No, I mean something in the changes file, so you know *before* you restart your firewall and the port forwards are dropped. An outage and a warning that does not tell one what to do to fix it is certainly an issue.
Julia Longtin

On Mon, Feb 6, 2012 at 12:28 PM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:
> Well it does do that:
>
> Restarting Arno's Iptables Firewall...
> ** WARNING: In Variable NAT_FORWARD_TCP, Rule: "~8888>10.100.0.117~80" is ignored.
> Feb 06 13:27:41 WARNING: Not all firewall rules are applied.
>
> a.
>
> On 06-Feb-12 12:54, Julia Longtin wrote:
>> Oh, that makes sense to me... except since it WAS valid syntax, it means
>> that when it STOPPED being valid syntax, I need a little more warning
>> than "oh, all your port forwards no longer exist, have a nice day!". I
>> read debchanges, so at least a warning to sysadmins that the syntax that
>> used to be valid is no longer valid makes sense to me.
>>
>> Luckily, there will at least be this thread to guide other sysadmins. I
>> had to use bash -x to trace through things and discover the 'fix' for my
>> perfectly 'valid' syntax not working.
>>
>> Julia Longtin
>>
>> On Mon, Feb 6, 2012 at 6:17 AM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> Hello Julia,
>>
>> Ah you mean that the first WITH the "~" in front of the 8888 used to
>> be a valid syntax? If so, this was never intended and it certainly
>> doesn't serve any purpose. The fix is simple, as you already know,
>> get rid of it ;-), unless I'm missing something here.
>>
>> cheers,
>>
>> Arno
>>
>> On 03-Feb-12 17:25, Julia Longtin wrote:
>>
>> I mean that going from "NAT_FORWARD_TCP=~8888>10.100.0.117~80"
>> causes the problem. You have the fix correct.
>>
>> It's possible my syntax is wrong.. but it used to work this way.
>>
>> Julia Longtin
>>
>> On Fri, Feb 3, 2012 at 2:56 PM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> You mean that "NAT_FORWARD_TCP="8888>10.100.0.117~80" causes the
>> problem and "NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80" fixes
>> that? I tried reproducing it, but I can't get it to fail. Could you
>> provide a snippet of the error?
>>
>> thanks.
>>
>> Arno
>>
>> On 03-Feb-12 15:37, Julia Longtin wrote:
>>
>> Package: arno-iptables-firewall
>> Version: 2.0.1-1
>> Severity: important
>>
>> Dear Maintainer,
>> After performing an upgrade, I have found that the format of the
>> rules expected in firewall.conf has changed.
>> Instead of accepting a blank source IP, it now requires a source
>> IP, or parse_rules fails, and gives a WARNING: rule will be
>> ignored..
>>
>> See the '0/0' that has been added to my NAT_FORWARD_TCP rules.
>>
>> Julia Longtin
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers unstable
>> APT policy: (500, 'unstable'), (500, 'stable')
>> Architecture: i386 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> ANSI_X3.4-1968)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages arno-iptables-firewall depends on:
>> ii debconf [debconf-2.0] 1.5.41
>> ii gawk 1:3.1.8+dfsg-0.1
>> ii iproute 20120105-1
>> ii iptables 1.4.12.2-1
>>
>> Versions of packages arno-iptables-firewall recommends:
>> ii dnsutils 1:9.8.1.dfsg.P1-2
>> ii lynx 2.8.8dev.9-3
>> ii rsyslog 5.8.6-1
>>
>> arno-iptables-firewall suggests no packages.
>>
>> -- Configuration Files:
>> /etc/arno-iptables-firewall/firewall.conf changed:
>> EXT_IF="$DC_EXT_IF"
>> EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
>> EXTERNAL_DHCP_SERVER=0
>> EXTERNAL_DHCPV6_SERVER=0
>> INT_IF="$DC_INT_IF"
>> INTERNAL_NET="$DC_INTERNAL_NET"
>> INTERNAL_NET_ANTISPOOF=1
>> DMZ_IF=""
>> DMZ_NET=""
>> DMZ_NET_ANTISPOOF=1
>> NAT=$DC_NAT
>> NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
>> NAT_LOCAL_REDIRECT=1
>> NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80 \
>> 0/0~8889>10.100.0.88~80 \
>> 0/0~8890>10.100.0.40~80 \
>> 0/0~8891>10.100.0.58~80 \
>> 0/0~8892>10.100.0.100~80 \
>> 0/0~8893>10.100.0.20~80 \
>> 0/0~2280>10.100.0.44~22 \
>> 0/0~2281>10.100.0.75~22 \
>> 0/0~8333>10.100.0.95~8333 "
>> NAT_FORWARD_UDP=""
>> NAT_FORWARD_IP=""
>> INET_FORWARD_TCP=""
>> INET_FORWARD_UDP=""
>> INET_FORWARD_IP=""
>> IP4TABLES="/sbin/iptables"
>> IP6TABLES="/sbin/ip6tables"
>> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
>> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
>> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
>> DMESG_PANIC_ONLY=1
>> MANGLE_TOS=1
>> SET_MSS=1
>> TTL_INC=0
>> USE_IRC=0
>> LOOSE_FORWARD=0
>> FORWARD_LINK_LOCAL=0
>> IPV6_DROP_RH_ZERO=1
>> RESERVED_NET_DROP=0
>> DRDOS_PROTECT=0
>> IPV6_SUPPORT=0
>> NMB_BROADCAST_FIX=0
>> COMPILED_IN_KERNEL_MESSAGES=1
>> DEFAULT_POLICY_DROP=1
>> TRUSTED_IF=""
>> IF_TRUSTS=""
>> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
>> LOCAL_CONFIG_FILE=""
>> DISABLE_IPTABLES_BATCH=0
>> TRACE=0
>> BLOCKED_HOST_LOG=1
>> SCAN_LOG=1
>> POSSIBLE_SCAN_LOG=1
>> BAD_FLAGS_LOG=1
>> INVALID_TCP_LOG=0
>> INVALID_UDP_LOG=0
>> INVALID_ICMP_LOG=0
>> RESERVED_NET_LOG=0
>> FRAG_LOG=1
>> INET_OUTPUT_DENY_LOG=1
>> LAN_OUTPUT_DENY_LOG=1
>> LAN_INPUT_DENY_LOG=1
>> DMZ_OUTPUT_DENY_LOG=1
>> DMZ_INPUT_DENY_LOG=1
>> FORWARD_DROP_LOG=1
>> LINK_LOCAL_DROP_LOG=1
>> ICMP_REQUEST_LOG=1
>> ICMP_OTHER_LOG=1
>> PRIV_TCP_LOG=1
>> PRIV_UDP_LOG=1
>> UNPRIV_TCP_LOG=1
>> UNPRIV_UDP_LOG=1
>> IGMP_LOG=1
>> OTHER_IP_LOG=1
>> ICMP_FLOOD_LOG=1
>> FIREWALL_LOG="/var/log/arno-iptables-firewall"
>> LOGLEVEL="info"
>> LOG_HOST_INPUT_TCP=""
>> LOG_HOST_INPUT_UDP=""
>> LOG_HOST_INPUT_IP=""
>> LOG_HOST_OUTPUT_TCP=""
>> LOG_HOST_OUTPUT_UDP=""
>> LOG_HOST_OUTPUT_IP=""
>> LOG_INPUT_TCP=""
>> LOG_INPUT_UDP=""
>> LOG_INPUT_IP=""
>> LOG_OUTPUT_TCP=""
>> LOG_OUTPUT_UDP=""
>> LOG_OUTPUT_IP=""
>> LOG_HOST_INPUT=""
>> LOG_HOST_OUTPUT=""
>> SYN_PROT=1
>> REDUCE_DOS_ABILITY=1
>> ECHO_IGNORE=0
>> LOG_MARTIANS=1
>> IP_FORWARDING=1
>> IPV6_AUTO_CONFIGURATION=1
>> ICMP_REDIRECT=0
>> CONNTRACK=16384
>> ECN=1
>> RP_FILTER=1
>> SOURCE_ROUTE_PROTECTION=1
>> LOCAL_PORT_RANGE="32768 61000"
>> DEFAULT_TTL=64
>> NO_PMTU_DISCOVERY=0
>> LAN_OPEN_ICMP=1
>> LAN_OPEN_TCP="21 22 80"
>> LAN_OPEN_UDP="53 67 69"
>> LAN_OPEN_IP=""
>> LAN_DENY_TCP=""
>> LAN_DENY_UDP=""
>> LAN_DENY_IP=""
>> LAN_HOST_OPEN_TCP=""
>> LAN_HOST_OPEN_UDP=""
>> LAN_HOST_OPEN_IP=""
>> LAN_HOST_DENY_TCP=""
>> LAN_HOST_DENY_UDP=""
>> LAN_HOST_DENY_IP=""
>> LAN_INET_OPEN_ICMP=1
>> LAN_INET_OPEN_TCP=""
>> LAN_INET_OPEN_UDP=""
>> LAN_INET_OPEN_IP=""
>> LAN_INET_DENY_TCP=""
>> LAN_INET_DENY_UDP=""
>> LAN_INET_DENY_IP=""
>> LAN_INET_HOST_OPEN_TCP=""
>> LAN_INET_HOST_OPEN_UDP=""
>> LAN_INET_HOST_OPEN_IP=""
>> LAN_INET_HOST_DENY_TCP=""
>> LAN_INET_HOST_DENY_UDP=""
>> LAN_INET_HOST_DENY_IP=""
>> DMZ_OPEN_ICMP=1
>> DMZ_OPEN_TCP=""
>> DMZ_OPEN_UDP=""
>> DMZ_OPEN_IP=""
>> DMZ_HOST_OPEN_TCP=""
>> DMZ_HOST_OPEN_UDP=""
>> DMZ_HOST_OPEN_IP=""
>> INET_DMZ_OPEN_ICMP=0
>> INET_DMZ_OPEN_TCP=""
>> INET_DMZ_OPEN_UDP=""
>> INET_DMZ_OPEN_IP=""
>> INET_DMZ_DENY_TCP=""
>> INET_DMZ_DENY_UDP=""
>> INET_DMZ_DENY_IP=""
>> INET_DMZ_HOST_OPEN_TCP=""
>> INET_DMZ_HOST_OPEN_UDP=""
>> INET_DMZ_HOST_OPEN_IP=""
>> INET_DMZ_HOST_DENY_TCP=""
>> INET_DMZ_HOST_DENY_UDP=""
>> INET_DMZ_HOST_DENY_IP=""
>> DMZ_INET_OPEN_ICMP=1
>> DMZ_INET_OPEN_TCP=""
>> DMZ_INET_OPEN_UDP=""
>> DMZ_INET_OPEN_IP=""
>> DMZ_INET_DENY_TCP=""
>> DMZ_INET_DENY_UDP=""
>> DMZ_INET_DENY_IP=""
>> DMZ_INET_HOST_OPEN_TCP=""
>> DMZ_INET_HOST_OPEN_UDP=""
>> DMZ_INET_HOST_OPEN_IP=""
>> DMZ_INET_HOST_DENY_TCP=""
>> DMZ_INET_HOST_DENY_UDP=""
>> DMZ_INET_HOST_DENY_IP=""
>> DMZ_LAN_OPEN_ICMP=0
>> DMZ_LAN_HOST_OPEN_TCP=""
>> DMZ_LAN_HOST_OPEN_UDP=""
>> DMZ_LAN_HOST_OPEN_IP=""
>> FULL_ACCESS_HOSTS=""
>> BROADCAST_TCP_NOLOG=""
>> HOST_OPEN_TCP=""
>> HOST_OPEN_UDP=""
>> HOST_OPEN_IP=""
>> HOST_OPEN_ICMP=""
>> HOST_DENY_TCP=""
>> HOST_DENY_UDP=""
>> HOST_DENY_IP=""
>> HOST_DENY_ICMP=""
>> HOST_DENY_TCP_NOLOG=""
>> HOST_DENY_UDP_NOLOG=""
>> HOST_DENY_IP_NOLOG=""
>> HOST_DENY_ICMP_NOLOG=""
>> HOST_REJECT_TCP=""
>> HOST_REJECT_UDP=""
>> HOST_REJECT_TCP_NOLOG=""
>> HOST_REJECT_UDP_NOLOG=""
>> DENY_TCP_OUTPUT=""
>> DENY_UDP_OUTPUT=""
>> DENY_IP_OUTPUT=""
>> HOST_DENY_TCP_OUTPUT=""
>> HOST_DENY_UDP_OUTPUT=""
>> HOST_DENY_IP_OUTPUT=""
>> OPEN_ICMP=$DC_OPEN_ICMP
>> OPEN_ICMPV6=1
>> OPEN_TCP="$DC_OPEN_TCP"
>> OPEN_UDP="$DC_OPEN_UDP"
>> OPEN_IP=""
>> DENY_TCP=""
>> DENY_UDP=""
>> DENY_TCP_NOLOG=""
>> DENY_UDP_NOLOG=""
>> REJECT_TCP=""
>> REJECT_UDP=""
>> REJECT_TCP_NOLOG=""
>> REJECT_UDP_NOLOG=""
>> BLOCK_HOSTS=""
>> BLOCK_HOSTS_BIDIRECTIONAL=1
>>
>> -- debconf information:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
>> locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> * arno-iptables-firewall/config-int-nat-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/dynamic-ip: true
>> * arno-iptables-firewall/config-int-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/icmp-echo: true
>> * arno-iptables-firewall/services-udp: 53
>> arno-iptables-firewall/title:
>> * arno-iptables-firewall/config-ext-if: eth0
>> * arno-iptables-firewall/services-tcp: 22 53 80
>> * arno-iptables-firewall/restart: true
>> * arno-iptables-firewall/config-int-if: eth1 br0
>> * arno-iptables-firewall/nat: true
>> * arno-iptables-firewall/debconf-wanted: true
>>
>> -- debsums errors found:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
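One way to get the pre-restart check this message asks for, as an added example that is not part of the bug report or of arno-iptables-firewall itself: a small POSIX sh lint that reads the NAT_FORWARD_TCP and NAT_FORWARD_UDP values and flags rules lacking an explicit source, the shape the thread shows being ignored. The function names, the "BAD" diagnostics and the assumption that the source-less forms ("8888>host~80" and "~8888>host~80") are the only rejected shape are mine; the project's own parse_rules may apply further checks that this lint does not know about.

```shell
#!/bin/sh
# Added example, not part of this bug report or of arno-iptables-firewall.
# Pre-restart lint for NAT_FORWARD_TCP / NAT_FORWARD_UDP values.
# ASSUMPTION (taken from the thread, not from the project's parser): a rule is
# accepted as "src~sport>dst~dport" with an explicit source such as 0/0, and a
# rule without a source ("8888>10.100.0.117~80" or "~8888>10.100.0.117~80") is
# the shape that is ignored with a WARNING. Nothing else is checked.

# Check one rule. Prints a diagnostic on stderr and returns 1 for a rule that
# would be ignored; returns 0 otherwise.
check_forward_rule() {
  rule=$1
  case $rule in
    *">"*) ;;
    *) echo "BAD  $rule: no '>' between source port and destination" >&2; return 1 ;;
  esac
  lhs=${rule%%">"*}     # "src~sport"
  rhs=${rule#*">"}      # "dst~dport"
  case $lhs in
    *"~"*) src=${lhs%%"~"*}; sport=${lhs#*"~"} ;;
    *) echo "BAD  $rule: no source; write 0/0~$lhs>$rhs" >&2; return 1 ;;
  esac
  if [ -z "$src" ]; then
    echo "BAD  $rule: empty source; write 0/0~$sport>$rhs" >&2; return 1
  fi
  if [ -z "$rhs" ]; then
    echo "BAD  $rule: empty destination" >&2; return 1
  fi
  return 0
}

# Lint every whitespace-separated rule in a NAT_FORWARD_* value and print the
# number of rules that would be ignored (0 means the forwards survive a restart).
lint_forward_rules() {
  bad=0
  for rule in $1; do
    check_forward_rule "$rule" || bad=$((bad + 1))
  done
  echo "$bad"
}

# Lint a firewall.conf before restarting: source it in a subshell (the file is a
# shell fragment, which is how the firewall itself reads it) and check both
# forward variables. Prints the total number of rules that would be ignored.
lint_firewall_conf() {
  (
    . "$1"
    tcp=$(lint_forward_rules "$NAT_FORWARD_TCP")
    udp=$(lint_forward_rules "$NAT_FORWARD_UDP")
    echo $((tcp + udp))
  )
}

# Constructed sample values, shaped after the rules quoted in this report.
OLD_RULES='~8888>10.100.0.117~80 8889>10.100.0.88~80'
NEW_RULES='0/0~8888>10.100.0.117~80 0/0~8889>10.100.0.88~80 0/0~2280>10.100.0.44~22'

echo "old style: $(lint_forward_rules "$OLD_RULES") rule(s) would be ignored"
echo "new style: $(lint_forward_rules "$NEW_RULES") rule(s) would be ignored"
```

Run `lint_firewall_conf /etc/arno-iptables-firewall/firewall.conf` from a wrapper around the restart and refuse to proceed when the printed count is not 0; that turns the silent "Rule ... is ignored" warning into a stop before any port forward is torn down. Sourcing the configuration executes it exactly as the firewall does, so point the lint only at a file you would already let the firewall read.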