On 01/03/2018 03:16 AM, Matt Darfeuille wrote:
> On 12/17/2017 6:47 PM, Matt Darfeuille wrote:
>> On 12/17/2017 6:01 PM, Tom Eastep wrote:
>>> On 12/16/2017 10:50 AM, Matt Darfeuille wrote:
>>>> Hi,
>>>>
>>>> If I set in /etc/shorewall/params:
>>>>
>>>> NET_IF=enp2s0
>>>>
>>>> and in /etc/shorewall/stoppedrules:
>>>>
>>>> ACCEPT net $FW:&$NET_IF tcp 22
>>>>
>>>> I get the following error while stopping Shorewall:
>>>>
>>>> $ shorewall debug stop
>>>> Stopping Shorewall....
>>>> Preparing iptables-restore input...
>>>> Running debug_restore_input...
>>>> Bad argument `6'
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
>>>> 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
>>>> Terminated
>>>>
>>>> The address for the --destination option is missing.
>>>
>>> The real problem here is that the compiler should flag 'net' as invalid.
>>> Zone names (other than $FW) aren't allowed in the stoppedrules file.
>>> Or is 'net' actually the name of an interface?
>>>
>>> In my test case:
>>>
>>> Checking /home/teastep/test/stoppedrules...
>>> ERROR: Unknown Interface (net) /home/teastep/test/stoppedrules (line 17)
>>> teastep@debianvm:~/test$
>>>
>>
>> What I meant was:
>>
>> ACCEPT $NET_IF $FW:&$NET_IF tcp 22
>>
>> I mixed up the syntax with the rules file, sorry!!! :)
>>
>
> Hi Tom,
>
> My understanding is that it is allowed to specify in the firewall zone
> an interface name in the stoppedrules file.
>
> E.G.:
>
> ACCEPT enp2s0 $FW:&enp2s0 tcp 22
>
> If yes, '$FW:&enp2s0' needs to also be specified in the rules file:
>
> ACCEPT net $FW:&enp2s0 tcp 22
>
> If I do 'shorewall start/reload' followed by stop, it works as expected,
> but if I do:
>
> $ shorewall debug clear
> Clearing Shorewall....
> Preparing iptables-restore input...
> Running debug_restore_input...
> Bad argument `6'
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
> 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
> Terminated
>
> In other words: are there some restrictions on using '$FW:&intname' in the
> dest column of the stoppedrules file?
>
It's actually a problem with the implementation of the 'clear' command. Patch attached.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
diff --git a/Shorewall/Perl/lib.runtime b/Shorewall/Perl/lib.runtime index 4b294e673..b84d39f2d 100644 --- a/Shorewall/Perl/lib.runtime +++ b/Shorewall/Perl/lib.runtime @@ -1056,6 +1056,7 @@ delete_proxyarp() { # Remove all Shorewall-added rules # clear_firewall() { + detect_configuration stop_firewall setpolicy INPUT ACCEPT @@ -1366,6 +1367,7 @@ delete_proxyndp() { # Remove all Shorewall-added rules # clear_firewall() { + detect_configuration stop_firewall setpolicy INPUT ACCEPT
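Review bot: the added `detect_configuration` call in both hunks (the clear_firewall() at line 1056 and the second, identically named copy at line 1366 of lib.runtime) carries no comment explaining why it has to run before stop_firewall, and the reason is not obvious from the function's own header ("Remove all Shorewall-added rules"). The report in this thread shows the clear path emitting `-d` with an empty address for a stoppedrules entry written as `$FW:&$NET_IF`, while the same entry works on stop, so the added call is what populates the `&interface` address variables that stoppedrules depend on; a one-line comment such as `detect_configuration # resolve &interface addresses used by stoppedrules` would make that dependency clear to the next reader. Since the two clear_firewall() bodies visible here are line-for-line identical, it is also worth checking that any future change to one is mirrored in the other, or that the shared part is factored out, so the two code paths cannot drift apart again.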
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users