jwall-developers Mailing List for jwall
Status: Alpha
Brought to you by: zacklink
From: govindaraj <raj...@re...> - 2005-02-18 08:54:43

Hello Friends,
Recently I downloaded JWall and find it difficult to work with it. Can anyone help me in working with JWall. Documentation is more welcomed. What are the Kernel and iptables versions it supports and also sshd. Urgent. pls do reply immediately.

Thanking You,
govindaraj.

Don't walk behind me, I may not lead. Don't walk in front of me, I may not follow. Just walk beside me and be my friend.
govindaraj

From: govindaraj <raj...@re...> - 2005-02-17 09:36:46

Hello Friends,
Recently I downloaded and worked with jwall and when I rebooted the system it says there is a problem in the ethernet card. What are the kernel versions it supports? Is there any documentation for working with jwall? I need to boot the Red Hat 11 machine. pls do help me?

Thanking You,
Govindaraj.

Don't walk behind me, I may not lead. Don't walk in front of me, I may not follow. Just walk beside me and be my friend.
govindaraj

From: zack <za...@th...> - 2004-02-01 01:00:32

Jorg,

Thanks for asking. I redid the file structure in CVS which caused a lot of problems as far as paths and such goes. I thought it would at least compile, so try deleting your current local copy and doing a full checkout from cvs and see if that helps. As far as fixing any issues that might exist, I have been having some serious personal issues that haven't allowed me to work on jwall for weeks. So, it is still active, but I might not be doing any more work on it for the next few weeks. Hopefully then I can get any issues sorted out.

Until next time,
Zack

Jörg Schütter wrote:
> Hello Zack
>
> Can you please inform me of the status of the jwall project? Is it still
> active?
> Since a few weeks there is no update in the cvs repository and compiling
> the source code results in 100 compiling errors.
>
> Jörg

From: zack <za...@th...> - 2004-01-17 01:31:41

OK everyone, the CVS dir structure has finally changed. Hopefully it is pretty apparent where everything is, as it has not changed much. Also, hopefully everything is there, as it has taken me a few days to re-add all the different parts. If you see anything missing, please tell me. Otherwise, re-checkout and continue on. This change should have made it a little easier for different IDEs, so hopefully I accomplished that.

Later,
Zack

From: Zachary L. <za...@th...> - 2004-01-06 17:23:50

There are new image files, so a cvs update won't do. Try a checkout, and that should give you everything.

Zack

<quote who="Dirk Dittert">
> Hi folks,
>
> a Happy New Year to everybody out there!
>
> I just tried to start working on jwall again and had some problems with
> icon loading (mainly NullPointerExceptions). Is there anything special
> that I need to know about that code? I have an img subfolder in the
> directory, where I keep the compiled classes but that didn't help...
>
> Dirk Dittert
> --
> Use a Single Editor Well
> The editor should be an extension of your hand; make sure your editor
> is configurable, extensible and programmable.
> The Pragmatic Programmer

From: Dirk D. <di...@de...> - 2004-01-06 15:31:27

On 06.01.2004 at 16:24 Dirk Dittert wrote:

Please do NOT reply to "di...@te..."! This is not a valid
e-mail address from me! I need to investigate how this e-mail-address
ended up in my e-mail to the list. I just checked all my settings and
they are definitely correct. Please use "di...@de..." or the
list address for replies!

Thank you!

Dirk Dittert
--
Think! About Your Work
Turn off the autopilot and take control. Constantly critique and
appraise your work.
The Pragmatic Programmer

From: Dirk D. <di...@de...> - 2004-01-06 15:25:05

Hi folks,

a Happy New Year to everybody out there!

I just tried to start working on jwall again and had some problems with
icon loading (mainly NullPointerExceptions). Is there anything special
that I need to know about that code? I have an img subfolder in the
directory, where I keep the compiled classes but that didn't help...

Dirk Dittert
--
Use a Single Editor Well
The editor should be an extension of your hand; make sure your editor
is configurable, extensible and programmable.
The Pragmatic Programmer

From: Zachary L. <za...@th...> - 2003-12-02 15:31:40

My mistake, I think that is fixed now, but you will still probably have to delete your bad settings.xml. But you should only have to do that once. There are some window size problems still, but that should be corrected soon.

Zack

<quote who="Jörg Schütter">
> Hello List
>
> On Sun, 30 Nov 2003 14:12:16 -0800
> "SourceForge.net" <no...@so...> wrote:
>
>> Bugs item #830438, was opened at 2003-10-26 06:41
> [...]
>>
>> Comment By: Zack Link (zacklink)
>> Date: 2003-10-27 17:20
>>
>> Message:
>> Logged In: YES
>> user_id=140148
>>
>> In a quick try, I could not duplicate the error.
>>
>> I tried this by inserting a new rule with fw and network as
>> src, and any as the dest, and any for service.
>>
>> It correctly made an INPUT rule for the fw, and an INPUT and
>> FORWARD rule for the network.
>>
>> So how did you do it when you saw this error?
>
> I can't start jwall due to the following errors:
>
> Exception in thread "main" org.jwall.prefs.PreferenceException:
> org.xml.sax.SAXParseException: Document root element is missing.
>     at org.jwall.prefs.XMLFilePreferenceManager.loadPreferences(Unknown Source)
>     at org.jwall.gui.JWallMain.<init>(Unknown Source)
>     at org.jwall.Launcher.showSplash(Unknown Source)
>     at org.jwall.Launcher.main(Unknown Source)
> Caused by: org.xml.sax.SAXParseException: Document root element is missing.
>     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3182)
>     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3170)
>     at org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:501)
>     at org.apache.crimson.parser.Parser2.parse(Parser2.java:305)
>     at org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:442)
>     at org.apache.crimson.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:185)
>     at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:151)
>     ... 4 more
>
> Jörg
>
> --
> Jörg Schütter http://www.lug-untermain.de/
> jo...@sc... http://www.schuetter.org/joerg/
> ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: Zachary L. <za...@th...> - 2003-12-02 15:09:03

Yes, there is a lot of stuff in flux right now. Delete <home>/.jwall/settings.xml. That will allow you to start jwall, although you'll need to do it every time you start if your settings.xml isn't saving correctly. This should be fixed in the next day or 2.

Thanks,
Zack

<quote who="Jörg Schütter">
> Hello List
>
> On Sun, 30 Nov 2003 14:12:16 -0800
> "SourceForge.net" <no...@so...> wrote:
>
>> Bugs item #830438, was opened at 2003-10-26 06:41
> [...]
>>
>> Comment By: Zack Link (zacklink)
>> Date: 2003-10-27 17:20
>>
>> Message:
>> Logged In: YES
>> user_id=140148
>>
>> In a quick try, I could not duplicate the error.
>>
>> I tried this by inserting a new rule with fw and network as
>> src, and any as the dest, and any for service.
>>
>> It correctly made an INPUT rule for the fw, and an INPUT and
>> FORWARD rule for the network.
>>
>> So how did you do it when you saw this error?
>
> I can't start jwall due to the following errors:
>
> Exception in thread "main" org.jwall.prefs.PreferenceException:
> org.xml.sax.SAXParseException: Document root element is missing.
>     at org.jwall.prefs.XMLFilePreferenceManager.loadPreferences(Unknown Source)
>     at org.jwall.gui.JWallMain.<init>(Unknown Source)
>     at org.jwall.Launcher.showSplash(Unknown Source)
>     at org.jwall.Launcher.main(Unknown Source)
> Caused by: org.xml.sax.SAXParseException: Document root element is missing.
>     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3182)
>     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3170)
>     at org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:501)
>     at org.apache.crimson.parser.Parser2.parse(Parser2.java:305)
>     at org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:442)
>     at org.apache.crimson.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:185)
>     at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:151)
>     ... 4 more
>
> Jörg
>
> --
> Jörg Schütter http://www.lug-untermain.de/
> jo...@sc... http://www.schuetter.org/joerg/
> ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: <jw...@sc...> - 2003-12-02 10:03:10

Hello List

On Sun, 30 Nov 2003 14:12:16 -0800
"SourceForge.net" <no...@so...> wrote:

> Bugs item #830438, was opened at 2003-10-26 06:41
[...]
>
> Comment By: Zack Link (zacklink)
> Date: 2003-10-27 17:20
>
> Message:
> Logged In: YES
> user_id=140148
>
> In a quick try, I could not duplicate the error.
>
> I tried this by inserting a new rule with fw and network as
> src, and any as the dest, and any for service.
>
> It correctly made an INPUT rule for the fw, and an INPUT and
> FORWARD rule for the network.
>
> So how did you do it when you saw this error?

I can't start jwall due to the following errors:

Exception in thread "main" org.jwall.prefs.PreferenceException: org.xml.sax.SAXParseException: Document root element is missing.
    at org.jwall.prefs.XMLFilePreferenceManager.loadPreferences(Unknown Source)
    at org.jwall.gui.JWallMain.<init>(Unknown Source)
    at org.jwall.Launcher.showSplash(Unknown Source)
    at org.jwall.Launcher.main(Unknown Source)
Caused by: org.xml.sax.SAXParseException: Document root element is missing.
    at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3182)
    at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3170)
    at org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:501)
    at org.apache.crimson.parser.Parser2.parse(Parser2.java:305)
    at org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:442)
    at org.apache.crimson.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:185)
    at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:151)
    ... 4 more

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/
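The "Document root element is missing" error in this thread is what an XML parser reports for an empty (or truncated) settings.xml, and the workaround discussed is to delete the file by hand. The following is an added example, not jwall's own code and not the org.jwall.prefs implementation: it shows the two defensive halves a preferences store needs so that this failure cannot block start-up, a loader that falls back to defaults when the file is absent, empty or not well-formed, and an atomic save (temp file, fsync, rename) so an interrupted write never leaves an empty file behind. The `<settings>`/`<pref>` element names and the `DEFAULTS` values are this example's assumptions.

```python
# Added example, not jwall's own code: make settings.xml handling survive the
# failure reported in this thread. "Document root element is missing" is what
# the XML parser says about an empty (or truncated) file, so loading falls
# back to defaults when the file is absent, empty or not well-formed, and
# saving writes a temporary file and renames it into place so an interrupted
# save never leaves an empty settings.xml behind. The <settings>/<pref>
# element names and the DEFAULTS are this example's assumptions, not jwall's
# actual preference format.
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

DEFAULTS: Dict[str, str] = {"window.width": "800", "window.height": "600"}


def parse_settings(data: bytes) -> Dict[str, str]:
    """Merge <pref key=".." value=".."/> entries over DEFAULTS. Empty or
    unparseable input (the SAXParseException case) yields the defaults."""
    settings = dict(DEFAULTS)
    if not data.strip():
        return settings
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return settings
    for pref in root.findall("pref"):
        key, value = pref.get("key"), pref.get("value")
        if key is not None and value is not None:
            settings[key] = value
    return settings


def load_settings(path: str) -> Dict[str, str]:
    """Load settings from `path`; a missing file also yields the defaults."""
    try:
        with open(path, "rb") as fh:
            return parse_settings(fh.read())
    except OSError:
        return dict(DEFAULTS)


def save_settings(path: str, settings: Dict[str, str]) -> None:
    """Atomic save: temp file in the same directory, flush + fsync, rename."""
    root = ET.Element("settings")
    for key in sorted(settings):
        ET.SubElement(root, "pref", key=key, value=settings[key])
    payload = ET.tostring(root, encoding="utf-8")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".settings-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never empty
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def roundtrip_demo() -> Tuple[Dict[str, str], Dict[str, str], int]:
    """Constructed scenario: start from an empty settings.xml (the failing
    case), load, save new values atomically, load again. Returns the
    settings seen before and after the save and the number of temp files
    left behind (expected 0)."""
    directory = tempfile.mkdtemp(prefix="jwall-demo-")
    try:
        path = os.path.join(directory, "settings.xml")
        open(path, "wb").close()  # constructed empty file, as in the bug report
        before = load_settings(path)
        save_settings(path, {"window.width": "1024", "theme": "dark"})
        after = load_settings(path)
        leftovers = sum(1 for n in os.listdir(directory) if n.startswith(".settings-"))
    finally:
        shutil.rmtree(directory, ignore_errors=True)
    return before, after, leftovers


if __name__ == "__main__":
    print(roundtrip_demo())
```

The rename is the important part: a save that is interrupted after truncating the old file is exactly how an empty settings.xml comes to exist, and writing to a sibling temp file first means the real file is only ever replaced whole.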

From: Zachary L. <za...@th...> - 2003-11-26 02:15:59

There were some discussions about logging not too long ago, but I don't think we ever settled anything. So how it stands now, we are using java logging everywhere. But, Christian started writing a logger that would support encrypted files. If I remember correctly, Christian, you had the basics done, and encryption was the next step. Is that correct? Do we have any opinions one way or the other if this is a good way to go? If not, then I suggest we all migrate logging over to Christian's logger, or let's bring up all the pros and cons and decide on a direction.

Thanks,
Zack

From: <jw...@sc...> - 2003-11-22 21:13:34

Hello zack,

On Fri, 21 Nov 2003 18:30:26 -0500
zack <za...@th...> wrote:

> I think I have this NAT issue fixed, but I haven't had a chance to test
> it yet. But, I ran into a problem. I was looking to do all port NATing
> in the PRE chains, but as far as I could tell from the man page on
> iptables, I cannot switch ports without switching IP,

you can do it.

iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 --proto tcp \
    --destination-port 80 -j DNAT --to-dest :8080

> so SNATs will do
> port forwarding in the POST table, DNATs will do port forwarding in the
> PRE table, and if it is a double NAT, the port forwarding should happen
> in the PRE table (whereas before it mistakenly tried to port forward in
> both PRE and POST).

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: <jw...@sc...> - 2003-11-22 21:10:58

Hello zack,

On Tue, 18 Nov 2003 00:59:43 -0500
zack <za...@th...> wrote:

> So, I am thinking this through a bit, and I wanted to pass it by you
> before I go ahead and code it...
>
> So here are some example rules with port address translation, with what
> goes into the PRE and POST chains after
>
> Src Dest Serv <-Xlated-> Src Dest Serv
> ---------------------------------------------------
>
> SNAT:
> A B 80 <-Xlated-> A2 B 443
>
> PRE:
> match A -> B -> 80 --> NAT: 80 to 443
> POST:
> match A -> B -> 443 --> NAT: A to A2

looks good.

> ---------------------------------------------------
>
> DNAT:
> A B 80 <-XLated-> A B2 443
>
> PRE:
> match A -> B -> 80 --> NAT: B to B2, 80 to 443

also looks good.

> ----------------------------------------------------
>
> SNAT and DNAT:
> A B 80 <-XLated-> A2 B2 443
>
> PRE:
> match A -> B -> 80 --> NAT: B to B2, 80 to 443
> POST:
> match A -> B2 -> 443 --> NAT: A to A2

looks good.

> ----------------------------------------------------
>
> So, for a sanity check, does this make sense to you? Any suggestions?

In the actual coding regarding nat there is an error. The POSTROUTING has a destination address "172.16.0.2:23" instead of destination "172.16.0.2" and destination port "23".

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: zack <za...@th...> - 2003-11-16 18:36:04

> Thanks, that helps a lot. Now I just need to find an explanation of
> the meaning of each parameter somewhere. Zack said that rp_filter
> should be handled on a per interface basis. I got two questions about
> that:
> - how does this handle alias-interfaces? Is there a
> /conf/eth0.0/rp_filter file (I am curious about the directory)

Actually, I meant to say that it should be handled separately from the other ip tweaks, not that it should be per interface. But now that you mention it... In general I think that you would set it for all interfaces, but there might be certain situations where you might need to turn it off on a couple of interfaces, so having that flexibility would certainly be good. And as far as sub-interfaces go, I will have to check that out, as I don't know off the top of my head.

> - Is there a list of valid parameters? I couldn't find one without
> getting too much into searching.

0 - Off
1 - Locally Connected Nets Only
2 - Full/On

From: Dirk D. <di...@de...> - 2003-11-16 11:25:12

On 16.11.2003 at 12:08 Jörg Schütter wrote:

> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> /bin/echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> /bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> /bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> /bin/echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> /bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> /bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> /bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> /bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> /bin/echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> /bin/echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> /bin/echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> /bin/echo 0 > /proc/sys/net/ipv4/tcp_sack

Thanks, that helps a lot. Now I just need to find an explanation of the meaning of each parameter somewhere. Zack said that rp_filter should be handled on a per interface basis. I got two questions about that:
- how does this handle alias-interfaces? Is there a /conf/eth0.0/rp_filter file (I am curious about the directory)
- Is there a list of valid parameters? I couldn't find one without getting too much into searching.

Can anyone on Linux send me a copy of:
"In the meantime you may want to have a look at the Linux-Kernel sources; read the file Documentation/filesystems/proc.txt. Most of the features are explained there."
I guess that'll help quite a lot...

Dirk

From: <jw...@sc...> - 2003-11-16 11:09:26

Hello Dirk,

On Sun, 16 Nov 2003 02:25:30 +0100
Dirk Dittert <di...@de...> wrote:

> Hi Zack,
>
> I am currently working on ManagedFirewall and I got some problems. I
> need default values for the ip stack settings in the dialog. I found
> the following constants:
>
> public final static int IP_FORWARD = 0;
> public final static int RP_FILTER = 1;
> public final static int ICMP_ECHO_IGNORE_BROADCASTS = 2;
> public final static int ACCEPT_SOURCE_ROUTES = 3;
> public final static int TCP_TIMESTAMPS = 4;
> public final static int TCP_SYNCOOKIES = 5;
> public final static int ACCEPT_REDIRECTS = 6;
> public final static int ICMP_IGNORE_BOGUS_ERROR_RESPONSES = 7;
> public final static int LOG_MARTIANS = 8;
> public final static int TCP_FIN_TIMEOUT = 9;
> public final static int TCP_KEEPALIV_TIME = 10;
> public final static int TCP_WINDOW_SCALING = 11;
> public final static int TCP_SACK = 12;
>
>
> And I guess these are the defaults:
>
> public String[] netParamsData = {
>     "1",
>     "2",
>     "1",
>     "0",
>     "0",
>     "1",
>     "0",
>     "1",
>     "1",
>     "30",
>     "2400",
>     "0",
>     "0"
> };
>
> Do you know where to get the following data for each entry:
> - name
> - description
> - defaultValue (I guess I already got that one)
> - path (/proc/...)
Here are the values from the generated script, hth.
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo 0 > /proc/sys/net/ipv4/tcp_timestamps
/bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
/bin/echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
/bin/echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
/bin/echo 0 > /proc/sys/net/ipv4/tcp_sack
> - setValue (does JWall want to set this value by default
>
> You said that there is one entry that might need to be removed. Which
> one?
>
> Dirk
>

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/
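The script lines above give the thirteen ipv4 settings jwall writes and their intended values, and Zack's reply further up in the thread gives the meaning of the three rp_filter values. An auditor wants the reverse operation: read what a host actually has set and report every deviation from the intended hardening. The following is an added example, not jwall's own code; the expected values are taken verbatim from the script, and the `root` parameter (so a copied /proc tree can be checked offline) and the `<missing>` marker are this example's own conventions.

```python
# Added example, not jwall's own code: compare the ipv4 hardening values from
# the generated script (quoted in this thread) against what a host actually
# has set, reading /proc when available or a supplied mapping otherwise, and
# report the deviations.
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Expected values, exactly as in the script lines posted in this thread.
EXPECTED: Dict[str, str] = {
    "/proc/sys/net/ipv4/ip_forward": "1",
    "/proc/sys/net/ipv4/conf/all/rp_filter": "2",
    "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts": "1",
    "/proc/sys/net/ipv4/conf/all/accept_source_route": "0",
    "/proc/sys/net/ipv4/tcp_timestamps": "0",
    "/proc/sys/net/ipv4/tcp_syncookies": "1",
    "/proc/sys/net/ipv4/conf/all/accept_redirects": "0",
    "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses": "1",
    "/proc/sys/net/ipv4/conf/all/log_martians": "1",
    "/proc/sys/net/ipv4/tcp_fin_timeout": "30",
    "/proc/sys/net/ipv4/tcp_keepalive_time": "2400",
    "/proc/sys/net/ipv4/tcp_window_scaling": "0",
    "/proc/sys/net/ipv4/tcp_sack": "0",
}

# Meaning of the rp_filter values, as Zack listed them in the thread.
RP_FILTER_VALUES: Dict[str, str] = {
    "0": "Off",
    "1": "Locally Connected Nets Only",
    "2": "Full/On",
}

MISSING = "<missing>"  # this example's marker for an unreadable entry


def read_proc(paths: Iterable[str], root: str = "/") -> Dict[str, Optional[str]]:
    """Read each /proc path (relative to `root`, so a copied tree can be
    audited offline). Unreadable entries are returned as None."""
    values: Dict[str, Optional[str]] = {}
    for path in paths:
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, "r", encoding="ascii") as fh:
                values[path] = fh.read()
        except OSError:
            values[path] = None
    return values


def audit(actual: Dict[str, Optional[str]],
          expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (path, expected, actual) for every entry that deviates, in the
    order of `expected`. /proc values carry a trailing newline, so the
    comparison is made on stripped text."""
    findings: List[Tuple[str, str, str]] = []
    for path, want in expected.items():
        raw = actual.get(path)
        have = MISSING if raw is None else raw.strip()
        if have != want:
            findings.append((path, want, have))
    return findings


def describe_rp_filter(value: Optional[str]) -> str:
    """Human-readable meaning of an rp_filter value ("unknown" otherwise)."""
    if value is None:
        return "unknown"
    return RP_FILTER_VALUES.get(value.strip(), "unknown")


if __name__ == "__main__":
    live = read_proc(EXPECTED)
    for path, want, have in audit(live):
        print(f"{path}: expected {want}, found {have}")
    print("rp_filter:", describe_rp_filter(live.get("/proc/sys/net/ipv4/conf/all/rp_filter")))
```

On Dirk's question about alias interfaces: /proc/sys/net/ipv4/conf/ holds one directory per network device plus `all` and `default`; an IP alias such as eth0:0 is a label on the same device, not a device of its own, so it has no separate rp_filter entry and inherits the setting of eth0.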

From: <jw...@sc...> - 2003-11-12 13:47:25

Hello Developers

On Tue, 11 Nov 2003 17:33:44 +0100
Jörg Schütter <jw...@sc...> wrote:

> Hy all
>
> I discovered a problem with the nat rules, but I'm not sure what the
> best solution for this problem is.
> Assume we have the following situation (this situation is more academic
> than real):
> We have a NAT rule which says:
> Orig Source: A1 (10.0.0.1)
> Orig Dest: A2 (10.0.0.2)
> Orig Service: http
> Xlated Source: B1 (192.168.0.1)
> Xlated Dest: B2 (192.168.0.2)
> Xlated service: telnet
>
> The script lines generated by jwall are:
> /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> --destination-port 80 -j SNAT --to-source 172.16.0.1:23
> /sbin/iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> --destination-port 80 -j DNAT --to-dest 172.16.0.2:23
>
> The destination port must only be modified once. Which is the best place
> for doing this? I think this depends on the access rule which controls
> this traffic.
> What do you think would be the source, the destination and the service
> of such a rule?

I should reread my mails before sending them to the world. Since the filter table is checked after the PREROUTING and before the POSTROUTING chain we only have options 3 and 4.

>
> Source Destination Service
> [3] 10.0.0.1 192.168.0.2 80
> [4] 10.0.0.1 192.168.0.2 23

What do you think would be the choice of a user when selecting the service to permit.

Instead of building the nat rules based on ip parameters, we could also build these rules on MARK flags. In the mangle table of the PREROUTING chain we could mark these packets (the mark value is a 16 bit integer). I think we can also use this mark value in the filter chain, but I don't have any idea how to make this feature transparent to the user in the gui.

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: <jw...@sc...> - 2003-11-12 08:29:45

Hello zack,

On Tue, 11 Nov 2003 22:28:12 -0500
zack <za...@th...> wrote:

> I don't understand. I am probably missing something you are saying, but
> it hasn't hit me yet. But I've had a couple beers, so it might be
> obvious to everyone but me... :-)
>
> If for some reason you are doing a double NAT (BOTH src and dest),
> theoretical of course, but I have had to do that in production before,
> then I don't see the problem with the dport being modified twice. If
> either the SNAT or the DNAT modify it, or both, the dport is still 80.

After modifying the destination port in the PREROUTING chain, the POSTROUTING chain will never match since it looks for the unchanged destination port.

> My point is that if I change x = 80, then I change x = 80, it is still 80.
>
> Perhaps this will add some overhead to iptables and the NAT state table.
> I could definitely see that happening, as it is one more thing to
> track. But I have yet to see a linux firewall cpu or memory bound.

This is very unlikely to happen. My firewall is a P133 with 64MB memory and the system is 90% idle.

>
> Jörg Schütter wrote:
>
> >Hy all
> >
> >I discovered a problem with the nat rules, but I'm not sure what the
> >best solution for this problem is.
> >Assume we have the following situation (this situation is more academic
> >than real):
> >We have a NAT rule which says:
> >Orig Source: A1 (10.0.0.1)
> >Orig Dest: A2 (10.0.0.2)
> >Orig Service: http
> >Xlated Source: B1 (192.168.0.1)
> >Xlated Dest: B2 (192.168.0.2)
> >Xlated service: telnet
> >
> >The script lines generated by jwall are:
> >/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> > --destination-port 80 -j SNAT --to-source 172.16.0.1:23
> >/sbin/iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> > --destination-port 80 -j DNAT --to-dest 172.16.0.2:23
> >
> >The destination port must only be modified once. Which is the best place
> >for doing this? I think this depends on the access rule which controls
> >this traffic.
> >What do you think would be the source, the destination and the service
> >of such a rule?
> >
> > Source Destination Service
> >[1] 10.0.0.1 10.0.0.2 80
> >[2] 10.0.0.1 10.0.0.2 23
> >[3] 10.0.0.1 192.168.0.2 80
> >[4] 10.0.0.1 192.168.0.2 23
> >[5] 192.168.0.1 10.0.0.2 80
> >[6] 192.168.0.1 10.0.0.2 23
> >[7] 192.168.0.1 192.168.0.2 80
> >[8] 192.168.0.1 192.168.0.2 23
> >
> >
> >Jörg
> >
>

Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/

From: <jw...@sc...> - 2003-11-11 16:33:53

Hy all
I discovered a problem with the nat rules, but I'm not sure what the
best solution for this problem is.
Assume we have the following situation (this situation is more academic
than real):
We have a NAT rule which says:
Orig Source: A1 (10.0.0.1)
Orig Dest: A2 (10.0.0.2)
Orig Service: http
Xlated Source: B1 (192.168.0.1)
Xlated Dest: B2 (192.168.0.2)
Xlated service: telnet
The script lines generated by jwall are:
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
--destination-port 80 -j SNAT --to-source 172.16.0.1:23
/sbin/iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
--destination-port 80 -j DNAT --to-dest 172.16.0.2:23
The destination port must only be modified once. Which is the best place
for doing this? I think this depends on the access rule which controls
this traffic.
What do you think would be the source, the destination and the service
of such a rule?
Source Destination Service
[1] 10.0.0.1 10.0.0.2 80
[2] 10.0.0.1 10.0.0.2 23
[3] 10.0.0.1 192.168.0.2 80
[4] 10.0.0.1 192.168.0.2 23
[5] 192.168.0.1 10.0.0.2 80
[6] 192.168.0.1 10.0.0.2 23
[7] 192.168.0.1 192.168.0.2 80
[8] 192.168.0.1 192.168.0.2 23
Jörg
--
Jörg Schütter http://www.lug-untermain.de/
jo...@sc... http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/
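This report, Zack's PRE/POST table (quoted in Jörg's reply of 2003-11-22), and Jörg's note that a port-only DNAT is legal all describe the same rule-generation problem: the port must be rewritten exactly once, in PREROUTING, and the POSTROUTING rule must match the packet as it looks after that rewrite, or it never fires (which is why the generated POSTROUTING line with "172.16.0.2:23" as a destination is wrong). The following is an added example, not jwall's own code, that generates the two iptables lines from one policy entry along those rules and also reports the (src, dst, port) triple the filter table sees, which is the "options 3 and 4" point. It uses `-p tcp` and `--destination-port`/`--to-destination` rather than the `-p 6` and `--to-dest` spellings in the posted script; the `NatRule` field names are this example's own.

```python
# Added example, not jwall's own code: generate the iptables NAT rules for one
# policy entry the way the PRE/POST layout in this thread describes it. The
# port is rewritten exactly once, in PREROUTING, and the POSTROUTING SNAT
# rule matches the packet as it looks *after* that rewrite, which is the
# defect reported here (a POSTROUTING match on the original port, and a
# "host:port" destination, can never fire).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One NAT policy line: original (src, dst, dport) and its translation."""
    src: str
    dst: str
    dport: int
    xsrc: Optional[str] = None    # translated source; None means no SNAT
    xdst: Optional[str] = None    # translated destination; None means keep dst
    xdport: Optional[int] = None  # translated port; None means keep dport


def _post_view(rule: NatRule) -> Tuple[str, int]:
    """Destination and port as seen after PREROUTING, i.e. by the filter
    table and by POSTROUTING."""
    dst = rule.xdst if rule.xdst is not None else rule.dst
    port = rule.xdport if rule.xdport is not None else rule.dport
    return dst, port


def generate(rule: NatRule, proto: str = "tcp") -> List[str]:
    """Return the iptables command lines for this rule, PREROUTING first."""
    lines: List[str] = []
    post_dst, post_port = _post_view(rule)

    # PREROUTING/DNAT rewrites destination address and/or port. A port-only
    # rewrite is written as "--to-destination :PORT" with the address omitted.
    if rule.xdst is not None or rule.xdport is not None:
        target = rule.xdst or ""
        if rule.xdport is not None:
            target += f":{rule.xdport}"
        lines.append(
            f"iptables -t nat -A PREROUTING -s {rule.src} -d {rule.dst} "
            f"-p {proto} --destination-port {rule.dport} "
            f"-j DNAT --to-destination {target}"
        )

    # POSTROUTING/SNAT rewrites only the source. It must match the already
    # translated destination and port, otherwise it never matches.
    if rule.xsrc is not None:
        lines.append(
            f"iptables -t nat -A POSTROUTING -s {rule.src} -d {post_dst} "
            f"-p {proto} --destination-port {post_port} "
            f"-j SNAT --to-source {rule.xsrc}"
        )
    return lines


def filter_match(rule: NatRule) -> Tuple[str, str, int]:
    """(src, dst, port) the access rule in the filter table has to match.
    The filter table runs after PREROUTING and before POSTROUTING, so it
    sees the translated destination/port but the original source."""
    post_dst, post_port = _post_view(rule)
    return rule.src, post_dst, post_port


if __name__ == "__main__":
    # Sample policy from the thread: A1 -> A2 http, translated to B1 -> B2 telnet.
    demo = NatRule("10.0.0.1", "10.0.0.2", 80,
                   xsrc="192.168.0.1", xdst="192.168.0.2", xdport=23)
    print("\n".join(generate(demo)))
    print("filter table must permit:", filter_match(demo))
```

For the double-NAT case in the thread this yields a PREROUTING line translating 10.0.0.2:80 to 192.168.0.2:23 and a POSTROUTING line that matches `-d 192.168.0.2 --destination-port 23` before rewriting the source, and `filter_match` returns (10.0.0.1, 192.168.0.2, 23), i.e. option [4] from the list above.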

From: zack <za...@th...> - 2003-11-05 21:42:18

Dirk and Christian, did you guys talk about logging some more? Just wanted to know the best way to go forward with that, whether to use what Christian was working on for all logging, or just for the secure logging (auditing), or if it is better to change the implementation? Thoughts?

Zack

From: Zachary L. <za...@th...> - 2003-11-05 15:50:20

Dirk made some good suggestions and so I am posting them to the list. Everyone, please do your best to follow these recommendations, as it will make it easier for all of us to work on this together...

PS - The CVS restructure won't be happening until the code settles down a bit. Hopefully in the next week or 2.

ZL

Hi folks,

as you might have noticed, there is a lot of code cleanup and reorganization in progress. And we need your help for that. Step one should take just a few minutes of your time.

Right now there are many //todo: comments spread all over the place. Some IDEs (IntelliJ, Eclipse) support the programmer and add them into a special view that makes them easily accessible. In IntelliJ it is also possible to define additional markers. I'd like to propose the usage of the following markers:

(1) // todo (username)
(2) // fixme (username)
(3) // lang (username)
(4) // res (username)

Please do append your username. It makes filtering for your own todos a lot easier. Other programmers also know that somebody wanted to work on that part of the code.

Explanation:
(1) stands for missing functionality. Example: You'd put a todo marker into an actionPerformed method because it does not handle all buttons
(2) stands for broken functionality. You use that marker if there is some code but you are not 100% sure whether it really works in all cases.
(3) the right way is to add an entry in the resource file whenever you use a string. But that's tedious work... But if you don't do it right away you'll forget about it. Please, do add at least this marker so that we can fix those problems from time to time. This needs to be done for every string that is visible on screen! Nothing looks worse than a translation that is only halfway complete! Don't forget things like "(unsaved)" that is added to the title bar if something was modified and so on. You can also add the name of the property after the marker. That makes it easier for the person doing the translation later on because he doesn't need to search through your code to find which names you use for your resources. Please note: Your functionality _must not_ depend on strings (e.g. check which button was pressed by checking for its name) as those change because of localization.
(4) resource loading will change! Please mark all places in your code where you need images! That'll make it easier to find broken code.

After marking all problems we'll then try to solve as many of them after the reorganization of the code.

Thank you for your cooperation! Feel free to ask Zack or myself if there are any questions.

From: zack <za...@th...> - 2003-11-04 23:16:27

There is a new lib being used with the latest code: Forms-1.0.2.jar. Dirk is using it to give us some new gui and layout options that should speed development, and improve the look. Make sure you get it out of CVS (it's in the jwall module), and update your classpath, or IDE settings etc. Also, the ant build file hasn't been updated yet, so the ant built jar's won't work. I will correct that in a few minutes, so when you get up to date it will work.

Thanks,
Zack

From: zack <za...@th...> - 2003-11-04 03:24:36

This has been fixed.

Zack

Jörg Schütter wrote:
>Hello List
>
>On Wed, 29 Oct 2003 19:19:40 +0100
>Jörg Schütter <jw...@sc...> wrote:
>
>>Hello Zachary,
>>
>>On Tue, 28 Oct 2003 18:03:28 -0500 (EST)
>>"Zachary Link" <za...@th...> wrote:
>>
>>>>To prevent someone to send garbage as the first tcp packet, we
>>>>should add the match "--tcp-flags ALL SYN"
>>>>
>>>Isn't that the same as -state NEW ? So it looks like we can either
>>>add -state NEW OR add --tcp-flags ALL SYN to the rule, but both
>>>would be redundant. I will probably try to incorporate the -state
>>>NEW, just as it looks a little cleaner.
>>>
>>You are right. A tcp packet without a SYN flag can never be in state
>>NEW. Instead iptables discovers this packet as garbage and flags it
>>with INVALID. So there will be no need for this --tcp-flag.
>>
>
>Oops, a first tcp packet with the ACK set, but without any SYN can be in
>state NEW. Due to this, it would be safer to use "-syn" or "--tcp-flags
>ALL SYN" to tcp rules.
>
>Jörg

From: Zachary L. <za...@th...> - 2003-11-03 21:06:13

Guys,

There is going to be a major restructuring of CVS in the next couple of days (I hope), so if anyone has anything outstanding to commit, please do it soon. If not, it will just take a bit of work to fit it into the new structure. I'll send out another email when I open the ticket with sf.net, and another when it's done. If you have any questions, shoot me an email.

Thanks,
Zack

PS - This is the proposed structure (thanks Dirk)

root:
+-->src*
|   +-->org*
|       +-->jwall*
|           +-->image*    (images go in here, subdirectory as required)
|           +-->property* (all resources go in here)
|           ...
+-->tests*
|   +-->org*
|       +-->jwall*
|           ...
+-->lib*
|   +-->file1.jar*
|   +-->file2.jar*
|   ...
+-->docs* (documentation for project, checked into cvs)
+-->support*
|   +-->build.xml*
|   +-->jWall.jnlp* (in case of a webstart application)
|   ...
+-->web (html files for web site)

From: Christian M. <C.M...@gm...> - 2003-11-02 19:44:17

Hi all,

I'm changing the logging facilities of jwall to implement a "secure log" (maybe crypted) for policy changes and action monitoring. I have now implemented a new class for logging (org.jwall.util.Log) but my changes will be made in several steps:

Steps:
1. implement a new class responsible for logging. this step makes all future changes easier, because all changes can be made in one class
2. change all existing usages of Logger to org.jwall.util.Log
3. add Log.policy() to all places where policy changes are made
4. implement gui part to audit the log
5. implement security mechanisms to ensure consistency of the log file

And the current status:
Step one is done. The Log class already has some log methods for the different levels but I'm sure some are missing. If you need something let me know. The levels are named like the java.util.logging Levels. In the implementation you have only to call the static methods like Log.severe(String message), Log.fine(String message) etc. There is also a method to log policy changes: Log.policy(String message)

The message written to the logfile has additional information about the invoking class, method and the source line, e.g.:
[org.jwall.util.SettingsParser.saveSettings() line -64] Saving file to /home/chr/.jwall.conf

My petition to you all: use the new class for logging in your future implementation and if you see a policy modification without logging, add a Log.policy(String message); line to it. I have already changed all classes in package "util" to use the new Log class, the others will follow now.

cu
Christian

P.S. I'm looking for a new job because the company I'm working for will maybe be closed in the next months. So if you know interesting vacancies for a software developer or a unix administrator in germany or europe, please send a message to me. thx
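Step 5 above, "security mechanisms to ensure consistency of the log file", is the part that turns a policy log into an audit trail: a reviewer must be able to tell whether records were altered or removed after the fact. The following is an added example, not jwall's own code and not what org.jwall.util.Log implements: it keeps the entry format shown above ("[class.method() line -N] message") and chains every record to its predecessor with an HMAC over the previous record's tag and the new entry, so that editing, reordering or dropping an earlier record breaks the chain at that index. The key handling, the `GENESIS` anchor and the `org.jwall.gui.RuleEditor` class name used in the demo are this example's assumptions.

```python
# Added example, not jwall's own code: a tamper-evident variant of the
# policy log described in this message. It keeps the entry format shown
# ("[class.method() line -N] message") and chains each record to the
# previous one with an HMAC, so modification or removal of an earlier
# record is detected when the file is audited. The key handling and the
# chaining scheme are this example's assumptions, not what jwall's
# org.jwall.util.Log implements.
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^\[(?P<cls>[\w.$]+)\.(?P<method>\w+)\(\) line -(?P<line>\d+)\] (?P<msg>.*)$"
)
GENESIS = "0" * 64  # chain anchor for the first record (assumption)


def format_entry(cls: str, method: str, line: int, message: str) -> str:
    """Render one entry in the format the message above shows."""
    return f"[{cls}.{method}() line -{line}] {message}"


def parse_entry(text: str) -> Optional[Dict[str, str]]:
    """Split an entry back into its parts; None if it is not in the format."""
    m = ENTRY_RE.match(text)
    return m.groupdict() if m else None


def _mac(key: bytes, prev: str, entry: str) -> str:
    """Tag = HMAC-SHA256(key, previous tag || newline || entry)."""
    return hmac.new(key, f"{prev}\n{entry}".encode("utf-8"), hashlib.sha256).hexdigest()


class PolicyLog:
    """Append-only policy log whose records are (entry, tag) pairs."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._prev = GENESIS
        self.records: List[Tuple[str, str]] = []

    def policy(self, cls: str, method: str, line: int, message: str) -> str:
        entry = format_entry(cls, method, line, message)
        tag = _mac(self._key, self._prev, entry)
        self.records.append((entry, tag))
        self._prev = tag
        return entry

    def head(self) -> str:
        """Tag of the latest record; keep it outside the log file so that
        truncation at the tail can be detected too."""
        return self._prev


def verify(records: List[Tuple[str, str]], key: bytes,
           expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first record that breaks the chain,
    len(records) if the chain is intact but its head differs from
    `expected_head`, or None if everything checks out."""
    prev = GENESIS
    for index, (entry, tag) in enumerate(records):
        if not hmac.compare_digest(_mac(key, prev, entry), tag):
            return index
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(records)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key must not be readable by the GUI user
    log = PolicyLog(key)
    log.policy("org.jwall.util.SettingsParser", "saveSettings", 64,
               "Saving file to /home/chr/.jwall.conf")
    log.policy("org.jwall.gui.RuleEditor", "insertRule", 120, "Rule 7 added")  # hypothetical class
    print("intact:", verify(log.records, key, log.head()))
```

Two properties are worth noting. Removing a record from the middle is caught because the following record's tag was computed over the removed record's tag, not over its predecessor's; removing records from the end is only caught when the latest tag is stored somewhere the log writer cannot reach, which is what `head()` is for. Neither property holds if the key is available to whoever can edit the file, so the key has to live with the auditing side rather than in the same configuration directory as the log.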