Hi!

Shorewall will do no action and report that it has not run before if a 'shorewall clear' is done on a 'virgin' system freshly installed. Is there a way to make Shorewall think it already has run and that really we want the 'clear' action to be taken anyways?

Thanks.

On 7/28/10 3:20 AM, lanas wrote:
> Hi!
>
> Shorewall will do no action and report that it has not run before if
> a 'shorewall clear' is done on a 'virgin' system freshly installed. Is
> there a way to make Shorewall think it already has run and that really
> we want the 'clear' action to be taken anyways?

Only if you create a configuration and compile it ('shorewall compile').

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Wed, 28 Jul 2010 06:35:22 -0700, Tom Eastep <teastep@shorewall.net> wrote:
>> Shorewall will do no action and report that it has not run before
>> if a 'shorewall clear' is done on a 'virgin' system freshly
>> installed. Is there a way to make Shorewall think it already has
>> run and that really we want the 'clear' action to be taken anyways?
>
> Only if you create a configuration and compile it ('shorewall
> compile').

For a user interface that would like to always keep the same call to clear the firewall it seems that on a newly-installed system it'd be possible to have a "fake" firewall script in I think /var/lib/shorewall (not sure of the location at the moment) that would accept a clear command. Thereafter, when the user actually configures a firewall this script would get overwritten by Shorewall with an actual firewall script (after being a .start script). It sounds reasonable to do this, so far (haven't tried it yet).

On 7/28/10 4:44 PM, lanas wrote:
> On Wed, 28 Jul 2010 06:35:22 -0700,
> Tom Eastep <teastep@shorewall.net> wrote:
>
>>> Shorewall will do no action and report that it has not run before
>>> if a 'shorewall clear' is done on a 'virgin' system freshly
>>> installed. Is there a way to make Shorewall think it already has
>>> run and that really we want the 'clear' action to be taken anyways?
>
>> Only if you create a configuration and compile it ('shorewall
>> compile').
>
> For a user interface that would like to always keep the same call to
> clear the firewall it seems that on a newly-installed system it'd be
> possible to have a "fake" firewall script in I think /var/lib/shorewall
> (not sure of the location at the moment) that would accept a clear
> command. Thereafter, when the user actually configures a firewall this
> script would get overwritten by Shorewall with an actual firewall
> script (after being a .start script). It sounds reasonable to do this,
> so far (haven't tried it yet).

I fail to understand why you need a 'clear' command before you have ever started Shorewall.

-Tom

On Wed, 28 Jul 2010 17:05:45 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> On 7/28/10 4:44 PM, lanas wrote:
> > On Wed, 28 Jul 2010 06:35:22 -0700,
> > Tom Eastep <teastep@shorewall.net> wrote:
> >
> >>> Shorewall will do no action and report that it has not run
> >>> before if a 'shorewall clear' is done on a 'virgin' system freshly
> >>> installed. Is there a way to make Shorewall think it already has
> >>> run and that really we want the 'clear' action to be taken
> >>> anyways?
> >
> >> Only if you create a configuration and compile it ('shorewall
> >> compile').
> >
> > For a user interface that would like to always keep the same call to
> > clear the firewall it seems that on a newly-installed system it'd be
> > possible to have a "fake" firewall script in I
> > think /var/lib/shorewall (not sure of the location at the moment)
> > that would accept a clear command. Thereafter, when the user
> > actually configures a firewall this script would get overwritten by
> > Shorewall with an actual firewall script (after being a .start
> > script). It sounds reasonable to do this, so far (haven't tried it
> > yet).
>
> I fail to understand why you need a 'clear' command before you have
> ever started Shorewall.

Ah, this is because very early in the boot sequence, everything is set to drop, apart from local traffic (to let communications between local daemons and apps). Later on, when such a high-level app comes to life, it will either install a pre-configured firewall (using a generated set of Shorewall files and shorewall restart) or, if no configuration is found, will put everything to ACCEPT, hence the clear command. That clear command can be done using straight iptables, but it could also be done using a single 'shorewall clear' command which is an available user option after all.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

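The single "clear" entry point lanas describes above (Shorewall when a compiled configuration exists, plain iptables otherwise), as an added example that is not part of the thread or of Shorewall. It assumes the compiled script is stored as `/var/lib/shorewall/firewall` and covers IPv4 only; `firewall_clear`, `iptables_clear`, `run`, `VARDIR` and `DRY_RUN` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Assumption: Shorewall keeps its compiled script at $VARDIR/firewall.
VARDIR="${VARDIR:-/var/lib/shorewall}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Plain-iptables equivalent of 'clear' (IPv4 only): ACCEPT policies on the
# filter table, then flush rules and delete user chains in each table.
# The host is left with no packet filtering, exactly as 'shorewall clear' does.
iptables_clear() {
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -t filter -P "$chain" ACCEPT || return 1
    done
    for table in filter nat mangle; do
        run iptables -t "$table" -F || return 1
        run iptables -t "$table" -X || return 1
    done
}

# Single entry point for the UI: use Shorewall when a compiled
# configuration exists, fall back to iptables on a fresh install.
firewall_clear() {
    if [ -f "$VARDIR/firewall" ]; then
        run shorewall clear
    else
        iptables_clear
    fi
}

# Stand-alone use: "sh thisfile clear" (dry run unless DRY_RUN=0).
if [ "${1:-}" = "clear" ]; then
    firewall_clear
fi
```

With the default `DRY_RUN=1` the functions only print the commands they would run, which makes the decision easy to check on a freshly installed system before letting it touch the ruleset.
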
On 7/28/10 7:16 PM, lanas wrote:
> Ah, this is because very early in the boot sequence, everything is
> set to drop, apart from local traffic (to let communications between
> local daemons and apps). Later on, when such a high-level app comes to
> life, it will either install a pre-configured firewall (using a
> generated set of Shorewall files and shorewall restart) or, if no
> configuration is found, will put everything to ACCEPT, hence the clear
> command. That clear command can be done using straight iptables, but
> it could also be done using a single 'shorewall clear' command which is
> an available user option after all.

But at boot time, the firewall is wide open to start with! There is no need for any script!

-Tom

On 7/28/10 7:16 PM, lanas wrote:
> Ah, this is because very early in the boot sequence, everything is
> set to drop, apart from local traffic (to let communications between
> local daemons and apps).

Then remove whatever package is doing that on your distribution.

-Tom