On 10/4/12 3:25 PM, "Tom Eastep" <[email protected]> wrote:
>Please send me (privately) a tarball of your /etc/shorewall directory.
>Before you create the tarball, please:
>
> shorewall show -f capabilities > /etc/shorewall/caps
>
>Thanks,
I received the tarball and found that the rules file contains this:
HTTPS/REJECT loc:!~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA net:199.59.148.0/22,199.59.149.0/22
I installed 4.4.26.1 and then compiled the configuration as firewall1.
I then added this to params:
MAC_LIST="~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA"
And changed the rule to this:
HTTPS/REJECT loc:!$MAC_LIST net:199.59.148.0/22,199.59.149.0/22
I then compiled the configuration as firewall2 and 'diffed' the two
generated scripts:
diff -au firewall1 firewall2
--- firewall1 2012-10-04 16:28:36.000000000 -0700
+++ firewall2 2012-10-04 16:42:50.000000000 -0700
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Compiled firewall script generated by Shorewall 4.4.26.1 - Thu Oct 4
16:28:36 2012
+# Compiled firewall script generated by Shorewall 4.4.26.1 - Thu Oct 4
16:42:50 2012
#
# This program is under GPL
[http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -1925,6 +1925,7 @@
MAC_LOC_MSN=~00-1B-77-91-D5-5E,~00-0E-E8-D6-31-03
IP_DROPBOX=199.47.216.0/22,108.160.160.0/20,205.189.0.0/24
MAC_DBOX=~08-00-27-6D-94-E3,~00-0E-E8-D6-31-03,~00-1F-3A-30-BC-41
+ MAC_LIST=~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA
NET_FACE_IP=69.171.224.13,69.171.224.11,66.220.149.11,69.171.229.11,66.220.
158.11,69.171.242.11,95.100.130.110,66.220.158.74
MAC_LOC_TWIT=~00-11-00-00-00-00,~00-0E-E8-D6-31-03
IP_PORN=173.192.57.241,91.192.110.109,93.93.64.65,173.208.175.42,108.167.18
3.224
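Review bot: the `+ MAC_LIST=~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA` line is the only functional difference between the two compiled scripts, and it sits in the exported variable list in the same unquoted, comma-separated form as the neighbouring `MAC_LOC_MSN` and `MAC_DBOX` defines. Since no later hunk touches the generated rule text, `loc:!$MAC_LIST` expands textually to exactly the inline `loc:!~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA`, so the two spellings of the rule compile to identical iptables rules; any difference in behaviour between them would have to come from somewhere other than the compiled script.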
@@ -1962,7 +1963,7 @@
cat >&3 << __EOF__
#
-# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:28:36 2012
+# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:42:50 2012
#
*raw
:PREROUTING ACCEPT [0:0]
@@ -2780,7 +2781,7 @@
$command <<__EOF__
#
-# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:28:36 2012
+# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:42:50 2012
#
*raw
:PREROUTING ACCEPT [0:0]
Other than the timestamps and the addition of the MAC_LIST define in the
export list, the two firewall scripts are identical.
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users