mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Shorewall 2.2.4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2076 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
de28a9c326
commit
4305dd4b2b
@ -6,7 +6,8 @@
|
||||
<title>Shorewall News</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: left;">Shorewall News Archive</h1>
|
||||
<h1 style="text-align: left;">Shorewall News and Announcements<br>
|
||||
</h1>
|
||||
<span style="font-weight: bold;">Tom Eastep<br>
|
||||
<br>
|
||||
</span>Copyright © 2001-2005 Thomas M. Eastep<br>
|
||||
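Review bot: the replacement heading `<h1 style="text-align: left;">Shorewall News and Announcements<br>` followed by `</h1>` leaves a stray `<br>` inside the `<h1>`, which renders as an empty line under the title; drop the `<br>` and close the heading on the same line, as the removed `Shorewall News Archive` line did.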
@ -18,11 +19,398 @@ Texts. A copy of the license is included in the section entitled “<span
|
||||
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
||||
Documentation License</a></span>”.<br>
|
||||
</p>
|
||||
<p>2005-04-14<br>
|
||||
<p>2005-05-02<br>
|
||||
</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><span style="font-weight: bold;"><br>
|
||||
</span><span style="font-weight: bold;">02/15/2005
|
||||
</span><span style="font-weight: bold;"></span><span
|
||||
style="font-weight: bold;">05/02/2005 Shorewall 2.2.4<br>
|
||||
</span></p>
|
||||
<p>Problems Corrected:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>The error message:<br>
|
||||
<br>
|
||||
Error: No appropriate chain for
|
||||
zone <z1> to zone <z2><br>
|
||||
<br>
|
||||
has been changed to one that is more self-explanatory:<br>
|
||||
<br>
|
||||
Error: No policy defined for zone
|
||||
<z1> to zone <z2></li>
|
||||
<li>When only an interface name appeared in the HOST(S) column of an
|
||||
/etc/shorewall/hosts file entry, a misleading iptables error message
|
||||
resulted. Now the following message is generated:<br>
|
||||
<br>
|
||||
Error: Invalid HOST(S) column
|
||||
contents: <column contents></li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>Support has been added for UPnP using linux-igd (<a
|
||||
href="http://linux-idg.sourceforge.net/">http://linux-idg.sourceforge.net</a>).
|
||||
UPnP is required by a number of popular applications including MSN IM.</li>
|
||||
</ol>
|
||||
<div style="margin-left: 40px;"><span style="font-weight: bold;">WARNING</span>:<br>
|
||||
<div style="margin-left: 40px;">From a security architecture viewpoint,
|
||||
UPnP is a disaster. It assumes that:<br>
|
||||
<ol style="list-style-type: lower-alpha;">
|
||||
<li>All local systems and their users are completely trustworthy.</li>
|
||||
<li>No local system is infected with any worm or trojan.</li>
|
||||
</ol>
|
||||
</div>
|
||||
<div style="margin-left: 40px;">If either of these assumptions are not
|
||||
true then UPnP can be used to totally defeat your firewall and to allow
|
||||
incoming connections to arbitrary local systems on any port whatsoever.<br>
|
||||
In short: <span style="font-weight: bold;">USE UPnP AT YOUR OWN RISK</span>.<br>
|
||||
</div>
|
||||
<div style="margin-left: 40px;"><br>
|
||||
</div>
|
||||
</div>
|
||||
<div style="margin-left: 40px;"><span style="font-weight: bold;">WARNING</span>:<br>
|
||||
<div style="margin-left: 40px;">The linux-igd project appears to be
|
||||
inactive and the web site does not display correctly on any open source
|
||||
browser that I've tried.<br>
|
||||
<br>
|
||||
Building and installing linux-igd is not for the faint of heart. You
|
||||
must download the source from CVS and be prepared to do quite a bit of
|
||||
fiddling with the include files from libupnp (which is required to
|
||||
build and/or run linux-igd).<br>
|
||||
<br>
|
||||
</div>
|
||||
</div>
|
||||
<div style="margin-left: 40px;">Configuring linux-igd:<br>
|
||||
<div style="margin-left: 40px;">In /etc/upnpd.conf, you will want:<br>
|
||||
<br>
|
||||
|
||||
insert_forward_rules = yes<br>
|
||||
|
||||
prerouting_chain_name = UPnP<br>
|
||||
|
||||
forward_chain_name = forwardUPnP<br>
|
||||
<br>
|
||||
</div>
|
||||
</div>
|
||||
<div style="margin-left: 40px;">Shorewall Configuration:<br>
|
||||
<div style="margin-left: 40px;">In /etc/shorewall/interfaces, you need
|
||||
the 'upnp' option on your external interface.<br>
|
||||
<br>
|
||||
If your fw->loc policy is not ACCEPT then you need this rule:<br>
|
||||
<br>
|
||||
|
||||
allowoutUPnP
|
||||
fw loc<br>
|
||||
<br>
|
||||
Note: To use 'allowoutUPnP', your iptables and kernel must support the
|
||||
'owner match' feature (see the output of "shorewall check").<br>
|
||||
<br>
|
||||
If your loc->fw policy is not ACCEPT then you need this rule:<br>
|
||||
<br>
|
||||
|
||||
allowinUPnP
|
||||
loc fw<br>
|
||||
<br>
|
||||
You MUST have this rule:<br>
|
||||
<br>
|
||||
|
||||
forwardUPnP
|
||||
net loc<br>
|
||||
<br>
|
||||
</div>
|
||||
</div>
|
||||
<div style="margin-left: 40px;"> You must also ensure that
|
||||
you have a route to 224.0.0.0/4 on you internal (local) interface.<br>
|
||||
</div>
|
||||
<ol start="2" style="list-style-type: decimal;">
|
||||
<li>A new 'started' extension script has been added. The
|
||||
difference between this extension script and /etc/shorewall/start is
|
||||
that this one is invoked after delayed loading of the blacklist
|
||||
(DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been
|
||||
created (thus signaling that the firewall is completely up.<br>
|
||||
<br>
|
||||
/etc/shorewall/started should not change the firewall configuration
|
||||
directly but may do so indirectly by running /sbin/shorewall with the
|
||||
'nolock' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>By default, shorewall is started with the "-f" (fast) option when
|
||||
your system boots. You can override that setting by setting the OPTIONS
|
||||
variable in /etc/sysconfig/shorewall (SuSE/Redhat) or
|
||||
/etc/default/shorewall (Debian/Bering). If neither file exists, feel
|
||||
free to create one or the other.<br>
|
||||
<br>
|
||||
Example: If you want Shorewall to always use the config files even if
|
||||
there is a saved configuration, then specify:<br>
|
||||
<br>
|
||||
OPTIONS=""<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall now has support for the SAME target. This change
|
||||
affects the /etc/shorewall/masq and /etc/shorewall/rules file.<br>
|
||||
<br>
|
||||
SAME is useful when you specify multiple target IP addresses (in the
|
||||
ADDRESSES column of /etc/shorewall/masq or in the DEST column of
|
||||
/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
If you use normal SNAT then multiple connections from a given local
|
||||
host to hosts on the internet can be assigned different source IP
|
||||
addresses. This confuses some applications that use multiple
|
||||
connections. To correct this problem, prefix the list of address ranges
|
||||
in the ADDRESS column with "SAME:"<br>
|
||||
<br>
|
||||
|
||||
Example: SAME:206.124.146.176-206.124.146.180<br>
|
||||
<br>
|
||||
If you want each internal system to use the same IP address from the
|
||||
list regardless of which internet host it is talking to then prefix the
|
||||
ranges with "SAME:nodst:".<br>
|
||||
<br>
|
||||
|
||||
Example: SAME:nodst:206.124.146.176-206.124.146.180<br>
|
||||
<br>
|
||||
Note that it is not possible to map port numbers when using SAME.<br>
|
||||
<br>
|
||||
In the rules file, when multiple connections from an internet host
|
||||
match a SAME rule then all of the connections will be sent to the same
|
||||
internal server. SAME rules are very similar to DNAT rules with the
|
||||
keyword SAME replacing DNAT. As in the masq file, changing the port
|
||||
number is not supported.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A "shorewall show capabilities" command has been added to report
|
||||
the capabilities of your kernel and iptables.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
gateway:~# shorewall show capabilities<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing
|
||||
/etc/shorewall/shorewall.conf...<br>
|
||||
Loading Modules...<br>
|
||||
Shorewall has detected the following
|
||||
iptables/netfilter capabilities:<br>
|
||||
|
||||
NAT: Available<br>
|
||||
|
||||
Packet Mangling: Available<br>
|
||||
|
||||
Multi-port Match: Available<br>
|
||||
|
||||
Extended Multi-port Match: Available<br>
|
||||
|
||||
Connection Tracking Match: Available<br>
|
||||
|
||||
Packet Type Match: Not available<br>
|
||||
|
||||
Policy Match: Available<br>
|
||||
|
||||
Physdev Match: Available<br>
|
||||
|
||||
IP range Match: Available<br>
|
||||
|
||||
Recent Match: Available<br>
|
||||
|
||||
Owner Match: Available<br>
|
||||
gateway:~#<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A "-v" option has been added to /sbin/shorewall. Currently, this
|
||||
option only affects the "show log" command (e.g., "shorewall -v show
|
||||
log") and the "monitor" command. In these commands, it causes the MAC
|
||||
address in the log message (if any) to be displayed. As previously,
|
||||
when "-v" is omitted, the MAC address is suppressed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/rules, a value of 'none' in either the SOURCE
|
||||
or DEST columns now causes the rule to be ignored. This is most useful
|
||||
when used with shell variables:<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
/etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
AllowFTP
|
||||
$FTP_CLIENTS fw<br>
|
||||
<br>
|
||||
When FTP_CLIENTS is set to
|
||||
'none', the above rule is ignored. Otherwise, the rule is
|
||||
evaluated and generates Netfilter rules.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The installer now detects that it is running on a Slackware
|
||||
system and adjusts the DEST and INIT variables accordingly.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><span style="font-weight: bold;">05/01/2005 Tom
|
||||
spoke at LinuxFest NW 2005 -- Bellingham Technical College,
|
||||
Bellingham Washington<br>
|
||||
</span><br>
|
||||
Tom's presentation was entitled "Shorewall and Native IPSEC" and is
|
||||
available for download <a href="http://shorewall.net/LinuxFest.pdf">here
|
||||
(PDF Format)</a>.
|
||||
<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">04/07/2005
|
||||
Shorewall 2.2.3<br>
|
||||
</span><br>
|
||||
Problems Corrected:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>If a zone is defined in /etc/shorewall/hosts using
|
||||
<interface>:!<network> in the HOSTS column then startup
|
||||
errors occur on "shorewall [re]start".</li>
|
||||
<li>Previously, if "shorewall status" was run on a system whose
|
||||
kernel lacked advanced routing support
|
||||
(CONFIG_IP_ADVANCED_ROUTER), then no routing information was
|
||||
displayed.</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>A new extension script "continue" has been added. This script is
|
||||
invoked after Shorewall has set the built-in filter chains policy to
|
||||
DROP, deleted any existing Netfilter rules and user chains and has
|
||||
enabled existing connections. It is useful for enabling certain
|
||||
communication while Shorewall is being [re]started. Be sure to delete
|
||||
any rules that you add here in your /etc/shorewall/start file.</li>
|
||||
<li>There has been ongoing confusion about how the
|
||||
/etc/shorewall/routestopped file works. People understand how it works
|
||||
with the 'shorewall stop' command but when they read that 'shorewall
|
||||
restart' is logically equivalent to 'shorewall stop' followed by
|
||||
'shorewall start' then they erroneously conclude that
|
||||
/etc/shorewall/routestopped can be used to enable new connections
|
||||
during 'shorewall restart'. Up to now, it cannot -- that file is not
|
||||
processed during either 'shorewall start' or 'shorewall restart'.<br>
|
||||
<br>
|
||||
Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
|
||||
will be processed TWICE during 'shorewall start' and during 'shorewall
|
||||
restart'. It will be processed early in the command execution to add
|
||||
rules allowing new connections while the command is running and it will
|
||||
be processed again when the command is complete to remove the rules
|
||||
added earlier.<br>
|
||||
<br>
|
||||
The result of this change will be that during most of [re]start, new
|
||||
connections will be allowed in accordance with the contents of
|
||||
/etc/shorewall/routestopped.</li>
|
||||
<li>The performance of configurations with a large numbers of entries
|
||||
in /etc/shorewall/maclist can be improved by setting the new
|
||||
MACLIST_TTL variable in /etc/shorewall/shorewall.conf.<br>
|
||||
<br>
|
||||
If your iptables and kernel support the "Recent Match" (see the output
|
||||
of "shorewall check" near the top), you can cache the results of a
|
||||
'maclist' file lookup and thus reduce the overhead associated with MAC
|
||||
Verification.<br>
|
||||
<br>
|
||||
When a new connection arrives from a 'maclist' interface, the packet
|
||||
passes through then list of entries for that interface in
|
||||
/etc/shorewall/maclist. If there is a match then the source IP address
|
||||
is added to the 'Recent' set for that interface. Subsequent connection
|
||||
attempts from that IP address occuring within $MACLIST_TTL seconds will
|
||||
be accepted without having to scan all of the entries. After
|
||||
$MACLIST_TTL from the first accepted connection request from an IP
|
||||
address, the next connection request from that IP address will be
|
||||
checked against the entire list.<br>
|
||||
<br>
|
||||
If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
be cached.</li>
|
||||
<li>You can now specify QUEUE as a policy and you can designate a
|
||||
common action for QUEUE policies in /etc/shorewall/actions. This is
|
||||
useful for sending packets to something like Snort Inline.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<span style="font-weight: bold;">03/31/2005
|
||||
Shorewall 2.0.17<br>
|
||||
<br>
|
||||
</span>Problems Corrected:<br>
|
||||
<ol>
|
||||
<li>Invoking the 'rejNotSyn' action results in an error at startup.</li>
|
||||
<li>The UDP and TCP port numbers in
|
||||
/usr/share/shorewall/action.AllowPCA were reversed.</li>
|
||||
<li>If a zone is defined in /etc/shorewall/hosts using <<span
|
||||
style="font-style: italic;">interface</span>>:!<<span
|
||||
style="font-style: italic;">network</span>> in the HOSTS column
|
||||
then startup errors occur on "shorewall [re]start".<br>
|
||||
</li>
|
||||
</ol>
|
||||
<span style="font-weight: bold;">03/12/2005
|
||||
Shorewall 2.2.2<br>
|
||||
</span><br>
|
||||
Problems Corrected:<br>
|
||||
<ol>
|
||||
<li>The SOURCE column in the /etc/shorewall/tcrules file now
|
||||
correctly allows IP ranges (assuming that your iptables and kernel
|
||||
support ranges).<br>
|
||||
</li>
|
||||
<li>If A is a user-defined action and you have file /etc/shorewall/A
|
||||
then when that file is invoked by Shorewall during [re]start, the $TAG
|
||||
value may be incorrect.</li>
|
||||
<li>Previously, if an iptables command generating a logging rule
|
||||
failed, the Shorewall [re]start was still successful. This error is now
|
||||
considered fatal and Shorewall will be either restored from the last
|
||||
save (if any) or it will be stopped.</li>
|
||||
<li>The port numbers for UDP and TCP were previously reversed in the
|
||||
/usr/share/shorewall/action.AllowPCA file.</li>
|
||||
<li>Previously, the 'install.sh' script did not update the
|
||||
/usr/share/shorewall/action.* files.</li>
|
||||
<li>Previously, when an interface name appeared in the DEST column of
|
||||
/etc/shorewall/tcrules, the name was not validated against the set of
|
||||
defined interfaces and bridge ports.<br>
|
||||
</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>The SOURCE column in the /etc/shorewall/tcrules file now allows
|
||||
$FW to be optionally followed by ":" and a host/network address or
|
||||
address range.</li>
|
||||
<li>Shorewall now clears the output device only if it is a terminal.
|
||||
This avoids ugly control sequences being placed in files when
|
||||
/sbin/shorewall output is redirected.</li>
|
||||
<li>The output from 'arp -na' has been added to the 'shorewall
|
||||
status' display.</li>
|
||||
<li>The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
|
||||
to appear in port lists handled by "multiport match". If Shorewall
|
||||
detects this capability, it will use "multiport match" for port lists
|
||||
containing port ranges. Be cautioned that each port range counts for
|
||||
TWO ports and a port list handled with "multiport match" can still
|
||||
specify a maximum of 15 ports.<br>
|
||||
<br>
|
||||
As always, if a port list in /etc/shorewall/rules is incompatible with
|
||||
"multiport match", a separate iptables rule will be generated for each
|
||||
element in the list.</li>
|
||||
<li>Traditionally, the RETURN target in the 'rfc1918' file has caused
|
||||
'norfc1918' processing to cease for a packet if the packet's source IP
|
||||
address matches the rule. Thus, if you have:<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">
|
||||
SUBNETS TARGET</span><br
|
||||
style="font-family: monospace;">
|
||||
<span style="font-family: monospace;">
|
||||
192.168.1.0/24 RETURN</span><br>
|
||||
<br>
|
||||
then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
|
||||
you also have:<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">
|
||||
SUBNETS TARGET</span><br
|
||||
style="font-family: monospace;">
|
||||
<span style="font-family: monospace;">
|
||||
10.0.0.0/8 logdrop</span><br>
|
||||
<br>
|
||||
Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to
|
||||
be logged and dropped since while the packet's source matches the
|
||||
RETURN rule, the packet's destination matches the 'logdrop' rule.<br>
|
||||
<br>
|
||||
If not specified or specified as empty (e.g., RFC1918_STRICT="") then
|
||||
RFC1918_STRICT=No is assumed.<br>
|
||||
<br>
|
||||
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||
support 'Connection Tracking' match.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<span style="font-weight: bold;"></span><span style="font-weight: bold;"></span>
|
||||
<p><span style="font-weight: bold;">02/15/2005
|
||||
Shorewall 2.2.1<br>
|
||||
<br>
|
||||
</span>This release rolls up the fixes for bugs found in the first 2-3
|
||||
|
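Review bot: the link in the UPnP item, `href="http://linux-idg.sourceforge.net/"` with anchor text `http://linux-idg.sourceforge.net`, spells the host "idg" while the project is called linux-igd everywhere else in this text; the letters look transposed and the URL should be checked against the project's real site before the page goes out. Since `insert_forward_rules = yes` with `forward_chain_name = forwardUPnP` means upnpd, not Shorewall, writes the rules in that chain, and the mandatory `forwardUPnP net loc` rule hands every net->loc packet to it, the Shorewall Configuration paragraph should say so explicitly: those rules appear in no /etc/shorewall file, which is the concrete reason behind the WARNING above it. Smaller points: the parenthesis opened at `(thus signaling that the firewall is completely up.` in the 'started' item is never closed, `(e.g, MACLIST_TTL="" or is specified as zero then` in the MACLIST_TTL item has the same problem, `If either of these assumptions are not true` should read `is not true`, and `passes through then list of entries` and `occuring` in the 2.2.3 text moved here from the index page are typos worth fixing while the text is being relocated.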
@ -9,9 +9,11 @@
|
||||
<body style="background-color: rgb(51, 102, 255); color: rgb(0, 0, 0);"
|
||||
alink="#0000ee" link="#0000ee" vlink="#551a8b">
|
||||
<a href="index.htm" target="_top" style="font-weight: bold;"><font
|
||||
color="#ffffff">Home</font></a><font color="#ffffff"><br>
|
||||
<a href="Introduction.html" style="font-weight: bold;" ;=""><font
|
||||
color="#ffffff">Introduction</font></a><br>
|
||||
color="#ffffff">Home</font></a><br>
|
||||
<a href="News.htm" style="font-weight: bold;"><font color="#ffffff">News
|
||||
and Announcements</font></a><br>
|
||||
<font color="#ffffff"><a href="Introduction.html"
|
||||
style="font-weight: bold;" ;=""><font color="#ffffff">Introduction</font></a><br>
|
||||
<a href="download.htm" style="font-weight: bold;"><font color="#ffffff">Download</font></a><font
|
||||
color="#ffffff"><br>
|
||||
<a href="Install.htm"><span style="font-weight: bold;"><font
|
||||
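Review bot: the re-added Introduction entry keeps the stray attribute `;=""` on its anchor (`<a href="Introduction.html" style="font-weight: bold;" ;=""><font`) and is now wrapped in a second `<font color="#ffffff">` nested inside the one already open after the Home link; the same nav in the other file touched by this commit uses the clean form `<a href="Introduction.html" style="color: rgb(255, 255, 255);"><span style="font-weight: bold;">Introduction</span></a>`, and the two sidebars should match.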
@ -25,8 +27,7 @@
|
||||
style="font-weight: bold;">Troubleshooting</span></font></a><font
|
||||
color="#ffffff"><br>
|
||||
<a href="support.htm"><font color="#ffffff"><span
|
||||
style="font-weight: bold;">Support</span></font></a> (Read this before
|
||||
asking for help)<br>
|
||||
style="font-weight: bold;">Getting Help</span></font></a><br>
|
||||
<font color="#ffffff"><br>
|
||||
<a href="shoreline.htm"><font color="#ffffff">About the Author</font></a><font
|
||||
color="#ffffff"> <br>
|
||||
@ -39,12 +40,10 @@ Repository</font></a><font color="#ffffff"><br>
|
||||
color="#ffffff"><br>
|
||||
<a href="shorewall_features.htm"><font color="#ffffff">Features</font></a><font
|
||||
color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="LinuxFest.pdf"><font color="#ffffff">LinuxFest NW 2005 Presentation</font></a><font
|
||||
color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="LinuxFest.pdf"><font color="#ffffff">LinuxFest NW 2005
|
||||
Presentation</font></a><font color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="shorewall_mirrors.htm"><font color="#ffffff">Mirrors</font></a><font
|
||||
color="#ffffff"> <br>
|
||||
<a href="News.htm"><font color="#ffffff">News Archive</font></a><font
|
||||
color="#ffffff"><br>
|
||||
color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="quotes.htm"><font color="#ffffff">Quotes from Users</font></a><font
|
||||
color="#ffffff"><br>
|
||||
<a href="shorewall_prerequisites.htm"><font color="#ffffff">Requirements</font></a><font
|
||||
@ -55,7 +54,7 @@ Issues</font></a><font color="#ffffff"><br>
|
||||
color="#ffffff"><br>
|
||||
<a href="Shorewall_Doesnt.html"><font color="#ffffff">What it
|
||||
Cannot Do</font></a>
|
||||
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font>
|
||||
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font>
|
||||
<ul>
|
||||
</ul>
|
||||
<p><font color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
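Review bot: the run of `</font>` closers after `Cannot Do</font></a>` grows from 19 to 21 here, and the three later hunks in this file each grow theirs from 23 to 25, to balance the `<font color="#ffffff">` openers added around the Introduction entry above; because the removed `News Archive` entry also dropped an unclosed `<font color="#ffffff">` opener, the correct count is not obvious from the diff, so run the file through an HTML validator rather than trusting the hand count.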
@ -64,12 +63,13 @@ Cannot Do</font></a>
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><a
|
||||
href="copyright.htm"><font size="2"><font color="#ffffff">Copyright ©
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><a href="copyright.htm"><font
|
||||
size="2"><font color="#ffffff">Copyright ©
|
||||
2001-2004</font></font></a><font size="2"><br>
|
||||
<a href="copyright.htm"><font size="2"><font color="#ffffff">Thomas
|
||||
M. Eastep.</font></font></a><font size="2"><br>
|
||||
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
|
||||
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
|
||||
<div style="text-align: left;">
|
||||
<div style="text-align: left;"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
@ -79,9 +79,10 @@ M. Eastep.</font></font></a><font size="2"><br>
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
size="2"><a href="http://www.shorewall.net" target="_top"><img title=""
|
||||
color="#ffffff"><font color="#ffffff"><font size="2"><a
|
||||
href="http://www.shorewall.net" target="_top"><img title=""
|
||||
style="border: 0px solid ; width: 144px; height: 30px;"
|
||||
src="images/ProtectedBy.png" alt="(Protected by Shorewall)"></a></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></div>
|
||||
src="images/ProtectedBy.png" alt="(Protected by Shorewall)"></a></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></div>
|
||||
</div>
|
||||
<p><font color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
@ -90,9 +91,10 @@ M. Eastep.</font></font></a><font size="2"><br>
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
color="#ffffff"><font size="2">Please report errors on this site
|
||||
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
|
||||
size="2">Please report errors on this site
|
||||
to <a href="mailto:webmaster@shorewall.net"
|
||||
style="color: rgb(255, 255, 255);">the Webmaster.</a><br>
|
||||
<a href="copyright.htm"> </a> </font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
|
||||
<a href="copyright.htm"> </a> </font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -10,6 +10,8 @@
|
||||
alink="#0000ee" link="#0000ee" vlink="#551a8b">
|
||||
<a href="index.htm" target="_top" style="font-weight: bold;"><font
|
||||
color="#ffffff">Home</font></a><font color="#ffffff"><br>
|
||||
<a href="News.htm" style="font-weight: bold;"><font color="#ffffff">News
|
||||
and Announcements</font></a><br>
|
||||
<a href="Introduction.html" style="color: rgb(255, 255, 255);"><span
|
||||
style="font-weight: bold;">Introduction</span></a><br>
|
||||
<a href="download.htm" style="font-weight: bold;"><font color="#ffffff">Download</font></a><font
|
||||
@ -38,6 +40,8 @@ Repository</font></a><font color="#ffffff"><br>
|
||||
color="#ffffff"><br>
|
||||
<a href="shorewall_features.htm"><font color="#ffffff">Features</font></a><font
|
||||
color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="LinuxFest.pdf"><font color="#ffffff">LinuxFest NW 2005
|
||||
Presentation</font></a><font color="#ffffff"> <font color="#ffffff"><br>
|
||||
<a href="shorewall_mirrors.htm"><font color="#ffffff">Mirrors</font></a><font
|
||||
color="#ffffff"> <br>
|
||||
<a href="News.htm"><font color="#ffffff">News Archive</font></a><font
|
||||
|
@ -9,7 +9,7 @@
|
||||
<meta name="CHANGED" content="20040920;15183300">
|
||||
</head>
|
||||
<body dir="ltr" lang="en-US">
|
||||
<h1>Shorewall 2.x</h1>
|
||||
<h1><span style="font-weight: bold;"></span>Shorewall 2.x</h1>
|
||||
<p><b>Tom Eastep</b><br>
|
||||
<br>
|
||||
The information on this site applies only
|
||||
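Review bot: the replacement heading `<h1><span style="font-weight: bold;"></span>Shorewall 2.x</h1>` only inserts an empty `<span>` and renders identically to the removed `<h1>Shorewall 2.x</h1>`; this is editor noise and the line should be reverted so the diff is limited to the real changes.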
@ -28,12 +28,12 @@ to 2.x releases of Shorewall. For older versions:</p>
|
||||
target="_top">here</a>. </p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The current 2.2 Stable Release is 2.2.3 -- Here are the <a
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/releasenotes.txt">release
|
||||
<p>The current 2.2 Stable Release is 2.2.4 -- Here are the <a
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.4/releasenotes.txt">release
|
||||
notes</a> and here are the <a
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/known_problems.txt">known
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.4/known_problems.txt">known
|
||||
problems</a> and <a
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/errata/">updates</a>.<br>
|
||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.4/errata/">updates</a>.<br>
|
||||
</p>
|
||||
<p><a
|
||||
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
|
||||
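Review bot: the three bumped links all point under `http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.4/` (releasenotes.txt, known_problems.txt and errata/); confirm that directory and all three targets are published before this page goes live, since the commit message says only "Shorewall 2.2.4" and nothing in this diff creates them.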
@ -48,7 +48,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with
|
||||
no Back-Cover Texts. A copy of the license is included in the section
|
||||
entitled “<a href="GnuCopyright.htm" target="_self">GNU
|
||||
Free Documentation License</a>”.</p>
|
||||
<p>2005-05-01</p>
|
||||
<p>2005-05-02</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<h3>Table of Contents</h3>
|
||||
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
||||
@ -61,17 +61,7 @@ Shorewall</a><br>
|
||||
<a href="#Info">Looking for Information?</a><br>
|
||||
<a href="#Mandrake">Running
|
||||
Shorewall on Mandrake® with a two-interface setup?</a><br>
|
||||
<a href="#License">License</a></p>
|
||||
<p style="margin-bottom: 0in; margin-left: 40px;"><a href="#2_0_10">News</a></p>
|
||||
<p style="margin-left: 0.83in; margin-bottom: 0in;"><span
|
||||
style="text-decoration: underline;"></span><a href="#LinuxFest">Tom
|
||||
spoke at LinuxFest NW 2005</a><br>
|
||||
<a href="#2_2_3">Shorewall
|
||||
2.2.3</a><br>
|
||||
<a href="#2_0_17">Shorewall
|
||||
2.0.17</a><br>
|
||||
<a href="#2_2_2">Shorewall
|
||||
2.2.2</a><br>
|
||||
<a href="#License">License</a><br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"><br>
|
||||
<a href="#Leaf">Leaf</a><br>
|
||||
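Review bot: the new table-of-contents entry `<a href="#2_0_10">News</a>` points at a fragment `2_0_10` that appears nowhere in this diff, and the anchors the replaced entries used (`#LinuxFest`, `#2_2_3`, `#2_0_17`, `#2_2_2`, declared with `<a name=...>` in the in-page News section) are removed from this file in the next hunk; since that content now lives in News.htm, this entry should link to `News.htm`, as the sidebar links in this commit already do, rather than to an in-page fragment.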
@ -180,174 +170,6 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy
|
||||
of the license is included in the section entitled "GNU Free
|
||||
Documentation License". </p>
|
||||
<hr>
|
||||
<h2><a name="News"></a>News</h2>
|
||||
<span style="font-weight: bold;"><a name="LinuxFest"></a>05/01/2005 Tom
|
||||
spoke at LinuxFest NW 2005 -- Bellingham Technical College,
|
||||
Bellingham Washington<br>
|
||||
</span><br>
|
||||
Tom's presentation was entitled "Shorewall and Native IPSEC" and is
|
||||
available for download <a href="LinuxFest.pdf">here (PDF Format)</a>.
|
||||
<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;"><a name="2_2_3"></a>04/07/2005
|
||||
Shorewall 2.2.3<br>
|
||||
</span><br>
|
||||
Problems Corrected:<br>
|
||||
<ol>
|
||||
<li>If a zone is defined in /etc/shorewall/hosts using
|
||||
<interface>:!<network> in the HOSTS column then startup
|
||||
errors occur on "shorewall [re]start".</li>
|
||||
<li>Previously, if "shorewall status" was run on a system whose
|
||||
kernel lacked advanced routing support
(CONFIG_IP_ADVANCED_ROUTER), then no routing information was
displayed.</li>
</ol>
New Features:<br>
<ol>
<li>A new extension script "continue" has been added. This script is
invoked after Shorewall has set the built-in filter chains policy to
DROP, deleted any existing Netfilter rules and user chains and has
enabled existing connections. It is useful for enabling certain
communication while Shorewall is being [re]started. Be sure to delete
any rules that you add here in your /etc/shorewall/start file.</li>
<li>There has been ongoing confusion about how the
/etc/shorewall/routestopped file works. People understand how it works
with the 'shorewall stop' command but when they read that 'shorewall
restart' is logically equivalent to 'shorewall stop' followed by
'shorewall start' then they erroneously conclude that
/etc/shorewall/routestopped can be used to enable new connections
during 'shorewall restart'. Up to now, it cannot -- that file is not
processed during either 'shorewall start' or 'shorewall restart'.<br>
<br>
Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
will be processed TWICE during 'shorewall start' and during 'shorewall
restart'. It will be processed early in the command execution to add
rules allowing new connections while the command is running and it will
be processed again when the command is complete to remove the rules
added earlier.<br>
<br>
The result of this change will be that during most of [re]start, new
connections will be allowed in accordance with the contents of
/etc/shorewall/routestopped.</li>
<li>The performance of configurations with a large numbers of entries
in /etc/shorewall/maclist can be improved by setting the new
MACLIST_TTL variable in /etc/shorewall/shorewall.conf.<br>
<br>
If your iptables and kernel support the "Recent Match" (see the output
of "shorewall check" near the top), you can cache the results of a
'maclist' file lookup and thus reduce the overhead associated with MAC
Verification.<br>
<br>
When a new connection arrives from a 'maclist' interface, the packet
passes through then list of entries for that interface in
/etc/shorewall/maclist. If there is a match then the source IP address
is added to the 'Recent' set for that interface. Subsequent connection
attempts from that IP address occuring within $MACLIST_TTL seconds will
be accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.<br>
<br>
If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
be cached.</li>
<li>You can now specify QUEUE as a policy and you can designate a
common action for QUEUE policies in /etc/shorewall/actions. This is
useful for sending packets to something like Snort Inline.<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_0_17"></a>03/31/2005
Shorewall 2.0.17<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>Invoking the 'rejNotSyn' action results in an error at startup.</li>
<li>The UDP and TCP port numbers in
/usr/share/shorewall/action.AllowPCA were reversed.</li>
<li>If a zone is defined in /etc/shorewall/hosts using <<span
style="font-style: italic;">interface</span>>:!<<span
style="font-style: italic;">network</span>> in the HOSTS column
then startup errors occur on "shorewall [re]start".<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_2"></a>03/12/2005
Shorewall 2.2.2<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>The SOURCE column in the /etc/shorewall/tcrules file now
correctly allows IP ranges (assuming that your iptables and kernel
support ranges).<br>
</li>
<li>If A is a user-defined action and you have file /etc/shorewall/A
then when that file is invoked by Shorewall during [re]start, the $TAG
value may be incorrect.</li>
<li>Previously, if an iptables command generating a logging rule
failed, the Shorewall [re]start was still successful. This error is now
considered fatal and Shorewall will be either restored from the last
save (if any) or it will be stopped.</li>
<li>The port numbers for UDP and TCP were previously reversed in the
/usr/share/shorewall/action.AllowPCA file.</li>
<li>Previously, the 'install.sh' script did not update the
/usr/share/shorewall/action.* files.</li>
<li>Previously, when an interface name appeared in the DEST column of
/etc/shorewall/tcrules, the name was not validated against the set of
defined interfaces and bridge ports.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>The SOURCE column in the /etc/shorewall/tcrules file now allows
$FW to be optionally followed by ":" and a host/network address or
address range.</li>
<li>Shorewall now clears the output device only if it is a terminal.
This avoids ugly control sequences being placed in files when
/sbin/shorewall output is redirected.</li>
<li>The output from 'arp -na' has been added to the 'shorewall
status' display.</li>
<li>The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
to appear in port lists handled by "multiport match". If Shorewall
detects this capability, it will use "multiport match" for port lists
containing port ranges. Be cautioned that each port range counts for
TWO ports and a port list handled with "multiport match" can still
specify a maximum of 15 ports.<br>
<br>
As always, if a port list in /etc/shorewall/rules is incompatible with
"multiport match", a separate iptables rule will be generated for each
element in the list.</li>
<li>Traditionally, the RETURN target in the 'rfc1918' file has caused
'norfc1918' processing to cease for a packet if the packet's source IP
address matches the rule. Thus, if you have:<br>
<br>
<span style="font-family: monospace;">
SUBNETS TARGET</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
192.168.1.0/24 RETURN</span><br>
<br>
then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
you also have:<br>
<br>
<span style="font-family: monospace;">
SUBNETS TARGET</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
10.0.0.0/8 logdrop</span><br>
<br>
Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to
be logged and dropped since while the packet's source matches the
RETURN rule, the packet's destination matches the 'logdrop' rule.<br>
<br>
If not specified or specified as empty (e.g., RFC1918_STRICT="") then
RFC1918_STRICT=No is assumed.<br>
<br>
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
support 'Connection Tracking' match.<br>
</li>
</ol>
<span style="font-weight: bold;"></span><span style="font-weight: bold;"></span>
<p><a href="News.htm">More News</a></p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net/" target="_top"><font
color="#000000"><img src="images/leaflogo.gif" name="Graphic1"
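Review bot: the MACLIST_TTL item in the 2.2.3 "New Features" list has an unbalanced parenthesis and two typos that should be fixed before this lands: `(e.g, MACLIST_TTL="" or is specified as zero then` should read `(e.g., MACLIST_TTL="") or is specified as zero, then`; "passes through then list of entries" should be "passes through the list of entries"; and "occuring within $MACLIST_TTL seconds" should be "occurring within $MACLIST_TTL seconds". Two smaller points in the same region: "a large numbers of entries" at the start of that item should be "a large number of entries", and the pair of empty `<span style="font-weight: bold;"></span>` elements just before the "More News" link encloses nothing and can be dropped.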