Thus spoke Ewald Wasscher:

> Ewald Wasscher wrote:
>
> >
> > I'll throw it all onto a floppy, put my current shorewall configfiles
> > with it and give it a try.
>
> And it didn't work when I used my real-world configuration. These
> configuration files do work with shorewall 1.1.0 on Trustix 1.2. Here
> is the output
>
> Processing /etc/shorewall/rules...
>   Rule "ACCEPT local fw tcp ssh" added.
>   Rule "ACCEPT net fw tcp ssh" added.
>   Rule "ACCEPT net fw tcp auth" added.
> [: 131]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT fw net:131.174.60.21 udp
> ntp" ignored
> [: 131]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT fw net:131.174.60.21 udp
> domain" ignored
> [: 131]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT fw net:131.174.64.5 udp
> domain" ignored
> [: 131]: unknown operand
>   Rule "ACCEPT net:131.174.60.21 fw udp 1024:65535 domain" added.
> [: 131]: unknown operand
>   Rule "ACCEPT net:131.174.64.5 fw udp 1024:65535 domain" added.
>   Rule "ACCEPT local fw udp domain" added.
>   Rule "ACCEPT dmz fw udp domain" added.
> [: ]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net fw:131.174.116.216 udp
> domain" ignored
> [: ]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net fw:131.174.116.216 tcp
> domain" ignored
>   Rule "ACCEPT local fw udp bootps" added.
> [: 80 ¬]: unknown operand
> [: 80: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net dmz:192.168.2.1:80 tcp
> www - 131.174.116.216" ignored
> [: 80 ¬]: unknown operand
> [: 80: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT local dmz:192.168.2.1:80
> tcp www - 131.174.116.216" ignored
> [: 25 ¬]: unknown operand
> [: 25: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net dmz:192.168.2.1:25 tcp
> smtp - 131.174.116.216" ignored
> [: 25 ¬]: unknown operand
> [: 25: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT local dmz:192.168.2.1:25
> tcp smtp - 131.174.116.216" ignored
> [: 99 ¬]: unknown operand
> [: 993¤°]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net dmz:192.168.2.1:993
> tcp simap - 131.174.116.216" ignored
> [: 99 ¬]: unknown operand
> [: 993¤°]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT local dmz:192.168.2.1:993
> tcp simap - 131.174.116.216" ignored
> [: 131]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT dmz net:131.174.93.58 tcp
> smtp" ignored
> [: 131]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT dmz net:131.174.93.59 tcp
> smtp" ignored
> [: 21 ¬]: unknown operand
> [: 21: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT net dmz:192.168.2.1:21 tcp
> ftp - 131.174.116.216" ignored
> [: 21 ¬]: unknown operand
> [: 21: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT local dmz:192.168.2.1:21
> tcp ftp - 131.174.116.216" ignored
> [: 194]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT dmz net:194.229.207.17 tcp
> ssh" ignored
> [: 195]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT fw net:195.139.104.67 tcp
> www" ignored
> [: 195]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT fw net:195.0.209.108 tcp
> www" ignored
> [: 192]: unknown operand
> [: 195 ]: unknown operand
> Warning: Undefined Server Zone - rule "ACCEPT dmz:192.168.2.1
> net:195.162.203.182 tcp 6667" ignored
> Adding rules for DHCP
> Processing /etc/shorewall/policy...
>   Policy DROP for net to fw.
>

I believe that the problem here is that Eiger2Beta uses ash for sh and
ash's handling of at least the ${<variable>%%<pattern>} shell construct is
broken:

Here's what should happen (/bin/sh from Oxygen):

# server="loc:192.168.1.1"
# echo ${server%:*}
loc
# echo ${server%%:*}
loc
#

Here's what happens with Eiger2:

[root@wookie lrp-Eiger2]# bin/sh
# server="loc:192.168.1.1"
# echo ${server%:*}
loc
# echo ${server%%:*}
lo

Without a trace, I can't say for sure if that is the only problem but it's
definitely enough of a problem to break Shorewall and accounts for the
"Undefined server zone" errors that you are seeing. The "ash" from RH7 also
shows this incorrect behavior.

If you can lay your hands on a copy of /bin/sh from oxygen and use that, I
think it will work. I wish I had time to put this together myself but
unfortunately, I don't right now...

-Tom
-- 
Tom Eastep             \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924           \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED]       \          http://seattlefirewall.dyndns.org
Shoreline, Washington USA \         http://shorewall.sourceforge.net
                           \_________________________________________


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
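The parsing and the shell check that the reply above describes, as an added example that is not code from this thread or from Shorewall itself; the function names and the constructed endpoint values are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Shorewall itself.
# Splits a Shorewall-style "zone:host[:port]" endpoint with the same
# ${var%%pattern} / ${var#pattern} expansions the message discusses,
# and first self-tests the running shell: an ash whose %% is broken
# returns a truncated zone ("lo" instead of "loc"), which is exactly
# what produces the "Undefined Server Zone" warnings quoted above.

# Zone part: everything before the first ':' ("dmz:192.168.2.1:80" -> dmz).
zone_of() {
    printf '%s\n' "${1%%:*}"
}

# Host part: text after the first ':' up to an optional trailing ':port'.
# Returns an empty string when the endpoint is a bare zone name.
host_of() {
    case "$1" in
        *:*:*) rest="${1#*:}"; printf '%s\n' "${rest%:*}" ;;
        *:*)   printf '%s\n' "${1#*:}" ;;
        *)     printf '\n' ;;
    esac
}

# Port part: text after the last ':' when there are two separators.
port_of() {
    case "$1" in
        *:*:*) printf '%s\n' "${1##*:}" ;;
        *)     printf '\n' ;;
    esac
}

# Exercise %, %%, # and ## on a constructed value with two separators so
# each operator must give a distinct answer; a non-zero return means the
# shell is unsafe for this kind of parsing (the "[: 131]: unknown operand"
# lines above are what a garbled expansion looks like inside "[").
check_shell_expansion() {
    sample="dmz:192.168.2.1:80"   # constructed sample endpoint
    [ "${sample%%:*}" = "dmz" ]             || return 1
    [ "${sample%:*}"  = "dmz:192.168.2.1" ] || return 1
    [ "${sample#*:}"  = "192.168.2.1:80" ]  || return 1
    [ "${sample##*:}" = "80" ]              || return 1
    return 0
}

if check_shell_expansion; then
    echo "shell expansion OK: zone=$(zone_of 'net:131.174.60.21')"
else
    echo "WARNING: this shell mishandles \${var%%pattern}; do not run Shorewall with it" >&2
fi
```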
