Hello,

The idea in using 'shorewall refresh' would be to re-apply an existing TC configuration. In other words, 'shorewall restart' was already executed (and included a TC config), and sometime later, a 'refresh' would be done, using the same config files. The problem seems to be that the 'refresh' command does not seem to accept a directory for the config files, like the 'restart' command does. E.g., given a set of config files in /tmp/shorewall/ :

# shorewall restart /tmp/shorewall
Compiling...
[...]
Processing /etc/shorewall/started ...
done.

# shorewall refresh /tmp/shorewall
Compiling...
Loading Modules...
ERROR: The 'zones' file does not exist or has zero size

Maybe it does not take any param in this case and works with files present in /var/. The documentation surely suggests this for re-applying tcrules.

# shorewall refresh
Compiling...
Loading Modules...
ERROR: The 'zones' file does not exist or has zero size

Sure enough, if the config files are copied into the standard location...:

# cp /tmp/shorewall/* /etc/shorewall/
# shorewall refresh
Compiling...
Running iptables-restore...
done.

Would it be possible to have the refresh command also take a directory as a parameter ?

Thanks.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 05/02/2012 10:24 AM, Fred Maillou wrote:
> Hello,
>
> The idea in using 'shorewall refresh' would be to re-apply an existing
> TC configuration. In other words, 'shorewall restart' was already
> executed (and included a TC config), and sometime later, a 'refresh'
> would be done, using the same config files. The problem seems to be that
> the 'refresh' command does not seem to accept a directory for the config
> files, like the 'restart' command does. E.g., given a set of config files
> in /tmp/shorewall/ :
>
> # shorewall restart /tmp/shorewall
> Compiling...
> [...]
> Processing /etc/shorewall/started ...
> done.
>
> # shorewall refresh /tmp/shorewall
> Compiling...
> Loading Modules...
> ERROR: The 'zones' file does not exist or has zero size

If you read the shorewall manpage, you will find:

    shorewall [trace|debug [nolock]] [-options] refresh [chain...]

So arguments to the refresh command are expected to be either chain names, table names (followed by ':'), or table-name:chain-name. To be able to unambiguously supply a directory name, we need to extend the syntax:

    shorewall [trace|debug [nolock]] [-options] refresh [-D directory ] [chain...]

Basic patch attached:

    patch /usr/share/shorewall/lib.cli-std < REFRESH.patch

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> To be able to unambiguously supply a directory name, we need to
> extend the syntax:
> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ] [chain...]
> Basic patch attached:

Thanks ! Will it be part of the next release as well ?

________________________________
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Sent: Wednesday, 2 May 2012, 13:57
Subject: Re: [Shorewall-users] shorewall refresh

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 05/02/2012 01:10 PM, Fred Maillou wrote:
>> To be able to unambiguously supply a directory name, we need to
>> extend the syntax:
>
>> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ]
> [chain...]
>
>> Basic patch attached:
>
> Thanks ! Will it be part of the next release as well ?
>

It will be in Shorewall 4.5.3 Beta 2

-Tom
>>> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ] [chain...]
>>> Basic patch attached:
>> Thanks ! Will it be part of the next release as well ?
> It will be in Shorewall 4.5.3 Beta 2

The patch works fine. Although so far it seems that 'refresh' is not a big time saver. Which is what I'd expected, since a full compile was not done. Runs of 'restart' and 'refresh' just about score the same time, with 'refresh' even at times being a second slower. Is 'refresh' supposed to be quicker at all ? I haven't read that it would be, I think, but I assumed it would, when the full compilation step is saved.

Thanks !
On 5/4/12 7:16 AM, Fred Maillou wrote:
>>>> shorewall [trace|debug [nolock]] [-options] refresh [-D directory ]
> [chain...]
>
>>>> Basic patch attached:
>
>>> Thanks ! Will it be part of the next release as well ?
>
>> It will be in Shorewall 4.5.3 Beta 2
>
> The patch works fine. Although so far it seems that 'refresh' is
> not a big time saver. Which is what I'd expected, since a
> full compile was not done. Runs of 'restart' and 'refresh' just
> about score the same time, with 'refresh' even at times being a
> second slower. Is 'refresh' supposed to be quicker at all
> ? I haven't read that it would be, I think, but I assumed it
> would, when the full compilation step is saved.

The compilation step is the same either way.

-Tom
> The compilation step is the same either way.

I assumed wrongly. And yes, the documentation is rather clear. Nevertheless, is there a way to re-apply a firewall/traffic control config in such a way that it'd be quicker than the original compile ? Perhaps by using /var/lib/shorewall/firewall ? For that matter, would simply executing this file save the compilation step ?

Thanks.

________________________________
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Sent: Friday, 4 May 2012, 11:08
Subject: Re: [Shorewall-users] Re : Re : shorewall refresh
On 05/04/2012 08:33 AM, Fred Maillou wrote:
>> The compilation step is the same either way.
>
> I assumed wrongly. And yes, the documentation is rather clear.
> Nevertheless, is there a way to re-apply a firewall/traffic control config
> in such a way that it'd be quicker than the original compile ? Perhaps
> by using /var/lib/shorewall/firewall ? For that matter, would simply
> executing this file save the compilation step ?
>

Yes.

    /var/lib/shorewall/firewall restart

or

    /var/lib/shorewall/firewall refresh

In general, you can avoid the compilation step by setting AUTOMAKE=Yes in shorewall.conf (which is what I do). Then 'start' and 'restart' just run /var/lib/shorewall/firewall unless something in /etc/shorewall or /usr/share/shorewall/ has changed.

-Tom
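Tom's last reply describes the AUTOMAKE=Yes behaviour: the compiled script /var/lib/shorewall/firewall is run directly unless something under /etc/shorewall or /usr/share/shorewall/ is newer than it. The following is an added example, not code from Shorewall or from anyone in this thread, that reproduces that decision as a small POSIX sh wrapper and adds the check a practitioner would want before compiling from an alternate directory such as the /tmp/shorewall used earlier in the thread: the compiled script is executed as root, so a config directory (or any file in it) that other users can write lets those users supply the firewall rules. The path /var/lib/shorewall/firewall and the 'restart'/'refresh' arguments come from the thread; the 'shorewall compile [directory] [pathname]' invocation is assumed from the Shorewall manpage, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Shorewall code): an AUTOMAKE-style wrapper that
# re-runs the already compiled script when nothing changed, and refuses
# to compile from a config directory that other users can modify.

# needs_recompile COMPILED_SCRIPT CONFIG_DIR...
# Succeeds (exit 0) when the compiled script is missing or any regular
# file under the config directories is newer than it; fails otherwise.
# This is the same timestamp test AUTOMAKE=Yes performs (assumption).
needs_recompile() {
    script=$1; shift
    [ -f "$script" ] || return 0
    for dir in "$@"; do
        if find "$dir" -type f -newer "$script" 2>/dev/null | grep -q .; then
            return 0
        fi
    done
    return 1
}

# config_dir_safe CONFIG_DIR [OWNER]
# Succeeds when every entry in the tree is owned by OWNER (default: the
# invoking user) and none is group- or world-writable.  Lists offending
# paths on stderr and fails otherwise.  A world-writable /tmp/shorewall
# would fail here, which is the point: whatever is compiled from it
# ends up in a script that runs as root.
config_dir_safe() {
    dir=$1
    owner=${2:-$(id -un)}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'unsafe config entries (owner/permissions):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# apply_firewall COMMAND COMPILED_SCRIPT CONFIG_DIR
# COMMAND is "restart" or "refresh" (the arguments the compiled script
# accepts per the thread).  Recompiles first only when the config or the
# Shorewall library files changed; the real check is delegated to the
# "shorewall compile [directory] [pathname]" command (assumed syntax).
apply_firewall() {
    cmd=$1; script=$2; cfg=$3
    config_dir_safe "$cfg" root || return 1
    if needs_recompile "$script" "$cfg" /usr/share/shorewall; then
        echo "configuration changed, recompiling from $cfg" >&2
        shorewall compile "$cfg" "$script" || return 1
    fi
    "$script" "$cmd"
}

# Stand-alone use: ./wrapper.sh restart|refresh
case ${1:-} in
    restart|refresh) apply_firewall "$1" /var/lib/shorewall/firewall /etc/shorewall ;;
esac
```

Running the compiled script directly skips the compile step exactly as Tom says, but it also skips any check that the script still matches the configuration; needs_recompile restores that with the same "is anything newer" rule, and config_dir_safe makes sure a directory handed to 'restart' or 'refresh -D' is one that only root could have written.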