Shorewall 2.0.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1326 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-05-13 22:07:06 +00:00
parent 659ace14da
commit 9def7cde17
28 changed files with 1732 additions and 1206 deletions

View File

@ -42,6 +42,15 @@
# to a separate log through use of ulogd # to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. # SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets # A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC # and/or hosts. Hosts may be specified by IP or MAC

View File

@ -46,13 +46,19 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved 89.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved 90.0.0.0/7 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved 92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback 127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003 223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003

View File

@ -1,52 +1,61 @@
Changes since 2.0.0 Changes since 2.0.1
1) Eliminate Warning about Policy as rule when using actions. 1) Reformat the code in define_firewall().
2) Add bridging Code. 2) Reimplement dynamic zones.
3) Cleanup Warning elimination. 3) Tweak new dynamic zone implementation.
4) Add 'nobogons' 4) Implement CONFIG_PATH.
5) Add 'netmap' 5) Apply Stijn Jonker's fix for CONFIG_PATH.
6) Fix another <zone>_frwd problem. 6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately.
7) Add -x option to /sbin/shorewall. 7) Allow CONFIG_PATH to be inherited.
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. 8) Fix ensure_config_path call.
9) Improve zone-definition checking. 9) Make LOCAL and ALL INTERFACES independent in the nat file.
10) Add additional options to hosts file 10) Add "ko.gz" to the vast list of module suffixes that distributions
have invented.
11) Replace 'subnet' with 'network' in the code 11) Update the bogons file
12) Fix item 10 above :-( 12) Added example for log rate limiting knobs in shorewall.conf.
13) Replace good code with crap to satisfy 'ash'. 13) Fix init.debian.sh.
14) Fix if_match to only do wild-card matches on patterns ending in 14) Implement the -q option.
"+".
15) Tighten edits on bridge port names. 15) Add saved configuration support (iptables-save/iptables-restore
integration).
16) Make 'routeback' on interfaces work again. 16) Use modprobe if it is available.
17) Reduce useless intra-zone rules on bridges. 17) Lots of fixes to 'save'
18) Make 'routeback' on hosts work again. 18) 'shorewall forget'
19) Fix display of ICMP packets. 19) SNAT/MASQUERADE by proto/port(s)
20) Fix init.debian.sh 20) Shorewall 2.0.2 Beta 1 changes.
21) Eliminate meaningless warning out of proxyarp processing. 21) Fix ALL INTERFACES column parsing.
22) Fix module loading on Mandrake. 22) Correct "shorewall delete" processing.
23) Eliminate confusing IPV6 warnings. 23) Apply Alex Wilms's patch for install.sh
24) Apply Stefan Engel's fix for "shorewall delete" 24) Add ACCEPT+ and NONAT targets.
25) Apply the install.sh fix from Alex Wilms 25) Added 'initialized' extension script.
26) Renamed 'initialized' to 'initdone'
27) Applied Stijn Jonker's fix for "shorewall add"
28) Correct typo that broke "shorewall delete"
29) Apply Stijn Jonker's -q fix.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.1 VERSION=2.0.2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -120,8 +120,12 @@ restore_file /usr/share/shorewall/rfc1918
restore_file /usr/share/shorewall/bogons restore_file /usr/share/shorewall/bogons
restore_file /usr/share/shorewall/configpath
restore_file /etc/shorewall/init restore_file /etc/shorewall/init
restore_file /etc/shorewall/initdone
restore_file /etc/shorewall/start restore_file /etc/shorewall/start
restore_file /etc/shorewall/stop restore_file /etc/shorewall/stop

File diff suppressed because it is too large Load Diff

View File

@ -82,11 +82,24 @@ fix_bang() {
done done
} }
#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}
# #
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
# #
find_file() find_file()
{ {
local saveifs= directory
case $1 in case $1 in
/*) /*)
echo $1 echo $1
@ -94,11 +107,19 @@ find_file()
*) *)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1 echo $SHOREWALL_DIR/$1
elif [ -f /etc/shorewall/$1 ]; then
echo /etc/shorewall/$1
elif [ -f /usr/share/shorewall/$1 ]; then
echo /usr/share/shorewall/$1
else else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1 echo /etc/shorewall/$1
fi fi
;; ;;
@ -485,14 +506,14 @@ in_network() # $1 = IP address, $2 = CIDR network
ip_vlsm() { ip_vlsm() {
local mask=$(decodeaddr $1) local mask=$(decodeaddr $1)
local vlsm=0 local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 )) local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask... [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1)) vlsm=$(($vlsm + 1))
done done
if [ $(( $mask & 2147483647)) -ne 0 ]; then if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2 echo "Invalid net mask: $1" >&2
else else
echo $vlsm echo $vlsm

View File

@ -116,6 +116,14 @@ drop)
See also \"help address\"" See also \"help address\""
;; ;;
forget)
echo "forget: forget
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
files are created by the 'shorewall save' command
See also \"help save\""
;;
help) help)
echo "help: help [<command> | host | address ] echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands." Display helpful information about the shorewall commands."
@ -157,10 +165,11 @@ monitor)
;; ;;
refresh) refresh)
echo "refresh: refresh echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces, The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched" to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;; ;;
reject) reject)
@ -178,15 +187,29 @@ reset)
;; ;;
restart) restart)
echo "restart: restart [ -c <configuration-directory> ] echo "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start. Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped." Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
restore)
echo "restore: restore
Restore Shorewall to its last state saved using the 'save' command
Existing connections are maintained.
See also \"help save\" and \"help forget\""
;; ;;
save) save)
echo "save: save echo "save: save
The dynamic data is stored in /var/lib/shorewall/save The dynamic data is stored in /var/lib/shorewall/save. The state of the
Shorewall allow, drop, rejct and save implement dynamic blacklisting." firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
and 'shorewall -f start' commands.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;; ;;
show) show)
@ -213,10 +236,12 @@ show)
;; ;;
start) start)
echo "start: start [ -c <configuration-directory> ] echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies." if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
If \"-f\" is specified, the last saved configuraton if any will be restored"
;; ;;
stop) stop)

View File

@ -14,6 +14,11 @@
# individual IP addresses. Most simple setups don't need to # individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file. # (should not) place anything in this file.
# #
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones # ZONE - The name of a zone defined in /etc/shorewall/zones
# #
# HOST(S) - The name of an interface defined in the # HOST(S) - The name of an interface defined in the
@ -49,10 +54,10 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall show set up the infrastructure # routeback - Shorewall should set up the infrastructure
# to pass packets from this/these # to pass packets from this/these
# address(es) back to themselves. This is # address(es) back to themselves. This is
# necessary of hosts in this group use the # necessary if hosts in this group use the
# services of a transparent proxy that is # services of a transparent proxy that is
# a member of the group or if DNAT is used # a member of the group or if DNAT is used
# to send requests originating from this # to send requests originating from this

View File

@ -83,7 +83,7 @@ wait_for_pppd () {
shorewall_start () { shorewall_start () {
echo -n "Starting \"Shorewall firewall\": " echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd wait_for_pppd
$SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }

View File

@ -62,7 +62,12 @@ command="$1"
case "$command" in case "$command" in
stop|start|restart|status) start)
exec /sbin/shorewall -f start
;;
stop|restart|status)
exec /sbin/shorewall $@ exec /sbin/shorewall $@
;; ;;

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.1 VERSION=2.0.2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -83,10 +83,12 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
# Parse the run line # Parse the run line
# #
# DEST is the SysVInit script directory # DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall # RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument # ARGS is "yes" if we've already parsed an argument
# #
DEST="" DEST="/etc/init.d"
INIT="shorewall"
RUNLEVELS="" RUNLEVELS=""
ARGS="" ARGS=""
@ -117,10 +119,6 @@ done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
if [ -z "$DEST" ]; then
DEST=/etc/init.d
fi
# #
# Determine where to install the firewall script # Determine where to install the firewall script
# #
@ -160,11 +158,11 @@ echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544
else else
install_file_with_backup init.sh ${PREFIX}${DEST}/shorewall 0544 install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544
fi fi
echo echo
echo "Shorewall script installed in ${PREFIX}${DEST}/shorewall" echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
# #
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
@ -392,13 +390,19 @@ fi
# #
install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
echo echo
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
# #
# Install the bogons file # Install the bogons file
# #
install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600
echo echo
echo "Bogon file installed as ${PREFIX}/etc/shorewall/bogons" echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
#
# Install the default config path file
#
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo
echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath"
# #
# Install the init file # Install the init file
# #
@ -410,6 +414,16 @@ else
echo "Init file installed as ${PREFIX}/etc/shorewall/init" echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi fi
# #
# Install the initdone file
#
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
backup_file /etc/shorewall/initdone
else
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
#
# Install the start file # Install the start file
# #
if [ -f ${PREFIX}/etc/shorewall/start ]; then if [ -f ${PREFIX}/etc/shorewall/start ]; then
@ -508,7 +522,7 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
rm -f /usr/share/shorewall/init rm -f /usr/share/shorewall/init
ln -s ${DEST}/shorewall /usr/share/shorewall/init ln -s ${DEST}/${INIT} /usr/share/shorewall/init
fi fi
# #
@ -549,7 +563,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
else else
cant_autostart cant_autostart
fi fi
else elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart cant_autostart
fi fi

View File

@ -115,11 +115,21 @@
# established connection will be accepted # established connection will be accepted
# from this interface, even if # from this interface, even if
# NEWNOTSYN=No has been specified in # NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
# #
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall # routeback - If specified, indicates that Shorewall
# should include rules that allow filtering # should include rules that allow filtering
# traffic arriving on this interface back # traffic arriving on this interface back

View File

@ -55,6 +55,27 @@
# #
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
#
# Example 1: # Example 1:
# #
# You have a simple masquerading setup where eth0 connects to # You have a simple masquerading setup where eth0 connects to
@ -94,6 +115,19 @@
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # eth0:0 192.168.1.0/24 206.124.146.176
# #
############################################################################## # Example 5:
#INTERFACE SUBNET ADDRESS #
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

View File

@ -29,8 +29,7 @@
# If No or no (or left empty) then NAT will be effective # If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE
# column # column
# LOCAL If Yes or yes and the ALL INTERFACES column contains # LOCAL If Yes or yes, NAT will be effective from the firewall
# Yes or yes, NAT will be effective from the firewall
# system # system
############################################################################## ##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL

View File

@ -1,114 +1,227 @@
Shorewall 2.0.1 Shorewall 2.0.2
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.0 Problems Corrected since 2.0.1
1) Using actions in the manner recommended in the documentation 1) The /etc/init.d/shorewall script installed on Debian by install.sh
results in a Warning that the rule is a policy. failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the
normal Shorewall distribution and is provided by the Debian
maintainer.
2) When a zone on a single interface is defined using 2) A meaningless warning message out of the proxyarp file processing
/etc/shorewall/hosts, superfluous rules are generated in the has been eliminated.
<zone>_frwd chain.
3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and 3) The "shorewall delete" command now correctly removes all dynamic
IPSEC has been corrected. Thanks Sean!!! rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.
4) The "shorewall show log" and "shorewall logwatch" commands
incorrectly displayed type 3 ICMP packets.
5) On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot.
6) Confusing warning messages regarding IPV6 occur during startup.
7) Modules listed in /etc/shorewall/modules don't load on Mandrake
10.0 final.
8) "shorewall delete" now correctly deletes dynamic rules from
the ruleset. Thanks to Stefan Engel for this fix.
9) The install.sh script now works correctly on SuSE. Thanks to Alex
Wilms for this correction.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
1) The function of 'norfc1918' is now split between that option and a 1) Extension Scripts
new 'nobogons' option.
The rfc1918 file released with Shorewall now contains entries for In order for extension scripts to work properly with the new
only those three address ranges reserved by RFC 1918. A 'nobogons' iptables-save/restore integration (see New Feature 1 below), some
interface option has been added which handles bogon source change may be required to your extension scripts.
addresses (those which are reserved by the IANA, those reserved for
DHCP auto-configuration and the class C test-net reserved for
testing and documentation examples). This will allow users to
perform RFC 1918 filtering without having to deal with out
of date data from IANA. Those who are willing to update their
/usr/share/shorewall/bogons file regularly can specify the
'nobogons' option in addition to 'norfc1918'.
The level at which bogon packets are logged is specified in the new If your extension scripts are executing commands other than iptables
BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not then those commands must also be written to the restore file (a
specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then temporary file in /var/lib/shorewall that is renamed
bogon packets whose TARGET is 'logdrop' in /var/lib/shorewall/restore-base at the end of the operation).
/usr/share/shorewall/bogons are logged at the 'info' level.
New Features: The following functions should be of help:
1) Support for Bridging Firewalls has been added. For details, see A. save_command() -- saves the passed command to the restore file.
http://shorewall.net/bridge.html
2) Support for NETMAP has been added. NETMAP allows NAT to be defined
between two network:
a.b.c.1 -> x.y.z.1
a.b.c.2 -> x.y.z.2
a.b.c.3 -> x.y.z.3
...
http://shorewall.net/netmap.html
3) The /sbin/shorewall program now accepts a "-x" option to cause
iptables to print out the actual packet and byte counts rather than
abbreviated counts such as "13MB".
Commands affected by this are:
shorewall -x show [ <chain>[ <chain> ...] ]
shorewall -x show tos|mangle
shorewall -x show nat
shorewall -x status
shorewall -x monitor [ <interval> ]
4) Shorewall now traps two common zone definition errors:
- Including the firewall zone in a /etc/shorewall/hosts record.
- Defining an interface for a zone in both /etc/shorewall/interfaces
and /etc/shorewall/hosts.
In the second case, the following will appear during "shorewall
[re]start" or "shorewall check":
Determining Hosts in Zones...
...
Error: Invalid zone definition for zone <name of zone>
Terminated
5) To support bridging, the following options have been added to
entries in /etc/shorewall/hosts:
norfc1918
nobogons
blacklist
tcpflags
nosmurfs
newnotsyn
With the exception of 'newnotsyn', these options are only
useful when the entry refers to a bridge port.
Example: Example:
#ZONE HOST(S) OPTIONS save_command echo Operation Complete
net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs
That command would simply write "echo Operation Complete" to the
restore file.
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.
Example:
run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This
applies to all of the functions described here.
C. ensure_and_save_command() -- runs the passed command. If the
command fails, the firewall is restored to it's prior saved state
and the operation is terminated. If the command succeeds, the
command is written to the restore file.
2) Dynamic Zone support.
If you don't need to use the "shorewall add" and "shorewall delete"
commands, you should set DYNAMIC_ZONES=No in
/etc/shorewall/shorewall.conf.
New Features:
1) Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and
restart. The elements of this integration are as follows:
a) The 'shorewall save' command now saves the current configuration
in addition to the current dynamic blacklist. If you have
dynamic zones, you will want to issue 'shorewall save' when the
zones are empty or the current contents of the zones will be
restored by the 'shorewall restore' and 'shorewall -f start'
commands.
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there
is no saved configuration, a normal 'shorewall start' is
performed.
d) The /etc/init.d/shorewall script now translates the 'start'
command into 'shorewall -f start' so that fast restart is
possible.
e) When a state-changing command encounters an error and there is a
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command.
WARNING: iptables 1.2.9 is broken with respect to iptables-save;
If your kernel has connection tracking match support, you must
patch iptables 1.2.9 with the iptables patch availale from
the Shorewall errata page.
2) The previous implementation of dynamic zones was difficult to
maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.
3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
following directories for configuration files.
a) The directory specified in a 'try' command or specified using
the -c option.
b) /etc/shorewall
c) /usr/share/shorewall
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
Now Shorewall searches for shorewall.conf according to the old
rules and for other configuration files as follows:
a) The directory specified in a 'try' command or specified using
the -c option.
b) Each directory in $CONFIG_PATH is searched in sequence.
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall
or in /usr/share/shorewall.
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to
have a default that differs from mine.
4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
would only take effect if the ALL INTERFACES column also contained
Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.
5) The folks at Mandrake have created yet another kernel module
naming convention (module names end in "ko.gz"). As a consequence,
beginning with this release, if MODULE_SUFFIX isn't specified in
shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
6) An updated bogons file is included in this release.
7) In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and
the log tag.
Example:
ACCEPT:info:ftp net dmz tcp 21
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
The maximum length of a log prefix supported by iptables is 29
characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters.
8) A new "-q" option has been added to /sbin/shorewall commands. It
causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible (when
testing this change, I discovered a bug where a bogus warning
message was being generated).
9) Shorewall now uses 'modprobe' to load kernel modules if that utility
is available in the PATH; otherwise, 'insmod' is used.
10) It is now possible to restrict entries in the /etc/shorewall/masq
file to particular protocols and destination port(s). Two new
columns (PROTO and PORT(S)) have been added to the file.
Example:
You want all outgoing SMTP traffic entering the firewall
on eth1 to be sent from eth0 with source IP address
206.124.146.177. You want all other outgoing traffic
from eth1 to be sent from eth0 with source IP address
206.124.146.176.
eth0 eth1 206.124.146.177 tcp 25
eth0 eth1 206.124.146.176
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
Assuming that 10.0.0.0/8 is the only host/network connected
to eth1, the progress message at "shorewall start" would be:
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
11) Two new actions are available in the /etc/shorewall/rules file.
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
matching connections from subsequent DNAT[-] and
REDIRECT[-] rules.
NONAT -- Exempts matching connections from subsequent DNAT[-]
and REDIRECT[-] rules.
12) A new extension script 'initdone' has been added. This script is invoked
at the same point as the 'common' script was previously and is useful for
users who mis-used that script under Shorewall 1.x (the script was intended
for adding rules to the 'common' chain but many users treated it as a script
for adding rules before Shorewall's).
13) Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify
settings in the install.sh script before running it as follows:
DEST="/etc/rc.d"
INIT="rc.firewall"
Thanks to Alex Wilms for helping with this change.

View File

@ -25,6 +25,13 @@
# LOG, QUEUE or an <action>. # LOG, QUEUE or an <action>.
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request # DROP -- ignore the request
# REJECT -- disallow the request and return an # REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet. # icmp-unreachable or an RST packet.
@ -70,6 +77,15 @@
# to a separate log through use of ulogd # to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or

View File

@ -80,6 +80,10 @@
# "dropped" addresses so that it will # "dropped" addresses so that it will
# be automatically reinstated the # be automatically reinstated the
# next time that Shorewall starts. # next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget Discard the data saved by 'shorewall save'
# #
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ] # shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
# #
@ -160,6 +164,7 @@ get_config() {
exit 2 exit 2
fi fi
fi fi
} }
# #
@ -530,7 +535,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -538,6 +543,7 @@ usage() # $1 = exit status
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " forget"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -548,6 +554,7 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart"
echo " restore"
echo " save" echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
@ -585,13 +592,24 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
fi fi
SHOREWALL_DIR= SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv" IPT_OPTIONS="-nv"
FAST=
done=0 done=0
while [ $done -eq 0 ]; do while [ $done -eq 0 ]; do
[ $# -eq 0 ] && usage 1 [ $# -eq 0 ] && usage 1
case $1 in option=$1
-c) case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
c)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if [ ! -d $2 ]; then if [ ! -d $2 ]; then
@ -603,11 +621,26 @@ while [ $done -eq 0 ]; do
fi fi
SHOREWALL_DIR=$2 SHOREWALL_DIR=$2
shift option=
shift shift
;; ;;
-x) x*)
IPT_OPTIONS="-xnv" IPT_OPTIONS="-xnv"
option=${option#x}
;;
q*)
QUIET=Yes
option=${option#q}
;;
f*)
FAST=Yes
option=${option#f}
;;
*)
usage 1
;;
esac
done
shift shift
;; ;;
*) *)
@ -621,6 +654,7 @@ if [ $# -eq 0 ]; then
fi fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
[ -n "$QUIET" ] && export QUIET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
@ -638,6 +672,8 @@ else
exit 2 exit 2
fi fi
ensure_config_path
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
@ -647,6 +683,10 @@ else
exit 2 exit 2
fi fi
ensure_config_path
export CONFIG_PATH
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
@ -691,7 +731,23 @@ case $(echo -n "Testing") in
esac esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start)
[ $# -ne 1 ] && usage 1
get_config
if [ -n "$FAST" ]; then
if [ -f /var/lib/shorewall/restore ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
date > $STATEDIR/restarted
echo Shorewall restored
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@ -909,11 +965,24 @@ case "$1" in
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved" echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo EOF >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
chmod +x /var/lib/shorewall/restore
echo " Currently-running Configuration Saved"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
fi
else else
echo "Error Saving the Dynamic Rules" echo "Error Saving the Dynamic Rules"
fi fi
@ -922,6 +991,11 @@ case "$1" in
fi fi
mutex_off mutex_off
;; ;;
forget)
rm -f /var/lib/shorewall/restore
rm -f /var/lib/shorewall/save
echo " Previously saved information discarded"
;;
ipcalc) ipcalc)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
@ -957,6 +1031,16 @@ case "$1" in
;; ;;
esac esac
;; ;;
restore)
if [ -f /var/lib/shorewall/restore ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
else
echo "File /var/lib/shorewall/restore: file not found"
exit 2
fi
;;
call) call)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
# #

View File

@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:"
# maximum initial burst size that will be logged. If set empty, the default # maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used. # value of 5 will be used.
# #
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example: # Example:
# #
# LOGRATE=10/minute # LOGRATE=10/minute
# LOGBURST=5 # LOGBURST=5
# #
# If BOTH variables are set empty then logging will not be rate-limited. # For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
# #
LOGRATE= LOGRATE=
@ -236,6 +245,19 @@ STATEDIR=/var/lib/shorewall
MODULESDIR= MODULESDIR=
#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
################################################################################ ################################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
################################################################################ ################################################################################
@ -515,9 +537,9 @@ BLACKLISTNEWONLY=Yes
# #
# When loading a module named in /etc/shorewall/modules, Shorewall normally # When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different # end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# naming convention then you can specify the suffix (extension) for module # different naming convention then you can specify the suffix (extension) for
# names in this variable. # module names in this variable.
# #
# To see what suffix is used by your distribution: # To see what suffix is used by your distribution:
# #
@ -556,6 +578,14 @@ DISABLE_IPV6=Yes
# #
BRIDGING=No BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.0.1 %define version 2.0.2
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -91,6 +91,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init %attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
@ -135,10 +136,21 @@ fi
%attr(0544,root,root) /usr/share/shorewall/help %attr(0544,root,root) /usr/share/shorewall/help
%attr(0600,root,root) /usr/share/shorewall/rfc1918 %attr(0600,root,root) /usr/share/shorewall/rfc1918
%attr(0600,root,root) /usr/share/shorewall/bogons %attr(0600,root,root) /usr/share/shorewall/bogons
%attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Thu May 13 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2-1
* Mon May 10 2004 Tom Eastep tom@shorewall.net
- Add /etc/shorewall/initdone
* Fri May 07 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-RC1
* Tue May 04 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-Beta2
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/configpath
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net * Mon Apr 05 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1-1 - Updated for 2.0.1-1
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net * Thu Apr 02 2004 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.1 VERSION=2.0.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -18,10 +18,130 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br> Documentation License</a></span>”.<br>
</p> </p>
<p>2004-04-05<br> <p>2004-05-13<br>
</p> </p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<p><b>3/14/2004 - Shorewall 2.0.0b&nbsp;</b><b></b></p> <p><b> 4/5/2004 - Shorewall 2.0.1</b><b></b><br>
</p>
Problems Corrected since 2.0.0<br>
<br>
<ol>
<li>Using actions in the manner recommended in the
documentation results in a Warning that the rule is a policy.</li>
<li>When a zone on a single interface is defined using
/etc/shorewall/hosts, superfluous rules are generated in the
&lt;zone&gt;_frwd chain.</li>
<li>Thanks to Sean Mathews, a long-standing problem with Proxy
ARP and IPSEC has been corrected. Thanks Sean!!!</li>
<li>The "shorewall show log" and "shorewall logwatch" commands
incorrectly displayed type 3 ICMP packets.<br>
</li>
</ol>
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:<br>
<br>
<ol>
<li>The function of 'norfc1918' is now split between that
option and a new 'nobogons' option.<br>
<br>
The rfc1918 file released with Shorewall now contains entries for only
those three address ranges reserved by RFC 1918. A 'nobogons' interface
option has been added which handles bogon source addresses (those which
are reserved by the IANA, those reserved for DHCP auto-configuration
and the class C test-net reserved for testing and documentation
examples). This will allow users to perform RFC 1918 filtering without
having to deal with out of date data from IANA. Those who are willing
to update their /usr/share/shorewall/bogons file regularly can specify
the 'nobogons' option in addition to 'norfc1918'.<br>
<br>
The level at which bogon packets are logged is specified in the new
BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not
specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon
packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are
logged at the 'info' level.</li>
</ol>
New Features:<br>
<br>
<ol>
<li>Support for Bridging Firewalls has been added. For details,
see<br>
<br>
<a href="http://shorewall.net/bridge.html">http://shorewall.net/bridge.html</a><br>
<br>
</li>
<li>Support for NETMAP has been added. NETMAP allows NAT to be
defined between two network:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;
a.b.c.1&nbsp;&nbsp;&nbsp; -&gt; x.y.z.1<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
a.b.c.2&nbsp;&nbsp;&nbsp; -&gt; x.y.z.2<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
a.b.c.3&nbsp;&nbsp;&nbsp; -&gt; x.y.z.3<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>
<br>
&nbsp; <a href="http://shorewall.net/netmap.htm">http://shorewall.net/netmap.htm</a><br>
<br>
</li>
<li>The /sbin/shorewall program now accepts a "-x" option to
cause iptables to print out the actual packet and byte counts rather
than abbreviated counts such as "13MB".<br>
<br>
Commands affected by this are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall -x show [ &lt;chain&gt;[ &lt;chain&gt; ...] ]<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall -x show tos|mangle<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall -x show nat<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall -x status<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall -x monitor [ &lt;interval&gt; ]<br>
<br>
</li>
<li>Shorewall now traps two common zone definition errors:<br>
<ul>
<li>Including the firewall zone in a /etc/shorewall/hosts
record.</li>
<li>Defining an interface for a zone in both
/etc/shorewall/interfaces and /etc/shorewall/hosts.<br>
<br>
</li>
</ul>
</li>
<li>In the second case, the following will appear during
"shorewall [re]start" or "shorewall check":<br>
<br>
&nbsp;&nbsp; Determining Hosts in Zones...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error: Invalid zone definition for zone
&lt;name of zone&gt;<br>
&nbsp;&nbsp; Terminated<br>
<br>
</li>
<li>To support bridging, the following options have been added
to entries in /etc/shorewall/hosts:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; norfc1918<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nobogons<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; blacklist<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcpflags<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nosmurfs<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; newnotsyn<br>
<br>
With the exception of 'newnotsyn', these options are only useful when
the entry refers to a bridge port.<br>
<br>
&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp; #ZONE&nbsp;&nbsp; HOST(S)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
OPTIONS<br>
&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;&nbsp;
br0:eth0&nbsp;&nbsp;&nbsp;&nbsp;
norfc1918,nobogons,blacklist,tcpflags,nosmurfs</li>
</ol>
<p><b>3/14/2004 - Shorewall 2.0.0b&nbsp;</b></p>
Corrects two problems:<br> Corrects two problems:<br>
<ol> <ol>
<li>Thanks to Sean Mathews, the long-standing problem with <li>Thanks to Sean Mathews, the long-standing problem with

View File

@ -21,10 +21,6 @@
<li><a href="support.htm"><span style="font-weight: bold;">Support</span></a></li> <li><a href="support.htm"><span style="font-weight: bold;">Support</span></a></li>
</ul> </ul>
<span style="font-weight: bold;"></span> <span style="font-weight: bold;"></span>
<div style="text-align: left;"><a href="http://www.shorewall.net"
target="_top"><img alt="(Protected by Shorewall)"
src="images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
<ul> <ul>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it <li><a href="Shorewall_Doesnt.html">What it
@ -43,14 +39,16 @@ Repository</a></li>
<li><a href="useful_links.html">Useful Links</a></li> <li><a href="useful_links.html">Useful Links</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li> <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<small></small>
</ul> </ul>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas <p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
M. Eastep.</font></a><br> M. Eastep.</font></a><br>
</p> </p>
<div style="text-align: left;">
<div style="text-align: left;"><a href="http://www.shorewall.net" <div style="text-align: left;"><a href="http://www.shorewall.net"
target="_top"><br> target="_top"><img alt="(Protected by Shorewall)"
</a></div> src="images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
<a href="http://www.shorewall.net" target="_top"></a></div>
<p><br> <p><br>
<a href="copyright.htm"> </a> </p> <a href="copyright.htm"> </a> </p>
</body> </body>

View File

@ -47,7 +47,7 @@ compatibility mode).</li>
<h3>What is Shorewall?</h3> <h3>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more <div style="margin-left: 40px;">The Shoreline Firewall, more
commonly known as "Shorewall", is commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your a high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your the iptables utility, Shorewall configures Netfilter to match your
@ -118,129 +118,251 @@ Documentation License"</a>. </div>
<p>Copyright © 2001-2004 Thomas M. Eastep </p> <p>Copyright © 2001-2004 Thomas M. Eastep </p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<h2>News</h2> <h2>News</h2>
<p><b>4/5/2004 - Shorewall 2.0.1 </b><b> <img alt="(New)" <p><b>5/13/2004 - Shorewall 2.0.2</b><b> </b><b> <img
src="images/new10.gif" alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b><br> style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<b></b></p> <p>Problems Corrected since 2.0.1<br>
Problems Corrected since 2.0.0<br> </p>
<br>
<ol> <ol>
<li>Using actions in the manner recommended in the <li>The /etc/init.d/shorewall script installed on Debian by
documentation results in a Warning that the rule is a policy.</li> install.sh failed silently due to a missing file
<li>When a zone on a single interface is defined using (/usr/share/shorewall/wait4ifup). That file is not part of the normal
/etc/shorewall/hosts, superfluous rules are generated in the Shorewall distribution and is provided by the Debian maintainer.</li>
&lt;zone&gt;_frwd chain.</li> <li>A meaningless warning message out of the proxyarp file
<li>Thanks to Sean Mathews, a long-standing problem with Proxy processing has been eliminated.</li>
ARP and IPSEC has been corrected. Thanks Sean!!!</li> <li>The "shorewall delete" command now correctly removes all
<li>The "shorewall show log" and "shorewall logwatch" commands dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
incorrectly displayed type 3 ICMP packets.<br> Engel for this correction.</li>
</li>
</ol> </ol>
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:<br> Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:<br>
<br>
<ol> <ol>
<li>The function of 'norfc1918' is now split between that <li>Extension Scripts -- In order for extension scripts to work
option and a new 'nobogons' option.<br> properly with the new iptables-save/restore integration (see New
Feature 1 below), some change may be required to your extension
scripts. If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file
(a temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).<br>
<br> <br>
The rfc1918 file released with Shorewall now contains entries for only The following functions should be of help:<br>
those three address ranges reserved by RFC 1918. A 'nobogons' interface
option has been added which handles bogon source addresses (those which
are reserved by the IANA, those reserved for DHCP auto-configuration
and the class C test-net reserved for testing and documentation
examples). This will allow users to perform RFC 1918 filtering without
having to deal with out of date data from IANA. Those who are willing
to update their /usr/share/shorewall/bogons file regularly can specify
the 'nobogons' option in addition to 'norfc1918'.<br>
<br> <br>
The level at which bogon packets are logged is specified in the new A. save_command() -- saves the passed command to the restore file.<br>
BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not <br>
specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon &nbsp;&nbsp;&nbsp; Example:<br>
packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are <br>
logged at the 'info' level.</li> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; save_command echo Operation
Complete<br>
<br>
&nbsp;&nbsp; That command would simply write "echo Operation Complete"
to the restore file.<br>
<br>
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.<br>
<br>
&nbsp; &nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; run_and_save_command "echo 1 &gt;
/proc/sys/net/ipv4/icmp_echo_ignore_all"<br>
<br>
&nbsp;&nbsp;&nbsp; Note that as in this example, when the command
involves file redirection then the entire command must be enclosed in
quotes. This applies to all of the functions described here.<br>
<br>
C. ensure_and_save_command() -- runs the passed command. If the command
fails, the firewall is restored to it's prior saved state and the
operation is terminated. If the command succeeds, the command is
written to the restore file.<br>
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
"shorewall add" and "shorewall delete commands, you should set
DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.</li>
</ol> </ol>
New Features:<br> New Features:<br>
<br>
<ol> <ol>
<li>Support for Bridging Firewalls has been added. For details, <li>Shorewall has now been integrated with
see<br> iptables-save/iptables-restore to provide very fast start and restart.
The elements of this integration are as follows:<br>
<br> <br>
<a href="http://shorewall.net/bridge.html">http://shorewall.net/bridge.html</a><br> a) The 'shorewall save' command now saves the current configuration in
addition to the current dynamic blacklist. If you have dynamic zones,
you will want to issue 'shorewall save' when the zones are empty or the
current contents of the zones will be restored by the 'shorewall
restore' and 'shorewall -f start' commands.<br>
<br>
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.<br>
<br>
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there is no
saved configuration, a normal 'shorewall start' is performed.<br>
<br>
d) The /etc/init.d/shorewall script now translates the 'start' command
into 'shorewall -f start' so that fast restart is possible.<br>
<br>
e) When a state-changing command encounters an error and there is
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).<br>
<br>
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command. WARNING:
iptables 1.2.9 is broken with respect to iptables-save; if your kernel
has connection tracking match support, you must patch iptables 1.2.9
with the iptables patch availale from the Shorewall errata page.<br>
<br> <br>
</li> </li>
<li>Support for NETMAP has been added. NETMAP allows NAT to be <li>The previous implementation of dynamic zones was difficult
defined between two network:<br> to maintain. I have changed the code to make dynamic zones optional
<br> under the control of the DYNAMIC_ZONES option in
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; /etc/shorewall/shorewall.conf.<br>
a.b.c.1&nbsp;&nbsp;&nbsp; -&gt; x.y.z.1<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
a.b.c.2&nbsp;&nbsp;&nbsp; -&gt; x.y.z.2<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
a.b.c.3&nbsp;&nbsp;&nbsp; -&gt; x.y.z.3<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>
<br>
&nbsp; <a href="http://shorewall.net/netmap.htm">http://shorewall.net/netmap.htm</a><br>
<br> <br>
</li> </li>
<li>The /sbin/shorewall program now accepts a "-x" option to <li>In earlier Shorewall 2.0 releases, Shorewall searches in
cause iptables to print out the actual packet and byte counts rather order the following directories for configuration files.<br>
than abbreviated counts such as "13MB".<br>
<br> <br>
Commands affected by this are:<br> a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) /etc/shorewall<br>
c) /usr/share/shorewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In this release, the CONFIG_PATH option is added to shorewall.conf.
shorewall -x show [ &lt;chain&gt;[ &lt;chain&gt; ...] ]<br> CONFIG_PATH contains a list of directory names separated by colons
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
shorewall -x show tos|mangle<br> "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Shorewall searches for shorewall.conf according to the old rules and
shorewall -x show nat<br> for other configuration files as follows:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>
shorewall -x status<br> a) The directory specified in a 'try' command or specified using the -c
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; option.<br>
shorewall -x monitor [ &lt;interval&gt; ]<br> b) Each directory in $CONFIG_PATH is searched in sequence.<br>
<br>
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall or in
/usr/share/shorewall.<br>
<br>
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to have a
default that differs from mine.<br>
<br> <br>
</li> </li>
<li>Shorewall now traps two common zone definition errors:<br> <li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
<ul> LOCAL column would only take effect if the ALL INTERFACES column also
<li>Including the firewall zone in a /etc/shorewall/hosts contained Yes or yes. Now, the LOCAL columns contents are treated
record.</li> independently of the contents of the ALL INTERFACES column.<br>
<li>Defining an interface for a zone in both
/etc/shorewall/interfaces and /etc/shorewall/hosts.<br>
<br> <br>
</li> </li>
</ul> <li>The folks at Mandrake have created yet another kernel
</li> module naming convention (module names end in "ko.gz"). As a
<li>In the second case, the following will appear during consequence, beginning with this release, if MODULE_SUFFIX isn't
"shorewall [re]start" or "shorewall check":<br> specified in shorewall.conf, then the default value is "o gz ko o.gz
<br> ko.gz".<br>
&nbsp;&nbsp; Determining Hosts in Zones...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error: Invalid zone definition for zone
&lt;name of zone&gt;<br>
&nbsp;&nbsp; Terminated<br>
<br> <br>
</li> </li>
<li>To support bridging, the following options have been added <li>An updated bogons file is included in this release.<br>
to entries in /etc/shorewall/hosts:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; norfc1918<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nobogons<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; blacklist<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcpflags<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nosmurfs<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; newnotsyn<br>
<br>
With the exception of 'newnotsyn', these options are only useful when
the entry refers to a bridge port.<br>
<br>
&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp; #ZONE&nbsp;&nbsp; HOST(S)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
OPTIONS<br>
&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;&nbsp;
br0:eth0&nbsp;&nbsp;&nbsp;&nbsp;
norfc1918,nobogons,blacklist,tcpflags,nosmurfs<br>
<br> <br>
</li> </li>
<li>In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and the
log tag.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT:info:ftp
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 21<br>
<br>
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
length of a log prefix supported by iptables is 29 characters; if a
larger prefix is generated, Shorewall will issue a warning message and
will truncate the prefix to 29 characters.<br>
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
commands. It causes the start, restart, check and refresh commands to
produce much less output so that warning messages are more visible
(when testing this change, I discovered a bug where a bogus warning
message was being generated).<br>
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
that utility is available in the PATH; otherwise, 'insmod' is used.<br>
<br>
</li>
<li>It is now possible to restrict entries in the
/etc/shorewall/masq file to particular protocols and destination
port(s). Two new columns (PROTO and PORT(S)) have been added to the
file.<br>
<br>
Example:<br>
<br>
You want all outgoing SMTP traffic entering the firewall on eth1 to be
sent from eth0 with source IP address 206.124.146.177. You want all
other outgoing traffic from eth1 to be sent from eth0 with source IP
address 206.124.146.176.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.177 tcp&nbsp;&nbsp;&nbsp;&nbsp; 25<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.176<br>
<br>
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!<br>
<br>
Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
the progress message at "shorewall start" would be:<br>
<br>
&nbsp;&nbsp;&nbsp; Masqueraded Networks and Hosts:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (tcp 25) from
10.0.0.0/8 through eth0 using 206.124.146.177<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (all) from 10.0.0.0/8
through eth0 using 206.124.146.176<br>
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
file.<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT+&nbsp;&nbsp;&nbsp; -- Behaves like ACCEPT
with the exception that it exempts matching connections from subsequent
DNAT[-] and REDIRECT[-] rules.<br>
&nbsp;&nbsp;&nbsp; NONAT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Exempts
matching connections from subsequent DNAT[-] and REDIRECT[-] rules.<br>
<br>
</li>
<li>A new extension script 'initdone' has been added. This
script is invoked at the same point as the 'common' script was
previously and is useful for users who mis-used that script under
Shorewall 1.x (the script was intended for adding rules to the 'common'
chain but many users treated it as a script for adding rules before
Shorewall's).<br>
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify settings
in the install.sh script before running it as follows:<br>
<br>
&nbsp;&nbsp;&nbsp; DEST="/etc/rc.d"<br>
&nbsp;&nbsp;&nbsp; INIT="rc.firewall"<br>
<br>
Thanks to Alex Wilms for helping with this change.<br>
</li>
</ol>
<p><b>4/17/2004 - Presentation at LinuxFest NW</b><b><br>
</b></p>
<p>Today I gave a presentation at LinuxFest NW in Bellingham. The
presentation was entitled "<a
href="http://lists.shorewall.net/Shorewall_and_the_Enterprise.htm"
target="_blank">Shorewall
and the Enterprise</a>" and described the history of Shorewall and gave
an overview of its features.<br>
</p>
<ol>
</ol> </ol>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
@ -276,7 +398,7 @@ please consider making a donation to the <a href="http://www.alz.org/"
</tbody> </tbody>
</table> </table>
</div> </div>
<p><font size="2">Updated 04/12/2004 - <a href="support.htm">Tom Eastep</a></font><br> <p><font size="2">Updated 05/10/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p> </p>
</body> </body>
</html> </html>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-07</pubdate> <pubdate>2004-05-09</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -35,8 +35,7 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -45,9 +44,9 @@
<important> <important>
<para>Before attempting installation, I strongly urge you to read and <para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide QuickStart</ulink> Guide for the configuration that most closely matches
for the configuration that most closely matches your own.</para> your own.</para>
</important> </important>
<warning> <warning>
@ -65,15 +64,14 @@
<listitem> <listitem>
<para>Install the RPM</para> <para>Install the RPM</para>
<programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
<note> <note>
<para>Some SuSE users have encountered a problem whereby rpm reports <para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to installed. If this happens, simply use the --nodeps option to rpm.</para>
rpm.</para>
<programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting> <programlisting><filename><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></filename></programlisting>
</note> </note>
<note> <note>
@ -84,10 +82,9 @@
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting> <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of <para>This may be worked around by using the --nodeps option of rpm.</para>
rpm.</para>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note> </note>
</listitem> </listitem>
@ -119,9 +116,9 @@
<important> <important>
<para>Before attempting installation, I strongly urge you to read and <para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide QuickStart</ulink> Guide for the configuration that most closely matches
for the configuration that most closely matches your own.</para> your own.</para>
</important> </important>
<para>To install Shorewall using the tarball and install script:</para> <para>To install Shorewall using the tarball and install script:</para>
@ -137,15 +134,17 @@
</listitem> </listitem>
<listitem> <listitem>
<para>If you are running <ulink <para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
url="http://www.slackware.com">Slackware</ulink>, edit the install.sh you need Shorewall 2.0.2 RC1 or later. You must also edit the
file and change the line</para> install.sh file and change the lines</para>
<programlisting>DEST=""</programlisting> <programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<para>to</para> <para>to</para>
<programlisting>DEST="/etc/rc.d"</programlisting> <programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -160,10 +159,9 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Enable Startup by removing <para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
<filename>/etc/shorewall/startup_disabled</filename> (Debian users (Debian users will edit <filename>/etc/default/shorewall</filename>
will edit <filename>/etc/default/shorewall</filename> and set and set startup=1).</para>
startup=1).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -175,8 +173,7 @@
<listitem> <listitem>
<para>If the install script was unable to configure Shorewall to be <para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
instructions</ulink>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@ -186,16 +183,15 @@
<important> <important>
<para>Before attempting installation, I strongly urge you to read and <para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide QuickStart</ulink> Guide for the configuration that most closely matches
for the configuration that most closely matches your own.</para> your own.</para>
</important> </important>
<para>To install my version of Shorewall on a fresh Bering disk, simply <para>To install my version of Shorewall on a fresh Bering disk, simply
replace the <quote>shorwall.lrp</quote> file on the image with the file replace the <quote>shorwall.lrp</quote> file on the image with the file
that you downloaded. See the <ulink url="two-interface.htm">two-interface that you downloaded. See the <ulink url="two-interface.htm">two-interface
QuickStart Guide</ulink> for information about further steps QuickStart Guide</ulink> for information about further steps required.</para>
required.</para>
</section> </section>
<section id="Upgrade_RPM"> <section id="Upgrade_RPM">
@ -215,23 +211,22 @@
please check your /etc/shorewall/interfaces file to be sure that it please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also, contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4 there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para> upgrade issues</ulink> for details.</para>
</important> </important>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Upgrade the RPM</para> <para>Upgrade the RPM</para>
<programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting> <programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
<note> <note>
<para>Some SuSE users have encountered a problem whereby rpm reports <para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to installed. If this happens, simply use the --nodeps option to rpm.</para>
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note> </note>
<note> <note>
@ -242,17 +237,15 @@
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting> <programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
<para>This may be worked around by using the --nodeps option of <para>This may be worked around by using the --nodeps option of rpm.</para>
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note> </note>
</listitem> </listitem>
<listitem> <listitem>
<para>See if there are any incompatibilities between your <para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as configuration and the new Shorewall version and correct as necessary.</para>
necessary.</para>
<programlisting><command>shorewall check</command></programlisting> <programlisting><command>shorewall check</command></programlisting>
</listitem> </listitem>
@ -282,8 +275,8 @@
please check your /etc/shorewall/interfaces file to be sure that it please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also, contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4 there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink (you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para> upgrade issues</ulink> for details.</para>
</important> </important>
<orderedlist> <orderedlist>
@ -299,15 +292,17 @@
</listitem> </listitem>
<listitem> <listitem>
<para>If you are running <ulink <para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
url="http://www.slackware.com">Slackware</ulink>, edit the install.sh you should use Shorewall 2.0.2 RC1 or later. You must also edit the
file and change the line</para> install.sh file and change the lines</para>
<programlisting>DEST=""</programlisting> <programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<para>to</para> <para>to</para>
<programlisting>DEST="/etc/rc.d"</programlisting> <programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -318,8 +313,7 @@
<listitem> <listitem>
<para>See if there are any incompatibilities between your <para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as configuration and the new Shorewall version and correct as necessary.</para>
necessary.</para>
<programlisting><command>shorewall check</command></programlisting> <programlisting><command>shorewall check</command></programlisting>
</listitem> </listitem>
@ -333,8 +327,7 @@
<listitem> <listitem>
<para>If the install script was unable to configure Shorewall to be <para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
instructions</ulink>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@ -363,7 +356,6 @@
<section> <section>
<title>Uninstall/Fallback</title> <title>Uninstall/Fallback</title>
<para>See <quote><ulink url="fallback.htm">Fallback and <para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
Uninstall</ulink></quote>.</para>
</section> </section>
</article> </article>

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-03</pubdate> <pubdate>2004-05-10</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -27,8 +27,7 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -56,9 +55,9 @@
<listitem> <listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall For example, do NOT install the 1.3.9a firewall script if you are
script if you are running 1.3.7c.</para> running 1.3.7c.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</caution> </caution>
@ -80,8 +79,7 @@
<section> <section>
<title>Bogons File</title> <title>Bogons File</title>
<para><ulink <para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
is the most up to date version of the <ulink is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>.</para> url="Documentation.htm#Bogons">bogons file</ulink>.</para>
</section> </section>
@ -98,22 +96,20 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Modules listed in /etc/shorewall/modules don't load or produce <para>Modules listed in /etc/shorewall/modules don&#39;t load or
errors on Mandrake 10.0 Final.</para> produce errors on Mandrake 10.0 Final.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The <command>shorewall delete</command> command does not <para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being remove all dynamic rules pertaining to the host(s) being deleted.</para>
deleted.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>These problems are corrected in <ulink <para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename>
<filename>/usr/share/shorewall/firewall</filename> as described as described above.</para>
above.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -137,11 +133,10 @@
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename>
<filename>init.debian.sh</filename> file in the Shorewall file in the Shorewall distribution directory (shorewall-2.0.x) with
distribution directory (shorewall-2.0.x) with the updated file the updated file before running <command>install.sh</command> from
before running <command>install.sh</command> from that that directory.</para>
directory.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
@ -163,13 +158,11 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The first problem has been corrected in Shorewall update <para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink <para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described firewall script</ulink> in /usr/share/shorewall as described above.</para>
above.</para>
</section> </section>
</section> </section>
@ -186,7 +179,8 @@
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs, <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink>.</para> patch</ulink> or you need to use the <ulink
url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para>
</section> </section>
<section> <section>
@ -197,151 +191,30 @@
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen --reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at kernel patch and precompiled modules to fix this problem are available at
<ulink <ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note> <note>
<para>RedHat have corrected this problem in their 2.4.20-27.x <para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
kernels.</para>
</note> </note>
</section> </section>
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory> <para><revhistory><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
<revision> link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
<revnumber>1.12</revnumber> Alex Wilms&#39;s &#34;install.sh&#34; fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
Stefan Engel&#39;s &#34;shorewall delete&#34; fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add
<date>2004-05-04</date> iptables 1.2.9 iptables-save bug notice.</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-04-21</date><authorinitials>TE</authorinitials><revremark>Debian
initialization script problem. Deleted obsolete sections.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-20</date><authorinitials>TE</authorinitials><revremark>Updated
<authorinitials>TE</authorinitials> RFC1918 and BOGONS files.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-03-17</date><authorinitials>TE</authorinitials><revremark>Action
<revremark>Add Alex Wilms's "install.sh" fix.</revremark> rules are reported as policies.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-03</date><authorinitials>TE</authorinitials><revremark>Update
</revision> for Shorewall 2.0.0.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
<revision> template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
<revnumber>1.11</revnumber> note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
<date>2004-05-03</date> Conversion to Docbook XML</revremark></revision></revhistory></para>
<authorinitials>TE</authorinitials>
<revremark>Add Stefan Engel's "shorewall delete" fix.</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-04-28</date>
<authorinitials>TE</authorinitials>
<revremark>Add iptables 1.2.9 iptables-save bug notice.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-04-21</date>
<authorinitials>TE</authorinitials>
<revremark>Debian initialization script problem. Deleted obsolete
sections.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-20</date>
<authorinitials>TE</authorinitials>
<revremark>Updated RFC1918 and BOGONS files.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-03-20</date>
<authorinitials>TE</authorinitials>
<revremark>Proxy ARP/IPSEC fix.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-03-17</date>
<authorinitials>TE</authorinitials>
<revremark>Action rules are reported as policies.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-02-03</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0.0.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2004-01-19</date>
<authorinitials>TE</authorinitials>
<revremark>IPV6 address problems. Make RFC1918 file section more
prominent.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-14</date>
<authorinitials>TE</authorinitials>
<revremark>Confusing template file in 1.4.9</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Added note about REJECT RedHat Kernal problem being
corrected.</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Updated RFC1918 file</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-17</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Conversion to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix> </appendix>
</article> </article>

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-04-24</pubdate> <pubdate>2004-05-09</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
@ -223,6 +223,22 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 23</programlisting> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 23</programlisting>
</section> </section>
<section>
<title>TFTP</title>
<para>You must have TFTP connection tracking support in your kernel. If
modularized, the modules are <emphasis role="bold">ip_conntrack_tftp</emphasis>
(and <emphasis role="bold">ip_nat_tftp</emphasis> if any form of NAT is
involved) These modules may be loaded using entries in
<filename>/etc/shorewall/modules</filename>. The <emphasis role="bold">ip_conntrack_tftp</emphasis>
module must be loaded first. Note that the <filename>/etc/shorewall/modules</filename>
file released with recent Shorewall versions contains entries for these
modules.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 69</programlisting>
</section>
<section> <section>
<title>Traceroute</title> <title>Traceroute</title>
@ -280,7 +296,8 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised <para><revhistory><revision><revnumber>1.10</revnumber><date>2004-05-09</date><authorinitials>TE</authorinitials><revremark>Added
TFTP.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised
ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added
SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-04</pubdate> <pubdate>2004-05-10</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -29,8 +29,7 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -65,8 +64,13 @@
</listitem> </listitem>
<listitem> <listitem>
<para>start -- invoked after the firewall has been started or <para>initdone (added in Shorewall 2.0.2 RC1) -- invoked after Shorewall
restarted.</para> has flushed all existing rules but before any rules have been added to
the builtin chains.</para>
</listitem>
<listitem>
<para>start -- invoked after the firewall has been started or restarted.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -94,8 +98,8 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the <para><emphasis role="bold">If your version of Shorewall doesn&#39;t have
file that you want to use from the above list, you can simply create the the file that you want to use from the above list, you can simply create the
file yourself.</emphasis> You can also supply a script with the same name as file yourself.</emphasis> You can also supply a script with the same name as
any of the filter chains in the firewall and the script will be invoked any of the filter chains in the firewall and the script will be invoked
after the /etc/shorewall/rules file has been processed but before the after the /etc/shorewall/rules file has been processed but before the
@ -110,10 +114,10 @@
<command>run_iptables</command> instead. <command>run_iptables</command> <command>run_iptables</command> instead. <command>run_iptables</command>
will run the iptables utility passing the arguments to will run the iptables utility passing the arguments to
<command>run_iptables</command> and if the command fails, the firewall <command>run_iptables</command> and if the command fails, the firewall
will be stopped (Shorewall version &lt; 2.0.2 Beta 1 or there is no will be stopped (Shorewall version &#60; 2.0.2 Beta 1 or there is no
<filename>/var/lib/shorewall/restore</filename> file) or restored <filename>/var/lib/shorewall/restore</filename> file) or restored
(Shorewall version &gt;= 2.0.2 Beta 1 and (Shorewall version &#62;= 2.0.2 Beta 1 and <filename>/var/lib/shorewall/restore</filename>
<filename>/var/lib/shorewall/restore</filename> exists).</para> exists).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -121,13 +125,11 @@
commands other than <command>iptables</command> that must be re-run in commands other than <command>iptables</command> that must be re-run in
order to restore the firewall to its current state then you must save order to restore the firewall to its current state then you must save
the commands to the <firstterm>restore file</firstterm>. The restore the commands to the <firstterm>restore file</firstterm>. The restore
file is a temporary file in <filename file is a temporary file in <filename class="directory">/var/lib/shorewall</filename>
class="directory">/var/lib/shorewall</filename> that will be renamed that will be renamed <filename>/var/lib/shorewall/restore-base</filename>
<filename>/var/lib/shorewall/restore-base</filename> at the successful at the successful completion of the Shorewall command. The
completion of the Shorewall command. The <command>shorewall <command>shorewall save</command> command combines <filename>/var/lib/shorewall/restore-base</filename>
save</command> command combines with the output of <command>iptables-save</command> to produce the
<filename>/var/lib/shorewall/restore-base</filename> with the output of
<command>iptables-save</command> to produce the
<filename>/var/lib/shorewall/restore</filename> script.</para> <filename>/var/lib/shorewall/restore</filename> script.</para>
<para>Here are three functions that are useful when running commands <para>Here are three functions that are useful when running commands
@ -140,15 +142,15 @@
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para> <para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
<para>That command would simply write "echo Operation Complete" to <para>That command would simply write &#34;echo Operation
the restore file.</para> Complete&#34; to the restore file.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">run_and_save_command()</emphasis> -- <para><emphasis role="bold">run_and_save_command()</emphasis> --
saves the passed command to the restore file then executes it. The saves the passed command to the restore file then executes it. The
return value is the exit status of the command. Example: return value is the exit status of the command. Example:
<programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para> <programlisting>run_and_save_command &#34;echo 1 &#62; /proc/sys/net/ipv4/icmp_echo_ignore_all&#34;</programlisting></para>
<para>Note that as in this example, when the command involves file <para>Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This redirection then the entire command must be enclosed in quotes. This
@ -158,21 +160,21 @@
<listitem> <listitem>
<para><emphasis role="bold">ensure_and_save_command()</emphasis> -- <para><emphasis role="bold">ensure_and_save_command()</emphasis> --
runs the passed command. If the command fails, the firewall is runs the passed command. If the command fails, the firewall is
restored to it's prior saved state and the operation is terminated. restored to it&#39;s prior saved state and the operation is
If the command succeeds, the command is written to the restore terminated. If the command succeeds, the command is written to the
file</para> restore file</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common <para>Beginning with Shorewall 2.0.0, you can also define a
action</emphasis> to be performed immediately before a policy of ACCEPT, <emphasis>common action</emphasis> to be performed immediately before a
DROP or REJECT is applied. Separate <ulink policy of ACCEPT, DROP or REJECT is applied. Separate <ulink
url="User_defined_Actions.html">actions</ulink> can be assigned to each url="User_defined_Actions.html">actions</ulink> can be assigned to each
policy type so for example you can have a different common action for DROP policy type so for example you can have a different common action for DROP
and REJECT policies. The most common usage of common actions is to silently and REJECT policies. The most common usage of common actions is to silently
drop traffic that you don't wish to have logged by the policy.</para> drop traffic that you don&#39;t wish to have logged by the policy.</para>
<para>As released, Shorewall defines a number of actions which are cataloged <para>As released, Shorewall defines a number of actions which are cataloged
in the <filename>/usr/share/shorewall/actions.std</filename> file. That file in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
@ -195,10 +197,10 @@ Reject:REJECT</programlisting>
<para>One final note. The chain created to perform an action has the same <para>One final note. The chain created to perform an action has the same
name as the action. You can use an extension script by that name to add name as the action. You can use an extension script by that name to add
rules to the action's chain in the same way as you can any other chain. So rules to the action&#39;s chain in the same way as you can any other chain.
if you create the new action <quote>Dagger</quote> and define it in So if you create the new action <quote>Dagger</quote> and define it in
<filename>/etc/shorewall/action.Dagger</filename>, you can also have an <filename>/etc/shorewall/action.Dagger</filename>, you can also have an
extension script named <filename>/etc/shorewall/Dagger</filename> that can extension script named <filename>/etc/shorewall/Dagger</filename> that can
add rules to the <quote>Dagger</quote> chain that can't be created using add rules to the <quote>Dagger</quote> chain that can&#39;t be created using
<filename>/etc/shorewall/action.Dagger</filename>.</para> <filename>/etc/shorewall/action.Dagger</filename>.</para>
</article> </article>

View File

@ -30,8 +30,7 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="copyright.htm">GNU Free Documentation <quote><ulink type="" url="copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -42,10 +41,10 @@
the version number mentioned in the section title is later than what you the version number mentioned in the section title is later than what you
are currently running.</para> are currently running.</para>
<para>In the descriptions that follows, the term <para>In the descriptions that follows, the term <emphasis>group</emphasis>
<emphasis>group</emphasis> refers to a particular network or subnetwork refers to a particular network or subnetwork (which may be
(which may be <literal>0.0.0.0/0</literal> or it may be a host address) <literal>0.0.0.0/0</literal> or it may be a host address) accessed through
accessed through a particular interface.</para> a particular interface.</para>
<para>Examples:</para> <para>Examples:</para>
@ -62,7 +61,20 @@
</section> </section>
<section> <section>
<title>Version &gt;= 2.0.2 Beta 1</title> <title>Version &#62;= 2.0.2 RC1</title>
<itemizedlist>
<listitem>
<para>If you are upgrading from Shorewall 1.4.x and you have commands
in your <filename>/etc/shorewall/common</filename> file that are not
directly related to the <emphasis role="bold">common</emphasis> chain
then you will want to move those commands to <filename>/etc/shorewall/initdone</filename>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 2.0.2 Beta 1</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -72,12 +84,11 @@
scripts.</para> scripts.</para>
<para>If your extension scripts are executing commands other than <para>If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file <command>iptables</command> then those commands must also be written
(a temporary file in <filename to the restore file (a temporary file in <filename class="directory">/var/lib/shorewall</filename>
class="directory">/var/lib/shorewall</filename> that is renamed that is renamed <filename>/var/lib/shorewall/restore-base</filename>
<filename>/var/lib/shorewall/restore-base</filename> at the at the completeion of the <filename>/sbin/shorewall</filename>
completeion of the <filename>/sbin/shorewall</filename> command). The command). The following functions should be of help:</para>
following functions should be of help:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -86,14 +97,14 @@
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para> <para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
<para>That command would simply write "echo Operation Complete" to <para>That command would simply write &#34;echo Operation
the restore file.</para> Complete&#34; to the restore file.</para>
</listitem> </listitem>
<listitem> <listitem>
<para> run_and_save_command() -- saves the passed command to the <para>run_and_save_command() -- saves the passed command to the
restore file then executes it. The return value is the exit status restore file then executes it. The return value is the exit status
of the command. Example: <programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para> of the command. Example: <programlisting>run_and_save_command &#34;echo 1 &#62; /proc/sys/net/ipv4/icmp_echo_ignore_all&#34;</programlisting></para>
<para>Note that as in this example, when the command involves file <para>Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. redirection then the entire command must be enclosed in quotes.
@ -102,55 +113,54 @@
<listitem> <listitem>
<para>ensure_and_save_command() -- runs the passed command. If the <para>ensure_and_save_command() -- runs the passed command. If the
command fails, the firewall is restored to it's prior saved state command fails, the firewall is restored to it&#39;s prior saved
and the operation is terminated. If the command succeeds, the state and the operation is terminated. If the command succeeds,
command is written to the restore file</para> the command is written to the restore file</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>Dynamic Zone support. - If you don't need to use the <para>Dynamic Zone support. - If you don&#39;t need to use the
<command>shorewall add</command> and <command>shorewall <command>shorewall add</command> and <command>shorewall delete</command>
delete</command> commands, you should set DYNAMIC_ZONES=No in commands, you should set DYNAMIC_ZONES=No in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 2.0.1</title> <title>Version &#62;= 2.0.1</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The function of 'norfc1918' is now split between that option and <para>The function of &#39;norfc1918&#39; is now split between that
a new 'nobogons' option. The rfc1918 file released with Shorewall now option and a new &#39;nobogons&#39; option. The rfc1918 file released
contains entries for only those three address ranges reserved by RFC with Shorewall now contains entries for only those three address
1918. A 'nobogons' interface option has been added which handles bogon ranges reserved by RFC 1918. A &#39;nobogons&#39; interface option has
source addresses (those which are reserved by the IANA, those reserved been added which handles bogon source addresses (those which are
for DHCP auto-configuration and the class C test-net reserved for reserved by the IANA, those reserved for DHCP auto-configuration and
testing and documentation examples). This will allow users to perform the class C test-net reserved for testing and documentation examples).
RFC 1918 filtering without having to deal with out of date data from This will allow users to perform RFC 1918 filtering without having to
IANA. Those who are willing to update their deal with out of date data from IANA. Those who are willing to update
<filename>/usr/share/shorewall/bogons</filename> file regularly can their <filename>/usr/share/shorewall/bogons</filename> file regularly
specify the 'nobogons' option in addition to 'norfc1918'. The level at can specify the &#39;nobogons&#39; option in addition to
which bogon packets are logged is specified in the new BOGON_LOG_LEVEL &#39;norfc1918&#39;. The level at which bogon packets are logged is
variable in shorewall.conf. If that option is not specified or is specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If
specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose that option is not specified or is specified as empty (e.g,
TARGET is 'logdrop' in BOGON_LOG_LEVEL=&#34;&#34;) then bogon packets whose TARGET is
<filename>/usr/share/shorewall/bogons</filename> are logged at the &#39;logdrop&#39; in <filename>/usr/share/shorewall/bogons</filename>
'info' level.</para> are logged at the &#39;info&#39; level.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>VERSION &gt;= 2.0.0-Beta1</title> <title>VERSION &#62;= 2.0.0-Beta1</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The 'dropunclean' and 'logunclean' interface options are no <para>The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
longer supported. If either option is specified in options are no longer supported. If either option is specified in
<filename>/etc/shorewall/interfaces</filename>, a threatening message <filename>/etc/shorewall/interfaces</filename>, a threatening message
will be generated.</para> will be generated.</para>
</listitem> </listitem>
@ -159,19 +169,18 @@
<para>The NAT_BEFORE_RULES option has been removed from <para>The NAT_BEFORE_RULES option has been removed from
<filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is <filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
rules now always take precidence over one-to-one NAT rules now always take precidence over one-to-one NAT specifications.</para>
specifications.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The default value for the ALL INTERFACES column in <para>The default value for the ALL INTERFACES column in
<filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*, <filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
if the column was left empty, a value of "Yes" was assumed. This has if the column was left empty, a value of &#34;Yes&#34; was assumed.
been changed so that a value of "No" is now assumed.</para> This has been changed so that a value of &#34;No&#34; is now assumed.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The following files don't exist in Shorewall 2.0:</para> <para>The following files don&#39;t exist in Shorewall 2.0:</para>
<simplelist> <simplelist>
<member><filename>/etc/shorewall/common.def</filename></member> <member><filename>/etc/shorewall/common.def</filename></member>
@ -181,14 +190,13 @@
<member><filename>/etc/shorewall/icmpdef</filename></member> <member><filename>/etc/shorewall/icmpdef</filename></member>
<member><filename>/etc/shorewall/action.template</filename> (moved <member><filename>/etc/shorewall/action.template</filename> (moved
to to <filename>/usr/share/shorewall/action.template</filename>)</member>
<filename>/usr/share/shorewall/action.template</filename>)</member>
</simplelist> </simplelist>
<para>The <filename>/etc/shorewall/action</filename> file now allows <para>The <filename>/etc/shorewall/action</filename> file now allows
an action to be designated as the "common" action for a particular an action to be designated as the &#34;common&#34; action for a
policy type by following the action name with ":" and the policy particular policy type by following the action name with &#34;:&#34;
(DROP, REJECT or ACCEPT).</para> and the policy (DROP, REJECT or ACCEPT).</para>
<para>The file /usr/share/shorewall/actions.std has been added to <para>The file /usr/share/shorewall/actions.std has been added to
define those actions that are released as part of Shorewall 2.0 In define those actions that are released as part of Shorewall 2.0 In
@ -204,29 +212,28 @@
policies while the <quote>Reject</quote> action is the default action policies while the <quote>Reject</quote> action is the default action
for REJECT policies. These actions will be performed on packets prior for REJECT policies. These actions will be performed on packets prior
to applying the DROP or REJECT policy respectively. In the first to applying the DROP or REJECT policy respectively. In the first
release, the difference between "Reject" and "Drop" is that "Reject" release, the difference between &#34;Reject&#34; and &#34;Drop&#34; is
REJECTs SMB traffic while "Drop" silently drops such traffic.</para> that &#34;Reject&#34; REJECTs SMB traffic while &#34;Drop&#34;
silently drops such traffic.</para>
<para>As described above, Shorewall allows a common action for ACCEPT <para>As described above, Shorewall allows a common action for ACCEPT
policies but does not specify such an action in the default policies but does not specify such an action in the default
configuration.</para> configuration.</para>
<para>For more information see the <ulink <para>For more information see the <ulink
url="User_defined_Actions.html">User-defined Action url="User_defined_Actions.html">User-defined Action Page</ulink>.</para>
Page</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The <filename>/etc/shorewall</filename> directory no longer <para>The <filename>/etc/shorewall</filename> directory no longer
contains <filename>users</filename> file or a contains <filename>users</filename> file or a <filename>usersets</filename>
<filename>usersets</filename> file. Similar functionality is now file. Similar functionality is now available using user-defined
available using user-defined actions.</para> actions.</para>
<para>Now, action files created by copying <para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>
<filename>/usr/share/shorewall/action.template</filename> may now may now specify a USER and or GROUP name/id in the final column just
specify a USER and or GROUP name/id in the final column just like in like in the rules file (see below). It is thus possible to create
the rules file (see below). It is thus possible to create actions that actions that control traffic from a list of users and/or groups.</para>
control traffic from a list of users and/or groups.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -234,69 +241,64 @@
now labeled USER/GROUP and may contain:</para> now labeled USER/GROUP and may contain:</para>
<simplelist> <simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member> <member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member> <member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member> <member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member> <member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user <member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&gt;:&lt;<emphasis>group number</emphasis>&#62;</member>
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&gt;:&lt;<emphasis>group number</emphasis>&#62;</member>
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
inumber</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&#62;</member>
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member> name</emphasis>&#62;</member>
</simplelist> </simplelist>
</listitem> </listitem>
<listitem> <listitem>
<para>If your kernel has IPV6 support (recent <para>If your kernel has IPV6 support (recent <trademark>SuSe</trademark>
<trademark>SuSe</trademark> for example), and you don't use IPV6 then for example), and you don&#39;t use IPV6 then you will probably want
you will probably want to set DISABLE_IPV6=Yes in <ulink to set DISABLE_IPV6=Yes in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
You must have ipv6tables installed.</para> You must have ipv6tables installed.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.8</title> <title>Version &#62;= 1.4.8</title>
<itemizedlist mark="bullet"> <itemizedlist mark="bullet">
<listitem> <listitem>
<para>The meaning of <varname>ROUTE_FILTER=Yes</varname> has changed. <para>The meaning of <varname>ROUTE_FILTER=Yes</varname> has changed.
Previously this setting was documented as causing route filtering to Previously this setting was documented as causing route filtering to
occur on all network interfaces; this didn't work. Beginning with this occur on all network interfaces; this didn&#39;t work. Beginning with
release, <varname>ROUTE_FILTER=Yes</varname> causes route filtering to this release, <varname>ROUTE_FILTER=Yes</varname> causes route
occur on all interfaces brought up while Shorewall is running. This filtering to occur on all interfaces brought up while Shorewall is
means that it may be appropriate to set running. This means that it may be appropriate to set
<varname>ROUTE_FILTER=Yes</varname> and use the routefilter option in <varname>ROUTE_FILTER=Yes</varname> and use the routefilter option in
<filename <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
entries.</para> entries.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.6</title> <title>Version &#62;= 1.4.6</title>
<itemizedlist mark="bullet"> <itemizedlist mark="bullet">
<listitem> <listitem>
<para>The <varname>NAT_ENABLED</varname>, <para>The <varname>NAT_ENABLED</varname>, <varname>MANGLE_ENABLED</varname>
<varname>MANGLE_ENABLED</varname> and <varname>MULTIPORT</varname> and <varname>MULTIPORT</varname> options have been removed from
options have been removed from <filename>shorewall.conf</filename>. <filename>shorewall.conf</filename>. These capabilities are now
These capabilities are now automatically detected by Shorewall.</para> automatically detected by Shorewall.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -312,48 +314,39 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.4</title> <title>Version &#62;= 1.4.4</title>
<para>If you are upgrading from 1.4.3 and have set the <para>If you are upgrading from 1.4.3 and have set the <varname>LOGMARKER</varname>
<varname>LOGMARKER</varname> variable in <filename variable in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
then you must set the new <varname>LOGFORMAT</varname> variable then you must set the new <varname>LOGFORMAT</varname> variable
appropriately and remove your setting of appropriately and remove your setting of <varname>LOGMARKER</varname>.</para>
<varname>LOGMARKER</varname>.</para>
</section> </section>
<section> <section>
<title>Version 1.4.4</title> <title>Version 1.4.4</title>
<para>If you have zone names that are 5 characters long, you may <para>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the experience problems starting Shorewall because the <option>--log-prefix</option>
<option>--log-prefix</option> in a logging rule is too long. Upgrade to in a logging rule is too long. Upgrade to Version 1.4.4a to fix this
Version 1.4.4a to fix this problem.</para> problem.</para>
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.2</title> <title>Version &#62;= 1.4.2</title>
<para>There are some cases where you may want to handle traffic from a <para>There are some cases where you may want to handle traffic from a
particular group to itself. While I personally think that such a setups particular group to itself. While I personally think that such a setups
are ridiculous, there are two cases covered in this documentation where it are ridiculous, there are two cases covered in this documentation where it
can occur: <itemizedlist> can occur: <itemizedlist><listitem><para><ulink url="FAQ.htm#faq2">In FAQ
<listitem> #2</ulink></para></listitem><listitem><para><ulink
<para><ulink url="FAQ.htm#faq2">In FAQ #2</ulink></para> url="Shorewall_Squid_Usage.html">When running <application>Squid</application>
</listitem> as a transparent proxy in your local zone.</ulink></para></listitem></itemizedlist>
If you have either of these cases, you will want to review the current
<listitem> documentation and change your configuration accordingly.</para>
<para><ulink url="Shorewall_Squid_Usage.html">When running
<application>Squid</application> as a transparent proxy in your
local zone.</ulink></para>
</listitem>
</itemizedlist> If you have either of these cases, you will want to
review the current documentation and change your configuration
accordingly.</para>
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.1</title> <title>Version &#62;= 1.4.1</title>
<itemizedlist mark="bullet"> <itemizedlist mark="bullet">
<listitem> <listitem>
@ -362,10 +355,11 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
was treated just like any other traffic; any matching rules were was treated just like any other traffic; any matching rules were
applied followed by enforcement of the appropriate policy. With 1.4.1 applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) to Z or you have an explicit Z to Z policy (where &#34;Z&#34; is some
then traffic between the groups in zone Z will be accepted. If you do zone) then traffic between the groups in zone Z will be accepted. If
have one or more explicit rules for Z to Z or if you have an explicit you do have one or more explicit rules for Z to Z or if you have an
Z to Z policy then the behavior is as it was in prior versions.</para> explicit Z to Z policy then the behavior is as it was in prior
versions.</para>
<orderedlist numeration="arabic"> <orderedlist numeration="arabic">
<listitem> <listitem>
@ -377,29 +371,26 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
<listitem> <listitem>
<para>If you have a Z Z DROP or Z Z REJECT policy or you have <para>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any Z-&#62;Z rules then your configuration should not require any
change.</para> change.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If you are currently relying on a implicit policy (one that <para>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent has &#34;all&#34; in either the SOURCE or DESTINATION column) to
traffic between two interfaces to a zone Z and you have no rules prevent traffic between two interfaces to a zone Z and you have no
for Z-&gt;Z then you should add an explicit DROP or REJECT policy rules for Z-&#62;Z then you should add an explicit DROP or REJECT
for Z to Z.</para> policy for Z to Z.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>Sometimes, you want two separate zones on one interface but you <para>Sometimes, you want two separate zones on one interface but you
don't want Shorewall to set up any infrastructure to handle traffic don&#39;t want Shorewall to set up any infrastructure to handle
between them. <example> traffic between them. <example><title>The <filename>zones</filename>,
<title>The <filename>zones</filename>, <filename>interfaces</filename> and, <filename>hosts</filename> file
<filename>interfaces</filename> and, <filename>hosts</filename> contents</title><programlisting>
file contents</title>
<programlisting>
<filename class="directory">/etc/shorewall/</filename><filename>zones</filename> <filename class="directory">/etc/shorewall/</filename><filename>zones</filename>
z1 Zone1 The first Zone z1 Zone1 The first Zone
z2 Zone2 The second Zone z2 Zone2 The second Zone
@ -409,21 +400,17 @@ z2 eth1 192.168.1.255
<filename class="directory">/etc/shorewall/</filename><filename>hosts</filename> <filename class="directory">/etc/shorewall/</filename><filename>hosts</filename>
z1 eth1:192.168.1.3 z1 eth1:192.168.1.3
</programlisting> </programlisting></example> Here, zone z1 is nested in zone z2 and the
</example> Here, zone z1 is nested in zone z2 and the firewall is firewall is not going to be involved in any traffic between these two
not going to be involved in any traffic between these two zones. zones. Beginning with Shorewall 1.4.1, you can prevent Shorewall from
Beginning with Shorewall 1.4.1, you can prevent Shorewall from setting setting up any infrastructure to handle traffic between z1 and z2 by
up any infrastructure to handle traffic between z1 and z2 by using the using the new NONE policy: <example><title>The contents of
new NONE policy: <example> <filename>policy</filename></title><programlisting>
<title>The contents of <filename>policy</filename></title>
<programlisting>
<filename class="directory">/etc/shorewall/</filename><filename>policy</filename> <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
z1 z2 NONE z1 z2 NONE
z2 z1 NONE z2 z1 NONE
</programlisting> </programlisting></example> Note that NONE policies are generally used in
</example> Note that NONE policies are generally used in pairs pairs unless there is asymetric routing where only the traffic on one
unless there is asymetric routing where only the traffic on one
direction flows through the firewall and you are using a NONE polciy direction flows through the firewall and you are using a NONE polciy
in the other direction.</para> in the other direction.</para>
</listitem> </listitem>
@ -436,21 +423,21 @@ z2 z1 NONE
<itemizedlist mark="bullet"> <itemizedlist mark="bullet">
<listitem> <listitem>
<para>In Version 1.4.1, Shorewall will never create rules to deal with <para>In Version 1.4.1, Shorewall will never create rules to deal with
traffic from a given group back to itself. The traffic from a given group back to itself. The <varname>multi</varname>
<varname>multi</varname> interface option is no longer available so if interface option is no longer available so if you want to route
you want to route traffic between two subnetworks on the same traffic between two subnetworks on the same interface then I recommend
interface then I recommend that you upgrade to Version 1.4.2 and use that you upgrade to Version 1.4.2 and use the <varname>routeback</varname>
the <varname>routeback</varname> interface or host option.</para> interface or host option.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 1.4.0</title> <title>Version &#62;= 1.4.0</title>
<important> <important>
<para>Shorewall &gt;=1.4.0 requires the <command>iproute</command> <para>Shorewall &#62;=1.4.0 requires the <command>iproute</command>
package ('<literal>ip</literal>' utility).</para> package (&#39;<literal>ip</literal>&#39; utility).</para>
</important> </important>
<note> <note>
@ -458,89 +445,46 @@ z2 z1 NONE
<command>iproute2</command> which will cause the upgrade of Shorewall to <command>iproute2</command> which will cause the upgrade of Shorewall to
fail with the diagnostic: <synopsis> fail with the diagnostic: <synopsis>
error: failed dependencies:iproute is needed by shorewall-1.4.0-1 error: failed dependencies:iproute is needed by shorewall-1.4.0-1
</synopsis> This may be worked around by using the </synopsis> This may be worked around by using the <option>--nodeps</option>
<option>--nodeps</option> option of <command>rpm</command> (<command>rpm option of <command>rpm</command> (<command>rpm -Uvh --nodeps
-Uvh --nodeps
<filename>your_shorewall_rpm.rpm</filename></command>).</para> <filename>your_shorewall_rpm.rpm</filename></command>).</para>
</note> </note>
<para>If you are upgrading from a version &lt; 1.4.0, then: <itemizedlist <para>If you are upgrading from a version &#60; 1.4.0, then: <itemizedlist
mark="bullet"> mark="bullet"><listitem><para>The <varname>noping</varname> and
<listitem> <varname>forwardping</varname> interface options are no longer supported
<para>The <varname>noping</varname> and nor is the <varname>FORWARDPING</varname> option in <filename>shorewall.conf</filename>.
<varname>forwardping</varname> interface options are no longer ICMP echo-request (ping) packets are treated just like any other
supported nor is the <varname>FORWARDPING</varname> option in connection request and are subject to rules and policies.</para></listitem><listitem><para>Interface
<filename>shorewall.conf</filename>. ICMP echo-request (ping) names of the form <varname>&#60;device&#62;:&#60;integer&#62;</varname> in
packets are treated just like any other connection request and are <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
subject to rules and policies.</para>
</listitem>
<listitem>
<para>Interface names of the form
<varname>&lt;device&gt;:&lt;integer&gt;</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
now generate a Shorewall error at startup (they always have produced now generate a Shorewall error at startup (they always have produced
warnings in <application warnings in <application class="software">iptables</application>).</para></listitem><listitem><para>The
class="software">iptables</application>).</para> <varname>MERGE_HOSTS</varname> variable has been removed from
</listitem> <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like 1.3 did
when <varname>MERGE_HOSTS=Yes</varname>; that is zone contents are
<listitem> determined by <emphasis>BOTH</emphasis> the interfaces and hosts files
<para>The <varname>MERGE_HOSTS</varname> variable has been removed when there are entries for the zone in both files.</para></listitem><listitem><para>The
from <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like <varname>routestopped</varname> option in the interfaces and hosts file
1.3 did when <varname>MERGE_HOSTS=Yes</varname>; that is zone has been eliminated; use entries in the <filename>routestopped</filename>
contents are determined by <emphasis>BOTH</emphasis> the interfaces file instead.</para></listitem><listitem><para>The Shorewall 1.2 syntax
and hosts files when there are entries for the zone in both for <varname>DNAT</varname> and <varname>REDIRECT</varname> rules is no
files.</para> longer accepted; you must convert to using the new syntax.</para></listitem><listitem><para>The
</listitem> <varname>ALLOWRELATED</varname> variable in <filename>shorewall.conf</filename>
is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
<listitem> <varname>ALLOWRELATED=Yes</varname>.</para></listitem><listitem><para>Late-arriving
<para>The <varname>routestopped</varname> option in the interfaces DNS replies are now dropped by default; there is no need for your own
and hosts file has been eliminated; use entries in the <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
<filename>routestopped</filename> file instead.</para> file simply to avoid logging these packets.</para></listitem><listitem><para>The
</listitem> <filename>firewall</filename>, <filename>functions</filename> and
<filename>version</filename> files have been moved to <filename
<listitem> class="directory">/usr/share/shorewall</filename>.</para></listitem><listitem><para>The
<para>The Shorewall 1.2 syntax for <varname>DNAT</varname> and <filename>icmp.def</filename> file has been removed. If you include it
<varname>REDIRECT</varname> rules is no longer accepted; you must from <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
convert to using the new syntax.</para> you will need to modify that file.</para></listitem><listitem><para>If you
</listitem> followed the advice in FAQ #2 and call <varname>find_interface_address</varname>
in <filename class="directory">/etc/shorewall/</filename><filename>params</filename>,
<listitem> that code should be moved to <filename class="directory">/etc/shorewall/</filename><filename>init</filename>.</para></listitem></itemizedlist></para>
<para>The <varname>ALLOWRELATED</varname> variable in
<filename>shorewall.conf</filename> is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with
<varname>ALLOWRELATED=Yes</varname>.</para>
</listitem>
<listitem>
<para>Late-arriving DNS replies are now dropped by default; there is
no need for your own <filename
class="directory">/etc/shorewall/</filename><filename>common</filename>
file simply to avoid logging these packets.</para>
</listitem>
<listitem>
<para>The <filename>firewall</filename>,
<filename>functions</filename> and <filename>version</filename>
files have been moved to <filename
class="directory">/usr/share/shorewall</filename>.</para>
</listitem>
<listitem>
<para>The <filename>icmp.def</filename> file has been removed. If
you include it from <filename
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
you will need to modify that file.</para>
</listitem>
<listitem>
<para>If you followed the advice in FAQ #2 and call
<varname>find_interface_address</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>params</filename>,
that code should be moved to <filename
class="directory">/etc/shorewall/</filename><filename>init</filename>.</para>
</listitem>
</itemizedlist></para>
</section> </section>
<section> <section>
@ -551,69 +495,44 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<para>The <varname>multi</varname> interface option is no longer <para>The <varname>multi</varname> interface option is no longer
supported. Shorewall will generate rules for sending packets back out supported. Shorewall will generate rules for sending packets back out
the same interface that they arrived on in two cases: <itemizedlist the same interface that they arrived on in two cases: <itemizedlist
mark="hollow"> mark="hollow"><listitem><para>There is an <emphasis>explicit</emphasis>
<listitem> policy for the source zone to or from the destination zone. An
<para>There is an <emphasis>explicit</emphasis> policy for the explicit policy names both zones and does not use the
source zone to or from the destination zone. An explicit policy <varname>all</varname> reserved word.</para></listitem><listitem><para>There
names both zones and does not use the <varname>all</varname> are one or more rules for traffic for the source zone to or from the
reserved word.</para> destination zone including rules that use the <varname>all</varname>
</listitem> reserved word. Exception: if the source zone and destination zone are
the same then the rule must be explicit - it must name the zone in
<listitem> both the <varname>SOURCE</varname> and <varname>DESTINATION</varname>
<para>There are one or more rules for traffic for the source columns.</para></listitem></itemizedlist></para>
zone to or from the destination zone including rules that use
the <varname>all</varname> reserved word. Exception: if the
source zone and destination zone are the same then the rule must
be explicit - it must name the zone in both the
<varname>SOURCE</varname> and <varname>DESTINATION</varname>
columns.</para>
</listitem>
</itemizedlist></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 1.3.14</title> <title>Version &#62;= 1.3.14</title>
<para>Beginning in version 1.3.14, Shorewall treats entries in <filename <para>Beginning in version 1.3.14, Shorewall treats entries in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> class="directory">/etc/shorewall/</filename><filename>masq</filename>
differently. The change involves entries with an <emphasis differently. The change involves entries with an <emphasis role="bold">interface
role="bold">interface name</emphasis> in the <varname>SUBNET</varname> name</emphasis> in the <varname>SUBNET</varname> (second) <emphasis
(second) <emphasis role="bold">column</emphasis>: <itemizedlist role="bold">column</emphasis>: <itemizedlist mark="bullet"><listitem><para>Prior
mark="bullet"> to 1.3.14, Shorewall would detect the FIRST subnet on the interface (as
<listitem> shown by <quote>ip addr show interface</quote>) and would masquerade
<para>Prior to 1.3.14, Shorewall would detect the FIRST subnet on traffic from that subnet. Any other subnets that routed through
the interface (as shown by <quote>ip addr show interface</quote>) <literal>eth1</literal> needed their own entry in <filename
and would masquerade traffic from that subnet. Any other subnets class="directory">/etc/shorewall/</filename><filename>masq</filename> to
that routed through <literal>eth1</literal> needed their own entry be masqueraded or to have <acronym>SNAT</acronym> applied.</para></listitem><listitem><para>Beginning
in <filename with Shorewall 1.3.14, Shorewall uses the firewall&#39;s routing table to
class="directory">/etc/shorewall/</filename><filename>masq</filename> determine ALL subnets routed through the named interface. Traffic
to be masqueraded or to have <acronym>SNAT</acronym> applied.</para> originating in ANY of those subnets is masqueraded or has SNAT applied.</para></listitem></itemizedlist>
</listitem> You will need to make a change to your configuration if: <orderedlist
numeration="arabic"><listitem><para>You have one or more entries in
<listitem> <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
<para>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's with an interface name in the <varname>SUBNET</varname> (second) column;
routing table to determine ALL subnets routed through the named and</para></listitem><listitem><para>That interface connects to more than
interface. Traffic originating in ANY of those subnets is one subnetwork.</para></listitem></orderedlist> Two examples: <example
masqueraded or has SNAT applied.</para> label="1"><title>Suppose that your current config is as follows:</title><programlisting>
</listitem>
</itemizedlist> You will need to make a change to your configuration if:
<orderedlist numeration="arabic">
<listitem>
<para>You have one or more entries in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename>
with an interface name in the <varname>SUBNET</varname> (second)
column; and</para>
</listitem>
<listitem>
<para>That interface connects to more than one subnetwork.</para>
</listitem>
</orderedlist> Two examples: <example label="1">
<title>Suppose that your current config is as follows:</title>
<programlisting>
<!-- I added a space below the end of the config file for clarity --> <!-- I added a space below the end of the config file for clarity -->
[root@gateway test]# cat /etc/shorewall/masq [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
@ -625,13 +544,10 @@ eth0 192.168.10.0/24 206.124.146.176
192.168.1.0/24 scope link 192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254 192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# [root@gateway test]#
</programlisting> </programlisting></example> In this case, the second entry in <filename
</example> In this case, the second entry in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> is class="directory">/etc/shorewall/</filename><filename>masq</filename> is
no longer required. <example label="2"> no longer required. <example label="2"><title>What if your current
<title>What if your current configuration is like this?</title> configuration is like this?</title><programlisting>
<programlisting>
[root@gateway test]# cat /etc/shorewall/masq [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176 eth0 eth2 206.124.146.176
@ -641,23 +557,20 @@ eth0 eth2 206.124.146.176
192.168.1.0/24 scope link 192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254 192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# [root@gateway test]#
</programlisting> </programlisting></example> In this case, you would want to change the
</example> In this case, you would want to change the entry in entry in /etc/shorewall/masq to: <programlisting>
/etc/shorewall/masq to: <programlisting>
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176 eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting> Version 1.3.14 also introduced simplified ICMP </programlisting> Version 1.3.14 also introduced simplified ICMP
echo-request (ping) handling. The option echo-request (ping) handling. The option <varname>OLD_PING_HANDLING=Yes</varname>
<varname>OLD_PING_HANDLING=Yes</varname> in <filename in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
is used to specify that the old (pre-1.3.14) ping handling is to be used is used to specify that the old (pre-1.3.14) ping handling is to be used
(If the option is not set in your <filename (If the option is not set in your <filename class="directory">/etc/shorewall/</filename>shorewall.conf
class="directory">/etc/shorewall/</filename>shorewall.conf then then <varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don&#39;t
<varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don't plan on plan on supporting the old handling indefinitely so I urge current users
supporting the old handling indefinitely so I urge current users to to migrate to using the new handling as soon as possible. See the
migrate to using the new handling as soon as possible. See the 'Ping' &#39;Ping&#39; handling documentation for details.</para>
handling documentation for details.</para>
</section> </section>
<section> <section>
@ -675,7 +588,7 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
</section> </section>
<section> <section>
<title>Version &gt;= 1.3.9</title> <title>Version &#62;= 1.3.9</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -689,23 +602,22 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
</section> </section>
<section> <section>
<title>Version &gt;= 1.3.8</title> <title>Version &#62;= 1.3.8</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>If you have a pair of firewall systems configured for failover <para>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify your or if you have asymmetric routing, you will need to modify your
firewall setup slightly under Shorewall versions &gt;= 1.3.8. firewall setup slightly under Shorewall versions &#62;= 1.3.8.
Beginning with version 1.3.8, you must set Beginning with version 1.3.8, you must set <varname>NEWNOTSYN=Yes</varname>
<varname>NEWNOTSYN=Yes</varname> in your <filename in your <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
file.</para> file.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Version &gt;= 1.3.7</title> <title>Version &#62;= 1.3.7</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -713,14 +625,14 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
class="directory">/etc/</filename><filename>shorewall.conf</filename> class="directory">/etc/</filename><filename>shorewall.conf</filename>
will need to include the following rules in their <filename will need to include the following rules in their <filename
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename> class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
file (creating this file if necessary): <programlisting> file (creating this file if necessary):
<programlisting>
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</programlisting> Users having an <filename </programlisting> Users having an <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
file may remove the <command>./etc/shorewall/icmp.def</command> file may remove the <command>./etc/shorewall/icmp.def</command>
command from that file since the <filename>icmp.def</filename> file is command from that file since the <filename>icmp.def</filename> file is
now empty.</para> now empty.</para>
@ -729,37 +641,24 @@ run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</section> </section>
<section> <section>
<title>Upgrading Bering to Shorewall &gt;= 1.3.3</title> <title>Upgrading Bering to Shorewall &#62;= 1.3.3</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>To properly upgrade with Shorewall version 1.3.3 and later: <para>To properly upgrade with Shorewall version 1.3.3 and later:
<orderedlist numeration="arabic"> <orderedlist numeration="arabic"><listitem><para>Be sure you have a
<listitem> backup -- you will need to transcribe any Shorewall configuration
<para>Be sure you have a backup -- you will need to transcribe changes that you have made to the new configuration.</para></listitem><listitem><para>Replace
any Shorewall configuration changes that you have made to the the <filename>shorwall.lrp</filename> package provided on the Bering
new configuration.</para> floppy with the later one. If you did not obtain the later version
</listitem> from Jacques&#39;s site, see additional instructions below.</para></listitem><listitem><para>Edit
the <filename class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
<listitem> file and remove the <filename>/var/lib/shorewall</filename> entry if
<para>Replace the <filename>shorwall.lrp</filename> package present. Then do not forget to backup <filename>root.lrp</filename>!</para></listitem></orderedlist>
provided on the Bering floppy with the later one. If you did not The .lrp that I release isn&#39;t set up for a two-interface firewall
obtain the later version from Jacques's site, see additional like Jacques&#39;s. You need to follow the instructions for setting up
instructions below.</para> a two-interface firewall plus you also need to add the following two
</listitem> Bering-specific rules to <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>:
<listitem>
<para>Edit the <filename
class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
file and remove the <filename>/var/lib/shorewall</filename>
entry if present. Then do not forget to backup
<filename>root.lrp</filename>!</para>
</listitem>
</orderedlist> The .lrp that I release isn't set up for a
two-interface firewall like Jacques's. You need to follow the
instructions for setting up a two-interface firewall plus you also
need to add the following two Bering-specific rules to <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:
<programlisting> <programlisting>
# Bering specific rules: # Bering specific rules:
# allow loc to fw udp/53 for dnscache to work # allow loc to fw udp/53 for dnscache to work
@ -780,55 +679,41 @@ ACCEPT loc fw tcp 80
<para>If you have a pair of firewall systems configured for failover <para>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify your or if you have asymmetric routing, you will need to modify your
firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7 firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7
<orderedlist> <orderedlist><listitem><para>Create the file <filename
<listitem>
<para>Create the file <filename
class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename> class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename>
and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. --> and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. -->
<programlisting> <programlisting>
# So that the connection tracking table can be rebuilt # So that the connection tracking table can be rebuilt
# from non-SYN packets after takeover. # from non-SYN packets after takeover.
run_iptables -A newnotsyn -j RETURN run_iptables -A newnotsyn -j RETURN
</programlisting></para> </programlisting></para></listitem><listitem><para>Create <filename
</listitem>
<listitem>
<para>Create <filename
class="directory">/etc/shorewall/</filename><filename>common</filename> class="directory">/etc/shorewall/</filename><filename>common</filename>
(if you don't already have that file) and include the following: (if you don&#39;t already have that file) and include the following:
<programlisting> <programlisting>
#Accept Acks to rebuild connection tracking table. #Accept Acks to rebuild connection tracking table.
run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
./etc/shorewall/common.def ./etc/shorewall/common.def
</programlisting></para> </programlisting></para></listitem></orderedlist></para>
</listitem>
</orderedlist></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Versions &gt;= 1.3.5</title> <title>Versions &#62;= 1.3.5</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Some forms of pre-1.3.0 rules file syntax are no longer <para>Some forms of pre-1.3.0 rules file syntax are no longer
supported. <example label="1"> supported. <example label="1"><title></title><programlisting>
<title></title>
<programlisting>
ACCEPT net loc:192.168.1.12:22 tcp 11111 - all ACCEPT net loc:192.168.1.12:22 tcp 11111 - all
</programlisting> </programlisting></example> Must be replaced with:
</example> Must be replaced with: <programlisting>
DNAT net loc:192.168.1.12:22 tcp 11111
</programlisting> <example label="2">
<title></title>
<programlisting> <programlisting>
DNAT net loc:192.168.1.12:22 tcp 11111
</programlisting> <example label="2"><title></title><programlisting>
ACCEPT loc fw::3128 tcp 80 - all ACCEPT loc fw::3128 tcp 80 - all
</programlisting> </programlisting></example> Must be replaced with:
</example> Must be replaced with: <programlisting> <programlisting>
REDIRECT loc 3128 tcp 80 REDIRECT loc 3128 tcp 80
</programlisting></para> </programlisting></para>
</listitem> </listitem>
@ -836,7 +721,7 @@ REDIRECT loc 3128 tcp 80
</section> </section>
<section> <section>
<title>Version &gt;= 1.3.2</title> <title>Version &#62;= 1.3.2</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>