Tom Eastep | 1 Oct 16:21 2011

Shorewall 4.4.24 Beta 4

Beta 4 is now available for testing.

1)  This release includes support for 'Condition Match' which is
    included in xtables-addons. Condition match allows rules to be
    predicated on the setting of a named switch in
    /proc/net/nf_condition/. 

    See
    http://www.shorewall.net/configuration_file_basics.htm#Switches
    for details.

2)  With the preceding change, the rules file now has 14 columns. That
    makes it awkward to specify the last column as you have to insert
    the correct number of '-' to get the right column.

    To make that easier, it is now allowed to terminate the
    column-oriented format with a semicolon (";"), and then specify
    additional columns using a column-name=value format. See
    http://www.shorewall.net/configuration_file_basics.htm#Pairs for
    details.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
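
One way a reader could validate lines written in the hybrid format from item 2 above, as an added example that is not Shorewall's own parser: positional columns and the name=value pairs after ';' are merged into one column map, and a pair that would silently override a value already given positionally is rejected. The column-name tuples are assumptions (the rules-file names follow the 14-column layout the announcement mentions; the blacklist names follow the "networks", "proto" and "port" keys used later in this thread).

```python
import shlex

# Column names are an assumption about Shorewall 4.4.24's rules and blacklist
# files; they are not taken from the announcement above.
RULE_COLUMNS = ("action", "source", "dest", "proto", "dport", "sport",
                "origdest", "rate", "user", "mark", "connlimit", "time",
                "headers", "switch")
BLACKLIST_COLUMNS = ("networks", "proto", "port", "options")


def parse_line(line, columns=RULE_COLUMNS):
    """Parse one hybrid-format line into {column: value}, or None.

    Positional columns are whitespace separated and '-' means "no value";
    a ';' ends the positional part and the rest is name=value pairs.
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    positional, sep, pairs = text.partition(";")
    fields = positional.split()
    if len(fields) > len(columns):
        raise ValueError("too many positional columns (%d)" % len(fields))
    row = {}
    for name, value in zip(columns, fields):
        if value != "-":          # '-' is the explicit "no value" placeholder
            row[name] = value
    for pair in (shlex.split(pairs) if sep else []):
        name, eq, value = pair.partition("=")
        name = name.lower()
        if not eq or not name or not value:
            raise ValueError("malformed pair: %r" % pair)
        if name not in columns:
            raise ValueError("unknown column: %r" % name)
        if name in row:
            # Refuse a pair that would silently override a positional value.
            raise ValueError("column %r given twice" % name)
        row[name] = value
    return row


def parse_file(text, columns=RULE_COLUMNS):
    """Parse every line; errors are re-raised with the 1-based line number."""
    rows = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            row = parse_line(line, columns)
        except ValueError as exc:
            raise ValueError("line %d: %s" % (number, exc))
        if row is not None:
            rows.append(row)
    return rows
```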


Ed W | 1 Oct 18:05 2011

Re: Feature Request: Shiny new XML format?

On 29/09/2011 19:45, John Brendler wrote:
> On Wed, 28 Sep 2011 17:40:20 +0200
> Mark van Dijk <mark <at> voidzero.net> wrote:
>
>> Hi,
>>
>> On Wed, 28 Sep 2011 07:07:23 -0700
>> Tom Eastep <teastep <at> shorewall.net> wrote:
>>
>>> I'm frankly not interested in having to document and support
>>> different flavors of configuration representation. I would be
>>> willing to include hooks in the compiler for doing the conversion
>>> and for matching up filenames and line numbers in the error
>>> messages to where an error or warning occurred in the original
>>> source text, but I would prefer that these alternate configuration
>>> formats be separate products that are documented, maintained and
>>> supported by their creators.
>> Actually, I'd like to go one step further and suggest to not bring
>> this extra overhead into the project. It is a clear example of
>> putting the cart in front of the horse.
> I agree.  Shorewall is easy to configure; all xml would do is make it
> harder.  If somebody thinks this is not the case, they need to learn
> how to use an editor.  GUI is an unnecessary additional layer of
> abstraction, a potential source of errors, an expanded attack surface,
> and a maintenance burden.
>

You are missing the point that not all config files are written by
humans... To highlight the point, consider the ratio of html websites
written by humans vs database driven (or other cgi built sites).  cgi

Ed W | 1 Oct 18:18 2011

Re: Shorewall 4.4.24 Beta 4

On 01/10/2011 15:21, Tom Eastep wrote:
> 2)  With the preceding change, the rules file now has 14 columns. That
>     makes it awkward to specify the last column as you have to insert
>     the correct number of '-' to get the right column.
>
>     To make that easier, it is now allowed to terminate the
>     column-oriented format with a semicolon (";"), and then specify
>     additional columns using a column-name=value format. See
>     http://www.shorewall.net/configuration_file_basics.htm#Pairs for
>     details.
>

Before this is released could I ask you to look over the JSON syntax? eg
    http://en.wikipedia.org/wiki/JSON

If I squint a bit I can kind of see that you are doing something quite
similar here and perhaps it's possible to re-use existing formats before
we re-invent a new format?

I haven't entirely thought this through, BUT what if the config file
looked a bit like a hybrid of the existing column orientated format, but
you can drop in a json snippet at the end of the line to set/override
any params? This seems equivalent to what you are already doing, but
with just a tiny change in syntax (semicolon becomes a { } pair and =
becomes : )

A potential side benefit would seem to be that you accidentally just
added input support for JSON ...

Note, based on my previous email I might come across as having a

Simon Hobson | 1 Oct 18:20 2011

Re: Feature Request: Shiny new XML format?

Ed W wrote:

>>> Actually, I'd like to go one step further and suggest to not bring
>>> this extra overhead into the project. It is a clear example of
>>> putting the cart in front of the horse.

>> I agree.  Shorewall is easy to configure; all xml would do is make it
>> harder.  If somebody thinks this is not the case, they need to learn
>> how to use an editor.  GUI is an unnecessary additional layer of
>> abstraction, a potential source of errors, an expanded attack surface,
>> and a maintenance burden.

> You are missing the point that not all config files are written by
> humans... To highlight the point, consider the ratio of html websites
> written by humans vs database driven (or other cgi built sites).  cgi
> generated sites dominate by a massive proportion.

Actually the point hasn't been missed. The config file format is 
quite simple and easily generated from <some other system> if you 
want to do that. The suggestion above is simply to keep Shorewall as 
it is, and if someone wants something more complicated then they can 
script it.

However, for things like shorewall, I think you'll find the majority 
of configs are hand edited, and the comparison with HTML is 
completely bogus since there is no comparison whatsoever with the 
level of non-complexity found in a typical shorewall config.

> Personally I don't dig xml all that much, but sometimes it makes sense
> to store data in a particular format. eg many applications find either

Tom Eastep | 1 Oct 19:20 2011

Re: Shorewall 4.4.24 Beta 4


On Oct 1, 2011, at 9:18 AM, Ed W wrote:

> On 01/10/2011 15:21, Tom Eastep wrote:
>> 2)  With the preceding change, the rules file now has 14 columns. That
>>    makes it awkward to specify the last column as you have to insert
>>    the correct number of '-' to get the right column.
>> 
>>    To make that easier, it is now allowed to terminate the
>>    column-oriented format with a semicolon (";"), and then specify
>>    additional columns using a column-name=value format. See
>>    http://www.shorewall.net/configuration_file_basics.htm#Pairs for
>>    details.
>> 
> 
> Before this is released could I ask you to look over the JSON syntax? eg
>    http://en.wikipedia.org/wiki/JSON
> 
> 

Ed,

For the last time, I am NOT going to adopt a markup language for the Shorewall configuration. Get used to the idea.

What I have done for RC 1 is eliminate the need for the columnar format. Here is an example of a blacklist file:

;proto=udp port=1024:1033,1434,5948,23773
;proto=tcp port=57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
;networks=221.192.199.48
;networks=61.158.162.9

Mark van Dijk | 2 Oct 01:04 2011

Re: Feature Request: Shiny new XML format?

Hi,

> >>> I'm frankly not interested in having to document and support
> >>> different flavors of configuration representation. I would be
> >>> willing to include hooks in the compiler for doing the conversion
> >>> and for matching up filenames and line numbers in the error
> >>> messages to where an error or warning occurred in the original
> >>> source text, but I would prefer that these alternate configuration
> >>> formats be separate products that are documented, maintained and
> >>> supported by their creators.  
> >> Actually, I'd like to go one step further and suggest to not bring
> >> this extra overhead into the project. It is a clear example of
> >> putting the cart in front of the horse.  
> > I agree.  Shorewall is easy to configure; all xml would do is make
> > it harder.  If somebody thinks this is not the case, they need to
> > learn how to use an editor.  GUI is an unnecessary additional layer
> > of abstraction, a potential source of errors, an expanded attack
> > surface, and a maintenance burden.
> >  
> 
> You are missing the point that not all config files are written by
> humans...

I'm not missing that point. We're talking about shorewall, which has
config files that are designed to be edited manually.

> To highlight the point, consider the ratio of html websites
> written by humans vs database driven (or other cgi built sites).  cgi
> generated sites dominate by a massive proportion.


Mark van Dijk | 2 Oct 01:15 2011

Re: Shorewall 4.4.24 Beta 4

Hi,

On Sat, 01 Oct 2011 17:18:56 +0100
Ed W <lists <at> wildgooses.com> wrote:

> Note, based on my previous email I might come across as having a
> particular preference towards json - it's not the case! This
> suggestion is purely based on the similarity with what you are doing
> and an existing config file format - reduction/re-use seems
> attractive!

This actually might be interesting, but let's not put it on Tom's
plate. Maybe you can show some kind of comparison?

In fact, you could just go ahead and fork shorewall... and when it
works as you envision you can invite list members to review it. At
least one other list member (Christ Schlacta - is that your real name?)
seems to be interested.

- Mark

Christ Schlacta | 2 Oct 02:02 2011

Re: Shorewall 4.4.24 Beta 4

Why yes, Yes it is.  But I am happy with the current Shorewall 
modifications.  I would be willing to test it on one of my systems though :)

On 10/1/2011 16:15, Mark van Dijk wrote:
> Hi,
>
> On Sat, 01 Oct 2011 17:18:56 +0100
> Ed W<lists <at> wildgooses.com>  wrote:
>
>> Note, based on my previous email I might come across as having a
>> particular preference towards json - it's not the case! This
>> suggestion is purely based on the similarity with what you are doing
>> and an existing config file format - reduction/re-use seems
>> attractive!
> This actually might be interesting, but let's not put it on Tom's
> plate. Maybe you can show some kind of comparison?
>
> In fact, you could just go ahead and fork shorewall... and when it
> works as you envision you can invite list members to review it. At
> least one other list member (Christ Schlacta - is that your real name?)
> seems to be interested.
>
> - Mark
>

Christ Schlacta | 2 Oct 02:39 2011

Shorewall et 802.1ab (lldp)

I'm trying to configure lldp on all the systems in my LAN, and they all 
run shorewall.  I'm trying to figure out what rules to add to shorewall, 
but there's no mention of it in the documentation that I can find, and I 
don't know enough about lldp to figure out what files need to be changed 
and how.  I'm not sure what information needs to be found to make it 
work with shorewall, but insofar as I know, it's a layer 2 protocol.

Tom Eastep | 2 Oct 02:59 2011

Re: Shorewall et 802.1ab (lldp)


On Oct 1, 2011, at 5:39 PM, Christ Schlacta wrote:

> I'm trying to configure lldp on all the systems in my LAN, and they all 
> run shorewall.  I'm trying to figure out what rules to add to shorewall, 
> but there's no mention of it in the documentation 

That's because the Shorewall developer has no idea what it is :-)

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
