Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Erich Titl]

Tom

At 18:31 10.04.2004, Tom Eastep wrote:
Tom Eastep wrote:

Stijn Jonker wrote:

It works fine here after a small modification in firewall on line 5757:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
/usr/share/shorewall/firewall: line 5757: [: missing `]'
firewall:5757
[ -n $CONFIG_PATH] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
changed it to:
[ -n $CONFIG_PATH ] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
Maybe it has to do with the version of sh/bash:
Just a plain ordinary bug -- thanks. I've updated CVS with the correction.
Now that this feature is implemented, I would like to re-open our earlier 
discussion about how the Shorewall LRP should be structured. As a starter, 
I would be happy to release the LRP's shorewall.conf file with a special 
CONFIG_PATH. I would think though that a change in the 
/var/lib/lrcfg/shorwall.conf file would also be in order so that the 
entries pointed to a directory that wasn't overwritten when a new 
Shorewall LRP was loaded. What is unclear to me is how this directory gets 
populated initially.
As I suggested some time ago could this be solved by falling back to the 
default shorewall.conf file if the file pointed to by CONFIG_PATH did not 
exist?

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70alloc_id638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Tom Eastep]

Erich Titl wrote:



As I suggested some time ago could this be solved by falling back to the 
default shorewall.conf file if the file pointed to by CONFIG_PATH did 
not exist?

Let say that for LEAF, the CONFIG_PATH is:

	/etc/shorewalluser:/etc/shorewall:/usr/share/shorewall

Shorewall continues to release its configuration files into /etc/shorewall.

a) It seems like the entries in /var/lib/lrcfg/shorwall.conf need to 
point to /etc/shorewalluser.

b) Shorewall can't release files into /etc/shorewalluser because then a 
Shorewall upgrade will overwrite those files.

So how does /etc/shorewalluser get populated initially?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Charles Steinkuehler]

Tom Eastep wrote:
Erich Titl wrote:



As I suggested some time ago could this be solved by falling back to the 
default shorewall.conf file if the file pointed to by CONFIG_PATH did 
not exist?

Let say that for LEAF, the CONFIG_PATH is:

	/etc/shorewalluser:/etc/shorewall:/usr/share/shorewall

Shorewall continues to release its configuration files into /etc/shorewall.

a) It seems like the entries in /var/lib/lrcfg/shorwall.conf need to 
point to /etc/shorewalluser.

b) Shorewall can't release files into /etc/shorewalluser because then a 
Shorewall upgrade will overwrite those files.

So how does /etc/shorewalluser get populated initially?
I'm not sure I'm following along completely, but this sounds a lot like 
the general problem encountered when trying to update any *.lrp package: 
the configuration files are in the same package as the application, and 
the whole filesystem is re-created from scratch every boot (so there's 
no remembering the configuration data from a previously installed 
package version).

I know of two ways to work around this:

1) Put configuration data in a seperate package, ie: swconf.lrp would 
'own' files in /etc/shorewalluser (or even /etc/shorewall), so replacing 
shorewall.lrp with a new version wouldn't overwrite existing 
configuration data.

2) Use partial backups (implemented in Dachstein and Bering).  This 
isn't a real graceful solution for someone with a single boot disk, but 
can work well if you're running from CD, HDD, or can otherwise configure 
two (or more) package repositories.  One holds the unconfiugred 
distribution packages (the CDROM in my case), while the other holds 
partial backups (typically just the configuration data) that get loaded 
on top of the default configuration files provided with the base 
package.  There is a new package file in /var/lib/lrpkg 
(package.local) which defines which files are to be included or 
excluded when doing a partial backup.  If this file doesn't exist, the 
scripts default to putting any files in /etc or /var/lib/lrpkg that are 
defined in the package.list file in the partial backup.

#2 works really well for CDROM based systems (or systems that can 
configure two package storage locations).  To upgrade shorewall, ssh, or 
whatever, I simply burn a new CD containing the updated packages, insert 
it into my firewall (with it's single configuration floppy), and reboot.

Excuse the interruption if I'm not correctly understanding your 
problem...I haven't been closely monitoring this thread.

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Tom Eastep]

Erich Titl wrote:

Does it have to be populated?
I think so if the /var/lib/lrpkg/shorwall.conf file points to it.

If Shorewall has a fallback set up which 
would be overridden by user configuration data then Shorewall would have 
a default configuration initially unless there is a user configuration 
file present. The shorewall.list would include the user configuration 
file but initially this file would be missing in the shorewall.lrp file. 
Loading a new release would thus not overwrite user configuration data. 
As soon as this configuration is saved then the newly created 
shorewall.lrp would contain the user configuration data valid at save 
time and therefore hold the complete configuration.

Is this feasible?
I think that Charles's suggestion about using two packages makes this a 
bit more friendly. The main problem that I see with that approach is 
that it doesn't allow any way for me to add a new config file in the 
future and have it reflected in the Shorewall configuration menu.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Charles Steinkuehler]

Tom Eastep wrote:
Erich Titl wrote:

Does it have to be populated?
I think so if the /var/lib/lrpkg/shorwall.conf file points to it.

If Shorewall has a fallback set up which 
would be overridden by user configuration data then Shorewall would have 
a default configuration initially unless there is a user configuration 
file present. The shorewall.list would include the user configuration 
file but initially this file would be missing in the shorewall.lrp file. 
Loading a new release would thus not overwrite user configuration data. 
As soon as this configuration is saved then the newly created 
shorewall.lrp would contain the user configuration data valid at save 
time and therefore hold the complete configuration.

Is this feasible?
I think that Charles's suggestion about using two packages makes this a 
bit more friendly. The main problem that I see with that approach is 
that it doesn't allow any way for me to add a new config file in the 
future and have it reflected in the Shorewall configuration menu.
Are you referring to the lrcfg configuration menu, created from the 
package.conf files in /var/lib/lrpkg?

If so, I think you can 'cheat', within limits.  If both the main and 
configuration shorewall packages are distributed as a unit and always 
used as a pair (except maybe by folks who really know what they're 
doing), I don't think there would be a problem with making the *.conf 
file part of the main shorewall package, rather than the config package.

While it might seem odd to have the package.conf file in a different 
package than the actual files it's setup to edit, it really makes sense 
when you consider the second package is for actual user-modified 
configuration files, rather than being a true stand-alone package.  The 
package.conf file is *NOT* a user-modified config file, so putting it 
in the main shorewall package seems reasonable.

Essentially, this is doing with two differently named packages what I do 
with two identically named packages from different sources: Splitting 
the modifiable configuration files and 'static' content.

I've even thought of making a packaging system that would do this sort 
of thing automatically, using for example package.lrp for the released 
package, and package.cfg for the user-modified files.  This would only 
take a very slight re-working of my current backup scripts to implement.

I have not yet done anything like this because:

- I don't really need it personally (the current scripts work well for 
CD-ROM based systems, which is mainly what I run).

- I don't have a lot of time for development (8 month old twins!)

- I don't want to pull the rug out from under the new configuration 
scheme and hopefully a more full-featured packaging system.

On the other hand, support for package.cfg files would be very easy to 
add (maybe a couple hours of scripting, since the bulk of the support is 
already in place), and would be very handy for folks running on flash, 
hdd, or similar (I'm not sure if the floppy folks would have enough room 
for many extra files, especially if partial/.cfg backups of /etc include 
pretty much the whole directory as they do now (another 20+ KB)).

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Feature Request: Shorewall 2.0 LocalConfDir

[Tom Eastep]

Charles Steinkuehler wrote:



I think that Charles's suggestion about using two packages makes this 
a bit more friendly. The main problem that I see with that approach is 
that it doesn't allow any way for me to add a new config file in the 
future and have it reflected in the Shorewall configuration menu.


Are you referring to the lrcfg configuration menu, created from the 
package.conf files in /var/lib/lrpkg?
Yes.

If so, I think you can 'cheat', within limits.  If both the main and 
configuration shorewall packages are distributed as a unit and always 
used as a pair (except maybe by folks who really know what they're 
doing), I don't think there would be a problem with making the *.conf 
file part of the main shorewall package, rather than the config package.
If people always install these packages in pairs then we may as well 
just keep the single package. I suppose that when a new configuration 
file is added, we can have the user manaually copy the new file from 
/etc/shorewall to /etc/shorewalluser then back up the swuser package.

While it might seem odd to have the package.conf file in a different 
package than the actual files it's setup to edit, it really makes sense 
when you consider the second package is for actual user-modified 
configuration files, rather than being a true stand-alone package.  The 
package.conf file is *NOT* a user-modified config file, so putting it 
in the main shorewall package seems reasonable.
I agree. With the additional manual steps I've outlined above, this 
could be workable. People would just have to retrain themselves to 
backup swuser rather than shorwall.

I've even thought of making a packaging system that would do this sort 
of thing automatically, using for example package.lrp for the released 
package, and package.cfg for the user-modified files.  This would only 
take a very slight re-working of my current backup scripts to implement.

I have not yet done anything like this because:

- I don't really need it personally (the current scripts work well for 
CD-ROM based systems, which is mainly what I run).

- I don't have a lot of time for development (8 month old twins!)

- I don't want to pull the rug out from under the new configuration 
scheme and hopefully a more full-featured packaging system.
Nod.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] [Fwd: Re: Mike Noyes]

[K.-P. Kirchdörfer]

Am Dienstag, 13. April 2004 13:09 schrieb Charles Steinkuehler:
 Mike Noyes has been in a bicycle accident (see message below).

 If I get any more details, I'll let everyone know.

Thx for info Charles - bad news.
Best wishes to Mike - I hope he'll be back soon and healthy again.

kp 


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel