Tom Eastep | 10 Apr 2013 01:08

Re: regression in 4.5

On 4/9/13 3:28 PM, "Farkas Levente" <lfarkas <at> lfarkas.org> wrote:

>On 04/09/2013 11:52 PM, Tom Eastep wrote:
>> On 04/09/2013 02:38 PM, Farkas Levente wrote:
>>> On 04/09/2013 06:45 PM, Tom Eastep wrote:
>> 
>>>>
>>>> Do you have a 'cd' command in ../common/params ?
>>>
>>> no. there are only simple ip and hostname constants.
>>>
>> 
>> Okay -- please:
>> 
>> 1) cd shorewall/host1.example.com
>> 2) sh -x /sbin/shorewall compile -e . firewall 2> trace
>> 3) Send me the 'trace' file.
>> 
>> -Tom

Farkas,

Is it possible for you to upgrade to 4.5.15? I believe that will resolve
your issue.

Thanks,
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.


Ville Walveranta | 9 Apr 2013 23:20

Exporting current rules from Shorewall in dry-run style?

Is there a way to export the current ruleset from Shorewall in a way that would produce output comparable to iptables-save, without making those rules effective?  I know there is "shorewall compile", but the resulting script does not appear to be diff-able (at least in a meaningful way :) with the output from iptables-save, even when the script segments are stripped off.

The use-case for the above is this: I'm working on a firewall that used to be Shorewall-managed, but because refreshing the rules via "shorewall safe-restart" terminated active VoIP streams, admins started making direct iptables changes. The two rulesets (Shorewall vs. vanilla iptables) diverged over time, and while the VoIP connections have moved off of the segment, the differences haven't been settled.  Being a live environment, it would be preferable if I could compare and re-implement the rules in Shorewall before switching back.  Being able to diff the rules currently in use against those currently defined in Shorewall would make the work much easier.

Thanks for any insights on this!

João Alberto Kuchnier | 9 Apr 2013 21:38

MultiISP

Hi folks!

I used the Shorewall Multi ISP manual 
(http://www.shorewall.net/MultiISP.html) to configure a dual link 
firewall at one of our clients. When the primary link fails, remote 
connections using the secondary remain working. However, from the LAN, they 
can't access the Internet. It seems like shorewall is not using the 
secondary as an alternative route. I'm using the following configuration:

/etc/shorewall/providers
#NAME           NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY          OPTIONS          COPY
Primary Link    1       1       main       eth0       200.175.xxx.xxx  track,balance=1  eth2,eth3
secundary Link  2       2       main       eth1       201.14.xxx.xxx   track,balance=2  eth2,eth3

/etc/shorewall/masq
#INTERFACE      SOURCE          ADDRESS          PROTO  PORT(S)  IPSEC  MARK
eth0            0.0.0.0/0       200.175.xxx.xxx
eth1            0.0.0.0/0       201.14.xxx.xxx

I don't have any tcrules configuration. There is no gateway 
configuration in the /etc/network/interfaces file.

I did a route -n and noticed that there is an external route just for the 
primary link.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
200.175.xxx.xxx 0.0.0.0         255.255.255.248 U     0 0        0 eth0
201.14.xxx.xxx   0.0.0.0         255.255.255.248 U     0 0        0 eth1
192.168.3.0     192.168.2.1     255.255.255.0   UG    0 0        0 eth3
192.168.2.0     0.0.0.0         255.255.255.0   U     0 0        0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U     0 0        0 eth2
0.0.0.0         200.175.xxx.xxx 0.0.0.0         UG    0 0        0 eth0

Is this correct? Can anyone help me?

Thanks!

João K.

Göran Höglund | 9 Apr 2013 16:46

Multi ISP strange behaviour

Hi List,
I get a funny problem when I use the Multiple ISP setup from the shorewall 
documentation.

I use it for failover between two different carriers.
I use lsm as described and am using shorewall version 4.5.5.1 on a 
centos 6.4 box.

My issue is routing: when lsm changes to the backup my browsing is using 
the backup IF, fine ...

But if I set a continuous ping on a PC behind the firewall these pings 
won't change IF??
So if I start a ping when the backup is active it won't switch over to 
the normal isp when it is restored, but browsing does.

I assume this is easy when you know, but I don't and it bugs me.

Regards Gh

Javier Martinez | 9 Apr 2013 15:46

How to make internal NAT

Hi everyone, I have installed OpenVPN and Shorewall, latest versions, and all is working fine. It's gratifying to configure access with Shorewall. 


I have a question that I don't know how to solve. I have an eth8 (192.168.3.77/24) in my fw Linux box where I have installed OpenVPN and Shorewall, and I want to configure it so that OpenVPN clients (10.100.2.x/24) make NAT with (192.168.3.77/24) when they go through the 192.168.3.x internal LAN network. What I want is to get the VPN clients to make NAT with the 192.168.3.x eth8 when they access devices/computers on the 192.168.3.x network.

I think perhaps it is a rule, a masq to include...??? I have tried several but I don't know how to do it.

Please, can you tell me how to configure rules, masq, to make internal NAT?

Thank you in advance.
Stephen Wray | 9 Apr 2013 08:22

Squid (transparent) Running in the local network, tproxy/ipv6

I can see that I don't properly understand the TPROXY component of Shorewall.

I've got it set up, by the book, with the transparent proxy on the router itself. That's been working fine with ipv6.

I'd like to test using a transparent proxy running on another machine on the local network. This works fine in ipv4 using DNAT (REDIRECT) rules but I can't get it working in ipv6 using TPROXY. In fact I'm not sure even where to start.

What I did notice is that this configuration is not actually described in the documentation, which is otherwise quite exhaustive. Is this actually doable?

Thanks!

Farkas Levente | 8 Apr 2013 20:56

regression in 4.5

hi,
in a master shorewall-lite setup before 4.5 it was possible to put such
a line into params (on the master):

INCLUDE ../common/params

it's no longer possible since it gives this error:

/usr/share/shorewall/lib.common: line 708:
/etc/shorewall/../common/params: No such file or directory

even if i try to create a symlink to ../common/params as params.common and

INCLUDE params.common

/usr/share/shorewall/lib.common: line 708: /etc/shorewall/params.common:
No such file or directory

so neither relative paths nor local files can be included. imho it's
a regression since it was possible before.

another note: it would be a good thing in a master-lite setup to
check the master and lite shorewall versions and warn if they are not
"compatible" (whatever "compatible" means). eg: 4.5.4 and 4.5.14 are
not compatible:-(

-- 
  Levente                               "Si vis pacem para bellum!"

PH | 5 Apr 2013 12:18

Fedora 18 when shorewall rpm should be used

Hi,

Using Fedora 18 32-bit.

On the shorewall site it says to use
http://www.invoca.ch/pub/packages/shorewall/RPMS/

In there, there are a number of folders: ils-3, ils-4, ils-5, ils-6.

What are ils-* and which should I be using for my version of Fedora?

Thanks

PH | 5 Apr 2013 00:37

Internet not working after PPP connection drops

Hi,

Using shorewall v4.5.12
3 Interface
PPPOE

If my adsl connection drops I have no internet connection after it comes
back up.
I need to restart shorewall for it to work again.

Is there something I need to change, so that shorewall restarts
automatically when the adsl connection comes back up?

Thanks

Tom Eastep | 1 Apr 2013 19:40

Shorewall 4.5.15

The Shorewall team is pleased to announce the availability of Shorewall
4.5.15.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Previously, the Shorewall and Shorewall6 install.sh scripts did two
    things wrong with respect to the /etc/shorewall[6]/routes file:

    - The existing file was unconditionally removed.
    - A skeleton file was not installed when SPARSE was not set in
      the shorewallrc file.

    Additionally, the installer would remove /etc/shorewall[6]/tcstart.

2)  The Shorewall-init install.sh script previously refused to replace
    /sbin/ifup-local and /sbin/ifdown-local when those files had been
    installed by an earlier version of Shorewall-init.

3)  Previously, Shorewall-init's integration with NetworkManager was
    incomplete on SuSE with the result that NetworkManager interface
    change events were not processed. That has been corrected.

4)  Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32
    networks as hosts (/128). /32 IPv6 networks are once again handled
    correctly.

5)  Using service class names such as EF, BE, CS1, ... for DSCP
    didn't work previously. Thibaut Chèze has provided a fix.

6)  An incorrect range test prevented DSCP classes CS6 and CS7 from
    being accepted. The test has been corrected and those classes are
    now allowed.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Prior to this release, Shorewall has only supported blackhole null
    routing in the /etc/shorewall[6]/routes file and in the
    NULL_ROUTE_RFC1918 option.

    Beginning with this release, Shorewall also supports 'unreachable'
    and 'prohibit' routes.

    In /etc/shorewall/routes, the GATEWAY column may contain
    'blackhole', 'unreachable' or 'prohibit'.

    NULL_ROUTE_RFC1918 can also assume those values, in addition to
    'Yes' and 'No' (case-insensitive). 'Yes' is equivalent to
    'blackhole' for backward compatibility.

    Please see http://www.shorewall.net/MultiISP.html#null_routing for
    details. That section was provided by Mr Dash Four.

2)  The 'ifupdown' script installed by Shorewall-init is now
    distribution-specific. Previously, the script determined the
    distribution at run-time.

3)  The ${VARDIR}/undo_<provider>_routing scripts no longer invoke
    a Shorewall internal function so that they may be processed
    directly by a shell.

4)  The compiler now detects multiple entries in
    /etc/shorewall[6]/routes with the same PROVIDER and DEST and raises
    an error. If an entry for the 'main' table in /etc/shorewall/routes
    has one of the RFC1918 networks as the DEST and if
    NULL_ROUTE_RFC1918=Yes, then a warning message is issued and the
    entry in /etc/shorewall/routes is used.

5)  Prior to now, the generated shell script has always used routing
    table (provider) numbers rather than names. To make the script more
    readable and to aid in debugging, a new USE_RT_NAMES option has
    been added to shorewall[6].conf.

    When set to 'Yes', Shorewall will use routing table (provider)
    names in the generated script rather than table numbers. When set
    to 'No' (the default), routing table numbers will be used.

    Caution

    If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must
    ensure that all of your providers have entries in
    /etc/iproute2/rt_tables as well as the following entries:

        255 local
        254 main
        253 default
        250 balance
        0 unspec

    Without these entries, the firewall will fail to start.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
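
A pre-flight check for the USE_RT_NAMES/KEEP_RT_TABLES caution above, added here as an example (it is not part of the announcement or of Shorewall itself): it assumes the first two providers columns are NAME and NUMBER and that rt_tables must map each NUMBER to that NAME, and it runs against constructed sample files rather than a live host.

```shell
#!/bin/sh
# Added example (not code from the announcement or from Shorewall): pre-flight
# check for USE_RT_NAMES=Yes with KEEP_RT_TABLES=Yes, verifying that rt_tables
# has the five entries from the release notes plus one per provider.

# Entries the release notes require, as "NUMBER NAME" pairs.
REQUIRED_TABLES='255 local
254 main
253 default
250 balance
0 unspec'

# rt_tables_has FILE NUMBER NAME: succeed if FILE maps NUMBER to NAME.
# Comment and blank lines are skipped, as iproute2 skips them.
rt_tables_has() {
    awk -v num="$2" -v name="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == num && $2 == name { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# provider_tables FILE: print "NUMBER NAME" for each provider (columns are
# NAME NUMBER ...), skipping comments, blank lines and ?FORMAT directives.
provider_tables() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[?]/ { next } { print $2, $1 }' "$1"
}

# check_rt_tables RT_TABLES PROVIDERS: print "missing: NUMBER NAME" for each
# absent entry; succeed only when nothing is missing.
check_rt_tables() {
    missing=$( { printf '%s\n' "$REQUIRED_TABLES"; provider_tables "$2"; } |
        while read -r num name; do
            rt_tables_has "$1" "$num" "$name" || echo "missing: $num $name"
        done )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# write_samples: constructed sample files (not from a real host) in a temp
# dir; rt_tables deliberately lacks "250 balance" and the second provider.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/providers" <<'EOF'
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS          COPY
ISP1    1       1     main       eth0       192.0.2.1     track,balance=1  eth2
ISP2    2       2     main       eth1       198.51.100.1  track,balance=2  eth2
EOF
    printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n1\tISP1\n' > "$dir/rt_tables"
    echo "$dir"
}

samples=$(write_samples)
check_rt_tables "$samples/rt_tables" "$samples/providers" || echo "fix rt_tables before starting the firewall"
```

Against the samples it reports "missing: 250 balance" and "missing: 2 ISP2", the two entries a firewall start would trip over; point the two paths at /etc/iproute2/rt_tables and /etc/shorewall/providers to check a real host.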

Roland Roland | 31 Mar 2013 19:40

logging to mysql - advice ?

shorewall is working fine with log set to "info" on all rules.

I'm using ulogd, but it's not working. Here are the steps I've taken so far:

- apt-get install ulogd # installed successfully as well as ulogd-mysql
- ulogd-mysql.sql (downloaded from their project site) imported into 
ulogd database.
- ulogd DB granted necessary privileges;
- updated /etc/ulogd.conf with mysql credentials
- uncommented mysql.so in /etc/ulogd.conf
- sed -i 's/info/NFLOG/g' /etc/shorewall/*
- shorewall restart;/etc/init.d/ulogd restart

Checking mysqladmin proc shows that ulogd is connected, but it's in 
sleep state.
I did a couple of selects on the ulog table; it's still empty even though I 
generate a fair amount of logs at any given moment.

Any advice?
