On 05/20/2017 02:45 AM, Thomas Deutschmann wrote:
> On 2017-05-19 17:01, Tom Eastep wrote:
>>> So did you really change the value by intention and want to
>>> keep it in default shorewall.conf?
>
>> The change was intentional; it allows for longer zone names than
>> the previous setting. If an existing user performs a 'shorewall
>> update' and LOGFORMAT is not set in the existing .conf file,
>> then the setting will be updated to use "Shorewall:%s:%s", so
>> that existing filters and parsing scripts will continue to work.
>
> OK. I now understand the intention but I think it is always a bad
> idea to ship a default configuration file which differs from the
> actual default value.
>
> For Gentoo I think I'll change the value in shorewall.conf back to
>
> LOGFORMAT="Shorewall:%s:%s:"
>
> Idea behind this:
>
> 1) If we change the value, people upgrading existing installations
> will be prompted to change this value in their existing
> configuration as well. Users not really familiar with this setting
> won't understand the impact unless they notice their firewall logs
> aren't processed anymore.

I assume that it is the Gentoo packaging system that does this
prompting?

>
> 2) Until shorewall will change the default value as well, i.e. the
> value shorewall will set when the option isn't set, it will be very
> confusing and packages shipping log parsers will stick with the
> default value.

The reason that Shorewall doesn't change the default value when
changing the settings in the default .conf and/or in the samples is
because that breaks configurations that don't specify a value for the
option and that don't do a "shorewall update". There are actually a
number of settings that have had this type of change over the years
and it hasn't seemed to create any confusion.

>
> 3) The current limited zone names were working fine in the past,
> not? So only people who actually want longer names will change
> this option. And these people will understand the impact so we can
> assume they will be able to adjust syslog filters, logwatch
> scripts or anything else processing their firewall logs as well.

In problem reports on the users mailing list, I occasionally see
warnings about the log prefix being truncated. The main point is that
if people just leave their .conf file alone when they upgrade (whether
they 'shorewall update' or not), there will be no problem with their
current log processing. When I make a change that can impact current
users, there will always be a warning or error message generated at
the next [re]start.

>
> Am I wrong? Am I missing something? Or is that a bad idea and
> would you suggest to stick with
>
> LOGFORMAT="%s %s "
>

I have no objection to Distro Maintainers changing the released .conf
to meet the requirements of their target user set. So if you feel
strongly that your user base is likely to modify their existing .conf
file, by all means change the Gentoo file. Check the release notes,
however, as in 5.1.0 there were a number of options that changed.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
