Tom Eastep wrote:
> Tom Eastep wrote:
>> Phil Cordier wrote:
>>> Hi Tom - thanks much for the patch - it has done the trick (and greetings
>>> from Shoreline, we're neighbors).
>> Cool! (On both counts.)
>>
>>> It only happened with the startup error, i.e. when there was a CONTINUE
>>> policy, or IMPLICIT_CONTINUE=Yes was set in shorewall.conf - there's
>>> nothing in my stop file...
>> Hmmm -- that's worrisome since I can't reproduce it under those same
>> circumstances. I'll try again.
>
> I'll bet you have critical hosts defined in /etc/shorewall/routestopped!
Attached is a patch to /usr/share/shorewall/compiler which corrects this problem.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Index: compiler
===================================================================
--- compiler (revision 5526)
+++ compiler (working copy)
@@ -3073,6 +3073,8 @@
REJECT)
run_iptables -A $1 -j reject
;;
+ CONTINUE)
+ ;;
*)
run_iptables -A $1 -j $target
;;
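Review bot: the empty `CONTINUE)` arm is the whole fix for the reported startup error but reads like an unfinished case; add a one-line comment saying why no rule is emitted. Without this arm a CONTINUE policy falls into `*)`, and `run_iptables -A $1 -j $target` hands iptables `-j CONTINUE`, which is a Shorewall policy name rather than an iptables target. Something like `CONTINUE) # no rule: packet falls through to the next chain` keeps the intent visible to the next person touching this case statement.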
@@ -4657,13 +4659,17 @@
deleteallchains
- for host in $CRITICALHOSTS; do
- interface=\${host%:*}
- networks=\${host#*:}
- \$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
- \$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
- done
+__EOF__
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+
+ cat >&3 << __EOF__
+
for chain in INPUT OUTPUT; do
setpolicy \$chain DROP
done
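Review bot: the removed lines mixed compile-time and run-time expansion inside one here-document: `$CRITICALHOSTS` was unescaped, so the compiler expanded the host list, while `\${host%:*}`, `\$(source_ip_range \$networks)` and `\$IPTABLES` were escaped and written verbatim into the generated script. Closing the here-document with `__EOF__`, running the loop in the compiler through `do_iptables`, and reopening it with `cat >&3 << __EOF__` makes every expansion happen in the compiler, where `source_ip_range` and `dest_ip_range` are called, and explains why the failure only appeared with entries in routestopped (an empty `$CRITICALHOSTS` emits nothing either way). Two small follow-ups: put a comment on the `__EOF__` / `cat >&3 << __EOF__` split so nobody re-escapes the `$` later, and note that the reopened here-document starts with an empty `+` line, which is harmless but is not mirrored in the hunk at 4680.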
@@ -4680,13 +4686,16 @@
deleteallchains
- for host in $CRITICALHOSTS; do
- interface=\${host%:*}
- networks=\${host#*:}
- \$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
- \$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
- done
+__EOF__
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+ cat >&3 << __EOF__
+
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
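Review bot: the seven `+` lines here are the same loop as in the hunk at 4657, down to the `do_iptables -A INPUT` / `-A OUTPUT` pair (only the blank line before `cat >&3` differs); factor them into a shell function, e.g. `add_critical_host_rules`, called from both sites, so a later fix to the splitting or to the `do_iptables` calls lands once. On that splitting, `${host%:*}` strips after the last colon and `${host#*:}` strips up to the first colon, so an entry with no colon yields `interface` and `networks` both equal to the whole entry; either confirm that `$CRITICALHOSTS` only ever holds `interface:networks` pairs or guard that case before calling `source_ip_range` on it.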
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
