fwbuilder is unable to compile imported SuSEfirewall2 rules


fwbuilder is unable to compile imported SuSEfirewall2 rules

by jimmi


Hi,

tried to switch from SuSEfirewall2 to fwbuilder 3.0.6.
I am getting a lot of "shadowing" errors.

first error:

Error: Rule '7 (global)' shadows rule '8 (global)' below it

resulting from these imported rules:

-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP

added as:
rules 7 and 8 are nearly identical
7) Action: Continue, logging and options, and limit is 3/seconds (instead of 3/min)
8) Action: Deny, no logging, no options

others:
-A forward_ext -d 192.168.101.2 -p tcp -m limit --limit 3/min -m tcp --dport 8080 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 192.168.101.2 -p tcp -m tcp --dport 8080 -j ACCEPT

And how to implement such code generated by SuSEfirewall2:
-A forward_ext -s 192.168.101.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.101.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT

Kind Regards
Chris

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Fwbuilder-discussion mailing list
Fwbuilder-discussion@...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

Re: fwbuilder is unable to compile imported SuSEfirewall2 rules

by Vadim Kurland



this is to be expected. Rules will almost never compile cleanly after
import because of entirely different design of the rules in the
original script. You need to edit the policy by merging rules, getting
rid of rules that do nothing but log and so on.

Automatic import is meant to be an aid, a helper that creates address,
networks and service objects and skeleton of rules. You have to edit
the rules after it because it is almost impossible to automatically
convert iptables rules generated by some other script or by hand into
high level fwbuilder rules.


On Aug 22, 2009, at 3:17 PM, Christian wrote:

> Hi,
>
> tried to switch from SuSEfirewall2 to fwbuilder 3.0.6.
> I am getting a lot of "shadowing" errors.
>
> first error:
>
> Error: Rule '7 (global)' shadows rule '8 (global)' below it
>
> resulting from this imported rules:
>
> -A FORWARD -m limit --limit 3/min -j LOG --log-prefix
> "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
> -A FORWARD -j DROP
>
> added as:
> rule 7 and 8 are nearly identical
> 7) Action:Continue, logging and options, and limit is 3/seconds  
> (instead
> of 3/min)
> 8) Action: Deny, no logging, no options
>

you need to merge these rules manually


> others:
> -A forward_ext -d 192.168.101.2 -p tcp -m limit --limit 3/min -m tcp
> --dport 8080 -m state --state NEW -j LOG --log-prefix
> "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
> -A forward_ext -d 192.168.101.2 -p tcp -m tcp --dport 8080 -j ACCEPT
>
> And how to implement such code generated by SuSEfirewall2:
> -A forward_ext -s 192.168.101.0/255.255.255.0 -d
> 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state  
> NEW -m
> policy --dir in --pol ipsec --proto esp -j LOG --log-prefix
> "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
> -A forward_ext -s 192.168.101.0/255.255.255.0 -d
> 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m
> policy --dir in --pol ipsec --proto esp -j ACCEPT



these rules use module policy. You can implement this using Custom
Service object in fwbuilder. See examples in the Users Guide.



Vadim Kurland
vadim@...
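The manual clean-up Vadim describes has two parts: spotting rule pairs where a rate-limited LOG rule is immediately followed by the terminating rule for the same traffic (these become one fwbuilder rule with logging switched on), and spotting genuine shadowing, where an earlier terminating rule already covers everything a later rule matches. The script below is an added example, not part of the thread and not fwbuilder code: it parses the six SuSEfirewall2 rules quoted above (re-joined onto single lines, since mail wrapping broke them) with a deliberately small iptables option parser and reports merge candidates and shadowed rules. It assumes that `-m limit` and the LOG options only shape logging rather than matching, and that comma-separated `--state` values compare as sets; both are assumptions made for this example.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample: the SuSEfirewall2 rules quoted in the thread, one rule per line.
SAMPLE_RULES = [
    '-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " '
    '--log-tcp-options --log-ip-options',
    '-A FORWARD -j DROP',
    '-A forward_ext -d 192.168.101.2 -p tcp -m limit --limit 3/min -m tcp --dport 8080 '
    '-m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " '
    '--log-tcp-options --log-ip-options',
    '-A forward_ext -d 192.168.101.2 -p tcp -m tcp --dport 8080 -j ACCEPT',
    '-A forward_ext -s 192.168.101.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 '
    '-m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec '
    '--proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options',
    '-A forward_ext -s 192.168.101.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 '
    '-m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT',
]

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Assumption: these options throttle or decorate log lines; they do not select packets.
LOG_OPTS = {"--limit", "--limit-burst", "--log-prefix", "--log-level",
            "--log-tcp-options", "--log-ip-options"}
NO_ARG_OPTS = {"--log-tcp-options", "--log-ip-options"}


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    match: dict = field(default_factory=dict)    # option -> value that a packet must satisfy
    logging: dict = field(default_factory=dict)  # LOG / limit options


def parse_rule(line):
    """Parse one 'iptables -A ...' rule (subset of the syntax used in the thread)."""
    toks = shlex.split(line)  # keeps the trailing space inside quoted --log-prefix values
    rule, i = Rule(), 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule.chain = toks[i + 1]; i += 2
        elif t == "-j":
            rule.target = toks[i + 1]; i += 2
        elif t == "-m":
            i += 2  # module load; the options that follow carry the actual conditions
        elif t in NO_ARG_OPTS:
            rule.logging[t] = True; i += 1
        elif t in LOG_OPTS:
            rule.logging[t] = toks[i + 1]; i += 2
        elif t.startswith("-"):
            rule.match[t] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unexpected token {t!r} in {line!r}")
    return rule


def _vals(v):
    return set(v.split(","))  # "NEW,RELATED,ESTABLISHED" -> set semantics


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    for k, bv in broad.match.items():
        nv = narrow.match.get(k)
        if nv is None or not _vals(nv) <= _vals(bv):
            return False
    return True


def narrowing(narrow, broad):
    """Conditions `narrow` imposes that `broad` does not (what a merged rule would lose)."""
    return {k: v for k, v in narrow.match.items()
            if k not in broad.match or _vals(v) != _vals(broad.match[k])}


def analyze(lines):
    """Return (merge_candidates, shadowed_pairs) for a list of iptables rules."""
    rules = [parse_rule(l) for l in lines]
    merges, shadowed = [], []
    for idx, r in enumerate(rules):
        # Shadowing: an earlier terminating rule in the same chain that covers this
        # rule's match makes this rule unreachable.
        for j in range(idx):
            e = rules[j]
            if e.chain == r.chain and e.target in TERMINATING and covers(e, r):
                shadowed.append((j, idx))
                break
        # Merge candidate: LOG rule followed by a terminating rule that covers it.
        # In fwbuilder terms: one rule with the terminating action and logging enabled.
        if idx + 1 < len(rules):
            n = rules[idx + 1]
            if r.target == "LOG" and n.target in TERMINATING and r.chain == n.chain and covers(n, r):
                merges.append({"log": idx, "action": idx + 1, "target": n.target,
                               "limit": r.logging.get("--limit"),
                               "narrowing": narrowing(r, n)})
    return merges, shadowed


if __name__ == "__main__":
    merges, shadowed = analyze(SAMPLE_RULES)
    for m in merges:
        print(f"merge rules {m['log']}+{m['action']}: {m['target']} with logging, "
              f"limit {m['limit']}, log-only conditions {m['narrowing']}")
    for e, r in shadowed:
        print(f"rule {r} is shadowed by rule {e}")
```

Run on the thread's rules, the script finds no shadowed rule but three merge candidates; for the second and third pairs it reports `--state NEW` as a condition only the LOG rule imposes, which is exactly the decision the importer cannot make for you (log only new connections, or log whatever the merged rule accepts within the limit).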

Re: fwbuilder is unable to compile imported SuSEfirewall2 rules

by jimmi


Hi Vadim,

Vadim Kurland wrote:
>
> this is to be expected. Rules will almost never compile cleanly after
> import because of entirely different design of the rules in the
> original script. You need to edit the policy by merging rules, getting
> rid of rules that do nothing by log and so on.
OK, you're thinking about merging them together?
>
> Automatic import is meant to be an aid, a helper that creates address,
> networks and service objects and skeleton of rules. You have to edit
> the rules after it because it is almost impossible to automatically
> convert iptables rules generated by some other script or by hand into
> high level fwbuilder rules.
Ahh, I understand.

>
>
> On Aug 22, 2009, at 3:17 PM, Christian wrote:
>
>> Hi,
>>
>> tried to switch from SuSEfirewall2 to fwbuilder 3.0.6.
>> I am getting a lot of "shadowing" errors.
>>
>> first error:
>>
>> Error: Rule '7 (global)' shadows rule '8 (global)' below it
>>
>> resulting from this imported rules:
>>
>> -A FORWARD -m limit --limit 3/min -j LOG --log-prefix
>> "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
>> -A FORWARD -j DROP
>>
>> added as:
>> rule 7 and 8 are nearly identical
>> 7) Action:Continue, logging and options, and limit is 3/seconds (instead
>> of 3/min)
>> 8) Action: Deny, no logging, no options
>>
>
> you need to merge these rules manually
OK, merging as mentioned above.

>
>
>> others:
>> -A forward_ext -d 192.168.101.2 -p tcp -m limit --limit 3/min -m tcp
>> --dport 8080 -m state --state NEW -j LOG --log-prefix
>> "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
>> -A forward_ext -d 192.168.101.2 -p tcp -m tcp --dport 8080 -j ACCEPT
>>
>> And how to implement such code generated by SuSEfirewall2:
>> -A forward_ext -s 192.168.101.0/255.255.255.0 -d
>> 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m
>> policy --dir in --pol ipsec --proto esp -j LOG --log-prefix
>> "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
>> -A forward_ext -s 192.168.101.0/255.255.255.0 -d
>> 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m
>> policy --dir in --pol ipsec --proto esp -j ACCEPT
>
>
>
> these rules use module policy. You can implement this using Custom
> Service object in fwbuilder. See examples in the Users Guide.
thanks, will have a look at it.

Chris
