Shorewall 4.5.21.2 is now available for download.

Problems Corrected:

1) Previously, the AutoBL action would fail if the kernel and iptables did not support the Recent Match '--reap' option. A new REAP_OPTION capability has been added to work around this issue.

2) The Shorewall-core installer no longer reports an error from 'cp' stating that it could not stat the shorewallrc file.

3) When a non-root user attempts to execute 'version -a', the CLI no longer attempts to get the version of the compiled firewall. Previously, the command issued the following diagnostic when run by non-root:

   /sbin/shorewall: /var/lib/shorewall/firewall: Permission denied

4) Shorewall no longer uses 'fgrep', thus allowing for use on systems without that utility. All uses of 'fgrep' have been replaced by 'grep -F'.

5) Placing |<mark> in the ACTION column of the tcrules file no longer raises a fatal compilation error.

6) Support has been added to the Shorewall-core configure scripts and installer for Ubuntu Raring.

Thank you for using Shorewall,
-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
On Mon, 21 Oct 2013 10:11:24 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Shorewall 4.5.21.2 is now available for download.
>
> Problems Corrected:
>
> <snip>
>
> Thank you for using Shorewall,
> -Tom

Thanks for this great app and all the work you put into it Tom!

JB

-- 
Help spread the word! Learn about Jury Nullification! Help take back our
country from our corrupt: judicial system, police system and government!
www.fija.org
On 10/24/2013 9:53 AM, Wayne S wrote:
> I would like to log to multiple outputs, one to log file, second to
> PCAP file using NFLOG in ulogd.
>
> I noticed some developer discussions in the past and followed some
> possible ways to do this in policy: For example, I changed the
> policy:
>
> net all DROP $LOG
>
> to
>
> net all DROP:N2LOG
>
> actions
> ~~~~~~
> N2LOG inline
>
> action.N2LOG
> ~~~~~~~~~
> Drop
> NFLOG(1,0,1)
> NFLOG(2,0,1)
>
> I noticed that DROP $LOG will insert the Drop chain before the log,
> which filters a lot of cruft. However, I have to manually add it if I
> use DROP:N2LOG.

That's correct. 'DROP' in the POLICY column is the same as 'DROP:Drop',
since 'Drop' is the default action for a DROP policy.

> Is this the correct way to go about this?

Yes.

> It seems to be working. I tried putting the N2LOG action in the log
> level, but that did not work (or macro). I was not clear on log level
> option.

I should add a 'shorewall-logging' manpage. In the meantime, see
http://www.shorewall.net/shorewall_logging.html

> The reason for inline is so the log tag is loc2fw instead of an
> N2LOG chain. Is there another way to control the prefix without using
> inline?

'inline' is certainly the most convenient. But within an action, the
@chain and @disposition variables, together with the LOGPREFIX setting,
are used to form the log prefix. So if you include this in the action
body:

    ?set @chain @caller

then the logging will be correct. Note that you don't really gain
anything by doing that; with that directive in the action body, each
invocation of N2LOG will generate a separate chain. So you may as well
just use 'inline'.

> Also, I noticed that the manual says NFLOG(,0,1) will default to
> group 1 but in the ulogd stack it seems to go to group 0, also just
> NFLOG defaults to group 0. I'm running arch linux kernel
> 3.11.5-1-ARCH and ulogd Version 2.0.2 at the moment. With Arch,
> though, the moment can change often.

I'll correct the documentation.

Thanks,
-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
I would like to log to multiple outputs, one to log file, second to
PCAP file using NFLOG in ulogd.

I noticed some developer discussions in the past and followed some
possible ways to do this in policy: For example, I changed the
policy:

net all DROP $LOG

to

net all DROP:N2LOG

actions
~~~~~~
N2LOG inline

action.N2LOG
~~~~~~~~~
Drop
NFLOG(1,0,1)
NFLOG(2,0,1)

I noticed that DROP $LOG will insert the Drop chain before the log,
which filters a lot of cruft. However, I have to manually add it if I
use DROP:N2LOG.

Is this the correct way to go about this?

It seems to be working. I tried putting the N2LOG action in the log
level, but that did not work (or macro). I was not clear on log level
option.

The reason for inline is so the log tag is loc2fw instead of an
N2LOG chain. Is there another way to control the prefix without using
inline?

Also, I noticed that the manual says NFLOG(,0,1) will default to
group 1 but in the ulogd stack it seems to go to group 0, also just
NFLOG defaults to group 0. I'm running arch linux kernel
3.11.5-1-ARCH and ulogd Version 2.0.2 at the moment. With Arch,
though, the moment can change often.
Here is the working ulogd stack:

/etc/ulogd.conf
~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=300000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"

# shorewall logging packets
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# capture bad packets
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=1
#sync=1

[log2]
group=2

[emu1]
file=/var/log/ulogd.syslogemu

[pcap1]
----------

Wayne S
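The two messages above (the N2LOG action sending to NFLOG groups 1 and 2, and the ulogd.conf whose log1/log2 stacks read those groups) only work together when every group the firewall logs to has a ulogd stack listening on it; Wayne's observation that NFLOG(,0,1) and a bare NFLOG land in group 0, which this ulogd.conf does not capture, is exactly the kind of silent gap that loses log evidence. The following is an added example, not Shorewall or ulogd code, that cross-checks the two files. It assumes that an NFLOG with an empty or missing group argument goes to group 0 (Wayne's observation; the documentation said 1) and that a ulogd NFLOG input section with no group= line also defaults to group 0; both sample inputs are constructed from the thread.

```python
"""Added example (not Shorewall or ulogd code): cross-check the NFLOG
groups a Shorewall action/policy sends to against the groups a ulogd.conf
actually captures, so a log target silently landing in group 0 is caught.

Assumptions, labelled: an NFLOG with an empty or missing group argument is
treated as group 0 (what Wayne observed; the documentation said 1), and a
ulogd NFLOG input with no group= setting is treated as group 0.
"""
import re

# Matches NFLOG, NFLOG(1,0,1) and NFLOG(,0,1); captures the text in parens
NFLOG_RE = re.compile(r'\bNFLOG(?:\(([^)]*)\))?')

# Sample Shorewall action body, constructed for this example
SHOREWALL_ACTION = """\
#ACTION
Drop
NFLOG(1,0,1)
NFLOG(2,0,1)
NFLOG(,0,1)
"""

# Sample ulogd.conf, constructed for this example (two stacks, two groups)
ULOGD_CONF = """\
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"
# shorewall logging packets
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# capture bad packets
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=1
#sync=1

[log2]
group=2

[emu1]
file=/var/log/ulogd.syslogemu
"""


def nflog_groups(shorewall_text, default_group=0):
    """Set of NFLOG group numbers referenced in Shorewall rule/action text."""
    groups = set()
    for match in NFLOG_RE.finditer(shorewall_text):
        args = match.group(1)
        first = args.split(',')[0].strip() if args is not None else ''
        groups.add(int(first) if first else default_group)
    return groups


def ulogd_groups(ulogd_text, default_group=0):
    """Set of NFLOG groups that some stack= line in ulogd.conf actually reads."""
    section = None
    stacks = []
    group_of = {}
    for raw in ulogd_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip().strip('"')
        if section == 'global' and key == 'stack':
            stacks.append(value)  # duplicate keys are normal here: keep all
        elif section and key == 'group':
            group_of[section] = int(value)
    captured = set()
    for stack in stacks:
        for element in stack.split(','):
            name, _, plugin = element.partition(':')
            if plugin.strip() == 'NFLOG':
                captured.add(group_of.get(name.strip(), default_group))
    return captured


def uncaptured_groups(shorewall_text, ulogd_text):
    """Groups the firewall logs to that no ulogd stack listens on."""
    return sorted(nflog_groups(shorewall_text) - ulogd_groups(ulogd_text))


if __name__ == '__main__':
    missing = uncaptured_groups(SHOREWALL_ACTION, ULOGD_CONF)
    if missing:
        print('NFLOG groups with no ulogd listener:', missing)
    else:
        print('every NFLOG group has a ulogd stack')
```

Run against real files, the check reads the action/policy files and /etc/ulogd.conf instead of the embedded samples; with the samples it reports group 0 as uncaptured, which is the case Wayne hit.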
On 21/10/13 18:11, Tom Eastep wrote:
> Shorewall 4.5.21.2 is now available for download.
<snip/>

Tom,

I am sorry that I didn't find time to test the beta. I couldn't find a
set of bz2's to download, so assumed I would have to do a git clone -
was that right?

Anyway, when the 4.5.21.2 bz2's were distributed to the mirrors, I tried
to install them...

> Problems Corrected:
<snip/>
> 6) Support has been added to the Shorewall-core configure scripts and
> installer for Ubuntu Raring.

I'm sorry to say the fix did not work on my ubuntu raring system.

core configure and install run ok. shorewall-4 install is ok too.

BUT shorewall-init install fails with the line:

ERROR: Unknown BUILD environment (ubuntu)

As I explained before, /etc/os-release contains two lines relevant to
the failure:

ID=ubuntu
ID_LIKE=debian

However, your script's BUILD detection inner case section examines this
file for an "ID" line, but it does not have a specific case for the
string "ubuntu". I simply edited my own copy, cloned the "debian"
section and made it handle "ubuntu" the same way, then the install worked.

I'm not sure what should be done for the best long-term solution.
Perhaps you should test for "ID_LIKE" first, and use that value if it
exists, then only fall back to the bare "ID" test if a value wasn't found?

Thanks for trying,

Brian
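Brian's suggestion above (prefer ID_LIKE, fall back to ID) is easy to express as a small POSIX sh function. The following is an added example and not Shorewall's installer code; it assumes the os-release file path defaults to /etc/os-release, that when ID_LIKE lists several parents the first one is used, and it leaves the mapping of the detected value to a supported BUILD to the caller's case statement, since the full list of BUILD values the installer accepts is not given in the thread.

```sh
#!/bin/sh
# Added example, not Shorewall's installer code: derive a BUILD candidate
# from an os-release file, preferring ID_LIKE over ID as Brian suggests,
# so a derivative such as ubuntu (ID_LIKE=debian) resolves to its parent.
# Assumptions: the first token of a multi-valued ID_LIKE is used, and the
# path defaults to /etc/os-release. Mapping the result onto the installer's
# supported BUILD values is left to the caller's existing case statement.

detect_build() {
    _file="${1:-/etc/os-release}"
    _id=""
    _id_like=""
    [ -r "$_file" ] || { echo "ERROR: cannot read $_file" >&2; return 1; }
    # os-release is KEY=VALUE per line; the loop runs in this shell,
    # so the variables it sets survive after 'done'
    while IFS='=' read -r _key _value; do
        # values may be double-quoted; strip one pair of surrounding quotes
        _value=$(printf '%s' "$_value" | sed 's/^"\(.*\)"$/\1/')
        case "$_key" in
            ID)      _id="$_value" ;;
            ID_LIKE) _id_like="$_value" ;;
        esac
    done < "$_file"
    # ID_LIKE may be a space-separated list ("rhel fedora"); take the first
    _build="${_id_like%% *}"
    [ -n "$_build" ] || _build="$_id"
    if [ -z "$_build" ]; then
        echo "ERROR: neither ID_LIKE nor ID found in $_file" >&2
        return 1
    fi
    printf '%s\n' "$_build"
}

# Stand-alone use: print the candidate for this host when the file exists
[ -r /etc/os-release ] && detect_build /etc/os-release
```

In an installer the printed value would be assigned to BUILD before the existing `case "$BUILD" in ... esac`, which then still rejects anything it does not know rather than guessing.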
On 10/24/2013 2:31 PM, Wayne S wrote:
> Although this scheme works for policy and rules to generate multiple
> NFLOG groups, is there a way to do this with the log level as used in
> shorewall.conf parameters, such as RPFILTER_LOG_LEVEL?

No.

-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 10/24/2013 10:36 AM, Brian Burch wrote:
> On 21/10/13 18:11, Tom Eastep wrote:
>> Shorewall 4.5.21.2 is now available for download.
> <snip/>
>
> Tom,
>
> I am sorry that I didn't find time to test the beta. I couldn't find a
> set of bz2's to download, so assumed I would have to do a git clone -
> was that right?
>
> Anyway, when the 4.5.21.2 bz2's were distributed to the mirrors, I tried
> to install them...
>
>> Problems Corrected:
> <snip/>
>> 6) Support has been added to the Shorewall-core configure scripts and
>> installer for Ubuntu Raring.
>
> I'm sorry to say the fix did not work on my ubuntu raring system.
>
> core configure and install run ok. shorewall-4 install is ok too.
>
> BUT shorewall-init install fails with the line:
>
> ERROR: Unknown BUILD environment (ubuntu)
>
> As I explained before, /etc/os-release contains two lines relevant to
> the failure:
>
> ID=ubuntu
> ID_LIKE=debian
>
> However, your script's BUILD detection inner case section examines this
> file for an "ID" line, but it does not have a specific case for the
> string "ubuntu". I simply edited my own copy, cloned the "debian"
> section and made it handle "ubuntu" the same way, then the install worked.
>
> I'm not sure what should be done for the best long-term solution.
> Perhaps you should test for "ID_LIKE" first, and use that value if it
> exists, then only fall back to the bare "ID" test if a value wasn't found?

You reported the problem against Shorewall-core, not against
Shorewall-init. I tested Shorewall-core's configure/installer on a
Raring system and installed Shorewall after that.

For Shorewall-init, the following workaround is still available:

BUILD=debian ./install.sh

I'll fix Shorewall-init in the next release.

-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Although this scheme works for policy and rules to generate multiple
NFLOG groups, is there a way to do this with the log level as used in
shorewall.conf parameters, such as RPFILTER_LOG_LEVEL?

Thanks

Wayne S
On 24/10/13 21:39, Tom Eastep wrote:
> On 10/24/2013 10:36 AM, Brian Burch wrote:
>> On 21/10/13 18:11, Tom Eastep wrote:
>>> Shorewall 4.5.21.2 is now available for download.
>> <snip/>
>>
>> Tom,
>>
>> I am sorry that I didn't find time to test the beta. I couldn't find a
>> set of bz2's to download, so assumed I would have to do a git clone -
>> was that right?
>>
>> Anyway, when the 4.5.21.2 bz2's were distributed to the mirrors, I tried
>> to install them...
>>
>>> Problems Corrected:
>> <snip/>
>>> 6) Support has been added to the Shorewall-core configure scripts and
>>> installer for Ubuntu Raring.
>>
>> I'm sorry to say the fix did not work on my ubuntu raring system.
>>
>> core configure and install run ok. shorewall-4 install is ok too.
>>
>> BUT shorewall-init install fails with the line:
>>
>> ERROR: Unknown BUILD environment (ubuntu)
>>
>> As I explained before, /etc/os-release contains two lines relevant to
>> the failure:
>>
>> ID=ubuntu
>> ID_LIKE=debian
>>
>> However, your script's BUILD detection inner case section examines this
>> file for an "ID" line, but it does not have a specific case for the
>> string "ubuntu". I simply edited my own copy, cloned the "debian"
>> section and made it handle "ubuntu" the same way, then the install worked.
>>
>> I'm not sure what should be done for the best long-term solution.
>> Perhaps you should test for "ID_LIKE" first, and use that value if it
>> exists, then only fall back to the bare "ID" test if a value wasn't found?
>
> You reported the problem against Shorewall-core, not against
> Shorewall-init. I tested Shorewall-core's configure/installer on a
> Raring system and installed Shorewall after that.
>
> For Shorewall-init, the following workaround is still available:
>
> BUILD=debian ./install.sh
>
> I'll fix Shorewall-init in the next release.
>
> -Tom

Thanks Tom.

Sorry about my confusion between core and init, but even now I'm not
entirely clear what is going on during my installation process.

I run the recommended sequence: core/configure, core/install,
shorewall-4/install, shorewall-init/install.

1. the source for configure is identical in all three bz2's
2. configure (I think) creates ./shorewallrc in the current directory.
3. configure does not create or update ~/.shorewallrc
4. .shorewallrc is created by shorewall-4/install
5. shorewall-init/configure does not determine the value to be used as
   $BUILD, so does not store it in ~/.shorewallrc or ./shorewallrc
6. shorewall-init/install dynamically determines the value to be used as
   $BUILD

This seems prone to user errors (i.e. me)... am I missing an important
concept?

Brian

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 10/25/2013 2:28 AM, Brian Burch wrote:
> Thanks Tom.
>
> Sorry about my confusion between core and init, but even now I'm not
> entirely clear what is going on during my installation process.
>
> I run the recommended sequence: core/configure, core/install,
> shorewall-4/install, shorewall-init/install.
>
> 1. the source for configure is identical in all three bz2's
> 2. configure (I think) creates ./shorewallrc in the current directory.
> 3. configure does not create or update ~/.shorewallrc

shorewall-core install.sh does that. Note that there was a defect that
required that the installer be run twice to create that file; that was
corrected in 4.5.21.2.

> 4. .shorewallrc is created by shorewall-4/install

No -- see above.

> 5. shorewall-init/configure does not determine the value to be used as
> $BUILD, so does not store it in ~/.shorewallrc or ./shorewallrc

shorewall-init has no business modifying or creating a shorewallrc file.

> 6. shorewall-init/install dynamically determines the value to be used as
> $BUILD

And as I stated in my previous post, that is a bug.

I have created 4.5.21.3 which I will release shortly. Distribution
maintainers may ignore that dot release, as it only contains changes to
the tarball installers.

Attached is a log file of an install from scratch on a Ubuntu Raring
system.

Regards,
-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________