2009-03-01 20:46:30 +01:00
|
|
|
Shorewall 4.3.7
|
2009-02-26 17:34:31 +01:00
|
|
|
|
|
|
|
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
|
|
|
|
released late in 2009.
|
2008-12-07 19:17:26 +01:00
|
|
|
|
2008-12-17 22:06:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
2009-02-27 17:52:31 +01:00
|
|
|
R E L E A S E 4 . 3 H I G H L I G H T S
|
2008-12-17 22:06:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
2008-12-13 21:45:23 +01:00
|
|
|
|
2009-02-24 00:39:46 +01:00
|
|
|
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
|
|
|
|
has been combined with Shorewall-common to produce a single
|
|
|
|
Shorewall package.
|
|
|
|
|
|
|
|
2) The interfaces file OPTIONs have been extended to largely remove the
|
2009-02-27 17:52:31 +01:00
|
|
|
need for the hosts file.
|
|
|
|
|
|
|
|
3) It is now possible to define PREROUTING and OUTPUT marking rules
|
|
|
|
that cause new connections to use the same provider as an existing
|
|
|
|
connection of the same kind.
|
|
|
|
|
2009-03-06 21:25:59 +01:00
|
|
|
4) Dynamic Zone support is once again available for IPv4; ipset support is
|
|
|
|
required in your kernel and in iptables.
|
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
|
|
|
M I G R A T I O N I S S U E S
|
|
|
|
----------------------------------------------------------------------------
|
2009-02-26 17:34:31 +01:00
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
|
|
|
|
'shorewall6 clear' commands no longer read the 'routestopped'
|
|
|
|
file. The 'routestopped' file used is the one that was present at
|
|
|
|
the last 'start', 'restart' or 'restore' command.
|
2009-02-26 17:34:31 +01:00
|
|
|
|
2009-03-16 19:01:42 +01:00
|
|
|
2) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
|
|
|
|
in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.3 documentation
|
|
|
|
uses the new syntax exclusively, although the old syntax
|
|
|
|
continues to be supported.
|
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
|
|
|
P R O B L E M S C O R R E C T E D I N 4 . 3 . 7
|
|
|
|
----------------------------------------------------------------------------
|
2008-12-28 18:52:28 +01:00
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
|
|
|
|
and 4.3 versions.
|
2009-02-26 17:53:33 +01:00
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
The problem:
|
2009-02-27 02:17:59 +01:00
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
a) Only occurs when there are more than one non-firewall zone.
|
|
|
|
b) Results in the following interface options not being applied to
|
2009-03-01 20:46:30 +01:00
|
|
|
forwarded traffic.
|
2009-02-27 02:17:59 +01:00
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
blacklist
|
|
|
|
dhcp
|
|
|
|
maclist (when MACLIST_TABLE=filter)
|
|
|
|
norfc1918
|
|
|
|
nosmurfs
|
|
|
|
tcpflags
|
2009-03-05 17:18:58 +01:00
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
2) Matt LaPlante reported a problem whereby a valid DNAT- rule was
|
|
|
|
badly mis-handled.
|
2009-03-05 17:18:58 +01:00
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
The rule:
|
2009-03-05 17:18:58 +01:00
|
|
|
|
|
|
|
DNAT- loc net:1.2.3.4:2525 tcp 25
|
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
The result:
|
2009-03-05 17:18:58 +01:00
|
|
|
|
|
|
|
WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
|
|
|
|
Can't call method "inet_htoa" without a package or object reference at
|
|
|
|
/usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
|
|
|
|
<$currentfile> line 459.
|
|
|
|
|
2009-03-07 21:22:20 +01:00
|
|
|
3) Previously, OPTIONS were not allowed with a bridge port in
|
|
|
|
/etc/shorewall/interfaces. That oversight has been corrected and
|
|
|
|
now the following OPTIONS are allowed:
|
|
|
|
|
|
|
|
blacklist
|
|
|
|
maclist
|
|
|
|
norfc1918
|
|
|
|
nosmurfs
|
|
|
|
routeback
|
|
|
|
tcpflags
|
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
|
|
|
K N O W N P R O B L E M S R E M A I N I N G
|
|
|
|
----------------------------------------------------------------------------
|
2008-12-28 18:52:28 +01:00
|
|
|
|
2009-02-22 18:43:56 +01:00
|
|
|
None.
|
2009-02-21 18:21:51 +01:00
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
2009-03-16 19:01:42 +01:00
|
|
|
N E W F E A T U R E S I N 4 . 3 . 7
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
2009-02-27 17:52:31 +01:00
|
|
|
|
2009-03-02 04:25:16 +01:00
|
|
|
1) The file /var/lib/shorewall/.restore has been renamed to
|
|
|
|
/var/lib/shorewall/firewall. A similar change has been made in
|
|
|
|
Shorewall6.
|
|
|
|
|
|
|
|
When a successful start or restart is completed, the script that
|
2009-03-06 21:25:59 +01:00
|
|
|
executed the command copies itself to to
|
|
|
|
/var/lib/shorewall[6/firewall.
|
|
|
|
|
|
|
|
2) Dynamic zone support is once again available for IPv4. This support
|
|
|
|
is built on top of ipsets so you must have installed the
|
|
|
|
xtable-addons.
|
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
Dynamic zones are available when Shorewall-lite is used as well.
|
|
|
|
|
2009-03-06 21:25:59 +01:00
|
|
|
Note that the dynamic zone support built into Shorewall provides no
|
|
|
|
additional functionality over what is provided by simply defining a
|
|
|
|
zone in terms of an ipset (see
|
|
|
|
http://www1.shorewall.net/ipsets.html#Dynamic).
|
|
|
|
|
|
|
|
You define a zone as having dynamic content in one of two ways:
|
|
|
|
|
|
|
|
- By specifying nets=dynamic in the OPTIONS column of an entry for
|
|
|
|
the zone in /etc/shorewall/interfaces; or
|
|
|
|
|
|
|
|
- By specifying <interface>:dynamic in the HOST(S) column of an
|
|
|
|
entry for the zone in /etc/shorewall/hosts.
|
|
|
|
|
|
|
|
When there are any dynamic zones present in your configuration,
|
2009-03-06 21:43:46 +01:00
|
|
|
Shorewall (Shorewall-lite) will:
|
2009-03-06 21:25:59 +01:00
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
a) Execute the following commands during 'shorewall start' or
|
|
|
|
'shorewall-lite start'.
|
2009-03-06 21:25:59 +01:00
|
|
|
|
|
|
|
ipset -U :all: :all:
|
|
|
|
ipset -U :all: :default:
|
|
|
|
ipset -F
|
|
|
|
ipset -X
|
|
|
|
ipset -R < ${VARDIR}/ipsets.save
|
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
where $VARDIR normally contains /var/lib/shorewall
|
|
|
|
(/var/lib/shorewall-lite) but may be modified by
|
|
|
|
/etc/shorewall/vardir (/etc/shorewall-lite/vardir).
|
|
|
|
|
2009-03-06 21:25:59 +01:00
|
|
|
|
|
|
|
b) During 'start', 'restart' and 'restore' processing, Shorewall
|
|
|
|
will then attempt to create an ipset named <zone>_<interface>
|
|
|
|
for each zone/interface pair that has been specified as
|
|
|
|
dynamic. The type of ipset created is 'iphash' so that only
|
|
|
|
individual IPv4 addresses may be added to the set.
|
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
c) Execute the following commands during 'shorewall stop' or
|
|
|
|
'shorewall-lite stop':
|
2009-03-06 21:25:59 +01:00
|
|
|
|
|
|
|
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
|
|
|
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
|
|
|
|
fi
|
|
|
|
|
|
|
|
The 'shorewall add' and 'shorewall delete' commands are supported
|
|
|
|
with their original syntax:
|
|
|
|
|
|
|
|
add <interface>[:<host-list>] ... <zone>
|
|
|
|
|
|
|
|
delete <interface>[:<host-list>] ... <zone>
|
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
In addition, the 'show dynamic' command is added that lists the dynamic
|
2009-03-06 21:25:59 +01:00
|
|
|
content of a zone.
|
|
|
|
|
2009-03-06 21:43:46 +01:00
|
|
|
show dynamic <zone>
|
|
|
|
|
|
|
|
These commands are supported by shorewall-lite as well.
|
2009-02-21 18:21:51 +01:00
|
|
|
|
2009-03-01 20:46:30 +01:00
|
|
|
----------------------------------------------------------------------------
|
|
|
|
N E W F E A T U R E S IN 4 . 3
|
|
|
|
----------------------------------------------------------------------------
|
2009-02-24 00:39:46 +01:00
|
|
|
|
|
|
|
1) The Shorewall packaging has been completely revamped in Shorewall
|
2009-02-27 17:52:31 +01:00
|
|
|
4.3.
|
2009-02-24 00:39:46 +01:00
|
|
|
|
|
|
|
The new packages are:
|
|
|
|
|
|
|
|
- Shorewall. Includes the former Shorewall-common and
|
|
|
|
Shorewall-perl packages. Includes everything needed
|
|
|
|
to create an IPv4 firewall.
|
|
|
|
|
|
|
|
- Shorewall6. Requires Shorewall. Adds the components necessary to
|
|
|
|
create an IPv6 firewall.
|
|
|
|
|
|
|
|
- Shorewall-lite
|
|
|
|
|
|
|
|
May be installed on a firewall system to run
|
|
|
|
IPv4 firewall scripts generated by Shorewall.
|
|
|
|
|
|
|
|
- Shorewall6-lite
|
|
|
|
|
|
|
|
May be installed on a firewall system to run
|
|
|
|
IPv6 firewall scripts generated by Shorewall.
|
|
|
|
|
|
|
|
2) The interfaces file supports a new 'nets=' option. This option
|
|
|
|
allows users to restrict a zone's definition to particular networks
|
|
|
|
through an interface without having to use the hosts file.
|
|
|
|
|
|
|
|
Example interfaces file:
|
|
|
|
|
|
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
|
|
|
|
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
|
|
|
|
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
|
|
|
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
|
|
|
loc tun+ detect nets=172.20.0.0/24
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
|
|
|
|
|
|
Note that when more than one network address is listed, the list
|
|
|
|
must be enclosed in parentheses. Notice also that exclusion may be
|
|
|
|
used.
|
|
|
|
|
|
|
|
The first entry in the above interfaces file is equivalent to the
|
|
|
|
following:
|
|
|
|
|
|
|
|
interfaces:
|
|
|
|
|
|
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
- eth0 detect dhcp,logmartians=1,routefilter=1
|
|
|
|
|
|
|
|
hosts:
|
|
|
|
|
|
|
|
#ZONE HOST(S) OPTIONS
|
|
|
|
loc $INT_IF:192.20.1.0/24 broadcast
|
|
|
|
|
|
|
|
Note that the 'broadcast' option is automatically assumed and need
|
|
|
|
not be explicitly specified.
|
2009-02-25 18:39:32 +01:00
|
|
|
|
|
|
|
3) Some websites run applications that require multiple connections
|
|
|
|
from a client browser. Where multiple 'balanced' providers are
|
|
|
|
configured, this can lead to problems when some of the connections
|
|
|
|
are routed through one provider and some through another.
|
|
|
|
|
|
|
|
To work around this issue, the SAME target has been added to
|
2009-02-25 22:04:17 +01:00
|
|
|
/etc/shorewall/tcrules. SAME may be used in the PREROUTING and
|
|
|
|
OUTPUT chains. When used in PREROUTING, it causes matching
|
|
|
|
connections from an individual local system to all use the same
|
|
|
|
provider.
|
2009-02-25 18:39:32 +01:00
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
SAME:P 192.168.1.0/24 - tcp 80,443
|
|
|
|
|
|
|
|
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
|
|
|
|
443 and it has sent a packet on either of those ports in the last
|
2009-02-25 22:04:17 +01:00
|
|
|
five minutes then the new connection will use the same provider as
|
2009-02-25 18:39:32 +01:00
|
|
|
the connection over which that last packet was sent.
|
2009-02-25 22:04:17 +01:00
|
|
|
|
|
|
|
When used in the OUTPUT chain, it causes all matching connections
|
|
|
|
to an individual remote system to all use the same provider.
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
SAME $FW - tcp 80,443
|
|
|
|
|
|
|
|
If the firewall attempts a connection on TCP port 80 or
|
|
|
|
443 and it has sent a packet on either of those ports in the last
|
|
|
|
five minutes to the same remote system then the new connection will
|
|
|
|
use the same provider as the connection over which that last packet
|
|
|
|
was sent.
|
2009-02-26 00:47:38 +01:00
|
|
|
|
|
|
|
Important note: SAME only works with providers that have the
|
|
|
|
'track' option specified in /etc/shorewall/providers.
|
|
|
|
|