[opensuse-support] Installing the Shorewall lite firewall is not possible. What is wrong?
I did ask this question before on the opensuse-security list because I was thinking it is about security. One other person said that may be better to ask the question here because it is about installation. Ok. I am asking it twice on two lists! Sorry. Here it is.
Hello,
I am hoping to install Shorewall lite firewall on the remote VM. On it I am running openSUSE Leap 15.1 for production. It is just new installed. I added the most modern version repository
zypper ar https://download.opensuse.org/repositories/security:/netfilter/openSUSE_Leap... Security
zypper install shorewall-lite shorewall-init
When I install it
zypper install shorewall-lite shorewall-init
there is this problem
Problem: shorewall-init-5.2.4-242.1.noarch requires shorewall >= 5.0, but this requirement cannot be provided
  not installable providers: shorewall-5.1.12.4-lp151.2.24.noarch[Leap151OSS]
                   shorewall-5.2.4-lp151.238.1.noarch[Security]
 Solution 1: do not install shorewall-lite-5.2.4-242.1.noarch
 Solution 2: do not install shorewall-init-5.2.4-242.1.noarch
 Solution 3: break shorewall-init-5.2.4-242.1.noarch by ignoring some of its dependencies
I do not understand it. What do I do that is the problem?
Thank you for the help,
Janek
-- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
03.04.2020 21:49, JadoNena wrote:
I did ask this question before on the opensuse-security list because I was thinking it is about security.
One other person said that may be better to ask the question here because it is about installation.
Ok. I am asking it twice on two lists! Sorry.
Here it is.
Hello,
I am hoping to install Shorewall lite firewall on the remote VM.
On it I am running openSUSE Leap 15.1 for production. It is just new installed.
I added the most modern version repository
zypper ar https://download.opensuse.org/repositories/security:/netfilter/openSUSE_Leap... Security
zypper install shorewall-lite shorewall-init
When I install it
zypper install shorewall-lite shorewall-init
there is this problem
Problem: shorewall-init-5.2.4-242.1.noarch requires shorewall >= 5.0, but this requirement cannot be provided
  not installable providers: shorewall-5.1.12.4-lp151.2.24.noarch[Leap151OSS]
                   shorewall-5.2.4-lp151.238.1.noarch[Security]
 Solution 1: do not install shorewall-lite-5.2.4-242.1.noarch
 Solution 2: do not install shorewall-init-5.2.4-242.1.noarch
 Solution 3: break shorewall-init-5.2.4-242.1.noarch by ignoring some of its dependencies
I do not understand it. What do I do that is the problem?
shorewall-lite conflicts with shorewall. You cannot install both packages at the same time.
Hello
shorewall-lite conflicts with shorewall. You cannot install both packages at the same time.
From the upstream project it is no problem to INSTALL both applications at the same time. You do not RUN them at the same time. Of course.
I do not know what is the openSUSE packages decision. Why is it so that you can not install both?
But I am not doing that any way. That is not the question I am asking about.
I am asking about installing together two packages only
shorewall-lite shorewall-init
There is also no problem with this from the upstream project.
https://shorewall.org/Shorewall-init.html "Shorewall Init can be used together with any combination of the other Shorewall packages"
https://shorewall.org/manpages/shorewall-init.html "Shorewall-init is an optional package (added in Shorewall 4.4.10) that can be installed along with Shorewall, Shorewall6, Shorewall-lite and/or Shorewall6-lite."
So that is what I am asking about. Why is it a problem for openSUSE doing that?
Thank you,
Janek
03.04.2020 22:33, JadoNena wrote:
Hello
shorewall-lite conflicts with shorewall. You cannot install both packages at the same time.
From the upstream project it is no problem to INSTALL both applications at the same time. You do not RUN them at the same time. Of course.
I do not know what is the openSUSE packages decision. Why is it so that you can not install both?
I am not openSUSE shorewall maintainer. Open bug report.
But I am not doing that any way.
That is not the question I am asking about.
Still this is the correct answer.
I am asking about installing together two packages only
shorewall-lite shorewall-init
shorewall-init package requires shorewall package.
There is also no problem with this from the upstream project.
https://shorewall.org/Shorewall-init.html "Shorewall Init can be used together with any combination of the other Shorewall packages"
https://shorewall.org/manpages/shorewall-init.html "Shorewall-init is an optional package (added in Shorewall 4.4.10) that can be installed along with Shorewall, Shorewall6, Shorewall-lite and/or Shorewall6-lite."
So that is what I am asking about. Why is it a problem for openSUSE doing that?
Thank you,
Janek
I am asking about installing together two packages only shorewall-lite shorewall-init
shorewall-init package requires shorewall package.
Ok. Then that is an openSUSE only decision. For some reason.
From the upstream project it must not be like this.
It must be possible to install shorewall-lite and shorewall-init together. Will openSUSE fix this? Or is this a fixed decision and we should use another distribution if we want it? I have thought that the openSUSE follow the upstream projects. Is that not true?
Thank you,
Janel
On Fri, 03 Apr 2020 21:17:56 +0000 JadoNena <jadochneinaber@protonmail.ch> wrote:
I am asking about installing together two packages only shorewall-lite shorewall-init
shorewall-init package requires shorewall package.
Ok. Then that is an openSUSE only decision. For some reason.
From the upstream project it must not be like this.
It must be possible to install shorewall-lite and shorewall-init together.
Will openSUSE fix this? Or is this a fixed decision and we should use another distribution if we want it?
I have thought that the openSUSE follow the upstream projects. Is that not true?
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
Thank you,
Janel
Hello,
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
I tried to file the bug. The registration does not allow me with my email address. I do not know why? May be the maintainers of the shorewall for openSUSE package are here and can they make a comment?
Thank you,
Janek
On Saturday 4 April 2020 05:53:29 CEST, JadoNena wrote:
Hello,
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
I tried to file the bug. The registration does not allow me with my email address. I do not know why?
May be the maintainers of the shorewall for openSUSE package are here and can they make a comment?
Thank you,
Janek
Are you aware that openSUSE is a community project, driven by volunteers and that the world currently is in a corona crisis?
-- Gertjan Lettink a.k.a. Knurpht openSUSE Forums Team
Are you aware that openSUSE is a community project, driven by volunteers and that the world currently is in a corona crisis?
I have a friend who very sadly died from it. What that has to do with asking my question here? Stop being crazy.
On 04/03/2020 11:57 PM, Knurpht-openSUSE wrote:
On Saturday 4 April 2020 05:53:29 CEST, JadoNena wrote:
Hello,
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
I tried to file the bug. The registration does not allow me with my email address. I do not know why?
May be the maintainers of the shorewall for openSUSE package are here and can they make a comment?
Thank you,
Janek
Are you aware that openSUSE is a community project, driven by volunteers and that the world currently is in a corona crisis?
This brings up the question of EOL for Leap 15.1. Is November 2020 still the target date?
Regards, Lew
On 4/5/20 12:54 AM, Lew Wolfgang wrote:
On 04/03/2020 11:57 PM, Knurpht-openSUSE wrote:
On Saturday 4 April 2020 05:53:29 CEST, JadoNena wrote:
Hello,
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
I tried to file the bug. The registration does not allow me with my email address. I do not know why?
May be the maintainers of the shorewall for openSUSE package are here and can they make a comment?
Thank you,
Janek
Are you aware that openSUSE is a community project, driven by volunteers and that the world currently is in a corona crisis?
This brings up the question of EOL for Leap 15.1. Is November 2020 still the target date?
There isn't so much a target date for EOL as there is a target date for the next release (15.2), 15.1 will go EOL 6 months after the 15.2 release to give everyone the time they need to migrate.
Given that a large percentage of openSUSE contributors normally work remotely anyway and our infra is well placed to deal with everyone working remotely as is now the case, in most parts of the project there is still good progress being made toward 15.2 (I have it running on a machine here and all seems good). Having said that for some of the less core packages where there may only be one or two people taking care of them in their spare time have the potential to be impacted.
-- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On 04/04/2020 05.53, JadoNena wrote:
Hello,
As Andrei said, the best way to answer your questions is to file an openSUSE bug report at https://bugzilla.opensuse.org/index.cgi
I tried to file the bug. The registration does not allow me with my email address. I do not know why?
Try if something here helps: <https://en.opensuse.org/openSUSE:Submitting_bug_reports>
May be the maintainers of the shorewall for openSUSE package are here and can they make a comment?
They would if they were. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 4/4/20 7:47 AM, JadoNena wrote:
I am asking about installing together two packages only shorewall-lite shorewall-init
shorewall-init package requires shorewall package.
Ok. Then that is an openSUSE only decision. For some reason.
From the upstream project it must not be like this.
It must be possible to install shorewall-lite and shorewall-init together.
Will openSUSE fix this? Or is this a fixed decision and we should use another distribution if we want it?
I have thought that the openSUSE follow the upstream projects. Is that not true?
Generally they do, this looks like a simple mistake of shorewall-init requiring shorewall rather than shorewall-lite, this is a rare case where if you install shorewall-lite there is a fair chance you can then install shorewall-init with the --force option and it will probably work. Alternatively if shorewall-init is just some startup scripts you might be able to replicate them anyway.
After writing the above paragraph I was curious and read the spec, the init package requires "shoreline_firewall = %{version}-%{release}" and both the shorewall and shorewall-lite package have "shoreline_firewall = %{version}-%{release}" so from that logic it should work but it seems the resolver is somehow confused, I'd try a "zypper in shorewall-lite" followed by a "zypper in shorewall-init" and see if that makes it happier (otherwise just force the version), zypper could be getting confused by the multiple available versions and repo priorities, alternatively using yast you'll be able to go to the versions tab and specifically pick the right versions which may help.
I should also point out that any package you install from a 3rd party repository such as https://download.opensuse.org/repositories/security:/netfilter/openSUSE_Leap... can't be considered as part of an official openSUSE distro so we can't guarantee the quality of the package having said that it's mirrored in tumbleweed and so is likely being reviewed but it's possible that no one is testing that version on Leap 15.1
-- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
04.04.2020 15:08, Simon Lees wrote:
After writing the above paragraph I was curious and read the spec, the init package requires "shoreline_firewall = %{version}-%{release}" and both the shorewall and shorewall-lite package have "shoreline_firewall = %{version}-%{release}" so from that logic it should work but it seems the resolver is somehow confused,
shorewall-init has explicit "Requires = shorewall", so no, resolver is not confused. Also it is not clear whether Conflicts between shorewall and shorewall-lite is justified. While upstream does not recommend parallel installation, it explicitly states that it is possible. Looking at shorewall-init script, it should work with both shorewall and shorewall-lite (but requires manual configuration).
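The dependency situation described in this message, as a small added model (an example added here, not code from the thread or from the openSUSE packages). The package metadata is constructed from what the thread states, versions are ignored, and the `CAPABILITY_ONLY` variant is a hypothetical alternative, not the maintainer's actual fix.

```python
# Added example: a toy resolver over package metadata constructed from what
# the thread states. Versions are ignored; this is not the real spec file.

def make_packages(init_requires):
    """Build the three-package universe; `init_requires` is what
    shorewall-init declares under Requires."""
    return {
        "shorewall": {
            "provides": {"shorewall", "shoreline_firewall"},
            "requires": set(),
            "conflicts": set(),
        },
        "shorewall-lite": {
            "provides": {"shorewall-lite", "shoreline_firewall"},
            "requires": set(),
            "conflicts": {"shorewall"},  # "shorewall-lite conflicts with shorewall"
        },
        "shorewall-init": {
            "provides": {"shorewall-init"},
            "requires": set(init_requires),
            "conflicts": set(),
        },
    }

# As reported by zypper and by Andrei: an explicit requirement on shorewall.
AS_PACKAGED = make_packages({"shorewall"})
# Hypothetical alternative: require only the shared capability Simon quotes.
CAPABILITY_ONLY = make_packages({"shoreline_firewall"})


def has_conflict(selected, packages):
    """True if any selected package conflicts with something another provides."""
    return any(
        packages[a]["conflicts"] & packages[b]["provides"]
        for a in selected for b in selected if a != b
    )


def resolve(wanted, packages):
    """Return a conflict-free set that satisfies every Requires, or None."""
    selected = frozenset(wanted)
    if has_conflict(selected, packages):
        return None
    provided = set().union(*(packages[n]["provides"] for n in selected))
    for name in sorted(selected):
        for capability in sorted(packages[name]["requires"] - provided):
            # Try every package that provides the missing capability.
            for candidate in sorted(packages):
                if capability in packages[candidate]["provides"]:
                    result = resolve(selected | {candidate}, packages)
                    if result is not None:
                        return result
            return None  # no provider fits alongside the current selection
    return selected


if __name__ == "__main__":
    request = {"shorewall-lite", "shorewall-init"}
    print("as packaged:    ", resolve(request, AS_PACKAGED))
    print("capability only:", resolve(request, CAPABILITY_ONLY))
    print("init alone:     ", resolve({"shorewall-init"}, AS_PACKAGED))
```

On a real system the same facts can be read from the packages themselves with `rpm -q --requires`, `--provides` and `--conflicts`.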
Hello,
I have thought that the openSUSE follow the upstream projects. Is that not true?
Generally they do, this looks like a simple mistake of shorewall-init requiring shorewall rather than shorewall-lite, this is a rare case where if you install shorewall-lite there is a fair chance you can then install shorewall-init with the --force option and it will probably work. Alternatively if shorewall-init is just some startup scripts you might be able to replicate them anyway.
After writing the above paragraph I was curious and read the spec, the init package requires "shoreline_firewall = %{version}-%{release}" and both the shorewall and shorewall-lite package have "shoreline_firewall = %{version}-%{release}" so from that logic it should work but it seems the resolver is somehow confused, I'd try a "zypper in shorewall-lite" followed by a "zypper in shorewall-init" and see if that makes it happier (otherwise just force the version), zypper could be getting confused by the multiple available versions and repo priorities, alternatively using yast you'll be able to go to the versions tab and specifically pick the right versions which may help.
I should also point out that any package you install from a 3rd party repository such as https://download.opensuse.org/repositories/security:/netfilter/openSUSE_Leap... can't be considered as part of an official openSUSE distro so we can't guarantee the quality of the package having said that it's mirrored in tumbleweed and so is likely being reviewed but it's possible that no one is testing that version on Leap 15.1
Your much detail is helpful. Thank you.
The maintainer did already comment and did fix it in the package.
But many people here are saying that the Shorewall released version is not supported by openSUSE.
I understand it is a policy for the Leap 15.1 release version.
I do not think to change the policy.
But Security is important for the production distribution choice here.
So probably I will look for a distribution that is supporting it.
Thank you for the help,
Janek
On 4/4/20 9:31 AM, JadoNena wrote:
But many people here are saying that the Shorewall released version is not supported by openSUSE.
I understand it is a policy for the Leap 15.1 release version.
I do not think to change the policy.
But Security is important for the production distribution choice here.
So probably I will look for a distribution that is supporting it.
Thank you for the help,
Janek
You might consider just moving to nftables instead of using convenience layers for iptables, which is on its way out the door. It may seem more difficult at first, but for me, ended up being cleaner than jacking with Shorewall, and even UFW. If you are using a desktop environment, then you might consider firewalld [1], which supports nftables as its backend by default, at least on up-to-date Gnu+Linux. No offense to LEAP, I'm just saying I don't know if it's supported yet, and am not going to check. You may have to consult outside documentation like the arch wiki [2] or the upstream project's docs for nftables itself, if you plan not to use a GUI, as nftables doesn't seem to be documented in the openSUSE wiki.
[1]: https://en.opensuse.org/Firewalld
[2]: https://wiki.archlinux.org/index.php/Nftables
Hello,
You might consider just moving to nftables instead of using convenience layers for iptables, which is on its way out the door.
I am strong with Shorewall. Only new to openSUSE and the packages here. I can do Shorewall installation without the packages. I was hoping to use the distribution packages for making maintenance more simple. It has flexibility to do much and is working here many years now. And the documentation is very very good. I think iptables will still be here for some time. And the Shorewall team has the future in its eyes too.
Janek
On 4/4/20 10:49 AM, JadoNena wrote:
Hello,
You might consider just moving to nftables instead of using convenience layers for iptables, which is on its way out the door.
I am strong with Shorewall. Only new to openSUSE and the packages here.
I can do Shorewall installation without the packages. I was hoping to use the distribution packages for making maintenance more simple.
It has flexibility to do much and is working here many years now. And the documentation is very very good.
Whatever works for you. Just thought I'd mention it.
I think iptables will still be here for some time.
I'm sure people will continue to use iptables for many years/decades. That doesn't really contradict what I said. Maybe my slang is not 100% clear, but it's not important.
And the Shorewall team has the future in its eyes too.
Their future has already happened in this dimension. :) nftables has been ready to use for some time, and has been supported by a GUI (firewalld) already for some time, as well. This may not matter for you, if you are happy with iptables and Shorewall. That's cool.
Janek
-- Information Technology Works on the net: https://ITwrx.org on the fediverse: @ITwrx@blurts.net
And the Shorewall team has the future in its eyes too.
Their future has already happened in this dimension. :) nftables has been ready to use for some time, and has been supported by a GUI (firewalld) already for some time, as well.
There is a new shorewall team after the retiring of the original developer. They are planning for nftables support so I understand. It can take some time of course. For me I do not like so much the firewall GUI's.
Janek
On 4/5/20 1:01 AM, JadoNena wrote:
Hello,
I have thought that the openSUSE follow the upstream projects. Is that not true?
Generally they do, this looks like a simple mistake of shorewall-init requiring shorewall rather than shorewall-lite, this is a rare case where if you install shorewall-lite there is a fair chance you can then install shorewall-init with the --force option and it will probably work. Alternatively if shorewall-init is just some startup scripts you might be able to replicate them anyway.
After writing the above paragraph I was curious and read the spec, the init package requires "shoreline_firewall = %{version}-%{release}" and both the shorewall and shorewall-lite package have "shoreline_firewall = %{version}-%{release}" so from that logic it should work but it seems the resolver is somehow confused, I'd try a "zypper in shorewall-lite" followed by a "zypper in shorewall-init" and see if that makes it happier (otherwise just force the version), zypper could be getting confused by the multiple available versions and repo priorities, alternatively using yast you'll be able to go to the versions tab and specifically pick the right versions which may help.
I should also point out that any package you install from a 3rd party repository such as https://download.opensuse.org/repositories/security:/netfilter/openSUSE_Leap... can't be considered as part of an official openSUSE distro so we can't guarantee the quality of the package having said that it's mirrored in tumbleweed and so is likely being reviewed but it's possible that no one is testing that version on Leap 15.1
Your much detail is helpful. Thank you.
The maintainer did already comment and did fix it in the package.
But many people here are saying that the Shorewall released version is not supported by openSUSE.
I understand it is a policy for the Leap 15.1 release version.
I do not think to change the policy.
But Security is important for the production distribution choice here.
So probably I will look for a distribution that is supporting it.
Thank you for the help,
Well Leap is supporting it just at a slightly older version, if the newer version has security fixes then we can probably bring it into Leap. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
participants (8): Andrei Borzenkov, Carlos E. R., Dave Howorth, ITwrx, JadoNena, Knurpht-openSUSE, Lew Wolfgang, Simon Lees