>> But, in the produced "/var/lib//firewall" (shouldn't that be
>> /var/lib/shorewall/firewall?) there aren't any references to the above rule!
>> Indeed when I execute shorewall stop, and then iptables -L -vn, nothing is
>> there!
> Further findings:
>
> 1. The (new) firewall file is definitely in /var/lib instead of
> /var/lib/shorewall, though the new file is executed when shorewall starts.
> Comparing the old firewall file (which is still in /var/lib/shorewall) with
> the new one, I am seeing this:
>
> @@ -2435,7 +2448,7 @@
> g_basedir=/usr/share/shorewall
> CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
> [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
> - [ -n "${VARDIR:=/var/lib/shorewall}" ]
> + [ -n "${VARDIR:=/var/lib/shorewall/shorewall}" ]
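Review bot: the `+` line changes the default VARDIR to `/var/lib/shorewall/shorewall`, which nests the `shorewall` component twice; the old default `/var/lib/shorewall` matches the directory the earlier firewall file lives in and is the one the quoted report expects. Note that `[ -n "${VARDIR:=...}" ]` exists only for its side effect (assign the default when VARDIR is unset or empty), and that the report of a script written to `/var/lib//firewall` points to VARDIR being empty at the time the output path was built, i.e. before this assignment took effect or with an empty value sourced from `${g_confdir}/vardir`. Suggest restoring `[ -n "${VARDIR:=/var/lib/shorewall}" ]` and checking what `${g_confdir}/vardir` sets, so the compile-time output path and the runtime default agree.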
>
> I am not sure that's right!
OK, some good news.
It seems that when I execute "shorewall compile -T -p -e firewall" (i.e.
compilation for a remote system while specifying the name of the destination
file - "firewall" in this case) it is all flawless! I can see both the paths I
specified in the (remote version of) shorewall.conf, as well as stoppedrules -
they are all taken care of, though when both routestopped and stoppedrules are
present, shorewall takes into account both files. I could also see that ipsets
are supported in stoppedrules, so that's also good.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel