Paul Traina wrote:
>
> Would you be willing to refresh the lrp version /etc files to match what
> you believe they should be? I know you changed your policy on template
> stuff to reduce your support load, but the lrp versions don't represent
> that change. I've made some guesses, but... are you the maintainer of
> the lrp versions of these files, or is KP?

I have been maintaining the standard content while KP has been maintaining
the differences.

>
> Your install script assumes it runs as root, which may not be correct if
> we're using PREFIX. Currently I'm using fakeroot as a wrapper to avoid
> dealing with the -o owner -g group arguments in install. I was thinking
> of patching your install.sh script to something like:
>
>     if using prefix and `id -u` != 0
>         OWNERSHIP=""
>     else
>         OWNERSHIP="-o $OWNER -g $GROUP"
>     fi
>
> and then replacing the explicit stuff with $OWNAGE, but I didn't want to
> have to manage that patch outside of your environment.

If you send me a patch, I'll apply it to my tree.

>
> I'll send you a patch along shortly showing you the differences between
> your LRP and what I am currently generating.
>

The differences are all in /etc/shorewall -- here is a patch that reflects
what I think they should be.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
diff -au /home/teastep/Shorewall/Shorewall2/interfaces ./interfaces --- /home/teastep/Shorewall/Shorewall2/interfaces 2005-04-08 10:19:05.000000000 -0700 +++ ./interfaces 2005-04-11 13:03:40.000000000 -0700 @@ -204,4 +204,6 @@ ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS # +net eth0 detect dhcp,routefilter,norfc1918 +loc eth1 detect dhcp #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -au /home/teastep/Shorewall/Shorewall2/masq ./masq --- /home/teastep/Shorewall/Shorewall2/masq 2004-12-31 09:41:44.000000000 -0800 +++ ./masq 2005-02-02 13:10:52.000000000 -0800 @@ -197,4 +197,5 @@ # ############################################################################### #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +eth0 eth1 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff -au /home/teastep/Shorewall/Shorewall2/policy ./policy --- /home/teastep/Shorewall/Shorewall2/policy 2005-03-30 07:03:32.000000000 -0800 +++ ./policy 2005-04-06 10:11:20.000000000 -0700 
@@ -68,24 +68,24 @@ # and the size of an acceptable burst. If not specified, # TCP connections are not limited. # -# Example: +# As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed # b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. -# -# #SOURCE DEST POLICY LOG -# # LEVEL -# loc net ACCEPT -# net all DROP info -# # -# # THE FOLLOWING POLICY MUST BE LAST -# # -# all all REJECT info -# ############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL +loc net ACCEPT +net all DROP ULOG +# If you want open access to the Internet from your Firewall +# remove the comment from the following line. +#fw net ACCEPT + +# +# THE FOLLOWING POLICY MUST BE LAST +# +all all REJECT ULOG #LAST LINE -- DO NOT REMOVE diff -au /home/teastep/Shorewall/Shorewall2/rules ./rules --- /home/teastep/Shorewall/Shorewall2/rules 2005-03-01 10:29:15.000000000 -0800 +++ ./rules 2005-04-11 13:05:09.000000000 -0700 
@@ -330,4 +330,26 @@ #################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP +# Accept DNS connections from the firewall to the network +# +ACCEPT fw net tcp 53 +ACCEPT fw net udp 53 +# Accept SSH connections from the local network for administration +# +ACCEPT loc fw tcp 22 +# Allow Ping To Firewall +# +ACCEPT loc fw icmp 8 +ACCEPT net fw icmp 8 +# +# Allow all ICMP types (including ping) From Firewall +# +ACCEPT fw loc icmp +ACCEPT fw net icmp +# +# Bering specific rules: +# allow loc to fw udp/53 for local/caching DNS servers to work +# allow loc to fw tcp/80 for weblet to work +ACCEPT loc fw udp 53 +ACCEPT loc fw tcp 80 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -au /home/teastep/Shorewall/Shorewall2/shorewall.conf ./shorewall.conf --- /home/teastep/Shorewall/Shorewall2/shorewall.conf 2005-04-11 13:09:13.000000000 -0700 +++ ./shorewall.conf 2005-04-11 13:11:08.000000000 -0700 @@ -67,7 +67,7 @@ # # http://www.shorewall.net/shorewall_logging.html -LOGFILE=/var/log/messages +LOGFILE=/var/log/shorewall.log # # LOG FORMAT @@ -175,7 +175,7 @@ # Example: LOGNEWNOTSYN=debug -LOGNEWNOTSYN=info +LOGNEWNOTSYN=ULOG # # MAC List Log Level @@ -187,7 +187,7 @@ # See the comment at the top of this section for a description of log levels # -MACLIST_LOG_LEVEL=info +MACLIST_LOG_LEVEL=ULOG # # TCP FLAGS Log Level @@ -199,7 +199,7 @@ # See the comment at the top of this section for a description of log levels # -TCP_FLAGS_LOG_LEVEL=info +TCP_FLAGS_LOG_LEVEL=ULOG # # RFC1918 Log Level @@ -211,7 +211,7 @@ # See the comment at the top of this section for a description of log levels # -RFC1918_LOG_LEVEL=info +RFC1918_LOG_LEVEL=ULOG # # SMURF Log Level @@ -225,7 +225,7 @@ # See the comment at the top of this section for a description of log levels # -SMURF_LOG_LEVEL=info +SMURF_LOG_LEVEL=ULOG # # BOGON Log Level 
@@ -239,7 +239,7 @@ # See the comment at the top of this section for a description of log levels # -BOGON_LOG_LEVEL=info +BOGON_LOG_LEVEL=ULOG # # MARTIAN LOGGING @@ -284,7 +284,7 @@ # use lock files, set this to "". # -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK=/var/run/shorewall # # SHOREWALL TEMPORARY STATE DIRECTORY @@ -293,7 +293,7 @@ # it is running # -STATEDIR=/var/lib/shorewall +STATEDIR=/var/state/shorewall # # KERNEL MODULE DIRECTORY @@ -472,7 +472,7 @@ # # Example: # -# CLAMPMSS=1400 +# CLAMPMSS=1400 # CLAMPMSS=No @@ -671,8 +671,9 @@ # exploited by users who do. Setting DISABLE_IPV6=Yes will cause # Shorewall to disable IPV6 traffic to/from and through your # firewall system. This requires that you have ip6tables installed. +# Should be set to "No" for LEAF/LRP -DISABLE_IPV6=Yes +DISABLE_IPV6=No # # BRIDGING diff -au /home/teastep/Shorewall/Shorewall2/start ./start --- /home/teastep/Shorewall/Shorewall2/start 2005-04-08 12:57:31.000000000 -0700 +++ ./start 2005-02-02 13:10:52.000000000 -0800 @@ -4,3 +4,7 @@ # Add commands below that you want to be executed after shorewall has # been started or restarted. # +for file in /etc/shorewall/start.d/* ; do + run_user_exit $file +done + diff -au /home/teastep/Shorewall/Shorewall2/stop ./stop --- /home/teastep/Shorewall/Shorewall2/stop 2004-10-26 08:35:49.000000000 -0700 +++ ./stop 2005-02-02 13:10:52.000000000 -0800 @@ -4,3 +4,7 @@ # Add commands below that you want to be executed at the beginning of a # "shorewall stop" command. # +for file in /etc/shorewall/stop.d/* ; do + run_user_exit $file +done + diff -au /home/teastep/Shorewall/Shorewall2/zones ./zones --- /home/teastep/Shorewall/Shorewall2/zones 2005-02-02 07:39:59.000000000 -0800 +++ ./zones 2005-02-02 13:10:52.000000000 -0800 
@@ -11,15 +11,9 @@ # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. # # See http://www.shorewall.net/Documentation.htm#Nested -#-------------------------------------------------------------------------------- -# Example zones: # -# You have a three interface firewall with internet, local and DMZ interfaces. -# -# #ZONE DISPLAY COMMENTS -# net Internet The big bad Internet -# loc Local Local Network -# dmz DMZ Demilitarized zone. -# -#ZONE DISPLAY COMMENTS +#ZONE DISPLAY COMMENTS +net Net Internet +loc Local Local networks +#dmz DMZ Demilitarized zone #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
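Review bot: in the interfaces hunk, `norfc1918` on the `+net eth0 detect dhcp,routefilter,norfc1918` line makes Shorewall drop (and log at RFC1918_LOG_LEVEL) anything arriving on eth0 with an RFC 1918 source, which breaks the link whenever the upstream side of that interface uses a private address; the `dhcp` option on the same line suggests exactly the kind of cable/DSL setup where that happens. Either leave the option out of the shipped default or add a comment telling the admin to remove it when the WAN address is private.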
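Review bot: in the policy hunk, the rewritten comment still says connections from the internet are "logged at syslog level KERNEL.INFO" while the policy lines below it now log via ULOG (`+net all DROP ULOG`, `+all all REJECT ULOG`), and the list runs a), b), d) with no c). Update the comment to say ULOG and either restore c) (presumably the commented-out `+#fw net ACCEPT`) or reletter the items.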
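Review bot: in the rules hunk, `+ACCEPT net fw icmp 8` opens echo-request from the Internet to the firewall with the RATE LIMIT column left empty, so a value there (Shorewall 2 takes `rate/sec:burst`, e.g. `5/sec:10`) would be worth adding to the shipped default. Also, the Bering-specific `+ACCEPT loc fw udp 53` has no tcp/53 counterpart, so a caching resolver on the firewall cannot serve answers that clients retry over TCP after a truncated UDP reply; add `ACCEPT loc fw tcp 53` next to it.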
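Review bot: in the shorewall.conf hunks, every log level is switched to ULOG and `+LOGFILE=/var/log/shorewall.log` is set, but nothing in the patch shows ulogd being configured to write to that path; `shorewall show log` and `shorewall logwatch` read LOGFILE, so if ulogd is not running on the LRP image the policies still work but all logging is silently lost. State the ulogd dependency in the comment above LOGFILE.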
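Review bot: in the `@@ -472,7 +472,7 @@` hunk, the `-# CLAMPMSS=1400` / `+# CLAMPMSS=1400` pair reads as identical, so the change is whitespace only and is noise in the patch; drop that hunk.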
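Review bot: in the DISABLE_IPV6 hunk, the added comment `+# Should be set to "No" for LEAF/LRP` gives no reason; the preceding context line says the option requires ip6tables, so spell out that LEAF/LRP does not ship ip6tables (if that is the reason) so a later maintainer does not flip it back to Yes.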
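Review bot: in the `start` and `stop` hunks, `for file in /etc/shorewall/start.d/* ; do run_user_exit $file` passes the literal glob to run_user_exit when the directory is empty or absent, and `$file` is unquoted; add `[ -f "$file" ] || continue` as the first line of each loop body and write `run_user_exit "$file"`.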
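The ownership guard Paul sketches for install.sh, written out as an added example (not code from the thread or from Shorewall's own install.sh); it assumes PREFIX, OWNER and GROUP are the variables that script already uses, and adds an install_file helper that applies the computed flags.

```shell
#!/bin/sh
# Added example (not from the original install.sh): install files under an
# optional PREFIX, passing -o/-g to install(1) only when they can succeed.
# PREFIX, OWNER and GROUP are assumed to be the variables install.sh uses.

OWNER=${OWNER:-root}
GROUP=${GROUP:-root}
PREFIX=${PREFIX:-}

# Print the ownership arguments for install(1).  When files are being
# staged under a PREFIX by a non-root user (the fakeroot case in the
# thread), chown would fail, so nothing is emitted; otherwise the
# explicit owner and group are kept.
ownership_args() {
    if [ -n "$PREFIX" ] && [ "$(id -u)" -ne 0 ]; then
        printf '%s' ''
    else
        printf '%s' "-o $OWNER -g $GROUP"
    fi
}

# Install one file below PREFIX with the computed ownership.
# Usage: install_file SRC DEST [MODE]; MODE defaults to 0644.
install_file() {
    src=$1
    dest="${PREFIX}$2"
    mode=${3:-0644}
    mkdir -p "$(dirname "$dest")" || return 1
    # The flags are deliberately unquoted so that they word-split into
    # separate arguments (or into nothing when ownership_args is empty).
    install $(ownership_args) -m "$mode" "$src" "$dest"
}
```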