diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 02dffb08f..b61feffb4 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -97,6 +97,9 @@ sub generate_script_1() {
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
+ my $lib = find_file 'lib.private';
+
+ copy1 $lib, emit "\n" if -f $lib;
 for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
 emit "\nrun_${exit}_exit() {";
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 3940d2b5e..ecc231ca6 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -79,6 +79,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 push_indent
 pop_indent
 copy
+ copy1
 create_temp_aux_config
 finalize_aux_config
 set_shorewall_dir
@@ -1088,6 +1089,8 @@ sub copy1( $ ) {
 close IF;
 }
+
+ $lastlineblank = 0;
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 0c8990cae..549687c91 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -115,7 +115,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( ) {
- my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
+ my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
 if ( $interfacelist eq 'COMMENT' ) {
 process_comment;
@@ -183,6 +183,7 @@ sub process_one_masq( )
 # Handle Mark
 #
 $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+ $baserule .= do_user( $user ) if $user ne '-';
 for my $fullinterface (split_list $interfacelist, 'interface' ) {
 my $rule = '';
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 6bd21b2e1..ff04bbfef 100644
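Review bot: The `-f $lib` test on the added `copy1 $lib, emit "\n" if -f $lib;` line only checks that lib.private exists before its contents are pasted verbatim into the generated firewall script, which Shorewall runs with root privileges; nothing here verifies that the file is owned by root or is not writable by group/others, so a loosely-permissioned lib.private anywhere on the config search path (find_file presumably walks CONFIG_PATH) becomes root code execution at the next start. The install.sh in this commit creates /etc/shorewall/lib.private as 0600, which suggests that is the intent, so the compiler could enforce it before copying: `fatal_error "$lib must not be writable by group or others" if ( stat $lib )[2] & 022;`. The comma-expression form is also easy to misread; `if ( -f $lib ) { copy1 $lib; emit "\n" }` says the same thing plainly. generate_script_1 starts before this hunk and continues after it.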
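Review bot: The new `$baserule .= do_user( $user ) if $user ne '-';` line turns the USER/GROUP column into an owner match on the nat POSTROUTING rule, and the commit's manpage promises that only locally-generated connections will then match; that promise is not safe for negated entries such as `!joe` or `!:kids`, because whether the kernel's owner match returns true or false for a packet with no local socket (forwarded traffic) depends on the xt_owner implementation, and on kernels where a negated match succeeds for socketless packets a `!user` masq entry silently widens to all forwarded traffic. At minimum the line deserves a comment, e.g. `# owner match: a negated entry may also match forwarded (socketless) packets on some kernels`, and it may be worth refusing the `!` form here with `fatal_error "Negation is not supported in the masq USER/GROUP column" if $user =~ /^!/;` until the behaviour is pinned down. do_user is defined outside this hunk, and process_one_masq continues beyond it.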
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -116,7 +116,15 @@ sub setup_route_marking() {
 my $mark = $providerref->{mark};
 my $base = uc chain_base $interface;
- add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+ if ( $providerref->{optional} ) {
+ if ( $providerref->{shared} ) {
+ add_command( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+ } else {
+ add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+ }
+
+ incr_cmd_level( $chainref );
+ }
 unless ( $marked_interfaces{$interface} ) {
 add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
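Review bot: The shared-provider branch emits `if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then`, which places a shell function call inside `[ ... ]`; `test` receives the literal word interface_is_usable and the interface name as operands, so it either rejects the argument list or evaluates a string comparison, and in neither case is the function called, leaving the optional shared provider's route-marking guard unrelated to link state. The same commit writes the guard correctly in add_a_provider as `if interface_is_usable $interface && [ -n "$variable" ]; then`; this line should match it: `add_command( $chainref, qq(if interface_is_usable $interface && [ -n "$providerref->{mac}" ]; then) );`. setup_route_marking starts before this hunk and continues after it.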
@@ -391,22 +399,25 @@ sub add_a_provider( ) {
 my $realm = '';
- if ( $optional && ! $shared ) {
- start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
- $provider_interfaces{$interface} = $table;
- }
-
+ fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
+ if ( $shared ) {
- fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
 my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 $realm = "realm $number";
 start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
- } elsif ( $gatewaycase eq 'detect' ) {
- start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ) unless $optional;
 } else {
- start_provider( $table, $number, "if interface_is_usable $interface; then" ) unless $optional;
+ if ( $optional ) {
+ start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+ } elsif ( $gatewaycase eq 'detect' ) {
+ start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+ } else {
+ start_provider( $table, $number, "if interface_is_usable $interface; then" );
+ }
+
+ $provider_interfaces{$interface} = $table;
+ emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
- }
+ }
 if ( $mark ne '-' ) {
 emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
@@ -800,7 +811,7 @@ sub handle_optional_interfaces() {
 if ( $provider ) {
 #
- # This is a provider -- get the provider table entry
+ # This interface is associated with a non-shared provider -- get the provider table entry
 #
 my $providerref = $providers{$provider};
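Review bot: The relocated check `fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};` tests the hash with the provider/table name as key, while the only store visible in this hunk uses the interface name (`$provider_interfaces{$interface} = $table;`) and the message itself reads `$provider_interfaces{$interface}`; unless the hash is also keyed by table somewhere outside this hunk, the condition can only fire when a provider happens to share its name with an interface, so the duplicate-interface guard is effectively dead. The condition should use the same key as the store and the message: `... if $provider_interfaces{$interface};`. Note too that, as far as this hunk shows, only the non-shared branch records the interface, so a non-shared provider declared after a shared one on the same interface is still accepted, which may or may not be intended. add_a_provider starts before this hunk and continues after it.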
@@ -811,7 +822,7 @@ sub handle_optional_interfaces() {
 }
 } else {
 #
- # Not a provider
+ # Not a provider interface
 #
 emit qq(if interface_is_usable $interface; then);
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ab5ab250e..55ba7613f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,14 @@ Changes in Shorewall 4.4.0-Beta2
 5) Add 'upnpclient' interface option.
+6) Fix handling of optional interfaces.
+
+7) Add 'iptrace' and 'noiptrace' command.
+
+8) Add 'USER/GROUP' column to masq file.
+
+9) Added lib.private.
+
 Changes in Shorewall 4.4.0-Beta1
 1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
diff --git a/Shorewall/configfiles/lib.private b/Shorewall/configfiles/lib.private
new file mode 100644
index 000000000..a83fba6f5
--- /dev/null
+++ b/Shorewall/configfiles/lib.private
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - lib.private File
+#
+# /etc/shorewall/lib.private
+#
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+# ###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/configfiles/masq b/Shorewall/configfiles/masq
index 9b4f38dd1..c045d8170 100644
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -7,5 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
+# GROUP
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 32cab1332..d7a11fcbc 100755
--- a/Shorewall/install.sh
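Review bot: The header of the new lib.private says the file is copied into the generated firewall script but not what that implies: everything in it is executed with the privileges of that script (root, as the 0600 mode install.sh gives the /etc copy suggests is the expectation), and it is emitted before any of the run_*_exit functions are defined. A line after the "firewall script." sentence would make the trust boundary explicit, e.g. `# Its contents run with root privileges inside the firewall script, so keep it owned by root and not writable by other users.` Since the file is meant for function declarations only, it could also warn that top-level commands placed here would presumably execute on every invocation of the generated script, not just when an extension script calls them.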
+++ b/Shorewall/install.sh
@@ -576,6 +576,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
 echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
 #
+# Install the private library file
+#
+run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
+ run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
+ echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
+fi
+#
 # Install the Started file
 #
 run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 851ec8454..7656186d7 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -149,6 +149,41 @@ None. that, like all aspects of UPnP, this is a security hole so use this option at your own risk. +2) 'iptrace' and 'noiptrace' commands have been added to both + /sbin/shorewall and /sbin/shorewall6. + + These are low-level debugging commands that cause + iptables/ip6tables TRACE log messages to be generated. See 'man + iptables' and 'man ip6tables' for details. + + The syntax for the commands is: + + iptrace + noiptrace + + iptrace starts the trace; noiptrace turns it off. + + The match expression must be an expression that is legal in both + the raw table OUTPUT and PREROUTING chains. + + Examaple: + + To trace all packets desinted for IP address 206.124.146.176: + + shorewall iptrace -d 206.124.146.176 + + To turn that trace off: + + shorewall noiptrace -d 206.124.146.176 + +3) A USER/GROUP column has been added to /etc/shorewall/masq. The + column works similarly to USER/GROUP columns in other Shorewall + configuration files. Only locally-generated traffic is matched. + +4) A new extension script, 'lib.private' has been added. This file is + intended to include declarations of shell functions that will be + called by the other run-time extension scripts. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 2c45658bb..5c62e37c7 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1454,10 +1454,12 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -2012,6 +2014,26 @@ case "$COMMAND" in shift safe_commands $@ ;; + iptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -A PREROUTING $@ -j TRACE + $IPTABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -D PREROUTING $@ -j TRACE + $IPTABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; *) usage 1 ;; diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index 63f3cf763..ece124db5 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -1371,10 +1371,12 @@ usage() # $1 = exit status echo " export [ ] [@][:]" echo " forget [ ]" echo " help" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -1857,7 +1859,26 @@ case "$COMMAND" in shift safe_commands $@ ;; - *) + iptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -A PREROUTING $@ -j TRACE + $IP6TABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -D PREROUTING $@ -j TRACE + $IP6TABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; *) usage 1 ;; diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 7105ce4d8..9f376280b 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -1321,9 +1321,10 @@ fi in the preceding section. Like many Open Source products, LSM is poorly documented. It's - main configuration file is normally kept in /etc/lsm/lsm.conf, but the - file's name is passed as an argument to the lsm program so you can - name it anything you want. + main configuration file is normally kept in + /etc/lsm/lsm.conf, but the file's name is passed + as an argument to the lsm program so you can name it anything you + want. The sample lsm.conf included with the product shows some of the possibilities for configuration. One feature 
@@ -1332,50 +1333,86 @@ fi configuration file. I personally use LSM here at shorewall.net (configuration is - described below). Here are my relevant - configuration files: + described below). I have set things up + so that Shorewall [re]starts lsm during processing of the + start and restore commands. I + don't have Shorewall restart lsm during Shorewall + restart because I restart Shorewall much more often + than the average user is likely to do. I have Shorewall start lsm + because I have a dynamic IP address from one of my providers + (Comcast); Shorewall detects the default gateway to that provider and + creates a secondary configuration file + (/etc/lsm/shorewall.conf) that contains the link + configurations. That file is included by + /etc/lsm/lsm.conf.B + + Below are my relevant configuration files. + + + These files only work with Shorewall-perl 4.4 Beta 2 and + later. + /etc/shorewall/isusable: + Note that /etc/lsm/script writes + a ${VARDIR}/xxx.status file when the status of an + interface changes. 
+ local status=0 [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status) return $status - /etc/shorewall/started: + /etc/shorewall/lib.private: ############################################################################### -# My 'restored' script calls this one if there is no lsm process running +# Create /etc/lsm/shorewall.conf +# Remove the current interface status files +# Start lsm ############################################################################### -if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then +start_lsm() { killall lsm 2> /dev/null cat <<EOF > /etc/lsm/shorewall.conf connection { name=Avvanta checkip=206.124.146.254 - device=eth0 + device=$EXT_IF ttl=2 } connection { name=Comcast - checkip=$ETH3_GATEWAY - device=eth3 + checkip=${ETH0_GATEWAY:-71.231.152.1} + device=$COM_IF ttl=1 } EOF - rm -f ${VARDIR}/*.status + rm -f /etc/shorewall/*.status /usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm -fi +} eth3 has a dynamic IP address so I need to use the - Shorewall-detected gateway address ($ETH3_GATEWAY). + Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default + value in the event that detection fails. + + /etc/shorewall/started: + + ################################################################################## +# [re]start lsm if this is a 'start' command or if lsm isn't running +################################################################################## +if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then + start_lsm +fi /etc/shorewall/restored: - if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then - run_started_exit + ################################################################################## +# Start lsm if it isn't running +################################################################################## +if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then + start_lsm fi /etc/lsm/lsm.conf: 
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index 4fa9a358d..eb30ad4d1 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -51,7 +51,18 @@ stored in the skb (socket buffer) structure used by the Linux kernel to track packets; the mark value is not part of the packet itself and cannot be seen with tcpdump, - ethereal or any other packet sniffing program. + ethereal or any other packet sniffing program. They can + be seen in an iptables/ip6tables trace -- see the + iptrace command in shorewal(8) and shorewall6(8). + + Example (output has been folded for display ): + + [11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130 + DST=206.124.146.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 + ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3 UID=0 + GID=1000 MARK=0x10082 Each active connection (even those that are not yet in ESTABLISHED state) has a mark value that is distinct from the packet marks. Connection diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml new file mode 100644 index 000000000..c74ad1d20 --- /dev/null +++ b/docs/Shorewall-4.xml @@ -0,0 +1,189 @@ + + +
+ + + + Shorewall Version 4 + + + + Tom + + Eastep + + + + + + + 2007 + + 2009 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Shorewall version 4.0 represented a substantial shift in direction + for Shorewall. Up until then + + + + Shorewall had been written entirely in Bourne Shell. + + + + Shorewall had run the iptables utility to add + each Netfilter rule. + + + + Shorewall version 4.0 offered you a choice. You could continue to + use the existing shell-based implementation or you could use a new + implementation of the Shorewall compiler written in the Perl programming + language. The new compiler: + + + + had a small disk footprint + + + + was very fast. + + + + generateed a firewall script that uses + iptables-restore; so the script was very + fast. + + + + generated better and more consistent error messages. + + + + did a much more thorough job of checking the configuration to + avoid run-time errors. + + + + supported creating either Ipv4 or Ipv6 firewalls (Shorewall + 4.2.4 and later). + + + + Both compilers could be + installed on your system and you could use whichever one suited you + in a particular case. +
+ +
+ Shorewall 4.4 + + Shorewall 4.4 (currently in Beta testing) discontinues the + availability of the legacy shell-based compiler. All users must migrate to + the perl-based compiler before or during an upgrade to Shorewall version + 4.4. We highly recommend that current users of the shell-based compiler + migrate before upgrading to 4.4 so that both compilers are available + during the migration. + + Shorewall 4.4 contains four packages: + + + + Shorewall - Everything needed + to create an IPv4 firewall. + + + + Shorewall-lite- Can run scripts + generated by Shorewall on another system. + + + + Shorewall6 - The utilities for + creating and operating an Ipv6 firewall. Requires Shorewall. + + + + Shorewall6-lite - Ipv6 + equivalent of Shorewall Lite. Can run scripts generated by Shoreall on + another system. + + +
+ +
+ Prerequisites for using the Shorewall Version 4.2/4.4 Perl-based + Compiler + + + + Perl (I use Perl 5.8.10 but other 5.8 versions should work + fine). + If you want to be able to use DNS names in your Shorewall6 + configuration files, then Perl 5.10 is required together with the + Perl Socket6 module. + + + + + Perl Cwd Module + + + + Perl File::Basename + Module + + + + Perl File::Temp Module + + + + Perl Getopt::Long Module + + + + Perl Carp Module + + + + Perl FindBin Module + + + + Perl Scalar::Util Module + + + + Please note that there are additional + requirements if you plan to install and use Shorewall6. +
+ +
+ Incompatibilities Introduced in the Shorewall Version 4 Perl-based + Compiler + + The Shorewall Perl-based compiler is not 100% compatible with the + Shorewall shell-based version. See this + document for details. +
+
diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 4c794b6b0..9623df87f 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -108,9 +108,10 @@ - DYNAMIC_ZONES=Yes is not supported. Use an ipset to define your - dytnamic zones. + DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2. + Use an ipset to define your + dytnamic zones. In Shorewall 4.4, dynamic zone support based on + ipsets was added to Shorewall. @@ -534,6 +535,20 @@ DNAT- net loc:192.168.1.3 tcp 21you instead want:#ACTION SOURCE DEST PROTO DEST PORT(S) DNAT- net 192.168.1.3 tcp 21
+ + + Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the + name of an interface there will result in a compile-time + warning: + + WARNING: Using an interface as the masq SOURCE requires the + interface to be up and configured when Shorewall + starts/restarts + + To avoid this warning, replace interface names by the + corresponding network addresses (e.g., 192.168.144.0/24). + @@ -545,10 +560,100 @@ DNAT- net 192.168.1.3 tcp 21Cygwin. + url="http://www.cygwin.com/">Cygwin. Install using the + install.sh script. +
+ Installing Shorewall Version 4.0 or 4.2 + + Shorewall 4.2 contains six packages, four of which are also included + in Shorewall 4.0: + + + + Shorewall-shell - the old + shell-based compiler and related components. + + + + Shorewall-perl - the new + Perl-based compiler. + + + + Shorewall-common - the part of + Shorewall common to both compilers. + + + + Shorewall-lite- same as the 3.4 + version of Shorewall Lite. Can run scripts generated by either + Shorewall-perl or Shorewall-shell. + + + + Shorewall6 - The utilities for + creating and operating an Ipv6 firewall. Requires Shorewall-perl and + Shorewall-common. Introduced in Shorewall 4.2.4. + + + + Shorewall6-lite - Ipv6 + equivalent of Shorewall Lite. Can run scripts generated by + Shoreall-perl 4.2.4 and later. + + + + If you upgrade to Shorewall Version 4.0 or 4.2, you must install + Shorewall-shell and/or Shorewall-perl; in fact, if you are using the + tarball for your installation, you must install Shorewall-shell and/or + Shorewall-perl before you upgrade + Shorewall. See the upgrade issues + for details. +
+ +
+ Compiler Selection (Shorewall 4.0-4.2) + + If you only install one compiler, then that compiler will be + used. + + If you install both compilers, then the compiler actually used for + IPv4 depends on the SHOREWALL_COMPILER setting in + shorewall.conf. + + The value of this new option can be either 'perl' or 'shell'. + + If you add 'SHOREWALL_COMPILER=perl' to + /etc/shorewall/shorewall.conf then by default, the + new compiler will be used on the system. If you add it to + shorewall.conf in a separate directory (such as a + Shorewall-lite export directory) then the new compiler will only be used + when you compile from that directory. + + If you only install one compiler, it is suggested that you do not + set SHOREWALL_COMPILER. + + If both compilers are installed, you can select the compiler to use + on the command line using the 'C option: + '-C shell' means use the shell compiler + + '-C perl' means use the perl compiler + The -C option overrides the setting in + shorewall.conf. + + Example:shorewall restart -C perl + + When the Shorewall-perl compiler has been selected, the + params file is processed using the shell + option which causes all variables set within the file + to be exported automatically by the shell. The Shorewall-perl compiler + uses the current environmental variables to perform variable expansion + within the other Shorewall configuration files. +
+
The Shorewall Perl Modules diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 082f80433..acb46567d 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -69,6 +69,13 @@ The following scripts can be supplied: + + lib.private -- Intended to contain + declarations of shell functions to be called by other run-time + extension scripts. See this + article for an example of its use. + + compile -- Invoked by the rules compiler early in the compilation process. Must be written in Perl. @@ -184,6 +191,15 @@ esac completion of a successful shorewall restore and shorewall-lite restore. + + + findgw -- This script is invoked when Shorewall is attempting to + discover the gateway through a dynamic interface. The script is most + often used when the interface is managed by dhclient which has no + standardized location/name for its lease database. Scripts for use + with dhclient on several distributions are available at http://www.shorewall.net/pub/shorewall/contrib/findgw/ + If your version of Shorewall doesn't have the diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index e7882bc04..b763a36e6 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -119,9 +119,11 @@ Set of hosts that you wish to masquerade. You can specify this as an address (net or host) or as an - interface. If you give the name of an - interface, the interface must be up before you start the firewall - (Shorewall will use your main routing table to determine the + interface (use of an + interface is deprecated). If you give the name + of an interface, the interface must be up before you start the + firewall and the Shorewall rules compiler will warn you of that + fact. (Shorewall will use your main routing table to determine the appropriate addresses to masquerade). In order to exclude a address of the specified SOURCE, you may 
@@ -384,6 +386,67 @@ + + + USER/GROUP (Optional) - + [!][user-name-or-number][:group-name-or-number][+program-name] + + + Only locally-generated connections will match if this column + is non-empty. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. + + + + + + diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml index 040fb54cf..f3af8188d 100644 --- a/manpages/shorewall-tcclasses.xml +++ b/manpages/shorewall-tcclasses.xml @@ -266,10 +266,7 @@ This lets you define a classifier for the given value/mask combination of the IP packet's TOS/Precedence/DiffSrv octet - (aka the TOS byte). Please note that classifiers override all - mark settings, so if you define a classifer for a class, all - traffic having that mark will go in it regardless of any mark - set on the packet by a firewall/mangle filter. + (aka the TOS byte). diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml index cdab1e293..d8a87e0a9 100644 --- a/manpages/shorewall-tos.xml +++ b/manpages/shorewall-tos.xml @@ -1,4 +1,6 @@ + shorewall-tos 
@@ -26,38 +28,11 @@ The columns in the file are as follows. - - SOURCE - - {zone[:address]|all|$FW} - (Shorewall-shell) - - - Name of a zone declared in shorewall-zones(5), all or $FW. - - If not all or $FW, may optionally be followed by ":" and an - IP address, a MAC address, a subnet specification or the name of an - interface. - - Example: loc:192.168.2.3 - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - - SOURCE - {all|address]|all:address|$FW} (Shorewall-perl) + role="bold">$FW} If all, may optionally be @@ -73,29 +48,10 @@ - - DEST - - {zone[:address]|all} (Shorewall-shell) - - - Name of a zone declared in shorewall-zones(5) or all. - - If not all, may optionally be - followed by ":" and an IP address or a subnet specification - - Example: loc:192.168.2.3 - - - DEST - {all|address]|all:address} - (Shorewall-perl) + role="bold">all:address} Example: 192.168.2.3 @@ -213,4 +169,4 @@ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5) - \ No newline at end of file + diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 337dd37ee..876a84f7b 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -219,6 +219,19 @@ choice="plain">address1address2 + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall @@ -279,6 +292,19 @@ address + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall 
@@ -835,6 +861,25 @@ + + iptrace + + + This is a low-level debugging command that causes iptables + TRACE log records to be created. See iptables(8) for details. + + The iptables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. + + The trace records are written to the kernel's log buffer with + faciility = kernel and priority = warning, and they are routed from + there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- + Shorewall has no control over where the messages go; consult your + logging daemon's documentation. + + + load @@ -919,6 +964,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh @@ -1350,9 +1408,9 @@ version - Displays Shorewall's version. If the - option is included, the versions of Shorewall-shell and/or - Shorewall-perl will also be displayed. + Displays Shorewall's version. The option + is included for compatibility with earlier Shorewall releases and is + ignored. diff --git a/manpages6/shorewall6-tcclasses.xml b/manpages6/shorewall6-tcclasses.xml index ac0d258f3..50187ac47 100644 --- a/manpages6/shorewall6-tcclasses.xml +++ b/manpages6/shorewall6-tcclasses.xml @@ -260,10 +260,7 @@ This lets you define a classifier for the given value/mask combination of the IP packet's TOS/Precedence/DiffSrv octet - (aka the TOS byte). Please note that classifiers override all - mark settings, so if you define a classifer for a class, all - traffic having that mark will go in it regardless of any mark - set on the packet by a firewall/mangle filter. + (aka the TOS byte). diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 56a79bbd3..b2509fd7e 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml 
@@ -144,6 +144,19 @@ + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -204,6 +217,19 @@ address + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -670,12 +696,22 @@ - hits + iptrace - Generates several reports from Shorewall6 log messages in the - current log file. If the option is included, the - reports are restricted to log messages generated today. + This is a low-level debugging command that causes iptables + TRACE log records to be created. See ip6tables(8) for + details. + + The ip6tables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. + + The trace records are written to the kernel's log buffer with + faciility = kernel and priority = warning, and they are routed from + there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- + Shorewall has no control over where the messages go; consult your + logging daemon's documentation. @@ -763,6 +799,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh @@ -1163,7 +1212,7 @@ Displays Shorewall6's version. If the - option is included, the version of Shorewall-perl will also be + option is included, the version of Shorewall will also be displayed. diff --git a/web/News.htm b/web/News.htm index b9cc43bce..7e8f69dae 100644 --- a/web/News.htm +++ b/web/News.htm @@ -23,9 +23,13 @@ license is included in the section entitled GNU Free Documentation License".

-

June 14, 2009
+

June 18, 2009


+

2009-06-18 Shorewall 4.2.10
+

+
Problems corrected in Shorewall 4.2.10

1) A 'large quantum' warning log message during restart has been
eliminated. The log message occurred when an interface with a large
OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2) When a REJECT rule included a log entry, the disposition in the log
message was incorrectly shown as 'reject' rather than 'REJECT'.

3) When 'forward' was specified on one or more interfaces in
/etc/shorewall6/interfaces, the progress message "Compiling
Interface forwarding..." was issued multiple times. Now, only one
instance of the message is generated.

4) A typing error in the IPv6 two-interface sample shorewall6.conf
file has been corrected. This error prevented the compiler from
being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:

blacklist
maclist
norfc1918
tcpflags

2) Shorewall-shell generates inversion rules which produce
warnings with iptables 1.4.3.

Example:

iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

with iptables 1.4.3.1 the following information message is produced:

Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).

We don't intend to fix this. It's time to migrate to Shorewall-perl
anyway.

New Features in Shorewall 4.2.10

1) Shorewall's suppport for dynamic gateways on interfaces managed by
dhclient works on OpenSuSE systems but not on some other
distributions.

In order to generalize support for learning the gateway for dynamic
interfaces, a new 'findgw' extension script (user exit) has been
added.

The exit will be invoked in a function that has a single argument:

$1 = <name of an interface>

If the function can determine the gateway for the passed interface,
it should write the gateway to standard out. Here is a sample
/etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
Lenny:

if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
tail -n 1 |\
while read j1 j2 gateway; do\
echo $gateway | sed 's/;//';\
done
fi

The same code works on Ubuntu Jaunty if you replace the first '.'
with '-' and replace '.leases' with '.lease' (don't you just love
the consistency between distributions?).

That code also works on CentOS if you replace 'dhcp3' by
'dhclient'.

'findgw' files that have been customized for various distributions
may be found at
http://www.shorewall.net/pub/shorewall/contrib/findgw.
+

2009-06-13 Shorewall 4.4.0 Beta 1

Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
diff --git a/web/download.htm b/web/download.htm
index 97ece8490..55333344e 100644
--- a/web/download.htm
+++ b/web/download.htm
@@ -38,7 +38,7 @@

-
2009-06-14 +
2009-06-19

Package Information

Before trying to install, we strongly urge you to read and print a
@@ -66,7 +66,8 @@ shake out the bugs in the next stable release. For additional information, see this article about the Shorewall Release Model.
-

In Shorewall version 4.0.*, there are four related +

In Shorewall version 4.0.*, +there are four related packages:

  • Shorewall-shell -- the
@@ -87,7 +88,8 @@ light-weight Shorewall version that will run compiled firewall scripts generated on a system with one of the compiler packages installed.
-In Shorewall version 4.2.*, there are two additional +In Shorewall version 4.2.*, +there are two additional packages that provide IPv6 support:
  • Shorewall6 -- Provides
@@ -101,7 +103,8 @@ run compiled firewall scripts generated on a system with Shorewall6 installed.
-In Shorewall version 4.4.*, +In Shorewall version 4.4.*, +the Shorewall-common, Shorewall-shell and Shorewall-perl packages are discontinued and replaced with a single Shorewall package which combined the functions of Shorewall-common and Shorewall-perl. The shell-based
@@ -137,6 +140,11 @@ or both of the compilers on a single administrative system and install Shorewall-lite and/or Shorewall6-lite on the firewalls. Doing so will allow for centralized administration and configuration of the firewalls.
+
  • When RPM is used to install Shorewall, the compiler +(shorewall-shell +and/or shorewall-perl) and shorewall-common must be installed in a +single execution of the +rpm utility.
  • If you are installing Shorewall 4.4 or later:
    •
@@ -153,11 +161,6 @@ configuration of the firewalls.
    -

    When RPM is used to install Shorewall, the compiler (shorewall-shell -and/or shorewall-perl) and shorewall-common must be installed in a -single execution of the -rpm utility.
    -

    Here are the installation instructions.

    Distribution-specific Download Sites

    Once you've printed the appropriate QuickStart Guide, download the
@@ -215,7 +218,7 @@ stable release are available from the package maintainer's If you run Ubuntu, Benjamin Montgomery maintains a repository for
-Hardy Heron.
    +Hardy Heron and Jaunty Jackalope.

  • If you run -


    2009-06-14
    +
    2009-06-20
    +

    Attention Shorewall-shell users
    +

    Current Shorewall Releases

    @@ -58,13 +60,13 @@ Stable Release
    -
@@ -91,14 +93,14 @@ Release
    4.2.9 + 4.2.10 (includes IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known Problems
    4.4.0 -Beta 1
    +Beta 2
    Release + href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt">Release Notes
    Known + href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/known_problems.txt">Known Problems