Shorewall users - Aug 2007 - Running shorewall with two different configurations on same host.

Hi everyone,

I''m trying to setup a host with two shorewall configs,
/etc/shorewall/active and /etc/shorewall/passive

When I call
  /sbin/shorewall check /etc/shorewall/active
I get
  /etc/shorewall/shorewall.conf does not exist!

The same for:
  /sbin/shorewall -vv restart /etc/shorewall/active
  /etc/shorewall/shorewall.conf does not exist!

When I do a
  export CONFIG_PATH=/etc/shorewall/active
before invoking  /sbin/shorewall check /etc/shorewall/active it works.
roman.fiedler@telbiomed.at
Did I make some kind of operating error? Has someone already used this,
tested this?


Next problem is how to include param subfiles relative to the
configuration directory.

I tried to put
  . $(find_file params-dns)
into my /etc/shorewall/active/params, which caused
  /etc/init.d/shorewall restart
  /etc/shorewall/active/params: 250: find_file: not found

Now I use something else that works:
  . $CONFIGDIR/params-dns

But is this the correct  method to do it? I suspect that I could run
into regression problems when updating, so which method is recommended?

Thanks in advance!




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Wed, Aug 29, 2007 at 09:34:51AM +0200, DI Roman Fiedler
wrote:
> Hi everyone,
> 
> I''m trying to setup a host with two shorewall configs,
> /etc/shorewall/active and /etc/shorewall/passive
> 
> When I call
>   /sbin/shorewall check /etc/shorewall/active
> I get
>   /etc/shorewall/shorewall.conf does not exist!
> 
> The same for:
>   /sbin/shorewall -vv restart /etc/shorewall/active
>   /etc/shorewall/shorewall.conf does not exist!
> 
> When I do a
>   export CONFIG_PATH=/etc/shorewall/active
> before invoking  /sbin/shorewall check /etc/shorewall/active it works.
> roman.fiedler@telbiomed.at
> Did I make some kind of operating error? Has someone already used this,
> tested this?
> 
shorewall(8) says:
  -c directory

     Look for configuration files in directory instead of /etc/shorewall.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Yes, the -c works for me (also file inclusion with ". $(find_file 
params-dns) "  is ok).

Thanks Roberto!


PS: Perhaps one of the shorewall developer could correct the usage line  
1280 in
https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
to include the -c option, currently

    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ 
-t ] <command>"

It seems that this option is applicable to all commands but I''m not
sure
about that.

Apart from that "shorewall version" does not want to show the version 
when /etc/shorewall does not exist, which is a little unexpected. You 
have to use
# /sbin/shorewall -c /etc/shorewall/passive version
3.2.6

> On Wed, Aug 29, 2007 at 09:34:51AM +0200, DI Roman Fiedler wrote:
>   
>> Hi everyone,
>>
>> I''m trying to setup a host with two shorewall configs,
>> /etc/shorewall/active and /etc/shorewall/passive
>>
>> When I call
>>   /sbin/shorewall check /etc/shorewall/active
>> I get
>>   /etc/shorewall/shorewall.conf does not exist!
>>
>> The same for:
>>   /sbin/shorewall -vv restart /etc/shorewall/active
>>   /etc/shorewall/shorewall.conf does not exist!
>>
>> When I do a
>>   export CONFIG_PATH=/etc/shorewall/active
>> before invoking  /sbin/shorewall check /etc/shorewall/active it works.
>> roman.fiedler@telbiomed.at
>> Did I make some kind of operating error? Has someone already used this,
>> tested this?
>>
>>     
> shorewall(8) says:
>   -c directory
>
>      Look for configuration files in directory instead of /etc/shorewall.
>
> Regards,
>
> -Roberto
>
>   
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>   
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Wed, Aug 29, 2007 at 10:25:27AM +0200, DI Roman Fiedler
wrote:
> Yes, the -c works for me (also file inclusion with ". $(find_file 
> params-dns) "  is ok).
> 
> Thanks Roberto!
> 
Glad to hear it.
> 
> PS: Perhaps one of the shorewall developer could correct the usage line  
> 1280 in
>
https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
> to include the -c option, currently
> 
>     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [
> -t ] <command>"
> 
> It seems that this option is applicable to all commands but I''m
not sure
> about that.
> 
Interesting.  I think that you are right.  However, I will defer to Tom
on this.  I am not sure if there is a reason for the usage messages to
be specified the way that they are.  Tom, if you end up deciding to
change this, please let me know and I will make the change in 3.4 and/or
3.2.
> Apart from that "shorewall version" does not want to show the
version
> when /etc/shorewall does not exist, which is a little unexpected. You 
> have to use
> # /sbin/shorewall -c /etc/shorewall/passive version
> 3.2.6
> 
This is corrected in the 3.4 and 4.0 branches.  Basically, in shorewall
3.2, the configuration files were identified before the commands were
processed.  So, it did not matter what command you wanted to run, it
would error out if at least a minimal configuration did not exist.

Regards,

-Roberto

P.S. Please don''t top post.

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

DI Roman Fiedler wrote:
> Hi everyone,
> 
> I''m trying to setup a host with two shorewall configs,
> /etc/shorewall/active and /etc/shorewall/passive
> 
> When I call
>   /sbin/shorewall check /etc/shorewall/active
> I get
>   /etc/shorewall/shorewall.conf does not exist!
> 
> The same for:
>   /sbin/shorewall -vv restart /etc/shorewall/active
>   /etc/shorewall/shorewall.conf does not exist!
> 
> When I do a
>   export CONFIG_PATH=/etc/shorewall/active
> before invoking  /sbin/shorewall check /etc/shorewall/active it works.
> roman.fiedler@telbiomed.at
> Did I make some kind of operating error? Has someone already used this,
> tested this?
Just because you have multiple configurations does not mean that you can
arbitrarily remove /etc/shorewall/shorewall.conf. For a number of reasons,
Shorewall requires that file to exist. Both /etc/shorewall/shorewall.conf
and the shorewall.conf file from the directory specified on the command line
will be read during the processing of complex commands like
''check'',
''restart'', etc.
> 
> 
> Next problem is how to include param subfiles relative to the
> configuration directory.
> 
> I tried to put
>   . $(find_file params-dns)
> into my /etc/shorewall/active/params, which caused
>   /etc/init.d/shorewall restart
>   /etc/shorewall/active/params: 250: find_file: not found
> 
> Now I use something else that works:
>   . $CONFIGDIR/params-dns
> 
> But is this the correct  method to do it? I suspect that I could run
> into regression problems when updating, so which method is recommended?
> 
Which version of Shorewall are you running?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

DI Roman Fiedler wrote:
> Yes, the -c works for me (also file inclusion with ". $(find_file 
> params-dns) "  is ok).
> 
> Thanks Roberto!
> 
> 
> PS: Perhaps one of the shorewall developer could correct the usage line  
> 1280 in
>
https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall-common/shorewall
> to include the -c option, currently
> 
>     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [
> -t ] <command>"
> 
> It seems that this option is applicable to all commands but I''m
not sure
> about that.
The -c option has been deprecated for some time (although it is still
mentioned once in the Shorewall 4.0 documentation).
> 
> Apart from that "shorewall version" does not want to show the
version
> when /etc/shorewall does not exist, which is a little unexpected.
What is unexpected is that someone would remove a directory installed as
part of a product (together with the product''s main configuration file)
and
then express surprise that the product works funny without that directory
(and file) being present.

 You
> have to use
> # /sbin/shorewall -c /etc/shorewall/passive version
> 3.2.6
> 
This answers the question that I asked in my previous post.

In Shorewall 3.0 and 3.2, the handling of the params file was somewhat flawed.

- It is generally the case that the file is only needed during the
''compile''
phase and not during the execution phase of ''start'' and
''restart''. Later
versions of Shorewall include an EXPORTPARAMS option which will suppress
copying the params file into the shell script generated by the compiler.

- The CONFIG_PATH setting was not transferred to the generated script so
INCLUDE directives specifying relative path names in the params file
didn''t
work during the execution phase (note that they are unlikely to ever work
when Shorewall-lite is being)

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/