I've uploaded Beta 6.
Problems corrected in 4.0.0 Beta 6.
1) With Shorewall-perl, an invalid DISPOSITION in an
/etc/shorewall/maclist entry would cause Perl error messages to be
issued.
2) Shorewall-perl now catches invalid interface names in the
/etc/shorewall/routestopped file.
3) DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport'
zones. Those zones themselves may not be dynamically modified but
the presence of bport zones no longer causes the 'shorewall add'
command to fail.
Other changes in Shorewall 4.0.0 Beta 6
1) When a Shorewall release includes detection of an additional
capability, existing capabilities files become out of
date. Previously, this condition was not detected.
Beginning with this release, each generated capabilities file
contains a CAPVERSION specification which defines the capabilities
version of the file. If the CAPVERSION in a capabilities file is
less than the current CAPVERSION, then Shorewall will issue the
following message:
WARNING: <file> is out of date -- it does not contain all of
the capabilities defined by Shorewall version <version>
where
<file> is the name of the capabilities file.
<version> is the current Shorewall version.
Existing capabilities files contain no CAPVERSION. When such a file
is read, Shorewall will issue this message:
WARNING: <file> may not contain all of the capabilities defined
by Shorewall version <version>
2) When a directory is specified in a command such as 'start' or
'compile', Shorewall now reads the shorewall.conf file (if any) in
that directory before deciding which compiler to use. So if
SHOREWALL_COMPILER is not specified in
/etc/shorewall/shorewall.conf and the -C option was not specified
on the run-line, then if both Shorewall-shell and Shorewall-perl
are installed, the additional shorewall.conf file is read to see if
it specifies a SHOREWALL_COMPILER.
3) Previously, Shorewall-perl read /etc/protocols and /etc/services
during compiler startup to build internal protocol and service
tables. This had a fixed cost of up to one half second or more,
depending on the speed of the system and the distribution
(The /etc/services released with OpenSuSE 10.2 is over 14,000
lines!!) These tables are now initialized by the Perl compiler
which speeds up compilation considerably.
During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.
To re-generate the module from those two files:
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm
Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.
Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
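The CAPVERSION rule described in item 1 above, written out as an added example in POSIX sh (this is not Shorewall's own code). It reads a capabilities file, looks for the CAPVERSION line, and issues the same two warnings the release notes give, returning a distinct status for each case so a wrapper script can refuse to compile against a stale file. Assumptions: the capabilities file holds one NAME=VALUE line per capability (the format `shorewall show -f capabilities` writes), and the CAPVERSION value 40000 is a made-up number for the demonstration; the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Checks a capabilities file for
# the CAPVERSION marker introduced in 4.0.0 Beta 6.
# Assumption: the file holds one NAME=VALUE line per capability, plus an
# optional CAPVERSION=<number> line; the numbers used below are made up.

# Print the CAPVERSION recorded in file $1, or nothing if the file has none.
capfile_version() {
    sed -n 's/^CAPVERSION=\([0-9][0-9]*\).*$/\1/p' "$1" | head -n 1
}

# capfile_status FILE CURRENT_CAPVERSION SHOREWALL_VERSION
# Exit status: 0 = file is current, 1 = out of date, 2 = no CAPVERSION,
# 3 = file missing or unreadable. Warnings use the release-notes wording.
capfile_status() {
    file=$1 current=$2 version=$3
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read capabilities file $file" >&2
        return 3
    fi
    found=$(capfile_version "$file")
    if [ -z "$found" ]; then
        echo "WARNING: $file may not contain all of the capabilities defined by Shorewall version $version" >&2
        return 2
    fi
    if [ "$found" -lt "$current" ]; then
        echo "WARNING: $file is out of date -- it does not contain all of the capabilities defined by Shorewall version $version" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed files: one written before Beta 6 (no
# CAPVERSION) and one written by Beta 6.
DEMO_DIR=$(mktemp -d)
printf 'NAT_ENABLED=Yes\nMANGLE_ENABLED=Yes\n' > "$DEMO_DIR/capabilities.old"
printf 'NAT_ENABLED=Yes\nMANGLE_ENABLED=Yes\nCAPVERSION=40000\n' > "$DEMO_DIR/capabilities.new"
for f in "$DEMO_DIR/capabilities.old" "$DEMO_DIR/capabilities.new"; do
    rc=0
    capfile_status "$f" 40000 4.0.0-Beta6 || rc=$?
    echo "$f: status $rc"
done
```

When the status is 1 or 2, regenerate the file on the firewall host (the Shorewall-lite documentation's way is `shorewall show -f capabilities > /etc/shorewall/capabilities`; check the command against your release) and recompile, rather than compiling against a file that may hide capabilities the new rules depend on.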
Good morning Tom.

I am trying to test Shorewall with iptables 1.3.8. I have installed
iptables, iptables-restore and iptables-save in /usr/local/sbin

I can tell Shorewall where to locate iptables using the IPTABLES parameter
in shorewall.conf. Is there a way of telling Shorewall where to look for
iptables-restore and iptables-save.

Steven.
On Monday 25 June 2007 15:19, Steven Jan Springl wrote:
> Good morning Tom.
>
> I am trying to test Shorewall with iptables 1.3.8. I have installed
> iptables, iptables-restore and iptables-save in /usr/local/sbin
>
> I can tell Shorewall where to locate iptables using the IPTABLES parameter
> in shorewall.conf. Is there a way of telling Shorewall where to look for
> iptables-restore and iptables-save.
>
> Steven.

Tom

Forget it. I have found it myself.

Steven.
Steven Jan Springl wrote:
> On Monday 25 June 2007 15:19, Steven Jan Springl wrote:
>> Good morning Tom.
>>
>> I am trying to test Shorewall with iptables 1.3.8. I have installed
>> iptables, iptables-restore and iptables-save in /usr/local/sbin
>>
>> I can tell Shorewall where to locate iptables using the IPTABLES parameter
>> in shorewall.conf. Is there a way of telling Shorewall where to look for
>> iptables-restore and iptables-save.
>>
>> Steven.
>
> Tom
>
> Forget it. I have found it myself.

I've just checked in 6669 which sets the name of the iptables-restore
utility based on the setting of IPTABLES.

-Tom
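The derivation Tom describes for revision 6669, shown as an added example in POSIX sh (not Shorewall's code): the iptables-restore and iptables-save paths are formed from the IPTABLES setting instead of being searched for separately, and the check fails closed when either sibling is missing rather than silently pairing a locally built iptables with a distribution-packaged restore tool found elsewhere on PATH. The stand-in binaries in the demonstration are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Derive iptables-restore and
# iptables-save from the IPTABLES setting and fail closed if the set is
# incomplete, so a 1.3.8 iptables in /usr/local/sbin is never paired with
# a different iptables-restore found elsewhere on PATH.

# Resolve the IPTABLES value to a path: a bare name is looked up on PATH.
resolve_iptables() {
    case $1 in
        */*) printf '%s\n' "$1" ;;
        *)   command -v "$1" ;;
    esac
}

# sibling_tool IPTABLES_PATH SUFFIX -> /same/dir/iptables-SUFFIX
sibling_tool() {
    printf '%s-%s\n' "$1" "$2"
}

# check_iptables_set IPTABLES_SETTING
# Prints the three resolved paths (iptables, -restore, -save) on success;
# returns 1 if any of them is missing or not executable.
check_iptables_set() {
    ipt=$(resolve_iptables "$1") || ipt=
    if [ -z "$ipt" ] || [ ! -x "$ipt" ]; then
        echo "ERROR: IPTABLES=$1 is not an executable" >&2
        return 1
    fi
    status=0
    echo "$ipt"
    for suffix in restore save; do
        tool=$(sibling_tool "$ipt" "$suffix")
        if [ -x "$tool" ]; then
            echo "$tool"
        else
            echo "ERROR: $tool not found next to $ipt" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration with constructed stand-ins for the real binaries.
DEMO_DIR=$(mktemp -d)
for name in iptables iptables-restore iptables-save; do
    printf '#!/bin/sh\nexit 0\n' > "$DEMO_DIR/$name"
    chmod 755 "$DEMO_DIR/$name"
done
check_iptables_set "$DEMO_DIR/iptables"          # complete set: all three paths
rm "$DEMO_DIR/iptables-save"
check_iptables_set "$DEMO_DIR/iptables" || echo "refused: incomplete set"
```

The point of refusing rather than falling back is that iptables-restore parses the ruleset the compiler produced for the matching iptables version; a mismatched pair can reject or silently misinterpret rules, which is exactly the situation a test install in /usr/local/sbin invites.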
On Monday 25 June 2007 18:04, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Monday 25 June 2007 15:19, Steven Jan Springl wrote:
> >> Good morning Tom.
> >>
> >> I am trying to test Shorewall with iptables 1.3.8. I have installed
> >> iptables, iptables-restore and iptables-save in /usr/local/sbin
> >>
> >> I can tell Shorewall where to locate iptables using the IPTABLES
> >> parameter in shorewall.conf. Is there a way of telling Shorewall where
> >> to look for iptables-restore and iptables-save.
> >>
> >> Steven.
> >
> > Tom
> >
> > Forget it. I have found it myself.
>
> I've just checked in 6669 which sets the name of the iptables-restore
> utility based on the setting of IPTABLES.
>
> -Tom

Tom

Good idea. I always thought the old way was inconsistent.

Both R6669 & 6670 are working.

Steven.
Steven Jan Springl wrote:
>
> Good idea. I always thought the old way was inconsistent.
>
> Both R6669 & 6670 are working.

Thanks, Steven

-Tom
Tom

'shorewall add' command with an invalid IP address:

shorewall add eth0:192.168.1.555 lan

produces the following messages:

iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan
iptables v1.3.8: host/network `192.168.1.555' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Can't add eth0:192.168.1.555 to zone lan

but still adds 'eth0:192.168.1.555' to /var/lib/shorewall/zones:

fw firewall
p1 bport4:br0 eth0:192.168.0.0/16 exclude eth0:192.168.1.1
p3 ipv4
dmz ipv4 eth2:0.0.0.0/0
p2 bport4:br0 eth1:0.0.0.0/0
lan ipv4 br0:0.0.0.0/0 +eth0:192.168.1.555

Steven.
Steven Jan Springl wrote:
> Tom
>
> 'shorewall add' command with an invalid IP address:
>
> shorewall add eth0:192.168.1.555 lan
>
> produces the following messages:
>
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
> iptables v1.3.8: host/network `192.168.1.555' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Can't add eth0:192.168.1.555 to zone lan
>
> but still adds 'eth0:192.168.1.555' to /var/lib/shorewall/zones:

Steven,

That's day-one behavior for the 'add' command and I don't intend to change it.

I consider the current dynamic zones implementation to be a stop-gap
measure until ipsets are in the standard distributions. Although the
bogus entry gets added to /var/lib/shorewall/zones, a corresponding
'delete' command will remove it again (while generating many more
iptables errors).

Thanks,
-Tom
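What Steven ran into is an input-validation gap: the address is handed to iptables unchecked and, after iptables rejects it, is still recorded in the state file. As an added example (not Shorewall's code, and not a change Tom committed), here is a POSIX sh validation of the INTERFACE:ADDRESS argument that rejects eth0:192.168.1.555 before anything is executed or written. It is IPv4-only; the interface-name alphabet, the rejection of leading-zero octets, and the simplified one-line-per-host state file in the demonstration are assumptions made for this example, and the iptables invocation that would sit between validation and the state-file write is left out.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Validates the INTERFACE:ADDRESS
# argument of 'shorewall add' before it reaches iptables or the zones state
# file. IPv4 only; the interface-name alphabet and the one-line-per-host
# state format used in the demo are assumptions made for this example.

# valid_ipv4 ADDR: dotted quad, four octets, each 0..255, no empty fields.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # safe: the case above left only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in 0?*) return 1 ;; esac   # "010" is read as octal by inet_aton
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_ipv4_net SPEC: ADDR or ADDR/PREFIX with PREFIX in 0..32.
valid_ipv4_net() {
    case $1 in
        */*/*) return 1 ;;
        */*)
            prefix=${1#*/}
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
            valid_ipv4 "${1%%/*}" ;;
        *)  valid_ipv4 "$1" ;;
    esac
}

# valid_host_spec INTERFACE:ADDRESS[/PREFIX]
# Interface names are limited to [A-Za-z0-9_.-] (assumed alphabet), which
# also keeps shell metacharacters out of anything later passed to iptables.
valid_host_spec() {
    case $1 in
        *:*) ;;
        *)   return 1 ;;
    esac
    iface=${1%%:*}
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    valid_ipv4_net "${1#*:}"
}

# add_dynamic_host SPEC ZONE STATE_FILE
# Validate first; only a spec that passed is recorded, so a bad address
# never lands in the state file. The iptables call is omitted here.
add_dynamic_host() {
    if ! valid_host_spec "$1"; then
        echo "ERROR: invalid host specification '$1' (not added to zone $2)" >&2
        return 1
    fi
    printf '%s +%s\n' "$2" "$1" >> "$3"
}

# Demonstration against a constructed state file.
DEMO_STATE=$(mktemp)
add_dynamic_host eth0:192.168.1.55 lan "$DEMO_STATE"
add_dynamic_host eth0:192.168.1.555 lan "$DEMO_STATE" || echo "rejected as expected"
add_dynamic_host eth0:192.168.1.0/24 lan "$DEMO_STATE"
cat "$DEMO_STATE"
```

Validating before the first side effect is what makes the 'delete' clean-up Tom mentions unnecessary for typos; it also means a stale or malformed entry can never be replayed from the state file on a later restore.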