I'm following the document; <http://flurdy.com/docs/postfix/>, and

SSH only

By default Shorewall in Ubuntu has an empty set up. You can find the default values for Shorewall in /usr/share/doc/shorewall-common/default-config. And examples in /usr/share/doc/shorewall-common/examples.

We will create a basic set up.

First configure which network adapters we are accessing the net.

    cp /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall/
    vi /etc/shorewall/interfaces

    net eth0 detect dhcp,tcpflags,logmartians,nosmurfs

Then we will configure network zones

    cp /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall/
    vi /etc/shorewall/zones

Add the firewall if not there and the internet as a zone.

    fw firewall
    # loc ipv4
    net ipv4

Then if needed to specify hosts you can do it in this file. E.g. If you want to specify what is your home IP etc.

    cp /usr/share/doc/shorewall-common/default-config/hosts /etc/shorewall/
    vi /etc/shorewall/hosts

    # loc eth0:192.168.0.0/24

Then set what is the default policy for firewall access.

    cp /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall/
    vi /etc/shorewall/policy

    $FW net ACCEPT
    net $FW DROP info
    net all DROP info
    # The FOLLOWING POLICY MUST BE LAST
    all all REJECT info

For safety in case it goes down.

    cp /usr/share/doc/shorewall-common/default-config/routestopped /etc/shorewall/
    vi /etc/shorewall/routestopped

    eth0 0.0.0.0 routeback

You may put in a netmask of your ip range if you are more concerned.

Now for the main firewall rules. You can find predetermined macro rules for Shorewall in /usr/share/shorewall.

    cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/
    vi /etc/shorewall/rules

    SSH/ACCEPT net $FW

Open for business

Once your server is working come back to this step and open up SMTP and Web access to others.

    vi /etc/shorewall/rules

    Ping/ACCEPT net $FW
    # Permit all ICMP traffic FROM the firewall TO the net zone
    ACCEPT $FW net icmp
    # mail lines
    SMTP/ACCEPT net $FW
    SMTPS/ACCEPT net $FW
    Submission/ACCEPT net $FW
    IMAP/ACCEPT net $FW
    IMAPS/ACCEPT net $FW
    #web
    Web/ACCEPT net $FW

I get finished with the "Open For Business" section, and I run the command;

    sudo shorewall check

and I'm getting this error message;

    Validating Policy File....
    ERROR: undefined zone ]

I'm not sitting in front of that machine, so I'm transcribing the error message.

I've double and triple checked all previous edits, and they all appear to be correct.

Any other pointers that would help out.

--
Rodney D. Myers <rod_dmyers@fastmail.fm>
ICQ#: AIM#: YAHOO: 18002350 mailman452 mailman42_5

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759
Rodney D. Myers wrote:
>
> and I'm getting this error message;
>
> Validating Policy File....
> ERROR: undefined zone ]

First of all, you appear to be using the deprecated shell-based compiler. So the first thing that I suggest is that you install shorewall-perl and set SHOREWALL_COMPILER=Perl in shorewall.conf. That will give you much faster compilation with very much better diagnostics.

Then, look for the character ']' in /etc/shorewall/policy.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Joshua J. Kugler
2009-Nov-24 21:49 UTC
Re: initial SW config, failing the "shorewall check"
On Tuesday 24 November 2009, Tom Eastep said something like:
> Rodney D. Myers wrote:
> > and I'm getting this error message;
> >
> > Validating Policy File....
> > ERROR: undefined zone ]
>
> First of all, you appear to be using the deprecated shell-based
> compiler. So the first thing that I suggest is that you install
> shorewall-perl and set SHOREWALL_COMPILER=Perl in shorewall.conf.
> That will give you much faster compilation with very much better
> diagnostics.
>
> Then, look for the character ']' in /etc/shorewall/policy.
>
> -Tom

1. Ubuntu is stuck at 4.0.15 for Jaunty, and 4.2.10 for the most recent release. 4.2.10 is also the one going into the next LTS release. I really hope that gets upgraded to 4.4.x before release if they are going to be supporting it for the next five years.

2. Ubuntu (and I assume Debian as well) defaults to not using the Perl compiler.

j
--
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0x14EA086E
Roberto C. Sánchez
2009-Nov-24 23:27 UTC
Re: initial SW config, failing the "shorewall check"
On Tue, Nov 24, 2009 at 12:49:53PM -0900, Joshua J. Kugler wrote:
>
> 1. Ubuntu is stuck at 4.0.15 for Jaunty, and 4.2.10 for the most recent
> release. 4.2.10 is also the one going into the next LTS release. I
> really hope that gets upgraded to 4.4.x before release if they are
> going to be supporting it for the next five years.
>

You can probably submit a bug asking for that. I do not keep track of the Ubuntu releases, but I know that they go through an import freeze, where packages are imported from Debian only by exception.

> 2. Ubuntu (and I assume Debian as well) defaults to not using the Perl
> compiler.
>

That is not entirely accurate. In the pre-4.4 package structure, the shorewall package was a dummy package that depended on shorewall-shell. That was primarily so that people upgrading from old releases where shorewall was the old shell-based compiler, would not encounter a forced upgrade to the perl-based compiler. Nowadays, the shorewall package has been transformed so that it is the perl-based compiler. So, on a new Debian installation (Squeeze or Sid), if you run 'apt-get install shorewall' you will end up with the perl-based compiler, as the shell-based compiler is not available in 4.4.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> Nowadays, the shorewall package has been transformed so that it is
> the perl-based compiler. So, on a new Debian installation (Squeeze
> or Sid), if you run 'apt-get install shorewall' you will end up with
> the perl-based compiler, as the shell-based compiler is not available
> in 4.4.

And there is an article about upgrading from Lenny to Squeeze/Sid at http://www1.shorewall.net/LennyToSqueeze.html.

-Tom
Tom Eastep wrote:
> Roberto C. Sánchez wrote:
>
>> Nowadays, the shorewall package has been transformed so that it is
>> the perl-based compiler. So, on a new Debian installation (Squeeze
>> or Sid), if you run 'apt-get install shorewall' you will end up with
>> the perl-based compiler, as the shell-based compiler is not available
>> in 4.4.
>
> And there is an article about upgrading from Lenny to Squeeze/Sid at
> http://www1.shorewall.net/LennyToSqueeze.html.

A copy with faster access is at http://www.shorewall.net/LennyToSqueeze.html.

-Tom
Rodney D. Myers
2009-Nov-25 21:37 UTC
Re: initial SW config, failing the "shorewall check"
Tom Eastep wrote:
> Rodney D. Myers wrote:
>
>> and I'm getting this error message;
>>
>> Validating Policy File....
>> ERROR: undefined zone ]
>
> First of all, you appear to be using the deprecated shell-based
> compiler. So the first thing that I suggest is that you install
> shorewall-perl and set SHOREWALL_COMPILER=Perl in shorewall.conf. That
> will give you much faster compilation with very much better diagnostics.
>
> Then, look for the character ']' in /etc/shorewall/policy.
>
> -Tom

Found the problem. In the beginning, I was using a real flakey keyboard, which would add extra characters when I was not looking, and in looking through the policy file, found the stray [ at the very beginning of the file.

Thanks.

--
Rodney D. Myers
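Added example, not part of the thread: the shell-based compiler's message above names only the offending token, not the line it came from. This sketch cross-checks the SOURCE and DEST columns of a policy file against the zones file and prints file and line number for each unknown token. The function names, the sample files (constructed from the configuration quoted in the first message, with a stray `[` added), and the treatment of `$FW` and `all` as always valid are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report policy entries whose SOURCE or
# DEST column is not a zone declared in the zones file.
# Assumptions: columns are whitespace-separated, '#' starts a comment, and
# "$FW" and "all" are always accepted in the policy file.

check_policy_zones() {
    zones_file=$1
    policy_file=$2
    awk '
        { sub(/#.*/, "") }                 # strip comments
        NF == 0 { next }                   # skip blank / comment-only lines
        FILENAME == ARGV[1] {              # first file: zone declarations
            split($1, z, ":")              # "child:parent" declares "child"
            known[z[1]] = 1
            next
        }
        {                                  # second file: policy entries
            for (i = 1; i <= 2; i++) {
                tok = (i <= NF) ? $i : "(missing)"
                if (tok != "$FW" && tok != "all" && !(tok in known)) {
                    printf "%s:%d: undefined zone %s\n", FILENAME, FNR, tok
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }               # non-zero status if anything was flagged
    ' "$zones_file" "$policy_file"
}

# Constructed sample: the thread's zones and policy, with a stray '['
# typed at the very beginning of the policy file.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'fw firewall' '# loc ipv4' 'net ipv4' > "$dir/zones"
    printf '%s\n' '[$FW net ACCEPT' 'net $FW DROP info' 'net all DROP info' \
        '# The FOLLOWING POLICY MUST BE LAST' 'all all REJECT info' > "$dir/policy"
    (cd "$dir" && check_policy_zones zones policy) || true
    rm -rf "$dir"
}

demo
```

On a real system the call would be `check_policy_zones /etc/shorewall/zones /etc/shorewall/policy`; it complements `shorewall check` and does not replace it.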
Joshua J. Kugler
2009-Nov-28 07:47 UTC
Re: initial SW config, failing the "shorewall check"
On Tuesday 24 November 2009, Roberto C. Sánchez said something like:
> On Tue, Nov 24, 2009 at 12:49:53PM -0900, Joshua J. Kugler wrote:
> > 1. Ubuntu is stuck at 4.0.15 for Jaunty, and 4.2.10 for the most
> > recent release. 4.2.10 is also the one going into the next LTS
> > release. I really hope that gets upgraded to 4.4.x before release
> > if they are going to be supporting it for the next five years.
>
> You can probably submit a bug asking for that. I do not keep track
> of the Ubuntu releases, but I know that they go through an import
> freeze, where packages are imported from Debian only by exception.

Reported. https://bugs.launchpad.net/ubuntu/+source/shorewall-common/+bug/489480

> > 2. Ubuntu (and I assume Debian as well) defaults to not using the
> > Perl compiler.
>
> That is not entirely accurate. In the pre-4.4 package structure, the
> shorewall package was a dummy package that depended on
> shorewall-shell. That was primarily so that people upgrading from old
> releases where shorewall was the old shell-based compiler, would not
> encounter a forced upgrade to the perl-based compiler. Nowadays, the
> shorewall package has been transformed so that it is the perl-based
> compiler. So, on a new Debian installation (Squeeze or Sid), if you
> run 'apt-get install shorewall' you will end up with the perl-based
> compiler, as the shell-based compiler is not available in 4.4.

Hmm...I thought I did an 'apt-get install shorewall' and still got just the shell compiler. At least the config file said I'd use the shell compiler if I didn't put "perl" on the compiler line.

j
--
Joshua Kugler
Joshua J. Kugler wrote:
> On Tuesday 24 November 2009, Roberto C. Sánchez said something like:
>> So, on a new Debian installation (Squeeze or Sid), if you
>> run 'apt-get install shorewall' you will end up with the perl-based
>> compiler, as the shell-based compiler is not available in 4.4.
>
> Hmm...I thought I did an 'apt-get install shorewall' and still got just
> the shell compiler. At least the config file said I'd use the shell
> compiler if I didn't put "perl" on the compiler line.

Roberto is talking about Shorewall 4.4 which is included in Squeeze and Sid. As he says, in earlier versions (4.0 and 4.2), installing 'shorewall' results in 'shorewall-common' and 'shorewall-shell' being installed.

-Tom
Joshua J. Kugler
2009-Nov-28 23:47 UTC
Re: initial SW config, failing the "shorewall check"
On Saturday 28 November 2009, Tom Eastep said something like:
> Joshua J. Kugler wrote:
> > Hmm...I thought I did an 'apt-get install shorewall' and still got
> > just the shell compiler. At least the config file said I'd use the
> > shell compiler if I didn't put "perl" on the compiler line.
>
> Roberto is talking about Shorewall 4.4 which is included in Squeeze
> and Sid. As he says, in earlier versions (4.0 and 4.2), installing
> 'shorewall' results in 'shorewall-common' and 'shorewall-shell' being
> installed.

Oh, I must have missed that. Sorry.

j
--
Joshua Kugler