> 1)  When the new shorewallrc file was installed (such as from the RPM),
>      VARDIR was being interpreted the same as VARLIB in the CLI. In
>      a generated script, VARDIR was being set to $VARDIR/$PRODUCT.
This now works as expected. However, when I execute "shorewall compile" or 
"shorewall compile test", both the routestopped and stoppedrules files are ignored. 
In the resulting firewall script I have this instead:

#
# Generated by Shorewall 4.5.8-Beta2 - Tue Sep  4 22:49:20 2012
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

Again, I *do* have rules in the new stoppedrules file, though my routestopped 
file is non-existent. My config path is 
"${CONFDIR}/shorewall:${SHAREDIR}/shorewall" (routestopped isn't present in 
either of these locations, only stoppedrules is in ${CONFDIR}/shorewall).


> 2)  If the CONFIG_PATH setting required variable expansion and the    
>      "-e" compiler option was specified, the settings in the export
>      shorewallrc were being used rather than those from the local
>      shorewallrc.
That works as expected when your patch is applied.

> 3)  The new stoppedrules files contained a bogus 'FORMAT 2' directive
>      that caused compilation to fail.
That's also fixed.

> Known Issues:
> 
> 1)  Both the "routestopped" and "stoppedrules" file are being processed
>      currently and in that order. It would be more appropriate to     
>      process "stoppedrules" first and then process "routestopped" only
>      if "stoppedrules" contained no rules.
That is indeed the case, with a bit of a twist! For the purpose of testing 
this, I have the following files:

routestopped
~~~~~~~~~~~~
eth0 10.1.1.1 - tcp 22

stoppedrules
~~~~~~~~~~~~
ACCEPT $FW:+source-port +mickey-mouse-net[dst,dst]
ACCEPT +destination-port $FW:+my-net[dst,dst]

In the resulting script, I see the following section:

#
# Generated by Shorewall 4.5.8-Beta2 - Tue Sep  4 22:58:34 2012
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p 6 --dport 22 -s 10.1.1.1 -i eth0 -j ACCEPT
-A INPUT -m set --match-set destination-port src -m set --match-set my-net dst,dst -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m set --match-set source-port src -m set --match-set mickey-mouse-net dst,dst -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

What is interesting here (apart from the fact that both files were processed) 
is that for routestopped only INPUT was altered even though I specified a dash 
(-) - is that how it is supposed to work?

My own opinion is that you should adopt the same approach you did with 
blacklist/blrules - issue a warning if both files are present (and process only 
stoppedrules) or simply process routestopped if stoppedrules isn't present.

> New Features:
> 
>      When "-e" is specified and no output script is named on the
>      run-line, the default script is now "firewall" in the current
>      working directory.
That's also functional.

Apart from the above issues, from my previous list, I am not sure whether issue 
5 has been fixed. 

The outstanding issues are how you decide to tackle the 'dhcp' option in 
interfaces, specifying multiple UIDs separated with commas within a rule, as 
well as including an option in shorewall-init to compile the shorewall script 
prior to executing it. I think that's about it. Have I missed anything?
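The two compiler outputs above are the evidence for the report: the first dump has no rule derived from stoppedrules at all, while the second shows the routestopped entry landing in INPUT only and the two stoppedrules entries landing in INPUT and OUTPUT. The following script is an added example (not Shorewall code, and not part of the original mail) that parses iptables-restore text of this shape into tables, chain policies and rules, then reports which chains reference a given ipset and which chains carry the ACCEPT rule for a routestopped host. The embedded dumps are trimmed copies of the two *filter tables shown in the mail, so the set names (my-net, mickey-mouse-net) and the host 10.1.1.1/eth0 come from the files quoted above; the function names are my own.

```python
"""Parse iptables-restore dumps (as emitted by the Shorewall compiler) and
check whether the rules expected from stoppedrules / routestopped are present.

Added example, not Shorewall's own code. The two dumps below are constructed
from the *filter tables quoted in the mail."""
import re
from dataclasses import dataclass, field

# Constructed sample: the first compile, where stoppedrules was ignored.
FIRST_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed sample: the second compile, where both files were processed.
SECOND_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p 6 --dport 22 -s 10.1.1.1 -i eth0 -j ACCEPT
-A INPUT -m set --match-set destination-port src -m set --match-set my-net dst,dst -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m set --match-set source-port src -m set --match-set mickey-mouse-net dst,dst -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: dict = field(default_factory=dict)     # chain -> [rule arguments]


def parse_restore(dump: str) -> dict:
    """Return {table_name: Table} parsed from iptables-restore text."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and the generator banner
        if line.startswith("*"):
            current = Table(line[1:])      # "*filter" opens a table
            tables[current.name] = current
            continue
        if current is None:
            raise ValueError(f"line outside a table: {line!r}")
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [0:0]"
            current.policies[chain] = policy
            current.rules.setdefault(chain, [])
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):
            _, chain, args = line.split(" ", 2)
            current.rules.setdefault(chain, []).append(args)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return tables


def set_match_chains(table: Table, set_name: str) -> list:
    """Chains whose rules reference the ipset `set_name` via -m set --match-set."""
    pat = re.compile(rf"--match-set {re.escape(set_name)}\b")
    return sorted(chain for chain, rules in table.rules.items()
                  if any(pat.search(r) for r in rules))


def host_rule_chains(table: Table, host: str, iface: str) -> list:
    """Chains carrying an ACCEPT rule for `host` arriving on `iface`
    (what a routestopped entry is expected to produce)."""
    return sorted(chain for chain, rules in table.rules.items()
                  if any(f"-s {host}" in r and f"-i {iface}" in r
                         and r.endswith("-j ACCEPT") for r in rules))


def check_stopped_rules(dump: str, expected_sets: tuple) -> dict:
    """Summarise the *filter table: chain policies plus, per expected ipset,
    the chains where it is matched. An empty list means the stoppedrules
    entry never made it into the script."""
    filt = parse_restore(dump)["filter"]
    return {"policies": dict(filt.policies),
            "sets": {s: set_match_chains(filt, s) for s in expected_sets}}


if __name__ == "__main__":
    for label, dump in (("first compile", FIRST_DUMP), ("second compile", SECOND_DUMP)):
        print(label, check_stopped_rules(dump, ("my-net", "mickey-mouse-net")))
```

Run against the first dump the report shows both sets absent and OUTPUT still at policy ACCEPT; against the second it shows my-net in INPUT only, mickey-mouse-net in OUTPUT only, and the 10.1.1.1/eth0 rule in INPUT only, which is exactly the asymmetry the question about the dash column is asking about.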

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel