hi,
in a master shorewall-lite setup before 4.5 it was possible to put such a line into params (on the master):

INCLUDE ../common/params

it's no longer possible since it gives this error:

/usr/share/shorewall/lib.common: line 708: /etc/shorewall/../common/params: No such file or directory

even if i try to create a symlink to ../common/params as params.common and

INCLUDE params.common

/usr/share/shorewall/lib.common: line 708: /etc/shorewall/params.common: No such file or directory

so neither relative paths nor local files can be included. imho it's a regression since it was possible before.

another note that it would be a good thing in a master-lite setup to check the master and lite shorewall version and if they are not "compatible" (means whatever the "compatible"). eg: 4.5.4 and 4.5.14 are not compatible :-(

--
Levente "Si vis pacem para bellum!"

On 4/8/13 11:56 AM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:

> hi,
> in a master shorewall-lite setup before 4.5 it was possible to put such
> a line into params (on the master):

Which Shorewall version were you using previously?

> another note that it would be a good thing in a master-lite setup to
> check the master and lite shorewall version and if they are not
> "compatible" (means whatever the "compatible"). eg: 4.5.4 and 4.5.14 are
> not compatible :-(

I know of no incompatibility issues between versions of Shorewall and Shorewall-lite. What compatibility problem are you seeing?

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

On 4/8/13 11:56 AM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:

> INCLUDE ../common/params
>
> it's no longer possible since it gives this error:
>
> /usr/share/shorewall/lib.common: line 708:
> /etc/shorewall/../common/params: No such file or directory

What is the current working directory when you see this? What command did you enter?

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

On 04/08/2013 11:56 PM, Tom Eastep wrote:

> I know of no incompatibility issues between versions of Shorewall and
> Shorewall-lite. What compatibility problem are you seeing?

different type of capabilities generated which can't be handled by the master (lite was 4.5.14 master 4.5.4), but i assume many other things can happen. eg: tos file no longer working as in 4.4. this was my previous tos file:

all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
all all tcp rsync - 8
all all tcp - rsync 8

which now gives iptables error. etc

--
Levente "Si vis pacem para bellum!"

On 04/08/2013 11:59 PM, Tom Eastep wrote:

> What is the current working directory when you see this? What command did
> you enter?

the master's directory for the lite server (which is the lite server's hostname) and the command:

/sbin/shorewall reload -s -c -T $(basename `pwd`)

--
Levente "Si vis pacem para bellum!"

On 4/8/13 3:11 PM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:

> different type of capabilities generated which can't be handled by the
> master (lite was 4.5.14 master 4.5.4),

Those just generate warnings -- they are not real incompatibilities.

> but i assume many other things
> can happen. eg: tos file no longer working as in 4.4.
> this was my previous tos file:
>
> all all tcp - ssh 16
> all all tcp ssh - 16
> all all tcp - ftp 16
> all all tcp ftp - 16
> all all tcp ftp-data - 8
> all all tcp - ftp-data 8
> all all tcp rsync - 8
> all all tcp - rsync 8
>
> which now gives iptables error. Etc

I fail to see how different versions of Shorewall and Shorewall-lite have anything to do with that.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

On 4/8/13 3:12 PM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:

> the master's directory for the lite server (which is the lite server's
> hostname) and the command:
> /sbin/shorewall reload -s -c -T $(basename `pwd`)

I'm unable to reproduce that result.

teastep@gateway:~/sami$ ls
common shorewall shorewall6
teastep@gateway:~/sami$ tail common/params
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
A=1
B=2
echo "A=1 and B=2"
#LAST LINE -- DO NOT REMOVE
teastep@gateway:~/sami$ cd shorewall
teastep@gateway:~/sami/shorewall$ cat params
INCLUDE ../common/params
teastep@gateway:~/sami/shorewall$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-xxtibA9344/agent.9344; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9345; export SSH_AGENT_PID;
echo Agent pid 9345;
teastep@gateway:~/sami/shorewall$ SSH_AUTH_SOCK=/tmp/ssh-xxtibA9344/agent.9344; export SSH_AUTH_SOCK;
teastep@gateway:~/sami/shorewall$ SSH_AGENT_PID=9345; export SSH_AGENT_PID;
teastep@gateway:~/sami/shorewall$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/teastep/.ssh/id_dsa:
Identity added: /home/teastep/.ssh/id_dsa (/home/teastep/.ssh/id_dsa)
teastep@gateway:~/sami/shorewall$ shorewall reload -s -c -T sami
A=1 and B=2
A=1 and B=2
Processing /home/teastep/sami/shorewall/params ...
A=1 and B=2
Processing /home/teastep/sami/shorewall/shorewall.conf...
Compiling /home/teastep/sami/shorewall/zones...
Compiling /home/teastep/sami/shorewall/interfaces...
Compiling /home/teastep/sami/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /home/teastep/sami/shorewall/policy...
Running /home/teastep/sami/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /home/teastep/sami/shorewall/providers...
Compiling /home/teastep/sami/shorewall/routes...
WARNING: No NULL_ROUTE_RFC1918 route added for 10.0.0.0/8; there is already a route to that network defined in the routes file at /usr/share/shorewall/Shorewall/Providers.pm line 1191
    Shorewall::Providers::setup_null_routing() called at /usr/share/shorewall/Shorewall/Providers.pm line 1520
    Shorewall::Providers::setup_providers() called at /usr/share/shorewall/Shorewall/Compiler.pm line 779
    Shorewall::Compiler::compiler('script', './firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 145
Compiling /home/teastep/sami/shorewall/arprules...
Compiling MAC Filtration -- Phase 1...
Compiling /home/teastep/sami/shorewall/rules...
Compiling /home/teastep/sami/shorewall/conntrack...
Compiling /home/teastep/sami/shorewall/tunnels...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /home/teastep/sami/shorewall/accounting...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Shorewall configuration compiled to /home/teastep/sami/shorewall/firewall
Copying /home/teastep/sami/shorewall/firewall and /home/teastep/sami/shorewall/firewall.conf to sami:/var/lib/shorewall-lite...
firewall 100% 89KB 88.8KB/s 00:00
firewall.conf 100% 996 1.0KB/s 00:00
Copy complete
Restarting Shorewall Lite....
Initializing...
Processing init user exit ...
Processing tcclear user exit ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Null Routing the RFC 1918 subnets
Preparing iptables-restore input...
Running /usr/local/sbin/iptables-restore...
Preparing arptables-restore input...
Running /sbin/arptables-restore...
IPv4 Forwarding Disabled!
Processing start user exit ...
Processing started user exit ...
done.
System sami reloaded
Currently-running Configuration Saved to /var/lib/shorewall-lite/restore
Configuration on system sami saved
teastep@gateway:~/sami/shorewall$

What are you doing different from the above?

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

On 04/09/2013 12:50 AM, Tom Eastep wrote:

> I'm unable to reproduce that result.

my dirs:
shorewall/{common,host1.example.com,host2.exmaple.com}

in shorewall/common/: there are a few macros and params (the common params eg: admin's network etc).

in shorewall/host1.example.com the config files and in the params the line:
INCLUDE ../common/params

--
Levente "Si vis pacem para bellum!"

On 04/09/2013 12:41 AM, Tom Eastep wrote:

>> which now gives iptables error. Etc
>
> I fail to see how different versions of Shorewall and Shorewall-lite have
> anything to do with that.

it's just another example when something goes wrong (which was working in 4.4):

Running /sbin/iptables-restore...
iptables-restore v1.3.5: Bad TOS value `0x10/0xff'
Error occurred at line: 32
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall-lite/.iptables-restore-input
Restoring Shorewall Lite...

--
Levente "Si vis pacem para bellum!"

On 04/09/2013 06:03 AM, Farkas Levente wrote:

> my dirs:
> shorewall/{common,host1.example.com,host2.exmaple.com}
>
> in shorewall/common/: there are a few macros and params (the common
> params eg: admin's network etc).
>
> in shorewall/host1.example.com the config files and in the params the line:
> INCLUDE ../common/params

Then your setup is the same as mine.

In your shorewall/host1.example.com/params file, please add a 'pwd' statement just before the INCLUDE and see what the output is.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 04/09/2013 06:08 AM, Farkas Levente wrote:
> On 04/09/2013 12:41 AM, Tom Eastep wrote:

>>> can happen. eg: tos file no longer working as in 4.4.
>>> this was my previous tos file:
>>>
>>> all all tcp - ssh 16
>>> all all tcp ssh - 16
>>> all all tcp - ftp 16
>>> all all tcp ftp - 16
>>> all all tcp ftp-data - 8
>>> all all tcp - ftp-data 8
>>> all all tcp rsync - 8
>>> all all tcp - rsync 8
>>>
>>> which now gives iptables error. Etc
>>
>> I fail to see how different versions of Shorewall and Shorewall-lite have
>> anything to do with that.
>
> it's just another example when something goes wrong (which was working
> in 4.4):
> Running /sbin/iptables-restore...
> iptables-restore v1.3.5: Bad TOS value `0x10/0xff'
> Error occurred at line: 32
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall-lite/.iptables-restore-input
> Restoring Shorewall Lite...

Okay -- but it has nothing to do with incompatible versions of Shorewall and Shorewall-lite. It rather has to do with the very old version of iptables that you are running; 0x10/0xff is accepted by later versions but not 1.3.5. I wasn't aware of that, and hence I inadvertently broke the 'tos' match on RHEL5-based systems. I need to add a new capability to fix that.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
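
The failure discussed in the message above, checked for on the administrative system before a compiled ruleset is pushed, as an added example that is not part of the thread and not Shorewall code: one helper pulls the rejected rule out of the restore input using the "Error occurred at line" number, the other lists every TOS argument written in value/mask form. The file names, rule lines and sample log are constructed; the thread does not show the rejected rule, so both `--tos` and `--set-tos` are checked as an assumption.

```sh
#!/bin/sh
# Added example, not Shorewall code. All sample data below is constructed.

# offending_rule LOG INPUT
# Print the rule iptables-restore rejected, using the line number from its
# "Error occurred at line: N" message. Returns 1 if the log has no such line.
offending_rule() {
    n=$(sed -n 's/^.*Error occurred at line: *\([0-9][0-9]*\).*$/\1/p' "$1" | head -n 1)
    [ -n "$n" ] || return 1
    sed -n "${n}p" "$2"
}

# find_masked_tos INPUT
# Print "N: rule" for each rule whose --tos (match) or --set-tos (target)
# argument is written as value/mask, the form iptables 1.3.5 rejects in the
# thread. Returns 0 if none found, 1 if any found, 2 if INPUT is unreadable.
find_masked_tos() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }    # skip comment lines
        {
            for (i = 1; i < NF; i++) {
                if (($i == "--tos" || $i == "--set-tos") &&
                    $(i + 1) ~ /^(0[xX][0-9a-fA-F]+|[0-9]+)\/(0[xX][0-9a-fA-F]+|[0-9]+)$/) {
                    printf "%d: %s\n", NR, $0
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# make_sample DIR
# Write a constructed restore input and a constructed error log into DIR.
make_sample() {
    cat > "$1/restore-input" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10/0xff
-A PREROUTING -p tcp --sport 22 -j TOS --set-tos 0x10/0xff
-A PREROUTING -p tcp --dport 873 -j TOS --set-tos 8
COMMIT
EOF
    cat > "$1/restore.log" <<'EOF'
Running /sbin/iptables-restore...
iptables-restore v1.3.5: Bad TOS value `0x10/0xff'
Error occurred at line: 3
ERROR: iptables-restore Failed.
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    echo "Rejected rule: $(offending_rule "$d/restore.log" "$d/restore-input")"
    echo "Rules with value/mask TOS arguments:"
    find_masked_tos "$d/restore-input" || true
    rm -rf "$d"
}

demo
```

On a Shorewall Lite system the input file to pass is the one the error output names, /var/lib/shorewall-lite/.iptables-restore-input.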

On 04/09/2013 03:44 PM, Tom Eastep wrote:

> Then your setup is the same as mine.
>
> In your shorewall/host1.example.com/params file, please add a
> 'pwd' statement just before the INCLUDE and see what the output
> is.

/home/lfarkas/work/lenux/shorewall/alpha.lenux.hu
/usr/share/shorewall/lib.common: line 708: /etc/shorewall/../common/params: No such file or directory

--
Levente "Si vis pacem para bellum!"

On 04/09/2013 07:56 AM, Farkas Levente wrote:

> /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu
> /usr/share/shorewall/lib.common: line 708:
> /etc/shorewall/../common/params: No such file or directory

Do you have a 'cd' command in ../common/params ?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 04/09/2013 06:45 PM, Tom Eastep wrote:

> Do you have a 'cd' command in ../common/params ?

no. there are only simple ip and hostname constants.

--
Levente "Si vis pacem para bellum!"

On 04/09/2013 02:38 PM, Farkas Levente wrote:
> On 04/09/2013 06:45 PM, Tom Eastep wrote:
>>
>> Do you have a 'cd' command in ../common/params ?
>
> no. there are only simple ip and hostname constants.

Okay -- please:

1) cd shorewall/host1.example.com
2) sh -x /sbin/shorewall compile -e . firewall 2> trace
3) Send me the 'trace' file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 4/9/13 3:28 PM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:

> On 04/09/2013 11:52 PM, Tom Eastep wrote:
>> Okay -- please:
>>
>> 1) cd shorewall/host1.example.com
>> 2) sh -x /sbin/shorewall compile -e . firewall 2> trace
>> 3) Send me the 'trace' file.
>>
>> -Tom

Farkas,

Is it possible for you to upgrade to 4.5.15? I believe that will resolve your issue.

Thanks,
-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 04/10/2013 01:08 AM, Tom Eastep wrote:
> On 4/9/13 3:28 PM, "Farkas Levente" <lfarkas@lfarkas.org> wrote:
>
>> On 04/09/2013 11:52 PM, Tom Eastep wrote:
>>> On 04/09/2013 02:38 PM, Farkas Levente wrote:
>>>> On 04/09/2013 06:45 PM, Tom Eastep wrote:
>>>
>>>>>
>>>>> Do you have a 'cd' command in ../common/params ?
>>>>
>>>> no. there are only simple ip and hostname constants.
>>>>
>>>
>>> Okay -- please:
>>>
>>> 1) cd shorewall/host1.example.com
>>> 2) sh -x /sbin/shorewall compile -e . firewall 2> trace
>>> 3) Send me the 'trace' file.
>>>
>>> -Tom
>
> Farkas,
>
> Is it possible for you to upgrade to 4.5.15? I believe that will resolve
> your issue.

i'd rather wait for 5.16 since 5.15 has the tos problems too then i'll check both.

-- 
Levente "Si vis pacem para bellum!"

On 04/10/2013 10:56 AM, Farkas Levente wrote:
> On 04/10/2013 01:08 AM, Tom Eastep wrote:

>> Farkas,
>>
>> Is it possible for you to upgrade to 4.5.15? I believe that will resolve
>> your issue.
>
> i'd rather wait for 5.16 since 5.15 has the tos problems too then i'll
> check both.
>

Okay. I uploaded .16 Beta 2 this morning; it should correct the tos issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 04/10/2013 10:20 PM, Tom Eastep wrote:
> On 04/10/2013 10:56 AM, Farkas Levente wrote:
>> On 04/10/2013 01:08 AM, Tom Eastep wrote:
>
>>> Farkas,
>>>
>>> Is it possible for you to upgrade to 4.5.15? I believe that
>>> will resolve your issue.
>>
>> i'd rather wait for 5.16 since 5.15 has the tos problems too then
>> i'll check both.
>>
>
> Okay. I uploaded .16 Beta 2 this morning; it should correct the tos
> issue.

these are normal?:

Compiling /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/tos...
   WARNING: Use of the tos file is deprecated in favor of the TOS target in tcrules /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/tos (line 10) at /usr/share/perl5/Shorewall/Misc.pm line 77
      Shorewall::Misc::__ANON__() called at /usr/share/perl5/Shorewall/Config.pm line 3030
      Shorewall::Config::handle_first_entry() called at /usr/share/perl5/Shorewall/Config.pm line 3135
      Shorewall::Config::read_a_line(-1) called at /usr/share/perl5/Shorewall/Misc.pm line 83
      Shorewall::Misc::process_tos() called at /usr/share/perl5/Shorewall/Compiler.pm line 797
      Shorewall::Compiler::compiler('script', './firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/lib/shorewall/compiler.pl line 145
Compiling MAC Filtration -- Phase 1...
Compiling /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/rules...
   WARNING: rejNotSyn is deprecated in favor of NotSyn(REJECT) /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/rules (line 17) at /usr/share/perl5/Shorewall/Rules.pm line 1519
      Shorewall::Rules::rejNotSyn('HASH(0x390d790)', 'info', '', '') called at /usr/share/perl5/Shorewall/Rules.pm line 1696
      Shorewall::Rules::process_action('HASH(0x390d790)', 'fw2net') called at /usr/share/perl5/Shorewall/Rules.pm line 2423
      Shorewall::Rules::process_rule(undef, '', 'rejNotSyn:info', '', 'fw', 'net', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3032
      Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3205
      Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 821
      Shorewall::Compiler::compiler('script', './firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/lib/shorewall/compiler.pl line 145
Compiling /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/action.Knock for chain Knock...
   WARNING: Empty notrack file (/home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/notrack) removed at /usr/share/perl5/Shorewall/Raw.pm line 279
      Shorewall::Raw::setup_conntrack() called at /usr/share/perl5/Shorewall/Compiler.pm line 825
      Shorewall::Compiler::compiler('script', './firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/lib/shorewall/compiler.pl line 145

-- 
Levente "Si vis pacem para bellum!"

On 04/10/2013 02:15 PM, Farkas Levente wrote:
> On 04/10/2013 10:20 PM, Tom Eastep wrote:
>> On 04/10/2013 10:56 AM, Farkas Levente wrote:
>>> On 04/10/2013 01:08 AM, Tom Eastep wrote:
>>
>>>> Farkas,
>>>>
>>>> Is it possible for you to upgrade to 4.5.15? I believe that
>>>> will resolve your issue.
>>>
>>> i'd rather wait for 5.16 since 5.15 has the tos problems too then
>>> i'll check both.
>>>
>>
>> Okay. I uploaded .16 Beta 2 this morning; it should correct the tos
>> issue.
>
> these are normal?:
>
> Compiling /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/tos...
> WARNING: Use of the tos file is deprecated in favor of the TOS
> target in tcrules
> /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/tos (line 10) at
> /usr/share/perl5/Shorewall/Misc.pm line 77
> Shorewall::Misc::__ANON__() called at
> /usr/share/perl5/Shorewall/Config.pm line 3030
> Shorewall::Config::handle_first_entry() called at
> /usr/share/perl5/Shorewall/Config.pm line 3135
> Shorewall::Config::read_a_line(-1) called at
> /usr/share/perl5/Shorewall/Misc.pm line 83
> Shorewall::Misc::process_tos() called at
> /usr/share/perl5/Shorewall/Compiler.pm line 797
> Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
> 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
> /usr/lib/shorewall/compiler.pl line 145
> Compiling MAC Filtration -- Phase 1...
> Compiling /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/rules...
> WARNING: rejNotSyn is deprecated in favor of NotSyn(REJECT)
> /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/rules (line 17) at
> /usr/share/perl5/Shorewall/Rules.pm line 1519
> Shorewall::Rules::rejNotSyn('HASH(0x390d790)', 'info', '', '') called
> at /usr/share/perl5/Shorewall/Rules.pm line 1696
> Shorewall::Rules::process_action('HASH(0x390d790)', 'fw2net') called
> at /usr/share/perl5/Shorewall/Rules.pm line 2423
> Shorewall::Rules::process_rule(undef, '', 'rejNotSyn:info', '', 'fw',
> 'net', '-', '-', '-', ...) called at
> /usr/share/perl5/Shorewall/Rules.pm line 3032
> Shorewall::Rules::process_raw_rule() called at
> /usr/share/perl5/Shorewall/Rules.pm line 3205
> Shorewall::Rules::process_rules(0) called at
> /usr/share/perl5/Shorewall/Compiler.pm line 821
> Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
> 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
> /usr/lib/shorewall/compiler.pl line 145
> Compiling
> /home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/action.Knock for
> chain Knock...
> WARNING: Empty notrack file
> (/home/lfarkas/work/lenux/shorewall/alpha.lenux.hu/notrack) removed at
> /usr/share/perl5/Shorewall/Raw.pm line 279
> Shorewall::Raw::setup_conntrack() called at
> /usr/share/perl5/Shorewall/Compiler.pm line 825
> Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
> 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
> /usr/lib/shorewall/compiler.pl line 145
>

So you got a bunch of warnings -- any errors?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

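Added example, not part of the thread and not Shorewall code: a small Python filter that answers the "any errors?" question for compiler output shaped like the text quoted above, dropping the Perl call-stack frames and keeping severity, message, and the config file and line. The sample text and its /etc/shorewall paths are constructed, and the shape of the ERROR line is an assumption modeled on the WARNING lines.

```python
import re
from typing import List, NamedTuple, Optional

class Diag(NamedTuple):
    level: str            # "WARNING" or "ERROR"
    message: str
    file: Optional[str]   # config file named in the diagnostic, if any
    line: Optional[int]

DIAG = re.compile(r"^\s*(WARNING|ERROR): (.*)$")
# Traced output ends the diagnostic with " at <module>.pm line N".
PERL_SUFFIX = re.compile(r" at \S+\.pm line \d+\.?$")
# Most diagnostics end with "<config file> (line N)"; some have no location.
LOCATION = re.compile(r"\s+(/\S+) \(line (\d+)\)$")

def triage(output: str) -> List[Diag]:
    """Extract diagnostics; skip progress lines and '... called at ...' frames."""
    found = []
    for raw in output.splitlines():
        m = DIAG.match(raw)
        if not m:
            continue
        body = PERL_SUFFIX.sub("", m.group(2).rstrip())
        loc = LOCATION.search(body)
        msg = body[:loc.start()] if loc else body
        found.append(Diag(m.group(1), msg, loc.group(1) if loc else None,
                          int(loc.group(2)) if loc else None))
    return found

def has_errors(diags: List[Diag]) -> bool:
    return any(d.level == "ERROR" for d in diags)

# Constructed sample in the shape of the output quoted in the thread (shortened,
# hypothetical paths); the final ERROR line is constructed, its format assumed.
SAMPLE = """\
Compiling /etc/shorewall/tos...
   WARNING: Use of the tos file is deprecated in favor of the TOS target in tcrules /etc/shorewall/tos (line 10) at /usr/share/perl5/Shorewall/Misc.pm line 77
\tShorewall::Misc::process_tos() called at /usr/share/perl5/Shorewall/Compiler.pm line 797
   WARNING: rejNotSyn is deprecated in favor of NotSyn(REJECT) /etc/shorewall/rules (line 17) at /usr/share/perl5/Shorewall/Rules.pm line 1519
\tShorewall::Rules::rejNotSyn('HASH(0x390d790)', 'info', '', '') called at /usr/share/perl5/Shorewall/Rules.pm line 1696
   WARNING: Empty notrack file (/etc/shorewall/notrack) removed at /usr/share/perl5/Shorewall/Raw.pm line 279
   ERROR: Invalid ACTION (Foo) /etc/shorewall/rules (line 21)
"""

if __name__ == "__main__":
    diags = triage(SAMPLE)
    for d in diags:
        print(f"{d.level:7} {d.file or '-'}:{d.line or '-'}  {d.message}")
    raise SystemExit(1 if has_errors(diags) else 0)
```

Run stand-alone it prints one line per diagnostic and exits non-zero when any ERROR is present, which makes it usable as a gate before pushing a compiled script to a firewall.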