Oh, that makes sense to me... except since it WAS valid syntax, it means that when it STOPPED being valid syntax, I need a little more warning than "oh, all your port forwards no longer exist, have a nice day!". I read debchanges, so at least a warning to sysadmins that the syntax that used to be valid is no longer valid makes sense to me.
Luckily, there will at least be this thread to guide other sysadmins. I had to use bash -x to trace through things and discover the 'fix' for my perfectly 'valid' syntax not working.

Julia Longtin

On Mon, Feb 6, 2012 at 6:17 AM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:
> Hello Julia,
>
> Ah you mean that the first WITH the "~" in front of the 8888 used to be a valid syntax? If so, this was never intended and it certainly doesn't serve any purpose. The fix is simple, as you already know, get rid of it ;-), unless I'm missing something here.
>
> cheers,
>
> Arno
>
> On 03-Feb-12 17:25, Julia Longtin wrote:
>> I mean that going from "NAT_FORWARD_TCP=~8888>10.100.0.117~80" causes the problem. You have the fix correct.
>>
>> It's possibly my syntax is wrong.. but it used to work this way.
>>
>> Julia Longtin
>>
>> On Fri, Feb 3, 2012 at 2:56 PM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> You mean that "NAT_FORWARD_TCP="8888>10.100.0.117~80" causes the problem and "NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80" fixes that? I tried reproducing it, but I can't get it to fail. Could you provide a snippet of the error?
>>
>> thanks.
>>
>> Arno
>>
>> On 03-Feb-12 15:37, Julia Longtin wrote:
>>
>> Package: arno-iptables-firewall
>> Version: 2.0.1-1
>> Severity: important
>>
>> Dear Maintainer,
>> After performing an upgrade, I have found that the format of the rules expected in firewall.conf has changed. Instead of accepting a blank source IP, it now requires a source IP, or parse_rules fails, and gives a WARNING: rule will be ignored..
>>
>> See the '0/0' that has been added to my NAT_FORWARD_TCP rules.
>>
>> Julia Longtin
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers unstable
>> APT policy: (500, 'unstable'), (500, 'stable')
>> Architecture: i386 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> ANSI_X3.4-1968)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages arno-iptables-firewall depends on:
>> ii debconf [debconf-2.0] 1.5.41
>> ii gawk 1:3.1.8+dfsg-0.1
>> ii iproute 20120105-1
>> ii iptables 1.4.12.2-1
>>
>> Versions of packages arno-iptables-firewall recommends:
>> ii dnsutils 1:9.8.1.dfsg.P1-2
>> ii lynx 2.8.8dev.9-3
>> ii rsyslog 5.8.6-1
>>
>> arno-iptables-firewall suggests no packages.
>>
>> -- Configuration Files:
>> /etc/arno-iptables-firewall/firewall.conf changed:
>> EXT_IF="$DC_EXT_IF"
>> EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
>> EXTERNAL_DHCP_SERVER=0
>> EXTERNAL_DHCPV6_SERVER=0
>> INT_IF="$DC_INT_IF"
>> INTERNAL_NET="$DC_INTERNAL_NET"
>> INTERNAL_NET_ANTISPOOF=1
>> DMZ_IF=""
>> DMZ_NET=""
>> DMZ_NET_ANTISPOOF=1
>> NAT=$DC_NAT
>> NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
>> NAT_LOCAL_REDIRECT=1
>> NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80 \
>> 0/0~8889>10.100.0.88~80 \
>> 0/0~8890>10.100.0.40~80 \
>> 0/0~8891>10.100.0.58~80 \
>> 0/0~8892>10.100.0.100~80 \
>> 0/0~8893>10.100.0.20~80 \
>> 0/0~2280>10.100.0.44~22 \
>> 0/0~2281>10.100.0.75~22 \
>> 0/0~8333>10.100.0.95~8333 "
>> NAT_FORWARD_UDP=""
>> NAT_FORWARD_IP=""
>> INET_FORWARD_TCP=""
>> INET_FORWARD_UDP=""
>> INET_FORWARD_IP=""
>> IP4TABLES="/sbin/iptables"
>> IP6TABLES="/sbin/ip6tables"
>> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
>> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
>> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
>> DMESG_PANIC_ONLY=1
>> MANGLE_TOS=1
>> SET_MSS=1
>> TTL_INC=0
>> USE_IRC=0
>> LOOSE_FORWARD=0
>> FORWARD_LINK_LOCAL=0
>> IPV6_DROP_RH_ZERO=1
>> RESERVED_NET_DROP=0
>> DRDOS_PROTECT=0
>> IPV6_SUPPORT=0
>> NMB_BROADCAST_FIX=0
>> COMPILED_IN_KERNEL_MESSAGES=1
>> DEFAULT_POLICY_DROP=1
>> TRUSTED_IF=""
>> IF_TRUSTS=""
>> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
>> LOCAL_CONFIG_FILE=""
>> DISABLE_IPTABLES_BATCH=0
>> TRACE=0
>> BLOCKED_HOST_LOG=1
>> SCAN_LOG=1
>> POSSIBLE_SCAN_LOG=1
>> BAD_FLAGS_LOG=1
>> INVALID_TCP_LOG=0
>> INVALID_UDP_LOG=0
>> INVALID_ICMP_LOG=0
>> RESERVED_NET_LOG=0
>> FRAG_LOG=1
>> INET_OUTPUT_DENY_LOG=1
>> LAN_OUTPUT_DENY_LOG=1
>> LAN_INPUT_DENY_LOG=1
>> DMZ_OUTPUT_DENY_LOG=1
>> DMZ_INPUT_DENY_LOG=1
>> FORWARD_DROP_LOG=1
>> LINK_LOCAL_DROP_LOG=1
>> ICMP_REQUEST_LOG=1
>> ICMP_OTHER_LOG=1
>> PRIV_TCP_LOG=1
>> PRIV_UDP_LOG=1
>> UNPRIV_TCP_LOG=1
>> UNPRIV_UDP_LOG=1
>> IGMP_LOG=1
>> OTHER_IP_LOG=1
>> ICMP_FLOOD_LOG=1
>> FIREWALL_LOG="/var/log/arno-iptables-firewall"
>> LOGLEVEL="info"
>> LOG_HOST_INPUT_TCP=""
>> LOG_HOST_INPUT_UDP=""
>> LOG_HOST_INPUT_IP=""
>> LOG_HOST_OUTPUT_TCP=""
>> LOG_HOST_OUTPUT_UDP=""
>> LOG_HOST_OUTPUT_IP=""
>> LOG_INPUT_TCP=""
>> LOG_INPUT_UDP=""
>> LOG_INPUT_IP=""
>> LOG_OUTPUT_TCP=""
>> LOG_OUTPUT_UDP=""
>> LOG_OUTPUT_IP=""
>> LOG_HOST_INPUT=""
>> LOG_HOST_OUTPUT=""
>> SYN_PROT=1
>> REDUCE_DOS_ABILITY=1
>> ECHO_IGNORE=0
>> LOG_MARTIANS=1
>> IP_FORWARDING=1
>> IPV6_AUTO_CONFIGURATION=1
>> ICMP_REDIRECT=0
>> CONNTRACK=16384
>> ECN=1
>> RP_FILTER=1
>> SOURCE_ROUTE_PROTECTION=1
>> LOCAL_PORT_RANGE="32768 61000"
>> DEFAULT_TTL=64
>> NO_PMTU_DISCOVERY=0
>> LAN_OPEN_ICMP=1
>> LAN_OPEN_TCP="21 22 80"
>> LAN_OPEN_UDP="53 67 69"
>> LAN_OPEN_IP=""
>> LAN_DENY_TCP=""
>> LAN_DENY_UDP=""
>> LAN_DENY_IP=""
>> LAN_HOST_OPEN_TCP=""
>> LAN_HOST_OPEN_UDP=""
>> LAN_HOST_OPEN_IP=""
>> LAN_HOST_DENY_TCP=""
>> LAN_HOST_DENY_UDP=""
>> LAN_HOST_DENY_IP=""
>> LAN_INET_OPEN_ICMP=1
>> LAN_INET_OPEN_TCP=""
>> LAN_INET_OPEN_UDP=""
>> LAN_INET_OPEN_IP=""
>> LAN_INET_DENY_TCP=""
>> LAN_INET_DENY_UDP=""
>> LAN_INET_DENY_IP=""
>> LAN_INET_HOST_OPEN_TCP=""
>> LAN_INET_HOST_OPEN_UDP=""
>> LAN_INET_HOST_OPEN_IP=""
>> LAN_INET_HOST_DENY_TCP=""
>> LAN_INET_HOST_DENY_UDP=""
>> LAN_INET_HOST_DENY_IP=""
>> DMZ_OPEN_ICMP=1
>> DMZ_OPEN_TCP=""
>> DMZ_OPEN_UDP=""
>> DMZ_OPEN_IP=""
>> DMZ_HOST_OPEN_TCP=""
>> DMZ_HOST_OPEN_UDP=""
>> DMZ_HOST_OPEN_IP=""
>> INET_DMZ_OPEN_ICMP=0
>> INET_DMZ_OPEN_TCP=""
>> INET_DMZ_OPEN_UDP=""
>> INET_DMZ_OPEN_IP=""
>> INET_DMZ_DENY_TCP=""
>> INET_DMZ_DENY_UDP=""
>> INET_DMZ_DENY_IP=""
>> INET_DMZ_HOST_OPEN_TCP=""
>> INET_DMZ_HOST_OPEN_UDP=""
>> INET_DMZ_HOST_OPEN_IP=""
>> INET_DMZ_HOST_DENY_TCP=""
>> INET_DMZ_HOST_DENY_UDP=""
>> INET_DMZ_HOST_DENY_IP=""
>> DMZ_INET_OPEN_ICMP=1
>> DMZ_INET_OPEN_TCP=""
>> DMZ_INET_OPEN_UDP=""
>> DMZ_INET_OPEN_IP=""
>> DMZ_INET_DENY_TCP=""
>> DMZ_INET_DENY_UDP=""
>> DMZ_INET_DENY_IP=""
>> DMZ_INET_HOST_OPEN_TCP=""
>> DMZ_INET_HOST_OPEN_UDP=""
>> DMZ_INET_HOST_OPEN_IP=""
>> DMZ_INET_HOST_DENY_TCP=""
>> DMZ_INET_HOST_DENY_UDP=""
>> DMZ_INET_HOST_DENY_IP=""
>> DMZ_LAN_OPEN_ICMP=0
>> DMZ_LAN_HOST_OPEN_TCP=""
>> DMZ_LAN_HOST_OPEN_UDP=""
>> DMZ_LAN_HOST_OPEN_IP=""
>> FULL_ACCESS_HOSTS=""
>> BROADCAST_TCP_NOLOG=""
>> HOST_OPEN_TCP=""
>> HOST_OPEN_UDP=""
>> HOST_OPEN_IP=""
>> HOST_OPEN_ICMP=""
>> HOST_DENY_TCP=""
>> HOST_DENY_UDP=""
>> HOST_DENY_IP=""
>> HOST_DENY_ICMP=""
>> HOST_DENY_TCP_NOLOG=""
>> HOST_DENY_UDP_NOLOG=""
>> HOST_DENY_IP_NOLOG=""
>> HOST_DENY_ICMP_NOLOG=""
>> HOST_REJECT_TCP=""
>> HOST_REJECT_UDP=""
>> HOST_REJECT_TCP_NOLOG=""
>> HOST_REJECT_UDP_NOLOG=""
>> DENY_TCP_OUTPUT=""
>> DENY_UDP_OUTPUT=""
>> DENY_IP_OUTPUT=""
>> HOST_DENY_TCP_OUTPUT=""
>> HOST_DENY_UDP_OUTPUT=""
>> HOST_DENY_IP_OUTPUT=""
>> OPEN_ICMP=$DC_OPEN_ICMP
>> OPEN_ICMPV6=1
>> OPEN_TCP="$DC_OPEN_TCP"
>> OPEN_UDP="$DC_OPEN_UDP"
>> OPEN_IP=""
>> DENY_TCP=""
>> DENY_UDP=""
>> DENY_TCP_NOLOG=""
>> DENY_UDP_NOLOG=""
>> REJECT_TCP=""
>> REJECT_UDP=""
>> REJECT_TCP_NOLOG=""
>> REJECT_UDP_NOLOG=""
>> BLOCK_HOSTS=""
>> BLOCK_HOSTS_BIDIRECTIONAL=1
>>
>> -- debconf information:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
>> locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> * arno-iptables-firewall/config-int-nat-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/dynamic-ip: true
>> * arno-iptables-firewall/config-int-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/icmp-echo: true
>> * arno-iptables-firewall/services-udp: 53
>>   arno-iptables-firewall/title:
>> * arno-iptables-firewall/config-ext-if: eth0
>> * arno-iptables-firewall/services-tcp: 22 53 80
>> * arno-iptables-firewall/restart: true
>> * arno-iptables-firewall/config-int-if: eth1 br0
>> * arno-iptables-firewall/nat: true
>> * arno-iptables-firewall/debconf-wanted: true
>>
>> -- debsums errors found:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
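The syntax change this thread turns on (an explicit source such as `0/0` is now required in front of each NAT_FORWARD_TCP entry, and an entry without one is rejected by parse_rules and ignored) is the kind of thing worth checking before and after a firewall reload, since the failure mode is a port forward that quietly vanishes. The shell script below is an added example, not code from the bug thread or from arno-iptables-firewall itself: it lints a NAT_FORWARD_TCP value against the form the thread arrives at and prints the rewrite for each entry that would be dropped, then compares the expected forwards against a saved nat table so a lost forward shows up as a missing DNAT rule rather than as a mysteriously closed port. The accepted syntax (SRC~EXTPORT>DSTIP~DSTPORT), the config string and the iptables-save lines are assumptions and constructed data, not the project's own parser or chain layout.

```shell
#!/bin/sh
# Added example (not from the bug thread or from arno-iptables-firewall):
# a pre-flight lint for NAT_FORWARD_TCP entries and a post-reload check that
# the DNAT rules the entries describe actually exist in the nat table.
#
# Assumption taken from the thread: since 2.0.1 an entry must carry an
# explicit source, SRC~EXTPORT>DSTIP~DSTPORT, e.g. 0/0~8888>10.100.0.117~80.
# An entry with no source ("8888>10.100.0.117~80") or with a bare leading
# tilde ("~8888>10.100.0.117~80") is rejected by parse_rules and ignored.

# lint_nat_forward "<NAT_FORWARD_TCP value>"
# Prints "ok <entry>" or "bad <entry> -> <suggested rewrite>" per entry.
# Returns 1 if any entry would be ignored, 0 if all are accepted.
lint_nat_forward() {
    rc=0
    for entry in $1; do
        case "$entry" in
            *'>'*) ;;
            *) printf 'bad %s -> missing ">" separator\n' "$entry"; rc=1; continue ;;
        esac
        lhs="${entry%%>*}"   # SRC~EXTPORT part, everything before the '>'
        case "$lhs" in
            '~'*) printf 'bad %s -> 0/0%s\n' "$entry" "$entry"; rc=1 ;;   # empty source before '~'
            *~*)  printf 'ok %s\n' "$entry" ;;                            # explicit source present
            *)    printf 'bad %s -> 0/0~%s\n' "$entry" "$entry"; rc=1 ;;  # pre-2.0.1 bare-port form
        esac
    done
    return $rc
}

# check_dnat_present "<NAT_FORWARD_TCP value>" "<iptables-save output>"
# Looks for a DNAT rule matching each well-formed entry in the saved nat table.
# Prints "present <entry>" or "missing <entry>"; returns 1 if any is missing.
check_dnat_present() {
    rc=0
    for entry in $1; do
        case "$entry" in
            *~*'>'*~*) ;;   # only well-formed entries with a destination port
            *) continue ;;
        esac
        lhs="${entry%%>*}"; rhs="${entry#*>}"
        extport="${lhs#*~}"      # external port on the firewall
        dstip="${rhs%%~*}"       # internal host
        dstport="${rhs#*~}"      # port on the internal host
        # Trailing space after the port keeps "--dport 88" from matching 8888.
        if printf '%s\n' "$2" | grep -F -- "--dport $extport " |
           grep -qF -- "-j DNAT --to-destination $dstip:$dstport"; then
            printf 'present %s\n' "$entry"
        else
            printf 'missing %s\n' "$entry"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not a real dump): nat-table lines in the generic
# shape iptables-save emits. The chain layout arno's script really builds is
# not assumed; the check keys only on the DNAT rule text.
SAMPLE_CONF="0/0~8888>10.100.0.117~80 0/0~8889>10.100.0.88~80 0/0~2280>10.100.0.44~22"
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.100.0.117:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8889 -j DNAT --to-destination 10.100.0.88:80
COMMIT'

# On a live host the calls would be (hypothetical usage, run as root):
#   lint_nat_forward "$NAT_FORWARD_TCP"
#   check_dnat_present "$NAT_FORWARD_TCP" "$(iptables-save -t nat)"
# Demonstration with the constructed data, mixing in the two rejected forms:
lint_nat_forward "8888>10.100.0.117~80 ~8889>10.100.0.88~80 $SAMPLE_CONF" \
    || printf 'some NAT_FORWARD_TCP entries would be ignored\n'
check_dnat_present "$SAMPLE_CONF" "$SAMPLE_NAT_DUMP" \
    || printf 'some forwards are not in the nat table\n'
```

The lint deliberately treats the bare-tilde form (`~8888>...`) and the no-source form (`8888>...`) separately and prints a distinct rewrite for each, so that the output can be applied to firewall.conf mechanically; the second function is the check that would have turned "all your port forwards no longer exist" into a one-line report at reload time.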