Jul 31 03:25:25 home kernel: Linux version 3.5.0-gentoo (root@home) (gcc version 4.5.3 (Gentoo 4.5.3-r2 p1.1, pie-0.4.7) ) #1 SMP Tue Jul 31 03:18:58 CEST 2012 Jul 31 05:12:13 home kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead. is shorewall ready ? -- Benny Pedersen ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 07/31/2012 01:36 PM, Benny Pedersen wrote:> Jul 31 03:25:25 home kernel: Linux version 3.5.0-gentoo (root@home) > (gcc version 4.5.3 (Gentoo 4.5.3-r2 p1.1, pie-0.4.7) ) #1 SMP Tue Jul 31 > 03:18:58 CEST 2012 > Jul 31 05:12:13 home kernel: nf_conntrack: automatic helper assignment > is deprecated and it will be removed soon. Use the iptables CT target to > attach helpers instead. > > is shorewall ready ? >No -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Den 2012-07-31 22:52, Tom Eastep skrev:>> Jul 31 05:12:13 home kernel: nf_conntrack: automatic helper >> assignment >> is deprecated and it will be removed soon. Use the iptables CT >> target to >> attach helpers instead.>> is shorewall ready ?> Noi see soon, so old shorewalls still work in depricated mode, as long kernel.org says soon :=) i will make a gentoo bug on this so new kernels cant be maked stable before shorewall works, olso xtables-addons fails with 3.5.0, just so other knows ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 07/31/2012 02:17 PM, Benny Pedersen wrote:> Den 2012-07-31 22:52, Tom Eastep skrev: > >>> Jul 31 05:12:13 home kernel: nf_conntrack: automatic helper >>> assignment >>> is deprecated and it will be removed soon. Use the iptables CT >>> target to >>> attach helpers instead. > >>> is shorewall ready ? > >> No > > i see soon, so old shorewalls still work in depricated mode, as long > kernel.org says soon :=) > > i will make a gentoo bug on this so new kernels cant be maked stable > before shorewall works, olso xtables-addons fails with 3.5.0, just so > other knowsShorewall supports the iptables CT target now (see shorewall-notrack(5)); the problem is that when the deprecated mode is turned off, everyone who uses helpers (which is almost 100% of the Shorewall user base) will have to change their configuration in an unintuitive way. My challenge is to determine how to make the transition smoother. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Benny Pedersen
2012-Jul-31 22:55 UTC
Re: linux kernel 3.5.0 (https://bugs.gentoo.org/show_bug.cgi?id=429270)
Den 2012-07-31 23:40, Tom Eastep skrev:> Shorewall supports the iptables CT target now (see > shorewall-notrack(5)); the problem is that when the deprecated mode > is > turned off, everyone who uses helpers (which is almost 100% of the > Shorewall user base) will have to change their configuration in an > unintuitive way.yes its need more dokumention before rule out, you say xtables-addons geoip module works from notrack ? since geoip is public avail in csv files it would make an php to convert it to shorewall blacklist format, much more stable for me :=)> My challenge is to determine how to make the transition smoother.changed subject if some want to follow it ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Tom Eastep
2012-Aug-01 00:55 UTC
Re: linux kernel 3.5.0 (https://bugs.gentoo.org/show_bug.cgi?id=429270)
On 7/31/12 3:55 PM, "Benny Pedersen" <me@junc.org> wrote:>Den 2012-07-31 23:40, Tom Eastep skrev: >> Shorewall supports the iptables CT target now (see >> shorewall-notrack(5)); the problem is that when the deprecated mode >> is >> turned off, everyone who uses helpers (which is almost 100% of the >> Shorewall user base) will have to change their configuration in an >> unintuitive way. > >yes its need more dokumention before rule out, you say xtables-addons >geoip module works from notrack ?No -- and I''m unlikely to add such support, given how expensive a call to geoip is.> >since geoip is public avail in csv files it would make an php to >convert it to shorewall blacklist format, much more stable for me :=)I won''t put blacklisting in the notrack file; it''s way too expensive at runtime. -Tom You do not need a parachute to skydive. You only need a parachute to skydive twice. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Benny Pedersen
2012-Aug-01 03:31 UTC
Re: linux kernel 3.5.0 (https://bugs.gentoo.org/show_bug.cgi?id=429270)
Den 2012-08-01 02:55, Tom Eastep skrev:> No -- and I''m unlikely to add such support, given how expensive a > call to > geoip is.if xtables addons will not work with kernel 3.5+ i will not use it :) i ment to translate http://www.maxmind.com/app/csv into shorewall blacklist include files in php, and hope shorewall will continue to work with all future kernels without need recompile of userland kernel modules> I won''t put blacklisting in the notrack file; it''s way too expensive > at > runtime.super, i stay away from that so ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/