Neil Watson
2012-Feb-24 19:16 UTC
how to compare shorewall config versus live iptables rules?
Greetings,

I'm new to Shorewall but not to working with Iptables. Shorewall is the simplest firewall front end I have found thus far. I'm currently trying to build a Cfengine policy to maintain Shorewall configurations. My main problem at the moment is confirming that the running iptables rules match what Shorewall originally built.

If I understand Shorewall correctly the file /var/lib/shorewall/.iptables-restore-input is built by Shorewall during a start or restart. My goal was to have a mechanism to compare a current iptables-save to .iptables-restore-input to see if they match. Alas it seems that the syntax of the two files differs.

root@sol:~/inputs# iptables-save |grep 113
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject

root@sol:~/inputs# grep 113 /var/lib/shorewall/.iptables-restore-input
-A Drop -p 6 --dport 113 -j reject -m comment --comment "Auth"
-A Reject -p 6 --dport 113 -j reject -m comment --comment "Auth"

It is my hope that list members who have better Shorewall know-how might be able to suggest a way to achieve my goal. How can I check that Shorewall's rules match the current running Iptables rules?

Sincerely,

-- 
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
Tom Eastep
2012-Feb-24 21:46 UTC
Re: how to compare shorewall config versus live iptables rules?
On 02/24/2012 11:16 AM, Neil Watson wrote:
> It is my hope that list members who have better Shorewall know-how might
> be able to suggest a way to achieve my goal. How can I check that
> Shorewall's rules match the current running Iptables rules?

Can't you simply

iptables-save > file1

using your own ruleset and

iptables-save > file2

with the Shorewall-generated ruleset loaded, then compare file1 and file2?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Neil Watson
2012-Feb-24 21:51 UTC
Re: how to compare shorewall config versus live iptables rules?
On Fri, Feb 24, 2012 at 01:46:40PM -0800, Tom Eastep wrote:
> Can't you simply
>
> iptables-save > file1
>
> using your own ruleset and
>
> iptables-save > file2
>
> with the Shorewall-generated ruleset loaded, then compare file1 and file2?

The counters have to be cleared and the comments removed, but yes, this does work. I was hoping for a way that involved fewer steps.

-- 
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Tom Eastep
2012-Feb-24 22:54 UTC
Re: how to compare shorewall config versus live iptables rules?
On 02/24/2012 01:51 PM, Neil Watson wrote:
> On Fri, Feb 24, 2012 at 01:46:40PM -0800, Tom Eastep wrote:
>> Can't you simply
>>
>> iptables-save > file1
>>
>> using your own ruleset and
>>
>> iptables-save > file2
>>
>> with the Shorewall-generated ruleset loaded, then compare file1 and file2?
>
> The counters have to be cleared and the comments removed, but yes, this
> does work. I was hoping for a way that involved fewer steps.

If you are referring to the comments that Shorewall adds to macro expansions, those can be disabled by setting AUTO_COMMENT=No in shorewall.conf.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2012-Feb-24 23:40 UTC
Re: how to compare shorewall config versus live iptables rules?
On 02/24/2012 02:54 PM, Tom Eastep wrote:
> On 02/24/2012 01:51 PM, Neil Watson wrote:
>> On Fri, Feb 24, 2012 at 01:46:40PM -0800, Tom Eastep wrote:
>>> Can't you simply
>>>
>>> iptables-save > file1
>>>
>>> using your own ruleset and
>>>
>>> iptables-save > file2
>>>
>>> with the Shorewall-generated ruleset loaded, then compare file1 and file2?
>>
>> The counters have to be cleared and the comments removed, but yes, this
>> does work. I was hoping for a way that involved fewer steps.
>
> If you are referring to the comments that Shorewall adds to macro
> expansions, those can be disabled by setting AUTO_COMMENT=No in
> shorewall.conf.

And counts only appear in the output when the -c option is used.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Neil Watson
2012-Feb-25 00:35 UTC
Re: how to compare shorewall config versus live iptables rules?
Even though comments may be removed on the Shorewall side, they are always on the iptables-save side. But that is one less step. Still, some of the command options are reversed by Shorewall (see original post), so the cached file still does me no good. By counters I mean the numbers between [].

root@sol:~/inputs# iptables-save |head
# Generated by iptables-save v1.4.8 on Fri Feb 24 19:32:09 2012
*raw
:PREROUTING ACCEPT [224:21804]
:OUTPUT ACCEPT [81:9058]
COMMIT
# Completed on Fri Feb 24 19:32:09 2012
# Generated by iptables-save v1.4.8 on Fri Feb 24 19:32:09 2012
*nat
:PREROUTING ACCEPT [12:796]
:POSTROUTING ACCEPT [17:1072]

-- 
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Tom Eastep
2012-Feb-25 03:11 UTC
Re: how to compare shorewall config versus live iptables rules?
On Feb 24, 2012, at 4:35 PM, Neil Watson wrote:
> Even though comments may be removed on the Shorewall side, they are
> always on the iptables-save side. But that is one less step. Still, some
> of the command options are reversed by Shorewall (see original post), so
> the cached file still does me no good. By counters I mean the numbers
> between [].
>
> root@sol:~/inputs# iptables-save |head
> # Generated by iptables-save v1.4.8 on Fri Feb 24 19:32:09 2012
> *raw
> :PREROUTING ACCEPT [224:21804]
> :OUTPUT ACCEPT [81:9058]
> COMMIT
> # Completed on Fri Feb 24 19:32:09 2012
> # Generated by iptables-save v1.4.8 on Fri Feb 24 19:32:09 2012
> *nat
> :PREROUTING ACCEPT [12:796]
> :POSTROUTING ACCEPT [17:1072]

Looks like someone at your site decided it would be a good idea to add an alias like this:

alias iptables-save='iptables-save -c'

iptables-save outputs "[0:0]" unless the -c option is present.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Neil Watson
2012-Feb-25 14:24 UTC
Re: how to compare shorewall config versus live iptables rules?
I don't see any evidence of an alias. Further, using the -c results in more counters (for each rule, by the look of it). Note the last line in each example.

ettin:~# iptables-save |head
# Generated by iptables-save v1.4.8 on Sat Feb 25 09:21:36 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4076X18542.0 - [0:0]
:Cid4731X25627.0 - [0:0]
:Cid4761X25627.0 - [0:0]
:Cid4783X25627.0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

ettin:~# iptables-save -c |head
# Generated by iptables-save v1.4.8 on Sat Feb 25 09:21:39 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4076X18542.0 - [0:0]
:Cid4731X25627.0 - [0:0]
:Cid4761X25627.0 - [0:0]
:Cid4783X25627.0 - [0:0]
[906133:483803362] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-- 
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
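An added example, written for this page and not code from Shorewall or from either poster, that does the normalisation the whole thread circles around. It canonicalises both a live iptables-save dump and Shorewall's .iptables-restore-input so that Tom's "dump both, then compare" approach works without hand-stripping the [pkts:bytes] counters or the comments, and so that the "-p 6" versus "-p tcp -m tcp" and option-order differences from the original post no longer register as drift; rule order within a chain is still compared strictly, because first match wins. Assumptions: PROTO_NAMES is a hand-picked subset of /etc/protocols; .iptables-restore-input is assumed to use the same "*table", ":CHAIN POLICY [n:n]" and COMMIT layout as iptables-save (only its rule lines appear in the thread); the sample dumps LIVE, GENERATED and DRIFTED are constructed from the fragments quoted above, with one hand-inserted rule added to DRIFTED. Python is used because the canonicalisation is more than a sed one-liner.

```python
"""Added example, not Shorewall code: canonicalise an iptables-save dump and Shorewall's
.iptables-restore-input so the two can be compared rule for rule despite [pkts:bytes]
counters, "-p 6" versus "-p tcp -m tcp", "-m comment" placement and option order."""
import re
import shlex

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre", "50": "esp"}  # assumed subset
IMPLICIT = {"tcp", "udp", "icmp"}  # "-m tcp" after "-p tcp" carries no information
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]")
_EMPTY_TABLE = {"policy": {}, "rules": {}}


def _group_options(tokens):
    # ['-p','6','!','-s','10.0.0.1'] -> [[False,'-p',['6']], [True,'-s',['10.0.0.1']]]
    groups, negate = [], False
    for tok in tokens:
        if tok == "!":
            negate = True
        elif tok.startswith("-"):  # caveat: a quoted value beginning with '-' is misread
            groups.append([negate, tok, []])
            negate = False
        elif groups:
            groups[-1][2].append(tok)
        else:
            raise ValueError("value before any option: %r" % tok)
    return groups


def normalize_rule(line, keep_comments=False):
    """Canonical text of an '-A CHAIN ...' line, or None if the line is not a rule."""
    line = COUNTER_RE.sub("", line).strip()  # counters that iptables-save -c prepends
    if not line.startswith("-A "):
        return None
    groups, proto = _group_options(shlex.split(line)), None
    for _, opt, args in groups:
        if opt in ("-p", "--protocol") and args:
            args[0] = proto = PROTO_NAMES.get(args[0], args[0]).lower()  # "-p 6" -> "-p tcp"
    matches, target = [], []
    for neg, opt, args in groups[1:]:
        is_match = opt in ("-m", "--match")
        if (not keep_comments and (opt == "--comment" or is_match and args[:1] == ["comment"])) \
                or (is_match and args[:1] == [proto] and proto in IMPLICIT):
            continue
        text = ("! " if neg else "") + " ".join([opt] + [shlex.quote(a) for a in args])
        # target last, everything else sorted: not pretty, but deterministic on both sides
        (target if opt in ("-j", "--jump", "-g", "--goto") else matches).append(text)
    return " ".join(["-A " + groups[0][2][0]] + sorted(matches) + target)


def parse_dump(text, keep_comments=False):
    """{table: {"policy": {chain: policy}, "rules": {chain: [canonical rule, ...]}}}"""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("line outside a table: %r" % raw)
        elif line.startswith(":"):  # ":INPUT DROP [224:21804]" -> policy DROP
            name, policy = COUNTER_RE.sub("", line[1:]).split()
            table["policy"][name] = policy
            table["rules"].setdefault(name, [])
        else:
            rule = normalize_rule(line, keep_comments)
            if rule is None:
                raise ValueError("unsupported line: %r" % raw)
            table["rules"].setdefault(rule.split()[1], []).append(rule)
    return tables


def compare(expected, live):
    """Human-readable discrepancies; an empty list means the live ruleset matches."""
    out = []
    for t in sorted(set(expected) | set(live)):
        e, l = (d.get(t, _EMPTY_TABLE) for d in (expected, live))
        for c in sorted(set(e["policy"]) | set(l["policy"])):
            if e["policy"].get(c) != l["policy"].get(c):
                out.append("%s/%s: policy %s, live %s" % (t, c, e["policy"].get(c), l["policy"].get(c)))
        for c in sorted(set(e["rules"]) | set(l["rules"])):
            er, lr = e["rules"].get(c, []), l["rules"].get(c, [])
            if er != lr:  # order matters: the first matching rule wins
                out.append("%s/%s: expected %s, live %s" % (t, c, er, lr))
    return out


# Constructed sample dumps, assembled from the fragments quoted in this thread.
LIVE = """\
# Generated by iptables-save v1.4.8 on Fri Feb 24 19:32:09 2012
*filter
:INPUT DROP [224:21804]
[906133:483803362] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
COMMIT
"""
GENERATED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Drop -p 6 --dport 113 -j reject -m comment --comment "Auth"
COMMIT
"""
# The same box after someone inserted a rule by hand behind Shorewall's back.
DRIFTED = LIVE.replace("-j ACCEPT\n", "-j ACCEPT\n-A INPUT -s 10.0.0.5 -j ACCEPT\n")


def audit(generated=GENERATED, live=LIVE):
    return compare(parse_dump(generated), parse_dump(live))
```

To use it against a real box, replace the samples with the file contents, for example parse_dump(open('/var/lib/shorewall/.iptables-restore-input').read()) on one side and parse_dump(subprocess.check_output(['iptables-save']).decode()) on the other; a Cfengine check can treat a non-empty result from compare() as a failed promise. Two caveats: the canonical form sorts options, so it ignores where an option sits but not what it says, and it does not fold equivalent matches such as -m state versus -m conntrack, so a rule that was rewritten that way will still be reported as drift, which is usually what you want to see.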