Description of problem:
The Interactive Firewall component of Personal Firewall has errors reported during shorewall startup and restart.

Version-Release number of selected component (if applicable):
Relevant packages:
kernel-netbook-2.6.38.8-5.mga-1-1.mga1
shorewall-4.4.19.1-3.mga1
mandi-ifw-1.0-10.mga1
iptables-1.4.11.1-1.mga1

How reproducible:
Every time the system boots or the Interactive Firewall is enabled.

Steps to Reproduce:
1. Enable Personal Firewall in Mageia Control Center. I just have SMB, Echo and a custom port for Auth (113) enabled.
2. Enable the Interactive Firewall with all sub-options selected for it.
3. Observe errors reported in /var/log/shorewall-init.log after the firewall is restarted and following reboots.
4. Disable the Interactive Firewall.
5. Observe no errors reported in /var/log/shorewall-init.log after the firewall is restarted and following reboots.

Attached are two instances of /var/log/shorewall-init.log for a system reboot. The first is with Interactive Firewall enabled and the second with it disabled.
The deprecation warnings result from /etc/ifw/start. The source error and iptables Input/output errors result from /etc/ifw/rules.
Created attachment 848: /var/log/shorewall-init.log with Interactive Firewall enabled
Contents of /var/log/shorewall-init.log for a boot with Interactive Firewall enabled. Note the deprecation warnings resulting from /etc/ifw/start and the source and iptables Input/output errors resulting from /etc/ifw/rules.
Created attachment 849: /var/log/shorewall-init.log with Interactive Firewall disabled
Contents of /var/log/shorewall-init.log following boot with Interactive Firewall disabled. Note there are no warnings or errors reported.
I should also advise that, with the Interactive Firewall enabled and Ping reporting enabled, when the system is pinged no alert is issued. I conclude that the iptables Input/output errors mean that the associated rules for the Interactive Firewall have not been added.
The author of mandi found some time to look into this bug report. He said "/var/lib/shorewall/.start: 1: source: not found" wasn't brilliant and that it was probably not supported by dash. He didn't find time to explain what he meant by "it", but I guess he meant shorewall, because shorewall depends on dash and mandi doesn't. CC'ing some people who committed shorewall and/or dash.
CC: (none) => mageia, marja11, pterjan, thierry.vignaud
Source RPM: mandi-1.0-10.mga1.src.rpm => shorewall, dash
Created attachment 1162: Patch to replace source command with a period
The "it" would be the source command, which is not a dash builtin command.
Changing the source rpm to drakx-net-1.0-1.mga2.src.rpm
CC: (none) => davidwhodgins
Source RPM: shorewall, dash => drakx-net-1.0-1.mga2.src.rpm
Fyi, drakfirewall.pm updates /etc/ifw/rules which is then included by shorewall when it compiles its rules. I expect that once an updated drakfirewall.pm is installed, the interactive firewall would have to be disabled/re-enabled to update the files. A workaround would be to have the updated package include a post-install scriptlet that would replace the word source with the period, if it exists in /etc/ifw/rules, and then restart shorewall.
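The post-install rewrite described above, as an added POSIX sh example (not the drakx-net patch or its scriptlet; the rules path defaults to /etc/ifw/rules from the report, the sample file is constructed, and the shorewall restart is left commented out):

```shell
#!/bin/sh
# Added example, not the drakx-net patch: rewrite bash-only "source FILE"
# lines to the POSIX "." builtin so that dash, which runs the shorewall
# scripts that include /etc/ifw/rules, no longer fails with "source: not found".

# Count lines whose first word is the bash-only "source" builtin.
# "source" appearing elsewhere on a line (e.g. "echo source") is ignored.
count_source_lines() {
    grep -c '^[[:space:]]*source[[:space:]]' "$1" || true
}

# Rewrite "source FILE" to ". FILE", keeping indentation.
# A temporary file plus mv is used because "sed -i" is not POSIX.
fix_source_builtin() {
    rules="$1"
    tmp="$rules.tmp.$$"
    sed -e 's/^\([[:space:]]*\)source[[:space:]]\{1,\}/\1. /' "$rules" > "$tmp" \
        && mv "$tmp" "$rules"
}

# Steps a post-install scriptlet could follow: only touch the file when it
# actually contains the bash-only builtin, then restart the firewall.
fix_ifw_rules() {
    rules="${1:-/etc/ifw/rules}"      # assumed default path from the report
    [ -f "$rules" ] || return 0
    if [ "$(count_source_lines "$rules")" -gt 0 ]; then
        fix_source_builtin "$rules"
        # shorewall restart           # needs root; uncomment on a real system
    fi
}

# Constructed sample rules file, not a real /etc/ifw/rules.
demo() {
    sample="$(mktemp)"
    printf '%s\n' 'source /etc/ifw/start' '  source /etc/ifw/custom' \
        '. /etc/ifw/already_posix' 'echo source' > "$sample"
    before="$(count_source_lines "$sample")"
    fix_ifw_rules "$sample"
    after="$(count_source_lines "$sample")"
    echo "bash-only source lines: before=$before after=$after"
    rm -f "$sample"
}

demo
```

Running the file under dash itself (`dash fix-ifw-rules.sh`) is a quick way to confirm that nothing bash-only remains in the script either.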
@ Dave
Thanks a lot for helping and for explaining (and for all the other times you did and do that) :D

(In reply to comment #6)
> Changing the source rpm to drakx-net-1.0-1.mga2.src.rpm

This bug was filed against Mga 1, where the version is 0.97.1-2.mga1. If you confirm that it is in cauldron, too, I'll open a new bug report for that one and make this one depend on it.

Assigning to maintainer.

@ blino
Thanks a lot for helping on IRC last night even though you didn't have time :D
Keywords: (none) => PATCH
Assignee: bugsquad => mageia
Source RPM: drakx-net-1.0-1.mga2.src.rpm => drakx-net-0.97.1-2.mga1.src.rpm
Yes it's present in cauldron too.
Depends on: (none) => 3575
Well, there are quite a lot of bugs here, at least:
- the source builtin from IFW files not supported in dash (fixed in drakx-net SVN)
- the duplicate lines in shorewall config files (in Cauldron only, #3452, fixed in SVN)
- ipset syntax changed, mandi has to be adapted (I have a patch)
- the IFWLOG kernel module should be fixed on recent kernels (I have a patch), needs a new kernel package
Status: NEW => ASSIGNED
Depends on: (none) => 3596
The last missing piece for Mageia 1 is probably the IFWLOG fix I submitted in bug #3596 (waiting to be included in next kernel update). The ipset issue seems Cauldron-specific.
Closing as wontfix for Mageia 1; it is fixed in Mageia 2.
Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX