diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index 7faed0655..26a305f37 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -19,82 +19,134 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2005-07-17
+

2005-07-21

-
- -

07/17/2005 Security vulnerability in MACLIST processing

- +07/21/2005 Shorewall 2.4.2
+
+
Problems Corrected:
+
    +
  1. The /etc/shorewall/hosts file now includes information about +defining a zone using one or more ipsets.
  2. +
  3. A vulnerability involving MACLIST_TTL > 0 +or MACLIST_DISPOSITION=ACCEPT has been corrected.
  4. +
  5. It is now possible to specify !<address> in the SUBNET +column of /etc/shorewall/masq. Previously, it was necessary to write +0.0.0.0/0!<address>.
  6. +
  7. When <network1>!<network2> was specified in the +SUBNET column of /etc/shorewall/masq, IPSEC policies were not correctly +applied to the resulting rules. This usually resulted in IPSEC not +working through the interface specified in the INTERFACES column.
    +
  8. +
+New Features:
+
    +
  1. A 'loose' provider option has been added. If you wish to be able +to use marking to specify the gateway used by connections originating +on the firewall itself, the specify 'loose' for each provider. It has +bee reported that 'loose' may break the effect of 'track' so beware if +you need 'track' functionality (you shouldn't be originating many +connections from your firewall to the net anyway).
    +
    +To use 'loose', you also need to add two entries in /etc/shorewall/masq:
    +
       #INTERFACE           SUBNET          ADDRESS
    $IF_ISP1             $IP_ISP2        $IP_ISP1
    $IF_ISP2             $IP_ISP1        $IP_ISP2
    +where:
    +
            $IF_ISP1        is the interface to ISP 1.
    $IF_ISP2        is the interface to ISP 2.
    $IP_ISP1        is the IP address of $IF_ISP1
    $IP_ISP2        is the IP address of $IF_ISP2
    +
  2. +
  3. /sbin/shorewall now issues a warning each time that it finds that +startup is disabled.
  4. +
  5. A new COPY column has been added to the /etc/shorewall/providers +file. Normally, when a table name/number is given in the DUPLICATE +column, the entire table (less default routes) is copied. The COPY +column allows you to limit the routes copied to those that go through +an interface listed in COPY. For example, if you enter eth0 in +INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE then the new +table created will contain those routes through the interfaces eth0, +eth1 and eth2.
    +
  6. +
+ +
+

07/17/2005 Security vulnerability in +MACLIST processing

Description

-

-A security vulnerability has been discovered which affects all supported -stable versions of Shorewall.  This vulnerability enables a client +A security vulnerability has been discovered which affects all +supported +stable versions of Shorewall.  This vulnerability enables a client accepted by MAC address filtering to bypass any other rule.  If -MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set -to "ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and -MACLIST_DISPOSITION=REJECT), and a client is positively identified through +MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is +set +to "ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 +and +MACLIST_DISPOSITION=REJECT), and a client is positively identified +through its MAC address, it bypasses all other policies/rules in place, thus gaining access to all open services on the firewall.

-

Fix

-

Workaround

-

-For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT +For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  For Shorewall 2.0.x, set -MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  MACLIST +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  +MACLIST filtering is of limited value on Internet-connected hosts, and the Shorewall team recommends this approach to be used if possible.

-

Upgrade

-

-For Shorewall 2.4.x, a fixed version of the 'firewall' script is available at: -http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +For Shorewall 2.4.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and its mirrors, http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall and -http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall. +http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.

-

-For Shorewall 2.2.x, a fixed version of the 'firewall' script is available at: -http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +For Shorewall 2.2.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and its mirrors, http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall and -http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall. +http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.

-

-For Shorewall 2.0.x, a fixed version of the 'firewall' script is available at: +For Shorewall 2.0.x, a fixed version of the 'firewall' script is +available at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall +and its mirrors, http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and -http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall. +http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.

-

Users of any version before 2.0.17 are urged to upgrade to a supported version of Shorewall (preferably 2.4.1) before using the fixed -files.  Only the most recent version of the 2.0.x and 2.2.x +files.  Only the most recent version of the 2.0.x and 2.2.x streams will be supported by the development team, and the 1.x branches -are no longer maintained at all.  Future releases of Shorewall will +are no longer maintained at all.  Future releases of Shorewall +will include this fix.

-

This information was based on Patrick -Blitz's post to the Full Disclosure mailing list.  Thanks to -Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug. +Blitz's post to the Full Disclosure mailing list.  Thanks to +Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
+

+

Version Upgrade
+

+

The vulnerability is corrected in Shorewall 2.4.2.

-
07/13/2005 Shorewall 2.4.1

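Review bot: The new "Version Upgrade" subsection says the vulnerability is corrected in Shorewall 2.4.2, but the unchanged paragraph just above it still urges users to upgrade "preferably 2.4.1", and the 2.4.x errata link still points at shorewall-2.4.1/errata/firewall; the recommendation should now read 2.4.2 (the errata script stays correct for anyone remaining on 2.4.1). Two typos in the new 'loose' provider paragraph: "the specify 'loose'" should be "then specify 'loose'", and "It has bee reported" should be "been reported". Item 3 under "Problems Corrected" ("A vulnerability involving MACLIST_TTL > 0 or MACLIST_DISPOSITION=ACCEPT has been corrected") would be more useful with a link to the 07/17/2005 advisory that follows, so readers on 2.0.x and 2.2.x find the workaround and the errata scripts for their stream.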
@@ -124,7 +176,6 @@ configurations, be filtered by the 'maclist' option even though the 'dhcp' option was specified. This has been corrected.
- 06/05/2005 Shorewall 2.4.0

diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index 736275ab3..7e9b8f124 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -33,12 +33,12 @@ to 2.x releases of Shorewall. For older versions:

target="_top">here.

-

The current 2.4 Stable Release is 2.4.1 -- Here are the release +

The current 2.4 Stable Release is 2.4.2 -- Here are the release notes and here are the known + href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.2/known_problems.txt">known problems and updates.
+ href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.2/errata/">updates.

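Review bot: Only two hrefs change here, the "known problems" link (now .../shorewall-2.4.2/known_problems.txt) and the "updates" link (now .../shorewall-2.4.2/errata/), while the "release notes" link on the line "notes and here are the known" shows no change; confirm its href was bumped to 2.4.2 as well, since the sentence now announces 2.4.2 as the current stable release. Also check that the 2.4.2 errata/ directory exists on the server before this goes live, because the MACLIST advisory in News.htm still sends 2.4.x users to shorewall-2.4.1/errata/firewall.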
GNU Free Documentation License”.

-

2005-07-16

+

2005-07-21


Table of Contents

Introduction
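Review bot: Style point only: the date here moves from 2005-07-16 to 2005-07-21, matching the 2005-07-21 header change made to News.htm in the same commit, so the two pages stay in step. This hunk's @@ header is missing in the rendered diff, so verify it applies to the intended file before merging.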