mirror of
https://gitlab.com/shorewall/code.git
synced 2025-08-09 23:54:22 +02:00
Shorewall-1.4.7a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
@ -37,14 +37,12 @@ and control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.<br>
|
||||
</li>
|
||||
<li>iptables - the utility program used to configure and
|
||||
control
|
||||
Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).<br>
|
||||
control Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||
compatibility mode).<br>
|
||||
</li>
|
||||
</ul>
|
||||
The
|
||||
Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
high-level tool for configuring Netfilter. You describe your
|
||||
firewall/gateway requirements using entries in a set of configuration
|
||||
files. Shorewall reads those configuration files and with the help of
|
||||
@ -56,14 +54,14 @@ and can thus take advantage of Netfilter's connection state tracking
|
||||
capabilities.
|
||||
<p>This program is free software; you can redistribute it and/or
|
||||
modify it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
||||
GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
<br>
|
||||
This program is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
General
|
||||
Public License for more details.<br>
|
||||
<br>
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
@ -81,30 +79,80 @@ Shorewall. For older versions:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h2>Getting Started with Shorewall</h2>
|
||||
New to Shorewall? Start by
|
||||
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
|
||||
that most closely match your environment and
|
||||
follow the step by step instructions.<br>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment and follow the step by step instructions.<br>
|
||||
<h2>Looking for Information?</h2>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search to your
|
||||
right.
|
||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||
If so, the documentation<b> </b>on this site will not apply directly
|
||||
to your setup. If you want to
|
||||
use the documentation that you find here, you will want to consider
|
||||
uninstalling what you have and installing a setup that matches the
|
||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
||||
QuickStart Guide</a> for
|
||||
to
|
||||
your setup. If you want to use the documentation that you find here,
|
||||
you will want to consider uninstalling what you have and installing a
|
||||
setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.
|
||||
<h2></h2>
|
||||
<h2><b>News</b></h2>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
</ol>
|
||||
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b><br>
|
||||
<b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2).</b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font were
|
||||
corrected since 1.4.7 RC2).</b><br>
|
||||
<ol>
|
||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||
variable was being tested before it was set.</li>
|
||||
@ -120,65 +168,53 @@ were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
<li>Interface-specific dynamic blacklisting chains are now
|
||||
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li value="7">The 'shorewall reject'
|
||||
and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<li value="7">The 'shorewall reject' and 'shorewall drop'
|
||||
commands now delete any existing rules for the subject IP address
|
||||
before adding a new DROP or REJECT rule. Previously, there could be
|
||||
many rules for the same IP address in the dynamic chain so that
|
||||
multiple 'allow' commands were required to re-enable traffic to/from
|
||||
the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
||||
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6
|
||||
addresses configured on interfaces in contexts where Shorewall needed
|
||||
to detect something about the interface (such as when "detect" appears
|
||||
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy
|
||||
ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
<li>Shorewall previously choked over IPV6 addresses configured
|
||||
on interfaces in contexts where Shorewall needed to detect something
|
||||
about the interface (such as when "detect" appears in the BROADCAST
|
||||
column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load module files that are formed from
|
||||
the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a proxy ARP host and such a
|
||||
route already exists, two routes resulted previously. This has been
|
||||
corrected so that the existing route is replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been updated to reflect recent
|
||||
allocations.</li>
|
||||
<li>The documentation of the USER SET column in the rules file
|
||||
has been corrected.</li>
|
||||
<li>If there is no policy defined for the zones specified in a
|
||||
rule, the firewall script previously encountered a shell syntax error:<br>
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
<li>Previously, if neither /etc/shorewall/common nor
|
||||
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
||||
would not remove the lock file. Failure to remove the lock file
|
||||
resulted in the following during subsequent attempts to start:<br>
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
@ -187,19 +223,17 @@ attempts to start:<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li>The order of processing the various options has been
|
||||
changed such that blacklist entries now take precedence over the 'dhcp'
|
||||
interface setting.</li>
|
||||
<li>The log message generated from the 'logunclean' interface
|
||||
option has been changed to reflect a disposition of LOG rather than
|
||||
DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
group name was specified in the USER SET column and the destination
|
||||
zone
|
||||
was qualified with a IP address, the user and/or group name was not
|
||||
being used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
@ -217,10 +251,9 @@ details.</li>
|
||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||
details.</li>
|
||||
<li>The
|
||||
per-interface Dynamic Blacklisting facility introduced in the first
|
||||
post-1.4.6 Snapshot has been removed. The facility had too many
|
||||
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
<li>The per-interface Dynamic Blacklisting facility introduced
|
||||
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
||||
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b></b><b>New Features:</b><br>
|
||||
@ -239,8 +272,9 @@ command-specific help (e.g., shorewall help <command>).</li>
|
||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||
for existing users which causes Shorewall's 'stopped' state to
|
||||
continue as it has been; namely, in the stopped state only traffic
|
||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
continue
|
||||
as it has been; namely, in the stopped state only traffic to/from hosts
|
||||
listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
<br>
|
||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||
addition to traffic to/from the hosts listed in
|
||||
@ -248,7 +282,8 @@ addition to traffic to/from the hosts listed in
|
||||
<br>
|
||||
a) All traffic originating from the firewall itself; and<br>
|
||||
b) All traffic that is part of or related to an
|
||||
already-existing connection.<br>
|
||||
already-existing
|
||||
connection.<br>
|
||||
<br>
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.<br>
|
||||
@ -272,12 +307,9 @@ fw tcp 22<br>
|
||||
<br>
|
||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||
connection with local system 192.168.1.5. I then create a second SSH
|
||||
connection
|
||||
from that computer to the firewall and confidently type "shorewall
|
||||
stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
connection from that computer to the firewall and confidently type
|
||||
"shorewall stop". As part of its stop processing, Shorewall removes
|
||||
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
@ -297,15 +329,17 @@ where:<br>
|
||||
<protocol> is the protocol
|
||||
used by the tunnel<br>
|
||||
<port> if the protocol
|
||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
||||
tunnel.<br>
|
||||
is 'udp' or 'tcp' then this is the
|
||||
destination port number used by the tunnel.<br>
|
||||
<zone> is the zone of
|
||||
the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
address of the remote tunnel
|
||||
gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
Optional. A comma-separated list of zone
|
||||
names. If specified, the remote gateway is to be considered part of
|
||||
these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
@ -315,7 +349,8 @@ facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.</li>
|
||||
recommended
|
||||
against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
@ -334,8 +369,9 @@ separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
fields,
|
||||
the limit will apply to each pair of zones individually rather than as
|
||||
a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
@ -344,15 +380,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
accepted within an
|
||||
<interval>. If not given, the default of 5 is assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
@ -378,8 +413,9 @@ After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
hit
|
||||
the rule for 2 second, the burst will be fully recharged; back where we
|
||||
started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
@ -387,50 +423,6 @@ show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||
details.</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
|
||||
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
|
||||
- Shorewall 1.4.7 Beta 2</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""> <br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
||||
<ol>
|
||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
||||
Control requires Mangle"; that problem has been corrected.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables
|
||||
command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled
|
||||
exists. This prevents people from shooting themselves in the foot prior
|
||||
to
|
||||
having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being
|
||||
added to a PPP interface; the addresses were successfully added in
|
||||
spite
|
||||
of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages.</li>
|
||||
</ol>
|
||||
<p><b><a href="News.htm">More News</a></b></p>
|
||||
<b> </b>
|
||||
@ -503,7 +495,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user