OpenWrt Forum Archive

Topic: New package: shorewall-3.0.3

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

Shorewall-3.0 is finally ported.

The .ipk package - as well as the full upstream SDK source - can be found here:

http://sfl.homelinux.net/openwrt/
http://people.softwarelivre.org/~alberto/openwrt/   (Thanks for the help, Bengoa :) )

I suggest reading README.OpenWRT before installing. That file is installed on your system with the rest of the files, but most people will want to remove it to save some space.

The package is based on the current stable version (3.0.3) and seems to be running fine. Please, send the bugs/problems to: sfl.openwrt@terra.com.br

Best regards,

Fabio Longarai Silva <longarai@terra.com.br>

(Last edited by longarai on 2 Jan 2006, 19:34)

Thanks for the package.  I just installed it and tried to start it with a mostly default configuration. When I run "shorewall start" it goes along looking fine until it runs the /usr/share/shorewall/firewall script, at which point, one of the iptables commands fails. Here is the relevant output:

...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
iptables v1.3.3: Unknown arg `--log-level'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/usr/sbin/iptables -A smurfs -s 192.168.72.255  -j  LOG  --log-level info --log-prefix "Shorewall:smurfs:DROP:"" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
root@Orange:/etc/shorewall#

If I take out --log-level it then issues the same complaint about --log-prefix. I think this is all related to the fact that I do not have /usr/lib/iptables/libipt_LOG.so.  I can't find that file in the version that I need (iptables 1.3.3) from any of the feeds.  Basically I was wondering if you had found a copy of that file somewhere or if you use ulog on your system and thus haven't run into this problem?

I'm running White Russian RC4 with an almost completely stock configuration. Thanks for any suggestions.

-John X
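A preflight check for the failure described in the post above, added here as an example and not part of the original thread or of the shorewall package: it reads iptables commands on stdin and lists the extension files they need that are absent, so a missing LOG target is caught before "shorewall start" aborts partway. The function name `missing_ipt_exts`, the `IPT_LIBDIR` variable and the sample rules are assumptions; the `libipt_<NAME>.so` naming is generalized from the `libipt_LOG.so` path in the post.

```shell
#!/bin/sh
# Added example (not from the thread): list iptables extension libraries that a
# set of iptables commands needs but that are not installed.
# Assumptions: extensions are files named libipt_<NAME>.so in one directory,
# all-uppercase "-j" names are extension targets (lowercase ones are user
# chains such as "smurfs"), and ACCEPT/DROP/RETURN/QUEUE are built in.

# missing_ipt_exts DIR   (iptables commands on stdin)
# Prints one missing file name per line; returns 1 if anything is missing.
missing_ipt_exts() {
    ext_dir=$1
    # One token per line, then keep the token that follows each -j or -m.
    ext_names=$(tr -s ' \t' '\n\n' | awk '
        prev == "-j" && $0 ~ /^[A-Z]+$/ { print }
        prev == "-m"                    { print }
        { prev = $0 }' | sort -u)
    ext_missing=0
    for ext in $ext_names; do
        case $ext in
            ACCEPT|DROP|RETURN|QUEUE) continue ;;
        esac
        if [ ! -e "$ext_dir/libipt_$ext.so" ]; then
            echo "libipt_$ext.so"
            ext_missing=1
        fi
    done
    return $ext_missing
}

# Constructed sample input: the failing command from the post plus two
# made-up rules (a match extension and a jump to a user chain).
sample_rules() {
    cat <<'EOF'
/usr/sbin/iptables -A smurfs -s 192.168.72.255  -j  LOG  --log-level info --log-prefix "Shorewall:smurfs:DROP:"
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -j smurfs
EOF
}

# Stand-alone run against the directory named in the post.
sample_rules | missing_ipt_exts "${IPT_LIBDIR:-/usr/lib/iptables}" \
    || echo "extensions listed above are missing; the rules would fail to load"
```
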

Hello John, thanks for the reply.

You're probably missing iptables-mod-extra.

The strange thing is that it's listed as a dependency, so you shouldn't be able to install shorewall3 without it. This iptables-mod-extra package depends on kmod-ipt-extra, which has the corresponding kernel modules.

Did you install shorewall with the --force option?

Anyway, just install 'iptables-mod-extra' (with 'kmod-ipt-extra'), 'iptables-utils' and 'ip' and you should be ready to go.

Regards,

Fabio Longarai <longarai@terra.com.br>

It works very well, thanks for it!!!

Your readme file is very informative too, but I would extend the ip-up script with this:

if [ ! -f /tmp/myshorewall.lock ]; then
        touch /tmp/myshorewall.lock
        /sbin/shorewall start
else
        /sbin/shorewall refresh
fi

if you use the traffic shaper function of shorewall...

Thank you for the reply.  I found the problem. I had added the "experimental" feed to my ipkg.conf file and because of that had iptables-extra installed instead of iptables-mod-extra.  I removed that package and shorewall, then removed the "experimental" feed from my ipkg.conf, and reinstalled shorewall.  It pulled in the correct dependency and all is well.  Thank you very much for packaging shorewall.  OpenWRT and Shorewall on my WRT54GS leave me so much more sane than trying to deal with my old 802.11b Linksys router.

Hello,

The new version 3.0.4 is out. Check the sites for updated packages.

I'll be keeping the old (3.0.3) package files for some time...

Best regards,

Longarai

Hi,

Thanks very much for your package longarai!

I'm starting it from /etc/udhcpc.user:

----------------------

#!/bin/sh

go_restore () {
   if [ -x /etc/shorewall/restore ]; then
      mkdir -p /var/lib/shorewall
      ln -s /etc/shorewall/restore /var/lib/shorewall/.
      /sbin/shorewall -q restore
   else
      /sbin/shorewall -q start
   fi
}

/sbin/shorewall status || go_restore

----------------------

...using Shorewall's restore feature.  Basically, once I have the configuration I want I run:

shorewall save
cp /var/lib/shorewall/restore /etc/shorewall/.

When udhcpc.user is run, it first checks to see if shorewall is already running.  If it is, it aborts.  If it isn't, it checks for /etc/shorewall/restore and if it exists it creates a symlink to it in /var/lib/shorewall.  Shorewall is then able to restore this configuration.  If /etc/shorewall doesn't exist it will just start shorewall normally.

Works for me, since nothing changes (rule-wise) upon renewal of the wan interface.

Shorewall start:
real    1m 34.47s
user    0m 17.67s
sys     1m 16.60s

Shorewall restore:
real    0m 3.49s
user    0m 1.01s
sys     0m 2.48s

Thanks again.

Hi supernaut,

Yes, pre-saved rulesets are incredibly faster to load than the usual script execution.

The next version of shorewall will bring a nice 'shorewall generate' command that will build a script for further loading. It will make shorewall a true 'rulesets generator'.

One nice thing is that this 'generate' command can be run on one machine and the generated file can be executed from another...

Another fine thing is length match support for tcrules. It will - among other things - help with holding p2p uploads without slowing down your downloads.

I'm currently testing these development versions in the openwrt environment. If anyone here wants to try it (and help testing) please mail me - I can send a fresh .ipk package.

Cheers,

Longarai

Hi,

I had to move the site where the package is hosted, the new one is here:

http://openwrt.homelinux.net/

Sorry for the downtime...

Cheers,

Longarai

longarai wrote:

Hi,

The repository is up:

src sfl http://openwrt.homelinux.net/repository

Check the documentation here:

http://openwrt.homelinux.net/

Thanks,

Longarai

Please note somewhere on your site that these packages are not official and therefore not supported by the OpenWrt developers.

Thanks.

(Last edited by olli on 11 Mar 2006, 23:59)

I never said that these packages are official and there's nothing on the site that suggests that.

There are also no references to the openwrt site.

There are some references to shorewall's site (which has some outstanding documentation), but I have received no complaints about that (they actually linked my site from their Downloads page).

I have been supporting the users by e-mail since the beginning and never encouraged users to ask anyone but me for help. I also haven't forwarded any single problem to anyone here.

I do not know how many issues you have been receiving about my packages but do not worry,
I have updated the site so nobody should ever try to bother you again.

Regards,

Longarai

The discussion might have continued from here.