Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-12 Thread Tom Eastep
Paul Traina wrote:

 
 Would you be willing to refresh the lrp version /etc files to match what
 you believe they should be?  I know you changed your policy on template
 stuff to reduce your support load, but the lrp versions don't represent
 that change.  I've made some guesses, but...  are you the maintainer of
 the lrp versions of these files, or is KP?

I have been maintaining the standard content while KP has been
maintaining the differences.

 
 Your install script assumes it runs as root, which may not be correct if
 we're using PREFIX.  Currently I'm using fakeroot as a wrapper to avoid
 dealing with the -o owner -g group arguments in install.  I was thinking
 of patching your install.sh script to something like:
 
 if [ -n "$PREFIX" ] && [ "$(id -u)" != 0 ]; then
     OWNERSHIP=      # unprivileged staging under PREFIX: install(1) cannot chown
 else
     OWNERSHIP="-o $OWNER -g $GROUP"
 fi
 
 and then replacing the explicit stuff with $OWNAGE, but I didn't want to
  have to manage that patch outside of your environment.

If you send me a patch, I'll apply it to my tree.

 
 I'll send you a patch along shortly showing you the differences between
 your LRP and what I am currently generating.
 

The differences are all in /etc/shorewall -- here is a patch that
reflects what I think they should be.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
diff -au /home/teastep/Shorewall/Shorewall2/interfaces ./interfaces
--- /home/teastep/Shorewall/Shorewall2/interfaces	2005-04-08 10:19:05.0 -0700
+++ ./interfaces	2005-04-11 13:03:40.0 -0700
@@ -204,4 +204,6 @@
 ##
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
 #
+net eth0detect  dhcp,routefilter,norfc1918
+loc eth1detect		dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
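Review bot: `norfc1918` on the `net eth0` line sits beside `dhcp`, and a DHCP-configured external interface is exactly the setup where the upstream (cable modem management address, ISP DHCP server) frequently lives in RFC 1918 space; Shorewall's own documentation says not to use `norfc1918` on an interface whose ISP hands out or answers from RFC 1918 addresses. Since this is now shipped as a default rather than shown as an example, put a comment above the entry telling such users to remove the option, e.g. `# remove norfc1918 if your ISP uses RFC 1918 addresses`. The `loc eth1 ... dhcp` entry is consistent with the later remark in this thread that DHCP on the local interface belongs here, not in `rules`.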
diff -au /home/teastep/Shorewall/Shorewall2/masq ./masq
--- /home/teastep/Shorewall/Shorewall2/masq	2004-12-31 09:41:44.0 -0800
+++ ./masq	2005-02-02 13:10:52.0 -0800
@@ -197,4 +197,5 @@
 #
 ###
 #INTERFACE	SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
+eth0			eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
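Review bot: `eth0 eth1` hardcodes the same interface names the `interfaces` entries hardcode, and nothing ties the two files together; a user who renames the local interface in `interfaces` but not here ends up with an internal network that is routed but not masqueraded, and `shorewall start` does not complain. Add a comment above the entry saying it must match the `loc` interface in `interfaces`, and note that because the SUBNET column holds an interface name rather than a network, Shorewall derives the masqueraded networks from eth1's routes at start time, so an address change on eth1 needs a restart.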
diff -au /home/teastep/Shorewall/Shorewall2/policy ./policy
--- /home/teastep/Shorewall/Shorewall2/policy	2005-03-30 07:03:32.0 -0800
+++ ./policy	2005-04-06 10:11:20.0 -0700
@@ -68,24 +68,24 @@
 #			and the size of an acceptable burst. If not specified,
 #			TCP connections are not limited.
 #
-#	Example:
+#	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
 #	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
-#
-#	#SOURCE		DEST		POLICY		LOG
-#	#		LEVEL
-#	loc		net		ACCEPT
-#	net		all		DROP		info
-#	#
-#	# THE FOLLOWING POLICY MUST BE LAST
-#	#	
-#	all		all		REJECT		info 
-#
 ###
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #		LEVEL
+loc		net		ACCEPT
+net		all		DROP		ULOG
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
+#fw net ACCEPT
+
+#
+# THE FOLLOWING POLICY MUST BE LAST
+#	
+all		all		REJECT		ULOG
 #LAST LINE -- DO NOT REMOVE
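Review bot: the comment block kept above the table still says at (b) and (d) that connections are "logged at syslog level KERNEL.INFO", but the policy lines added below use `ULOG`, which sends the log through the ULOG target to ulogd rather than to the kernel log; either the comment should say ULOG or the LOG LEVEL column should be `info`. The list also runs a), b), d) with no c). Worth a line in the comment too: a kernel or iptables built without ULOG support fails at start on these two lines, so a LEAF image shipping this default has to ship ULOG support with it.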
diff -au /home/teastep/Shorewall/Shorewall2/rules ./rules
--- /home/teastep/Shorewall/Shorewall2/rules	2005-03-01 10:29:15.0 -0800
+++ ./rules	2005-04-11 13:05:09.0 -0700
@@ -330,4 +330,26 @@
 
 #ACTION  SOURCE		DEST  	PROTO	DESTSOURCE	   ORIGINAL	RATE		USER/
 #   		PORTPORT(S)DEST		LIMIT		GROUP
+#  Accept DNS connections from the firewall to the network
+#
+ACCEPT  fw  net tcp 53
+ACCEPT  fw  net udp 53
+#   Accept SSH connections from the local network for administration
+#
+ACCEPT  loc fw  tcp 22
+#   Allow Ping To Firewall
+#
+ACCEPT  loc fw  icmp8
+ACCEPT  net fw  icmp8
+#
+#	Allow all ICMP types (including ping) From Firewall
+#
+ACCEPT  fw  loc icmp
+ACCEPT  fw  net icmp
+#
+# Bering specific rules:
+# allow loc to fw udp/53 for local/caching DNS servers to work
+# allow loc to fw tcp/80 for weblet to work
+ACCEPT  loc   fwudp 53
+ACCEPT  loc   fwtcp 80
 #LAST LINE 
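Review bot: the "Bering specific rules" open udp/53 from loc to the firewall but not tcp/53, so a local caching resolver can only serve answers that fit in a UDP reply; any response over 512 bytes is truncated and the client's TCP retry is rejected by the `all all REJECT` policy. Add `ACCEPT loc fw tcp 53` beside the udp line. The comment "Allow Ping To Firewall" covers both `loc` and `net`; since the net policy is DROP, accepting ICMP type 8 from `net` is a deliberate exception and the comment should say so (the RATE LIMIT column is available if ping from the Internet should be rate-limited rather than accepted unconditionally).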

Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread K.-P. Kirchdörfer
shorwall.lrp is usually taken from Tom's download pages.
Tom also provided a script to build from his cvs.

On Monday, 11 April 2005 at 15:37, Paul Traina wrote:
 I don't see it in buildtool?  Tom's got some changes in CVS I want
 to play with to test UPnP integration, and I wanted to see about
 making some local changes.

I think you refer to 2.2.3 - we haven't tested the 2.2 versions yet, 
but if you like, you may download shorewall-lrp-2.2.3.tgz from 
one of the mirrors listed on www.shorewall.net.

 I realize shorewall isn't compiled per-se, but shouldn't it be
 under buildtool anyway so we can patch in local changes?

hmm, given that I'm able to commit to the LRPx repository of Tom's cvs 
tree, it is some extra work to maintain another one on sourceforge.

kp


---
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595alloc_id=14396op=click

___
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
K.-P. Kirchdörfer wrote:
 shorwall.lrp is usually taken from Tom's download pages.
 Tom provided also a script to build from his cvs.
 

The script at
http://shorewall.net/pub/shorewall/contrib/makeshorewall.sh will build
any or all Shorewall packages from CVS. It is the script that I use to
build Shorewall releases.

I usually install it as /usr/local/bin/makeshorewall.

See the comments at the beginning of the script for how to select
packages to build.

For the .lrp:

makeshorewall -l version

The version determines which CVS project is used and must match the
version of the code in that project. For the .lrp, that version is
determined by the contents of /usr/share/shorewall/version.

All this having been said, I haven't yet started using the LrpN project
again since 2.2.0 as I haven't officially opened a 2.3 development
release. Also, I don't maintain the LrpN/ project in sync with the
/Shorewall2 project on a daily basis so if you need that project
updated, please let me know.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
Tom Eastep wrote:

 
 All this having been said, I haven't yet started using the LrpN project
 again since 2.2.0 as I haven't officially opened a 2.3 development
 release. Also, I don't maintain the LrpN/ project in sync with the
 /Shorewall2 project on a daily basis so if you need that project
 updated, please let me know.
 

Sorry for following up my own post but I hit the send button too quickly.

One of the problems with the current Shorewall CVS is that the changes
that are unique to the .lrp are not maintained as patches that can be
applied to my released code. The Lrp*/ projects in my CVS are simply
images of the .lrp which means that when I change a file like
shorewall.conf that has an lrp-specific version then I have to manually
apply the change to the appropriate Lrp*/ project.

I have long wanted to rework that so that the .lrp could be built from
the mainline CVS project (as the .rpm is) with the lrp-specific content
and patches being the only thing kept in CVS. It would make my job a lot
easier and would make it possible for Leaf folks to build a .lrp from my
latest development code without me having to manually apply changes.

Any volunteers?

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Paul Traina
Actually, that's exactly what I was suggesting we do as well, although 
there's not consensus about it.

Let me take a whack at it this afternoon and see how cleanly I can do 
it.  If people like the results, great, if not, no worries.  The biggest 
problem with the way I was /intending/ to do it was that I was going to 
do it inside the Bering uClibc buildtool environment, and B-U is not the 
only lrp based distribution out there.

I'll see if I can make it generic-LEAF friendly.
Paul


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
Paul Traina wrote:
 Actually, that's exactly what I was suggesting we do as well, although
 there's not consensus about it.
 
 Let me take a whack at it this afternoon and see how cleanly I can do
 it.  If people like the results, great, if not, no worries.  The biggest
 problem with the way I was /intending/ to do it was that I was going to
 do it inside the Bering uClibc buildtool environment, and B-U is not the
 only lrp based distribution out there.
 
 I'll see if I can make it generic-LEAF friendly.

You can certainly use the 'install.sh' script as a basis for building
and populating the directory tree. That's what is done when I build the
.rpm. Note the PREFIX environment variable -- allows installing in a
directory other than /.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


---
SF email is sponsored by - The IT Product Guide
Read honest  candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595alloc_id=14396op=click

___
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Paul Traina
Tom Eastep wrote:
Paul Traina wrote:
Actually, that's exactly what I was suggesting we do as well, although
there's not consensus about it.
Let me take a whack at it this afternoon and see how cleanly I can do
it.  If people like the results, great, if not, no worries.  The biggest
problem with the way I was /intending/ to do it was that I was going to
do it inside the Bering uClibc buildtool environment, and B-U is not the
only lrp based distribution out there.
I'll see if I can make it generic-LEAF friendly.

You can certainly use the 'install.sh' script as a basis for building
and populating the directory tree. That's what is done when I build the
.rpm. Note the PREFIX environment variable -- allows installing in a
directory other than /.
-Tom
Tom,
Would you be willing to refresh the lrp version /etc files to match what 
you believe they should be?  I know you changed your policy on template 
stuff to reduce your support load, but the lrp versions don't represent 
that change.  I've made some guesses, but...  are you the maintainer of 
the lrp versions of these files, or is KP?

Your install script assumes it runs as root, which may not be correct if 
we're using PREFIX.  Currently I'm using fakeroot as a wrapper to avoid 
dealing with the -o owner -g group arguments in install.  I was thinking 
of patching your install.sh script to something like:

if [ -n "$PREFIX" ] && [ "$(id -u)" != 0 ]; then
    OWNERSHIP=      # unprivileged staging under PREFIX: install(1) cannot chown
else
    OWNERSHIP="-o $OWNER -g $GROUP"
fi
and then replacing the explicit stuff with $OWNAGE, but I didn't want to 
 have to manage that patch outside of your environment.

I'll send you a patch along shortly showing you the differences between 
your LRP and what I am currently generating.

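The install flow Paul describes above (staging under PREFIX as a non-root user, passing the -o/-g ownership arguments only where install(1) can honour them) and the build Tom asked for earlier in the thread (mainline tree plus a separately kept set of lrp-specific files), as one added example in POSIX sh. It is not Shorewall's install.sh, not the LEAF buildtool, and not code from anyone on this thread; the directory list, the 0600 mode for the config files, the overlay layout and the "a .lrp is a gzipped tar of the staged tree" packaging are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not Shorewall's install.sh, not the LEAF buildtool):
# stage a Shorewall tree under $PREFIX without needing root or fakeroot,
# then lay the lrp-specific files kept in a separate overlay directory
# on top of the mainline files, and tar the result.
# Assumed for illustration: the directory list, the 0600 mode for the
# config files, the overlay layout, and ".lrp = gzipped tar of the tree".
set -eu

# Ownership arguments for install(1). Only root can chown, so when an
# unprivileged user stages into a PREFIX the -o/-g pair is dropped; as
# root, or when installing into / (no PREFIX), it is kept.
ownership_args() {
    if [ -n "${PREFIX:-}" ] && [ "$(id -u)" != 0 ]; then
        printf '%s\n' ""
    else
        printf '%s\n' "-o ${OWNER:-root} -g ${GROUP:-root}"
    fi
}

# install_file MODE SRC DEST   (DEST is relative to the target root)
install_file() {
    # word-splitting of the ownership args is intended
    install -m "$1" $(ownership_args) "$2" "${PREFIX:-}$3"
}

# stage_tree MAINLINE OVERLAY
# Files from MAINLINE/etc/shorewall go in first; files under
# OVERLAY/etc/shorewall then replace or add to them, so only the
# lrp-specific content needs to be kept outside the mainline tree.
stage_tree() {
    mainline=$1; overlay=$2
    for d in /etc/shorewall /etc/shorewall/start.d /etc/shorewall/stop.d \
             /usr/share/shorewall; do
        install -d -m 0755 $(ownership_args) "${PREFIX:-}$d"
    done
    for src in "$mainline"/etc/shorewall/* "$overlay"/etc/shorewall/*; do
        [ -f "$src" ] || continue
        install_file 0600 "$src" "/etc/shorewall/$(basename "$src")"
    done
}

# staged_files: sorted relative paths of the staged tree (the kind of list
# a package manifest carries).
staged_files() {
    ( cd "${PREFIX:?PREFIX must be set}" && find . -type f | sort )
}

# package_lrp OUT: gzipped tar of the staged tree (assumed .lrp layout; the
# lrpkg metadata files are not generated here).
package_lrp() {
    tar -C "${PREFIX:?PREFIX must be set}" -czf "$1" .
}

# Demo on constructed input when run directly: RUN_DEMO=1 sh stage-lrp.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    mkdir -p "$work/mainline/etc/shorewall" "$work/overlay/etc/shorewall"
    printf '# mainline policy\n' > "$work/mainline/etc/shorewall/policy"
    printf '# mainline rules\n'  > "$work/mainline/etc/shorewall/rules"
    printf '# LEAF two-interface policy\n' > "$work/overlay/etc/shorewall/policy"
    PREFIX="$work/stage"; export PREFIX
    stage_tree "$work/mainline" "$work/overlay"
    staged_files
    package_lrp "$work/shorewall.lrp"
    echo "staged under $PREFIX, packaged as $work/shorewall.lrp"
fi
```

Run as root the staged files end up owned by OWNER/GROUP as before; run as an ordinary user with PREFIX set they are owned by that user, which is what a later fakeroot or the packaging step can fix up. Installing into / as an ordinary user still fails, deliberately, because install(1) cannot chown there either.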


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Paul Traina
Hmm, OK, there are a couple patches in here I assume you didn't want 
anymore... based upon your changelog saying you weren't going to set up 
default stuff anymore in /etc?

Specifically:
Tom Eastep wrote:
--- /home/teastep/Shorewall/Shorewall2/interfaces   2005-04-08 
10:19:05.0 -0700
+++ ./interfaces2005-04-11 13:03:40.0 -0700
@@ -204,4 +204,6 @@
 ##
 #ZONE   INTERFACE  BROADCAST   OPTIONS
 #
+net eth0detect  dhcp,routefilter,norfc1918
+loc eth1detect dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
and

diff -au /home/teastep/Shorewall/Shorewall2/masq ./masq
--- /home/teastep/Shorewall/Shorewall2/masq 2004-12-31 09:41:44.0 
-0800
+++ ./masq  2005-02-02 13:10:52.0 -0800
@@ -197,4 +197,5 @@
 #
 ###
 #INTERFACE SUBNET  ADDRESS PROTO   PORT(S) IPSEC
+eth0   eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
and
diff -au /home/teastep/Shorewall/Shorewall2/policy ./policy
--- /home/teastep/Shorewall/Shorewall2/policy	2005-03-30 07:03:32.0 -0800
+++ ./policy	2005-04-06 10:11:20.0 -0700
@@ -68,24 +68,24 @@
 #			and the size of an acceptable burst. If not specified,
 #			TCP connections are not limited.
 #
-#	Example:
+#	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
 #	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
-#
-#	#SOURCE		DEST		POLICY		LOG
-#	#		LEVEL
-#	loc		net		ACCEPT
-#	net		all		DROP		info
-#	#
-#	# THE FOLLOWING POLICY MUST BE LAST
-#	#	
-#	all		all		REJECT		info 
-#
 ###
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #		LEVEL
+loc		net		ACCEPT
+net		all		DROP		ULOG
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
+#fw net ACCEPT
+
+#
+# THE FOLLOWING POLICY MUST BE LAST
+#	
+all		all		REJECT		ULOG
 #LAST LINE -- DO NOT REMOVE
and
diff -au /home/teastep/Shorewall/Shorewall2/rules ./rules
--- /home/teastep/Shorewall/Shorewall2/rules2005-03-01 10:29:15.0 
-0800
+++ ./rules 2005-04-11 13:05:09.0 -0700
@@ -330,4 +330,26 @@
 

 #ACTION  SOURCEDESTPROTO   DESTSOURCE 
ORIGINAL RATEUSER/
 #  PORTPORT(S)DEST 
LIMIT   GROUP
+#  Accept DNS connections from the firewall to the network
+#
+ACCEPT  fw  net tcp 53
+ACCEPT  fw  net udp 53
+#   Accept SSH connections from the local network for administration
+#
+ACCEPT  loc fw  tcp 22
+#   Allow Ping To Firewall
+#
+ACCEPT  loc fw  icmp8
+ACCEPT  net fw  icmp8
+#
+#  Allow all ICMP types (including ping) From Firewall
+#
+ACCEPT  fw  loc icmp
+ACCEPT  fw  net icmp
+#
+# Bering specific rules:
+# allow loc to fw udp/53 for local/caching DNS servers to work
+# allow loc to fw tcp/80 for weblet to work
+ACCEPT  loc   fwudp 53
+ACCEPT  loc   fwtcp 80
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
and
--- /home/teastep/Shorewall/Shorewall2/zones2005-02-02 07:39:59.0 
-0800
+++ ./zones 2005-02-02 13:10:52.0 -0800
@@ -11,15 +11,9 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#
-# Example zones:
 #
-#You have a three interface firewall with internet, local and DMZ 
interfaces.
-#
-#  #ZONE   DISPLAY COMMENTS
-#  net InternetThe big bad Internet
-#  loc Local   Local Network
-#  dmz DMZ Demilitarized zone.
-#
-#ZONE  DISPLAY COMMENTS
+#ZONE  DISPLAY COMMENTS
+netNet Internet
+locLocal   Local networks
+#dmz   DMZ Demilitarized zone
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
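Review bot: the `#dmz` line is shipped commented out, but uncommenting it on its own is not enough: a zone with no entry in `interfaces` (or `hosts`) is empty, and the `policy` and `masq` defaults shipped in this same patch know nothing about it. A one-line comment saying that `interfaces` and `policy` entries are needed as well would save the support mail. The DISPLAY value `Net` also differs from the `Internet` used in the example block this hunk removes; pick one.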
The stuff in shorewall.conf and to start and stop I assumed were ok to 
keep.  Which way do you want me to go?  Blank, or KP-style defaults?


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
Paul Traina wrote:
 Hmm, OK, there are a couple patches in here I assume you didn't want
 anymore... based upon your changelog saying you weren't going to set up
 default stuff anymore in /etc?
 

But KP does!!!

The differences between Standard and Leaf /etc/shorewall are:

a) Defaults configuration for two-interface firewall (standard has no
default config -- uses sample configurations which are overloaded).
b) start.d and stop.d for scripts owned by other packages.
c) shorewall.conf has different defaults.
d) start and stop run all scripts in start.d and stop.d respectively.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


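The last item in Tom's list above, a start script that runs everything in start.d (and a stop script doing the same for stop.d), as an added example that is not the LEAF package's own script: a POSIX sh hook runner that executes the scripts in name order, skips non-executables and editor or patch leftovers, and stops at the first failure instead of bringing the firewall up with a half-applied set of hooks. The directory name and the skip patterns are assumptions.

```shell
#!/bin/sh
# Added example (not the LEAF shorewall.lrp start/stop script): run every
# executable in a hook directory such as /etc/shorewall/start.d in sorted
# name order, skip non-executables and editor backups, and stop at the
# first failure so the firewall is never brought up with a half-applied
# set of hooks. Directory name and skip patterns are assumptions.
set -eu

# run_hook_dir DIR  -> 0 if every hook succeeded (or DIR is absent),
#                      1 at the first failing hook (later hooks not run)
run_hook_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    for hook in "$dir"/*; do
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        case "$hook" in
            *~|*.bak|*.orig|*.rej) continue ;;   # editor/patch leftovers
        esac
        if ! "$hook"; then
            echo "run_hook_dir: $hook failed, aborting" >&2
            return 1
        fi
    done
    return 0
}

# Demo on a constructed hook directory: RUN_DEMO=1 sh run-hooks.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "hook: $0"\n' > "$d/10-example"
    chmod 0755 "$d/10-example"
    run_hook_dir "$d"
fi
```

Stopping at the first failure is the right default for start.d, where a hook that did not run usually means a rule set the rest of the system assumes is missing; for stop.d one may prefer to keep going and only report, since the goal there is to tear everything down regardless.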


Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
Paul Traina wrote:
 Tom Eastep wrote:
 Paul Traina wrote:

 Tom Eastep wrote:


 Would you be willing to refresh the lrp version /etc files to match what
 you believe they should be? 


 The files in LrpN/etc/shorewall are what I think that the files should
 look like as of today's development. I've updated that project to be in
 sync with my Shorewall2/ project (plus Leaf changes).

 -Tom
 
 Great, thank you.  I will use those as reference.
 
 Here's the install.sh patch, I am also including *my* current best guess
 as to what leaf-specific patches we should keep.  I will update that
 based upon your new files.
 

Thanks -- I note that KP had added another change to the rules file in
LrpN which I hadn't included in my patch. Something to do with dnsmasq...

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Tom Eastep
Tom Eastep wrote:

 
 Thanks -- I note that KP had added another change to the rules file in
 LrpN which I hadn't included in my patch. Something to do with dnsmasq...
 

Ok -- I took a look at that and it has to do with DHCP -- I personally
think that a better approach is to set the 'dhcp' option on the local
interface in the interfaces file.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-devel] how is shorwall.lrp produced for Bering uClibc?

2005-04-11 Thread Paul Traina
Agreed.

On Mon, Apr 11, 2005 at 01:54:10PM -0700, Tom Eastep wrote:
 Tom Eastep wrote:
 
  
  Thanks -- I note that KP had added another change to the rules file in
  LrpN which I hadn't included in my patch. Something to do with dnsmasq...
  
 
 Ok -- I took a look at that and it has to do with DHCP -- I personally
 think that a better approach is to set the 'dhcp' option on the local
 interface in the interfaces file.
 
 -Tom
 -- 
 Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
 Shoreline, \ http://shorewall.net
 Washington USA  \ [EMAIL PROTECTED]
 PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
 

