Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 40520

Summary: The default install of shorewall puts a possibly incorrect value in /etc/shorewall/policy
Product: Gentoo Linux Reporter: Matt Miller <jmatthew3>
Component: Current packagesAssignee: Martin Holzer (RETIRED) <mholzer>
Status: RESOLVED FIXED    
Severity: minor CC: andreas.w.simon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Matt Miller 2004-02-05 12:54:13 UTC 
I'm not a firewall expert, but I figured out that shorewall works when I change the /etc/shorewall/policy file's first non comment line to:

fw   net   ACCEPT

from

loc  net   ACCEPT

I'm using this on a standalone box, and I assume that "loc net ACCEPT" would allow packets from the local network to the internet.  Maybe putting both lines there would work for more people out of the box?

Reproducible: Always
Steps to Reproduce:
see details
Actual Results:  
before) shorewall broke networking
after) shorewall worked fine
Comment 1 Martin Holzer (RETIRED) gentoo-dev 2004-04-19 01:58:41 UTC 
is this fixed with 2.0.0 ?
Comment 2 Andreas Simon 2004-04-21 01:05:11 UTC 
The default policy file from shorewall 2.0.1 still has 
loc             net             ACCEPT

But this is because it matches the default zones file, where
loc is defined. The default seems to be a small network (loc) with a
demilitarized zone. But even this "default" configuration doesn't
do much because there are no rules defined.

Generally shorewall won't run on your system without configuring
first. Shorewall doesn't know if you have a standalone system, a
big network, a demilitarized zone, which ports you want to be open, which
you want closed, etc. You must configure it.

Of course the default files can be changed to work for a standalone
system right from the start if this is desired.
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2004-04-21 02:09:33 UTC 
maybe you could send this upstream
Comment 4 Andreas Simon 2004-04-21 03:03:40 UTC 
BTW the shorewall ebuild already contains the message:

"Read the documentation from http://www.shorewall.net"
"available at /usr/share/doc/${PF}/html/index.htm"
"Do not blindly start shorewall, edit the files in /etc/shorewall first"

Thus the result "shorewall broke networking" is actually expected if
it's not first configured.

Maybe it would make sense to make the last line more concrete:
"Do not blindly start shorewall, edit the files in /etc/shorewall first,
otherwise it could break your network connectivity"

I think there is really nothing to fix upstream because the default is not wrong. It just doesn't match the setup of the bug reporter.
The change the bug reporter made is btw mentioned in the Shorewall Quickstart Guides (which get installed with the documentation).
Comment 5 Martin Holzer (RETIRED) gentoo-dev 2004-07-02 01:36:01 UTC 
fixed with 2.0.3a