DI Roman Fiedler
2007-Aug-29 07:34 UTC
Running shorewall with two different configurations on same host.
Hi everyone,

I'm trying to set up a host with two shorewall configs,
/etc/shorewall/active and /etc/shorewall/passive

When I call
    /sbin/shorewall check /etc/shorewall/active
I get
    /etc/shorewall/shorewall.conf does not exist!

The same for:
    /sbin/shorewall -vv restart /etc/shorewall/active
    /etc/shorewall/shorewall.conf does not exist!

When I do a
    export CONFIG_PATH=/etc/shorewall/active
before invoking /sbin/shorewall check /etc/shorewall/active it works.

roman.fiedler@telbiomed.at

Did I make some kind of operating error? Has someone already used this,
tested this?

Next problem is how to include param subfiles relative to the
configuration directory.

I tried to put
    . $(find_file params-dns)
into my /etc/shorewall/active/params, which caused
    /etc/init.d/shorewall restart
    /etc/shorewall/active/params: 250: find_file: not found

Now I use something else that works:
    . $CONFIGDIR/params-dns

But is this the correct method to do it? I suspect that I could run
into regression problems when updating, so which method is recommended?

Thanks in advance!
Roberto C. Sánchez
2007-Aug-29 07:41 UTC
Re: Running shorewall with two different configurations on same host.
On Wed, Aug 29, 2007 at 09:34:51AM +0200, DI Roman Fiedler wrote:
> Hi everyone,
>
> I'm trying to set up a host with two shorewall configs,
> /etc/shorewall/active and /etc/shorewall/passive
>
> When I call
>     /sbin/shorewall check /etc/shorewall/active
> I get
>     /etc/shorewall/shorewall.conf does not exist!
>
> The same for:
>     /sbin/shorewall -vv restart /etc/shorewall/active
>     /etc/shorewall/shorewall.conf does not exist!
>
> When I do a
>     export CONFIG_PATH=/etc/shorewall/active
> before invoking /sbin/shorewall check /etc/shorewall/active it works.
>
> roman.fiedler@telbiomed.at
>
> Did I make some kind of operating error? Has someone already used this,
> tested this?
>

shorewall(8) says:

    -c directory

    Look for configuration files in directory instead of /etc/shorewall.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
DI Roman Fiedler
2007-Aug-29 08:25 UTC
Re: Running shorewall with two different configurations on same host.
Yes, the -c works for me (also file inclusion with ". $(find_file
params-dns) " is ok).

Thanks Roberto!

PS: Perhaps one of the shorewall developers could correct the usage line
1280 in
https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
to include the -c option, currently

    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"

It seems that this option is applicable to all commands but I'm not sure
about that.

Apart from that "shorewall version" does not want to show the version
when /etc/shorewall does not exist, which is a little unexpected. You
have to use
    # /sbin/shorewall -c /etc/shorewall/passive version
    3.2.6

> On Wed, Aug 29, 2007 at 09:34:51AM +0200, DI Roman Fiedler wrote:
>
>> Hi everyone,
>>
>> I'm trying to set up a host with two shorewall configs,
>> /etc/shorewall/active and /etc/shorewall/passive
>>
>> When I call
>>     /sbin/shorewall check /etc/shorewall/active
>> I get
>>     /etc/shorewall/shorewall.conf does not exist!
>>
>> The same for:
>>     /sbin/shorewall -vv restart /etc/shorewall/active
>>     /etc/shorewall/shorewall.conf does not exist!
>>
>> When I do a
>>     export CONFIG_PATH=/etc/shorewall/active
>> before invoking /sbin/shorewall check /etc/shorewall/active it works.
>>
>> roman.fiedler@telbiomed.at
>>
>> Did I make some kind of operating error? Has someone already used this,
>> tested this?
>>
>
> shorewall(8) says:
>
>     -c directory
>
>     Look for configuration files in directory instead of /etc/shorewall.
>
> Regards,
>
> -Roberto
Roberto C. Sánchez
2007-Aug-29 08:50 UTC
Re: Running shorewall with two different configurations on same host.
On Wed, Aug 29, 2007 at 10:25:27AM +0200, DI Roman Fiedler wrote:
> Yes, the -c works for me (also file inclusion with ". $(find_file
> params-dns) " is ok).
>
> Thanks Roberto!
>

Glad to hear it.

>
> PS: Perhaps one of the shorewall developers could correct the usage line
> 1280 in
> https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
> to include the -c option, currently
>
>     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
>
> It seems that this option is applicable to all commands but I'm not sure
> about that.
>

Interesting. I think that you are right. However, I will defer to Tom
on this. I am not sure if there is a reason for the usage messages to
be specified the way that they are.

Tom, if you end up deciding to change this, please let me know and I
will make the change in 3.4 and/or 3.2.

> Apart from that "shorewall version" does not want to show the version
> when /etc/shorewall does not exist, which is a little unexpected. You
> have to use
>     # /sbin/shorewall -c /etc/shorewall/passive version
>     3.2.6
>

This is corrected in the 3.4 and 4.0 branches. Basically, in shorewall
3.2, the configuration files were identified before the commands were
processed. So, it did not matter what command you wanted to run, it
would error out if at least a minimal configuration did not exist.

Regards,

-Roberto

P.S. Please don't top post.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep
2007-Aug-29 13:47 UTC
Re: Running shorewall with two different configurations on same host.
DI Roman Fiedler wrote:
> Hi everyone,
>
> I'm trying to set up a host with two shorewall configs,
> /etc/shorewall/active and /etc/shorewall/passive
>
> When I call
>     /sbin/shorewall check /etc/shorewall/active
> I get
>     /etc/shorewall/shorewall.conf does not exist!
>
> The same for:
>     /sbin/shorewall -vv restart /etc/shorewall/active
>     /etc/shorewall/shorewall.conf does not exist!
>
> When I do a
>     export CONFIG_PATH=/etc/shorewall/active
> before invoking /sbin/shorewall check /etc/shorewall/active it works.
>
> roman.fiedler@telbiomed.at
>
> Did I make some kind of operating error? Has someone already used this,
> tested this?

Just because you have multiple configurations does not mean that you can
arbitrarily remove /etc/shorewall/shorewall.conf. For a number of
reasons, Shorewall requires that file to exist. Both
/etc/shorewall/shorewall.conf and the shorewall.conf file from the
directory specified on the command line will be read during the
processing of complex commands like 'check', 'restart', etc.

>
>
> Next problem is how to include param subfiles relative to the
> configuration directory.
>
> I tried to put
>     . $(find_file params-dns)
> into my /etc/shorewall/active/params, which caused
>     /etc/init.d/shorewall restart
>     /etc/shorewall/active/params: 250: find_file: not found
>
> Now I use something else that works:
>     . $CONFIGDIR/params-dns
>
> But is this the correct method to do it? I suspect that I could run
> into regression problems when updating, so which method is recommended?
>

Which version of Shorewall are you running?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Aug-29 16:38 UTC
Re: Running shorewall with two different configurations on same host.
DI Roman Fiedler wrote:
> Yes, the -c works for me (also file inclusion with ". $(find_file
> params-dns) " is ok).
>
> Thanks Roberto!
>
>
> PS: Perhaps one of the shorewall developers could correct the usage line
> 1280 in
> https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
> to include the -c option, currently
>
>     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
>
> It seems that this option is applicable to all commands but I'm not sure
> about that.

The -c option has been deprecated for some time (although it is still
mentioned once in the Shorewall 4.0 documentation).

>
> Apart from that "shorewall version" does not want to show the version
> when /etc/shorewall does not exist, which is a little unexpected.

What is unexpected is that someone would remove a directory installed as
part of a product (together with the product's main configuration file)
and then express surprise that the product works funny without that
directory (and file) being present.

> You have to use
>     # /sbin/shorewall -c /etc/shorewall/passive version
>     3.2.6
>

This answers the question that I asked in my previous post.

In Shorewall 3.0 and 3.2, the handling of the params file was somewhat
flawed.

- It is generally the case that the file is only needed during the
  'compile' phase and not during the execution phase of 'start' and
  'restart'. Later versions of Shorewall include an EXPORTPARAMS option
  which will suppress copying the params file into the shell script
  generated by the compiler.

- The CONFIG_PATH setting was not transferred to the generated script so
  INCLUDE directives specifying relative path names in the params file
  didn't work during the execution phase (note that they are unlikely to
  ever work when Shorewall-lite is being)

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
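
Added example, not part of the thread and not Shorewall's own code: a POSIX sh sketch of why an include resolved through CONFIG_PATH picks up the right params-dns for each configuration directory and fails once CONFIG_PATH is not carried into the script that sources the params file. The helpers find_in_config_path and include_param_file are hypothetical stand-ins, and the directory layout and DNS_SERVERS values are constructed sample data.

```shell
#!/bin/sh
# Hypothetical stand-in for a CONFIG_PATH lookup: print the first readable
# match for $1 in the colon-separated directory list $CONFIG_PATH.
find_in_config_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $CONFIG_PATH; do
        if [ -n "$dir" ] && [ -r "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Source an include only if it resolves; report the search path otherwise,
# instead of letting ". $(...)" run with an empty argument.
include_param_file() {
    file=$(find_in_config_path "$1") || {
        echo "include $1: not found, CONFIG_PATH='${CONFIG_PATH:-}'" >&2
        return 1
    }
    . "$file"
}

# Constructed sample layout: two configurations plus a default directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/active" "$demo_root/passive" "$demo_root/default"
echo 'DNS_SERVERS=192.0.2.53'    > "$demo_root/active/params-dns"
echo 'DNS_SERVERS=198.51.100.53' > "$demo_root/passive/params-dns"

# Resolve params-dns under a given CONFIG_PATH, in a subshell so each call
# starts clean; prints DNS_SERVERS, or nothing (and fails) when unresolved.
resolve_for() {
    (
        CONFIG_PATH=$1
        DNS_SERVERS=
        include_param_file params-dns 2>/dev/null &&
            printf '%s' "$DNS_SERVERS"
    )
}

resolve_for "$demo_root/active:$demo_root/default";  echo
resolve_for "$demo_root/passive:$demo_root/default"; echo
resolve_for "" || echo "unresolved when CONFIG_PATH is empty"
```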