Shorewall users - Jul 2011 - Shorewall 4.4.22 Beta 2

Beta 2 is now ready for testing.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

4.4.22 Beta 2

1)  Corrected an error produced by this rule:

        Broadcast(ACCEPT)	all	all	all

2)  Corrected a problem which manifested as the following:

    	iptables-restore v1.4.11.1: Couldn''t load match `cmd'':No
such
        file or directory

The new rules implementation has been adopted in several of the Perl
modules. I don''t intend to add them more widely in 4.4.22. I think that
is 4.5 material.

Note: The release notes in the release are from Beta 1; my web site has
the updated copy which will be distributed to the mirrors shortly.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Storage Efficiency Calculator
This modeling tool is based on patent-pending intellectual property that
has been used successfully in hundreds of IBM storage optimization engage-
ments, worldwide.  Store less, Store more with what you own, Move data to 
the right place. Try It Now! http://www.accelacomm.com/jaw/sfnl/114/51427378/

Tom

Rule:

ACCEPT  lan  fw  tcp  !987

generates the following ipatbles rule:

-A lan2fw -p 6 --dport ! 987 -j ACCEPT

which produces the following message:

Using intrapositioned negation (`--option ! this`) is deprecated in favor of 
extrapositioned (`! --option this`).

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Wed, 2011-07-20 at 21:29 +0100, Steven Jan Springl wrote:
> Rule:
> 
> ACCEPT  lan  fw  tcp  !987
> 
> generates the following ipatbles rule:
> 
> -A lan2fw -p 6 --dport ! 987 -j ACCEPT
> 
> which produces the following message:
> 
> Using intrapositioned negation (`--option ! this`) is deprecated in favor
of
> extrapositioned (`! --option this`).
Steven,

This seems to fix it.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
> On Wed, 2011-07-20 at 21:29 +0100, Steven Jan Springl wrote:
> > Rule:
> >
> > ACCEPT  lan  fw  tcp  !987
> >
> > generates the following ipatbles rule:
> >
> > -A lan2fw -p 6 --dport ! 987 -j ACCEPT
> >
> > which produces the following message:
> >
> > Using intrapositioned negation (`--option ! this`) is deprecated in
favor
> > of extrapositioned (`! --option this`).
>
> Steven,
>
> This seems to fix it.
>
> Thanks,
> -Tom
Tom

Confirmed, that''s fixed it. Thnaks.

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On 7/20/11 2:47 PM, Steven Jan Springl wrote:
> On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
> Confirmed, that''s fixed it. Thnaks.
Thanks, Steven
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Wednesday 20 July 2011 22:50:04 Tom Eastep wrote:
> On 7/20/11 2:47 PM, Steven Jan Springl wrote:
> > On Wednesday 20 July 2011 22:41:45 Tom Eastep wrote:
> >
> > Confirmed, that''s fixed it. Thnaks.
>
Tom

Invalid rule:

ACCEPT  lan  fw  tcp !

generates iptables rule:

-A lan2fw -p 6 --dport ! -j ACCEPT

which produces the following messages:

Using intrapositioned negation (`--option ! this`) is deprecated in favor of 
extrapositioned (`! --option this`).

iptables-restore v1.4.11.1: invalid port/service `-j'' specified

Steven.


------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Wed, 2011-07-20 at 23:40 +0100, Steven Jan Springl wrote:
> Invalid rule:
> 
> ACCEPT  lan  fw  tcp !
> 
> generates iptables rule:
> 
> -A lan2fw -p 6 --dport ! -j ACCEPT
> 
> which produces the following messages:
> 
> Using intrapositioned negation (`--option ! this`) is deprecated in favor
of
> extrapositioned (`! --option this`).
> 
> iptables-restore v1.4.11.1: invalid port/service `-j'' specified
Steven,

Looks like a problem in earlier versions as well.

The attached patch traps that situation.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Wednesday 20 July 2011 23:54:49 Tom Eastep wrote:
> On Wed, 2011-07-20 at 23:40 +0100, Steven Jan Springl wrote:
> > Invalid rule:
> >
> > ACCEPT  lan  fw  tcp !
> >
> > generates iptables rule:
> >
> > -A lan2fw -p 6 --dport ! -j ACCEPT
> >
> > which produces the following messages:
> >
> > Using intrapositioned negation (`--option ! this`) is deprecated in
favor
> > of extrapositioned (`! --option this`).
> >
> > iptables-restore v1.4.11.1: invalid port/service `-j''
specified
>
> Steven,
>
> Looks like a problem in earlier versions as well.
>
> The attached patch traps that situation.
>
> Thanks,
> -Tom
Tom

Confirmed, the patch fixes the issue. Thanks

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On 7/20/11 4:05 PM, Steven Jan Springl wrote:
> On Wednesday 20 July 2011 23:54:49 Tom Eastep wrote:
> Confirmed, the patch fixes the issue. Thanks
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

Tom

To get the following rule to work, I applied the LOGMARK patch that you wrote 
for Ed W.

LOG:LOGMARK(info)  lan  fw  tcp  100

If I change the rule to:

LOG:LOGMARK()  lan  fw  tcp  100

The following iptables rule is generated:

-A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto 
4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j 
LOGMARK --log-level --log-prefix "Shorewall:la:"

which produces the following messages:

Use of uninitialized value $sublevel in pattern match (m//) 
at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile> line
18.

Use of uninitialized value $sublevel in concatenation (.) or string 
at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile> line
18.

iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" 
option: "--log-prefix"

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> To get the following rule to work, I applied the LOGMARK patch that you
wrote
> for Ed W.
> 
> LOG:LOGMARK(info)  lan  fw  tcp  100
> 
> If I change the rule to:
> 
> LOG:LOGMARK()  lan  fw  tcp  100
> 
> The following iptables rule is generated:
> 
> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto 
> 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip
-j
> LOGMARK --log-level --log-prefix "Shorewall:la:"
> 
> which produces the following messages:
> 
> Use of uninitialized value $sublevel in pattern match (m//) 
> at /usr/share/shorewall/Shorewall/Config.pm line 2145, <$currentfile>
line
> 18.
> 
> Use of uninitialized value $sublevel in concatenation (.) or string 
> at /usr/share/shorewall/Shorewall/Config.pm line 2149, <$currentfile>
line
> 18.
> 
> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" 
> option: "--log-prefix"
Steven,

I had already changed the LOGMARK implementation to make the parameter
optional (default is 6). See if this doesn''t correct that problem.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> > To get the following rule to work, I applied the LOGMARK patch that
you
> > wrote for Ed W.
> >
> > LOG:LOGMARK(info)  lan  fw  tcp  100
> >
> > If I change the rule to:
> >
> > LOG:LOGMARK()  lan  fw  tcp  100
> >
> > The following iptables rule is generated:
> >
> > -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
> > 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode
dstip
> > -j LOGMARK --log-level --log-prefix "Shorewall:la:"
> >
> > which produces the following messages:
> >
> > Use of uninitialized value $sublevel in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Config.pm line 2145,
<$currentfile>
> > line 18.
> >
> > Use of uninitialized value $sublevel in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Config.pm line 2149,
<$currentfile>
> > line 18.
> >
> > iptables-restore v1.4.11.1: LOGMARK: Bad value for
"--log-level"
> > option: "--log-prefix"
>
> Steven,
>
> I had already changed the LOGMARK implementation to make the parameter
> optional (default is 6). See if this doesn''t correct that problem.
>
> Thanks,
> -Tom
Tom

After applying the patch, I get the following message:

ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On 7/20/11 4:40 PM, Steven Jan Springl wrote:
> On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
>> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
>>> To get the following rule to work, I applied the LOGMARK patch that
you
>>> wrote for Ed W.
>>>
>>> LOG:LOGMARK(info)  lan  fw  tcp  100
>>>
>>> If I change the rule to:
>>>
>>> LOG:LOGMARK()  lan  fw  tcp  100
>>>
>>> The following iptables rule is generated:
>>>
>>> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
>>> 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode
dstip
>>> -j LOGMARK --log-level --log-prefix "Shorewall:la:"
>>>
>>> which produces the following messages:
>>>
>>> Use of uninitialized value $sublevel in pattern match (m//)
>>> at /usr/share/shorewall/Shorewall/Config.pm line 2145,
<$currentfile>
>>> line 18.
>>>
>>> Use of uninitialized value $sublevel in concatenation (.) or string
>>> at /usr/share/shorewall/Shorewall/Config.pm line 2149,
<$currentfile>
>>> line 18.
>>>
>>> iptables-restore v1.4.11.1: LOGMARK: Bad value for
"--log-level"
>>> option: "--log-prefix"
>>
>> Steven,
>>
>> I had already changed the LOGMARK implementation to make the parameter
>> optional (default is 6). See if this doesn''t correct that
problem.
>>
>> Thanks,
>> -Tom
> 
> Tom
> 
> After applying the patch, I get the following message:
> 
> ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)
That''s what I expected. The syntax shown in the manpage part of the
patch is:

	LOGMARK[(<priority>)]

where <priority> is a syslog priority. It doesn''t indicate that
<priority> is optional.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/

On Thursday 21 July 2011 00:45:36 Tom Eastep wrote:
> On 7/20/11 4:40 PM, Steven Jan Springl wrote:
> > On Thursday 21 July 2011 00:24:10 Tom Eastep wrote:
> >> On 7/20/11 4:14 PM, Steven Jan Springl wrote:
> >>> To get the following rule to work, I applied the LOGMARK patch
that you
> >>> wrote for Ed W.
> >>>
> >>> LOG:LOGMARK(info)  lan  fw  tcp  100
> >>>
> >>> If I change the rule to:
> >>>
> >>> LOG:LOGMARK()  lan  fw  tcp  100
> >>>
> >>> The following iptables rule is generated:
> >>>
> >>> -A lan2fw -p 6 --dport 100 -m hashlimit --hashlimit-upto
> >>> 4/sec --hashlimit-burst 8 --hashlimit-name lograte
--hashlimit-mode
> >>> dstip -j LOGMARK --log-level --log-prefix
"Shorewall:la:"
> >>>
> >>> which produces the following messages:
> >>>
> >>> Use of uninitialized value $sublevel in pattern match (m//)
> >>> at /usr/share/shorewall/Shorewall/Config.pm line 2145,
<$currentfile>
> >>> line 18.
> >>>
> >>> Use of uninitialized value $sublevel in concatenation (.) or
string
> >>> at /usr/share/shorewall/Shorewall/Config.pm line 2149,
<$currentfile>
> >>> line 18.
> >>>
> >>> iptables-restore v1.4.11.1: LOGMARK: Bad value for
"--log-level"
> >>> option: "--log-prefix"
> >>
> >> Steven,
> >>
> >> I had already changed the LOGMARK implementation to make the
parameter
> >> optional (default is 6). See if this doesn't correct that
problem.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > After applying the patch, I get the following message:
> >
> > ERROR: Invalid log level (LOGMARK()) : /etc/shorewallA/rules (line 18)
>
> That's what I expected. The syntax shown in the manpage part of the
> patch is:
>
> 	LOGMARK[(<priority>)]
>
> where <priority> is a syslog priority. It doesn't indicate that
> <priority> is optional.
>
> -Tom
Tom

Sorry, I missed that.

If I change the rule to:

LOG:LOGMARK(1,0)  lan  fw  tcp  100

The following message are produced:

Use of uninitialized value $sublevel in pattern match (m//) 
at /usr/share/shorewall/Shorewall/Config.pm line 2152, <$currentfile> line
18.

Use of uninitialized value $sublevel in concatenation (.) or string 
at /usr/share/shorewall/Shorewall/Config.pm line 2159, <$currentfile> line
18.

iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" 
option: "--log-prefix"

Steven.

------------------------------------------------------------------------------
10 Tips for Better Web Security
Learn 10 ways to better secure your business today. Topics covered include:
Web security, SSL, hacker attacks & Denial of Service (DoS), private keys,
security Microsoft Exchange, secure Instant Messaging, and much more.
http://www.accelacomm.com/jaw/sfnl/114/51426210/
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel

On 7/20/11 4:56 PM, Steven Jan Springl wrote:
> Sorry, I missed that.
> 
> If I change the rule to:
> 
> LOG:LOGMARK(1,0)  lan  fw  tcp  100
> 
> The following message are produced:
> 
> Use of uninitialized value $sublevel in pattern match (m//) 
> at /usr/share/shorewall/Shorewall/Config.pm line 2152, <$currentfile>
line
> 18.
> 
> Use of uninitialized value $sublevel in concatenation (.) or string 
> at /usr/share/shorewall/Shorewall/Config.pm line 2159, <$currentfile>
line
> 18.
> 
> iptables-restore v1.4.11.1: LOGMARK: Bad value for "--log-level" 
> option: "--log-prefix"
Steven,

The attached patch eliminates that problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
5 Ways to Improve & Secure Unified Communications
Unified Communications promises greater efficiencies for business. UC can 
improve internal communications as well as offer faster, more efficient ways
to interact with customers and streamline customer service. Learn more!
http://www.accelacomm.com/jaw/sfnl/114/51426253/

On Thursday 21 July 2011 01:21:42 Tom Eastep wrote:
> On 7/20/11 4:56 PM, Steven Jan Springl wrote:
> > Sorry, I missed that.
> >
> > If I change the rule to:
> >
> > LOG:LOGMARK(1,0)  lan  fw  tcp  100
> >
> > The following message are produced:
> >
> > Use of uninitialized value $sublevel in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Config.pm line 2152,
<$currentfile>
> > line 18.
> >
> > Use of uninitialized value $sublevel in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Config.pm line 2159,
<$currentfile>
> > line 18.
> >
> > iptables-restore v1.4.11.1: LOGMARK: Bad value for
"--log-level"
> > option: "--log-prefix"
>
> Steven,
>
> The attached patch eliminates that problem.
>
> -Tom
Tom

That''s fixed it. Thanks.

Steven.

------------------------------------------------------------------------------
5 Ways to Improve & Secure Unified Communications
Unified Communications promises greater efficiencies for business. UC can 
improve internal communications as well as offer faster, more efficient ways
to interact with customers and streamline customer service. Learn more!
http://www.accelacomm.com/jaw/sfnl/114/51426253/

On 7/20/11 5:30 PM, Steven Jan Springl wrote:
> That''s fixed it. Thanks.
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
5 Ways to Improve & Secure Unified Communications
Unified Communications promises greater efficiencies for business. UC can 
improve internal communications as well as offer faster, more efficient ways
to interact with customers and streamline customer service. Learn more!
http://www.accelacomm.com/jaw/sfnl/114/51426253/