On Wednesday 29 January 2003 05:14 pm, you wrote:
> I read somewhere that Shorewall was not capable of being removed from
> Bering. Unfortunately I couldn't locate this post in a quick few minutes.
> I checked the Bering documentation and didn't find a reference, therefore
> I'm pretty sure this was found through Google (archive of this mailing
> list?). I hope knowing what was on my mind re:shorewall package you
> understand where I was coming from a little more.

It is removable the same as any add-on package.... the FAQs cover this, so this isn't a problem.

> I am thinking of using an lrp located at
> http://leaf.sourceforge.net/devel/jnilo/bering/latest/contrib/; the
> iptables save & restore functionality. Does anyone know if this lrp
> provides an init.d startup of old iptables rules? If it doesn't I would
> imagine I'll have to create a separate "iptstart.lrp" or something similar.

IIRC, it doesn't have any default scripts, so you'll have to add your own and modify the package file(s) to save them.

> I am in process of creating/submitting a package that provides VRRP
> functionality for LRP called Keepalived (http://www.keepalived.org/), so
> yes I know lrp's aren't easy. I'm sure Shorewall is great for most people,
> but I'm looking for something to use in BGP linux routers booting off of
> CF-IDE/flash media.

CF-IDE is the same as any IDE drive.... Bering has instructions on doing this in the Users Manual. I'm sure Shorewall isn't used much for iptables, but running a dynamic routing protocol is quite strange to filter period (I imagine). There is a Zebra package available.

> I'll submit what I have when I have completed it. If people find it useful
> and have suggestions I'll try to help in whatever way I can. It would be
> nice to have such fame that 1000's of people would download it but I bet
> the only one that downloads it is me and a few other linux flash router
> people. ;)

It would be a nice image to have available for BGP or any other routing protocol. Load-balancing would be a nice add-on as well, but as I said before you'll likely need to use one of the images floating around that use a newer glibc (or possibly uClibc).

> Lol. Well it is very important for my company to use existing setups &
> concepts where possible. I looked at Shorewall and it doesn't seem to
> offer any significant advantage for my company other than being
> pre-integrated into LRP.
> Why should I learn a new firewall system if we
> already have iptables working and "under the belt"?

Probably not until someone has different filtering needs that your ruleset does not have built-in. AFAIK, most people do not understand how to write their own iptables scripts and generally Shorewall is _much_ easier to understand for these people (as you later agree too). I think Tom would have understood this if use of routing protocols had been in the post.

> More importantly why
> should I create documentation for the rest of the people here and then
> force them to learn this system? It seems that in my case Shorewall is a
> program that introduces a very good potential for human error and adds
> complexity to a project that doesn't need more complexity. In this project
> KISS is my motto. Again, we're talking about in my case only. I'm sure
> 99.9999% of the people are different and Shorewall is good for them.

Absolutely, if you don't want to use Shorewall (for any reason) don't feel as if anyone is going to attempt to stop you. It makes sense in your situation and with the migration you are establishing.

> Thank you very much for your response & time!

You're very welcome, we can be a little harsh when new ideas, requests, and suggestions come with vague reasoning for the additions. I believe there could be a lot of suggestions towards helping you accomplish your goals once you familiarize yourself with the LEAF system, which is quite different on many levels due to the embedded environment, and explain everything you're trying to accomplish. We've had requests for adding an X-environment to LEAF, however that never gets very far due to the _huge_ amount of work required for something most of us would never consider putting on a firewall. When you jump up and say that 'I need a kernel and a heavy dependency app compiled, but I don't know how to get rid of a package' many of us simply ignore it.
This shouldn't be the case, but understanding the scope and requirements of what you're asking and making a clear request for help will bring you a lot more positive feedback.

What I am seeing is along the lines of this:
glibc 2.2 >
OpenSSL
LVS-patched kernel
Zebra
keepalived
other outside dependencies

I don't have any of this available on my system, but there are a couple of glibc-2.2 versions of LEAF floating around somewhere (as one has already been noted).

Does anyone have any other and/or better suggestions for accomplishing this???

-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html