Re: [Shorewall-users] configuration files

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

David Mohr wrote:
> On 10/26/06, Vieri Di Paola <vie...@ya...> wrote:
>> I was wondering if there could be a slight change to
>> the Shorewall configuration files.
>>
>> It's a Gentoo-specific issue but some other
>> distributions might find some interest in this.
>>
>> Basically, whenever a Gentoo user updates his/her
>> shorewall from portage via
>>
>> # emerge shorewall
>>
>> the ebuild asks the user to update the config files in
>> /etc/shorewall and proposes going through diffs.
>> The problem is that most of the time the user just has
>> to update the header (i.e. documentation) of each
>> config file. The user entries (e.g. shorewall rules)
>> are usually left untouched unless there's a new column
>> in the new version, etc.
>=20
> I don't really see the point of updating the headers of the files, but
> not the content. AFAIK shorewall is usually able to run with 'older'
> config files by assuming reasonable defaults. What you are proposing
> would be very confusing, because the rules that follow the header
> might not match the documentation in the header anymore. If you update
> one, you should also update the other, and the rules can't be updated
> automatically, so it's better to do this by hand alltogether.
>=20
>> So maybe if the Shorewall config files could
>> source/include other "custom" config files then the
>> upgrade process would be a lot easier.
>> For example, default shorewall installation puts the
>> rules file in /etc/shorewall. If the default rules
>> file could contain a statement such as ".
>> rules_custom" or "include rules_custom" the only real
>> "diff" that the user would have to worry about is
>> uncommenting this line in the new version.
>>
>> Of course one could define a different config file
>> path in shorewall.conf and point to something like
>> /etc/shorewall_custom.
>> But by upgrading for example from 3.0 to 3.2 the user
>> would have to deal with more than just file content.
>> One would have to move over new files such as
>> route_rules, etc.
>> In other words the Gentoo emerge procedure would be to
>> my understanding a lot simpler if the default
>> configuration files could include custom files.
>> I believe FreePBX/Asterisk does something of the sort
>> (e.g. sip.conf can include sip_custom.conf).
>=20
> Debian I believe does not do automatic updates of shorewall
> configuration files, for the reason mentioned above.

Debian only populates /etc/shorewall with shorewall.conf and Makefile.
shorewall.conf has been an ongoing headache because people blindly update=
 it
with the new options and their values then wonder why their Shorewall
configuration suddenly stopped working.

I've given up trying to change Shorewall's default behavior over time by
changing shorewall.conf -- from now on, any additions that I make to that=
 file
will set all new options to preserve the existing behavior rather than to=

produce the new more desirable behavior. In 3.4, I will start including a=

modified shorewall.conf in the sample configuration so that new users wil=
l get
the new behavior while existing users will stop shooting themselves in th=
e foot
each time that they upgrade.

-Tom
--=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key