shorewall_code/docs/Shorewall-4.xml

469 lines
17 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Version 4</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2007</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Shorewall version 4 is currently in development and is available for
beta testing.</para>
<para>Shorewall version 4 represents a substantial shift in direction for
Shorewall. Up to now</para>
<itemizedlist>
<listitem>
<para>Shorewall has been written entirely in Bourne Shell.</para>
</listitem>
<listitem>
<para>Shorewall ran the <command>iptables</command> utility to add
each Netfilter rule.</para>
</listitem>
</itemizedlist>
<para>Shorewall version 4 offers you a choice. You can continue to use the
existing shell-based implementation or you can use a new implementation of
the Shorewall compiler written in the Perl programming language. The new
compiler:</para>
<itemizedlist>
<listitem>
<para>has a small disk footprint</para>
</listitem>
<listitem>
<para>is very fast.</para>
</listitem>
<listitem>
<para>generates a firewall script that uses
<command>iptables-restore</command>; so the script is very
fast.</para>
</listitem>
</itemizedlist>
<para>Both compilers may be installed on your system and you can use
whichever one suits you in a particular case.</para>
</section>
<section>
<title>Installing Shorewall Version 4</title>
<para>You can download the development version of Shorewall Version 4 from
any of the download sites with the exception of SourceForge. It is
contained in the <filename
class="directory">/pub/shorewall/development/4.0</filename>
directory.</para>
<para>Shorewall 4 contains four packages:</para>
<itemizedlist>
<listitem>
<para>Shorewall-shell - the old shell-based compiler and related
components.</para>
</listitem>
<listitem>
<para>Shorewall-perl - the new Perl-based compiler. May be installed
under Shorewall 3.4.2 or later or 4.0.x.</para>
</listitem>
<listitem>
<para>Shorewall - the part of Shorewall common to both
compilers.</para>
</listitem>
<listitem>
<para>Shorewall-lite- same as the 3.4 version of Shorewall Lite. Can
run scripts generated by either Shorewall-perl or
Shorewall-shell.</para>
</listitem>
</itemizedlist>
<para>If you upgrade to Shorewall Version 4, you must install
Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
tarball for your installation, you must install Shorewall-shell and/or
Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
Shorewall.</para>
</section>
<section>
<title>Prerequisites for using the Shorewall Version 4 Perl-based
Compiler</title>
<itemizedlist>
<listitem>
<para>Perl (I use Perl 5.8.8 but other versions should work
fine)</para>
</listitem>
<listitem>
<para>Perl Cwd Module</para>
</listitem>
<listitem>
<para>Perl File::Basename Module</para>
</listitem>
<listitem>
<para>Perl File::Temp Module</para>
</listitem>
<listitem>
<para>Perl Getopt::Long Module</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</title>
<para>The Shorewall-perl compiler is not 100% compatible with the
Shorewall-shell version.</para>
<orderedlist>
<listitem>
<para>The Perl-based compiler requires the following capabilities in
your kernel and iptables.</para>
<itemizedlist>
<listitem>
<para>addrtype match (may be relaxed later)</para>
</listitem>
<listitem>
<para>multiport match (will not be relaxed)</para>
</listitem>
</itemizedlist>
<para>These capabilities are in current distributions.</para>
</listitem>
<listitem>
<para>Now that Netfilter has features to deal reasonably with port
lists, I see no reason to duplicate those features in Shorewall. The
Shorewall-shell compiler goes to great pain (in some cases) to break
very long port lists ( &gt; 15 where port ranges in lists count as two
ports) into individual rules. In the new compiler, I'm avoiding the
ugliness required to do that. The new compiler just generates an error
if your list is too long. It will also produce an error if you insert
a port range into a port list and you don't have extended multiport
support.</para>
</listitem>
<listitem>
<para>BRIDGING=Yes is not supported. The kernel code necessary to
support this option was removed in Linux kernel 2.6.20.</para>
</listitem>
<listitem>
<para>The BROADCAST column in the interfaces file is essentially
unused; if you enter anything in this column but '-' or 'detect', you
will receive a warning. This will be relaxed if and when the addrtype
match requirement is relaxed.</para>
</listitem>
<listitem>
<para>The 'refresh' command is now synonymous with 'restart'.</para>
</listitem>
<listitem>
<para>Because the compiler is now written in Perl, your compile-time
extension scripts from earlier versions will no longer work.
Compile-time extension scripts are executed using the Perl 'eval `cat
&lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
value; otherwise, the compiler will assume that the script failed and
will abort the compilation.</para>
<para>When a script is invoked, the <emphasis
role="bold">$chainref</emphasis> scalar variable will hold a reference
to a chain table entry.</para>
<simplelist>
<member><emphasis role="bold">$chainref-&gt;{name}</emphasis>
contains the name of the chain</member>
<member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
the table name</member>
</simplelist>
<para>To add a rule to the chain:</para>
<simplelist>
<member>add_rule $chainref, &lt;<replaceable>the
rule</replaceable>&gt;</member>
</simplelist>
<para>Where</para>
<simplelist>
<member>&lt;<replaceable>the rule</replaceable>&gt; is a scalar
argument holding the rule text. Do not include "-A
&lt;<replaceable>chain name</replaceable>&gt;"</member>
</simplelist>
<para>Example:</para>
<simplelist>
<member>add_rule $chainref, '-j ACCEPT';</member>
</simplelist>
<para>To insert a rule into the chain:</para>
<simplelist>
<member>insert_rule $chainref,
&lt;<replaceable>rulenum</replaceable>&gt;, &lt;<replaceable>the
rule</replaceable>&gt;</member>
</simplelist>
<para>The log_rule_limit function works like it does in the shell
compiler with two exceptions:</para>
<itemizedlist>
<listitem>
<para>You pass the chain reference rather than the name of the
chain.</para>
</listitem>
<listitem>
<para>The commands are 'add' and 'insert' rather than '-A' and
'-I'.</para>
</listitem>
<listitem>
<para>There is only a single "pass as-is to iptables" argument (so
you must quote that part</para>
</listitem>
</itemizedlist>
<para>Example:</para>
<programlisting> log_rule_limit
'info' ,
$chainref ,
$chainref-&gt;{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add'
'-p tcp '; </programlisting>
</listitem>
<listitem>
<para>The <filename>/etc/shorewall/tos</filename> file now has
zone-independent SOURCE and DEST columns as do all other files except
the rules and policy files.</para>
<para>The SOURCE column may be one of the following:</para>
<simplelist>
<member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
<member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
<member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
</simplelist>
<para>The DEST column may be one of the following:</para>
<simplelist>
<member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
<member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
</simplelist>
<para>This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. I've tried to
make the new syntax cover the most common cases without requiring
change to existing files. In particular, it will handle the tos file
released with Shorewall 1.4 and earlier.</para>
</listitem>
<listitem>
<para>Currently, support for ipsets is untested. That will change with
future pre-releases but one thing is certain -- Shorewall is now out
of the ipset load/reload business. With scripts generated by the
Perl-based Compiler, the Netfilter ruleset is never cleared. That
means that there is no opportunity for Shorewall to load/reload your
ipsets since that cannot be done while there are any current rules
using ipsets.</para>
<para>So:</para>
<orderedlist numeration="upperroman">
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You are
free to try to do that with the following code in
<filename>/etc/shorewall/start</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -F
ipset -X
ipset -R &lt; /etc/shorewall/ipsets
fi</programlisting>
<para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command>
command.</para>
<para>The above will work most of the time but will fail in a
<command>shorewall stop</command> - <command>shorewall
start</command> sequence if you use ipsets in your routestopped
file (see below).</para>
</listitem>
<listitem>
<para>Your ipsets may not be reloaded until Shorewall is stopped
or cleared.</para>
</listitem>
<listitem>
<para>If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.</para>
</listitem>
</orderedlist>
<para>As a consequence, scripts generated by the Perl-based compiler
will ignore <filename>/etc/shorewall/ipsets</filename> and will issue
a warning if you set SAVE_IPSETS=Yes in
<filename>shorewall.conf</filename>.</para>
</listitem>
<listitem>
<para>Because the configuration files (with the exception of
<filename>/etc/shorewall/params</filename>) are now processed by the
Shorewall-perl compiler rather than by the shell, only the basic forms
of Shell expansion ($variable and ${variable}) are supported. The more
exotic forms such as ${variable:=default} are not supported. Both
variables defined in /etc/shorewall/params and environmental variables
(exported by the shell) can be used in configuration files.</para>
</listitem>
<listitem>
<para>USE_ACTIONS=No is not supported. That option is intended to
minimize Shorewall's footprint in embedded applications. As a
consequence, Default Macros are not supported.</para>
</listitem>
<listitem>
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of
<command>iptables-restore</command>.</para>
</listitem>
<listitem>
<para>MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.</para>
</listitem>
<listitem>
<para>The pre Shorewall-3.0 format of the zones file is not supported;
neither is the <filename>/etc/shorewall/ipsec</filename> file.</para>
</listitem>
<listitem>
<para>BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
combination doesn't work in previous versions of Shorewall so the
Perl-based compiler simply rejects it.</para>
</listitem>
<listitem>
<para>Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is consistent
between files.</para>
<para>With shorewall-shell, there is a special syntax in the SOURCE
column of /etc/shorewall/masq to designate "all traffic entering the
firewall on this interface except...".</para>
<para>Example:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...</programlisting>Shorewall-perl
uses syntax that is consistent with the rest of
Shorewall:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...</programlisting></para>
</listitem>
<listitem>
<para>The 'allowoutUPnP' built-in action is no longer supported. In
kernel 2.6.14, the Netfilter team have removed support for '-m owner
--owner-cmd' which that action depended on.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Compiler Selection</title>
<para>If you only install one compiler, then that compiler will be
used.</para>
<para>If you install both compilers, then the compiler actually used
depends on the SHOREWALL_COMPILER setting in
<filename>shorewall.conf</filename>.</para>
<para>The value of this new option can be either 'perl' or 'shell'.</para>
<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the
new compiler will be used on the system. If you add it to
<filename>shorewall.conf</filename> in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be used
when you compile from that directory.</para>
<para>If you only install one compiler, it is suggested that you do not
set SHOREWALL_COMPILER.</para>
<para>You can select the compiler to use on the command line using the 'C
option:<simplelist>
<member>'-C shell' means use the shell compiler</member>
<member>'-C perl' means use the perl compiler</member>
</simplelist>The -C option overrides the setting in
shorewall.conf.</para>
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting>Regardless
of the setting of SHOREWALL_COMPILER, there is one change in Shorewall
operation that is triggered simply by installing shorewall-perl. Your
params file will be processed during compilation with the shell's '-a'
option which causes any variables that you set or create in that file to
be automatically exported. Since the params file is processed before
shorewall.conf, using -a insures that the settings of your params
variables are available to the new compiler should its use be specified in
shorewall.conf.</para>
</section>
</article>