Hi Tom,

The insserv changes made to the shorewall-init-4.5.21/install.sh script
do not seem to work on Debian 7!

Installing Debian-specific configuration...
Installing Shorewall Init Version 4.5.21
SysV init script init.debian.sh installed in /etc/init.d/shorewall-init
Logrotate file installed as /etc/logrotate.d/shorewall-init
/sbin/insserv
insserv: enable: No such file or directory

WARNING: Unable to configure shorewall init to start automatically at boot
shorewall Init Version 4.5.21 Installed


But if I modify the line in /shorewall-4.5.21/install.sh

                if insserv enable; then

by

                if insserv ${CONFDIR}/init.d/$PRODUCT ; then

insserv does not complain!

Logrotate file installed as /etc/logrotate.d/shorewall-init
/sbin/insserv
Shorewall Init will start automatically at boot

Matt

On 3 Oct 2013 at 9:46, Tom Eastep wrote:

Date sent:      Thu, 03 Oct 2013 09:46:48 -0700
From:   Tom Eastep <[email protected]>
To:     Shorewall Announcements <[email protected]>, 
        Shorewall Users <[email protected]>
Subject:        [Shorewall-users] Shorewall 4.5.21
Send reply to:  Shorewall Users <[email protected]>
        

> The Shorewall team is pleased to announce the availability of
> Shorewall 4.5.21.
> 
> ----------------------------------------------------------------------------
>   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
> ----------------------------------------------------------------------------
> 
> 1)  ip[6]tables 1.4.20 introduced an incompatible change that causes
>     the program to fail if there is another instance of either
>     iptables or ip6tables already running. This behavior can be
>     avoided if the new -w option is specified.
> 
>     To work around this problem, the compiler now uses the -w option
>     (when available) during capabilities determination so that
>     shorewall and shorewall6 compilations can proceed in parallel.
> 
> 2)  Previously, the Shorewall-init installer unconditionally installed
>     the sysconfig file even when a different SYSCONFFILE was
>     specified. (Thomas D).
> 
> 3)  /sbin/shorewall-init now includes the correct SYSCONFDIR name in
>     its error message that reports the absence of
>     ${SYSCONFDIR}/shorewall-init. (Thomas D).
> 
> 4)  /sbin/shorewall-init and the Shorewall-init SysV init scripts now
>     honor the setting of $OPTIONS.
> 
> 5)  The -lite installers now look in ${SHAREDIR} for the coreversion
>     file rather than in /usr/share/.
> 
> 6)  If a Shorewall-lite installation used an /etc/shorewall-lite/vardir
>     file to set a non-standard state directory, the administrative
>     system would send the firewall and firewall.conf files to the
>     wrong directory on the firewall system.
> 
> 7)  Previously, the compiler verified 'monthdays' specifications in
>     the rules TIME column, but failed to include --monthdays in the
>     generated rule. That omission has been corrected.
> 
> 8)  The installers now use 'insserv' on Debian systems to update the
>     SysV init symlinks. Previously, update-rc.d was used but that
>     approach fails on Debian 7.
> 
> 9)  The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
>     non-priv port range (1024-65535) for the dynamic unicast
>     port. Previously, only the Linux 2.6+ dynamic port range
>     (32768-65535) was allowed.
> 
> ----------------------------------------------------------------------------
>            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
> ----------------------------------------------------------------------------
> 
> 1)  On systems running Upstart, shorewall-init cannot reliably secure
>     the firewall before interfaces are brought up.
> 
> ----------------------------------------------------------------------------
>       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
> ----------------------------------------------------------------------------
> 
> 1)  When a REJECT target is specified, Shorewall normally handles the
>     packet as follows:
> 
>     - If the destination address is a broadcast or multicast address,
>       the packet is dropped.
> 
>     - If the protocol is IGMP (1), then the packet is dropped.
> 
>     - If the protocol is TCP (6) then the packet is rejected with an
>       RST.
> 
>     - If the protocol is UDP (17) then the packet is rejected with
>       a 'port-unreachable' ICMP (ICMP6).
> 
>     - If the protocol is ICMP (ICMP6), then the packet is rejected
>       with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
> 
>     - Otherwise, the packet is rejected with a 'host-prohibited'
>       (adm-prohibited) ICMP (ICMP6).
> 
>     Beginning with this release, this behavior may be modified using
>     the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
> 
>     REJECT_ACTION=<action>
> 
>     where <action> is the name of an action that implements your
>     alternative handling. The 'nolog' and 'inline' options are
>     automatically assumed for the named <action>.
> 
>     The following action implements the standard behavior described
>     above:
> 
>     ?format 2
>     #TARGET           SOURCE  DEST    PROTO
>     Broadcast(DROP)   -       -       -
>     DROP              -       -       2
>     INLINE            -       -       6       ; -j REJECT --reject-with tcp-reset
>     ?if __ENHANCED_REJECT
>     INLINE            -       -       17      ; -j REJECT
>     ?if __IPV4
>     INLINE            -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
>     INLINE            -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
>     ?else
>     INLINE            -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
>     INLINE            -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
>     ?endif
>     ?else
>     INLINE            -       -       -       ; -j REJECT
>     ?endif
> 
> 2)  In earlier versions, default log levels in shorewall.conf
>     (shorewall6.conf) were not validated, making it difficult to
>     determine what setting was causing the following error message:
> 
>        ERROR: Log level INFO requires LOG Target support in your
>               kernel and iptables
> 
>     This change will make log level errors from shorewall.conf and
>     shorewall6.conf easier to isolate by including the option name.
> 
>     Example:
> 
>        ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
>               Target support in your kernel and iptables
> 
> 3)  The 'shorewall dump' command now uses 'ss' rather than 'netstat'
>     to produce socket-related information. By Martin Gignac.
> 
> 4)  Thomas D has provided installer support for Gentoo. Thank you
>     Thomas!
> 
> 5)  The generated firewall script inserts a host route for each
>     provider gateway into both the main routing table and into the
>     provider's routing table. This is necessary on older kernels to
>     avoid failure of default route insertion into the tables.
> 
>     It has been discovered, however, that these host routes prevent
>     Zebra from being able to add routes on some distributions, most
>     notably Debian 7.0. To work around this issue, two new provider
>     options are now available:
> 
>         hostroute   This is the default and causes the host routes
>              described above to be inserted.
> 
>         nohostroute Prevents the host routes from being inserted.
> 
> 6)  It was previously not possible for Perl code in an action file to
>     change the rule comment as is done using the ?COMMENT directive
>     outside of Perl.
> 
>     To allow actions to manipulate the current comment, two functions
>     are made available:
> 
>     push_comment() Clears the current rule comment and returns
>                    that comment to the caller.
> 
>     set_comment($) Sets the current rule comment to the passed
>                    string.
> 
>     Typical usage would be:
> 
>         ?BEGIN PERL
>         use Shorewall::Config;
>         ...
>         my $oldcomment = push_comment(); #Save and clear current
>                                          #rule comment
>         ...
>         set_comment('This is a comment');
>         add_ijump(....);                 #This rule will have comment
>                                          # /* This is a comment */
>         set_comment('');                 #Clear current rule comment
>         add_ijump(....);                 #This rule has no comment
>         ...
>         set_comment($oldcomment);        #Restore caller's comment
>                                          #if any.
>         ?END PERL
> 
> 7)  The compiler version used to create the current firewall script is
>     now displayed in the output of the 'status' and 'version -a'
>     commands.
> 
> Thank you for using Shorewall,
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> 
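
A post-install check for the failure reported at the top of this message, where the installer only prints a warning when insserv fails. This is an added example, not part of the original message or of Shorewall's installer. It assumes the standard SysV layout (start links named S<NN><name> in /etc/rc<level>.d); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Shorewall code): confirm that an init script really has
# SysV start links after an installer has run insserv.

# start_runlevels ROOT SERVICE
# Prints the runlevels (for example "S" or "2 3") whose ROOT/rc<level>.d
# directory holds a start link S<NN>SERVICE that resolves to an existing
# file. Returns 1 when there is none.
start_runlevels() {
    root=$1 service=$2 found=""
    for link in "$root"/rc[0-9S].d/S[0-9][0-9]"$service"; do
        # -e follows the symlink, so dangling links and the unexpanded
        # glob pattern (no match at all) are both skipped.
        [ -e "$link" ] || continue
        dir=${link%/*}        # .../rc2.d
        level=${dir##*/rc}    # 2.d
        level=${level%.d}     # 2
        found="${found:+$found }$level"
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# check_boot_start ROOT SERVICE
# Turns the installer's soft warning into a hard failure: non-zero exit
# status when the service would not be started at boot.
check_boot_start() {
    if levels=$(start_runlevels "$1" "$2"); then
        echo "$2 starts in runlevel(s): $levels"
    else
        echo "ERROR: $2 has no start links under $1; it will not run at boot" >&2
        return 1
    fi
}

# On a live system: check_boot_start /etc shorewall-init
```

Stop (K<NN>) links are ignored on purpose: a service with only stop links is still not started at boot.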


