David Mohr wrote:
> On 10/26/06, Vieri Di Paola <[EMAIL PROTECTED]> wrote:
>> I was wondering if there could be a slight change to
>> the Shorewall configuration files.
>>
>> It's a Gentoo-specific issue but some other
>> distributions might find some interest in this.
>>
>> Basically, whenever a Gentoo user updates his/her
>> shorewall from portage via
>>
>> # emerge shorewall
>>
>> the ebuild asks the user to update the config files in
>> /etc/shorewall and proposes going through diffs.
>> The problem is that most of the time the user just has
>> to update the header (i.e. documentation) of each
>> config file. The user entries (e.g. shorewall rules)
>> are usually left untouched unless there's a new column
>> in the new version, etc.
>
> I don't really see the point of updating the headers of the files, but
> not the content. AFAIK shorewall is usually able to run with 'older'
> config files by assuming reasonable defaults. What you are proposing
> would be very confusing, because the rules that follow the header
> might not match the documentation in the header anymore. If you update
> one, you should also update the other, and the rules can't be updated
> automatically, so it's better to do this by hand altogether.
>
>> So maybe if the Shorewall config files could
>> source/include other "custom" config files then the
>> upgrade process would be a lot easier.
>> For example, default shorewall installation puts the
>> rules file in /etc/shorewall. If the default rules
>> file could contain a statement such as
>> ". rules_custom" or "include rules_custom" the only real
>> "diff" that the user would have to worry about is
>> uncommenting this line in the new version.
>>
>> Of course one could define a different config file
>> path in shorewall.conf and point to something like
>> /etc/shorewall_custom.
>> But by upgrading for example from 3.0 to 3.2 the user
>> would have to deal with more than just file content.
>> One would have to move over new files such as
>> route_rules, etc.
>> In other words the Gentoo emerge procedure would be to
>> my understanding a lot simpler if the default
>> configuration files could include custom files.
>> I believe FreePBX/Asterisk does something of the sort
>> (e.g. sip.conf can include sip_custom.conf).
>
> Debian I believe does not do automatic updates of shorewall
> configuration files, for the reason mentioned above.

Debian only populates /etc/shorewall with shorewall.conf and Makefile.

shorewall.conf has been an ongoing headache because people blindly update it with the new options and their values then wonder why their Shorewall configuration suddenly stopped working. I've given up trying to change Shorewall's default behavior over time by changing shorewall.conf -- from now on, any additions that I make to that file will set all new options to preserve the existing behavior rather than to produce the new more desirable behavior.

In 3.4, I will start including a modified shorewall.conf in the sample configuration so that new users will get the new behavior while existing users will stop shooting themselves in the foot each time that they upgrade.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
