Hi,
I was able to reproduce every reported error in RC1.
With LOG_BACKEND.patch, SAVE_IPSETS1.patch and SAVE_IPSETS2.patch
applied, everything seems to work.
But I am writing because I had to restart shorewall twice to get it
working, not sure if this is normal/expected:
1. I installed shorewall-4.6.4-rc1.
2. "shorewall safe-restart" failed:
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> ERROR: Invalid LOG Backend ()
3. I reinstalled shorewall with "LOG_BACKEND.patch" applied.
4. I called "shorewall safe-restart" again:
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Generating Rule Matrix...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Currently-running Configuration Saved to /var/lib/shorewall/.safe
> Usage: /var/lib/shorewall/firewall [ options ] <command>
>
> <command> is one of:
> start
> stop
> clear
> disable <interface>
> down <interface>
> enable <interface>
> reset
> refresh
> restart
> run <command> [ <parameter> ... ]
> status
> up <interface>
> version
>
> Options are:
>
> -v and -q Standard Shorewall verbosity controls
> -n Don't update routing configuration
> -p Purge Conntrack Table
> -t Timestamp progress Messages
> -V <verbosity> Set verbosity explicitly
> -R <file> Override RESTOREFILE setting
> Restarting...
> Restarting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> Do you want to accept the new firewall configuration? [y/n] no
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/restored ...
> done.
> New configuration has been rejected and the old one restored
5. I now reinstalled shorewall with "SAVE_IPSETS1.patch" and
"SAVE_IPSETS2.patch" applied and re-ran "shorewall safe-restart":
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Generating Rule Matrix...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Currently-running Configuration Saved to /var/lib/shorewall/.safe
> WARNING: No ipsets were saved
> Restarting...
> Restarting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> Do you want to accept the new firewall configuration? [y/n] n
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/restored ...
> done.
> New configuration has been rejected and the old one restored
I did not expect the WARNING. I thought SAVE_IPSETS{1,2}.patch had
addressed this problem. Well, because I had these patches applied, I
just re-ran "shorewall safe-restart" again...
This time it was working.
I am wondering why running the same command twice had a different result.
-Thomas
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel