From 704947a1c4b2567ff1d8da6239521fe2ad425e93 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Sat, 13 Feb 2016 19:04:07 +0200
Subject: [PATCH 1/4] Accounting: update to new config headers and update to ?SECTION
Signed-off-by: Tuomo Soini
---
 docs/Accounting.xml | 70 +++++++++++++++++++++------------------------
 1 file changed, 33 insertions(+), 37 deletions(-)
diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index fd33dd011..1dd987f69 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -74,20 +74,18 @@ have a web server in your DMZ connected to eth1, then to count HTTP traffic in both directions requires two rules:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- DONE - eth0 eth1 tcp 80
- DONE - eth1 eth0 tcp - 80
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ DONE - eth0 eth1 tcp 80
+ DONE - eth1 eth0 tcp - 80 Associating a counter with a chain allows for nice reporting. For example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web:COUNT - eth0 eth1 tcp 80
- web:COUNT - eth1 eth0 tcp - 80
- web:COUNT - eth0 eth1 tcp 443
- web:COUNT - eth1 eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web:COUNT - eth0 eth1 tcp 80
+ web:COUNT - eth1 eth0 tcp - 80
+ web:COUNT - eth0 eth1 tcp 443
+ web:COUNT - eth1 eth0 tcp - 443
 DONE web Now shorewall show web (or
@@ -110,12 +108,11 @@ Here is a slightly different example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web - eth0 eth1 tcp 80
- web - eth1 eth0 tcp - 80
- web - eth0 eth1 tcp 443
- web - eth1 eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web - eth0 eth1 tcp 80
+ web - eth1 eth0 tcp - 80
+ web - eth0 eth1 tcp 443
+ web - eth1 eth0 tcp - 443
 COUNT web eth0 eth1
 COUNT web eth1 eth0
@@ -152,12 +149,11 @@ you have to reverse the rules below.
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web - eth0 - tcp 80
- web - - eth0 tcp - 80
- web - eth0 - tcp 443
- web - - eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web - eth0 - tcp 80
+ web - - eth0 tcp - 80
+ web - eth0 - tcp 443
+ web - - eth0 tcp - 443
 COUNT web eth0
 COUNT web - eth0
@@ -309,7 +305,7 @@ Section headers have the form: - + section-name When sections are enabled:
@@ -414,19 +410,19 @@ lives on the firewall itself.
- #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
-# PORT(S) PORT(S) GROUP
-SECTION INPUT
-ACCOUNT(fw-net,$FW_NET) - COM_IF
-ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
+
+#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+?SECTION INPUT
+ACCOUNT(fw-net,$FW_NET) - COM_IF
+ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
-SECTION OUTPUT
-ACCOUNT(fw-net,$FW_NET) - - COM_IF
-ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
+?SECTION OUTPUT
+ACCOUNT(fw-net,$FW_NET) - - COM_IF
+ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
-SECTION FORWARD
-ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
-ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
+?SECTION FORWARD
+ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
+ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
@@ -504,9 +500,9 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF is eth1 with network 172.20.1.0/24. To account for all traffic between the WAN and LAN interfaces:
- #ACTION CHAIN SOURCE DEST ...
-ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
-ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
+ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0 This will create a net-loc table for counting packets and bytes for traffic between the two
From 5230eb3b65a959f62859be53a6dedb8a1d48aa67 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Sun, 14 Feb 2016 18:31:44 +0200
Subject: [PATCH 2/4] FAQ: convert to new header format and update blacklist entry to use blrules
Signed-off-by: Tuomo Soini
---
 docs/FAQ.xml | 216 +++++++++++++++++++++++++++++++--------------------
 1 file changed, 131 insertions(+), 85 deletions(-)
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 6f8e465b4..d311b462d 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -207,28 +207,26 @@ port-forwarding rule from the net to a local system is as follows:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
 DNAT net loc:local-IP-address[:local-port] protocol port-number So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
 DNAT net loc:192.168.1.5 udp 7777 If you want to forward requests directed to a particular address ( external-IP ) on your firewall to an internal system:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
 DNAT net loc:local-IP-address>[:local-port] protocol port-number - external-IP If you want to forward requests from a particular Internet address ( address ):
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
 DNAT net:address loc:local-IP-address[:local-port] protocol port-number - Finally, if you need to forward a range of ports, in the DEST PORT
@@ -386,7 +384,7 @@ DNAT net:address loc:local-IP-addressAnswer:In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
 DNAT net loc:192.168.1.3:22 tcp 1022
@@ -448,8 +446,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104
- You have this rule on the Shorewall system:#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ You have this rule on the Shorewall system:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
 DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176
@@ -494,8 +491,8 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1 default gateway on the FTP server to the Shorewall system's internal IP address (192.168.1.1). But if that isn't possible, you can work around the problem with the following ugly hack in
- /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS PROTO PORT
-eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21
+ /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS PROTO PORT
+eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21 This rule has the undesirable side effect of making all FTP connections from the net appear to the FTP server as if they
@@ -514,17 +511,25 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21net and connects on interface eth0:
- In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176
+ In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176 In /etc/shorewall/interfaces, specify the routeback option on
- eth0:#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect routeback
+ eth0:?FORMAT 2
+#ZONE INTERFACE OPTIONS
+net eth0 routeback
- /etc/shorewall/masq;#INTERFACE SOURCE ADDRESS PROTO PORT
-eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993
+ /etc/shorewall/masq;#INTERFACE SOURCE ADDRESS PROTO PORT
+eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993 and in /etc/shorewall/shorewall.conf:
@@ -542,9 +547,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993Answer: Use this rule.
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
-REDIRECT net 22 tcp 9022
+ #ACTION SOURCE DEST PROTO DPORT
+REDIRECT net 22 tcp 9022 Note that the above rule will also allow connections from the net on TCP port 22. If you don't want that, see Example:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT net net:192.168.4.22 tcp 80,443 - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+DNAT net net:192.168.4.22 tcp 80,443 - 206.124.146.178
@@ -704,14 +707,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - < In /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-loc eth1 detect routeback
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+loc eth1 routeback In /etc/shorewall/masq:
- #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+ #INTERFACE SOURCE ADDRESS PROTO PORT
 eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www Note: The technique described here is known as
@@ -721,16 +725,23 @@ loc eth1 detect routeback external IP address be used as the source:
- #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+ #INTERFACE SOURCE ADDRESS PROTO PORT
 eth1:192.168.1.5 192.168.1.0/24 130.151.100.69 tcp www In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69 That rule (and the second one in the previous bullet) only works of course if you have a static external IP address. If you
@@ -741,9 +752,16 @@ eth1:192.168.1.5 192.168.1.0/24 130.151.100.69and make your DNAT rule:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc loc:192.168.1.5 tcp www - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP Using this technique, you will want to configure your
@@ -825,14 +843,14 @@ DNAT loc loc:192.168.1.5 tcp www - In /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-dmz eth2 192.168.2.255 routeback
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+dmz eth2 routeback In /etc/shorewall/masq:
- #INTERFACE: SOURCE ADDRESS
-#ADDRESS
-eth2:192.168.1.2 192.168.2.0/24
+ #INTERFACE SOURCE
+eth2:192.168.1.2 192.168.2.0/24 In /etc/shorewall/nat, be sure that you have Yes in the ALL INTERFACES column.
@@ -862,9 +880,16 @@ eth2:192.168.1.2 192.168.2.0/24 You can enable access to the server from your local network using the firewall's external IP address by adding this rule:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT DEST
-DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 If your external IP address is dynamic, then you must do the following:
@@ -875,9 +900,16 @@ eth2:192.168.1.2 192.168.2.0/24 and make your DNAT rule:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc dmz:192.168.2.4 tcp 80 - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP
@@ -1433,16 +1465,23 @@ net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177Answer: Temporarily add the following rule:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-DROP net fw udp 10619
+ #ACTION SOURCE DEST PROTO DPORT
- Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have
- specifed the 'blacklist' option on your external interface in
- /etc/shorewall/interfaces, then you can blacklist
- the port. In /etc/shorewall/blacklist:
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
- #ADDRESS/SUBNET PROTOCOL PORT
-- udp 10619
+DROP net $FW udp 10619
+
+ Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
+ the port. In /etc/shorewall/blrules:
+
+ #ACTION SOURCE DEST PROTO DPORT
+
+DROP net $FW udp 10619
@@ -2361,12 +2400,11 @@ gateway:~# Answer: Suppose that you want all traffic to go out through ISP1 (mark 1) unless you specify otherwise. Then simply add these two rules as the first marking rules in your
- /etc/shorewall/mangle
- (/etc/shorewall/tcrules) file:
+ /etc/shorewall/mangle (was tcrules) file:
- #ACTION SOURCE DEST
-1:P 0.0.0.0/0
-1 $FW
+ #ACTION SOURCE DEST
+MARK(1):P 0.0.0.0/0
+MARK(1) $FW other MARK rules Now any traffic that isn't marked by one of your other MARK rules
@@ -2449,8 +2487,8 @@ root@gateway:~# at 10-12kb and adjust as necessary. Example (simple traffic shaping):
- #INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
-eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
+eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:10kb
@@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall# Example from /etc/shorewall/tcdevices:
- #NUMBER: IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
-#INTERFACE
+ #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
 1:COMB_IF ~20mbit:250ms:4sec ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0 To create a rate-estimated filter, precede the bandwidth with a
@@ -2674,9 +2711,17 @@ VS3=fw:192.168.2.14 /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT $VS1 net tcp 25
-DNAT net $VS1 tcp 25
+ #ACTION SOURCE DEST PROTO DPORT
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+ACCEPT $VS1 net tcp 25
+DNAT net $VS1 tcp 25 etc...
@@ -2925,7 +2970,7 @@ else
(FAQ 26) When I try to use any of the SYN options in nmap on or behind the firewall, I get <quote>operation not permitted</quote>. How
- can I use nmap with Shorewall?"
+ can I use nmap with Shorewall? Answer: Temporarily remove any rejNotSyn,
- #ACTION SOURCE DEST PROTO
-REJECT fw net:pagead2.googlesyndication.com all
+ #ACTION SOURCE DEST PROTO
+REJECT fw net:pagead2.googlesyndication.com all However, this also sometimes restricts access to "google.com". Why is that? Using dig, I found these IPs for domain
@@ -2992,9 +3037,9 @@ REJECT fw net:pagead2.googlesyndication.com all
- #ACTION SOURCE DEST PROTO
-REJECT fw net:216.239.37.99 all
-REJECT fw net:216.239.39.99 allGiven that
+ #ACTION SOURCE DEST PROTO
+REJECT $FW net:216.239.37.99 all
+REJECT $FW net:216.239.39.99 allGiven that name-based multiple hosting is a common practice (another example: lists.shorewall.net and www1.shorewall.net are both hosted on the same system with a single IP address), it is not possible to filter
@@ -3079,10 +3124,9 @@ gateway:~# Answer: Add these two policies:
- #SOURCE DESTINATION POLICY LOG LIMIT:BURST
-# LEVEL
-$FW loc ACCEPT
-loc $FW ACCEPT
+ #SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
+$FW loc ACCEPT
+loc $FW ACCEPT You should also delete any ACCEPT rules from $FW->loc and loc->$FW since those rules are redundant with the above
@@ -3121,16 +3165,16 @@ loc $FW ACCEPT /etc/shorewall/masq:
- #INTERFACE SOURCE ADDRESS
+ #INTERFACE SOURCE ADDRESS
 COMMENT DSL Modem
-EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
+EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254 /etc/shorewall/proxyarp:
- #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+ #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
 172.20.1.2 EXT_IF INT_IF no yes
@@ -3159,11 +3203,11 @@ EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254 Your entry in /etc/shorewall/masq would then be:
- #INTERFACE SOURCE ADDRESS
+ #INTERFACE SOURCE ADDRESS
-COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
+COMMENT DSL Modem
-EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
+EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@@ -3192,8 +3236,9 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 default name for the firewall zone is fw:
- #ZONE TYPE OPTIONS
-fw firewall
+ #ZONE TYPE OPTIONS
+
+fw firewall So, using the default or sample configurations, writing $FW is the same as writing $FW would be the same as writing gate.
- #ZONE TYPE OPTIONS
-gate firewall
+ #ZONE TYPE OPTIONS
+
+gate firewall
Why was that done?
From b4ca4b52fe79e449c250fa87a71addbbe1ab41f9 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Sun, 14 Feb 2016 21:53:13 +0200
Subject: [PATCH 3/4] upgrade_issues: fix one typoed "section" and use new header for one sample
Signed-off-by: Tuomo Soini
---
 docs/upgrade_issues.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index 3ecb05bd0..d5ffa2f74 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -92,7 +92,7 @@
- Beginning with Shorewall 4.6.0, ection headers are now preceded
+ Beginning with Shorewall 4.6.0, section headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare 'SECTION' entries, the following warning is issued:
@@ -1139,8 +1139,7 @@ shorewall restart The RPMs are set up so that if Example:
- #SOURCE DEST POLICY LOG
-# LEVEL
+ #SOURCE DEST POLICY LOGLEVEL
 loc net ACCEPT
 net all DROP:MyDrop info #
From fcf435bc16b1d4da01a04da2bf1fdd991ae2bde1 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Sun, 14 Feb 2016 22:13:55 +0200
Subject: [PATCH 4/4] Audit: use new headers
Signed-off-by: Tuomo Soini
---
 docs/Audit.xml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/docs/Audit.xml b/docs/Audit.xml
index 2eac40e46..59c3d9b98 100644
--- a/docs/Audit.xml
+++ b/docs/Audit.xml
@@ -139,9 +139,8 @@ Example:
- #SOURCE DEST POLICY LOG
-# LEVEL
-net fw DROP:audit
+ #SOURCE DEST POLICY
+net $FW DROP:audit It is allowed to also specify a log level on audited policies resulting in both auditing and logging.
@@ -170,8 +169,8 @@ net fw DROP:audit Example:
- #ACTION SOURCE DEST PROTO
-A_ACCEPT:info loc net ...
+ #ACTION SOURCE DEST PROTO
+A_ACCEPT:info loc net ...
@@ -330,12 +329,12 @@ A_ACCEPT:info loc net ... The parameters can be passed in the POLICY column of the policy file.
- SOURCE DEST POLICY
-net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
+ #SOURCE DEST POLICY
+net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
- SOURCE DEST POLICY
-net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
+ #SOURCE DEST POLICY
+net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth The parameters can also be specified in shorewall.conf: