The fact that your configuration file format has CHANGED, without an entry in the CHANGELOG, is certainly a bug, and I believe asking for a CHANGELOG entry so that system administrators do not have their firewall rules dropped randomly, without warning, is appropriate, and represents a bug in your package.
This is a BUG. FIX IT, by at least placing an entry in the changelog, for system administrators who use your software.

Julia Longtin

On Tue, Feb 14, 2012 at 9:55 AM, Arno van Amersfoort <arn...@rocky.eld.leidenuniv.nl> wrote:

> Well, again, the fact that it worked before doesn't mean it's a bug and
> therefore needs special handling.
>
> This bug can be closed as WONTFIX.
>
> a.
>
> On 06-Feb-12 17:07, Julia Longtin wrote:
>
>> No, I mean something in the changes file, so you know *before* you
>> restart your firewall, and the port forwards are dropped. An outage and
>> warning that does not tell one what to do to fix it is certainly an issue.
>>
>> Julia Longtin
>>
>> On Mon, Feb 6, 2012 at 12:28 PM, Arno van Amersfoort
>> <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> Well it does do that:
>>
>> Restarting Arno's Iptables Firewall...
>> ** WARNING: In Variable NAT_FORWARD_TCP, Rule:
>> "~8888>10.100.0.117~80" is ignored.
>> Feb 06 13:27:41 WARNING: Not all firewall rules are applied.
>>
>> a.
>>
>> On 06-Feb-12 12:54, Julia Longtin wrote:
>>
>> Oh, that makes sense to me... except since it WAS valid syntax, it means
>> that when it STOPPED being valid syntax, I need a little more warning
>> than "oh, all your port forwards no longer exist, have a nice day!". I
>> read debchanges, so at least a warning to sysadmins that the syntax that
>> used to be valid is no longer valid makes sense to me.
>>
>> Luckily, there will at least be this thread to guide other sysadmins. I
>> had to use bash -x to trace through things and discover the 'fix' for my
>> perfectly 'valid' syntax not working.
>>
>> Julia Longtin
>>
>> On Mon, Feb 6, 2012 at 6:17 AM, Arno van Amersfoort
>> <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> Hello Julia,
>>
>> Ah you mean that the first WITH the "~" in front of the 8888 used to
>> be a valid syntax? If so, this was never intended and it certainly
>> doesn't serve any purpose. The fix is simple, as you already know,
>> get rid of it ;-), unless I'm missing something here.
>>
>> cheers,
>>
>> Arno
>>
>> On 03-Feb-12 17:25, Julia Longtin wrote:
>>
>> I mean that going from "NAT_FORWARD_TCP=~8888>10.100.0.117~80" causes
>> the problem. You have the fix correct.
>>
>> It's possible my syntax is wrong.. but it used to work this way.
>>
>> Julia Longtin
>>
>> On Fri, Feb 3, 2012 at 2:56 PM, Arno van Amersfoort
>> <arn...@rocky.eld.leidenuniv.nl> wrote:
>>
>> You mean that "NAT_FORWARD_TCP="8888>10.100.0.117~80" causes the
>> problem and "NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80" fixes
>> that? I tried reproducing it, but I can't get it to fail. Could you
>> provide a snippet of the error?
>>
>> thanks.
>>
>> Arno
>>
>> On 03-Feb-12 15:37, Julia Longtin wrote:
>>
>> Package: arno-iptables-firewall
>> Version: 2.0.1-1
>> Severity: important
>>
>> Dear Maintainer,
>> After performing an upgrade, I have found that the format of the
>> rules expected in firewall.conf has changed.
>> Instead of accepting a blank source IP, it now requires a source
>> IP, or parse_rules fails, and gives a WARNING: rule will be
>> ignored..
>>
>> See the '0/0' that has been added to my NAT_FORWARD_TCP rules.
>>
>> Julia Longtin
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers unstable
>> APT policy: (500, 'unstable'), (500, 'stable')
>> Architecture: i386 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> ANSI_X3.4-1968)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages arno-iptables-firewall depends on:
>> ii debconf [debconf-2.0] 1.5.41
>> ii gawk 1:3.1.8+dfsg-0.1
>> ii iproute 20120105-1
>> ii iptables 1.4.12.2-1
>>
>> Versions of packages arno-iptables-firewall recommends:
>> ii dnsutils 1:9.8.1.dfsg.P1-2
>> ii lynx 2.8.8dev.9-3
>> ii rsyslog 5.8.6-1
>>
>> arno-iptables-firewall suggests no packages.
>>
>> -- Configuration Files:
>> /etc/arno-iptables-firewall/firewall.conf changed:
>> EXT_IF="$DC_EXT_IF"
>> EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
>> EXTERNAL_DHCP_SERVER=0
>> EXTERNAL_DHCPV6_SERVER=0
>> INT_IF="$DC_INT_IF"
>> INTERNAL_NET="$DC_INTERNAL_NET"
>> INTERNAL_NET_ANTISPOOF=1
>> DMZ_IF=""
>> DMZ_NET=""
>> DMZ_NET_ANTISPOOF=1
>> NAT=$DC_NAT
>> NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
>> NAT_LOCAL_REDIRECT=1
>> NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80 \
>> 0/0~8889>10.100.0.88~80 \
>> 0/0~8890>10.100.0.40~80 \
>> 0/0~8891>10.100.0.58~80 \
>> 0/0~8892>10.100.0.100~80 \
>> 0/0~8893>10.100.0.20~80 \
>> 0/0~2280>10.100.0.44~22 \
>> 0/0~2281>10.100.0.75~22 \
>> 0/0~8333>10.100.0.95~8333 "
>> NAT_FORWARD_UDP=""
>> NAT_FORWARD_IP=""
>> INET_FORWARD_TCP=""
>> INET_FORWARD_UDP=""
>> INET_FORWARD_IP=""
>> IP4TABLES="/sbin/iptables"
>> IP6TABLES="/sbin/ip6tables"
>> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
>> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
>> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
>> DMESG_PANIC_ONLY=1
>> MANGLE_TOS=1
>> SET_MSS=1
>> TTL_INC=0
>> USE_IRC=0
>> LOOSE_FORWARD=0
>> FORWARD_LINK_LOCAL=0
>> IPV6_DROP_RH_ZERO=1
>> RESERVED_NET_DROP=0
>> DRDOS_PROTECT=0
>> IPV6_SUPPORT=0
>> NMB_BROADCAST_FIX=0
>> COMPILED_IN_KERNEL_MESSAGES=1
>> DEFAULT_POLICY_DROP=1
>> TRUSTED_IF=""
>> IF_TRUSTS=""
>> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
>> LOCAL_CONFIG_FILE=""
>> DISABLE_IPTABLES_BATCH=0
>> TRACE=0
>> BLOCKED_HOST_LOG=1
>> SCAN_LOG=1
>> POSSIBLE_SCAN_LOG=1
>> BAD_FLAGS_LOG=1
>> INVALID_TCP_LOG=0
>> INVALID_UDP_LOG=0
>> INVALID_ICMP_LOG=0
>> RESERVED_NET_LOG=0
>> FRAG_LOG=1
>> INET_OUTPUT_DENY_LOG=1
>> LAN_OUTPUT_DENY_LOG=1
>> LAN_INPUT_DENY_LOG=1
>> DMZ_OUTPUT_DENY_LOG=1
>> DMZ_INPUT_DENY_LOG=1
>> FORWARD_DROP_LOG=1
>> LINK_LOCAL_DROP_LOG=1
>> ICMP_REQUEST_LOG=1
>> ICMP_OTHER_LOG=1
>> PRIV_TCP_LOG=1
>> PRIV_UDP_LOG=1
>> UNPRIV_TCP_LOG=1
>> UNPRIV_UDP_LOG=1
>> IGMP_LOG=1
>> OTHER_IP_LOG=1
>> ICMP_FLOOD_LOG=1
>> FIREWALL_LOG="/var/log/arno-iptables-firewall"
>> LOGLEVEL="info"
>> LOG_HOST_INPUT_TCP=""
>> LOG_HOST_INPUT_UDP=""
>> LOG_HOST_INPUT_IP=""
>> LOG_HOST_OUTPUT_TCP=""
>> LOG_HOST_OUTPUT_UDP=""
>> LOG_HOST_OUTPUT_IP=""
>> LOG_INPUT_TCP=""
>> LOG_INPUT_UDP=""
>> LOG_INPUT_IP=""
>> LOG_OUTPUT_TCP=""
>> LOG_OUTPUT_UDP=""
>> LOG_OUTPUT_IP=""
>> LOG_HOST_INPUT=""
>> LOG_HOST_OUTPUT=""
>> SYN_PROT=1
>> REDUCE_DOS_ABILITY=1
>> ECHO_IGNORE=0
>> LOG_MARTIANS=1
>> IP_FORWARDING=1
>> IPV6_AUTO_CONFIGURATION=1
>> ICMP_REDIRECT=0
>> CONNTRACK=16384
>> ECN=1
>> RP_FILTER=1
>> SOURCE_ROUTE_PROTECTION=1
>> LOCAL_PORT_RANGE="32768 61000"
>> DEFAULT_TTL=64
>> NO_PMTU_DISCOVERY=0
>> LAN_OPEN_ICMP=1
>> LAN_OPEN_TCP="21 22 80"
>> LAN_OPEN_UDP="53 67 69"
>> LAN_OPEN_IP=""
>> LAN_DENY_TCP=""
>> LAN_DENY_UDP=""
>> LAN_DENY_IP=""
>> LAN_HOST_OPEN_TCP=""
>> LAN_HOST_OPEN_UDP=""
>> LAN_HOST_OPEN_IP=""
>> LAN_HOST_DENY_TCP=""
>> LAN_HOST_DENY_UDP=""
>> LAN_HOST_DENY_IP=""
>> LAN_INET_OPEN_ICMP=1
>> LAN_INET_OPEN_TCP=""
>> LAN_INET_OPEN_UDP=""
>> LAN_INET_OPEN_IP=""
>> LAN_INET_DENY_TCP=""
>> LAN_INET_DENY_UDP=""
>> LAN_INET_DENY_IP=""
>> LAN_INET_HOST_OPEN_TCP=""
>> LAN_INET_HOST_OPEN_UDP=""
>> LAN_INET_HOST_OPEN_IP=""
>> LAN_INET_HOST_DENY_TCP=""
>> LAN_INET_HOST_DENY_UDP=""
>> LAN_INET_HOST_DENY_IP=""
>> DMZ_OPEN_ICMP=1
>> DMZ_OPEN_TCP=""
>> DMZ_OPEN_UDP=""
>> DMZ_OPEN_IP=""
>> DMZ_HOST_OPEN_TCP=""
>> DMZ_HOST_OPEN_UDP=""
>> DMZ_HOST_OPEN_IP=""
>> INET_DMZ_OPEN_ICMP=0
>> INET_DMZ_OPEN_TCP=""
>> INET_DMZ_OPEN_UDP=""
>> INET_DMZ_OPEN_IP=""
>> INET_DMZ_DENY_TCP=""
>> INET_DMZ_DENY_UDP=""
>> INET_DMZ_DENY_IP=""
>> INET_DMZ_HOST_OPEN_TCP=""
>> INET_DMZ_HOST_OPEN_UDP=""
>> INET_DMZ_HOST_OPEN_IP=""
>> INET_DMZ_HOST_DENY_TCP=""
>> INET_DMZ_HOST_DENY_UDP=""
>> INET_DMZ_HOST_DENY_IP=""
>> DMZ_INET_OPEN_ICMP=1
>> DMZ_INET_OPEN_TCP=""
>> DMZ_INET_OPEN_UDP=""
>> DMZ_INET_OPEN_IP=""
>> DMZ_INET_DENY_TCP=""
>> DMZ_INET_DENY_UDP=""
>> DMZ_INET_DENY_IP=""
>> DMZ_INET_HOST_OPEN_TCP=""
>> DMZ_INET_HOST_OPEN_UDP=""
>> DMZ_INET_HOST_OPEN_IP=""
>> DMZ_INET_HOST_DENY_TCP=""
>> DMZ_INET_HOST_DENY_UDP=""
>> DMZ_INET_HOST_DENY_IP=""
>> DMZ_LAN_OPEN_ICMP=0
>> DMZ_LAN_HOST_OPEN_TCP=""
>> DMZ_LAN_HOST_OPEN_UDP=""
>> DMZ_LAN_HOST_OPEN_IP=""
>> FULL_ACCESS_HOSTS=""
>> BROADCAST_TCP_NOLOG=""
>> HOST_OPEN_TCP=""
>> HOST_OPEN_UDP=""
>> HOST_OPEN_IP=""
>> HOST_OPEN_ICMP=""
>> HOST_DENY_TCP=""
>> HOST_DENY_UDP=""
>> HOST_DENY_IP=""
>> HOST_DENY_ICMP=""
>> HOST_DENY_TCP_NOLOG=""
>> HOST_DENY_UDP_NOLOG=""
>> HOST_DENY_IP_NOLOG=""
>> HOST_DENY_ICMP_NOLOG=""
>> HOST_REJECT_TCP=""
>> HOST_REJECT_UDP=""
>> HOST_REJECT_TCP_NOLOG=""
>> HOST_REJECT_UDP_NOLOG=""
>> DENY_TCP_OUTPUT=""
>> DENY_UDP_OUTPUT=""
>> DENY_IP_OUTPUT=""
>> HOST_DENY_TCP_OUTPUT=""
>> HOST_DENY_UDP_OUTPUT=""
>> HOST_DENY_IP_OUTPUT=""
>> OPEN_ICMP=$DC_OPEN_ICMP
>> OPEN_ICMPV6=1
>> OPEN_TCP="$DC_OPEN_TCP"
>> OPEN_UDP="$DC_OPEN_UDP"
>> OPEN_IP=""
>> DENY_TCP=""
>> DENY_UDP=""
>> DENY_TCP_NOLOG=""
>> DENY_UDP_NOLOG=""
>> REJECT_TCP=""
>> REJECT_UDP=""
>> REJECT_TCP_NOLOG=""
>> REJECT_UDP_NOLOG=""
>> BLOCK_HOSTS=""
>> BLOCK_HOSTS_BIDIRECTIONAL=1
>>
>> -- debconf information:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
>> locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_MESSAGES to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> * arno-iptables-firewall/config-int-nat-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/dynamic-ip: true
>> * arno-iptables-firewall/config-int-net: 10.100.0/24 172.16.0/24
>> * arno-iptables-firewall/icmp-echo: true
>> * arno-iptables-firewall/services-udp: 53
>> arno-iptables-firewall/title:
>> * arno-iptables-firewall/config-ext-if: eth0
>> * arno-iptables-firewall/services-tcp: 22 53 80
>> * arno-iptables-firewall/restart: true
>> * arno-iptables-firewall/config-int-if: eth1 br0
>> * arno-iptables-firewall/nat: true
>> * arno-iptables-firewall/debconf-wanted: true
>>
>> -- debsums errors found:
>> perl: warning: Setting locale failed.
>> perl: warning: Please check that your locale settings:
>> LANGUAGE = (unset),
>> LC_ALL = (unset),
>> LANG = "en_GB.UTF-8"
>> are supported and installed on your system.
>> perl: warning: Falling back to the standard locale ("C").
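
Added example, not part of the original thread or of arno-iptables-firewall: a pre-restart check for the rule form the thread reports as ignored after the upgrade (a NAT_FORWARD_TCP rule with an empty source field, i.e. starting with "~"). The function names, the inclusion of NAT_FORWARD_UDP and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of arno-iptables-firewall): pre-restart lint for the
# rule form this thread reports as ignored after the upgrade, i.e. a
# NAT_FORWARD_TCP/UDP rule with an empty source field (rule starts with "~").

# lint_nat_forwards FILE
# Prints "VARIABLE: rule" for every suspect rule; exit status 1 if any found.
lint_nat_forwards() {
    awk '
    { line = $0 }
    /^[ \t]*NAT_FORWARD_(TCP|UDP)=/ {
        var = line; sub(/^[ \t]*/, "", var); sub(/=.*/, "", var)
        sub(/^[^=]*=/, "", line)          # keep only the value part
        quotes = 0; invalue = 1
    }
    invalue {
        cont = (line ~ /\\[ \t]*$/)       # backslash-newline continuation
        quotes += gsub(/"/, " ", line)    # odd count: quoted value still open
        gsub(/\\/, " ", line)
        n = split(line, rules, " ")
        for (i = 1; i <= n; i++)
            if (rules[i] ~ /^~/) { print var ": " rules[i]; bad = 1 }
        invalue = (cont || quotes % 2 == 1)
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: one rule in each of the three forms quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
EXT_IF="eth0"
NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80 \
                 ~8889>10.100.0.88~80 \
                 8890>10.100.0.40~80 "
NAT_FORWARD_UDP=""
EOF
}

# When called with a config path, lint it (non-zero exit blocks a restart script).
[ $# -eq 0 ] || lint_nat_forwards "$1"
```

Run it against /etc/arno-iptables-firewall/firewall.conf before restarting the firewall after an upgrade; a non-zero exit means at least one forward would be dropped with only the WARNING shown in the thread.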