Beta 2 is now ready for testing.

----------------------------------------------------------------------------
I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

4.4.22 Beta 2

1) Corrected an error produced by this rule:

   Broadcast(ACCEPT) all all all

2) Corrected a problem which manifested as the following:

   iptables-restore v1.4.11.1: Couldn't load match `cmd':No such file or directory

The new rules implementation has been adopted in several of the Perl modules. I don't intend to add them more widely in 4.4.22. I think that is 4.5 material.

Note: The release notes in the release are from Beta 1; my web site has the updated copy which will be distributed to the mirrors shortly.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom

Rule:

ACCEPT lan fw tcp !987

generates the following iptables rule:

-A lan2fw -p 6 --dport ! 987 -j ACCEPT

which produces the following message:

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

Steven.

On Wed, 2011-07-20 at 21:29 +0100, Steven Jan Springl wrote:
> Rule:
>
> ACCEPT lan fw tcp !987
>
> generates the following iptables rule:
>
> -A lan2fw -p 6 --dport ! 987 -j ACCEPT
>
> which produces the following message:
>
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of
> extrapositioned (`! --option this`).

Steven,

This seems to fix it.

Thanks,
-Tom

On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
> On Wed, 2011-07-20 at 21:29 +0100, Steven Jan Springl wrote:
> > Rule:
> >
> > ACCEPT lan fw tcp !987
> >
> > generates the following iptables rule:
> >
> > -A lan2fw -p 6 --dport ! 987 -j ACCEPT
> >
> > which produces the following message:
> >
> > Using intrapositioned negation (`--option ! this`) is deprecated in favor
> > of extrapositioned (`! --option this`).
>
> Steven,
>
> This seems to fix it.
>
> Thanks,
> -Tom

Tom

Confirmed, that's fixed it. Thanks.

Steven.

On 7/20/11 2:47 PM, Steven Jan Springl wrote:
> On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
>
> Confirmed, that's fixed it. Thanks.

Thanks, Steven

-Tom

On Wednesday 20 July 2011 22:50:04 Tom Eastep wrote:
> On 7/20/11 2:47 PM, Steven Jan Springl wrote:
> > On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
> >
> > Confirmed, that's fixed it. Thanks.
>

Tom

Invalid rule:

ACCEPT lan fw tcp !

generates iptables rule:

-A lan2fw -p 6 --dport ! -j ACCEPT

which produces the following messages:

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

iptables-restore v1.4.11.1: invalid port/service `-j' specified

Steven.

On Wed, 2011-07-20 at 23:40 +0100, Steven Jan Springl wrote:
> Invalid rule:
>
> ACCEPT lan fw tcp !
>
> generates iptables rule:
>
> -A lan2fw -p 6 --dport ! -j ACCEPT
>
> which produces the following messages:
>
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of
> extrapositioned (`! --option this`).
>
> iptables-restore v1.4.11.1: invalid port/service `-j' specified

Steven,

Looks like a problem in earlier versions as well.

The attached patch traps that situation.

Thanks,
-Tom

On Wednesday 20 July 2011 23:54:49 Tom Eastep wrote:
> On Wed, 2011-07-20 at 23:40 +0100, Steven Jan Springl wrote:
> > Invalid rule:
> >
> > ACCEPT lan fw tcp !
> >
> > generates iptables rule:
> >
> > -A lan2fw -p 6 --dport ! -j ACCEPT
> >
> > which produces the following messages:
> >
> > Using intrapositioned negation (`--option ! this`) is deprecated in favor
> > of extrapositioned (`! --option this`).
> >
> > iptables-restore v1.4.11.1: invalid port/service `-j' specified
>
> Steven,
>
> Looks like a problem in earlier versions as well.
>
> The attached patch traps that situation.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks

Steven.

On 7/20/11 4:05 PM, Steven Jan Springl wrote:
> On Wednesday 20 July 2011 23:54:49 Tom Eastep wrote:
>
> Confirmed, the patch fixes the issue. Thanks

Thanks, Steven

-Tom

Tom

To get the following rule to work, I applied the LOGMARK patch that you wrote for Ed W.

LOG:LOGMARK(info) lan fw tcp 100

If I change the rule to:

LOG:LOGMARK() lan fw tcp 100

The following iptables rule is generated:

-A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j LOGMARK --log-level --log-prefix "Shorewall:la:"

which produces the following messages:

Use of uninitialized value $sublevel in pattern match (m//) at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile> line 18.

Use of uninitialized value $sublevel in concatenation (.) or string at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile> line 18.

iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" option: "--log-prefix"

Steven.

On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> To get the following rule to work, I applied the LOGMARK patch that you wrote
> for Ed W.
>
> LOG:LOGMARK(info) lan fw tcp 100
>
> If I change the rule to:
>
> LOG:LOGMARK() lan fw tcp 100
>
> The following iptables rule is generated:
>
> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
> 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j
> LOGMARK --log-level --log-prefix "Shorewall:la:"
>
> which produces the following messages:
>
> Use of uninitialized value $sublevel in pattern match (m//)
> at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile> line
> 18.
>
> Use of uninitialized value $sublevel in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile> line
> 18.
>
> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
> option: "--log-prefix"

Steven,

I had already changed the LOGMARK implementation to make the parameter optional (default is 6). See if this doesn't correct that problem.

Thanks,
-Tom

On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> > To get the following rule to work, I applied the LOGMARK patch that you
> > wrote for Ed W.
> >
> > LOG:LOGMARK(info) lan fw tcp 100
> >
> > If I change the rule to:
> >
> > LOG:LOGMARK() lan fw tcp 100
> >
> > The following iptables rule is generated:
> >
> > -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
> > 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip
> > -j LOGMARK --log-level --log-prefix "Shorewall:la:"
> >
> > which produces the following messages:
> >
> > Use of uninitialized value $sublevel in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile>
> > line 18.
> >
> > Use of uninitialized value $sublevel in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile>
> > line 18.
> >
> > iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
> > option: "--log-prefix"
>
> Steven,
>
> I had already changed the LOGMARK implementation to make the parameter
> optional (default is 6). See if this doesn't correct that problem.
>
> Thanks,
> -Tom

Tom

After applying the patch, I get the following message:

ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)

Steven.

On 7/20/11 4:40 PM, Steven Jan Springl wrote:
> On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
>> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
>>> To get the following rule to work, I applied the LOGMARK patch that you
>>> wrote for Ed W.
>>>
>>> LOG:LOGMARK(info) lan fw tcp 100
>>>
>>> If I change the rule to:
>>>
>>> LOG:LOGMARK() lan fw tcp 100
>>>
>>> The following iptables rule is generated:
>>>
>>> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
>>> 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip
>>> -j LOGMARK --log-level --log-prefix "Shorewall:la:"
>>>
>>> which produces the following messages:
>>>
>>> Use of uninitialized value $sublevel in pattern match (m//)
>>> at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile>
>>> line 18.
>>>
>>> Use of uninitialized value $sublevel in concatenation (.) or string
>>> at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile>
>>> line 18.
>>>
>>> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
>>> option: "--log-prefix"
>>
>> Steven,
>>
>> I had already changed the LOGMARK implementation to make the parameter
>> optional (default is 6). See if this doesn't correct that problem.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> After applying the patch, I get the following message:
>
> ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)

That's what I expected. The syntax shown in the manpage part of the patch is:

LOGMARK[(<priority>)]

where <priority> is a syslog priority. It doesn't indicate that <priority> is optional.

-Tom

On Thursday 21 July 2011 00:45:36 Tom Eastep wrote:
> On 7/20/11 4:40 PM, Steven Jan Springl wrote:
> > On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
> >> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> >>> To get the following rule to work, I applied the LOGMARK patch that you
> >>> wrote for Ed W.
> >>>
> >>> LOG:LOGMARK(info) lan fw tcp 100
> >>>
> >>> If I change the rule to:
> >>>
> >>> LOG:LOGMARK() lan fw tcp 100
> >>>
> >>> The following iptables rule is generated:
> >>>
> >>> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
> >>> 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode
> >>> dstip -j LOGMARK --log-level --log-prefix "Shorewall:la:"
> >>>
> >>> which produces the following messages:
> >>>
> >>> Use of uninitialized value $sublevel in pattern match (m//)
> >>> at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile>
> >>> line 18.
> >>>
> >>> Use of uninitialized value $sublevel in concatenation (.) or string
> >>> at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile>
> >>> line 18.
> >>>
> >>> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
> >>> option: "--log-prefix"
> >>
> >> Steven,
> >>
> >> I had already changed the LOGMARK implementation to make the parameter
> >> optional (default is 6). See if this doesn't correct that problem.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > After applying the patch, I get the following message:
> >
> > ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)
>
> That's what I expected. The syntax shown in the manpage part of the
> patch is:
>
> LOGMARK[(<priority>)]
>
> where <priority> is a syslog priority. It doesn't indicate that
> <priority> is optional.
>
> -Tom

Tom

Sorry, I missed that.

If I change the rule to:

LOG:LOGMARK(1,0) lan fw tcp 100

The following messages are produced:

Use of uninitialized value $sublevel in pattern match (m//) at /usr/share/shorewall/Shorewall/Config.pm line 2152, <$currentfile> line 18.

Use of uninitialized value $sublevel in concatenation (.) or string at /usr/share/shorewall/Shorewall/Config.pm line 2159, <$currentfile> line 18.

iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" option: "--log-prefix"

Steven.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel

On 7/20/11 4:56 PM, Steven Jan Springl wrote:
> Sorry, I missed that.
>
> If I change the rule to:
>
> LOG:LOGMARK(1,0) lan fw tcp 100
>
> The following messages are produced:
>
> Use of uninitialized value $sublevel in pattern match (m//)
> at /usr/share/shorewall/Shorewall/Config.pm line 2152, <$currentfile> line
> 18.
>
> Use of uninitialized value $sublevel in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Config.pm line 2159, <$currentfile> line
> 18.
>
> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
> option: "--log-prefix"

Steven,

The attached patch eliminates that problem.

-Tom

On Thursday 21 July 2011 01:21:42 Tom Eastep wrote:
> On 7/20/11 4:56 PM, Steven Jan Springl wrote:
> > Sorry, I missed that.
> >
> > If I change the rule to:
> >
> > LOG:LOGMARK(1,0) lan fw tcp 100
> >
> > The following messages are produced:
> >
> > Use of uninitialized value $sublevel in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Config.pm line 2152, <$currentfile>
> > line 18.
> >
> > Use of uninitialized value $sublevel in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Config.pm line 2159, <$currentfile>
> > line 18.
> >
> > iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level"
> > option: "--log-prefix"
>
> Steven,
>
> The attached patch eliminates that problem.
>
> -Tom

Tom

That's fixed it. Thanks.

Steven.

On 7/20/11 5:30 PM, Steven Jan Springl wrote:
> That's fixed it. Thanks.

Thanks, Steven

-Tom
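
The two failure modes reported in this thread (a `!` emitted after `--dport`, and an option such as `--dport` or `--log-level` emitted with no value, so that iptables-restore takes the next token as its value), as an added Python example that is not part of the original messages and is not Shorewall's Perl code. The names `dport_args`, `build_rule` and `lint` are hypothetical, and `dport_args` is assumed to accept only numeric ports and `low:high` ranges.

```python
import re
import shlex

# Options that appear in the rules quoted in this thread; each takes one value.
VALUE_OPTIONS = {"--dport", "--log-level", "--log-prefix"}

# Generated rules copied from the reports in this thread.
REPORTED = [
    "-A lan2fw -p 6 --dport ! 987 -j ACCEPT",
    "-A lan2fw -p 6 --dport ! -j ACCEPT",
    "-A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto 4/sec "
    "--hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip "
    '-j LOGMARK --log-level --log-prefix "Shorewall:la:"',
]


class RuleError(ValueError):
    """A rules-file column that must not reach iptables-restore."""


def dport_args(column):
    """Turn a port column ('987', '!987', '1024:2048') into argv tokens."""
    negate = column.startswith("!")
    spec = column[1:] if negate else column
    if not spec:
        # The 'ACCEPT lan fw tcp !' case: negation with nothing to negate.
        raise RuleError(f"no port given in {column!r}")
    if not re.fullmatch(r"\d{1,5}(:\d{1,5})?", spec):
        raise RuleError(f"invalid port specification {column!r}")
    if any(int(p) > 65535 for p in spec.split(":")):
        raise RuleError(f"port out of range in {column!r}")
    # Extrapositioned form: '!' goes before the option it negates.
    return (["!"] if negate else []) + ["--dport", spec]


def build_rule(chain, proto, column, target):
    """Assemble one iptables-restore line from validated pieces."""
    parts = ["-A", chain, "-p", str(proto), *dport_args(column), "-j", target]
    return " ".join(parts)


def lint(line):
    """List problems in a generated rule line before it is loaded."""
    findings = []
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok not in VALUE_OPTIONS:
            continue
        rest = tokens[i + 1:]
        if rest and rest[0] == "!":
            findings.append(f"intrapositioned negation after {tok}")
            rest = rest[1:]
        # Heuristic: a following token that starts with '-' is another option,
        # so this option was written without a value.
        if not rest or rest[0].startswith("-"):
            findings.append(f"{tok} has no value")
    return findings


if __name__ == "__main__":
    for line in REPORTED:
        print(lint(line), "<-", line)
    print(build_rule("lan2fw", 6, "!987", "ACCEPT"))
```

Rejecting the column at compile time keeps a malformed line out of the iptables-restore input, and linting the generated file catches the same class of error from any other code path.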