> There will be 4.5.0.1 in a few days. In the meantime, there is a simple
> workaround posted in the 'Known Problems' on the web site.
>
I see that you finally came to your senses and implemented a proper
blacklisting in shorewall. Congratulations!
Any chance you could fix the init.d script bug I raised over 18
months ago? No matter what I do I always get the crappy version of the
init.d shorewall script and the problem is in your install.sh file. In
all shorewall* packages the following "logic" is present in install.sh
(my own comments are shown with "#!"):
[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
#! so, DESTDIR is always set, no matter what
#! [...]
#
# Determine where to install the firewall script
#
if [ -n "$DESTDIR" ]; then
    if [ -z "$CYGWIN" ]; then
        if [ `id -u` != 0 ] ; then
            echo "Not setting file owner/group permissions, not running as root."
            OWNERSHIP=""
        fi
    fi
    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
    CYGWIN=
    MAC=
else
    #!
    #! Since DESTDIR is ALWAYS set this branch will NEVER execute,
    #! therefore arch-specific settings (DEBIAN/FEDORA/SLACKWARE/ARCHLINUX etc) will NEVER get set,
    #! triggering the rather crappy version of the init.d shorewall script being included in the final build (see below)!
    #!
    if [ $PRODUCT = shorewall ]; then
        #
        # Verify that Perl is installed
        #
        if ! perl -c Perl/compiler.pl; then
            echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
            echo " Try perl -c $PWD/Perl/compiler.pl" >&2
            exit 1
        fi
    else
        [ -x /usr/share/shorewall/compiler.pl ] || \
            { echo " ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
    fi
    if [ -n "$CYGWIN" ]; then
        echo "Installing Cygwin-specific configuration..."
    elif [ -n "$MAC" ]; then
        echo "Installing Mac-specific configuration..."
    else
        if [ -f /etc/debian_version ]; then
            echo "Installing Debian-specific configuration..."
            DEBIAN=yes
            SPARSE=yes
        elif [ -e /etc/redhat-release ]; then
            echo "Installing Redhat/Fedora-specific configuration..."
            FEDORA=yes
        elif [ -f /etc/slackware-version ] ; then
            echo "Installing Slackware-specific configuration..."
            DEST="/etc/rc.d"
            MANDIR="/usr/man"
            SLACKWARE=yes
            INIT="rc.firewall"
        elif [ -f /etc/arch-release ] ; then
            echo "Installing ArchLinux-specific configuration..."
            DEST="/etc/rc.d"
            INIT="$PRODUCT"
            ARCHLINUX=yes
        fi
    fi
fi
if [ -z "$DESTDIR" ]; then
    #!
    #! ... and neither will this branch, thus SYSTEMD NEVER gets set!
    #!
    if [ -f /lib/systemd/system ]; then
        SYSTEMD=Yes
    fi
elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
fi
#! [...]
#
# Install the Firewall Script
#
if [ -n "$DEBIAN" ]; then
    #!
    #! Never happening!
    #!
    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
elif [ -n "$FEDORA" ]; then
    #!
    #! Never happening!
    #! Besides, the proper destination for FEDORA distribution is ${DESTDIR}${DEST},
    #! particularly if ${DEST} is already set - not just hard-coded "${DESTDIR}/etc/init.d/"!
    #! If anything, it should be "${DESTDIR}/etc/rc.d/init.d/".
    #!
    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
elif [ -n "$ARCHLINUX" ]; then
    #!
    #! Never happening!
    #!
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
elif [ -n "$SLACKWARE" -a $PRODUCT = shorewall ]; then
    #!
    #! Never happening!
    #!
    install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
    install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
elif [ -n "$INIT" ]; then
    #!
    #! This is what I get installed in all cases - a rather crappy version of the shorewall init.d script
    #!
    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
    #!
    #! BUG number 2: if any of "${DESTDIR}" or "${DEST}" have spaces in them you are royally screwed!
    #!
fi
The above is valid for all install.sh files, *except* shorewall-init -
there is a special case there - in addition to the above, we have this
little gem:
elif [ -n "$FEDORA" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
    #!
    #! Wrong on so many levels!
    #!
While I am at it, there are a few other bugs in the newest version of
shorewall (4.5.0). I am listing them below - you could fix these, if you
are so inclined:
1. lib.cli has a hard-coded "g_libexec=/usr/share" value, which is wrong
- on my distribution at least, g_libexec is "/usr/libexec", so shorewall
should not assume anything about that directory and that value should
either be "/usr/libexec", or, better still "g_libexec=${LIBEXEC}", which
is a variable usually set prior to shorewall being built. ${LIBEXEC} is
also used in the various places in the install.sh script, but "eval sed
-i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/$PRODUCT"
is not functioning for some reason!
2. masq
- add provision for ipsets inclusion in INTERFACE:DEST, SOURCE and PORT
columns and update the man page (there is no mention of ipsets being
allowed at all), with examples as well shown in that man page. For
example, if I have this in my masq file:
#############################################################################################
#INTERFACE:DEST      SOURCE      ADDRESS     PROTO   PORT(S)     IPSEC   MARK    USER/GROUP
eth0::+test[dst,dst] 10.1.1.1    detect
The above is properly translated by shorewall, though this feature needs
to be documented.
- Using the above example, if I have "+test[src,src]" (which makes no
sense whatsoever) - compilation passes without even a warning and the
above statement is "translated" by shorewall to:
-A eth0_masq -s 10.1.1.1 -m set --match-set test src,src -j SNAT --to-source $SW_ETH0_ADDRESS
That is never going to match anything and it is plainly wrong.
- Not a bug, but a feature: enable/add a separate column - SWITCH - to
allow SNAT rules to be switched on/off as desired (this feature already
exists in other places);
3. blrules conversion (blacklist -> blrules) - the "-a" option is not
shown when "shorewall" or "shorewall help" is executed (just "update [
-b ] [ -r ] [ -T ] [ <directory> ]" is presented), but the same option
is indeed documented in man shorewall.
4. Last, but not least, there are some WHITELIES in the
shorewall-blrules man page - I thought you ought to know and correct
this so that nothing but the plain truth is shown on that page.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
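As an added example (my own sketch, not Shorewall's install.sh and not code from the poster), the following shows how the platform-detection and install logic quoted in the message could be restructured so that detection no longer lives in the `else` branch of the `[ -n "$DESTDIR" ]` test, and so that every path expansion is double-quoted. The `ROOT` parameter and the function names are assumptions introduced here so the detection can be exercised against a constructed directory tree rather than the live `/etc`; the Slackware case is reduced to a single script for brevity.

```shell
#!/bin/sh
# Added example, not Shorewall's install.sh. Two changes relative to
# the install.sh excerpt quoted in the post:
#   1. Platform detection runs unconditionally. DESTDIR only changes
#      *where* files land (a staging prefix), not *which* init script
#      is chosen, so it must not gate the detection.
#   2. Every expansion of DESTDIR/DEST is double-quoted, so a prefix
#      containing spaces is passed as one argument instead of several.
# ROOT is an assumption added for testability: the directory that
# contains the /etc being inspected ("" means the live system).

# detect_init_script ROOT
# Prints the init script a Shorewall-style installer would pick for
# the system whose /etc lives under ROOT; falls back to init.sh.
detect_init_script() {
    root=$1
    if [ -f "$root/etc/debian_version" ]; then
        echo init.debian.sh
    elif [ -e "$root/etc/redhat-release" ]; then
        echo init.fedora.sh
    elif [ -f "$root/etc/slackware-version" ]; then
        echo init.slackware.firewall.sh
    elif [ -f "$root/etc/arch-release" ]; then
        echo init.archlinux.sh
    else
        echo init.sh
    fi
}

# init_script_dest ROOT DESTDIR DEST
# Prints the directory the init script should be installed into.
# DESTDIR is the optional staging prefix, DEST the default init
# directory; Slackware and Arch override DEST with /etc/rc.d, as in
# the excerpt.
init_script_dest() {
    root=$1 destdir=$2 dest=$3
    case $(detect_init_script "$root") in
        init.slackware.*|init.archlinux.sh) dest=/etc/rc.d ;;
    esac
    echo "$destdir$dest"
}

# install_init_script ROOT DESTDIR DEST SRCDIR
# Copies the chosen init script from SRCDIR into place as "shorewall",
# creating the target directory first. Prints the installed path.
# All expansions are quoted so spaces in DESTDIR/DEST survive.
install_init_script() {
    root=$1 destdir=$2 dest=$3 srcdir=$4
    script=$(detect_init_script "$root")
    target=$(init_script_dest "$root" "$destdir" "$dest")
    mkdir -p "$target" || return 1
    cp "$srcdir/$script" "$target/shorewall" || return 1
    chmod 0544 "$target/shorewall" || return 1
    printf '%s\n' "$target/shorewall"
}
```

Calling `install_init_script "" "/tmp/pkg root" /etc/init.d ./init-scripts` on a Debian host would install `init.debian.sh` as `/tmp/pkg root/etc/init.d/shorewall`, which is exactly the combination (staging prefix plus distribution-specific script plus a path with a space) that the quoted install.sh gets wrong.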