2007-04-13 01:04:36 +02:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
<title>Shorewall Version 4</title>
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2007</year>
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Introduction</title>
|
|
|
|
|
|
|
|
<para>Shorewall version 4 is currently in development and is available for
|
2007-05-19 16:41:19 +02:00
|
|
|
beta testing.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
|
|
|
|
<para>Shorewall version 4 represents a substantial shift in direction for
|
|
|
|
Shorewall. Up to now</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall has been written entirely in Bourne Shell.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall ran the <command>iptables</command> utility to add
|
|
|
|
each Netfilter rule.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2007-04-25 00:53:50 +02:00
|
|
|
<para>Shorewall version 4 offers you a choice. You can continue to use the
|
|
|
|
existing shell-based implementation or you can use a new implementation of
|
|
|
|
the Shorewall compiler written in the Perl programming language. The new
|
|
|
|
compiler:</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>has a small disk footprint</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>is very fast.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2007-04-13 01:10:18 +02:00
|
|
|
<para>generates a firewall script that uses
|
|
|
|
<command>iptables-restore</command>; so the script is very
|
|
|
|
fast.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>Both compilers may be installed on your system and you can use
|
|
|
|
whichever one suits you in a particular case.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Installing Shorewall Version 4</title>
|
|
|
|
|
|
|
|
<para>You can download the development version of Shorewall Version 4 from
|
|
|
|
any of the download sites with the exception of SourceForge. It is
|
|
|
|
contained in the <filename
|
2007-05-19 16:41:19 +02:00
|
|
|
class="directory">/pub/shorewall/development/4.0</filename>
|
2007-04-13 01:04:36 +02:00
|
|
|
directory.</para>
|
|
|
|
|
|
|
|
<para>Shorewall 4 contains four packages:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall-shell - the old shell-based compiler and related
|
|
|
|
components.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall-perl - the new Perl-based compiler. May be installed
|
2007-05-19 16:41:19 +02:00
|
|
|
under Shorewall 3.4.2 or later or 4.0.x.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall - the part of Shorewall common to both
|
|
|
|
compilers.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall-lite- same as the 3.4 version of Shorewall Lite. Can
|
|
|
|
run scripts generated by either Shorewall-perl or
|
|
|
|
Shorewall-shell.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>If you upgrade to Shorewall Version 4, you must install
|
|
|
|
Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
|
|
|
|
tarball for your installation, you must install Shorewall-shell and/or
|
|
|
|
Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
|
|
|
|
Shorewall.</para>
|
|
|
|
</section>
|
|
|
|
|
2007-04-13 01:45:46 +02:00
|
|
|
<section>
|
|
|
|
<title>Prerequisites for using the Shorewall Version 4 Perl-based
|
|
|
|
Compiler</title>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Perl (I use Perl 5.8.8 but other versions should work
|
|
|
|
fine)</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Perl Cwd Module</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Perl File::Basename Module</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Perl File::Temp Module</para>
|
|
|
|
</listitem>
|
2007-06-23 19:08:26 +02:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Perl Getopt::Long Module</para>
|
|
|
|
</listitem>
|
2007-04-13 01:45:46 +02:00
|
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
|
2007-04-13 01:04:36 +02:00
|
|
|
<section>
|
|
|
|
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
|
|
|
|
Compiler</title>
|
|
|
|
|
|
|
|
<para>The Shorewall-perl compiler is not 100% compatible with the
|
|
|
|
Shorewall-shell version.</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>The Perl-based compiler requires the following capabilities in
|
|
|
|
your kernel and iptables.</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>addrtype match (may be relaxed later)</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>multiport match (will not be relaxed)</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>These capabilities are in current distributions.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Now that Netfilter has features to deal reasonably with port
|
|
|
|
lists, I see no reason to duplicate those features in Shorewall. The
|
|
|
|
Shorewall-shell compiler goes to great pain (in some cases) to break
|
|
|
|
very long port lists ( > 15 where port ranges in lists count as two
|
|
|
|
ports) into individual rules. In the new compiler, I'm avoiding the
|
|
|
|
ugliness required to do that. The new compiler just generates an error
|
|
|
|
if your list is too long. It will also produce an error if you insert
|
|
|
|
a port range into a port list and you don't have extended multiport
|
|
|
|
support.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>BRIDGING=Yes is not supported. The kernel code necessary to
|
|
|
|
support this option was removed in Linux kernel 2.6.20.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The BROADCAST column in the interfaces file is essentially
|
|
|
|
unused; if you enter anything in this column but '-' or 'detect', you
|
|
|
|
will receive a warning. This will be relaxed if and when the addrtype
|
|
|
|
match requirement is relaxed.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The 'refresh' command is now synonymous with 'restart'.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2007-04-25 00:53:50 +02:00
|
|
|
<para>Because the compiler is now written in Perl, your compile-time
|
2007-04-13 01:04:36 +02:00
|
|
|
extension scripts from earlier versions will no longer work.
|
|
|
|
Compile-time extension scripts are executed using the Perl 'eval `cat
|
|
|
|
<file>`' mechanism. Be sure that each script returns a 'true'
|
|
|
|
value; otherwise, the compiler will assume that the script failed and
|
|
|
|
will abort the compilation.</para>
|
|
|
|
|
2007-04-25 00:53:50 +02:00
|
|
|
<para>When a script is invoked, the <emphasis
|
|
|
|
role="bold">$chainref</emphasis> scalar variable will hold a reference
|
|
|
|
to a chain table entry.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
|
|
|
|
<simplelist>
|
2007-04-25 00:53:50 +02:00
|
|
|
<member><emphasis role="bold">$chainref->{name}</emphasis>
|
|
|
|
contains the name of the chain</member>
|
2007-04-13 01:04:36 +02:00
|
|
|
|
2007-04-25 00:53:50 +02:00
|
|
|
<member><emphasis role="bold">$chainref->{table}</emphasis> holds
|
|
|
|
the table name</member>
|
2007-04-13 01:04:36 +02:00
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>To add a rule to the chain:</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>add_rule $chainref, <<replaceable>the
|
|
|
|
rule</replaceable>></member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>Where</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member><<replaceable>the rule</replaceable>> is a scalar
|
|
|
|
argument holding the rule text. Do not include "-A
|
|
|
|
<<replaceable>chain name</replaceable>>"</member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>add_rule $chainref, '-j ACCEPT';</member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>To insert a rule into the chain:</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>insert_rule $chainref,
|
|
|
|
<<replaceable>rulenum</replaceable>>, <<replaceable>the
|
|
|
|
rule</replaceable>></member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>The log_rule_limit function works like it does in the shell
|
|
|
|
compiler with two exceptions:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>You pass the chain reference rather than the name of the
|
|
|
|
chain.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The commands are 'add' and 'insert' rather than '-A' and
|
|
|
|
'-I'.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>There is only a single "pass as-is to iptables" argument (so
|
2007-04-25 00:53:50 +02:00
|
|
|
you must quote that part</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
<programlisting> log_rule_limit
|
|
|
|
'info' ,
|
|
|
|
$chainref ,
|
|
|
|
$chainref->{name},
|
|
|
|
'DROP' ,
|
|
|
|
'', #Limit
|
|
|
|
'' , #Log tag
|
2007-04-25 00:53:50 +02:00
|
|
|
'add'
|
|
|
|
'-p tcp '; </programlisting>
|
2007-04-13 01:04:36 +02:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>/etc/shorewall/tos</filename> file now has
|
|
|
|
zone-independent SOURCE and DEST columns as do all other files except
|
|
|
|
the rules and policy files.</para>
|
|
|
|
|
|
|
|
<para>The SOURCE column may be one of the following:</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>[<command>all</command>:]<<replaceable>address</replaceable>>[,...]</member>
|
|
|
|
|
|
|
|
<member>[<command>all</command>:]<<replaceable>interface</replaceable>>[:<<replaceable>address</replaceable>>[,...]]</member>
|
|
|
|
|
|
|
|
<member><command>$FW</command>[:<<replaceable>address</replaceable>>[,...]]</member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>The DEST column may be one of the following:</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>[<command>all</command>:]<<replaceable>address</replaceable>>[,...]</member>
|
|
|
|
|
|
|
|
<member>[<command>all</command>:]<<replaceable>interface</replaceable>>[:<<replaceable>address</replaceable>>[,...]]</member>
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
<para>This is a permanent change. The old zone-based rules have never
|
|
|
|
worked right and this is a good time to replace them. I've tried to
|
|
|
|
make the new syntax cover the most common cases without requiring
|
|
|
|
change to existing files. In particular, it will handle the tos file
|
|
|
|
released with Shorewall 1.4 and earlier.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Currently, support for ipsets is untested. That will change with
|
|
|
|
future pre-releases but one thing is certain -- Shorewall is now out
|
|
|
|
of the ipset load/reload business. With scripts generated by the
|
|
|
|
Perl-based Compiler, the Netfilter ruleset is never cleared. That
|
|
|
|
means that there is no opportunity for Shorewall to load/reload your
|
|
|
|
ipsets since that cannot be done while there are any current rules
|
|
|
|
using ipsets.</para>
|
|
|
|
|
|
|
|
<para>So:</para>
|
|
|
|
|
|
|
|
<orderedlist numeration="upperroman">
|
|
|
|
<listitem>
|
|
|
|
<para>Your ipsets must be loaded before Shorewall starts. You are
|
|
|
|
free to try to do that with the following code in
|
|
|
|
<filename>/etc/shorewall/start</filename>:</para>
|
|
|
|
|
|
|
|
<programlisting>if [ "$COMMAND" = start ]; then
|
|
|
|
ipset -U :all: :all:
|
|
|
|
ipset -F
|
|
|
|
ipset -X
|
|
|
|
ipset -R < /etc/shorewall/ipsets
|
|
|
|
fi</programlisting>
|
|
|
|
|
|
|
|
<para>The file <filename>/etc/shorewall/ipsets</filename> will
|
|
|
|
normally be produced using the <command>ipset -S</command>
|
|
|
|
command.</para>
|
|
|
|
|
|
|
|
<para>The above will work most of the time but will fail in a
|
|
|
|
<command>shorewall stop</command> - <command>shorewall
|
|
|
|
start</command> sequence if you use ipsets in your routestopped
|
|
|
|
file (see below).</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Your ipsets may not be reloaded until Shorewall is stopped
|
|
|
|
or cleared.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If you specify ipsets in your routestopped file then
|
|
|
|
Shorewall must be cleared in order to reload your ipsets.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>As a consequence, scripts generated by the Perl-based compiler
|
|
|
|
will ignore <filename>/etc/shorewall/ipsets</filename> and will issue
|
|
|
|
a warning if you set SAVE_IPSETS=Yes in
|
|
|
|
<filename>shorewall.conf</filename>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Because the configuration files (with the exception of
|
|
|
|
<filename>/etc/shorewall/params</filename>) are now processed by the
|
|
|
|
Shorewall-perl compiler rather than by the shell, only the basic forms
|
|
|
|
of Shell expansion ($variable and ${variable}) are supported. The more
|
|
|
|
exotic forms such as ${variable:=default} are not supported. Both
|
|
|
|
variables defined in /etc/shorewall/params and environmental variables
|
|
|
|
(exported by the shell) can be used in configuration files.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>USE_ACTIONS=No is not supported. That option is intended to
|
|
|
|
minimize Shorewall's footprint in embedded applications. As a
|
|
|
|
consequence, Default Macros are not supported.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
|
|
|
|
atomically loaded with one execution of
|
|
|
|
<command>iptables-restore</command>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>MAPOLDACTIONS=Yes is not supported. People should have converted
|
|
|
|
to using macros by now.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The pre Shorewall-3.0 format of the zones file is not supported;
|
|
|
|
neither is the <filename>/etc/shorewall/ipsec</filename> file.</para>
|
|
|
|
</listitem>
|
2007-04-25 00:53:50 +02:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
|
|
|
|
combination doesn't work in previous versions of Shorewall so the
|
|
|
|
Perl-based compiler simply rejects it.</para>
|
|
|
|
</listitem>
|
2007-05-19 16:41:19 +02:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall-perl has a single rule generator that is used for all
|
|
|
|
rule-oriented files. So it is important that the syntax is consistent
|
|
|
|
between files.</para>
|
|
|
|
|
|
|
|
<para>With shorewall-shell, there is a special syntax in the SOURCE
|
|
|
|
column of /etc/shorewall/masq to designate "all traffic entering the
|
|
|
|
firewall on this interface except...".</para>
|
|
|
|
|
|
|
|
<para>Example:<programlisting>#INTERFACE SOURCE ADDRESSES
|
|
|
|
eth0 eth1!192.168.4.9 ...</programlisting>Shorewall-perl
|
|
|
|
uses syntax that is consistent with the rest of
|
|
|
|
Shorewall:<programlisting>#INTERFACE SOURCE ADDRESSES
|
2007-06-23 19:08:26 +02:00
|
|
|
eth0 eth1:!192.168.4.9 ...</programlisting></para>
|
2007-05-19 16:41:19 +02:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The 'allowoutUPnP' built-in action is no longer supported. In
|
|
|
|
kernel 2.6.14, the Netfilter team have removed support for '-m owner
|
|
|
|
--owner-cmd' which that action depended on.</para>
|
|
|
|
</listitem>
|
2007-04-13 01:04:36 +02:00
|
|
|
</orderedlist>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Compiler Selection</title>
|
|
|
|
|
|
|
|
<para>If you only install one compiler, then that compiler will be
|
|
|
|
used.</para>
|
|
|
|
|
|
|
|
<para>If you install both compilers, then the compiler actually used
|
|
|
|
depends on the SHOREWALL_COMPILER setting in
|
2007-05-19 16:41:19 +02:00
|
|
|
<filename>shorewall.conf</filename>.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
|
2007-05-19 16:41:19 +02:00
|
|
|
<para>The value of this new option can be either 'perl' or 'shell'.</para>
|
|
|
|
|
|
|
|
<para>If you add 'SHOREWALL_COMPILER=perl' to
|
2007-04-13 01:04:36 +02:00
|
|
|
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the
|
|
|
|
new compiler will be used on the system. If you add it to
|
|
|
|
<filename>shorewall.conf</filename> in a separate directory (such as a
|
|
|
|
Shorewall-lite export directory) then the new compiler will only be used
|
2007-05-19 16:41:19 +02:00
|
|
|
when you compile from that directory.</para>
|
|
|
|
|
|
|
|
<para>If you only install one compiler, it is suggested that you do not
|
|
|
|
set SHOREWALL_COMPILER.</para>
|
|
|
|
|
|
|
|
<para>You can select the compiler to use on the command line using the 'C
|
|
|
|
option:<simplelist>
|
|
|
|
<member>'-C shell' means use the shell compiler</member>
|
|
|
|
|
|
|
|
<member>'-C perl' means use the perl compiler</member>
|
|
|
|
</simplelist>The -C option overrides the setting in
|
|
|
|
shorewall.conf.</para>
|
|
|
|
|
|
|
|
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting>Regardless
|
|
|
|
of the setting of SHOREWALL_COMPILER, there is one change in Shorewall
|
|
|
|
operation that is triggered simply by installing shorewall-perl. Your
|
|
|
|
params file will be processed during compilation with the shell's '-a'
|
|
|
|
option which causes any variables that you set or create in that file to
|
|
|
|
be automatically exported. Since the params file is processed before
|
|
|
|
shorewall.conf, using -a insures that the settings of your params
|
|
|
|
variables are available to the new compiler should its use be specified in
|
|
|
|
shorewall.conf.</para>
|
2007-04-13 01:04:36 +02:00
|
|
|
</section>
|
|
|
|
</article>
|