Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled “GNU Free
Documentation License”.
Effectively today, Shorewall source code repository was migrated to Subversion SCM. Please read https://sourceforge.net/svn/?group_id=22587 for more information.2006-02-10 Shorewall 3.0.5
Problems corrected in Shorewall 3.0.5
1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
but not when Shorewall was restored.
2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
policy match patch and the Netfilter/IPSEC patches, previously an
entry in /etc/shorewall/tunnels was not sufficient in cases where:
a) gw<->gw traffic was encrypted
b) The gw<->gw policy through the tunnel was not ACCEPT
Thanks to Tuomo Soini, this has been corrected. By simply including the
remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
additional rules are required.
3) Extra blank output lines are no longer produced by install.sh (patch
courtesy of Tuomo Soini).
4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
rules file previously didn't work (they had the "--syn" parameter
added to them which resulted in a rule that no traffic would match).
WARNING: If you use the QUEUE target from an action, Shorewall will
still insert --syn if the protocol is tcp. So you don't want to
invoke such an action from the ESTABLISHED section of the rules
file.
5) The description of the SOURCE column in /etc/shorewall/rules has been
improved (patch courtesy of Ed Suominen).
6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
errors when executed while Shorewall is not started.
7) The spelling of "maximize-throughput" has been corrected in the code
that implements tcclasses parsing. Patch courtesy of Paul Traina.
8) Shorewall now generates the correct match for devices in
/etc/shorewall/tcdevices that are actually bridge ports.
New Features in Shorewall 3.0.5
1) The facilities available for dealing with the TOS field in
/etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
contain a comma-separates list of the following:
tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
- this lets you define a classifier
for the given <value>/<mask> combination
of the IP packet's TOS/Precedence/DiffSrv
octet (aka the TOS byte). Please note,
classifiers override all mark settings,
so if you define a classifer for a class,
all traffic having that mark will go in it
regardless of any mark set on the packet
by a firewall/mangle filter.
NOTE: multiple tos= statements may be
applied per class and per interface, but
a given value/mask pair is valid for only
ONE class per interface.
tos-<tosname> - aliases for the following TOS octet
value and mask encodings. TOS encodings
of the "TOS byte" have been deprecated in
favor of diffserve classes, but programs
like ssh, rlogin, and ftp still use them.
tos-minimize-delay 0x10/0x10
tos-maximize-throughput 0x08/0x08
tos-maximize-reliability 0x04/0x04
tos-minimize-cost 0x02/0x02
tos-normal-service 0x00/0x1e
tcp-ack - defined causes an tc filter to
be created that puts all tcp ack
packets on that interface that have
an size of <=64 Bytes to go in this
class. This is useful for speeding up
downloads. Please note that the size
of the ack packets is limited to 64
bytes as some applications (p2p for
example) use to make every packet an
ack packet which would cause them
all into here. We want only packets
WITHOUT payload to match, so the size
limit.
NOTE: This option is only valid for
ONE class per interface.
Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
these were tested using a mask of 0xff (example: tos-minimize-delay was
equivalent to 0x10/0xff). Now each bit is tested individually.
This enhancement is courtesy of Paul Traina.
2006-01-05 Shorewall 3.0.4Problems Corrected in 3.0.42005-12-13 Shorewall 3.0.3
1) The shorewall.conf file is once again "console friendly". Patch is
courtesy of Tuomo Soini.
2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
all traffic from a bridge port that was sent back out on the same port. If
the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
xenbr0:vif+), this could lead to traffic being passed in variance with the
supplied policies and rules.
3) Previously, an intra-zone policy of NONE would cause a startup error. That
problem has been corrected.
4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
add the retained aliases. This means that the following sequence of
events resulted in missing aliases:
shorewall start
shorewall restart
shorewall save
reboot
shorewall -f start (which is the default during boot up)
5) When a 2.x standard action is invoked with a log level (example
"AllowPing:info"), logging does not occur.
New Features in 3.0.4
1) By popular demand, the 'Limit' action described at
http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
action. Limit requires 'recent match' support in your kernel and iptables.
2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
change is reported to improve Java startup time on some distributions.
3) Shorewall now contains support for wildcard ports. In
/etc/shorewall/hosts, you may specify the port name with trailing "+" then
use specific port names in rules.
Example:
/etc/shorewall/hosts
vpn br0:tap+
/etc/shorewall/rules
DROP vpn:tap0 vpn:tap1 udp 9999
4) For the benefit of those who run Shorewall on distributions that don't
autoload kernel modules, /etc/shorewall/modules now contains load commands
for a wide range of Netfilter modules.
Problems Corrected in 3.0.3
1) The comments in the /etc/shorewall/shorewall.conf and
/etc/shorewall/hosts files have been changed to clarify when
BRIDGING=Yes is required when dealing with bridges.
2) Thanks to Tuomo Soini, formatting of the comments in the tcdevices
and tcclasses files has been cleaned up.
3) Specifying 'trace' on the 'safe-start' and 'safe-restart' command no
longer fails.
4) The output of "shorewall help restore" has been corrected. It previously
printed incorrect syntax for that command.
5) The README.txt file in the tarball was stale and contained incorrect
information. It has been corrected.
6) The shorewall.conf default setting of CLEAR_TC was previously "No". Given
that the default setting of TC_ENABLED is "Internal", the setting of
CLEAR_TC has been changed to the more appropriate value of "Yes".
7) Specifying an interface name in the SOURCE column of /etc/shorewall/tcrules
resulted in a startup error.
8) When the 'install.sh' script is used on Debian, it now creates
/var/log/shorewall-init.log. And if perl is installed on the system then
STARTUP_ENABLED=Yes is specified in shorewall.conf (the user must still
set startup=1 in /etc/default/shorewall).
New Features in 3.0.3
1) A "shorewall show macros" command has been added. This command displays a list of the standard macros along with a brief description of each. 2) The '-q' option is now supported with 'safe-start' and 'safe-restart'. 3) The value "-" is now allowed in the ADDRESS/SUBNET column of /etc/shorewall/blacklist. That value is equivalent to specifying 0.0.0.0/0 in that column. 4) The output of "shorewall show tc" and "shorewall show classifiers" is now included in the output from "shorewall dump". This will aid us in analyzing traffic shaping problems. 5) You can now specify 'none' in the COPY column of /etc/shorewall/providers to signal that you want Shorewall to only copy routes through the interface listed in the INTERFACE column. Note: This works on older versions of Shorewall as well. It is now documented. 6) An 'ipdecimal' command has been added to /sbin/shorewall. This command converts between dot-quad and decimal. Example: gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4 3232235780 gateway:/etc/openvpn# shorewall ipdecimal 3232235780 192.168.1.4 gateway:/etc/openvpn# 7) /etc/init.d/shorewall now supports a 'reload' command which is synonymous with the 'restart' command.
2005-12-12
Problems Corrected in 3.0.22005-11-18 Shorewall 3.0.1
1) A couple of typos in the one-interface sample configuration have
been corrected.
2) The 3.0.1 version of Shorewall was incompatible with old versions of
the Linux kernel (2.4.7 for example). The new code ignores errors
produced when Shorewall 3.x is run on these ancient kernels.
3) Arch Linux installation routines has been improved.
New Features in 3.0.2
1) A new Webmin macro has been added. This macro assumes that Webmin is
running on its default port (10000).
Problems Corrected in 3.0.1
1) If the previous firewall configuration included a policy other than ACCEPT in the nat, mangle or raw tables then Shorewall would not set the policy to ACCEPT. This could result in a ruleset that rejected or dropped all traffic. 2) The Makefile was broken such that 'make' didn't always work correctly. 3) If the SOURCE or DEST column in a macro body was non-empty and a dash ("-") appeared in the corresponding column of an invocation of that macro, then an invalid rule was generated. 4) The comments in the /etc/shorewall/blacklist file have been updated to clarify that the PORTS column refers to destination port number/service names. 5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the order of the rules generated was incorrect causing RELATED TCP connections to not have CLAMPMSS applied. New Features in 3.0.1 1) To make the macro facility more flexible, Shorewall now examines the contents of the SOURCE and DEST columns in both the macro body and in the invocation and tries to create the intended rule. If the value in the invocation appears to be an address (IP or MAC) or the name of an ipset, then it is placed after the value in the macro body. Otherwise, it is placed before the value in the macro body. Example 1: /etc/shorewall/macro.foo: PARAM - 192.168.1.5 tcp http /etc/shorewallrules: foo/ACCEPT net loc Effective rule: ACCEPT net loc:192.168.1.5 tcp http Example 2: /etc/shorewall/macro.bar: PARAM net loc tcp http /etc/shorewall/rules: bar/ACCEPT - 192.168.1.5 Effective rule: ACCEPT net loc:192.168.1.5 tcp http
New Features in Shorewall 3.0.010/31/2005 Shorewall 2.4.6
1) Error and warning messages are made easier to spot by using
capitalization (e.g., ERROR: and WARNING:).
2) A new option 'critical' has been added to
/etc/shorewall/routestopped. This option can be used to enable
communication with a host or set of hosts during the entire
"shorewall [re]start/stop" process. Listing a host with this option
differs from listing it without the option in several ways:
a) The option only affect traffic between the listed host(s) and the
firewall itself.
b) If there are any entries with 'critical', the firewall
will be completely opened briefly during start, restart and stop but
there will be no chance of any packets to/from the listed host(s)
being dropped or rejected.
Possible uses for this option are:
a) Root file system is NFS mounted. You will want to list the NFS server
in the 'critical' option.
b) You are running Shorewall in a Crossbeam environment
(www.crossbeam.com). You will want to list the Crossbeam interface
in this option
3) A new 'macro' feature has been added.
Macros are very similar to actions and can be used in similar
ways. The differences between actions and macros are as follows:
a) An action creates a separate chain with the same name as the
action (when logging is specified on the invocation of an action,
a chain beginning with "%" followed by the name of the action and
possibly followed by a number is created). When a macro is
invoked, it is expanded in-line and no new chain is created.
b) An action may be specified as the default action for a policy;
macros cannot be specified this way.
c) Actions must be listed in either /usr/share/shorewall/actions.std
or in /etc/shorewall/actions. Macros are defined simply by
placing their definition file in the CONFIG_PATH.
d) Actions are defined in a file with a name beginning with
"action." and followed by the name of the action. Macro files are
defined in a file with a name beginning with "macro.".
e) Actions may invoke other actions. Macros may not directly invoke
other macros although they may invoke other macros indirectly
through an action.
f) DNAT[-] and REDIRECT[-] rules may not appear in an action. They
are allowed in a macro with the restriction that the a macro
containing one of these rules may not be invoked from an action.
g) The values specified in the various columns when you invoke a
macro are substituted in the corresponding column in each rule in
the macro. The first three columns get special treatment:
ACTION If you code PARAM as the action in a macro then
when you invoke the macro, you can include the
name of the macro followed by a slash ("/") and
an ACTION (either built-in or user-defined. All
instances of PARAM in the body of the macro will be
replaced with the ACTION.
Any logging applied when the macro is invoked is
applied following the same rules as for actions.
SOURCE and
DEST If the rule in the macro file specifies a value and
the invocation of the rule also specifies a value then
the value in the invocation is appended to the value
in the rule using ":" as a separator.
Example:
/etc/shorewall/macro.SMTP
PARAM - loc tcp 25
/etc/shorewall/rules:
SMTP/DNAT:info net 192.168.1.5
Would be equivalent to the following in the rules file:
DNAT:info net loc:192.168.1.5 tcp 25
Rest Any value in the invocation replaces the value in the
rule in the macro.
One additional restriction applies to the mixing of macros and
actions. Macros that are invoked from actions cannot themselves
invoke other actions.
4) If you have 'make' installed on your firewall, then when you use
the '-f' option to 'shorewall start' (as happens when you reboot),
if your /etc/shorewall/ directory contains files that were modified
after Shorewall was last restarted then Shorewall is started using
the config files rather than using the saved configuration.
5) The 'arp_ignore' option has been added to /etc/shorewall/interfaces
entries. This option sets
/proc/sys/net/ipv4/conf/<interface>/arp_ignore. By default, the
option sets the value to 1. You can also write arp_ignore=<value>
where value is one of the following:
1 - reply only if the target IP address is local address
configured on the incoming interface
2 - reply only if the target IP address is local address
configured on the incoming interface and both with the sender's
IP address are part from same subnet on this interface
3 - do not reply for local addresses configured with scope
host, only resolutions for global and link addresses are
replied
4-7 - reserved
8 - do not reply for all local addresses
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP.
6) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works
like "all" but also includes intrazone traffic. So the rule:
ACCEPT loc all+ tcp 22
would allow SSH traffic from loc->loc whereas
ACCEPT loc all tcp 22
does not.
7) A new FASTACCEPT option has been added to shorewall.conf.
Normally, Shorewall defers accepting ESTABLISHED/RELATED packets
until these packets reach the chain in which the original connection
was accepted. So for packets going from the 'loc' zone to the 'net'
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
chain.
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
RELATED sections of /etc/shorewall/rules.
8) Shorewall now generates an error if the 'norfc1918' option is
specified for an interface with an RFC 1918 address.
9) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect.
Example 1 (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 net tcp 80
That rule would allow loc->net HTTP access except for the local
networks 192.168.1.0/24 and 10.0.0.0/8.
Example 2 (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:10.0.0.0/24!10.0.0.4,10.0.0.22 \
net tcp 80
That rule would allow loc->net HTTP access from the local
network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.
10) Tunnel types "openvpnserver" and "openvpnclient" have been added
to reflect the introduction of client and server OpenVPN
configurations in OpenVPN 2.0.
11) The COMMAND variable is now set to 'restore' in restore
scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts.
12) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presence of
intra-zone rules. That policy can still be overridden by an
explicit policy in your /etc/shorewall/policy file.
Example:
/etc/shorewall/rules:
DNAT loc:!192.168.1.4 loc:192.168.1.4:3128 tcp 80
Any other loc->loc traffic will still be accepted. If you want to
also log that other loc->loc traffic at the info log level then
insert this into /etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL
loc loc ACCEPT info
13) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and
RELATED states.
The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with
the keyword SECTION followed by the section name. Sections
are as listed below and must appear in the order shown.
ESTABLISHED
Rules in this section apply to packets in the ESTABLISHED
state.
RELATED
Rules in this section apply to packets in the RELATED state.
NEW
Rules in this section apply to packets in the NEW and INVALID
states.
Rules in the ESTABLISHED and RELATED sections are limited to the
following ACTIONs:
ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
Macros may be used in these sections provided that they expand to
only these ACTIONs.
At the end of the ESTABLISHED and RELATED sections, there is an
implicit "ALLOW all all all" rule.
RESTRICTION: If you specify FASTACCEPT=Yes in
/etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
sections must be empty.
14) The value 'ipp2p' is once again allowed in the PROTO column of
the rules file. It is recommended that rules specifying 'ipp2p'
only be included in the ESTABLISHED section of the file.
15) Shorewall actions lack a generalized way to pass parameters to an
extension script associated with an action. To work around this
lack, some users have used the log tag as a parameter. This works
but requires that a log level other than 'none' be specified when
the action is invoked. Beginning with this release, you can invoke
an action with 'none'.
Example:
#ACTION SOURCE DEST
A:none:these,are,parameters $FW net
When /etc/shorewall/A is invoked, the LEVEL variable will be empty
but the TAG variable will contain "these,are,parameters" which
can be easily parsed to isolate "these", "are" and "parameters":
ifs=$IFS
IFS=,
set -- $TAG
IFS=$ifs
Now, $1 = these, $2 = are and $3 = parameters
16) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/nat and /etc/shorewall/providers files.
17) Arne Bernin's "tc4shorewall" package has been integrated into
Shorewall.
See: http://www.shorewall.net/3.0/traffic_shaping.htm for details.
Thanks, Arne!
18) When /usr/share/shorewall/functions is loaded it now sets
SHOREWALL_LIBRARY=Loaded
Application code such as /etc/shorewall/tcstart may test that
variable to determine if the library has been loaded into the
current shell process.
19) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
20) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.
21) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".
22) The "plain" zone type has been replaced by "ipv4". The types
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
23) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts. See the Migration Considerations for
instructions if you wish to block "new-not-syn" TCP packets.
24) The "shorewall show zones" command now displays the zone type. You
must have restarted Shorewall using this release before this feature
will work correctly.
25) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This is done to ensure that "shorewall refresh" will
work correctly.
26) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
keyword in the PROTOCOL column of the relevant files, the following
values may be specified:
ipp2p:tcp Equivalent to ipp2p and matches TCP traffic
only.
ipp2p:udp Matches UDP traffic.
ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL.
27) Normally MAC verification triggered by the 'maclist' interface and host
options is done out of the INPUT and FORWARD chains of the filter table.
Users have reported that under some circumstances, MAC verification is
failing for forwarded packets when the packets are being forwarded out
of a bridge.
To work around this problem, a MACLIST_TABLE option has been added to
shorewall.conf. The default value is MACLIST_TABLE=filter which results
in the current behavior. If MACLIST_TABLE=mangle then filtering will
take place out of the PREROUTING chain of the mangle table. Because
the REJECT target may not be used in the PREROUTING chain, the settings
MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.
28) The sample configurations are now packaged with the product. They are
in the Samples directory on the tarball and are in the RPM they are
in the Samples sub-directory of the Shorewall documentation
directory.