From: Steve H. <he...@th...> - 2005-08-30 00:29:54
Have any other configuration files been identified for cleanup or elimination?

Steve Herber    he...@th...    work: 206-221-7262
Security Engineer, UW Medicine, IT Services    home: 425-454-2399

On Sat, 27 Aug 2005, Tom Eastep wrote:

> Because of the amount of change and the breadth of the change in the
> current 2.5 development branch, we have decided that when the code is
> released as a stable release, it will be called Shorewall 3.0.0.
>
> One of the changes in 3.0.0 is as follows (from the release notes):
>
> 9) In previous versions of Shorewall, the rules generated by entries in
>    /etc/shorewall/tunnels preceded those rules generated by entries in
>    /etc/shorewall/rules. Beginning with this release, the rules
>    generated by entries in the tunnels file will appear *AFTER* the
>    rules generated by the rules file. This may cause you problems if
>    you have REJECT, DENY or CONTINUE rules in your rules file that
>    would cause the tunnel transport packets to not reach the rules that
>    ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
>    information on the rules generated by entries in the tunnels file.
>
> As I'm sure that many of you are aware, I have been dissatisfied for
> some time with the notion of the tunnels file. I believe that it
> prevents users from understanding the basics of VPN handling in
> Netfilter and makes it harder for users to troubleshoot VPN problems. I
> wrote the article referred to in the above note to try to illustrate
> that there is nothing magic about the tunnels file and that it is
> perfectly possible to define VPN connections using the rules file alone.
>
> Given that we're calling the new release "Shorewall 3", it seems like a
> good time to retire the tunnels file altogether. I can create a
> "shorewall convert" command (or some such) that will read the tunnels
> file and create a macro called "macro.tunnels" (for example). Existing
> users with entries in the tunnels file can then simply add one line to
> the front of their rules file to obtain the same behavior as in prior
> releases:
>
> #ACTION SOURCE DEST ...
> tunnels
>
> My concern, as always, is that people upgrade blindly between releases
> then come whining to the mailing list or IRC channel when "it doesn't work".
>
> Example:
>
>     I just upgraded from Shorewall 1.0.4-RC2 to Shorewall 3.2.4 and
>     now nothing works. Can someone help me?
>
> Of course, usually the poster is clueless about what version they were
> running before the upgrade which makes it even more difficult.
>
> One idea I've had to try to slap them in the face ahead of time is to
> create a file named 0READ_THIS_BEFORE_UPGRADING_TO_THIS_RELEASE in the
> download directory (including at Sourceforge). I suspect that maybe one
> in 10 might bother to read it.
>
> I welcome your input on this issue.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,      \ http://shorewall.net
> Washington USA  \ te...@sh...
> PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
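The ordering pitfall in release note item 9, as an added illustration that is not part of the thread or of Shorewall's own files: an /etc/shorewall/rules fragment that admits one IPsec peer's transport traffic using the rules file alone, as Tom's VPNBasics article advocates. The zone name net, the peer address 192.0.2.10 and the catch-all REJECT are assumed for the example.

```conf
#
# /etc/shorewall/rules (illustrative fragment; assumed zone "net", assumed
# IPsec peer 192.0.2.10)
#
# BROKEN under 3.0.0: a catch-all before the tunnel rules swallows IKE, ESP
# and AH from the peer, because rules generated from the tunnels file now
# land AFTER everything in this file instead of before it.
#
#ACTION  SOURCE          DEST            PROTO  DEST PORT(S)
#REJECT  net             $FW             all
#
# CORRECT: accept the tunnel transport protocols explicitly, ahead of any
# REJECT, DENY or CONTINUE rule that could match them first.
#
#ACTION  SOURCE          DEST            PROTO  DEST PORT(S)
# IKE (ISAKMP) in both directions
ACCEPT   net:192.0.2.10  $FW             udp    500
ACCEPT   $FW             net:192.0.2.10  udp    500
# ESP (protocol 50) and AH (protocol 51) in both directions
ACCEPT   net:192.0.2.10  $FW             50
ACCEPT   $FW             net:192.0.2.10  50
ACCEPT   net:192.0.2.10  $FW             51
ACCEPT   $FW             net:192.0.2.10  51
#
# Only now is a broad rule safe; tunnel packets were already accepted above.
REJECT   net             $FW             all
```

Under the migration Tom proposes, the converted "tunnels" macro line would take the place of the explicit ACCEPT rules and must likewise sit before any broad REJECT, DENY or CONTINUE line.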