> LOG:warn:"" lan fw tcp 22
> >>>>
> >>>> Revision 6311 outlaws double quotes in all of the column-oriented
> >>>> config files and forbids single quotes except in COMMENT lines.
> >>>
> >>> You should probably do the same thing with backslashes and
> >>> tabs. Eyeballing the parser, that should cover all the things that
> >>> could screw up the iptables-restore format.
> >>
> >> Revision 6312 outlaws backslash characters. Tabs are column separators
> >> so the 'split_line()' function in Shorewall::Config should get rid of
> >> those.
> >>
> >> -Tom
> >
> > Tom
> >
> > Another character that causes iptables-restore errors is the ` (a
> > backwards slanting single quote).
>
> Added in revision 6313.
>
> -Tom

Tom

It's not working, ` characters are still allowed.

Steven.
Steven Jan Springl wrote:
> On Thursday 10 May 2007 00:22, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> On Wednesday 09 May 2007 22:19, Tom Eastep wrote:
>>>> Andrew Suffield wrote:
>>>>> On Wed, May 09, 2007 at 01:56:52PM -0700, Tom Eastep wrote:
>>>>>>> Rules with a log tag that contain double quotes also generate
>>>>>>> iptables-restore errors e.g.:
>>>>>>>
>>>>>>> LOG:warn:"" lan fw tcp 22
>>>>>> Revision 6311 outlaws double quotes in all of the column-oriented
>>>>>> config files and forbids single quotes except in COMMENT lines.
>>>>> You should probably do the same thing with backslashes and
>>>>> tabs. Eyeballing the parser, that should cover all the things that
>>>>> could screw up the iptables-restore format.
>>>> Revision 6312 outlaws backslash characters. Tabs are column separators
>>>> so the 'split_line()' function in Shorewall::Config should get rid of
>>>> those.
>>>>
>>>> -Tom
>>> Tom
>>>
>>> Another character that causes iptables-restore errors is the ` (a
>>> backwards slanting single quote).
>> Added in revision 6313.
>>
>> -Tom
>
> Tom
>
> It's not working, ` characters are still allowed.

Sorry -- fixed in revision 6314.

-Tom
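The revisions discussed above reject `"`, `\` and `` ` `` in configuration columns rather than trying to escape them, because the generated `--log-prefix "..."` argument is handed straight to iptables-restore with no escaping step in between, and tabs are consumed as column separators before they can reach a rule. The following Python is an added illustration of that front end, not Shorewall's own code: it splits one rules-file line on spaces and tabs, enforces the same character rules, and renders a LOG rule the way the thread's rejected example would have been rendered. The five-column subset of the rules file and the `Shorewall:<chain>:LOG:<tag>:` prefix layout are assumptions made for this example; the `lan2fw` chain naming is taken from the thread's own output.

```python
import re

# Characters the thread identifies as breaking iptables-restore input when they
# reach a generated rule unescaped. Tabs are not listed: they are column
# separators and never survive split_line().
FORBIDDEN = {'"': "double quote", "\\": "backslash", "`": "backtick"}

# Subset of the rules-file columns used here (assumption: the real file has
# more columns; these five are enough to render a LOG rule).
RULE_COLUMNS = 5  # ACTION SOURCE DEST PROTO DPORT

_COMMENT = re.compile(r"\s*#.*$")


def split_line(line, ncols=RULE_COLUMNS):
    """Drop a trailing '#' comment, split on runs of spaces or tabs, and pad
    missing trailing columns with '-'. Returns None for blank/comment lines."""
    body = _COMMENT.sub("", line).strip()
    if not body:
        return None
    cols = re.split(r"[ \t]+", body)
    if len(cols) > ncols:
        raise ValueError(f"too many columns ({len(cols)} > {ncols}): {line!r}")
    return cols + ["-"] * (ncols - len(cols))


def check_columns(cols, in_comment=False):
    """Reject the forbidden characters outright; single quotes are tolerated
    only in COMMENT lines, as the thread describes. Returns cols unchanged."""
    for col in cols:
        for ch, name in FORBIDDEN.items():
            if ch in col:
                raise ValueError(f"{name} not allowed: {col!r}")
        if "'" in col and not in_comment:
            raise ValueError(f"single quote only allowed in COMMENT lines: {col!r}")
    return cols


def parse_log_action(action):
    """'LOG:level[:tag]' -> (level, tag); tag is '' when absent."""
    parts = action.split(":")
    if parts[0] != "LOG" or len(parts) not in (2, 3):
        raise ValueError(f"not a LOG action: {action!r}")
    return parts[1], (parts[2] if len(parts) == 3 else "")


def render_log_rule(chain, level, tag, proto, dport):
    """Render one iptables-restore line. The prefix is wrapped in double quotes
    by the generator, which is exactly why the tag must be free of quotes,
    backslashes and backticks: nothing on this path escapes them.
    (The 'Shorewall:<chain>:LOG:<tag>:' layout is an assumption.)"""
    prefix = f"Shorewall:{chain}:LOG:" + (f"{tag}:" if tag else "")
    return (f"-A {chain} -p {proto} --dport {dport} "
            f'-j LOG --log-level {level} --log-prefix "{prefix}"')


def compile_log_rule(line):
    """Full path for one rules-file line: split, validate, parse, render.
    Returns None for a blank or comment-only line."""
    cols = split_line(line)
    if cols is None:
        return None
    action, source, dest, proto, dport = check_columns(
        cols, in_comment=(cols[0] == "COMMENT"))
    level, tag = parse_log_action(action)
    chain = f"{source}2{dest}"  # <zone>2<zone> chain name, as in the thread's lan2fw
    return render_log_rule(chain, level, tag, proto, dport)


def validate(line):
    """Return the rejection message for a bad line, or None if it compiles."""
    try:
        compile_log_rule(line)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `validate('LOG:warn:"" lan fw tcp 22')` yields a "double quote not allowed" message at compile time instead of an iptables-restore failure at load time; the same line with a clean tag (and tabs between the columns) compiles to a single quoted `--log-prefix` argument.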
Tom

Rule:

Limit:none:sjs,x,y lan fw tcp 22

produces the following message:

Argument "x" isn't numeric in addition (+) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 595.

and generates the following iptables entry:

-A %Limit -m recent --name sjs --update --seconds y --hitcount 1 -j %Limit%

Steven.
Tom

When the rules file contains just:

SECTION

the following errors are produced:

Use of uninitialized value in hash element at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1265, <$currentfile> line 14.

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1265, <$currentfile> line 14.

ERROR: Invalid SECTION : /etc/shorewall/rules ( line 14 )

Steven.
Tom

When the rules file contains:

ACCEPT lan $FW tcp 21
SECTION RELATED
ACCEPT lan $FW tcp 20

shorewall-shell produces message:

ERROR: Duplicate or out of order SECTION RELATED

shorewall-perl generates the following iptables rules:

-A lan2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A lan2fw -p 6 --dport 21 -j ACCEPT
-A lan2fw -m state --state ESTABLISHED -j ACCEPT
-A lan2fw -p 6 --dport 20 -m state --state RELATED -j ACCEPT
-A lan2fw -j LOG --log-level warn --log-prefix "Shorewall:lan2fw:DROP:"
-A lan2fw -j DROP

Steven.
Tom

Placing a COMMENT line in the policy file produces the following errors:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Policy.pm line 145, <$currentfile> line 13.

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Policy.pm line 146, <$currentfile> line 13.

ERROR: Undefined zone COMMENT : /etc/shorewall/policy ( line 13 )

Steven.
Steven Jan Springl wrote:
> Tom
>
> Placing a COMMENT line in the policy file produces the following errors:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Policy.pm line 145, <$currentfile>
> line 13.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall-perl/Shorewall/Policy.pm line 146, <$currentfile>
> line 13.
>
> ERROR: Undefined zone COMMENT : /etc/shorewall/policy ( line 13 )

Good afternoon Steven,

I believe all of your reported problems to be fixed in revision 6317.

-Tom
On Thursday 10 May 2007 16:32, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Placing a COMMENT line in the policy file produces the following errors:
> >
> > Use of uninitialized value in string eq
> > at /usr/share/shorewall-perl/Shorewall/Policy.pm line 145, <$currentfile>
> > line 13.
> >
> > Use of uninitialized value in string eq
> > at /usr/share/shorewall-perl/Shorewall/Policy.pm line 146, <$currentfile>
> > line 13.
> >
> > ERROR: Undefined zone COMMENT : /etc/shorewall/policy ( line 13 )
>
> Good afternoon Steven,
>
> I believe all of your reported problems to be fixed in revision 6317.
>
> -Tom

Good morning Tom.

That has fixed the problems that I reported today.

However shorewall-perl accepts the following rules:

ACCEPT lan $FW tcp 22
SECTION NEW
ACCEPT lan $FW tcp 21

Shorewall-shell produces the following message:

Duplicate or out of order SECTION NEW.

There is also the issue that I reported last night with the following rule:

Limit:none:sjs,x,y lan fw tcp 22

produces the following message:

Argument "x" isn't numeric in addition (+) at /usr/share/shorewall-perl/Shorewall/Actions.pm line 595.

and generates the following iptables entry:

-A %Limit -m recent --name sjs --update --seconds y --hitcount 1 -j %Limit%

Steven.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
Steven Jan Springl wrote:
> On Thursday 10 May 2007 16:32, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Placing a COMMENT line in the policy file produces the following errors:
>>>
>>> Use of uninitialized value in string eq
>>> at /usr/share/shorewall-perl/Shorewall/Policy.pm line 145, <$currentfile>
>>> line 13.
>>>
>>> Use of uninitialized value in string eq
>>> at /usr/share/shorewall-perl/Shorewall/Policy.pm line 146, <$currentfile>
>>> line 13.
>>>
>>> ERROR: Undefined zone COMMENT : /etc/shorewall/policy ( line 13 )
>> Good afternoon Steven,
>>
>> I believe all of your reported problems to be fixed in revision 6317.
>>
>> -Tom
>
> Good morning Tom.
>
> That has fixed the problems that I reported today.
>
> However shorewall-perl accepts the following rules:
>
> ACCEPT lan $FW tcp 22
> SECTION NEW
> ACCEPT lan $FW tcp 21
>
> Shorewall-shell produces the following message:
>
> Duplicate or out of order SECTION NEW.

Fixed in revision 6318.

> There is also the issue that I reported last night with the following rule:
>
> Limit:none:sjs,x,y lan fw tcp 22
>
> produces the following message:
>
> Argument "x" isn't numeric in addition (+)
> at /usr/share/shorewall-perl/Shorewall/Actions.pm line 595.
>
> and generates the following iptables entry:
>
> -A %Limit -m recent --name sjs --update --seconds y --hitcount 1 -j %Limit%

This is also fixed in revision 6318. Note, however, that the diagnostic message doesn't include the file name and line number of the erroneous rule; in the current implementation (both compilers), the parameters to an action aren't examined until the action chain(s) are being generated.

-Tom
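The reports in this part of the thread (a bare `SECTION` line, a `SECTION RELATED` or `SECTION NEW` header appearing after rules have already been accepted, and a `Limit` action whose rate and interval are not numbers) are all things a rules-file front end can catch at parse time, where, unlike the action-chain generation stage Tom mentions, the file name and line number are still known. The Python below is an added example, not Shorewall's code, of such a front end. Two assumptions are made from the thread's own diagnostics: rules that appear before any `SECTION` header count as being in the NEW section (which is why shorewall-shell reports the later header as duplicate or out of order), and the `Limit` parameters are `name,rate,seconds` (inferred from the generated `--name sjs ... --seconds y` rule, where `x` was used in an addition). The `/etc/shorewall/rules` path is a default used only for the message.

```python
import re

SECTIONS = ("ESTABLISHED", "RELATED", "NEW")   # the only legal order
_COMMENT = re.compile(r"\s*#.*$")


class RulesError(Exception):
    """Compiler-style diagnostic carrying the file and line it came from."""


def _fail(path, lineno, msg):
    raise RulesError(f"ERROR: {msg} : {path} ( line {lineno} )")


def parse_limit(action):
    """'Limit[:level]:name,rate,seconds' -> (name, rate, seconds).

    The two numeric parameters are checked here instead of being fed to an
    addition later. Raises ValueError on malformed input."""
    parts = action.split(":")
    if parts[0] != "Limit" or len(parts) not in (2, 3):
        raise ValueError(f"malformed Limit action {action!r}")
    params = parts[-1].split(",")
    if len(params) != 3:
        raise ValueError(f"Limit needs name,rate,seconds: {action!r}")
    name, rate, seconds = params
    for label, value in (("rate", rate), ("seconds", seconds)):
        if not re.fullmatch(r"[1-9][0-9]*", value):
            raise ValueError(
                f"Limit {label} {value!r} is not a positive integer in {action!r}")
    return name, int(rate), int(seconds)


def parse_rules(lines, path="/etc/shorewall/rules"):
    """Parse a rules file into a list of (section, lineno, columns, limit).

    SECTION headers must appear in ESTABLISHED, RELATED, NEW order, each at
    most once. A rule seen before any header implicitly opens the NEW section
    (assumption drawn from the thread), so any later SECTION line is then a
    duplicate or out of order. Errors carry the file name and line number."""
    current = None          # index into SECTIONS; None until a section opens
    rules = []
    for lineno, raw in enumerate(lines, 1):
        body = _COMMENT.sub("", raw).strip()
        if not body:
            continue
        cols = re.split(r"[ \t]+", body)
        if cols[0] == "SECTION":
            if len(cols) != 2 or cols[1] not in SECTIONS:
                _fail(path, lineno, ("Invalid SECTION " + " ".join(cols[1:])).rstrip())
            idx = SECTIONS.index(cols[1])
            if current is not None and idx <= current:
                _fail(path, lineno, f"Duplicate or out of order SECTION {cols[1]}")
            current = idx
            continue
        if current is None:
            current = SECTIONS.index("NEW")
        limit = None
        if cols[0].split(":")[0] == "Limit":
            try:
                limit = parse_limit(cols[0])
            except ValueError as exc:
                _fail(path, lineno, str(exc))   # file and line are known here
        rules.append((SECTIONS[current], lineno, cols, limit))
    return rules


def check_rules(lines, path="/etc/shorewall/rules"):
    """Return the diagnostic string for a bad file, or None if it parses."""
    try:
        parse_rules(lines, path)
    except RulesError as exc:
        return str(exc)
    return None
```

Fed the three-line file from the report above, `check_rules` returns "ERROR: Duplicate or out of order SECTION RELATED : /etc/shorewall/rules ( line 2 )", and the `Limit:none:sjs,x,y` rule is refused with the offending parameter and its line number rather than a Perl warning from deep inside chain generation.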
Tom

When interface eth0 has option dhcp set, the following iptables rules are generated by shorewall-shell (udp 67,68 are allowed on eth0_in & eth0_out):

-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -j all2all
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_out -j all2all

however when compiled with shorewall-perl, the following iptables rules are generated (udp 67,68 are allowed on eth0_fwd & eth0_in):

-A eth0_fwd -m state --state NEW,INVALID -j dynamic
-A eth0_fwd -p udp --dport 67:68 -j ACCEPT
-A eth0_in -m state --state NEW,INVALID -j dynamic
-A eth0_in -p udp --dport 67:68 -j ACCEPT
-A eth0_in -j all2all
-A eth0_out -j all2all

Note: the policy for all2all is DROP.

Steven.
Steven Jan Springl wrote:
> Tom
>
> When interface eth0 has option dhcp set, the following iptables rules are
> generated by shorewall-shell (udp 67,68 are allowed on eth0_in & eth0_out):
>
> -A eth0_fwd -m state --state INVALID,NEW -j dynamic
> -A eth0_in -m state --state INVALID,NEW -j dynamic
> -A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
> -A eth0_in -j all2all
> -A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
> -A eth0_out -j all2all
>
> however when compiled with shorewall-perl, the following iptables rules are
> generated (udp 67,68 are allowed on eth0_fwd & eth0_in):
>
> -A eth0_fwd -m state --state NEW,INVALID -j dynamic
> -A eth0_fwd -p udp --dport 67:68 -j ACCEPT
> -A eth0_in -m state --state NEW,INVALID -j dynamic
> -A eth0_in -p udp --dport 67:68 -j ACCEPT
> -A eth0_in -j all2all
> -A eth0_out -j all2all
>
> Note: the policy for all2all is DROP.

Corrected in revision 6322.

Thanks, Steven.

-Tom
Good morning Tom

Shorewall-shell generates iptables rule:

-A logreject -j reject

while shorewall-perl generates iptables rule:

-A logreject -j REJECT

Steven.
Steven Jan Springl wrote:
> Good morning Tom
>
> Shorewall-shell generates iptables rule:
>
> -A logreject -j reject
>
> while shorewall-perl generates iptables rule:
>
> -A logreject -j REJECT

Hi Steven,

Please try revision 6330.

-Tom
On Saturday 12 May 2007 01:37, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Good morning Tom
> >
> > Shorewall-shell generates iptables rule:
> >
> > -A logreject -j reject
> >
> > while shorewall-perl generates iptables rule:
> >
> > -A logreject -j REJECT
>
> Hi Steven,
>
> Please try revision 6330.
>
> -Tom

Good morning Tom

That's fixed it.

Steven.
Steven Jan Springl wrote:
> On Saturday 12 May 2007 01:37, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Good morning Tom
>>>
>>> Shorewall-shell generates iptables rule:
>>>
>>> -A logreject -j reject
>>>
>>> while shorewall-perl generates iptables rule:
>>>
>>> -A logreject -j REJECT
>> Hi Steven,
>>
>> Please try revision 6330.
>>
>> -Tom
> Good morning Tom
>
> That's fixed it.

Thanks, Steven

-Tom
Tom

Testing revision 6332.

Rule:

sjs/ lan wan

macro:sjs

sjs1\
REDIRECT - -

produces the following errors:

Use of uninitialized value in bitwise and (&) at /usr/share/shorewall-perl/Shorewall/Rules.pm line 807, <$currentfile> line 366.

Use of uninitialized value in bitwise and (&) at /usr/share/shorewall-perl/Shorewall/Rules.pm line 808, <$currentfile> line 366.

ERROR: Invalid Action (sjs1REDIRECT) in macro : /etc/shorewall/macro.sjs ( line 366 )

Steven.
Steven Jan Springl wrote:
> Tom
>
> Testing revision 6332.
>
> Rule:
>
> sjs/ lan wan
>
> macro:sjs
>
> sjs1\
> REDIRECT - -
>
> produces the following errors:
>
> Use of uninitialized value in bitwise and (&)
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 807, <$currentfile> line
> 366.
>
> Use of uninitialized value in bitwise and (&)
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 808, <$currentfile> line
> 366.
>
> ERROR: Invalid Action (sjs1REDIRECT) in macro : /etc/shorewall/macro.sjs (
> line 366 )

Hi Steven,

The uninitialized value errors are eliminated in revision 6333.

-Tom