From 693f59b6624ec4cb1db2ed6e924a627b8a3469e1 Mon Sep 17 00:00:00 2001
From: judas_iscariote
2005-11-11
+
2005-11-18
++Problems Corrected in 3.0.1+
+ +1) If the previous firewall configuration included a policy other than + ACCEPT in the nat, mangle or raw tables then Shorewall would not set + the policy to ACCEPT. This could result in a ruleset that rejected or + dropped all traffic. + +2) The Makefile was broken such that 'make' didn't always work correctly. + +3) If the SOURCE or DEST column in a macro body was non-empty and a dash + ("-") appeared in the corresponding column of an invocation of that + macro, then an invalid rule was generated. + +4) The comments in the /etc/shorewall/blacklist file have been updated to + clarify that the PORTS column refers to destination port number/service + names. + +5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the + order of the rules generated was incorrect causing RELATED TCP connections + to not have CLAMPMSS applied. + +New Features in 3.0.1 + +1) To make the macro facility more flexible, Shorewall now examines the + contents of the SOURCE and DEST columns in both the macro body and in + the invocation and tries to create the intended rule. If the value in + the invocation appears to be an address (IP or MAC) or the name of an + ipset, then it is placed after the value in the macro body. Otherwise, + it is placed before the value in the macro body. + + Example 1: + + /etc/shorewall/macro.foo: + + PARAM - 192.168.1.5 tcp http + + /etc/shorewallrules: + + foo/ACCEPT net loc + + Effective rule: + + ACCEPT net loc:192.168.1.5 tcp http + + Example 2: + + /etc/shorewall/macro.bar: + + PARAM net loc tcp http + + /etc/shorewall/rules: + + bar/ACCEPT - 192.168.1.5 + + Effective rule: + + ACCEPT net loc:192.168.1.5 tcp http +
New Features in Shorewall 3.0.0+ 10/05/2005 +Shorewall 2.4.5
1) Error and warning messages are made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
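Review bot: in the new 3.0.1 "New Features" item 1, Example 1 labels the rules file `/etc/shorewallrules:` while Example 2 uses `/etc/shorewall/rules:`; the first is missing the slash and readers copy these paths, so fix it before this goes out. The same item says a value in the invocation that "appears to be an address (IP or MAC) or the name of an ipset" is placed after the macro body's value and anything else before it, but both examples only cover the zone-plus-address combination; add a sentence (or a third example) stating what is generated when both the macro body and the invocation carry an address, since that is the case where the heuristic decides which hosts the resulting ACCEPT rule matches. Corrected item 1 (a non-ACCEPT policy left in the nat, mangle or raw table "could result in a ruleset that rejected or dropped all traffic") would also benefit from naming which commands (start, restart, clear) now reset those policies, because that is what an administrator recovering a locked-out firewall needs to know.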
2) A new option 'critical' has been added to /etc/shorewall/routestopped. This option can be used to enable @@ -419,744 +479,6 @@ compatibility with Shorewall 3.0. In 2.4.6, the "dump" command provides the same output as the "status".
-10/05/2005 -Shorewall 2.4.5
- -
-Problems Corrected in 2.4.5
--
-09/12/2005 Shorewall 2.4.4- In previous versions, when the command is 'start', 'restart' or -'stop' then OUTPUT traffic to hosts listed in -/etc/shorewall/routestopped is not enabled if ADMINISABSENTMINDED=Yes. -That traffic is now enabled independent of the setting of -ADMINISABSENTMINDED.
-- Although it was documented that icmp types could be used in the -tcrules file, the code did not support it. Thanks to Jorge Molina, that -problem is now corrected.
-- In a multi-ISP configuration, fwmark routing rules now have a -higher priority than source IP rules. This allows entries in tcrules to -be more effective in controlling routing.
-- Previously, not all of the mangle chains were flushed during -"shorewall restart".
-
-
-Problems Corrected
--
-New Features- An incorrect comment in the /etc/shorewall/proxyarp file has been -removed.
-- The message generated when a duplicate policy has been entered is -now more informative. Previously, only the POLICY column contents -appeared in the message. Now the SOURCE, DEST and POLICY column -contents are shown.
-- Shorewall now clears the Netfilter "raw" table during "shorewall -[re]start", "shorewall stop" and "shorewall clear" processing.
-
--
-08/16/2005 Shorewall 2.4.3- Tunnel types "openvpnserver" and "openvpnclient" have been added -to reflect the introduction of client and server OpenVPN configurations -in OpenVPN 2.0.
-- The COMMAND variable is now set to 'restore' in restore scripts. -The value of this variable is sometimes of interest to programmers -providing custom /etc/shorewall/tcstart scripts.
-
-
-
-Problems Corrected:
--
-New Features:- Shorewall is no longer dependent on the 'which' utility.
-- The 'shorewall add' command failed if there existed a zone in the -configuration that specified the 'ipsec' option in /etc/shorewall/hosts.
-- Shorewall is no longer dependent on /bin/echo.
-- A CLASSIFY rule with $FW in the SOURCE column (tcrules) no -longer results in a "shorewall start" error.
-- You may now use port lists in the DEST PORT and SOURCE PORT -columns of the /etc/shorewall/accounting file.
-- The "shorewall show capabilities" command now accurately reports -the availability of "Packet type match" independent of the setting of -PKTTYPE in shorewall.conf.
-- Thanks to Tuomo Soini, all of the files have been siginificantly -cleaned up in terms of formatting and extra white-space.
-
-
--
-07/30/2005 Shorewall 2.2.6- New Allow.Submission and Allow.NTPbrd actions have been added. -Users of the Allow.NTP action that use NTP broadcasting should switch -to use of Allow.NTPbrd instead.
-- The kernel version string is now included in the output of -"shorewall status".
-
-
-
-Problems Corrected:
--
-07/21/2005 Shorewall 2.4.2- MACLIST_TTL Vulnerability fix.
-- TCP_FLAGS_LOG_LEVEL=ULOG breaks with recent versions of iptables.
-- The bogons file has been updated to reflect recent IANA -allocations.
-
-
-Problems Corrected:
--
-New Features:- The /etc/shorewall/hosts file now includes information about -defining a zone using one or more ipsets.
-- A vulnerability involving MACLIST_TTL > 0 -or MACLIST_DISPOSITION=ACCEPT has been corrected.
-- It is now possible to specify !<address> in the SUBNET -column of /etc/shorewall/masq. Previously, it was necessary to write -0.0.0.0/0!<address>.
-- When <network1>!<network2> was specified in the -SUBNET column of /etc/shorewall/masq, IPSEC policies were not correctly -applied to the resulting rules. This usually resulted in IPSEC not -working through the interface specified in the INTERFACES column.
-
-
--
-- A 'loose' provider option has been added. If you wish to be able -to use marking to specify the gateway used by connections originating -on the firewall itself, the specify 'loose' for each provider. It has -bee reported that 'loose' may break the effect of 'track' so beware if -you need 'track' functionality (you shouldn't be originating many -connections from your firewall to the net anyway).
-
-
-To use 'loose', you also need to add two entries in /etc/shorewall/masq:
-#INTERFACE SUBNET ADDRESS
-where:
- $IF_ISP1 $IP_ISP2 $IP_ISP1
- $IF_ISP2 $IP_ISP1 $IP_ISP2 -
-$IF_ISP1 is the interface to ISP 1.-
- $IF_ISP2 is the interface to ISP 2.
- $IP_ISP1 is the IP address of $IF_ISP1
- $IP_ISP2 is the IP address of $IF_ISP2 -- /sbin/shorewall now issues a warning each time that it finds that -startup is disabled.
-- A new COPY column has been added to the /etc/shorewall/providers -file. Normally, when a table name/number is given in the DUPLICATE -column, the entire table (less default routes) is copied. The COPY -column allows you to limit the routes copied to those that go through -an interface listed in COPY. For example, if you enter eth0 in -INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE then the new -table created will contain those routes through the interfaces eth0, -eth1 and eth2.
-
-
-07/17/2005 Security -vulnerability in MACLIST processing
-Description
-A security vulnerability has been discovered which affects all -supported stable versions of Shorewall. This vulnerability -enables a client accepted by MAC address filtering to bypass any other -rule. If MACLIST_TTL is set to a value greater than 0 or -MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf -(default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a client -is positively identified through its MAC address, it bypasses all other -policies/rules in place, thus gaining access to all open services on -the firewall.
-Fix
-Workaround
-For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or -MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf. For -Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in -/etc/shorewall/shorewall.conf. MACLIST filtering is of limited -value on Internet-connected hosts, and the Shorewall team recommends -this approach to be used if possible.
-Upgrade
-For Shorewall 2.4.x, a fixed version of the 'firewall' script is -available at: -http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and -http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.
-For Shorewall 2.2.x, a fixed version of the 'firewall' script is -available at: -http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and -http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.
-For Shorewall 2.0.x, a fixed version of the 'firewall' script is -available at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and -http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.
-Users of any version before 2.0.17 are urged to upgrade to a -supported version of Shorewall (preferably 2.4.1) before using the -fixed files. Only the most recent version of the 2.0.x and 2.2.x -streams will be supported by the development team, and the 1.x branches -are no longer maintained at all. Future releases of Shorewall -will include this fix.
-This information was based on Patrick -Blitz's post to the Full Disclosure mailing list. Thanks to -Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
-
-Version Upgrade
-
-The vulnerability is corrected in Shorewall 2.4.2 and in Shorewall -2.2.6.
-
-
07/13/2005 -Shorewall 2.4.1
-
-Problems Corrected:
--
-06/05/2005 Shorewall 2.4.0- Shell variables may now be used in the zones file.
-- The /usr/share/shorewall/bogons file has been updated to reflect -recent IANA allocations.
-- Shorewall now detects an error where multiple providers specify -the 'track' option on the same interface.
-- The remnants of the GATEWAY column in /etc/shorewall/interfaces -have been removed. This column appeared briefly in one of the Beta -versions and was immediately removed but some vestiges remained.
-- Shorewall now correctly restores a load-balancing default route -during processing of the 'shorewall restore' and 'shorewall -f start' -commands. The latter command is normally executed by the Shorewall init -script during reboot.
-- A log level of "None!" is now allowed on builtin actions such as -ACCEPT and DROP.
-- Previously, LIMIT:BURST parameters in /etc/shorewall/policy were -not correctly applied when the policy was QUEUE.
-- The 'chkconfig' command on FC4 and Mandriva previously created -symbolic links with incorrect names ("S-1shorewall"). The init script -has been changed to prevent this incorrect behavior.
-- DHCP traffic forwarded through a bridge could, under some -configurations, be filtered by the 'maclist' option even though the -'dhcp' option was specified. This has been corrected.
-
-
-
-Note: Because of the short time that has elapsed since the -release of Shorewall 2.2.0, Shorewall 2.0 will be supported until 1 -December 2005 or until the release of Shorewall 2.6.0, whichever occurs -first.
-
-New Features:
--
Old News here- Shorewall 2.4.0 includes support for multiple internet interfaces -to different ISPs.
-
-
-The file /etc/shorewall/providers may be used to define the different -providers. It can actually be used to define alternate routing tables -so uses like transparent proxy can use the file as well.
-
-Columns are:
-
- -NAME -The provider name.
-
- -NUMBER The -provider number -- a number between 1 and 15
-
- -MARK -A FWMARK value used in your /etc/shorewall/tcrules file to direct -packets for this provider.
-
- -DUPLICATE The name of an existing -table to duplicate. May be -'main' or the name of a previous provider.
-
- -INTERFACE The name of the network -interface to the provider. -Must be listed in/etc/shorewall/interfaces.
-
- -GATEWAY The IP address -of the provider's gateway router. If you enter "detect" here then -Shorewall
- -will attempt to determine -the gateway IP address automatically.
-
- -OPTIONS A -comma-separated list selected from the following:
-
- -track If specified, connections FROM this interface are - to be tracked so that -responses may be
- -routed back out this same -interface.
-
- -You want specify 'track' if internet hosts will be connecting to local servers through
- -this provider.
-
- -Because of limitations in the 'ip' utility and policy routing, you may not use the -SAVE or
- -RESTORE tcrules options or use connectionmarking on any traffic to or from this
- -interface. For traffic control purposes, you must mark packets in the FORWARD chain -(or
- -better yet, use the CLASSIFY target).
-
- -balance The providers that have 'balance' specified will get outbound traffic load-balanced -among
- -them. By default, all -interfaces with 'balance' specified will have the same weight (1).
- -You can change theweight -of the route out of the interface by specifiying balance=<weight>
- -where <weight> isthe -desired route weight.
-
- Example: You run squid in -your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2
-
- -#NAME NUMBER MARK DUPLICATE INTERFACE -GATEWAY OPTIONS
- -Squid 1 -1 -- -eth2 192.168.2.99 -
-
-Use of this feature requires that your kernel and iptabls support -CONNMARK target and conntrack match support. It does NOT require the -ROUTE target extension.
-
-WARNING: The current version of iptables (1.3.1) is broken with respect -to CONNMARK and iptables-save/iptables-restore. This means that if you -configure multiple ISPs, "shorewall restore" may fail. You must patch -your iptables using the patch at -http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
-
-- Shorewall 2.3.0 supports the 'cmd-owner' option of the owner -match facility in Netfilter. Like all owner match options, 'cmd-owner' -may only be applied to traffic that originates on the firewall.
-
-
-The syntax of the USER/GROUP column in the following files has been -extended:
-
- /etc/shorewall/accounting
- /etc/shorewall/rules
- /etc/shorewall/tcrules
- -/usr/share/shorewall/action.template
-
-To specify a command, prefix the command name with "+".
-
- Examples:
-
- -+mozilla-bin -#The program is named "mozilla-bin"
- -joe+mozilla-bin #The -program is named "mozilla-bin" and
- -#is being run by user "joe"
- -joe:users+mozilla-bin #The program is named "mozilla-bin" -and
- -#is being run by user "joe" with
- -#effective group "users".
-
- Note that this is not a particularly robust feature and I -would never advertise it as a "Personal Firewall" equivalent. Using -symbolic links, it's easy to alias command names to be anything you -want.
-
-- Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/).
-
-
-In most places where a host or network address may be used, you may -also use the name of an ipset prefaced by "+".
-
- Example: "+Mirrors"
-
-The name of the set may be optionally followed by:
-
-a) a number from 1 to 6 enclosed in square brackets ([]) -- this number -indicates the maximum number of ipset binding levels that are to be -matched. Depending on the context where the ipset name is used, either -all "src" or all "dst" matches will be used.
-
- Example: "+Mirrors[4]"
-
-b) a series of "src" and "dst" options separated by commas and inclosed -in square brackets ([]). These will be passed directly to iptables in -the generated --set clause. See the ipset documentation for details.
-
- Example: -"+Mirrors[src,dst,src]"
-
-Note that "+Mirrors[4]" used in the SOURCE column of the rules file is -equivalent to "+Mirrors[src,src,src,src]".
-
-To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".
-
-Example 1: Blacklist all hosts in an ipset named "blacklist"
-
- -/etc/shorewall/blacklist
-
- -#ADDRESS/SUBNET -PROTOCOL PORT
- -+blacklist
-
-Example 2: Allow SSH from all hosts in an ipset named "sshok:
-
- -/etc/shorewall/rules
-
- -#ACTION -SOURCE DEST -PROTO DEST PORT(S)
- -ACCEPT -+sshok -fw -tcp 22
-
-Shorewall can automatically capture the contents of your ipsets for -you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf -then "shorewall save" will save the contents of your ipsets. The file -where the sets are saved is formed by taking the name where the -Shorewall configuration is stored and appending "-ipsets". So if you -enter the command "shorewall save standard" then your Shorewall -configuration will be saved in var/lib/shorewall/standard and your -ipset contents will be saved in /var/lib/shorewall/standard-ipsets. -Assuming the default RESTOREFILE setting, if you just enter "shorewall -save" then your Shorewall configuration will be saved in -/var/lib/shorewall/restore and your ipset contents will be saved in -/var/lib/shorewall/restore-ipsets.
-
-Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" and -"shorewall restore" commands will restore the ipset contents -corresponding to the Shorewall configuration restored provided that the -saved Shorewall configuration specified exists.
-
-For example, "shorewall restore standard" would restore the ipset -contents from /var/lib/shorewall/standard-ipsets provided that -/var/lib/shorewall/standard exists and is executable and that -/var/lib/shorewall/standard-ipsets exists and is executable.
-
-Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" -command will purge the saved ipset information (if any) associated with -the saved shorewall configuration being removed.
-
-You can also associate ipset contents with Shorewall configuration -directories using the following command:
-
- ipset -S > <config -directory>/ipsets
-
-Example:
-
- ipset -S > /etc/shorewall/ipsets
-
-When you start or restart Shorewall (including using the 'try' command) -from the configuration directory, your ipsets will be configured from -the saved ipsets file. Once again, this behavior is independent of the -setting of SAVE_IPSETS.
-
-Ipsets are well suited for large blacklists. You can maintain your -blacklist using the 'ipset' utility without ever having to restart or -refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be sure -to "shorewall save" after altering the blacklist ipset(s).
-
-Example /etc/shorewall/blacklist:
-
- -#ADDRESS/SUBNET -PROTOCOL PORT
- -+Blacklist[src,dst]
- -+Blacklistnets[src,dst]
-
-Create the blacklist ipsets using:
-
- ipset -N -Blacklist iphash
- ipset -N -Blacklistnets nethash
-
-Add entries
-
- ipset -A Blacklist 206.124.146.177
- ipset -A Blacklistnets -206.124.146.0/24
-
-To allow entries for individual ports
-
- ipset -N SMTP portmap --from 1 ---to 31
- ipset -A SMTP 25
-
- ipset -A Blacklist 206.124.146.177
- ipset -B Blacklist 206.124.146.177 --b SMTP
-
-Now only port 25 will be blocked from 206.124.146.177.
-
-- Shorewall 2.4.0 can now configure routing if your kernel and -iptables support the ROUTE target extension. This extension is -available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since the -Netfilter team have no intention of ever releasing the ROUTE target -extension to kernel.org.
-
-
-Routing is configured using the /etc/shorewall/routes file. Columns in -the file are as follows:
-
- -SOURCE -Source of the packet. May be any of the following:
-
-
- -- A host or network address
- -- A network interface name.
- -- The name of an ipset prefaced with "+"
- -- $FW (for packets originating on the firewall)
- -- A MAC address in Shorewall format
- -- A range of IP addresses (assuming that your kernel and iptables support range -match)
- -- A network interface name followed by ":" and an address or address range.
-
- -DEST -Destination of the packet. May be any of the following:
-
- -- A host or network address
- -- A network interface name (determined from
- -routing table(s))
- -- The name of an ipset prefaced with "+"
- -- A network interface name followed by ":"
- -and an address or address range.
-
- -PROTO -Protocol - Must be "tcp", "udp", "icmp", "ipp2p", a number, or "all". "ipp2p" -requires
- -ipp2p match support in your kernel andiptables.
-
- -PORT(S) Destination -Ports. A comma-separated list of Port names (from /etc/services), port
- -numbers or port ranges; -if the protocol is "icmp", thiscolumn is interpreted as the
- -destination icmp-type(s).
-
- -If the protocol is ipp2p, this column is interpreted as an ipp2p option without -the
- -leading "--" (example "bit" for bit-torrent). If no PORT is given, "ipp2p" is -assumed.
-
- -This column is ignored if PROTOCOL = all but must be entered if any of the following
- -field is supplied. In -that case, it is suggested that this field contain "-"
-
- -SOURCE PORT(S) (Optional) Source port(s). If omitted, any source port is acceptable. -Specified as a
- -comma-separated list of port names, port numbers or port ranges.
-
- -TEST -Defines a test on the existing packet or connection mark.
-
- -The rule will match only if the test returns true. Tests have the format
- -[!]<value>[/<mask>][:C]
-
- -Where:
-
- -! Inverts the test (not equal) - <value> Value of the -packet or
- -connection mark.
-
- -<mask> A mask to be applied to the mark before testing
- -:C Designates a connection mark. If omitted, the packet mark's value
- -is tested.
-
- -INTERFACE The interface that the -packet is to be routed out -of. If you do not specify this
- -field then you must place -"-" in this column and enter an IP address in the GATEWAY
- -column.
-
- -GATEWAY The gateway -that the packet is to be forewarded through.
-
-- Normally when Shorewall is stopped, starting or restarting then -connections are allowed from hosts listed in -/etc/shorewall/routestopped to the firewall and to other hosts listed -in /etc/shorewall/routestopped.
-
-
-A new 'source' option is added for entries in that file which will -cause Shorewall to allow traffic from the host listed in the entry to -ANY other host. When 'source' is specified in an entry, it is -unnecessary to also specify 'routeback'.
-
-Similarly, a new 'dest' option is added which will cause Shorewall to -allow traffic to the host listed in the entry from ANY other host. When -'source' is specified in an entry, it is unnecessary to also specify -'routeback'.
-
-- This change was implemented by Lorenzo Martignoni. It provides -two new commands: "safe-start" and "safe-restart".
-
-
- safe-start starts Shorewall -then prompts you to ask you if everything looks ok. If you answer "no" -or if you don't answer within 60 seconds, a "shorewall clear" is -executed.
-
- safe-restart saves your -current configuration to /var/lib/shorewall/safe-restart then issues a -"shorewall restart"; It then prompts you to ask if you if you want to -accept the new configuration. If you answer "no" or if you don't answer -within 60 seconds, the configuration is restored to its prior state.
-
-These new commands require either that your /bin/sh supports the "-t" -option to the 'read' command or that you have /bin/bash installed.
-
#INTERFACE SUBNET ADDRESS
+ $IF_ISP1 $IP_ISP2 $IP_ISP1
+ $IF_ISP2 $IP_ISP1 $IP_ISP2
+
+where:$IF_ISP1 is the interface to ISP 1.+
+ $IF_ISP2 is the interface to ISP 2.
+ $IP_ISP1 is the IP address of $IF_ISP1
+ $IP_ISP2 is the IP address of $IF_ISP2 +
A security vulnerability has been discovered which affects all +supported stable versions of Shorewall. This vulnerability +enables a client accepted by MAC address filtering to bypass any other +rule. If MACLIST_TTL is set to a value greater than 0 or +MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf +(default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a client +is positively identified through its MAC address, it bypasses all other +policies/rules in place, thus gaining access to all open services on +the firewall.
+For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf. For +Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in +/etc/shorewall/shorewall.conf. MACLIST filtering is of limited +value on Internet-connected hosts, and the Shorewall team recommends +this approach to be used if possible.
+For Shorewall 2.4.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.
+For Shorewall 2.2.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.
+For Shorewall 2.0.x, a fixed version of the 'firewall' script is +available at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and +http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.
+Users of any version before 2.0.17 are urged to upgrade to a +supported version of Shorewall (preferably 2.4.1) before using the +fixed files. Only the most recent version of the 2.0.x and 2.2.x +streams will be supported by the development team, and the 1.x branches +are no longer maintained at all. Future releases of Shorewall +will include this fix.
+This information was based on Patrick
+Blitz's post to the Full Disclosure mailing list. Thanks to
+Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
+
Version Upgrade
+
The vulnerability is corrected in Shorewall 2.4.2 and in Shorewall
+2.2.6.
+
05/02/2005 Shorewall
2.2.4
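Review bot: this hunk deletes the whole 2.4.0 through 2.4.5 history, including the /etc/shorewall/providers column reference, the ipset documentation (`ipset -N Blacklist iphash`, `+Blacklist[src,dst]` in the blacklist file, SAVE_IPSETS behaviour), the /etc/shorewall/routes columns and the safe-start/safe-restart commands, but only the MACLIST advisory paragraphs and the two-row masq table are re-added below the `#INTERFACE SUBNET ADDRESS` context line; the only remaining pointer is the context line `Old News here`, so confirm that the linked old-news page really carries the removed 2.4.0 material before merging, otherwise the multi-ISP and ipset documentation vanishes from the site. In the re-added masq text the explanation is now fused with the first definition, `+where:$IF_ISP1 is the interface to ISP 1.+`, whereas the deleted version had `-where:` on its own line; restore that line break so the table reads as intended. Separately, the header `@@ -419,744 +479,6 @@` advertises six added lines but roughly two dozen `+` lines follow before the `05/02/2005 Shorewall` context, so at least one hunk header has been lost in this copy; regenerate the patch before applying it rather than hand-fixing the counts.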
@@ -93,7 +831,7 @@
column contents: <column contents>
net Net The big bad Internet
loc Local Extended local zone @@ -1528,7 +2266,7 @@ loc Local Extended local zone /etc/shorewall/ecn produce startup errors.
openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000
openvpn:3344 net 1.2.3.4 # UDP on port 3344
@@ -1730,7 +2468,7 @@ loc Local Extended local zone "2_2_0_Beta8">12/11/2004 - Shorewall 2.2.0 Beta 8
Problems Corrected:
- +New Features:
- A typo in the /etc/shorewall/interfaces file has been @@ -1741,7 +2479,7 @@ loc Local Extended local zone was available.
- +
- Recent 2.6 kernels include code that evaluates TCP @@ -1794,7 +2532,7 @@ loc Local Extended local zone "2_2_0_Beta7">12/04/2004 - Shorewall 2.2.0 Beta 7
Problems Corrected:
- +New Features:
- The "shorewall add" and "shorewall delete" commands now @@ -1850,7 +2588,7 @@ loc Local Extended local zone was run, capabilities were mis-detected.
- +
- You can now use the "shorewall show zones" command to @@ -1922,13 +2660,13 @@ loc Local Extended local zone "2_0_13">12/02/2004 - Shorewall 2.0.13
Problems Corrected:
- +
- A typo in /usr/share/shorewall/firewall caused the "shorewall add" to issue an error message:
- +/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found@@ -1938,7 +2676,7 @@ loc Local Extended local zone "2_0_12">12/01/2004 - Shorewall 2.0.12
Problems Corrected:
- +New Features:
- A typo in shorewall.conf (NETNOTSYN) has been @@ -1992,7 +2730,7 @@ loc Local Extended local zone policies and rules. This has been corrected.
- +
- Variable expansion may now be used with the INCLUDE @@ -2019,7 +2757,7 @@ loc Local Extended local zone Beta 5 was more or less DOA. Here's Beta 6.
Problems Corrected:
- +
- Fixed a number of problems associated with not having an @@ -2033,14 +2771,14 @@ loc Local Extended local zone "2_2_0_Beta5">11/26/2004 - Shorewall 2.2.0 Beta 5
Problems corrected:
- +New Features:
- A typo in shorewall.conf (NETNOTSYN) has been corrected.
- +
- For consistency, the CLIENT PORT(S) column in the tcrules @@ -2059,7 +2797,7 @@ loc Local Extended local zone "2_0_11">11/23/2004 - Shorewall 2.0.11
Problems corrected:
- +New Features:
- The INSTALL file now include special instructions for @@ -2074,7 +2812,7 @@ loc Local Extended local zone a new install has been corrected.
- +
- The AllowNNTP action now allows NNTP over SSL/TLS @@ -2085,7 +2823,7 @@ loc Local Extended local zone "2_2_0_Beta4">11/19/2004 - Shorewall 2.2.0 Beta 4
Problems Corrected:
- +New Features:
- A cut and paste error resulted in some nonsense in the @@ -2099,7 +2837,7 @@ loc Local Extended local zone but did nothing -- now it works.
- +New Features:
- The AllowNNTP action now allows NNTP over SSL/TLS @@ -2110,7 +2848,7 @@ loc Local Extended local zone "2_2_0_Beta3">11/09/2004 - Shorewall 2.2.0 Beta 3
Problems Corrected:
- +
- Missing '#' in the rfc1918 file has been corrected.
@@ -2119,13 +2857,13 @@ loc Local Extended local zone Slackware users.
- +
- In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may now appear in the DEST column as in:
- +#MARK/ SOURCE DEST PROTO PORT(S)
#CLASSIFY
@@ -2137,7 +2875,7 @@ loc Local Extended local zone "2_2_0_Beta2">11/02/2004 - Shorewall 2.2.0 Beta 2
Problems Corrected:
- +New Features:
- The "shorewall check" command results in the (harmless) @@ -2160,7 +2898,7 @@ loc Local Extended local zone file.
- +
- The SUBNET column in /etc/shorewall/rfc1918 has been @@ -2172,7 +2910,7 @@ loc Local Extended local zone "2_0_10">10/25/2004 - Shorewall 2.0.10
Problems Corrected:
- +New Features:
- The GATEWAY column was previously ignored in 'pptpserver' @@ -2191,7 +2929,7 @@ loc Local Extended local zone
- +
- The "shorewall status" command has been enhanced to @@ -2229,7 +2967,7 @@ loc Local Extended local zone The first beta in the 2.2 series is now available. Download location is:
- +New Features:
- +. Merci Beacoup, Fabien!
- The "shorewall status" command now includes the output of @@ -3054,7 +3792,7 @@ loc Local Extended local zone
5/21/2004 - Shorewall 2.0.2c
One problem corrected:
- +Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
- DNAT rules with a dynamic source zone don't work @@ -3128,7 +3866,7 @@ loc Local Extended local zone
- +New Features:
- Extension Scripts -- In order for extension scripts to @@ -3180,7 +3918,7 @@ loc Local Extended local zone set DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
- +
- Shorewall has now been integrated with @@ -3391,13 +4129,13 @@ loc Local Extended local zone presentation was entitled "Shorewall and the Enterprise" and described - the history of Shorewall and gave an overview of its features. + the history of Shorewall and gave an overview of its features.
4/5/2004 - Shorewall 2.0.1
Problems Corrected since 2.0.0
- +
- Using actions in the manner recommended in the @@ -3418,7 +4156,7 @@ loc Local Extended local zone Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
- +New Features:
- The function of 'norfc1918' is now split between that @@ -3445,7 +4183,7 @@ loc Local Extended local zone
- +
- Support for Bridging Firewalls has been added. For @@ -3496,7 +4234,7 @@ loc Local Extended local zone
- Shorewall now traps two common zone definition errors:
- +
- Including the firewall zone in a /etc/shorewall/hosts @@ -3550,7 +4288,7 @@ loc Local Extended local zone
3/14/2004 - Shorewall 2.0.0b
Corrects two problems:
- +
- Thanks to Sean Mathews, the long-standing problem with @@ -3816,7 +4554,7 @@ loc Local Extended local zone
Corrects one problem:
Entries in /etc/shorewall/tcrules with an empty USER/GROUP - column would cause a startup error. + column would cause a startup error.
2/12/2004 - Shorewall 1.4.10b
@@ -3873,7 +4611,7 @@ loc Local Extended local zone None.
New Features:
- +
- The INTERFACE column in the /etc/shorewall/masq file may @@ -3958,7 +4696,7 @@ loc Local Extended local zone None.
New Features:
- +
- The INTERFACE column in the /etc/shorewall/masq file may @@ -4034,7 +4772,7 @@ loc Local Extended local zone None.
New Features:
- +
- The INTERFACE column in the /etc/shorewall/masq file may @@ -4103,7 +4841,7 @@ loc Local Extended local zone None.
New Features:
- +Migration Issues:
- The INTERFACE column in the /etc/shorewall/masq file may @@ -4513,7 +5251,7 @@ loc Local Extended local zone field questions and problems from new users. I will not monitor that list personally. I will continue my active development of Shorewall and will be available via the development list to - handle development issues -- Tom. + handle development issues -- Tom.
11/07/2003 - Shorewall 1.4.8
@@ -4603,7 +5341,7 @@ loc Local Extended local zone
- +New Features:
- The definition of the ROUTE_FILTER option in @@ -4611,7 +5349,7 @@ loc Local Extended local zone
- +Migration Issues:
- A new QUEUE action has been introduced for rules. QUEUE @@ -4660,7 +5398,7 @@ loc Local Extended local zone Given the small number of new features and the relatively few lines of code that were changed, there will be no Beta for 1.4.8.
- +http://shorewall.net/pub/shorewall/Beta
@@ -4737,7 +5475,7 @@ loc Local Extended local zone 'routefilter' option in the interfaces file.
- +New Features:
- The definition of the ROUTE_FILTER option in @@ -4745,7 +5483,7 @@ loc Local Extended local zone
- +
- A new QUEUE action has been introduced for rules. QUEUE @@ -4806,7 +5544,7 @@ loc Local Extended local zone
10/24/2003 - Shorewall 1.4.7b
This is a bugfx rollup of the 1.4.7a fixes plus:
- +
- The fix for problem 5 in 1.4.7a was wrong with the result @@ -4880,7 +5618,7 @@ loc Local Extended local zone Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 RC2).
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5012,7 +5750,7 @@ loc Local Extended local zone
- +New Features:
- Shorewall IP Traffic Accounting has changed since @@ -5030,7 +5768,7 @@ loc Local Extended local zone
- +
- Thanks to Steve Herber, the 'help' command can now give @@ -5226,7 +5964,7 @@ loc Local Extended local zone Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 RC 1).
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5346,7 +6084,7 @@ loc Local Extended local zone
- +New Features:
- Shorewall IP Traffic Accounting has changed since @@ -5364,7 +6102,7 @@ loc Local Extended local zone
- +
- Thanks to Steve Herber, the 'help' command can now give @@ -5560,7 +6298,7 @@ loc Local Extended local zone Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 Beta 1).
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5626,7 +6364,7 @@ loc Local Extended local zone
- +New Features:
- Shorewall IP Traffic Accounting has changed since @@ -5644,7 +6382,7 @@ loc Local Extended local zone
- +
- Thanks to Steve Herber, the 'help' command can now give @@ -5840,7 +6578,7 @@ loc Local Extended local zone Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 Beta 1).
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5900,7 +6638,7 @@ loc Local Extended local zone
- +New Features:
- Shorewall IP Traffic Accounting has changed since @@ -5918,7 +6656,7 @@ loc Local Extended local zone
- +
- Thanks to Steve Herber, the 'help' command can now give @@ -6121,7 +6859,7 @@ loc Local Extended local zone Guide Thanks to Fabien Demassieux, there is now a French translation of the - Shorewall Setup Guide. Merci Beacoup, Fabien! + Shorewall Setup Guide
8/25/2003 - Shorewall 1.4.7 Beta 1
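Review bot: the replacement line drops the sentence's terminal punctuation: "Shorewall Setup Guide. Merci Beacoup, Fabien!" becomes "Shorewall Setup Guide" with no period, so the paragraph now ends mid-sentence. If the intent is only to remove the thank-you, the added line should read "+ Shorewall Setup Guide." (the credit to Fabien Demassieux earlier in the same sentence still stands).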
@@ -6133,7 +6871,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Beta
Problems Corrected since version 1.4.6
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6167,7 +6905,7 @@ loc Local Extended local zone
- +New Features:
- Shorewall IP Traffic Accounting has changed since @@ -6185,7 +6923,7 @@ loc Local Extended local zone
- +
- Thanks to Steve Herber, the 'help' command can now give @@ -6383,7 +7121,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/ Problems Corrected since version 1.4.6
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6417,7 +7155,7 @@ loc Local Extended local zone
- +New Features:
- Once you have installed this version of Shorewall, you @@ -6438,7 +7176,7 @@ loc Local Extended local zone page for details.
- +
- Shorewall now creates a dynamic blacklisting chain for @@ -6647,7 +7385,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/ Problems Corrected since version 1.4.6
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6678,7 +7416,7 @@ loc Local Extended local zone
- +New Features:
- Once you have installed this version of Shorewall, you @@ -6691,7 +7429,7 @@ loc Local Extended local zone rejectall"
- +
- Shorewall now creates a dynamic blacklisting chain for @@ -6882,7 +7620,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/ Problems Corrected since version 1.4.6
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6908,7 +7646,7 @@ loc Local Extended local zone
- +New Features:
- Once you have installed this version of Shorewall, you @@ -6921,7 +7659,7 @@ loc Local Extended local zone rejectall"
- +
- Shorewall now creates a dynamic blacklisting chain for @@ -7038,7 +7776,7 @@ loc Local Extended local zone
8/5/2003 - Shorewall-1.4.6b
Problems Corrected since version 1.4.6:
- +
- Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7068,7 +7806,7 @@ loc Local Extended local zone
8/5/2003 - Shorewall-1.4.6b
Problems Corrected since version 1.4.6:
- +
- Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7213,7 +7951,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/ Problems Corrected since version 1.4.6
- +Migration Issues:
- Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -7225,7 +7963,7 @@ loc Local Extended local zone
- +New Features:
- Once you have installed this version of Shorewall, you @@ -7238,7 +7976,7 @@ loc Local Extended local zone rejectall"
- +
- Shorewall now creates a dynamic blacklisting chain for @@ -7308,12 +8046,12 @@ loc Local Extended local zone Two new commands ('dropall' and 'rejectall') have been introduced that do what 'drop' and 'reject' used to do; namely, when an address is blacklisted using these new commands, it - will be blacklisted on all of your firewall's interfaces. + will be blacklisted on all of your firewall's interfaces.
7/22/2003 - Shorewall-1.4.6a
Problems Corrected:
- +
- Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7587,7 +8325,7 @@ loc Local Extended local zone Thanks to the folks at securityopensource.org.br, there is now a Shorewall mirror in Brazil. + "_top">Shorewall mirror in Brazil.
7/15/2003 - Shorewall-1.4.6 RC 1
@@ -8235,7 +8973,7 @@ loc Local Extended local zone that restores the previous 5-character limit by conditionally omitting the log rule number when the LOGFORMAT doesn't contain '%d'.
- +5/23/2003 - Shorewall-1.4.4
I apologize for the rapid-fire releases but since there is a @@ -8244,13 +8982,13 @@ loc Local Extended local zone bug-fix release.
Problems corrected:
- +None.New Features:
- +
- A REDIRECT- rule target has been added. This target @@ -8291,7 +9029,7 @@ loc Local Extended local zone This version primarily corrects the documentation included in the .tgz and in the .rpm. In addition:
- +
- (This change is in 1.4.3 but is not documented) If you @@ -8315,7 +9053,7 @@ loc Local Extended local zone
See the upgrade issues for a - discussion of how these changes may affect your configuration. + discussion of how these changes may affect your configuration.5/18/2003 - Shorewall 1.4.3
Problems Corrected:
- +New Features:
- There were several cases where Shorewall would fail to @@ -8329,7 +9067,7 @@ loc Local Extended local zone confused.
- +New Features:
- IPV6-IPV4 (6to4) tunnels are now supported in the @@ -8350,7 +9088,7 @@ loc Local Extended local zone
5/8/2003 - Shorewall Mirror in Chile
Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago - Chile. + Chile.4/21/2003 - Samples updated for Shorewall version 1.4.2
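Review bot: the added line runs the next entry's date heading straight onto the end of the sentence: "+ Chile.4/21/2003 - Samples updated for Shorewall version 1.4.2". The heading "4/21/2003 - Samples updated for Shorewall version 1.4.2" should start on its own line, with whatever heading markup the surrounding dated entries use, so it is not rendered as part of the Chile mirror paragraph.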
@@ -8491,14 +9229,14 @@ loc Local Extended local zone if there are entries in /etc/shorewall/ecn.
- +Note: In the list that follows, the term group refers to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) accessed through a particular interface. Examples:
- +eth0:0.0.0.0/0
@@ -8531,7 +9269,7 @@ loc Local Extended local zone traffic from Z1 to Z2.3/17/2003 - Shorewall 1.4.0
Shorewall 1.4 represents the next step in the evolution of @@ -8544,7 +9282,7 @@ loc Local Extended local zone
Function from 1.3 that has been omitted from this version include:
- +Changes for 1.4 include:
- The MERGE_HOSTS variable in shorewall.conf is no longer @@ -8588,7 +9326,7 @@ loc Local Extended local zone
- +
- The /etc/shorewall/shorewall.conf file has been @@ -8759,7 +9497,7 @@ loc Local Extended local zone
Example 1 -- This is how it works in 1.3.14.
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8796,7 +9534,7 @@ loc Local Extended local zone Example 2 -- Suppose that your current config is as follows:
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8819,7 +9557,7 @@ loc Local Extended local zone Example 3 -- What if your current configuration is like this?
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8837,7 +9575,7 @@ loc Local Extended local zone
In this case, you would want to change the entry in /etc/shorewall/masq to:
- +#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
@@ -8915,7 +9653,7 @@ loc Local Extended local zone
Example 1 -- This is how it works in 1.3.14.
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8952,7 +9690,7 @@ loc Local Extended local zone Example 2 -- Suppose that your current config is as follows:
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8975,7 +9713,7 @@ loc Local Extended local zone Example 3 -- What if your current configuration is like this?
- +[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
@@ -8993,7 +9731,7 @@ loc Local Extended local zone
In this case, you would want to change the entry in /etc/shorewall/masq to:
- +#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
@@ -9014,7 +9752,7 @@ loc Local Extended local zone http://slovakia.shorewall.net/pub/shorewall/pdf/ - +1/17/2003 - shorewall.net has MOVED
@@ -9178,7 +9916,7 @@ loc Local Extended local zone 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail to start and "shorewall refresh" would also fail.
- +12/20/2002 - Shorewall 1.3.12 Beta 2
@@ -9187,7 +9925,7 @@ loc Local Extended local zone audience).
Features include:
- +You may download the Beta from:
- "shorewall refresh" now reloads the traffic shaping rules @@ -9226,7 +9964,7 @@ loc Local Extended local zone the upgrade process won't overwrite your file.
- +product. Here is the press release.
- +12/7/2002 - Shorewall Support for Mandrake 9.0
@@ -9363,11 +10101,11 @@ loc Local Extended local zone Alexandru Hartmann reports that his Shorewall package is now a part of the Gentoo Linux distribution. Thanks Alex!
- +10/23/2002 - Shorewall 1.3.10 Beta 1
In this version:
- +You may download the Beta from:
- You may now define the @@ -9405,7 +10143,7 @@ loc Local Extended local zone distribution-dependent code.
- +
- 10/9/2002 - Shorewall 1.3.9b This release rolls up fixes to the installer and to the firewall script.
- +10/6/2002 - Shorewall.net now running on RH8.0
Roles up the fix for broken tunnels.
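Review bot: removing the "10/9/2002 - Shorewall 1.3.9b" heading and adding "10/6/2002 - Shorewall.net now running on RH8.0" directly above the unchanged line "Roles up the fix for broken tunnels." leaves that sentence, which describes the 1.3.9b release, sitting under the RH8.0 heading. Either keep the 1.3.9b heading above it or move the sentence along with it; while this line is being touched, "Roles up" should read "Rolls up".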
@@ -9434,7 +10172,7 @@ loc Local Extended local zone
9/30/2002 - Shorewall 1.3.9a
- +9/30/2002 - TUNNELS Broken in 1.3.9!!!
There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall -- copy that file to /usr/lib/shorewall/firewall.
- +9/28/2002 - Shorewall 1.3.9
@@ -9475,7 +10213,7 @@ loc Local Extended local zone A couple of recent configuration changes at www.shorewall.net broke the Search facility:
- +- Hopefully these problems are now corrected. + Hopefully these problems are now corrected.@@ -9486,14 +10224,14 @@ loc Local Extended local zone
- Only one page of matches was presented.
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability Restored
A couple of recent configuration changes at www.shorewall.net had the negative effect of breaking the Search facility:
- +Hopefully these problems are now corrected.
- Mailing List Archive Search was not available.
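Review bot: the added line "+Hopefully these problems are now corrected." now sits between the lead-in "... had the negative effect of breaking the Search facility:" and the list item "- Mailing List Archive Search was not available.", so the conclusion appears before the problems it refers to. It should follow the last item of the list ("- Only one page of matches was presented.") rather than interrupt the lead-in.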
@@ -9503,7 +10241,7 @@ loc Local Extended local zone- Only one page of matches was presented.
- +9/18/2002 - Debian 1.3.8 Packages Available
@@ -10191,7 +10929,7 @@ loc Local Extended local zone
- Filtering by MAC address has been added. MAC addresses may be used as - the source address in: + the source address in:
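Review bot: two added lines fuse a heading onto the preceding text with no separator: "+None.New Features:" (the 5/23/2003 Shorewall-1.4.4 entry, where "None." answers "Problems corrected:" and "New Features:" is the next heading) and "+ discussion of how these changes may affect your configuration.5/18/2003 - Shorewall 1.4.3" (where the 1.4.3 date heading lands at the end of the upgrade-issues sentence). Each heading needs its own line, in the same markup as the other "New Features:" and dated headings in this file, or it renders as a run-on paragraph.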
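Review bot: the added line "+You may download the Beta from:" appears twice (under "Features include:" in the 12/20/2002 Shorewall 1.3.12 Beta 2 entry and under "In this version:" in the 10/23/2002 Shorewall 1.3.10 Beta 1 entry), each time immediately followed by a feature bullet ("shorewall refresh" now reloads ...; You may now define the ...) rather than a download location. Either the URL line that should follow it is missing from the hunk, or the sentence belongs above the "Features include:" / "In this version:" lead-in; as it stands it interrupts the feature list and points nowhere.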