Hi all! I'm coming back to shorewall6. A few months ago I made some changes to one (and only one) file, see Bug 22778: Shorewall6 support (shorewall.pm from drakx-net still has "# Deliberately not adding shorewall6 support here for now") https://bugs.mageia.org/show_bug.cgi?id=22778, but I noticed that it wasn't working anymore. When I ran # shorewall restart, I got an error:

[root@jabztop jibz]# shorewall6 restart
Compiling using Shorewall 5.2.2...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Determining Hosts in Zones...
Locating Action Files...
   ERROR: No policy defined from zone net to zone fw /etc/shorewall6/policy (EOF)

My file /etc/shorewall6/policy was unpopulated:

[root@jabztop jibz]# cat /etc/shorewall6/policy
#
# Shorewall6 -- /etc/shorewall6/policy
#
# For information about entries in this file, type "man shorewall6-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
[root@jabztop jibz]#

compared to the shorewall (non6):

[root@jabztop jibz]# cat /etc/shorewall/policy
#
# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
fw net ACCEPT
net all DROP info
all all REJECT info
[root@jabztop jibz]#

I copy-pasted these last three lines into /etc/shorewall6/policy as suggested by Jankusanagi on #mageia-dev (Thank you!) and the firewall can restart.

[root@jabztop jibz]# shorewall6 restart
Compiling using Shorewall 5.2.2...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall6/policy...
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall6/rules...
Compiling /etc/shorewall6/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.AllowICMPs for chain AllowICMPs...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
Generating Rule Matrix...
Optimizing Ruleset...
Creating ip6tables-restore input...
Shorewall configuration compiled to /var/lib/shorewall6/.restart
Stopping Shorewall6....
Processing /etc/shorewall6/stop ...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
Processing /etc/shorewall6/stopped ...
done.
Starting Shorewall6....
Initializing...
Processing /etc/shorewall6/init ...
Setting up Proxy NDP...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
Processing /etc/shorewall6/start ...
Processing /etc/shorewall6/started ...
done.
[root@jabztop jibz]#

Jankusanagi found a trace of this file on his computer; it was populated with the same last 3 lines. So what happened to my file? He suggests that the graphical interface wipes it, I believe on an update, but I cannot confirm (I'm still looking for a command to check files).
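
The failure reported in the comment above, as an added example that is not part of the original report and is not Shorewall's own code: a simplified Python model of the policy lookup that lists the zone pairs for which a policy file has no matching entry. It assumes the zones fw and net from the error message, models only the `all`/`any` wildcards, and uses sample file contents constructed from the listings above.

```python
"""Added example: simplified model of Shorewall policy matching (not Shorewall code)."""
from itertools import permutations

WILDCARDS = ("all", "any")  # assumption: only these two wildcard forms are modelled

# Constructed samples based on the listings in the report above.
EMPTY_POLICY = """\
# Shorewall6 -- /etc/shorewall6/policy
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
"""
FIXED_POLICY = EMPTY_POLICY + """\
fw net ACCEPT
net all DROP info
all all REJECT info
"""


def parse_policy(text):
    """Return (source, dest, policy) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"incomplete policy entry: {raw!r}")
        entries.append(tuple(fields[:3]))
    return entries


def uncovered_pairs(text, zones):
    """List ordered (source, dest) zone pairs that no policy entry matches."""
    entries = parse_policy(text)

    def covered(src, dst):
        return any(s in (src, *WILDCARDS) and d in (dst, *WILDCARDS)
                   for s, d, _ in entries)

    # Intra-zone pairs (src == dst) are left out of this model.
    return [(s, d) for s, d in permutations(zones, 2) if not covered(s, d)]


if __name__ == "__main__":
    for name, text in (("empty", EMPTY_POLICY), ("fixed", FIXED_POLICY)):
        for src, dst in uncovered_pairs(text, ["fw", "net"]):
            print(f"{name}: no policy defined from zone {src} to zone {dst}")
```

Run against a real installation, the zone list would come from /etc/shorewall6/zones and the text from /etc/shorewall6/policy; an empty result means every pair in this model has at least one matching policy line.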
Where is the shorewall6 or shorewall-ipv6 package ? https://svnweb.mageia.org/packages/cauldron/?dir_pagestart=14000
(In reply to J-B B from comment #1)
> Where is the shorewall6 or shorewall-ipv6 package ?
> https://svnweb.mageia.org/packages/cauldron/?dir_pagestart=14000

/usr/sbin/shorewall6 comes from the shorewall-ipv6 package, which comes from the shorewall SRPM. There is no registered maintainer, so assigning to all packagers collectively and CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => luigiwalser, mageia, marja11, smelror
Source RPM: shorewall-ipv6 => shorewall
As for bug 22778, I'll try to enable shorewall 6 to mcc. Patches welcome of course.
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Assignee: pkg-bugs => lists.jjorge
(In reply to José Jorge from comment #3)
> As for bug 22778, I'll try to enable shorewall 6 to mcc. Patches welcome of
> course.

In fact, it looks like this code is just too old. The better solution is to deprecate firewall config in MCC, and redirect users to firewall-config, which is maintained. I have tried to use it, and managed very easily to get both IPv4 and IPv6 firewall tuned.
(In reply to José Jorge from comment #4)
> I have tried to use it, and managed very easily to get both Ipv4 and Ipv6
> firewall tuned.

Using it more, there were too many problems with firewalld. So I went the way of enabling shorewall6 in mcc. See bug 22778 for details.

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED