PGNd | 5 Oct 01:34 2014

checking dependency of -lite products on 'full' products

When installing tarball builds on a remote, the installer seems perfectly happy to install ONLY the

	shorewall-core shorewall-lite shorewall6-lite shorewall-init

products.

Nothing in the installer output that I've noticed, nor any output of cursory checks of

	shorewall-lite version

etc, indicates that the 'full' shorewall/shorewall6 must be installed.

I've noticed, at least on openSUSE, that distro packaging does require prerequisites of

	shorewall shorewall6

to successfully install

	shorewall-lite shorewall6-lite

What's actually the design-intended dependency set by upstream SW?

Does any part of a remote-only install -- products = shorewall-core shorewall-lite shorewall6-lite
shorewall-init -- require the install of the full products as well?

(Continue reading)

PGNd | 3 Oct 21:24 2014

./install.sh in /shorewall-init fails 1st time through; succeeds 2nd time

missed this one earlier :=/

installing from tarballs

	rm -rf /usr/local/shorewall-custom

	cd ./shorewall-core-4.6.4-Beta2-22-g8a5e71a
	./install.sh shorewallrc.suse

	cd ../shorewall-4.6.4-Beta2-22-g8a5e71a
	./install.sh -n shorewallrc.suse 

	cd ../shorewall-init-4.6.4-Beta2-22-g8a5e71a
	mkdir -p /usr/local/shorewall-custom/etc/sysconfig/network/if-{up,down}.d/

a FIRST install of shorewall-init fails

	./install.sh -n shorewallrc.suse 
		Installing SuSE-specific configuration...
		Installing Shorewall Init Version 4.6.4-Beta2-22-g8a5e71a
		SysV init script init.suse.sh installed in /usr/local/shorewall-custom/etc/init.d/shorewall-init
		Service file shorewall-init.service installed as /usr/local/shorewall-custom/etc/systemd/shorewall-init.service
		CLI installed as /usr/local/shorewall-custom/usr/sbin/shorewall-init
		sysconfig installed in /usr/local/shorewall-custom/etc/sysconfig/shorewall-init
!!!		Failed to execute operation: No such file or directory
		shorewall Init Version 4.6.4-Beta2-22-g8a5e71a Installed

but an IMMEDIATE re-attempt succeeds

	./install.sh -n shorewallrc.suse 
(Continue reading)

PGNd | 3 Oct 15:35 2014

tarball's ./install.sh installs bins with incorrect paths, ignores shorewallrc's DESTDIR=

starting from an extracted tarball build's dir

	cd shorewall-lite-4.6.4-Beta2-19-g205dd6e/

with

	cat shorewall-core-4.6.4-Beta2-19-g205dd6e/shorewallrc.suse
		HOST=suse
		PREFIX=/usr
		SHAREDIR=${PREFIX}/share
		LIBEXECDIR=${PREFIX}/lib
		PERLLIBDIR=${PREFIX}/lib/perl5
		CONFDIR=/etc
		SBINDIR=/usr/sbin
		MANDIR=${PREFIX}/man/
		INITDIR=/etc/init.d
		INITSOURCE=init.suse.sh
		INITFILE=${PRODUCT}
		AUXINITSOURCE=
		AUXINITFILE=
		SYSTEMD=/etc/systemd
		SERVICEFILE=${PRODUCT}.service
		SYSCONFFILE=sysconfig
		SYSCONFDIR=/etc/sysconfig
		SPARSE=
		ANNOTATED=
		VARLIB=/var/lib
		VARDIR=${VARLIB}/${PRODUCT}
		DESTDIR=/usr/local/shorewall-custom

(Continue reading)

PGNd | 3 Oct 03:25 2014

Re: ./install.sh for PRODUCT != shorewall fails to create shorewallrc-specified init.d DIR unless PRODUCT == shorewall is installed first

>>  I have to now recollect why I chose NOT to do that. There WAS a 'very valid' reason a couple of eves ago ... 

> I am interested in your reason -- I would prefer to hack up that path rather than risk breaking live installs.

That, if I'm playing back my notes correctly, is exactly the reason I chose this route.

I'm bundling up tarball'd installs for remote deploy (atm, using DIY scripts; eventually, Puppet etc).

With $PREFIX 'hard-coded' on my dev/compile box, it's quite difficult to clobber an existing install by
accidentally omitting DESTDIR= (either by my own doing, or that of a remote admin).

In an env with fewer hands and just local keyboards, DESTDIR= is a fine option.

Alan McKay | 3 Oct 02:38 2014

VOIP stops working after Ubuntu 13.10 --> 14.04 upgrade

Hi guys and gals,

I completely blew away my firewall but saved my shorewall directory.
Went from Ubuntu 13.10 to 14.04 and whatever the corresponding versions
of Shorewall are on each.

My interfaces changed names so I had a few things to fiddle with regarding
that but I am certain I have that right now.

NAT works for everything else from my home network out.

I run tcpdump on the external interface and I can see my Cisco router trying
to get out.  But I get no dial tone.  Here is a capture going to toronto.voip.ms

You see it still has my internal IP and no mention of my external one.

Anyone have any idea here?

20:30:59.407819 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF],
proto UDP (17), length 592)
    172.30.99.5.sip > 184-75-215-106.amanah.com.sip: SIP, length: 564
REGISTER sip:184.75.215.106 SIP/2.0
Via: SIP/2.0/UDP 172.30.99.5:5060;branch=z9hG4bK-854a97cc
From: "Alan McKay" <sip:XXXX@184.75.215.106>;tag=6e9831344cbda01co0
To: "Alan McKay" <sip:XXXXX@184.75.215.106>
Call-ID: f48848f0-1c380a75@172.30.99.5
CSeq: 23635 REGISTER
Max-Forwards: 70
Contact: "Alan McKay" <sip:153478@172.30.99.5:5060>;expires=180
User-Agent: Cisco/SPA112-1.3.3(015)
(Continue reading)
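The capture above is what a missing masquerade looks like from the outside: the REGISTER leaves the external interface with the LAN source 172.30.99.5 untouched. Checking for that mechanically rather than by eye is worth having, so here is an added example (not code from the thread or from Shorewall) that scans tcpdump's text output taken on the external interface and flags every flow whose source is still an RFC 1918 address. The sample capture is constructed: its first four lines are the ones quoted in the post, the remaining lines and the firewall's public address 203.0.113.5 are made up for the example.

```python
"""Spot un-NATed traffic in tcpdump output from the external interface.

Added example, not code from the thread.  The post's capture shows a SIP
REGISTER leaving the outside interface with the LAN source 172.30.99.5
still in place, i.e. MASQUERADE/SNAT did not apply.  This script reads
tcpdump's text output (the two-line -v layout or the single-line default)
and sorts each flow by what its source address says about NAT.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Flow text: "<src>.<port> > <dst>.<port>: ...".  Hosts may be literal
# addresses or resolved names (the post's capture was taken without -n),
# so each side is split at its last dot.  The token must start at the
# beginning of the line or after whitespace so the timestamp is skipped.
_FLOW = re.compile(r"(?:^|\s)(\S+)\.(\S+) > (\S+)\.(\S+):")


def parse_flows(capture):
    """(src_host, src_port, dst_host, dst_port) for every flow line."""
    return [m.groups() for m in map(_FLOW.search, capture.splitlines()) if m]


def is_rfc1918(host):
    """True only for a literal IPv4 address in 10/8, 172.16/12 or 192.168/16."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a resolved name: cannot be judged
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def classify(capture, external_ip):
    """Bucket flows seen on the outside interface:
    'leaked'     - private source, so SNAT/MASQUERADE was not applied
    'translated' - source is the firewall's public address
    'unknown'    - anything else, typically a name printed without -n."""
    result = {"leaked": [], "translated": [], "unknown": []}
    for src, _sport, dst, dport in parse_flows(capture):
        if is_rfc1918(src):
            bucket = "leaked"
        elif src == external_ip:
            bucket = "translated"
        else:
            bucket = "unknown"
        result[bucket].append((src, dst, dport))
    return result


# Constructed sample: lines 1-4 are from the post, the rest are invented
# (203.0.113.5 stands in for the firewall's public address).
SAMPLE = """\
20:30:59.407819 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 592)
    172.30.99.5.sip > 184-75-215-106.amanah.com.sip: SIP, length: 564
REGISTER sip:184.75.215.106 SIP/2.0
Via: SIP/2.0/UDP 172.30.99.5:5060;branch=z9hG4bK-854a97cc
20:31:02.118004 IP (tos 0x0, ttl 63, id 41211, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.51234 > 198.51.100.7.https: Flags [S], seq 0, win 29200, length 0
20:31:03.500120 IP 203.0.113.5.53311 > resolver.example.net.domain: 12345+ A? shorewall.net. (45)
20:31:04.221000 IP gateway.example.net.ntp > 192.0.2.10.ntp: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    verdict = classify(SAMPLE, "203.0.113.5")
    for bucket, flows in verdict.items():
        print(f"{bucket:10s} {len(flows)}")
    for src, dst, dport in verdict["leaked"]:
        print(f"NOT TRANSLATED: {src} -> {dst}:{dport}")
```

Run tcpdump with -n on the real box so that sources are literal addresses; the 'unknown' bucket exists for the names tcpdump prints otherwise, and in the post's capture the LAN source appears literal only because 172.30.99.5 has no reverse record. A non-empty 'leaked' list while other hosts translate fine points at the masquerade rule not covering that source, or still naming the old interface.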

jonetsu@teksavvy.com | 3 Oct 02:30 2014

IPv6 NAT support ?

Hello,

  Although by its nature IPv6 renders NAT obsolete, it seems that in
practice many small setups prefer to use NAT instead of an extended
(seemingly too complicated) IPv6 proper configuration.  I was told that
a recent ip6tables now supports NAT.  If this is true, will there be
also IPv6 NAT support in Shorewall ?

As always, thanks.

PGNd | 2 Oct 22:42 2014

./install.sh for PRODUCT != shorewall fails to create shorewallrc-specified init.d DIR unless PRODUCT == shorewall is installed first

I'm doing manual installs of tarball builds

@ exec of

	cd shorewall-4.6.4-Beta2-19-g205dd6e
	./install.sh shorewallrc.suse

where

	cat shorewallrc.suse
		...
		HOST=suse
		PREFIX=/usr/local/shorewall-custom
		SHAREDIR=${PREFIX}/share
		LIBEXECDIR=${PREFIX}/lib
		PERLLIBDIR=${PREFIX}/lib/perl5
		CONFDIR=${PREFIX}/etc
		SBINDIR=${PREFIX}/usr/sbin
		MANDIR=${PREFIX}/man/
		INITDIR=${PREFIX}/etc/init.d
		INITSOURCE=init.suse.sh
		INITFILE=${PRODUCT}
		AUXINITSOURCE=
		AUXINITFILE=
		SYSTEMD=${PREFIX}/etc/systemd
		SERVICEFILE=${PRODUCT}.service
		SYSCONFFILE=sysconfig
		SYSCONFDIR=${PREFIX}/etc/sysconfig
		SPARSE=
		ANNOTATED=
(Continue reading)

PGNd | 2 Oct 22:20 2014

tarball's ./install.sh script symlinks/enables incorrect systemd .service

I'm doing manual installs of tarball builds

@ exec of

	cd shorewall-4.6.4-Beta2-19-g205dd6e
	./install.sh shorewallrc.suse

where

	cat shorewallrc.suse
		...
		HOST=suse
		PREFIX=/usr/local/shorewall-custom
		SHAREDIR=${PREFIX}/share
		LIBEXECDIR=${PREFIX}/lib
		PERLLIBDIR=${PREFIX}/lib/perl5
		CONFDIR=${PREFIX}/etc
		SBINDIR=${PREFIX}/usr/sbin
		MANDIR=${PREFIX}/man/
		INITDIR=${PREFIX}/etc/init.d
		INITSOURCE=init.suse.sh
		INITFILE=${PRODUCT}
		AUXINITSOURCE=
		AUXINITFILE=
		SYSTEMD=${PREFIX}/etc/systemd
		SERVICEFILE=${PRODUCT}.service
		SYSCONFFILE=sysconfig
		SYSCONFDIR=${PREFIX}/etc/sysconfig
		SPARSE=
		ANNOTATED=
(Continue reading)
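The DESTDIR/PREFIX question running through the tarball-install reports above (install.sh installing into /usr/sbin regardless of DESTDIR=, and the reply explaining that PREFIX is hard-coded to /usr/local/shorewall-custom so that a forgotten DESTDIR= cannot clobber a live install) can be checked before install.sh is ever run. The following is an added example, not Shorewall's install.sh or any code from the thread: it expands a shorewallrc file's ${VAR} references, computes where each install directory would land, and lists the ones that fall outside a chosen staging root. The two rc texts are constructed from the ones quoted in these posts; the hard-coded-PREFIX quote is cut off before VARLIB, so VARLIB=/var/lib is assumed there, as in the first rc. The parser does not source the file with a shell, so it is safe to point at an rc file you have not read.

```python
"""Resolve a shorewallrc file and audit where an install would land.

Added example (not Shorewall's own code).  Expands the ${VAR} references
of a shorewallrc without sourcing it in a shell, prepends DESTDIR the way
a staged install expects, and reports which install directories would
fall outside a staging root.
"""
import re
from posixpath import normpath

# Keys that name directories install.sh writes into, taken from the rc
# files quoted in the thread (INITFILE, SERVICEFILE etc. are file names).
INSTALL_KEYS = ("SBINDIR", "CONFDIR", "SHAREDIR", "LIBEXECDIR", "PERLLIBDIR",
                "MANDIR", "INITDIR", "SYSTEMD", "SYSCONFDIR", "VARDIR")

_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_rc(text, product):
    """Return {KEY: resolved value} for one product name.

    ${NAME} may refer to PRODUCT or to a key defined earlier in the file;
    anything else raises instead of silently expanding to "" as a shell
    would.
    """
    env = {"PRODUCT": product}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()

        def lookup(match, _key=key):
            name = match.group(1)
            if name not in env:
                raise KeyError(f"{_key} references undefined ${{{name}}}")
            return env[name]

        env[key] = _REF.sub(lookup, value)
    return env


def install_targets(env):
    """Absolute path each install directory should resolve to: DESTDIR
    prepended when set, the bare directory otherwise."""
    destdir = env.get("DESTDIR", "")
    return {key: normpath(destdir + "/" + env[key]) if destdir else normpath(env[key])
            for key in INSTALL_KEYS if key in env}


def escapes_root(targets, staging_root):
    """Keys whose target lies outside staging_root (empty list = safe)."""
    root = normpath(staging_root)
    return [key for key, path in targets.items()
            if path != root and not path.startswith(root + "/")]


def without_destdir(text):
    """Simulate the 'forgot DESTDIR=' mistake the reply above worries about."""
    return "\n".join(l for l in text.splitlines() if not l.startswith("DESTDIR="))


# Constructed from the shorewallrc.suse quoted in the DESTDIR report.
RC_STAGED = """\
HOST=suse
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/lib
PERLLIBDIR=${PREFIX}/lib/perl5
CONFDIR=/etc
SBINDIR=/usr/sbin
MANDIR=${PREFIX}/man/
INITDIR=/etc/init.d
INITFILE=${PRODUCT}
SYSTEMD=/etc/systemd
SERVICEFILE=${PRODUCT}.service
SYSCONFDIR=/etc/sysconfig
VARLIB=/var/lib
VARDIR=${VARLIB}/${PRODUCT}
DESTDIR=/usr/local/shorewall-custom
"""

# Constructed from the hard-coded-PREFIX rc quoted in the init.d/systemd
# reports; that quote ends before VARLIB, so VARLIB=/var/lib is assumed.
RC_HARDCODED = """\
HOST=suse
PREFIX=/usr/local/shorewall-custom
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/lib
PERLLIBDIR=${PREFIX}/lib/perl5
CONFDIR=${PREFIX}/etc
SBINDIR=${PREFIX}/usr/sbin
MANDIR=${PREFIX}/man/
INITDIR=${PREFIX}/etc/init.d
INITFILE=${PRODUCT}
SYSTEMD=${PREFIX}/etc/systemd
SERVICEFILE=${PRODUCT}.service
SYSCONFDIR=${PREFIX}/etc/sysconfig
VARLIB=/var/lib
VARDIR=${VARLIB}/${PRODUCT}
"""

if __name__ == "__main__":
    root = "/usr/local/shorewall-custom"
    for label, rc in (("staged", RC_STAGED),
                      ("staged, DESTDIR= omitted", without_destdir(RC_STAGED)),
                      ("hard-coded PREFIX", RC_HARDCODED)):
        bad = escapes_root(install_targets(parse_rc(rc, "shorewall-lite")), root)
        print(f"{label}: {'OK' if not bad else 'writes outside ' + root + ': ' + ', '.join(bad)}")
```

An empty list from escapes_root is the property the reply wants from hard-coding PREFIX; the VARDIR hit on the hard-coded rc shows that property only covers the keys actually derived from ${PREFIX}, so VARLIB (and anything else given an absolute path) needs the same treatment before the tarball goes to a remote admin.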

James Andrewartha | 2 Oct 07:29 2014

USE_DEFAULT_RT changed to Yes

Hi,

I see that in 4.6.0 [1], USE_DEFAULT_RT was changed to Yes by default. I
couldn't find any documentation of this change in the release notes. I
can see why this change was made, however I want to use quagga for
routing, which inserts routes into the main routing table. Although it
looks like zebra (part of quagga) can be configured to use a different
table [2]. I also have a VPN with a subnet routed behind it.

The main thing for me is that policy routing needs to keep working, so
#5 at [3] indicates that just setting USE_DEFAULT_RT=No is the quick
fix. However you've indicated that you want to deprecate it, so what
other options are there? Should I just set zebra to drop its routes into
the balance table? Will they get removed when restarting shorewall?

[1]
http://sourceforge.net/p/shorewall/code/ci/cea237620a136b5f75415f62449d885eaf9e6c3d/
[2] http://www.nongnu.org/quagga/docs/docs-info.html#Static-Route-Commands
[3] http://shorewall.net/MultiISP.html#USE_DEFAULT_RT

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

(Continue reading)

jonetsu@teksavvy.com | 2 Oct 02:01 2014

Using Shorewall IPv6

Hello,

  Thanks for your preceding two replies - much appreciated !

I have three questions regarding running an IPv6 configuration which
could surely benefit from your experience, since they are not directly
related to Shorewall, but happen when using the IPv6 portion.

1) When shorewall6 is run, the following is logged.  Since broadcast
is not supported in IPv6, logging this is a bit puzzling:

Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not
support BROADCAST matching

2) Once shorewall6 has established a firewall (a very simple one to
start with) there is no netfilter subdirectory in /proc/sys/net/ipv6.
There is in ipv4/, with a few conntrack options.

The following IPv6 modules are loaded:

  nf_conntrack_ipv6      13124  11 
  nf_defrag_ipv6         12720  2 xt_TPROXY,nf_conntrack_ipv6

3) When I use 'ip6tables -L' to verify, ip6tables lists a few things,
then seems to wait for something before displaying more.  Why is that
so ?

Thanks.

(Continue reading)

jonetsu@teksavvy.com | 1 Oct 00:27 2014

Missing DropSmurfs action file

Hello.  Using Shorewall6 4.5.5.3 (Debian) and having the firewall
config files in /tmp/shorewall6/ I get: 'ERROR: Missing Action
File (/tmp/shorewall6/action.DropSmurfs)'.  But I did not ask for
any smurf actions to be taken.

This is a very simple test firewall.  Interfaces has no options
declared.

And I removed the action from SMURF_DISPOSITION= in
shorewall6.conf

Also, on this Debian system, the action.DropSmurfs file is only
in the shorewall /usr/share directory, not shorewall6.  Although
I did not ask for any smurf action anyways.

In the Shorewall6 4.5.21.10 upstream source package the DropSmurfs
action is set as 'noinline'.  Does that mean that the workings are now
internal to Shorewall ? Also, 4.5.21.10 does not have any
action.DropSmurfs file.

Thanks.

