Re: [leaf-devel] shorewall

2015-10-01 Thread Tom Eastep
On 9/29/2015 11:58 PM, Erich Titl wrote:
> Hi Tom
> 
> Am 30.09.2015 um 03:36 schrieb Tom Eastep:
>> On 9/29/2015 3:59 PM, Erich Titl wrote:
>>> Hi Tom
>>>
>>> Am 30.09.2015 um 00:34 schrieb Tom Eastep:
>>> ...
>>>

>>>> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
>>>> module autoloading is enabled. It rather associates each helper with its
>>>> standard protocols and ports -- see the /etc/shorewall/conntrack file.
>>>> The standard /usr/share/shorewall/helpers file should cause them to be
>>>> loaded however, provided that the setting of MODULE_SUFFIX in
>>>> shorewall.conf is correct.

>>>
>>> Things look correct AFAIK, is there a way to test helper loading or see
>>> if they got loaded.
>>
>> sh -x /usr/share/shorewall/firewall restart > trace 2>&1
> 
> Weird, I have no /usr/share/shorewall/firewall file, I looked in the
> package and there is no such file either.
> 
> Even more, I looked at the previous version 4.6.11, which is working,
> and there is no /usr/share/shorewall/firewall file either.
> 

Sorry -- the file is /var/lib/shorewall/firewall :-(

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



--

___
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel


Re: [leaf-devel] shorewall

2015-09-30 Thread Erich Titl
Hi Folks

Am 30.09.2015 um 16:49 schrieb kp kirchdoerfer:
> Am Mittwoch, 30. September 2015, 08:58:17 schrieb Erich Titl:
>> Hi Tom
>>
>> Am 30.09.2015 um 03:36 schrieb Tom Eastep:

I got it running, well partially, and as usual the culprit could be
found by looking in the mirror.

The problem was that I wrongly combined initrd.lrp and initmod.lrp. Most
missing modules were in initmod.lrp and not copied to the combined cpio
archive. Why these modules are not included in moddb beats me.

Thanks

ET




Re: [leaf-devel] shorewall

2015-09-30 Thread kp kirchdoerfer
Am Mittwoch, 30. September 2015, 08:58:17 schrieb Erich Titl:
> Hi Tom
> 
> Am 30.09.2015 um 03:36 schrieb Tom Eastep:
> > On 9/29/2015 3:59 PM, Erich Titl wrote:
> >> Hi Tom
> >> 
> >> Am 30.09.2015 um 00:34 schrieb Tom Eastep:
> >> ...
> >> 
> >>> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
> >>> module autoloading is enabled. It rather associates each helper with its
> >>> standard protocols and ports -- see the /etc/shorewall/conntrack file.
> >>> The standard /usr/share/shorewall/helpers file should cause them to be
> >>> loaded however, provided that the setting of MODULE_SUFFIX in
> >>> shorewall.conf is correct.
> >> 
> >> Things look correct AFAIK, is there a way to test helper loading or see
> >> if they got loaded.
> > 
> > sh -x /usr/share/shorewall/firewall restart > trace 2>&1

Try 

sh -x /var/lib/firewall restart > trace 2>&1

kp

> Weird, I have no /usr/share/shorewall/firewall file, I looked in the
> package and there is no such file either.
> 
> Even more, I looked at the previous version 4.6.11, which is working,
> and there is no /usr/share/shorewall/firewall file either.
> 
> Thanks
> 
> Erich


Re: [leaf-devel] shorewall

2015-09-29 Thread Erich Titl
Hi Tom

Am 30.09.2015 um 03:36 schrieb Tom Eastep:
> On 9/29/2015 3:59 PM, Erich Titl wrote:
>> Hi Tom
>>
>> Am 30.09.2015 um 00:34 schrieb Tom Eastep:
>> ...
>>
>>>
>>> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
>>> module autoloading is enabled. It rather associates each helper with its
>>> standard protocols and ports -- see the /etc/shorewall/conntrack file.
>>> The standard /usr/share/shorewall/helpers file should cause them to be
>>> loaded however, provided that the setting of MODULE_SUFFIX in
>>> shorewall.conf is correct.
>>>
>>
>> Things look correct AFAIK, is there a way to test helper loading or see
>> if they got loaded.
> 
> sh -x /usr/share/shorewall/firewall restart > trace 2>&1

Weird, I have no /usr/share/shorewall/firewall file, I looked in the
package and there is no such file either.

Even more, I looked at the previous version 4.6.11, which is working,
and there is no /usr/share/shorewall/firewall file either.

Thanks

Erich





Re: [leaf-devel] shorewall

2015-09-29 Thread Tom Eastep
On 9/29/2015 3:59 PM, Erich Titl wrote:
> Hi Tom
> 
> Am 30.09.2015 um 00:34 schrieb Tom Eastep:
> ...
> 
>>
>> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
>> module autoloading is enabled. It rather associates each helper with its
>> standard protocols and ports -- see the /etc/shorewall/conntrack file.
>> The standard /usr/share/shorewall/helpers file should cause them to be
>> loaded however, provided that the setting of MODULE_SUFFIX in
>> shorewall.conf is correct.
>>
> 
> Things look correct AFAIK, is there a way to test helper loading or see
> if they got loaded.

sh -x /usr/share/shorewall/firewall restart > trace 2>&1

The 'trace' file will show everything that happened during restart.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [leaf-devel] shorewall

2015-09-29 Thread Erich Titl
Hi Tom

Am 30.09.2015 um 00:34 schrieb Tom Eastep:
...

> 
> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
> module autoloading is enabled. It rather associates each helper with its
> standard protocols and ports -- see the /etc/shorewall/conntrack file.
> The standard /usr/share/shorewall/helpers file should cause them to be
> loaded however, provided that the setting of MODULE_SUFFIX in
> shorewall.conf is correct.
> 

Things look correct AFAIK, is there a way to test helper loading or see
if they got loaded.

Thanks

Erich




Re: [leaf-devel] shorewall

2015-09-29 Thread Erich Titl
Hi Tom

Am 30.09.2015 um 00:34 schrieb Tom Eastep:
> On 09/29/2015 03:17 PM, Erich Titl wrote:
>> Hi Folks
>>
>> Am 29.09.2015 um 22:32 schrieb Erich Titl:
>>> Hi Folks
>>>
>>> I seem to be stuck in my 5_2  attempts :-(
>>>
>>> shorewall refuses to start and I have difficulties understanding why. I
>>> can see there are a number of iptables related modules missing
>>
>> I checked the sha sums of all files which I would think are relevant for
>> my installation
>> linux, modules.sqfs, iptables, libnetfilter stuff...
>>
>> They all match the ones from the 5.2 geode tarball at sourceforge, so I
>> am pretty sure there is no  mismatch there
>>
>> I am observing the following
>>
>> [   46.352907] nf_conntrack version 0.5.0 (4002 buckets, 16008 max)
>> [   46.678087] xt_CT: No such helper "tftp"
>> [   46.711720] xt_CT: No such helper "tftp-0"
>> [   46.745385] xt_CT: No such helper "RAS"
>> [   46.899835] xt_CT: No such helper "snmp"
>> [   46.933877] xt_CT: No such helper "amanda"
>> [   47.025431] xt_CT: No such helper "sane"
>> [   47.060872] xt_CT: No such helper "sane-0"
>> [   47.097270] xt_CT: No such helper "netbios-ns"
>> [   47.132871] xt_CT: No such helper "irc"
>> [   47.169289] xt_CT: No such helper "irc-0"
>>
>> This appears to come from missing helpers for nf_conntrack. I have set
>> AUTOHELPERS=Yes
>> in shorewall.conf, so shorewall is supposed to load helpers when needed.
>>
>> Any bright ideas welcome
> 
> AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
> module autoloading is enabled. It rather associates each helper with its
> standard protocols and ports -- see the /etc/shorewall/conntrack file.
> The standard /usr/share/shorewall/helpers file should cause them to be
> loaded however, provided that the setting of MODULE_SUFFIX in
> shorewall.conf is correct.

MODULESDIR=/lib/modules

MODULE_SUFFIX=ko

...

#
# Shorewall version 4 - Helpers File
#
# /usr/share/shorewall/helpers
#
#   This file loads the kernel helper modules.
#
#   THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!! You MUST load in
#   dependency order. i.e., if M2 depends on M1 then you must load M1
#   before you load M2.
#
#  If you need to modify this file, copy it to /etc/shorewall and modify the
#  copy.
#
###

# Helpers
#
loadmodule ip_conntrack_amanda
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_h323
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_conntrack_pptp
loadmodule ip_conntrack_sip
loadmodule ip_conntrack_tftp
loadmodule ip_nat_amanda
loadmodule ip_nat_ftp
loadmodule ip_nat_h323
loadmodule ip_nat_irc
loadmodule ip_nat_pptp
loadmodule ip_nat_sip
loadmodule ip_nat_snmp_basic
loadmodule ip_nat_tftp
#
...

SALT# ls /usr/lib/libnetfilter_*
/usr/lib/libnetfilter_acct.so /usr/lib/libnetfilter_log.so
/usr/lib/libnetfilter_acct.so.1   /usr/lib/libnetfilter_log.so.1
/usr/lib/libnetfilter_acct.so.1.0.0
/usr/lib/libnetfilter_log.so.1.1.0
/usr/lib/libnetfilter_conntrack.so
/usr/lib/libnetfilter_log_libipulog.so
/usr/lib/libnetfilter_conntrack.so.3
/usr/lib/libnetfilter_log_libipulog.so.1
/usr/lib/libnetfilter_conntrack.so.3.5.0
/usr/lib/libnetfilter_log_libipulog.so.1.0.0

but
lsmod | grep ip_conntrack

yields nothing


Thanks

Erich
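
Added example, not part of the thread and not Shorewall code: a POSIX shell check that takes the 'xt_CT: No such helper' kernel messages quoted above and reports, per helper, whether its module is loaded, only present under MODULESDIR, or absent from the image. The function names and the mapping from helper names to mainline nf_conntrack_* modules are assumptions of this example; the module list and module directory used in demo() are constructed.

```shell
#!/bin/sh
# Added example: explain 'xt_CT: No such helper' kernel messages by checking
# whether the module that registers each helper is loaded or at least on disk.

# Print the unique helper names from 'xt_CT: No such helper "NAME"' lines (stdin).
# Assumption: a trailing -<number> ("tftp-0") is another instance of one helper.
missing_helpers() {
    sed -n 's/.*xt_CT: No such helper "\([^"]*\)".*/\1/p' |
        sed 's/-[0-9][0-9]*$//' | LC_ALL=C sort -u
}

# Map a helper name to the module that registers it.
# Assumption: mainline nf_conntrack_* module names, not taken from the thread.
helper_module() {
    case "$1" in
        RAS|Q.931|H.245) echo nf_conntrack_h323 ;;
        netbios-ns)      echo nf_conntrack_netbios_ns ;;
        *)               echo "nf_conntrack_$1" ;;
    esac
}

# Classify one module as loaded, on-disk or absent.
#   $1 module name   $2 file in /proc/modules format
#   $3 MODULESDIR    $4 MODULE_SUFFIX (one or more, space separated)
module_state() {
    if awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"; then
        echo loaded
        return 0
    fi
    for sfx in $4; do
        if [ -n "$(find "$3" -name "$1.$sfx" 2>/dev/null | head -n 1)" ]; then
            echo on-disk
            return 0
        fi
    done
    echo absent
}

# Read kernel log text on stdin; print "helper module state" per missing helper.
#   $1 module list file   $2 MODULESDIR   $3 MODULE_SUFFIX
# Live use: dmesg | helper_report /proc/modules /lib/modules ko
helper_report() {
    missing_helpers | while read -r helper; do
        mod=$(helper_module "$helper")
        echo "$helper $mod $(module_state "$mod" "$1" "$2" "$3")"
    done
}

# Demo: kernel log lines as quoted in the thread, checked against a
# constructed module list and a constructed module directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib/modules"
    : > "$tmp/lib/modules/nf_conntrack_irc.ko"
    printf '%s\n' 'nf_conntrack_tftp 12345 0 - Live 0x00000000' \
        'nf_conntrack 67890 1 nf_conntrack_tftp, Live 0x00000000' > "$tmp/modules"
    helper_report "$tmp/modules" "$tmp/lib/modules" ko <<'EOF'
[   46.678087] xt_CT: No such helper "tftp"
[   46.711720] xt_CT: No such helper "tftp-0"
[   46.745385] xt_CT: No such helper "RAS"
[   47.132871] xt_CT: No such helper "irc"
[   47.169289] xt_CT: No such helper "irc-0"
EOF
    rm -rf "$tmp"
}
demo
```

A helper reported as "absent" points at the image contents (the module file is not there to load), while "on-disk" points at the load step, such as the helpers file or MODULE_SUFFIX.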



Re: [leaf-devel] shorewall

2015-09-29 Thread Tom Eastep
On 09/29/2015 03:17 PM, Erich Titl wrote:
> Hi Folks
> 
> Am 29.09.2015 um 22:32 schrieb Erich Titl:
>> Hi Folks
>>
>> I seem to be stuck in my 5_2  attempts :-(
>>
>> shorewall refuses to start and I have difficulties understanding why. I
>> can see there are a number of iptables related modules missing
> 
> I checked the sha sums of all files which I would think are relevant for
> my installation
> linux, modules.sqfs, iptables, libnetfilter stuff...
> 
> They all match the ones from the 5.2 geode tarball at sourceforge, so I
> am pretty sure there is no  mismatch there
> 
> I am observing the following
> 
> [   46.352907] nf_conntrack version 0.5.0 (4002 buckets, 16008 max)
> [   46.678087] xt_CT: No such helper "tftp"
> [   46.711720] xt_CT: No such helper "tftp-0"
> [   46.745385] xt_CT: No such helper "RAS"
> [   46.899835] xt_CT: No such helper "snmp"
> [   46.933877] xt_CT: No such helper "amanda"
> [   47.025431] xt_CT: No such helper "sane"
> [   47.060872] xt_CT: No such helper "sane-0"
> [   47.097270] xt_CT: No such helper "netbios-ns"
> [   47.132871] xt_CT: No such helper "irc"
> [   47.169289] xt_CT: No such helper "irc-0"
> 
> This appears to come from missing helpers for nf_conntrack. I have set
> AUTOHELPERS=Yes
> in shorewall.conf, so shorewall is supposed to load helpers when needed.
> 
> Any bright ideas welcome

AUTOHELPERS=Yes doesn't cause helpers to be loaded automatically, unless
module autoloading is enabled. It rather associates each helper with its
standard protocols and ports -- see the /etc/shorewall/conntrack file.
The standard /usr/share/shorewall/helpers file should cause them to be
loaded however, provided that the setting of MODULE_SUFFIX in
shorewall.conf is correct.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [leaf-devel] shorewall

2015-09-29 Thread Erich Titl
Hi Folks

Am 29.09.2015 um 22:32 schrieb Erich Titl:
> Hi Folks
> 
> I seem to be stuck in my 5_2  attempts :-(
> 
> shorewall refuses to start and I have difficulties understanding why. I
> can see there are a number of iptables related modules missing

I checked the sha sums of all files which I would think are relevant for
my installation
linux, modules.sqfs, iptables, libnetfilter stuff...

They all match the ones from the 5.2 geode tarball at sourceforge, so I
am pretty sure there is no  mismatch there

I am observing the following

[   46.352907] nf_conntrack version 0.5.0 (4002 buckets, 16008 max)
[   46.678087] xt_CT: No such helper "tftp"
[   46.711720] xt_CT: No such helper "tftp-0"
[   46.745385] xt_CT: No such helper "RAS"
[   46.899835] xt_CT: No such helper "snmp"
[   46.933877] xt_CT: No such helper "amanda"
[   47.025431] xt_CT: No such helper "sane"
[   47.060872] xt_CT: No such helper "sane-0"
[   47.097270] xt_CT: No such helper "netbios-ns"
[   47.132871] xt_CT: No such helper "irc"
[   47.169289] xt_CT: No such helper "irc-0"

This appears to come from missing helpers for nf_conntrack. I have set
AUTOHELPERS=Yes
in shorewall.conf, so shorewall is supposed to load helpers when needed.

Any bright ideas welcome

ET







Re: [leaf-devel] Shorewall Package

2012-03-14 Thread KP Kirchdoerfer
Am 08.03.2012 23:34, schrieb Yves Blusseau:
> Hi all,
> 
> I resend my email because it seems that it has not been delivered properly to
> the mailing list:
> 
> 
> I see that shorewall updated its stable version to 4.5.0.3. Do you think to
> upgrade the leaf package to this version ?
> 
> Another note, if I try a command like:
> 
> # shorewall update -a
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
>    ERROR: /usr/share/doc/shorewall/default-config/shorewall.conf.annotated does not exist
> 
> as you can see, it can't upgrade the configuration because it doesn't have 
> the default-config files.
> 
> What do you think about building a new package with shorewall documentation 
> (/usr/share/doc/shorewall) like shorewall-doc.lrp or add only the 
> /usr/share/doc/shorewall/default-config directory (200ko) to the current 
> package ?


Hi Yves;

I've committed a first version of 4.5.0.3 setup to next branch. It's
probably not too much work to backport those to master branch.
If you'll try and run into pb's let us know.

Note:
libdigest-sha1-perl is required for shorewall 4.5.x
There are no packages for shorewall(6)-lite yet. I don't know if they are
used at all and I don't know of anyone who is willing to test them.

kp




Re: [leaf-devel] Shorewall Package

2012-03-08 Thread KP Kirchdoerfer
Hi Yves;

Am 08.03.2012 23:34, schrieb Yves Blusseau:
> Hi all,
> 
> I resend my email because it seems that it has not been delivered properly to
> the mailing list:
> 
> 
> I see that shorewall updated its stable version to 4.5.0.3. Do you think to
> upgrade the leaf package to this version ?

Yes, I'm planning for a shorewall update to latest stable after
Bering-uClibc 4.2 has been released/tagged, which will be done over the
weekend.
It worked well in the past to be a bit conservative updating to newer
shorewall versions, and we usually don't include major updates in the
late release cycle (rc1), if it's not for fixing annoying bugs.

shorewall 4.5 is also a special case, cause it seems to require a more
or less complete rework of the shorewall packages, so it will need more
time and testing.

> Another note, if I try a command like:
> 
> # shorewall update -a
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
>    ERROR: /usr/share/doc/shorewall/default-config/shorewall.conf.annotated does not exist
> 
> as you can see, it can't upgrade the configuration because it doesn't have 
> the default-config files.
> 
> What do you think about building a new package with shorewall documentation 
> (/usr/share/doc/shorewall) like shorewall-doc.lrp or 
> add only the /usr/share/doc/shorewall/default-config directory (200ko) to the 
> current package ?

You can update with "apkg -u", but I confess, I've overlooked the update
option cause apkg -u just worked, even before shorewall update has been
introduced. Anyway I do see that shorewall update will do a much better
job now regarding shorewall updates.
So yes, if it's possible to add the necessary files (.annotated) with a
separate package to get the shorewall update command working, it will be
a welcome improvement.

kp



Re: [leaf-devel] shorewall documentation in configfiles

2011-06-08 Thread Erich Titl
Hi

on 08.06.2011 19:04, KP Kirchdoerfer wrote:
> Am Mittwoch, 8. Juni 2011, um 18:53:16 schrieb davidMbrooke:
...
> 
> Hi David;
> 
> you're not alone complaining about the changes, in the meantime Tom changed
> the default in 4.4.20.1, so in the latest packages I committed yesterday
> everything is as it was (at least it should be). :)
> 
> Anyway, *I* always liked the well-documented configuration files in the early 
> releases (2.x), but get used myself to read the manpages instead.

I personally like the documentation, it will never be as complete as in
the web pages though.


I am deploying routers based on shorewall as satellites and manage the
complex stuff at the central location using fwbuilder which I _believe_
is a great add_on to any firewall distro.

Whenever I have to modify one of the satellite systems, I am glad for
the examples I find there. In the long run I might switch to fwbuilder
based configurations completely as it allows a much better integration
of complex networks.

Shorewall is a beautiful tool for a site with few firewalls which are
relatively independent as it takes the sting out of iptables.


cheers

Erich



Re: [leaf-devel] shorewall documentation in configfiles

2011-06-08 Thread KP Kirchdoerfer
Am Mittwoch, 8. Juni 2011, um 18:53:16 schrieb davidMbrooke:
> On Sun, 2011-06-05 at 22:09 +0200, KP Kirchdoerfer wrote:
> > Hello;
> > 
> > 
> > in the beginning the shorewall configuration files had an exhaustive
> > documentation including examples.
> > 
> > Later the documentation has been removed to improve support for
> > size-constrained distros like LEAF, and was only available online or in
> > the man-pages (which we never added to our packages).
> > 
> > With the latest upstream version 4.4.20 the documentation has been
> > reintroduced into the config files, though the shrunk config files are
> > still around (using the -p option during install, or for our buildtool
> > setup to package *.plain).
> > 
> > Beginning with Bering-uClibc 4.x we do not support a floppy-only setup
> > any longer and size can weighted up convenience.
> > 
> > My question is, do we want to include again the documented config files,
> > or shall we stick with the shrunk versions and pointing to the online
> > docs at shorewall.net?
> > 
> > kp
> 
> Hi kp,
> 
> I have just looked at the "annotated" config files in the Shorewall
> 4.4.20 distribution and IMHO the documentation will just get in the way
> when editing the files. My /etc/shorewall/rules file is already large
> enough :-)
> 
> My vote is therefore to stay as we are, using the "plain" files, and to
> clearly direct users to the online documentation at shorewall.net,
> though I am happy to be outvoted if others disagree.

Hi David;

you're not alone complaining about the changes, in the meantime Tom changed
the default in 4.4.20.1, so in the latest packages I committed yesterday
everything is as it was (at least it should be). :)

Anyway, *I* always liked the well-documented configuration files in the early 
releases (2.x), but get used myself to read the manpages instead.

sorry for the noise.

kp



Re: [leaf-devel] shorewall documentation in configfiles

2011-06-08 Thread davidMbrooke
On Sun, 2011-06-05 at 22:09 +0200, KP Kirchdoerfer wrote:
> Hello;
> 
> 
> in the beginning the shorewall configuration files had an exhaustive 
> documentation including examples.
> 
> Later the documentation has been removed to improve support for
> size-constrained distros like LEAF, and was only available online or in
> the man-pages (which we never added to our packages).
> 
> With the latest upstream version 4.4.20 the documentation has been
> reintroduced into the config files, though the shrunk config files are
> still around (using the -p option during install, or for our buildtool
> setup to package *.plain).
> 
> Beginning with Bering-uClibc 4.x we do not support a floppy-only setup any
> longer and size can weighted up convenience.
> 
> My question is, do we want to include again the documented config files, or
> shall we stick with the shrunk versions and pointing to the online docs at
> shorewall.net?
> 
> kp

Hi kp,

I have just looked at the "annotated" config files in the Shorewall
4.4.20 distribution and IMHO the documentation will just get in the way
when editing the files. My /etc/shorewall/rules file is already large
enough :-)

My vote is therefore to stay as we are, using the "plain" files, and to
clearly direct users to the online documentation at shorewall.net,
though I am happy to be outvoted if others disagree.

dMb





Re: [leaf-devel] Shorewall configuration

2011-05-09 Thread davidMbrooke
On Mon, 2011-05-09 at 16:28 +1000, ads...@genis-x.com wrote:
> Hi all,
> 
> Just playing with the latest RC1
> Bering-uClibc_4.0-rc1_i686_syslinux_vga.tar.gz
> 
> Prep'd a USB boot stick and booted for the first time. I have a minimum
> amount of packages at the moment.
> 
> LRP="root config etc modules mawk iptables keyboard libm perl shorwall
> dropbear"
> 
> On start up I get the following error from shorewall.
> ERROR: Your kernel/iptables do not include state match support. No version
> of Shorewall will run on this system
> 
> Have I missed a config step? Or a module?
> 
> Cheers
> Adam

Hi Adam,

That's really a leaf-user sort of question (rather than leaf-devel) but
I'll let you off this one time... :-)

An unmodified Bering-uClibc_4.0-rc1_i686_syslinux_vga.tar.gz works OK
and if I edit leaf.cfg to match your LRP= list it still works OK.

To me it sounds like you have managed to lose some of the standard
modules from moddb.lrp

The ERROR message comes from /usr/share/shorewall/Shorewall/Config.pm,
line 2603, so I recommend you have a look at the commands which are run
there to see if that provides any clues.

davidMbrooke




Re: [leaf-devel] [Shorewall-users] v3.4.x problems on Bering-uClibc

2007-06-21 Thread Tom Eastep
[EMAIL PROTECTED] wrote:
> I am trying to setup Bering uClibc 3.1 beta 1,
> 
> However, when I try to insert some config in shorewall/tcdevices and tcclasses
> shorewall check complains with these
> --
> Validating /etc/shorewall/tcdevices...
> sed: bad option in substitution expression
> sed: bad option in substitution expression
> Validating /etc/shorewall/tcclasses...
> Checking /etc/shorewall/tcdevices...
> sed: bad option in substitution expression
> sh: 0: unknown operand
> Checking /etc/shorewall/tcclasses...
> sed: bad option in substitution expression
> sed: bad option in substitution expression
> /usr/share/shorewall/compiler: line 1: syntax error:   * ( 128 / 10 )

Shorewall 3.4 uses a 'sed' command that isn't supported by Busybox sed. I've
reverted the code back to the way it was in 3.2.

You can download an updated lib.tc from:

http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.4/errata/Shorewall/lib.tc

And yes, it will work with Shorewall 3.4.3.

Bering team: There's a patch in the errata/patches/Shorewall sub-directory.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Shorewall-perl 3.9.0

2007-04-01 Thread Mike Noyes
On Sun, 2007-04-01 at 17:43, Tom Eastep wrote:
> This is the first development release of the new Perl-based compiler.

Tom,
Congratulations on the new release. :-)

Everyone,
Now is the time to see if we can get the new perl release working with
microperl.

> It may be downloaded from:
> 
> http://www1.shorewall.net/pub/shorewall/development/3.9/shorewall-perl-3.9.0/
> ftp://ftp1.shorewall.net/pub/shorewall/development/3.9/shorewall-perl-3.9.0/
> 
> Release notes are attached.

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] [Shorewall-users] Shorewall4

2007-03-28 Thread Tom Eastep
Simon Hobson wrote:
> Tom Eastep wrote:
> 
>> Eventually, I might break Shorewall into three pieces:
>>
>> - shorewall-common
>> - shorewall-shell
>> - shorewall-perl
> 
> Now that does make sense.
> 

At such time as I do this (maybe as early as Shorewall 4.0.0), I will be
looking for someone else to take over the maintenance of shorewall-shell.
Possibly one of the embedded distributions would be interested since those
are likely to be the only users of the package going forward.

Over the next several weeks, I'm going to be testing shorewall-perl under
Cygwin; Shorewall + Shorewall-perl running on a PC with Shorewall-lite
running on small appliance firewalls might be attractive.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] New Perl-based Compiler

2007-03-20 Thread Tom Eastep
Tom Eastep wrote:

> 
> I forgot one step:
> 
> e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the
> Directory containing the trunk/New files. On my system, I have:
> 
> [EMAIL PROTECTED]:~/shorewall# ll /usr/share/shorewall/Shorewall
> lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall ->
> /home/teastep/shorewall/trunk/New
> [EMAIL PROTECTED]:~/shorewall#
> 
> And in my shorewall.conf copy:
> 
> CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall

After I sent this, I realized that the way I had done this was not the way I
intended. Using the current contents of SVN, do it this way instead:

e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the
   Directory containing the trunk/New/Shorewall files. On my system, I have:

[EMAIL PROTECTED]:~/shorewall# ll /usr/share/shorewall/Shorewall
lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall ->
/home/teastep/shorewall/trunk/New/Shorewall
[EMAIL PROTECTED]:~/shorewall#

And in my shorewall.conf copy:

CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] New Perl-based Compiler

2007-03-20 Thread Tom Eastep
Tom Eastep wrote:
> My experimentation with a Perl-based compiler for Shorewall is beginning
> to bear fruit. Here is a timing from the main firewall at shorewall.net
> using the Perl-based compiler. That compiler generates a script that
> uses iptables-restore to configure Netfilter.
> 
> [EMAIL PROTECTED]:~/shorewall# shorewall restart .
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall
> done.
> 
> real    0m2.403s
> user    0m0.604s
> sys     0m0.492s
> [EMAIL PROTECTED]:~/shorewall# shorewall show log
> 
> Contrast that with the standard 3.4.1 compiler:
> 
> [EMAIL PROTECTED]:~/shorewall# time shorewall restart
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall
> done.
> 
> real    0m7.054s
> user    0m2.020s
> sys     0m2.964s
> [EMAIL PROTECTED]:~/shorewall# 
> 
> The new compiler still uses the shell as its preprocessor to process the
> 'params' file, expand shell variables in configuration files and to
> strip comments from those files. Approximately one second of the elapsed
> time occurs before the Perl-based compiler even starts.
> 
> The compiler is far from complete -- no 'detect' features are supported
> yet. Those will cause the generated script to run quite a bit slower
> because the iptables-restore input must be reprocessed in the generated
> script to add the rules that result from detected addresses. 
> 
> Anyone wishing to play with it can do so as follows:
> 
> a) Install Shorewall 3.4.1.
> b) Get a copy of the trunk/New SVN files.
> c) Make a copy of your /etc/shorewall directory.
> d) Modify the shorewall.conf file in the copied directory as follows:
> 
>   1- Add 'EXPERIMENTAL=Yes'
>   2- Modify CONFIG_PATH to include the directory where you placed 
>  the trunk/New files.

I forgot one step:

e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the
Directory containing the trunk/New files. On my system, I have:

[EMAIL PROTECTED]:~/shorewall# ll /usr/share/shorewall/Shorewall
lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall ->
/home/teastep/shorewall/trunk/New
[EMAIL PROTECTED]:~/shorewall#

And in my shorewall.conf copy:

CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall
-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Nathan Angelacos
Tom Eastep wrote:
> Natanael Copa wrote:
> 
>> Have you thought of lua? should give you better performance than perl
>> and would still be small enough for embedded. I can't say I have been
>> looking at the shorewall code, but lua is very table oriented, which
>> might be good for your table based config files.
> 
> I suspect that the parser part of Shorewall might be difficult to write
> entirely in LUA (although I've only browsed the reference manual). Also, LUA
> appears to be a language that may only be embedded in C -- it does not stand
> on its own. So what you end up with is a C program that uses a "smart 
> library".
> 

Tom,

Since I was mentioned in this thread already, I'll give my $0.02.  Feel
free to send to /dev/null

A) The Lua manual is really bad.  LuaForge is a mess.  I really needed
Programming in Lua to make sense of the language (Ver 1 is online,
http://www.lua.org/pil/). Version 2 is only available in dead-tree format
and was worth the cost.

B) The Lua parser is surprisingly good for regex type stuff.  It's just
/different/ from the other "standard" regexes.

C) You are right about Lua wanting to be embedded in C (or some other
language) - imagine however, a tiny "C" wrapper that forked
iptables-restore[1] once and then used a lua parser to send all the data
to that one process instead of forking iptables 1000's of times.  The C
code would be minimal, just enough to instantiate a Lua VM.

D) Shorewall is YOUR fun project... so none of the above need apply. ;-)



[1] - Believe it or not,
http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
says this is the "official" way to program iptables without using
system() calls.
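
The approach in point C, one process fed the whole ruleset, sketched in shell as an added example (not code from this thread or from Shorewall). The chain policies, rules and port list are constructed for illustration, and `valid_port` and `build_restore_input` are hypothetical names.

```shell
#!/bin/sh
# Emit a complete filter-table ruleset as ONE iptables-restore stream,
# instead of launching the iptables binary once per rule.
# Policies, rules and ports below are constructed sample data.

# valid_port N -- true only for a plain decimal TCP port 1..65535.
# Anything else (empty, leading zero, non-digits) is refused, so a
# value read from a config file cannot smuggle extra rule text in.
valid_port() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# build_restore_input PORT... -- print the stream on stdout.
build_restore_input() {
    # Validate every entry before printing anything: a bad entry must
    # produce no stream at all, never a truncated one.
    for port in "$@"; do
        valid_port "$port" || { echo "rejected port: $port" >&2; return 1; }
    done

    # Table header, chain policies, then the rules in order.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done

    # iptables-restore applies the table when it reads COMMIT, so the
    # kernel never sees a half-built ruleset.
    printf '%s\n' 'COMMIT'
}

# Sample run with constructed ports; prints the stream only.
build_restore_input 22 80 443
```

Piping the output into `iptables-restore --test` parses the stream without committing it.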



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Simon Matter wrote:

> My question is whether it's possible to use perl for some kind of
> Shorewall-accelerator. I mean if it would be possible to create a simple
> shell to perl converter which then runs perl instead of the shell and does
> exactly the same, then it could be used whenever perl is available,
> otherwise a shell would be used.

If we look at overall performance, the compiler and the generated script need
to be considered separately.

I don't believe that the fact that the generated script is interpreted using a
Bourne shell is a significant contributing factor to its performance. The bulk
of the time is spent in fork() and exec() while launching iptables 1000s of
times. So I think that we're safe in leaving that part alone.

The compiler is a different issue.

One problem is that some of the things needed to make Shorewall generate
iptables-restore input would be very slow if implemented in the shell.

Even though Perl is a somewhat quirky language, it works really well for
writing the compiler part of Shorewall. But the Perl version of the compiler
employs quite different algorithms from those used in the shell.

My belief is that a shell->Perl translator capable of translating the current
Shorewall shell code would comprise a much larger project than Shorewall
itself. One example of what it would need to do:

Because the shell provides exactly one hash table (its symbol table),
the current Shorewall code manufactures symbols on the fly (using
'eval') in an attempt to provide some of the same function that Perl
hashes do. It would take a very smart program to see through what the
current code is doing and create Perl hashes instead.

Another factor concerning the current code is that it is beginning to get
somewhat fragile. Today's Shorewall is doing many things that were not
envisioned in the original design. The shell also tends to promote some bad
programming practices, owing to the fact that all symbols are global (and I
didn't start from the beginning setting the -u option). As a consequence, it
is getting more and more difficult to extend the code to do new things without
breaking old things.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
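
The eval-manufactured symbols described in this message, sketched as an added example (not Shorewall's code). The names `hash_key_ok`, `hash_set` and `hash_get` and the sample zone data are hypothetical; the point is that every key ends up inside a string passed to `eval`, so it has to be checked first.

```shell
#!/bin/sh
# A hash emulated in POSIX sh by building variable names at run time.
# The shell's only table is its global symbol table, so each entry is
# stored as a global variable named __TABLE_KEY.

# hash_key_ok NAME -- true only for non-empty identifier characters.
# TABLE and KEY become part of text that eval parses as shell code;
# a ';', '$', backquote or space in them would be executed, not stored.
hash_key_ok() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hash_set TABLE KEY VALUE
hash_set() {
    hash_key_ok "$1" && hash_key_ok "$2" || return 1
    # eval sees:  __TABLE_KEY=$3
    # The value is expanded as a parameter, never re-parsed as code.
    eval "__${1}_${2}=\$3"
}

# hash_get TABLE KEY -- print the value; return 1 if there is no entry.
hash_get() {
    hash_key_ok "$1" && hash_key_ok "$2" || return 1
    # The ${name+set} form keeps this safe under 'set -u' as well.
    eval "[ -n \"\${__${1}_${2}+set}\" ]" || return 1
    eval "printf '%s\n' \"\$__${1}_${2}\""
}

# Constructed sample data.
hash_set zones loc '192.168.1.0/24'
hash_set zones dmz '192.168.2.0/24'
hash_get zones dmz

# Fragility that comes with one global namespace: table "a_b" key "c"
# and table "a" key "b_c" both map to the variable __a_b_c.
hash_set a_b c first
hash_set a b_c second
hash_get a_b c        # prints "second": the two entries collided
```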



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Mike Noyes wrote:
>
> 
> I'd worry when distributions start dropping Shorewall. That's an
> indication of decline.
> 

Good point.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Natanael Copa wrote:

> 
> Have you thought of lua? should give you better performance than perl
> and would still be small enough for embedded. I can't say I have been
> looking at the shorewall code, but lua is very table oriented, which
> might be good for your table based config files.

I suspect that the parser part of Shorewall might be difficult to write
entirely in LUA (although I've only browsed the reference manual). Also, LUA
appears to be a language that may only be embedded in C -- it does not stand
on its own. So what you end up with is a C program that uses a "smart library".

The change in Shorewall 3.0 which produced the compiler and Shorewall Lite was
intended to pave the way toward an environment where the heavy lifting could
be done on a central system and the generated firewall script exported to
smaller less-powerful devices. In that model, the language in which the
compiler is written is not so important for portability. The current compiler
can even run under Cygwin on Windows systems (or it could the last time I
tried it).

I (or someone else -- any volunteers?) will probably continue to support
Shorewall 3.4 for the foreseeable future (although enhancements will be
minimal). So those who are happy with the current state of the package can
continue to use it.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Mike Noyes
On Fri, 2007-02-23 at 16:02, Tom Eastep wrote:

> Activity on the mailing lists and IRC channel has been steadily declining
> for the last couple of years. This signals to me that the rate at which
> people are adopting Shorewall is waning (I grant that the documentation has
> gotten better over the years which helps lower the noise level somewhat).
> While I've never had any ambitions toward dominating the OSS firewall
> market, Shorewall takes a lot of work so I would prefer to spend my effort
> on something that people want to use. Maybe it is still Shorewall -- maybe
> it is something else.

Tom,
I just did a few Google searches, and I now think it's something else.
Shorewall is included in most distributions (Debian, Ubuntu, OpenSUSE,
Gentoo, etc.), and the website is mirrored in multiple locations. It
looks like people are asking for assistance in a variety of places.
Shorewall support looks distributed and successful.

Example:
http://gentoo-wiki.com/HOWTO_Shorewall_Firewall_IPsec_VPN_and_2.6_kernel
http://gentoo-wiki.com/SECURITY_Howto_setup_a_firewall_with_shorewall

I'd worry when distributions start dropping Shorewall. That's an
indication of decline.

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-24 Thread Natanael Copa
On Fri, 23 Feb 2007 16:02:06 -0800
Tom Eastep <[EMAIL PROTECTED]> wrote:

> I have begun some experimentation with rewriting the compiler in Perl and
> that is looking promising. Converting to Perl will unfortunately present
> migration/compatibility issues with compile-time extension scripts although
> I've been able to retain shorewall.conf and /etc/shorewall/params
> functionality for the most part. A Perl-based compiler would of course mean
> the end of the road for Shorewall Embedded System support (at least for the
> full Shorewall product) since Perl is typically not available on those
> systems. Embedded Systems could still support Shorewall Lite.

Have you thought of lua? should give you better performance than perl
and would still be small enough for embedded. I can't say I have been
looking at the shorewall code, but lua is very table oriented, which
might be good for your table based config files.

btw. The LEAF webconf guy, Nathan, is working on a lua based webconf
framework.

Natanael Copa



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-24 Thread Mike Noyes
On Sat, 2007-02-24 at 11:21, Tom Eastep wrote:
> I have thought about rewriting in C or C++ but writing C/C++ code is
> what I've done for a living for years. I look at Shorewall as an
> opportunity to do something other than what I do in my professional life.

Tom,
Since, in my opinion, FOSS development is supposed to be fun, we don't
want to turn it into work for you.

Whatever you decide to do, thanks for the extra effort to make Shorewall
work with LEAF branches. It is greatly appreciated. :-)

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-24 Thread Tom Eastep
Mike Noyes wrote:

> Have you considered using glibc? This would address your speed issues,
> and possibly allow embedded systems to compile with uclibc.
> 
> 
>> I welcome your input and look forward to further discussion.
> 
> I hope my input is useful in some way.
> 

I have thought about rewriting in C or C++ but writing C/C++ code is
what I've done for a living for years. I look at Shorewall as an
opportunity to do something other than what I do in my professional life.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Shorewall 3.4.0 Beta 1

2007-01-12 Thread Tom Eastep
KP Kirchdoerfer wrote:

> Tom, the 3.4 beta has become pretty small, a complete build is only 98kb, a 
> minimal but useful package with additional "modules" is just 84kb. Many 
> thanks for your work to reduce the size.

You're welcome.

> 
> Do you intend to make the man pages available on the shorewall.net pages? 
>

I'll try to do that over the weekend.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Shorewall 3.4.0 Beta 1

2007-01-11 Thread KP Kirchdoerfer
Am Mittwoch, 10. Januar 2007 21:11 schrieb Tom Eastep:
> KP Kirchdoerfer wrote:
> > I've built a version of Beta 2 for LEAF in the meantime.
> >
> > I've found that installing shorewall within our buildtool env
> > the /usr/share/shorewall/lib* files have tripled with lib*.orig and
> > lib*.orig.orig
> >
> > Is this a shorewall problem in install.sh?
>
> Not that I'm aware of. The string 'orig' doesn't appear in install.sh
> and there are no .orig files in the tarballs.
>
> How is buildtool installing Shorewall?

Ok I've found the cause  - it's a combination of using wildcards with 
stripscript.pl. 
This line is the culprit:
"./stripscript.pl $(SHOREWALL_DIR)/lib.*"
That way running new builds produces lib.*.orig and ...orig.orig, 
orig.orig.orig and so on.

(Martin Hejl always warned us to rely on wildcards :)) 

Should be possible to work around.

Tom, the 3.4 beta has become pretty small, a complete build is only 98kb, a 
minimal but useful package with additional "modules" is just 84kb. Many 
thanks for your work to reduce the size.

Do you intend to make the man pages available on the shorewall.net pages? 

kp



Re: [leaf-devel] Shorewall 3.4.0 Beta 1

2007-01-10 Thread Tom Eastep
KP Kirchdoerfer wrote:

> I've built a version of Beta 2 for LEAF in the meantime.
> 
> I've found that installing shorewall within our buildtool env 
> the /usr/share/shorewall/lib* files have tripled with lib*.orig and 
> lib*.orig.orig
> 
> Is this a shorewall problem in install.sh?

Not that I'm aware of. The string 'orig' doesn't appear in install.sh
and there are no .orig files in the tarballs.

How is buildtool installing Shorewall?

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Shorewall 3.4.0 Beta 1

2007-01-10 Thread KP Kirchdoerfer
Am Donnerstag, 28. Dezember 2006 17:20 schrieb Tom Eastep:
> I'm pleased to announce that Shorewall 3.4.0 Beta 1 is available at
> ftp://shorewall.net/pub/shorewall/development/3.4/shorewall-3.4.0-Beta1 and
> at mirror sites world wide.
>

Thx Tom;

I've built a version of Beta 2 for LEAF in the meantime.

I've found that installing shorewall within our buildtool env 
the /usr/share/shorewall/lib* files have tripled with lib*.orig and 
lib*.orig.orig

Is this a shorewall problem in install.sh?

It's more or less a cosmetic pb, cause the buildscript only uses the real 
files...


kp



Re: [leaf-devel] Shorewall 3.3.0

2006-08-28 Thread KP Kirchdoerfer
Am Dienstag, 29. August 2006 00:09 schrieb Tom Eastep:
> Eric Spakman wrote:
> > Hello Tom,
> >
> > That's great news! Thank you very much!
>
> You're welcome, Eric.
>
> Note that I'm leaving the separate packaging of the individual libraries to
> the embedded distros like Bering; the packages that I release will always
> contain the full set of the libraries in as much as I don't believe that
> the average non-embedded Shorewall user is the least bit sensitive to the
> footprint issue.

Fair enough - and AFAIK it should be a one-time work to create the separate 
packaging.

thx for putting that much work to respond to my concerns!
kp



Re: [leaf-devel] Shorewall 3.3.0

2006-08-28 Thread Tom Eastep
Eric Spakman wrote:
> Hello Tom,
> 
> That's great news! Thank you very much!
> 

You're welcome, Eric.

Note that I'm leaving the separate packaging of the individual libraries to the
embedded distros like Bering; the packages that I release will always contain
the full set of the libraries in as much as I don't believe that the average
non-embedded Shorewall user is the least bit sensitive to the footprint issue.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Shorewall 3.3.0

2006-08-28 Thread Eric Spakman
Hello Tom,

That's great news! Thank you very much!

Eric Spakman

> I have opened up the 3.3 development thread.
>
>
> http://www1.shorewall.net/pub/shorewall/development/3.3/shorewall-3.3.0
> ftp://ftp1.shorewall.net/pub/shorewall/development/3.3/shorewall-3.3.0
>
>
> The two major changes in 3.3.0 when compared to 3.2.3 are:
>
>
> a) I have finished the code consolidation that I began in 3.2.3. Code
> that was duplicated in /usr/share/shorewall/compiler and
> /usr/share/shorewall/firewall is
> now moved to /usr/share/shorewall/functions. This change will also go into
> 3.2.4.
>
>
> b) To allow embedded applications to further reduce the Shorewall
> footprint, I have broken off sizable pieces of code into loadable
> "libraries". This will
> allow a small Shorewall core footprint that may be expanded through the
> addition of libraries as needed.
>
> Here are the libraries included in 3.3.0:
>
>
> -rw-r--r-- 1 teastep users  5686 2006-08-27 13:22 lib.accounting
> -rw-r--r-- 1 teastep users 10409 2006-08-27 11:42 lib.dynamiczones
> -rw-r--r-- 1 teastep users  7004 2006-08-27 14:01 lib.maclist
> -rw-r--r-- 1 teastep users 14055 2006-08-27 12:42 lib.nat
> -rw-r--r-- 1 teastep users 10879 2006-08-27 12:13 lib.providers
> -rw-r--r-- 1 teastep users  3519 2006-08-27 12:50 lib.proxyarp
> -rw-r--r-- 1 teastep users  9466 2006-08-27 11:42 lib.tc
> -rw-r--r-- 1 teastep users  8218 2006-08-27 12:28 lib.tcrules
> -rw-r--r-- 1 teastep users  6881 2006-08-27 13:26 lib.tunnels
>
>
> See the release notes for information about when each library is
> required.
>
> Although change b) adds code to Shorewall, change a) reduced the size of
> Shorewall to such an extent that 3.3.0 is still substantially smaller than
> 3.2.3:
>
>
> -rw-r--r-- 1 teastep users 234309 2006-08-26 10:54 shorewall-3.2.3.tgz
> -rw-r--r-- 1 teastep users 217330 2006-08-28 12:35 shorewall-3.3.0.tgz
>
>
> -Tom
> --
> Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
>
>





Re: [leaf-devel] Shorewall Code Bloat

2006-08-27 Thread KP Kirchdoerfer
Am Sonntag, 27. August 2006 19:17 schrieb Tom Eastep:
> Recently, KP sent me a private email that commented unfavorably on the
> increasing size of Shorewall. In my response, I indicated that there was
> some low-hanging fruit that could be picked to reduce Shorewall's overall
> size.
>
> I made some of the changes in the just-released 3.2.3 version. I've now
> completed the work and the current version in SVN (branches/3.2/Shorewall)
> shows the result.

Thx Tom!

I had a short look, and a first build of 3.2.3 is about 4kb smaller than 
3.2.2.
With 7kb free on a beta1 floppy, increasing free space more than 50% is 
significant. 

>
> I have experimented with modularizing Shorewall so that features like
> traffic shaping, accounting, etc. can be made optional and I will continue
> to pursue that approach for Shorewall 3.4.

We are looking forward to that, this may open interesting options.

favourable comments in public :)

kp



Re: [leaf-devel] Shorewall: leaf scripting & package format

2004-07-04 Thread Tom Eastep
Mike Noyes wrote:
> I know you've expressed concerns with LEAF branch scripting (ash,
> busybox) limitations in the past. Any suggestions (lua, ruby, etc.) you
> have are welcome. Maybe even contemplating a static target build from a
> Shorewall host script is an option.

I see this as an extension of the general problem for Linux developers 
that the various Linux distributions are quite incompatible with one 
another -- LEAF is just more incompatible.

> I wasn't aware that LEAF package format was of concern too. I know K.-P.
> is packaging shorewall now, and you support .deb and .rpm. I'm not quite
> seeing the problem here. Can you clarify the issue? Thanks.

The only issue there is that new Shorewall mirror admins need to modify 
their web server config to handle the non-standard filename extension. 
Not a big deal but it often gets overlooked and it is just one more case 
where supporting LEAF requires people to do something differently.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]



Re: [leaf-devel] Shorewall LEAF Support

2003-12-03 Thread Mike Noyes
On Tue, 2003-12-02 at 19:55, Mike Noyes wrote:
> Tom posted these messages to the Shorewall users list today.
> 
> [Shorewall-users] Re: Shorewall For Dummies 
> http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010212.html
> 
> [Shorewall-users] LEAF Support
> http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010218.html

Everyone,
One more message from Tom that clarifies what is transpiring with
Shorewall support.

[Shorewall-users] Re: Shorewall For Dummies
http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010230.html

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs





Re: [Leaf-devel] Shorewall quick start guide and sample configurations

2002-06-02 Thread Mike Noyes

On Sun, 2002-06-02 at 11:05, Mike Noyes wrote:
> Tom placed the Shorewall quick start guide and sample configurations in
> cvs. Please take a look at these documents. Tom could really use a hand
> maintaining them. If you're willing to help please contact Tom, so he
> can set you up with write access to the repository. Thanks.
> 
> Pserver checkout instructions:
> cvs -d:pserver:[EMAIL PROTECTED]:/usr/local/cvs login
> cvs -d:pserver:[EMAIL PROTECTED]:/usr/local/cvs co Samples
> cvs -d:pserver:[EMAIL PROTECTED]:/usr/local/cvs co Shorewall-docs

Everyone,
The Shorewall repository is now browseable with CVSWeb.
http://www.shorewall.net/cgi-bin/cvsweb.cgi/

-- 
Mike Noyes <[EMAIL PROTECTED]>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working - Shell Problem

2001-04-10 Thread Tom Eastep

Thus spoke David Douthitt:

> Tom Eastep wrote:
>
> > I believe that the problem here is that Eiger2Beta uses ash for sh and
> > ash's handling of at least the ${%%} shell construct is
> > broken:
> >
> > Here's what should happen (/bin/sh from Oxygen):
>
> Well, Oxygen uses ash also

Nod -- I figured that out after I posted.

> I did try to compile (and did compile)
> a newer version of ash with patches from Erik Andersen, the chief
> busybox maintainer, and patches from others.
>
> > The "ash" from RH7 also shows this incorrect behavior.
>
> I'm surprised to hear that.  I tried the ash from RH 6.2, and it
> doesn't understand ${server%:*} or ${server%%:*} syntax /bin/ash
> version 0.2 ...
>

Neither does the one from RH7 -- my mistake.

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working - Shell Problem

2001-04-10 Thread Tom Eastep

Thus spoke Tom Eastep:


> I believe that the problem here is that Eiger2Beta uses ash for sh and
> ash's handling of at least the ${%%} shell construct is
> broken:
>
> Here's what should happen (/bin/sh from Oxygen):
>
> # server="loc:192.168.1.1"
> # echo ${server%:*}
> loc
> # echo ${server%%:*}
> loc
> #
>
> Here's what happens with Eiger2:
>
> [root@wookie lrp-Eiger2]# bin/sh
> # server="loc:192.168.1.1"
> # echo ${server%:*}
> loc
> # echo ${server%%:*}
> lo
>
> Without a trace, I can't say for sure if that is the only problem but it's
> definitely enough of a problem to break Shorewall and accounts for the
> "Undefined server zone" errors that you are seeing. The "ash" from RH7 also
> shows this incorrect behavior.
>
> If you can lay your hands on a copy of /bin/sh from oxygen and use that, I
> think it will work. I wish I had time to put this together myself but
> unfortunately, I don't right now...
>

Pardon me for following my own post but there's another ash bug here. From
a trace (graphics Removed):

+ [ dmz:192.168.2.2 = dmz 192Øì^Èì^äì^Íì^] ]
[: 192Øì^Èì^äì^Íì^]: unknown operand

The condition being evaluated here is:

if [ "$server" = "${server%:*}" ] ; then

So the ${%} construct is also broken in ash.

I have also confirmed that using /bin/sh from Oxygen-031401.ima works
flawlessly and is actually quite a bit faster than using /bin/bash from
RH7.

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_
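
An added example, not part of the original post or of Shorewall: a start-up probe for the two expansions discussed above, with a sed fallback for the zone part and a case-based replacement for the colon test. The function names (probe_suffix_strip, zone_of_native, zone_of_sed, zone_of, has_address) and the two-colon sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Shorewall code. All function names are hypothetical.

# Succeeds only if this shell strips suffixes correctly for zone:address
# strings. The subshell plus eval keeps a shell that rejects the syntax, or
# returns garbage as in the trace above, from aborting the caller.
probe_suffix_strip() {
    ( eval '
        s="loc:192.168.1.1"
        [ "${s%:*}"  = "loc" ] || exit 1
        [ "${s%%:*}" = "loc" ] || exit 1
        s="dmz:192.168.2.2:80"            # constructed value with two colons
        [ "${s%:*}"  = "dmz:192.168.2.2" ] || exit 1
        [ "${s%%:*}" = "dmz" ] || exit 1
        s="dmz"                           # no colon: must come back unchanged
        [ "${s%:*}"  = "dmz" ] || exit 1
    ' ) >/dev/null 2>&1
}

# Zone part of "zone[:address]". The native form is wrapped in eval so the
# function can still be defined by a shell that cannot parse ${1%%:*}.
zone_of_native() { eval 'printf "%s\n" "${1%%:*}"'; }
zone_of_sed()    { printf '%s\n' "$1" | sed 's/:.*$//'; }

# Inverse of the thread's [ "$server" = "${server%:*}" ] test, written with
# a case pattern so it does not depend on suffix stripping at all.
has_address() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

if probe_suffix_strip; then SUFFIX_STRIP_OK=yes; else SUFFIX_STRIP_OK=no; fi

zone_of() {
    if [ "$SUFFIX_STRIP_OK" = yes ]; then zone_of_native "$1"
    else zone_of_sed "$1"; fi
}

echo "suffix stripping usable: $SUFFIX_STRIP_OK"
for server in loc:192.168.1.1 dmz:192.168.2.2 dmz; do
    if has_address "$server"; then
        echo "$server -> zone $(zone_of "$server"), address given"
    else
        echo "$server -> zone $(zone_of "$server"), whole zone"
    fi
done
```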





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working - Shell Problem

2001-04-10 Thread David Douthitt

Tom Eastep wrote:

> I believe that the problem here is that Eiger2Beta uses ash for sh and
> ash's handling of at least the ${%%} shell construct is
> broken:
> 
> Here's what should happen (/bin/sh from Oxygen):

Well, Oxygen uses ash also. I did try to compile (and did compile)
a newer version of ash with patches from Erik Andersen, the chief
busybox maintainer, and patches from others.

> The "ash" from RH7 also shows this incorrect behavior.

I'm surprised to hear that.  I tried the ash from RH 6.2, and it
doesn't understand ${server%:*} or ${server%%:*} syntax /bin/ash
version 0.2 ...




Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-10 Thread Tom Eastep

Thus spoke Ewald Wasscher:

> After using dos2unix on it it seems to work. Except for this strange output:
>
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
>   Zones: net local dmz gw
> Determining Hosts in Zones...
> Deleting user chains...
> Configuring Proxy ARP and NAT
> Adding Common Rules
> Setting up ICMP Echo handling...
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Adding rules for DHCP
> Processing /etc/shorewall/policy...
> [: ==: unknown operand
>   Policy DROP for net to net.
> [: ==: unknown operand
>   Policy ACCEPT for local to net.
> [: ==: unknown operand
>   Policy REJECT for local to local.
> [: ==: unknown operand
>   Policy REJECT for dmz to dmz.
> [: ==: unknown operand
>   Policy REJECT for gw to gw.
> Masqueraded Subnets and Hosts:
> Activating Rules...
> Shorewall Started

I think that I've spotted the problem. In function default_policy(),
replace

if [ "$chain" == "$chain1" ]; then

with

if [ "$chain" = "$chain1" ]; then

I've been coding in C for too long I guess :=)

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-10 Thread Ewald Wasscher

Tom Eastep wrote:

> Please "shorewall debug restart" 2> /tmp/trace and send me the /tmp/trace
> file.

Here it is.

Ewald Wasscher

 trace.gz


Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-10 Thread Tom Eastep

Thus spoke Ewald Wasscher:

> Tom Eastep wrote:
>
> > Thus spoke Tom Eastep:
> >
> >> Hmmm -- This is probably because of how "grep" is defined on LRP. Please
> >> try it with the attached /etc/shorewall/functions file.
> >>
> >
> > Pardon me for following up my own post but the previously-posted functions
> > file was brain-damaged. Here's one that works better...
>
> After using dos2unix on it it seems to work. Except for this strange output:
>
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
>   Zones: net local dmz gw
> Determining Hosts in Zones...
> Deleting user chains...
> Configuring Proxy ARP and NAT
> Adding Common Rules
> Setting up ICMP Echo handling...
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Adding rules for DHCP
> Processing /etc/shorewall/policy...
> [: ==: unknown operand
>   Policy DROP for net to net.
> [: ==: unknown operand
>   Policy ACCEPT for local to net.
> [: ==: unknown operand
>   Policy REJECT for local to local.
> [: ==: unknown operand
>   Policy REJECT for dmz to dmz.
> [: ==: unknown operand
>   Policy REJECT for gw to gw.
> Masqueraded Subnets and Hosts:
> Activating Rules...
> Shorewall Started
>

Please "shorewall debug restart" 2> /tmp/trace and send me the /tmp/trace
file.

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-10 Thread Ewald Wasscher

Tom Eastep wrote:

> Thus spoke Tom Eastep:
> 
>> Hmmm -- This is probably because of how "grep" is defined on LRP. Please
>> try it with the attached /etc/shorewall/functions file.
>> 
> 
> Pardon me for following up my own post but the previously-posted functions
> file was brain-damaged. Here's one that works better...

After using dos2unix on it it seems to work. Except for this strange output:

Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
  Zones: net local dmz gw
Determining Hosts in Zones...
Deleting user chains...
Configuring Proxy ARP and NAT
Adding Common Rules
Setting up ICMP Echo handling...
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Adding rules for DHCP
Processing /etc/shorewall/policy...
[: ==: unknown operand
  Policy DROP for net to net.
[: ==: unknown operand
  Policy ACCEPT for local to net.
[: ==: unknown operand
  Policy REJECT for local to local.
[: ==: unknown operand
  Policy REJECT for dmz to dmz.
[: ==: unknown operand
  Policy REJECT for gw to gw.
Masqueraded Subnets and Hosts:
Activating Rules...
Shorewall Started

> 
> Regarding the versions of /etc/shorewall/* files, if the file's format
> hasn't changed since version 1.0 then the version in the file's header
> likewise hasn't changed.

I see.

Ewald Wasscher





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-09 Thread Tom Eastep

Thus spoke Tom Eastep:

> Hmmm -- This is probably because of how "grep" is defined on LRP. Please
> try it with the attached /etc/shorewall/functions file.
>

Pardon me for following up my own post but the previously-posted functions
file was brain-damaged. Here's one that works better...

Regarding the versions of /etc/shorewall/* files, if the file's format
hasn't changed since version 1.0 then the version in the file's header
likewise hasn't changed.

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_


#
# Shorewall 1.1 -- /etc/shorewall/functions

#
# Suppress all output for a command
#
qt()
{
    "$@" >/dev/null 2>&1
}
#
# Poor Man's grep -- Some LRP systems have a grep that simply searches for
#                    strings rather than regular expressions. When we are
#                    really looking for regular expressions, we use this one
#
mygrep ()
{
    local pat
    pat="$1"
    shift
    sed "\'$pat'P" -n "$@"
}
#
# Find the zones
#
find_zones()
{
    while read zone display comments; do
        [ -n "$zone" ] && case "$zone" in
            \#*)
                ;;
            *)
                echo $zone
                ;;
        esac
    done < /etc/shorewall/zones
}

find_display() # $1 = zone
{
    mygrep ^$1 /etc/shorewall/zones | while read z display comments; do
        [ "x$1" = "x$z" ] && echo $display
    done
}

determine_zones()
{
    if [ -f /etc/shorewall/zones ]; then
        zones=`find_zones`
        zones=`echo $zones` # Remove extra trash
        zonepattern="^$zones"

        while [ -n "`echo "$zonepattern" | mygrep ' '`" ]; do
            zonepattern="`echo "$zonepattern" | sed 's/ /\\\|^/'`"
        done

        for zone in $zones; do
            dsply=`find_display $zone`
            eval ${zone}_display=\$dsply
        done
    else
        zones="net local dmz gw"
        zonepattern="^net\|^local\|^dmz\|^gw"
        net_display=Net
        local_display=Local
        dmz_display=DMZ
        gw_display=Gateway
    fi
}



Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-09 Thread Tom Eastep

Thus spoke Ewald Wasscher:

> Tom Eastep wrote:
>
> >
> > Hmmm -- This is probably because of how "grep" is defined on LRP. Please
> > try it with the attached /etc/shorewall/functions file.
>
> I did and the result is:
>
> : not found
> /etc/shorewall/functions: 29: Syntax error: expecting "in"
>

Sounds like you need to run "dos2unix" on the file...

-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_
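
An added example, not part of the thread or of Shorewall: a pre-flight check for the two failures diagnosed in these messages, CR line endings (the ": not found" and 'expecting "in"' errors) and == inside [ ] (the "[: ==: unknown operand" lines). The names lint_sh and make_sample and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Shorewall code. lint_sh and make_sample are hypothetical.

# Print one finding per line for the two problems seen in this thread.
lint_sh() {
    awk '
        /\r$/ {
            printf "%s:%d: CR at end of line, run dos2unix\n", FILENAME, FNR
            sub(/\r$/, "")            # keep checking the rest of the line
        }
        /^[ \t]*#/ { next }           # ignore comment lines
        /\[ .* == .* ]/ {
            printf "%s:%d: == inside [ ], ash reports unknown operand; use =\n", FILENAME, FNR
        }
    ' "$@"
}

# Constructed sample: three DOS-terminated lines, one == test, the corrected
# = test, and a comment that must not be flagged.
make_sample() {
    printf 'find_zones()\r\n{\r\n    case "$zone" in\r\n' > "$1"
    printf 'if [ "$chain" == "$chain1" ]; then\n' >> "$1"
    printf 'if [ "$chain" = "$chain1" ]; then\n' >> "$1"
    printf '# [ a == b ] in a comment\n' >> "$1"
}

sample=${TMPDIR:-/tmp}/lint_sample.$$
make_sample "$sample"
lint_sh "$sample"
rm -f "$sample"
```

Running lint_sh over the files of a package before installing it on the router reports both problems with file and line number instead of leaving them to surface as shell errors at firewall start.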





Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-09 Thread Ewald Wasscher

Tom Eastep wrote:

> 
> Hmmm -- This is probably because of how "grep" is defined on LRP. Please
> try it with the attached /etc/shorewall/functions file.

I did and the result is:

: not found
/etc/shorewall/functions: 29: Syntax error: expecting "in"

But as I was reading around the shorewall scripts I noticed that some 
files were version 1.0:
/etc/shorewall/zones
/etc/shorewall/functions

I was using this lrp package:

http://seattlefirewall.dyndns.org/pub/shorewall/shorwall-1.1.1.lrp

Ewald Wasscher

> 
> 






Re: [Leaf-devel] Shorewall on Eigerstein2Beta not working

2001-04-09 Thread Tom Eastep

Thus spoke Ewald Wasscher:

> Hello Tom and others,
>
> I've been testing the new shorewall-1.1.1.lrp package on Eigerstein2beta
> today and have run into a few problems:
>
> First there seems to be an extra space in the line for
> /etc/shorewall/policy in /var/lib/lrpkg/shorewal.conf. When I tried to
> edit /etc/shorewall/policy through the lrcfg menus ae would try to load
> "/etc/shorewall/policy ". Note there is an extra space after "policy".
> This is easily fixed.
>
> Second problem is that the /etc/shorewall/firewall script seems to enter
> an infinite loop. After displaying "Determining Zones" it doesn't show
> anymore progress.
>
> A trace (or how should I call it?) is attached.
>

Hmmm -- This is probably because of how "grep" is defined on LRP. Please
try it with the attached /etc/shorewall/functions file.

Thanks,
-Tom
-- 
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924   \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]   \  http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
   \_


#
# Shorewall 1.1 -- /etc/shorewall/functions

#
# Suppress all output for a command
#
qt()
{
    "$@" >/dev/null 2>&1
}
#
# Poor Man's grep -- Some LRP systems have a grep that simply searches for
#                    strings rather than regular expressions. When we are
#                    really looking for regular expressions, we use this one
#
mygrep ()
{
    local pat
    pat="$1"
    shift
    sed "\'$pat'P" -n "$@"
}
#
# Find the zones
#
find_zones()
{
    while read zone display comments; do
        [ -n "$zone" ] && case "$zone" in
            \#*)
                ;;
            *)
                echo $zone
                ;;
        esac
    done < /etc/shorewall/zones
}

find_display() # $1 = zone
{
    mygrep ^$1 /etc/shorewall/zones | while read z display comments; do
        [ "x$1" = "x$z" ] && echo $display
    done
}

determine_zones()
{
    if [ -f /etc/shorewall/zones ]; then
        zones=`find_zones`
        zones=`echo $zones` # Remove extra trash
        zonepattern="^$zones"

        while echo "$zonepattern" | qt mygrep \' \'; do
            zonepattern="`echo "$zonepattern" | sed 's/ /\\\|^/'`"
        done

        for zone in $zones; do
            dsply=`find_display $zone`
            eval ${zone}_display=\$dsply
        done
    else
        zones="net local dmz gw"
        zonepattern="^net\|^local\|^dmz\|^gw"
        net_display=Net
        local_display=Local
        dmz_display=DMZ
        gw_display=Gateway
    fi
}