Copyright © 2001-2009 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
January 06, 2009
2009-01-06 Winner of the Shorewall Logo Design Competition Announced
The Shorewall developers are pleased to announce that after deliberatingSee
http://trac.shorewall.net/wiki/LogoDesignCompetition for details.
2008-12-31 Shorewall 4.2.4
1) In 4.2.4, two new packages are included:
a) Shorewall6 - analagous to Shorewall-common but handles IPv6
rather than IPv4.
b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
rather than IPv4.
The packages store their configurations in /etc/shorewall6/ and
/etc/shorewall6-lite/ respectively.
The fact that the packages are separate from their IPv4 counterparts
means that you control IPv4 and IPv6 traffic separately (the same
way that Netfilter does). Starting/Stopping the firewall for one
address family has no effect on the other address family.
For additional information, see
http://www.shorewall.net/IPV6Support.html.
Other features of Shorewall6 are:
a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 64-bit prefix allows 4 billion squared individual hosts
(the size of the current IPv4 address space squared).
b) The default zone type is ipv6.
c) The currently-supported interface options in Shorewall6 are:
blacklist
bridge
dhcp
nosmurfs (traps multicast and Subnet-router anycast addresses
used as the packet source address).
optional
routeback
sourceroute
tcpflags
mss
forward (setting it to 0 makes the router behave like a host
on that interface rather than like a router).
d) The currently-supported host options in Shorewall6 are:
blacklist
routeback
tcpflags
e) Traffic Shaping is disabled by default. The tcdevices and
tcclasses files are address-family independent so
to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
should be specified in Shorewall or in Shorewall6 but not in
both. In the configuration where the internal traffic shaper is
not enabled, CLEAR_TC=No should be specified.
tcfilters are not available in Shorewall6.
f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
angle brackets. Example:
#ACTION SOURCE DEST
ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz
Note that this includes MAC addresses as well as IPv6 addresses.
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
#ZONE HOSTS OPTIONS
chat6 eth0:<2001:19f0:feee::dead:beef:cafe>
Even when an interface is not specified, it is permitted to
enclose addresses in <> to improve readability. Example:
#ACTION SOURCE DEST
ACCEPT net:<2001:1::1> $FW
g) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.
h) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$
2008-12-16 Shorewall 4.2.3
Problems corrected in Shorewall 4.2.3
1) Previously, Shorewall would allow compilation for export of a
script named 'shorewall' with the unfortunate side effect that
the 'shorewall.conf' file was overwritten. Scripts named
'shorewall' now cause a fatal error to be raised.
2) Previously, Shorewall-perl attempted to do Shell variable
substitution on the first line in /etc/shorewall/compile.
3) Following the Netfilter tradition, the IPP2P maintainer has made an
incompatible syntax change (the --ipp2p option has been
removed). Shorewall has always used "-m ipp2p --ipp2p" when
detecting the presence of IPP2P support.
Shorewall-common and Shorewall-perl have been modified to use
"-m ipp2p --edk" instead.
4) When Extended Conntrack Match support was available, Shorewall-perl
would create invalid iptables-restore input for certain DNAT rules.
5) An optimization in all Shorewall-perl 4.2 versions could cause
undesirable side effects. The optimization deleted the
<interface>_in and <interface>_fwd chains and moved their rules
to the appropriate rules chain (a <zone>2<xxx> chain).
This worked badly in cases where a zone was associated with more
than one interface. Rules could be duplicated or, worse, a rule
that was intended for only input from one of the interfaces would
be applied to input from all of the zone's interfaces.
This problem has been corrected so that an interface-related
chains is only deleted if:
a) the chain has no rules in it; or
b) the interface is associated with only one zone and that zone is
associated with only that interface in which case it is safe to
move the rules.
Other changes in Shorewall 4.2.3
1) Except with the -e option is specified, the Shorewall-perl compiler
now verifies user/group names appearing in the USER/GROUP column of
the rules file.
2) The output of 'shorewall dump' now includes the output from
'netstat -tunap'.
3) Shorewall-perl now accepts '+' as an interface name in
/etc/shorewall/interfaces. That name matches any interface and is
useful for defining a zone that will match any interface that might
be added after Shorewall is started.
A couple of words of caution are in order.
a) Because '+' matches any interface name, Shorewall cannot
verify interface names appearing in other files when '+' is
defined in /etc/shorewall/interfaces.
b) The zone assigned to '+' must be the last one defined in
/etc/shorewall/zones.
4) Shorewall-perl now uses the iptables --goto parameter in obvious
cases.
5) The 'reset' command now allows you to reset the packet and byte
counter on individual chains:
shorewall reset chain1 chain2 ...
shorewall-lite reset chain1 chain2 ...
2008-11-20 Shorewall 4.2.2
Problems corrected in Shorewall 4.2.2
1) Shorewall-perl now insures that each line copied from a
configuration file or user exit is terminated with a newline
character.
2) When ipranges were used to define zones, Shorewall-perl could
generate invalid iptables-restore input if 'Repeat Match' was not
available. Repeat Match is not a true match -- it rather is a
feature of recent iptables releases that allows a match to be
repeated within a rule.
3) With Shorewall-perl, if a destination port list had exactly 16
ports, where a port-range counts as two ports, then Shorewall-perl
would fail to split the rule into multiple rules and an
iptables-restore error would result.
4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1
compatibility contained a typo that prevented it from working
correctly.
5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
address and no zone name in the DEST column, Shorewall-perl would
reject the rule. If a zone name was specified, Shorewall-perl
would issue a Warning message.
6) Previously, if Extended conntrack match support was available, a
DNAT rule that specified a server port but no destination port
would generate invalid iptables-restore input.
Other changes in Shorewall 4.2.2
1) A macro supporting JAP (anonymization protocol) has been added.
It can be used as any other macro (e.g., JAP/ACCEPT) in the rules
file.
2) A macro supporting DAAP (Digital Audio Access Protocol) has been added.
It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules
file.
3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been
added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the
rules file.
4) A macro supporting GNUnet (secure peer-to-peer networking) has been
added. It can be used as any other macro (e.g., GNUnet/ACCEPT) in the
rules file.
5) In 4.2.1, a single capability ("Extended conntrack match support")
was used both to control the use of --ctorigport and to trigger use
of the new syntax for inversion of --ctorigdst (e.g., "!
--ctorigdst ..."). In 4.2.2, these are controlled by two separate
capabilities. If you use a capabilities file when compiling your
configuration, be sure to generate a new one after installing
4.2.2.
2008-10-25 Shorewall 4.2.1
Problems corrected in Shorewall 4.2.1
1) A description of the CONNBYTES column has been added to
shorewall-tcrules(5).
2) Previously, Shorewall-perl would accept zero as the <max> value in
the CONNBYTES column of tcrules even when the <min> field was
non-zero. A value of zero for <max> was equivalent to omitting
<max>.
3) iptables 1.4.1 discontinued support of syntax generated by
shorewall in some cases. Shorewall now detects when the new syntax
is required and uses it instead.
4) The Shorewall-perl implementation of the LENGTH column in
/etc/shorewall/tcrules was incomplete with the result that
all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.
5) The 'export' command no longer fails with the error:
/sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")
Other changes in Shorewall 4.2.1
1) With the recent renewed interest in DOS attacks, it seems
appropriate to have connection limiting support in Shorewall. To
that end, a CONNLIMIT column has been added to both the policy and
rules files.
The content of these columns is of the format
[!] <limit>[:<mask>]
where
<limit> is the limit on simultaneous TCP connections.
<mask> specifies the size of the network to which
the limit applies and is specified as a
CIDR mask length. The default value for
<mask> is 32 which means that each remote
IP address can have <limit> TCP connections
active at once.
! Not allowed in the policy file. In the rules file, it
causes connections to match when the number of
current connections exceeds <limit>.
When specified in the policy file, the limit is enforced on all
connections that are subject to the given policy (just like
LIMIT:BURST). The limit is checked on new connections before the
connection is passed through the rules in the NEW section of the
rules file.
It is important to note that while the limit is only checked for
those destinations specified in the DEST column, the number of
current connections is calculated over all destinations and not
just the destination specified in the DEST column.
Use of this feature requires the connlimit match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
2) Shorewall now supports time/date restrictions on entries in the
rules file via a new TIME column.
The contents of this column is a series of one or more "time
elements" separated by apersands ("&"). Possible time elements are:
utc Times are expressed in Greenwich Mean Time.
localtz Times are expressed in local civil time (default)
timestart=hh:mm[:ss]
timestop=hh:mm[:ss] Start and stop time of day for rule
weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
Sun
monthdays=dd[,dd]... where dd is an ordinal day of the month.
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
where yyyy = Year
first mm = Month
dd = Day
hh = Hour
2nd mm = Minute
ss = Second
Examples:
1) utc×tart=10:00×top=12:00
Between 10am and 12 noon each day, GMT
2) datestart=2008-11-01T12:00
Beginning November 1, 2008 at noon LCT.
Use of this feature requires the time match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
2006-10-05 Shorewall 4.2.0
Release Highlights.
1) Support is included for multiple internet providers through the same
ethernet interface.
2) Support for NFLOG has been added.
3) Enhanced operational logging.
4) The tarball installers now work under Cygwin.
5) Shorewall-perl now supports IFB devices which allow traffic shaping of
incoming traffic.
6) Shorewall-perl supports definition of u32 traffic classification
filters.
2008-03-29 Shorewall 4.0.10
Problems corrected in Shorewall-perl 4.0.10.
1) Shorewall-perl 4.0.9 erroneously reported an error message when a
bridge port was defined in /etc/shorewall/interfaces:
ERROR: Your iptables is not recent enough to support bridge ports
2) Under Shorewall-perl, if an empty action was invoked or was named
in one of the DEFAULT_xxx options in shorewall.conf, an
iptables-restore error occured.
3) If $ADMIN was empty, then the rule:
ACCEPT loc:$ADMIN all
became
ACCEPT loc net
It is now flagged as an error.
4) Previously, Shorewall-perl would reject an IP address range in the
ecn and routestopped files.
5) A POLICY of ":" in /etc/shorewall/policy would produce Perl
run-time errors.
6) An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl
run-time errors.
7) A MARK of ":" in /etc/shorewall/tcrules would produce Perl
run-time errors.
Problems corrected in Shorewall-shell 4.0.10.
1) Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in
a fatal error at compile time.
Known Problems Remaining.
1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.
Other changes in 4.0.10.
1) The Sample configurations have been updated to set
LOG_MARTIANS=keep. In 4.2, this will be changed to
LOG_MARTIANS=Yes.
2) Shorewall-perl now generates a fatal error if a non-existant shell
variable is used in any configuration file (except
/etc/shorewall/params).
3) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
port 1701 in both directions and assumes that the source port will
also be 1701. Some implementations (particularly OS X) use a
different source port. In that case, you should use
'generic:udp:1701' rather than 'l2tp'.
2008-03-01 Shorewall 3.4.8
1) Shorewall now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindins were not
removed with the result that the ipsets could not be destroyed.
2) When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when
marking in the PREROUTING or OUTPUT chains. When a rule specified a
mark value > 255, the compiler was using the '--or-mark' operator
rather than the '--set-mark' operator with the result that when a
packet matched more than one rule, the resulting routing mark was
the logical product of the mark values in the rules.
Example:
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25
A TCP packet from 192.168.1.44 with destination port 25 would end
up with a mark value of 0x300.
3) Shorewall now properly parses comma separated SOURCE (formerly
SUBNET) values in the masq configuration file. Previously, the comma
separated list was not split up into its components, resulting in an
invalid address being passed to the iptables command.
Example:
# /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.2.1,192.168.2.3
4) Previously, specifying both an interface and a MAC address in the
SOURCE column of the tcrules file caused a failure at runtime.
Thanks to Justin Joseph for the patch.
5) Previously, specifying both an interface and an address in the
tcrules DEST column would cause an incomplete rule to be generated.
Example:
1 192.168.1.4 eth2:206.124.146.177 tcp 22
The resulting tcrule would be as if this had been specified:
1 0.0.0.0/0 eth2:206.124.146.177 tcp 22
6) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
fwmarks to routing tables overflowed the designated range for such
marks (10000 - 11000).
2008-02-23 Shorewall 4.0.9
Problems corrected in Shorewall-perl 4.0.9.1
1) In 4.0.9, Shorewall-perl incorrectly generated the following error
message:
ERROR: Your iptables is not recent enough to support bridge ports
Problems corrected in Shorewall-perl 4.0.9
1) If a zone was defined with exclusion in /etc/shorewall/hosts, then
the rules generated for directing outgoing connections to the zone
were incorrect.
Example:
/etc/shorewall/zones:
z ipv4
/etc/shorewall/interfaces:
- eth2
/etc/shorewall/hosts:
z eth2:192.168.1.0/24!192.168.1.5
Traffic from the firewall to 192.168.1.5 was incorrectly classified
as $FW->z.
2) Qualifying 'SOURCE' and 'DEST' with an IP address in a macro file
caused 'SOURCE' or 'DEST' to be interpreted incorrectly as the name
of an interface.
Example:
PARAM DEST SOURCE:224.0.0.22
3) Specifying '!<user>' in the USER/GROUP column of the files that
support it resulted in an invalid iptables rule under
Shorewall-perl.
4) Previously, Shorewall would accept both an interface and an IP
address in tcrules POSTROUTING entries (such as CLASSIFY).
Example:
1:11 eth1:192.168.4.9 - tcp 22
It also allowed both a destination interface and address.
Example:
1:P - eth1:192.168.4.9 tcp 22
Because Netfilter does not allow an input interface to be specified
in POSTROUTING or an output interface to be specified in
PREROUTING, Shorewall must use the routing table to generate a list
of networks accessed through any interface specified in these
cases. Given that a specific address (or set of addresses) has
already been specified, it makes no sense qualify it (them) by
another list of addresses.
5) Shorewall-perl incorrectly generated a fatal error when ':C',
':T' or ':CT' was used in a tcrules entry that gave $FW as the
SOURCE.
6) Users have been confused about this error message:
ERROR: Bridge Ports require Repeat match in your kernel and iptables
The message has been replaced with:
ERROR: Your iptables is not recent enough to support bridge ports
The minimum version required is 1.3.8.
Problems corrected in Shorewall-shell 4.0.9.
1) An optimization added to Shorewall-shell in 4.0.0 has been backed
out to work around a limitation of Busybox 'sed'.
2) Previously, specifying both an interface and an address in the
tcrules DEST column would cause an incomplete rule to be generated.
Example:
1 192.168.1.4 eth2:206.124.146.177 tcp 22
The resulting tcrule would be as if this had been specified:
1 0.0.0.0/0 eth2:206.124.146.177 tcp 22
3) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
fwmarks to routing tables previously overflowed the designated
range defined for such marks (10000 - 11000).
Known Problems Remaining.
1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.
Other changes in 4.0.9.
1) The Shorewall-perl now flags unprintable garbage characters in
configuration files with the message:
ERROR: Non-ASCII gunk in file
2) The /usr/share/shorewall/modules file has been updated to reflect
module renaming in kernel 2.6.25.
3) The 'ip route replace' command is broken in kernel 2.6.24. To work
around this problem, the undocumented option BROKEN_ROUTING has
been added to shorewall.conf. The default is BROKEN_ROUTING=No.
If you are experiencing 'File Exists' errors from 'ip route
replace' commands, then add the following line to your
shorewall.conf:
BROKEN_ROUTING=Yes
Note: This workaround is only available in Shorewall-perl.
2008-01-25 Shorewall 4.0.8
Problems corrected in Shorewall-perl 4.0.8.
1) Mark tests (such as in the TEST column of tcrules or the MARK
column of the rules file) were ignoring the value 0. As part of
this fix, the default mask generated by entries in these columns
has been changed from 0xFF to 0xFFFF for compatibility with
Shorewall-shell.
2) The compilation date recorded in the firewall.conf file produced by
Shorewall-perl was previously mangled.
3) The ability to specify a DEST IP range (round-robin) in a DNAT rule
has been restored. In versions 4.0.5 - 4.0.7, an IP range was
incorrectly flagged as an error.
Problems corrected in Shorewall-shell 4.0.8.
1) Shorewall-shell now properly parses comma separated SOURCE (formerly
SUBNET) values in the masq configuration file. Previously, the comma
separated list was not split up into its components, resulting in an
invalid address being passed to the iptables command.
Example:
# /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.2.1,192.168.2.3
Known Problems Remaining.
1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.
Other changes in 4.0.8.
None.
Problems corrected in Shorewall-perl 4.0.7
1) If any of the following files was missing, a harmless Perl warning
was issued:
accounting
maclist
masq
nat
netmap
rfc1918
routestopped
tunnels
This problem was experienced mostly by Debian users and users of
Debian derivatives such as Ubuntu.
2) The iptables utility doesn't retry operations that fail due to
resource shortage. Beginning with this release, Shorewall reruns
iptables when such a failure occurs.
3) Previously, Shorewall-perl did not accept log levels in upper case
(e.g., INFO). Beginning with 4.0.7, log levels are treated in a
case-insensitive manner by Shorewall-perl.
4) The column headers in macro files were not aligned. This has been
corrected, along with some inaccuracies in the macro.template file.
5) The shorewall.conf files in the Samples did not contain some
recently-defined options. They are now up to date.
6) The names of the Jabber macros were shuffled. They are now named
correctly.
7) If ADD_IP_ALIASES=Yes, an alias was incorrectly added when the
specified INTERFACE ended with ":" (e.g., eth0:).
8) Shorewall-shell generated an incorrect iptables rule from the
following:
/etc/shorewall/rules:
ACCEPT loc:eth0:~00-02-02-02-02-02 ...
/etc/shorewall/tcrules:
xxxx eth0:~00-02-02-02-02-02 ...
Known Problems Remaining.
1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.
Other changes in 4.0.7
1) If the program named in SHOREWALL_SHELL doesn't exist or is not
executable, Shorewall and Shorewall-lite now both fall back to
/bin/sh after issuing a warning message. Previously, both
terminated with a fatal error.
2) The error message has been improved when a non-root user attempts
"shorewall show capabilities".
3) Shorewall-perl now generates fatal error conditions when there are
no IPv4 zones defined and when there are no interfaces defined.
2007-12-26 Shorewall 4.1.3
Problems corrected in Shorewall 4.1.3.
1) If NFLOG or ULOG was specified with parameters, the resulting
iptables-restore input contained elements that were incorrectly
up-cased.
2) If STARTUP_LOG is specified without LOG_VERBOSITY, /sbin/shorewall
produces an error.
3) If LOG_VERBOSITY is specified without STARTUP_LOG, run-time error
messages are produced.
4) Shorewall-shell was mishandling the entries in /etc/shorewall/rules
and in /etc/shorewall/tcrules where both a SOURCE interface and MAC
address were specified.
Example:
ACCEPT net:eth0:~01-02-03-04-05-06 $FW tcp 22
Other changes in Shorewall 4.1.3.
1) If the program named in SHOREWALL_SHELL doesn't exist or is not
executable, Shorewall and Shorewall-lite now both fall back to
/bin/sh after issuing a warning message. Previously, both
terminated with a fatal error.
2) The error message has been improved when a non-root user attempts
"shorewall show capabilities".
3) Shorewall-perl now generates fatal error conditions when there are
no IPv4 zones defined and when there are no interfaces defined.
4) Shorewall now unconditionally uses tc filter rules to classify
traffic by MARK value. Previously, Shorewall used the CLASSIFY
target in the POSTROUTING chain if it was available.
5) The Shorewall-common installer (install.sh) now works on Windows
under Cygwin.
To install Shorewall-perl under Cygwin:
$ tar -xf shorewall-perl-4.1.3.tar.bz2
$ tar -xf shorewall-common-4.1.3.tar.bz2
$ cd shorewall-perl-4.1.3
$ ./install.sh
$ cd ../shorewall-common-4.1.3
$ USER=<your user id> GROUP=None ./install.sh
The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/).
2007-11-23 Shorewall 4.0.6
Problems corrected in Shorewall-perl 4.0.6.
1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST
PORT(S) list contained a service name containing a hyphen ("-") then
an ERROR was generated.
Example -- Rules file:
DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125
Results in:
ERROR: Invalid port range (ms:wbt:server) : rules (line 49)
Problem was introduced in Shorewall 4.0.5 and does not occur in
earlier releases.
2) If a long destination port list needed to be broken at a port pair,
the generated rule contained an extra comma which resulted in an
iptables-restore failure.
3) Several problems involving port ranges and port lists in REDIRECT
rules have been corrected.
4) Shorewall-perl no longer requires an address in the GATEWAY column
of /etc/shorewall/tunnels. If the column is left empty (or contains
'-') then 0.0.0.0/0 is assumed.
5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR
to the same file descriptor resulted in scrambled output between
the two. The error messages were often in the middle of the
regular output far ahead of the point where the error occurred.
This problem was possible in the Debian Shorewall init script
(/etc/init.d/shorewall) which redirects output to the
Debian-specific /var/log/shorewall-init.log file in this way:
$SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ...
6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable
results could occur when marking in the PREROUTING or OUTPUT
chains. When a rule specified a mark value > 255, the compilers
were using the '--or-mark' operator rather than the '--set-mark'
operator. Consequently, when a packet matched more than one
rule, the resulting routing mark was the logical product of the
mark values in the matching rules rather than the mark value from
the last matching rule.
Example:
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25
A TCP packet from 192.168.1.44 with destination port 25 would have
a mark value of 0x300 rather than the expected value of 0x200.
7) Previously, a 'start -f' on Shorewall Lite would produce the
following distressing output before starting the firewall:
make: *** No rule to make target `/firewall', needed by
`/var/lib/shorewall-lite/restore'. Stop.
Furthermore, the Makefile for both Shorewall and Shorewall Lite
failed to take into account the /etc/shorewall/vardir file.
This has been corrected. As part of the fix, both /sbin/shorewall
and /sbin/shorewall-lite support a "show vardir" command that
displays the VARDIR setting.
8) Shorewall-perl was previously ignoring the USER/GROUP column of the
tcrules file.
9) Supplying the name of a built-in chain in the 'refresh' command
caused entries in the chain to be duplicated. Since this is a
feature of iptables-restore with the '-n' option, built-in chains
in the 'refresh' list will now be rejected.
Known Problems Remaining.
1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.
Other changes in Shorewall 4.0.6.
1) Shorewall-perl now uses the '--physdev-is-bridged' option when it
is available. This option will suppress messages like the following:
kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported
anymore.
This change only affects users who use bport/bport4 zones in a
briged configuration and requires that capabilities files be
regenerated using Shorewall-common or Shorewall-lite 4.0.6.
2) Shorewall-perl now allows you to embed Shell or Perl scripts in
all configuration files except /etc/shorewall/params and
/etc/shorewall/shorewall.conf (As always, you can continue to
include arbitrary shell code in /etc/shorewall/params).
To embed a one-line script, use one of the following:
SHELL <shell script>
PERL <perl script>
For multi-line scripts, use:
BEGIN SHELL
<shell script>
END SHELL
BEGIN PERL
<perl script>
END PERL
For SHELL scripts, the output from the script is processed as if it
were part of the file.
Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d
and e to the firewall:
Either:
BEGIN SHELL
for z in a b c d e; do
echo SMTP/ACCEPT $z fw tcp 25
done
END SHELL
or
SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done
Either is equivalent to:
SMTP/ACCEPT a fw tcp 25
SMTP/ACCEPT b fw tcp 25
SMTP/ACCEPT c fw tcp 25
SMTP/ACCEPT d fw tcp 25
SMTP/ACCEPT e fw tcp 25
With a Perl script, if you want to output text to be processed as
if it were part of the file, then pass the text to the shorewall()
function.
Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d
and e to the firewall:
BEGIN PERL
for ( qw/a b c d e/ ) {
shorewall "SMTP/ACCEPT $_ fw tcp 25";
}
END PERL
PERL scripts have access to any context accumulated in earlier PERL
scripts. All such embedded Perl, as well as conventional Perl
extension scripts are placed in the Shorewall::User package. That
way, your global variables and functions won't conflict with any of
Shorewall's.
To allow you to load Perl modules and initialize any global state,
a new 'compile' compile-time extension script has been added. It is
called early in the compilation process.
For additional information, see
- http://www.shorewall.net/configuration_file_basics.html#Embedded
3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl
scripts to create filter chains using
Shorewall::Chains::new_manual_chain() and then use the chain as a
target in subsequent entries in /etc/shorewall/rules.
See http://www.shorewall.net/ManualChains.html for information.
4) The 'hits' command now accepts a -t option which limits the report
to those log records generated today.
5) A DONT_LOAD option has been added to shorewall.conf. If there are
kernel modules that you don't wish to have loaded, you can list
them in this entry as a comma-separated list.
Example:
DONT_LOAD=nf_conntrack_sip,nf_nat_sip
6) Shorewall-perl now supports the --random option of the iptables
SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that
iptables support for this option is currently broken for the DNAT
and REDIRECT targets; I've sent a patch to the Netfilter team.
For MASQUERADE, simply place the word 'random' in the ADDRESS
column. This causes Netfilter to randomize the source port seen by
the remote host.
Example:
#INTERFACE SOURCE ADDRESS
eth0 eth1 random
For SNAT, follow the port list by ":random".
Example:
#INTERFACE SOURCE ADDRESS
eth0 eth1 206.124.146.179:10000-10999:random
For DNAT, follow the port list by ":random".
Example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
DNAT net loc:192.168.1.4:40-50:random tcp 22
For REDIRECT, you must use the fully-qualified form of the DEST:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
REDIRECT net $FW::40-50:random tcp 22
Note that ':random' is only effective with SNAT, DNAT and REDIRECT
when a port range is specified in the ADDRESS/DEST column. It is
ignored by iptables/iptables-restore otherwise.
2007-10-22 Shorewall 4.0.5
Problems corrected in Shorewall 4.0.5.
1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
column of a REDIRECT rule, generating an error. '$FW::<port>' now
produces the same effect as '<port>'.
2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
the entry with the error:
ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules
The rule was accepted if 'tcp' or 'udp' was used instead.
3) Shorewall-shell now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindings were not
removed with the result that the ipsets could not be destroyed.
Other changes in Shorewall 4.0.5.
1) Two new options have been added to /etc/shorewall/hosts
(Shorewall-perl only).
broadcast: Permits limited broadcast (destination 255.255.255.255)
to the zone.
destonly: Normally used with the Multi-cast range. Specifies that
traffic will be sent to the specified net(s) but that
no traffic will be received from the net(s).
Example:
wifi eth1:192.168.3.0/24 broadcast
wifi eth1:224.0.0.0/4 destonly
In that example, limited broadcasts from the firewall with a source
IP in the 192.168.3.0/24 range will be acccepted as will multicasts
(with any source address).
2) A MULTICAST option has been added to shorewall.conf. This option
will normally be set to 'No' (the default). It should be set to
'Yes' under the following circumstances:
a) You have an interface that has parallel zones defined via
/etc/shorewall/hosts.
b) You want to forward multicast packets to two or more of those
parallel zones.
In such cases, you will configure a 'destonly' network on each
zone receiving multicasts.
The MULTICAST option is only recognized by Shorewall-perl and is
ignored by Shorewall-shell.
3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
no longer supports the 'detectnets' option. Specifying that option
now results in the following message:
WARNING: Support for the 'detectnets' option has been removed
It is suggested that 'detectnets' be replaced by
'routefilter,logmartians'. That will produce the same filtering
effect as 'detectnets' while eliminating 1-2 rules per connection.
One user has asked how to retain the output of 'shorewall show
zones' if the 'detectnets' option is removed. While I don't advise
doing so, you can reproduce the current 'shorewall show' behavior
as follows.
Suppose that you have a zone named 'wifi' that produces the
following output with 'detectnets':
wifi (ipv4)
eth1:192.168.3.0/24
You can reproduce this behavior as follows:
/etc/shorewall/interfaces:
- eth1 detect ...
/etc/shorewall/hosts:
wifi eth1:192.168.3.0/24 broadcast
If you send multicast to the 'wifi' zone, you also need this entry
in your hosts file:
wifi eth1:224.0.0.0/4 destonly
4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
may now be specified as a service name from
/etc/services. Additionally:
a) A port-range may be specified as the service port expressed in
the format <low port>-<high port>. Connections are assigned to
server ports in round-robin fashion.
b) The compiler only permits a server port to be specified if the
protocol is tcp or udp.
c) The compiler ensures that the server IP address is valid (note
that it is still not permitted to specify the server address as a
DNS name).
5) (Shorewall-perl only) Users are complaining that when they migrate
to Shorewall-perl, they have to restrict their port lists to 15
ports. In this release, we relax that restriction on destination
port lists. Since the SOURCE PORT(s) column in the configuration
files is rarely used, we have no plans to relax the restriction in
that column.
6) There have been several cases where iptables-restore has failed
while executing a COMMIT command in the .iptables_restore_input
file. This gives neither the user nor Shorewall support much to go
on when analyzing the problem. As a new debugging aid, the meaning
of 'trace' and 'debug' have been changed.
Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
allowed either 'trace' or 'debug' as the first run-line
parameter. Prior to 4.0.5, the two words produced the same effect.
Beginning with Shorewall 4.0.5, the two words have different
effects when Shorewall-perl is used.
trace - Like the previous behavior.
In the Shorewall-perl compiler, generate a stack trace
on WARNING and ERROR messages.
In the generated script, sets the shell's -x option to
trace execution of the script.
debug - Ignored by the Shorewall-perl compiler.
In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.
Users of Shorewall-lite will see the following change when using a
script that was compiled with Shorewall-perl 4.0.5 or later.
trace - In the generated script, sets the shell's -x option to
trace execution of the script.
debug - In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.
In all other cases, 'debug' and 'trace' remain synonymous. In
particular, users of Shorewall-shell will see no change in
behavior.
WARNING: The 'debug' feature in Shorewall-perl is strictly for
problem analysis. When 'debug' is used:
a) The firewall is made 'wide open' before the rules are applied.
b) The routestopped file is not consulted and the rules are applied
in the canonical iptables-restore order (ASCIIbetical by chain).
So if you need critical hosts to be always available during
start/restart, you may not be able to use 'debug'.
7) /usr/share/shorewall-perl/buildports.pl,
/usr/share/shorewall-perl/FallbackPorts.pm and
/usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.
Shorewall now resolves protocol and port names as using Perl's
interface to the the standard C library APIs getprotobyname() and
getservbyname().
Note 1:
The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
'icmp' and 'ICMP' are still resolved by Shorewall-perl
itself.
Note 2:
Those of you running Shorewall-perl under Cygwin may wish to
install "real" /etc/protocols and /etc/services files
in place of the symbolic links installed by Cygwin.
8) The contents of the Shorewall::*::$VERSION variables are now a
only of interest for Perl programs that are using the modules and
specifying a minimum version (e.g., "use Shorewall::Config
4.0.5;"). Each module continues to carry a separate version which
indicates the release of Shorewall-perl when the module was last
modified
2007-10-02 Shorewall 3.4.7
Problems Corrected in Shorewall 3.4.7
1) A bug prevented proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the track option was specified in
/etc/shorewall/providers.
2) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
3) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
2007-09-28 Shorewall 4.0.4
Problems Corrected in Shorewall 4.0.4
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command failed:
ERROR: No filter chain found with name blacklst
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
chainlist_reload: Not found
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
4) During start/restart, the script generated by Shorewall-perl was
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations would have incorrect logging.
8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.
With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.
9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.
12) In commands such as:
shorewall compile <directory>
shorewall restart <directory>
shorewall check <directory>
if the name of the <directory> contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.
13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.
16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
multiple of 256. That restriction was being enforced by
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
enforces this restriction.
17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
failed with an "Unknown interface" error when using Shorewall-perl.
Other Changes in Shorewall 4.0.4
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.
Example:
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.
2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.
3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:
WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
'logmartians
The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).
Beginning with Shorewall 4.0.5, the warning message will read:
WARNING: Support for the 'detectnets' option has been removed
2007-09-01 Shorewall 4.0.3
Problems Corrected in 4.0.3
1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.
2) Shorewall now loads the act_police kernel module needed by traffic
shaping.
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
5) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1->Z2 rules
then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
6) The 'shorewall add' and 'shorewall delete' command would fail when:
- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.
This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.
7) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.
8) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.
Other Changes in 4.0.3
1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.
2) Shorewall-perl now requires the FindBin Perl module.
3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.
4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.
Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:
case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
return
;;
*)
# Assume we don't need to do any additional testing
# for this interface beyond Shorewall's
return 0
;;
esac
Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.
5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.
Example: shorewall stop -f
is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.
Example:
#ZONE INTERFACE BROADCAST OPTIONS
vpn ppp0 - mss=1400
The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.
8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:
use Shorewall::Config;
require_capability( 'HASHLIMIT_MATCH', #Capability
'My hashlimit action' , #Feature requiring
#capability
's' ); #Feature is singular
#(if plural, pass the
empty string)
That call would procduce the following fatal error if the
capability isn't available:
ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables
9) NFQUEUE support has been added to Shorewall-perl.
NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.
Examples (/etc/shorewall/rules):
NFQUEUE loc net tcp #Queue number 0
NFQUEUE/22 loc net udp #Queue number 22
NFQUEUE/22:info loc net gre #With logging
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.
Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier that 4.0.3, you will receive a warning during
compilation.
10) The 'refresh' command can now refresh chains other than 'blacklst'.
The syntax of the command is now:
shorewall refresh [ <chain> ... ]
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed <chain>(s).
The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.
2007-08-19 Shorewall 3.4.6
Problems Corrected in 3.4.6.
1) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables
commands to be generated.
2) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.
3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.
4) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file caused an invalid iptables command
to be generated.
5) Using the LOG target in the rules file could result in two LOG
rules being generated. Additionally, using an IP address range in a
rule that performed logging could result in an invalid iptables
command.
6) Shorewall now loads the act_police kernel module needed by traffic
shaping.
7) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
8) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
9) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Z1 and Z2 were orphans (neither had parent zones)
- There were no Z1->Z2 rules
then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
Other changes in 3.4.6.
1) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
2007-08-10 Shorewall 4.0.2
Problems corrected in 4.0.2
1) The Shorewall-perl compiler was still generating invalid
iptables-restore input from entries in /etc/shorewall/ecn.
2) When using Shorewall-perl, unless an interface was specified as
'optional' in the interfaces file, the 'restore' command would
fail if the routes through the interface or the addresses on the
interface could not be detected.
Route detection occurs when the interface is named in the SOURCE
column of the masq file. Address detection occurs when
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
or REDIRECT rule or when 'maclist' is specified for the interface.
Since the 'restore' command doesn't use the detected information,
detection is now skipped if the command is 'restore'.
3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.
4) When Shorewall-shell was not installed, certain options in
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
'add' and 'delete' commands to fail with a missing library error.
OPTION FILE
maclist interfaces,hosts
proxyarp interfaces
5) The /var/lib/shorewall/zones file was being overwritten during
processing of the 'refresh' command by a script generated with
Shorewall-perl. The result was that hosts previously added to
dynamic zones could not be deleted after the 'refresh'.
6) If the file named as the output file in a Shorewall-perl 'compile'
command was a symbolic link, the generated error message
erroneously stated that the file's parent directory was a symbolic
link.
As part of this change, cosmetic changes were made to a number of
other error messages.
7) Some intra-zone rules were missing when a zone involved multiple
interfaces or when a zone included both IPSEC and non-IPSEC
networks.
8) Shorewall was not previously loading the xt_multiport kernel
module.
9) The Russian and French translations no longer have English headings
on notes, cautions, etc..
10) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file could cause an invalid iptables
command to be generated by Shorewall-shell.
11) If there were no bridges in a configuration, Shorewall-perl would
ignore the CHAIN column in /etc/shorewall/accounting.
Other changes in 4.0.2
1) Shorewall-perl now detects when a port range is included in a list
of ports and iptables/kernel support for Extended Multi-port Match
is not available. This avoids an iptables-restore failure at
run-time.
2) Most chains created by Shorewall-shell have names that can be
embedded within shell variable names. This is a workaround for
limitations in the shell programming language which has no
equivalent to Perl hashes. Often chain names must have the name of
a network interface encoded in them. Given that interface names can
contain characters that are invalid in a shell variable name,
Shorewall-shell performs a name mapping which was carried forward to
Shorewall-perl:
- Trailing '+' is dropped.
- The characters ".", "-", "%' and "@" are translated to "_".
This mapping has been elminated in the 4.0.2 release of Shorewall-
perl. So where before you would see chain "eth0_0_in", you may now
see the same chain named "eth0.0_in". Similarly, a chain previously
named "ppp_fwd" may now be called "ppp+_fwd".
3) Shorewall-perl now uses the contents of the BROADCAST column in
/etc/shorewall/interfaces when the Address Type match capability is
not available.
2007-07-30 Shorewall 4.0.1
Problems corrected in 4.0.1.
1) The Shorewall Lite installer was producing an empty shorewall-lite
manpage. Since the installer runs as part of creating the RPM, the
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
packages were re-uploaded with this problem corrected.
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
rather than /sbin/shorewall-lite.
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
uninstaller correctly does "shorewall-lite clear" and both
uninstallers only perform the 'clear' operation if the other
product is not installed. This prevents the removal of one of the
two products from clearing the firewall configuration established
by the other one.
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
Shorewall-perl. If the zone type was changed to 'ipsec' or
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
the configuration worked properly.
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
Shorewall-perl produced the following:
Compiling...
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
locating the binary using the PATH environmental variable rather
than the PATH setting in shorewall.conf. If no PATH was available
when Shorewall-perl was run and IPTABLES was not set in
shorewall.conf, the following messages were issued:
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
ERROR: Can't find iptables executable
ERROR: Shorewall restart failed
7) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables commands
to be generated. This problem occurred with both compilers.
8) Shorewall now starts at reboot after an upgrade from shorewall <
4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPMs.
9) Shorewall-perl was generating invalid iptables-restore input when a
log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
builtin actions.
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
time in rate-limiting specifications.
11) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.
Other changes in Shorewall 4.0.1.
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is
#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
2) The Shorewall-perl dependency on the "Address Type Match"
capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that don't support that capability.
3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:
all all REJECT info
loc net ACCEPT
4) Recent kernels are apparently hard to configure and we have been
seeing a lot of problem reports where the root cause is the lack of
state match support in the kernel. This problem is difficult to
diagnose when using Shorewall-perl so the generated shell program
now checks specifically for this problem and terminates with an
error if the capability doesn't exist.
2007-07-20 Shorewall 4.0.0
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
----------------------------------------------------------------------------
1) This is the first Shorewall release that fully integrates the new
Shorewall-perl compiler. See the "New Features" section below.
2) You are now offered a choice as to which compiler(s) you install. In
4.0.0, there are the following packages:
- Shorewall-common ( common files )
- Shorewall-shell ( the shell-based compiler )
- Shorewall-perl (the Perl-based compiler )
You must install at least one of the compiler packages (you may
install them both) along with Shorewall-common.
YOU DO NOT NEED TO UNINSTALL ANY OF YOUR CURRENT PACKAGES.
See the Migration Considerations below for further information.
3) The facilities for supporting bridge/firewalls under earlier
releases are deprecated and their documentation is omitted from the
4.0 distribution. New bridge support is implemented in the
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.
Problems corrected in 4.0.0 Final.
1) The shorewall-lite install.sh may now be run multiple times from
the same directory. Previously, the manpages were gzipped in-place
which made it impossible to rerun the script.
2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
removed, subsequent "shorewall [re]start" operations failed. When
shorewall-shell is removed, the shorewall.conf file is modified to
specify SHOREWALL_COMPILER= and the original is saved in
shorewall.conf.rpmsave.
3) The contents of the LOG LEVEL column in /etc/shorewall/policy are
now validated at compile time by Shorewall-perl.
Other changes in Shorewall 4.0.0 Final.
1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
consolidated somewhat, leading to slightly faster compilation.
Migration Considerations:
1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
package. Rather there are two compiler packages (shorewall-shell
and shorewall-perl) and a set of base files (shorewall-common)
which are required by either compiler package.
Although the names of the packages are changing, you can upgrade
without having to uninstall/reinstall.
To repeat: YOU DO NOT NEED TO UNINSTALL ANY EXISTING PACKAGE.
If you attempt to upgrade using the shorewall-common RPM, you get
this result:
gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm
error: Failed dependencies:
shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch
gateway:~ #
You must either:
rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm
or
rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-perl-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm
If you don't want to use shorewall-perl exclusively then use the
second command above then
rpm -e shorewall-shell
If you are upgrading using the tarball, you must install
shorewall-shell and/or shorewall-perl before you upgrade
using shorewall-common. Otherwise, the install.sh script fails with:
ERROR: No Shorewall compiler is installed
The shorewall-shell and shorewall-perl packages are installed from
the tarball in the expected way; untar the package, and run the
install.sh script.
Example 1: You have 'shorewall' installed and you want to continue
to use the shorewall-shell compiler.
tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-shell-4.0.0.tar.bz2
cd shorewall-shell-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart
Example 2: You have shorewall 3.4.4 and shorewall-perl 4.0.0-Beta7
installed and you want to upgrade to 4.0. You do not need the
shell-based compiler.
tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-perl-4.0.0.tar.bz2
cd shorewall-perl-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart
Be sure to modify shorewall.conf if it still has
SHOREWALL_COMPILER=shell.
2) The ROUTE_FILTER and LOG_MARTIANS options in shorewall.conf work
slightly differently in Shorewall 4.0.0. In prior releases, leaving
these options empty was equivalent to setting them to 'No' which
caused the corresponding flag in /proc to be reset for all
interfaces. Beginning in Shorewall 4.0.0, leaving these options
empty causes Shorewall to leave the flags in /proc as they are. You
must set the option to 'No' in order to obtain the old behavior.
3) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
If you plan on continuing to use Shorewall-shell and you want to
use the "-f" option at boot time, then you must add the following
to /etc/sysconfig/shorewall or /etc/default/shorewall:
OPTIONS="-f"
If you currently have neither of those files, you will need to
create one of them.
4) This issue will only affect you if you use Shorewall Lite and have
modified /usr/share/configpath to specify a different LITEDIR.
The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).
To meet these objectives:
a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.
b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:
VARDIR=<directory>
Example:
VARDIR=/root/shorewall
To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].
To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
----------------------------------------------------------------------------
N E W F E A T U R E S
----------------------------------------------------------------------------
1) Shorewall-perl
This Shorewall package includes a complete rewrite of the compiler
in Perl.
I decided to make Shorewall-perl a separate package for several reasons:
a) Embedded applications are unlikely to adopt Shorewall-perl; even
Mini-Perl has a substantial disk and RAM footprint.
b) Because of the gross incompatibilities between the new compiler and the
old (see below), migration to the new compiler must be voluntary.
------------------------------------------------------------------------
T H E G O O D N E W S:
------------------------------------------------------------------------
a) The compiler has a small disk footprint.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.
d) The new compiler does a much better job of validating the
configuration and catches many errors that resulted in run-time
failures with the old compiler.
e) Use of the Shorewall-perl is optional! The old slow clunky
Bourne-shell compiler is still available.
------------------------------------------------------------------------
T H E B A D N E W S:
------------------------------------------------------------------------
There are a number of incompatibilities between the Perl-based compiler
and the Bourne-shell one.
a) The Perl-based compiler requires the following capabilities in your
kernel and iptables.
- addrtype match
- multiport match
These capabilities are in current distributions.
b) Now that Netfilter has features to deal reasonably with port lists,
I see no reason to duplicate those features in Shorewall. The
Bourne-shell compiler goes to great pain (in some cases) to
break very long port lists ( > 15 where port ranges in lists
count as two ports) into individual rules. In the new compiler, I'm
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
have extended multiport support.
c) The old BRIDGING=Yes support has been replaced by new bridge
support that uses the reduced 'physdev match' capabilities found
in kernel 2.6.20 and later. This new implementation may be used
where it is desired to control traffic through a bridge.
The new implementation includes the following features:
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
'bport4' in the TYPE column of /etc/shorewall/zones.
Bridge Port zones should be a sub-zone of a regular ipv4 zone
that represents all hosts attached to the bridge.
b) A new 'bridge' option is defined for entries in
/etc/shorewall/interfaces. Bridges should have this option
specified, even if you don't want to filter traffic going
through the bridge.
c) Bridge ports must now be defined in
/etc/shorewall/interfaces. The INTERFACE column contains
both the bridge name and the port name separated by a colon
(e.g., "br0:eth1"). No OPTIONS are allowed for bridge
ports. The bridge must be defined before its ports and must
have the 'bridge' option.
Bridge Port (BP) zones have a number of limitations:
a) Each BP zone may only be associated with ports on a single
bridge.
b) BP zones may not be associated with interfaces that are not
bridge ports.
c) You may not have policies or rules where the DEST is a BP
zone but the source is not a BP zone. If you need such
rules, you must use the BP zone's parent zone as the DEST
zone.
Example (Bridge br0 with ports eth1 and tap0):
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/interfaces:
net eth0 - ...
loc br0 - ...
lan eth1
vpn tap0
When using the /etc/shorewall/hosts file to define a bport4
zone, you specify only the port name:
Example:
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/hosts
lan eth1:192.168.2.0/24 ...
The structure of the accounting rules changes slightly when
there are bridges defined in the Shorewall
configuration. Because of the restrictions imposed by Netfilter
in kernel 2.6.21 and later, output accounting rules must be
segregated from forwarding and input rules.
To accomplish this separation, Shorewall-perl creates two
accounting chains:
- accounting - for input and forwarded traffic.
- accountout - for output traffic.
If the CHAIN column contains '-', then:
- If the SOURCE column in a rule includes the name of the
firewall zone (e.g., $FW), then the rule is add only
to the accountout chain.
- Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
then the rule is added to both accounting and accountout.
- Otherwise, the rule is added to accounting only.
See http://www.shorewall.net/bridge-Shorewall-perl.html for
additional information about the new bridge support.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
receive a warning.
e) Because the compiler is written in Perl, some of your extension
scripts from earlier versions will no longer work because
Shorewall-perl runs those extension scripts at compile-time rather
than at run-time.
Compile-time scripts are:
initdone
maclog
All per-chain scripts including those associated with actions.
Compile-time extension scripts are executed using the Perl 'eval
`cat <file>`' mechanism. Be sure that each script returns a
'true' value; otherwise, the compiler will assume that the
script failed and will abort the compilation.
All scripts will need to begin with the following line:
use Shorewall::Chains;
For more complex scripts, you may need to 'use' other Shorewall
Perl modules -- browse /usr/share/shorewall-perl/Shorewall/ to
see what's available.
When a script is invoked, the $chainref scalar variable will hold a
reference to a chain table entry.
$chainref->{name} contains the name of the chain
$chainref->{table} holds the table name
To add a rule to the chain:
add_rule( $chainref, <the rule> );
Where
<the rule> is a scalar argument holding the rule text. Do
not include "-A <chain name>"
Example:
add_rule( $chainref, '-j ACCEPT' );
To insert a rule into the chain:
insert_rule( $chainref, <rulenum>, <the rule> );
The log_rule_limit function works like it does in the shell
compiler with two exceptions:
- You pass the chain reference rather than the name of
the chain.
- The commands are 'add' and 'insert' rather than '-A'
and '-I'.
- There is only a single "pass as-is to iptables"
argument (so you must quote that part).
Example:
log_rule_limit(
'info' ,
$chainref ,
$chainref->{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Pass as-is
);
Note that in the 'initdone' script, there is no default chain
($chainref). You can objtain a reference to a standard chain by:
my $chainref = $chain_table{<table>}{<chain name>};
Example:
my $chainref = $chain_table{'filter'}{'INPUT'};
The continue script is eliminated. That script was designed to
allow you to add special rules during [re]start. Shorewall-perl
doesn't need such rules.
See http://www.shorewall.net/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.
f) The 'refresh' command now works like 'restart' with the
following exceptions:
- The refresh command is rejected if Shorewall is not running.
- The refresh command only rebuilds the 'blacklst' chain.
- A directory name may not be specified in the refresh command.
g) The /etc/shorewall/tos file now has zone-independent SOURCE and
DEST columns as do all other files except the rules and policy
files.
The SOURCE column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
$FW[:<address>[,...]]
The DEST column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. I've tried
to make the new syntax cover the most common cases without
requiring change to existing files. In particular, it will
handle the tos file released with Shorewall 1.4 and earlier.
h) Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter
ruleset is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using ipsets.
So:
i) Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
/etc/shorewall/start:
if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -F
ipset -X
ipset -R < /my/ipset/contents
fi
The file '/my/ipset/contents' (not its real name of
course) will normally be produced using the ipset -S
command.
The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below).
ii) Your ipsets may not be reloaded until Shorewall is stopped
or cleared.
iii) If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.
As a consequence, scripts generated by the Perl-based compiler
will ignore /etc/shorewall/ipsets and will issue a warning if
you set SAVE_IPSETS=Yes in shorewall.conf.
i) Because the configuration files (with the exception of
/etc/shorewall/params) are now processed by the Perl-based
compiler rather than by the shell, only the basic forms of Shell
expansion ($variable and ${variable}) are supported. The more
exotic forms such as ${variable:=default} are not
supported. Both variables defined in /etc/shorewall/params and
environmental variables (exported by the shell) can be used in
configuration files.
j) USE_ACTIONS=No is not supported. That option is intended to
minimize Shorewall's footprint in embedded applications. As a
consequence, Default Macros are not supported.
k) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of iptables-restore.
l) MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.
m) The pre Shorewall-3.0 format of the zones file is not supported;
neither is the /etc/shorewall/ipsec file.
n) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
combination doesn't work in previous versions of Shorewall so
the Perl-based compiler simply rejects it.
o) Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is
consistent between files.
With shorewall-shell, there is a special syntax in the SOURCE
column of /etc/shorewall/masq to designate "all traffic entering
the firewall on this interface except...".
Example:
#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...
Shorewall-perl uses syntax that is consistent with the rest of
Shorewall:
#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...
p) The 'allowoutUPnP' built-in action is no longer supported. The
Netfilter team have removed support for '-m owner --owner-cmd'
which that action depended on.
q) The treatment of the following interface options has changed under
Shorewall-perl.
- arp_filter
- routefilter
- logmartians
- proxy_arp
- sourceroute
With the Shorewall-shell compiler, Shorewall resets these options
on all interfaces then sets the option on those interfaces
for which the option is defined in /etc/shorewall/interfaces.
Under Shorewall-perl, these options can be specified with the value
0 or 1 (e.g., proxy_arp=0). If no value is specified, the value 1
is assumed. Shorewall will modify only the setting of those
interfaces for which the option is specified and will set the
option to the given value.
A fatal compilation error is also generated if you specify one of
these options with a wildcard interface (one ending with '+').
r) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in
Shorewall-perl.
Yes - Same as before
No - Same as before except that it applies regardless of
whether any interfaces have the logmartians/routefilter
option
Keep - Shorewall ignores the option entirely (which is the
default).
s) Shorewall-perl support nn 'optional' option has been added to
/etc/shorewall/interfaces. This option is recognized by
Shorewall-perl but not by Shorewall-shell. When 'optional' is
specified for an interface, Shorewall will be silent when:
- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be
modified (including for proxy ARP).
- The first address of the interface cannot be obtained.
I specify 'optional' on interfaces to Xen virtual machines that
may or may not be running when Shorewall is [re]started.
CAUTION: Use 'optional' at your own risk. If you [re]start
Shorewall when an 'optional' interface is not available and then
do a 'shorewall save', subsequent 'shorewall restore' and
'shorewall -f start' operations will instantiate a ruleset that
does not support that interface, even if it is available at the
time of the restore/start.
t) Shorewall-perl validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
u) Shorewall-perl checks configuration files for the presense of
characters that can cause problems if they are allowed into the
generated firewall script:
- Double Quotes. These are prohibited except in the
shorewall.conf and params files.
- Single Quotes. These are prohibited except in the
shorewall.conf and params files and in COMMENT lines.
- Single back quotes. These are prohibited except in the
shorewall.conf and params files.
- Backslash. Probibited except as the last character on a line
to denote line continuation.
v) Under Shorewall-perl, macros may invoke other macros with the
restriction that such macros may not be invoked within an action
body.
When marcros are invoked recursively, the parameter passed to an
invocation are automatically propagated to lower level macros.
Macro invocations may be nested to a maximum level of 5.
------------------------------------------------------------------------
P R E R E Q U I S I T E S
------------------------------------------------------------------------
- Perl (I use Perl 5.8.8 but other versions should work fine)
- Perl Cwd Module
- Perl File::Basename Module
- Perl File::Temp Module
- Perl Getopt::Long Module
------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
If you only install one compiler, then that compiler will be used.
If you install both compilers, then the compiler actually used depends
on the SHOREWALL_COMPILER setting in shorewall.conf.
The value of this new option can be either 'perl' or 'shell'.
If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf
then by default, the new compiler will be used on the system. If you
add it to shorewall.conf in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be
used when you compile from that directory.
If you only install one compiler, it is suggested that you do not set
SHOREWALL_COMPILER.
You can also select the compiler to use on the command line using the
'C option:
'-C shell' means use the shell compiler
'-C perl' means use the perl compiler
The -C option overrides the setting in shorewall.conf.
Example:
shorewall restart -C perl
2) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to
read the comments in the macro file before trying to use this
macro.
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
4) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK and CONNMARK value (CONNMARK is
only accepted under Shorewall Perl).
5) SOURCE and DEST are now reserved zone names to avoid problems with
bi-directional macro definitions which use these as names as key
words.
6) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
Example:
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
7) The 'shorewall version' command now lists the version of the
installed compiler(s) if the -a option is used:
gateway:/bulk/backup # shorewall version -a
4.0.0-Beta1
Shorewall-shell 4.0.0-Beta1
Shorewall-perl 4.0.0-Beta1
gateway:/bulk/backup #
8) The Perl compiler is externalized. Both the compiler.pl program
and the Perl Module interface are documented.
The compiler program is /usr/share/shorewall-perl/compiler.pl:
compiler.pl [ <option> ... ] [ <filename> ]
If a <filename> is given, then the configuration will be compiled
output placed in the named file. If <filename> is not given, then
the configuration will simply be syntax checked.
Options are:
-v <verbosity>
--verbosity=<verbosity>
The <verbosity> is a number between 0 and 2 and corresponds to
the VERBOSITY setting in shorewall.conf. This setting controls
the verbosity of the compiler itself.
-e
--export
If given, the configuration will be compiled for export to
another system.
-d <directory>
--directory=<directory>
If this option is omitted, the configuration in /etc/shorewall
is compiled/checked. Otherwise, the configuration in the named
directory will be compiled/checked.
-t
--timestamp
If given, each progress message issued by the compiler and by
the compiled program will be timestamped.
--debug
If given, when a warning or error message is issued, it is
supplimented with a stack trace. Requires the Carp Perl
module.
Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
Note: For compatibility with the Shorewall 3.4.2 and 3.4.3
releases, options not passed on the run-line get their values from
environmental variables:
Option Variable
--verbosity VERBOSE
--export EXPORT
--directory SHOREWALL_DIR
--timestamp TIMESTAMP
The Perl Module is externalized as follows:
use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;
compiler $filename, $directory, $verbose, $options
The arguments to the compiler function are as follows:
$filename - Name of the compiled script to be created.
If the arguments evaluates to false, the
configuration is syntax checked
$directory - The directory containing the configuration.
If passed as '', then /etc/shorewall/ is assumed.
$verbose - The verbosity level (0-2).
$options - A bitmap of options. Shorewall::Compiler
exports two constants to help building this
argument:
EXPORT = 0x01
TIMESTAMP = 0x02
The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.
The compiler function can be called repeatedly with different
inputs.
9) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
10) During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.
To re-generate the module from those two files:
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm
Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.
Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
11) Tuomo Soini has contributed bi-directional macros for various
tunnel types:
IPsecah
GRE
IPsec
IPIP
IPsecnat
L2TP
12) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
To re-generate the module from those two files:
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm
Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.
Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
11) Tuomo Soini has contributed bi-directional macros for various
tunnel types:
IPsecah
GRE
IPsec
IPIP
IPsecnat
L2TP
12) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
13) The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).
To meet these objectives:
a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.
b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:
VARDIR=<directory>
Example:
VARDIR=/root/shorewall
To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].
To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
2007-07-15 Shorewall 3.4.5
Problems Corrected in 3.4.5.
1) DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport'
zones. Those zones themselves may not be dynamically modified but
the presence of bport zones no longer causes the 'shorewall add'
command to fail.
2) Shorewall's internal traffic shaper once again works when the 'sed'
utility is provided by the Busybox package.
3) Version 3.4.4 erroneously accepted the values On, Off, on, off, ON
and OFF for the IP_FORWARDING option. These values were treated
like 'Keep'. The listed values are now once again flagged as an
error.
4) If 'routeback' and 'detectnets' were specified on an interface,
limited broadcasts (to 255.255.255.255) and multicasts were dropped
when forwarded through the interface. This could cause
broadcast-based and multicast applications to fail when running
through a bridge with 'detectnets'.
5) The 'hits' command works once again.
6) IPSECFILE=ipsec (either explicitly or defaulted) works
now. Previously, processing of the ipsec file was bypassed; often
with a confusing "missing file" message.
7) If DETECT_DNAT_IPADDRS=Yes in shorewall.conf but you did't have conntrack
match support, then the generated script was missing 'done's.
Other changes in 3.4.5.
1) When a Shorewall release includes detection of an additional
capability, existing capabilities files become out of
date. Previously, this condition was not detected.
Beginning with this release, each generated capabilities file
contains a CAPVERSION specification which defines the capabilities
version of the file. If the CAPVERSION in a capabilities file is
less than the current CAPVERSION, then Shorewall will issue the
following message:
WARNING: <file> is out of date -- it does not contain all of
the capabilities defined by Shorewall version <version>
where
<file> is the name of the capabilities file.
<version> is the current Shorewall version.
Existing capabilities files contain no CAPVERSION. When such a file
is read, Shorewall will issue this message:
WARNING: <file> may be not contain all of the capabilities defined
by Shorewall version <version>
2) When a directory is specified in a command such as 'start' or
'compile', Shorewall now reads the shorewall.conf file (if any) in
that directory before deciding which compiler to use. So if
SHOREWALL_COMPILER is not specified in
/etc/shorewall/shorewall.conf and the -C option was not specified
on the run-line, then if Shorewall-perl is installed, the additional
shorewall.conf file is read to see if it specifies a
SHOREWALL_COMPILER.
3) The 'save' command now uses iptables-save from the same directory
containing iptables. Previously, iptables-save was located via the
PATH setting.
2007-06-17 Shorewall 3.4.4
Problems corrected in 3.4.4:
1) The commands "shorewall add <interface> <zone>" and "shorewall
delete <interface> <zone>" no longer produce spurious error
messages.
2) The command "shorewall delete <interface> <zone>" now actually deletes
entries when it successfully completes. Previously, it would appear
to remove an entry, even when removing that entry should fail.
3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
4) When run as root, the 'shorewall load' and 'shorewall reload'
commands would fail if the LOGFILE setting in
/etc/shorewall/shorewall.conf specified a non-existant file.
5) Entries in /etc/shorewall/tcrules that specify both a source and
destination port fail with the following diagnostic:
iptables v1.3.3: multiport can only have one option
6) Previously, Shorewall-lite did not allow DHCP traffic through an
interface when the interface was a bridge with 'dhcp' specified
unless there was a bridge on the administrative system with the
same name.
7) SOURCE and DEST are now flagged as invalid zone name to avoid
problems with macros that use those names as keywords.
8) Previously, Shorewall could *increase* the MSS under some
circumstances. This possibility is now eliminated, provided that
the system has TCPMSS match support (be sure to update your
capabilities files!).
9) Firewall zone names other than 'fw' no longer cause a error when
IPSECFILE is not set or is set to 'ipsec'.
10) The 'proxyarp' option on an interface was previously ignored when
the /etc/shorewall/proxyarp file was empty.
11) Previously, if action 'a' was defined then the following
rule generated an error:
a: z1 z2 ...
The trailing ":" is now ignored.
12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
generated error messages referred to the rule as a DROP rule.
13) The 'nolock' keyword was previously ignored on several
/sbin/shorewall[-lite] commands.
Other changes in 3.4.4:
1) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK value.
2) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
Example:
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
4) You may now select the compiler to use on the command line using
the '-C' option. This option is available on the following
commands:
check
compile
export
load
reload
restart
start
try
safe-start
save-restart
Example:
shorewall try -C perl .
2007-06-12 New Host for www.shorewall.net and ftp.shorewall.net
I'm pleased to announce that Ty Christiansen and the folks at Master Mind
Productions (http://mastermindpro.com) have volunteered to host
www.shorewall.net and ftp.shorewall.net.
The new site is up and running and I've just changed DNS to point to the new
server. Let me know if you experience any problems.
Please join me in thanking Ty and Master Mind for their support of the
Shorewall project.
2007-04-30 Shorewall 3.4.3
Problems corrected in Shorewall 3.4.3
1) The shorecap program was not loading modules correctly.
2) The CHAIN variable is now set correctly before the 'maclog' script
is invoked.
3) The 'shorewall load' and 'shorewall reload' commands redundently
re-generated the capabilities file when it resided in the export
directory.
4) Setting LOGFILE to the value of a shell variable from the params
file now works.
5) The 'shorewall-lite restore' command can fail with a 'startup not
enabled' error.
6) When ROUTE_FILTER=Yes in shorewall.conf, Shorewall no longer clears
the rp_filter flag for all interfaces.
7) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears
the log_martians flag for all interfaces.
8) The 'shorewall add' and 'shorewall delete' commands no longer fail
with the message 'ERROR: Only one firewall zone may be defined'.
9) It was previously impossible to disable martian logging.
10) IP addresses (aliases) added by ADD_IP_ALIASES and ADD_SNAT_ALIASES
are now correctly deleted when Shorewall stops.
11) The 'shorewall add' and 'shorewall delete' commands no longer fail
with the error 'Only one firewall zone may be defined'.
12) The special 'detect' value now works correctly in the ADDRESSES
column of /etc/shorewall/masq.
Other changes in Shorewall 3.4.3
1) A LOCKFILE option has been added to shorewall.conf. This file is
used to serialize updates to the active firewall configuration.
If not specified, the defaults are:
Shorewall - /var/lib/shorewall/lock
Shorewall Lite - /var/lib/shorewall-lite/lock
2007-04-08 Shorewall 3.2.10
Problems Corrected in 3.2.10
1) Previously, if a 'start' or 'restart' command failed during the
compilation step, /sbin/shorewall erroneously returned an exit
status of zero.
2) If IMPLICIT_CONTINUE=Yes was in effect, then sub-zones received the
implicit CONTINUE policy for their intra-zone traffic (rather than
the implicit ACCEPT policy for such traffic). This could cause
intra-zone traffic to be rejected by rules in one of the parent
zones.
3) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. With this
change, shorewall will only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.
4) The /usr/share/shorewall[-lite]/modules file has been updated for
kernel 2.6.20.
5) The /proc/net/ip_conntrack pseudo-file has been inexplicably
renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
library has been updated to look for both files.
6) Tunnels of type 'ipsecnat' failed to work properly due to a missing
rule.
7) The 'shorecap' program was not loading modules correctly.
Problems corrected in Shorewall 3.4.2
1) The /usr/share/shorewall[-lite]/modules file has been updated for
kernel 2.6.20.
2) The /proc/net/ip_conntrack pseudo-file has been inexplicably
renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
library has been updated to look for both files.
3) Shoreall 3.4 was not consistent with respect to its treatment of
log level 'none' and 'none!' and built-in actions. In particular,
specifying 'none' with the Limit action produced a run-time error.
Shorewall now correctly suppresses generation of log messages when
a log level of 'none' or 'none!' is given to a built-in action.
4) Tunnels of type 'ipsecnat' would sometimes fail to work because of
a missing rule.
Problems Corrected in 3.4.1
1) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. There was a
partial fix included in 3.4.0; unfortunately, it did not correct the
problem completely. Shorewall 3.4.1 includes the rest of the change
necessarey to only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.
2) If the log-prefix in a log message exceeded 29 characters,
'shorewall restart' fails with 'truncate: command not found' and a
possible segmentation fault in iptables.
3) Log messages specifying a log tag had two spaces appended to the
log prefix. This could cause mysterious "log-prefix truncated"
messages.
4) When nested zones were defined in the /etc/shorewall/zones file and
IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
shell error messages ( usually '<zone>: not found' ) during
compilation resulted.
5) Use of CONTINUE policies lead to startup errors with a message
such as the following:
Applying Policies...
iptables v1.3.7: Couldn't load target
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
Failed
6) If there were hosts defined as 'critical' in
/etc/shorewall/routestopped then problems occured in two cases:
i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
clear' was issued.
ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
failed during execution of the compiled script and there was no saved
configuration ('shorewall[-lite] save' has not been issued).
The symptoms were that the following shell messages were issued and
the 'critical' hosts were not enabled:
/var/lib/shorewall/.start: line nnn: source_ip_range: command not found
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
Other changes in 3.4.1
1) Several changes are included which allow testing of experimental
versions of Shorewall on systems with 3.4.1 and later 3.4 releases
installed. Among these changes is the detection and reporting of
"Address Type Match" which may be used in future 3.4 releases.
These changes have no effect on normal Shorewall operation.
Shorewall 3.4.0
Release Highlights
1) Shorewall can now be tailored to reduce its footprint on embedded
systems. As part of this change, actions are now completely
optional.
See http://www.shorewall.net/Modularization.html for details.
2) Exclusion is now possible in /etc/shorewall/hosts. This is required
for bridge/firewalls under kernel 2.6.20 and later.
See http://www.shorewall.net/NewBridge.html.
3) Shorewall and Shorewall Lite now include man pages. There is a
man page for shorewall(8), one for shorewall-lite(8) and one for
each configuration file. As part of this change, all documentation
has been removed from Shorewall configuration files. This should
make it easier from users to upgrade from one release to the next
since the configuration files will only change when column is added
or renamed.
See http://www.shorewall.net/manpages/Manpages.html
4) Shorewall now remembers the changes that it has made to routing as
a result of entries in /etc/shorewall/providers and
/etc/shorewall/route_rules and reverses those changes when
appropriate.
Problems Corrected in 3.4.0 Final.
1) In the rules file, following the action with "!" is supposed to
exempt the rule from being suppressed by OPTIMIZE=1. That feature
was not working.
2) If both a macro body and a macro invocation contained an entry in the
SOURCE or DEST column, then compilation failed with the error:
merge_macro_source_dest: command not found
3) An obscure bug in rule activation having to do with the new
exclusion feature in /etc/shorewall/hosts has been corrected.
4) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. With this
change, shorewall will only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.
New Features in Shorewall 3.4:
1) In order to accomodate small embedded applications, Shorewall 3.4
is now modularized. In addition to the base files, there are
loadable "libraries" that may be included or omitted from an
embedded system as required.
Loadable Shorewall libraries reside in /usr/share/shorewall/ and
have names that begin with "lib.". The following libraries are
included in Shorewall 3.4:
- lib.accounting. Must be available if you include entries in
/etc/shorewall/accounting.
- lib.actions. Must be available if you do not specify
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.
- lib.base. The base Shorewall library required by all programs,
including compiled firewall scripts. This library is also
released as part of Shorewall Lite and is installed in
/usr/share/shorewall-lite/.
- lib.cli. Library containing the code common to /sbin/shorewall,
/sbin/shorewall-lite. This library is also released as part of
Shorewall Lite and is installed in /usr/share/shorewall-lite/.
- lib.config. Library containing the code that is common to
/usr/share/shorewall/compiler and /usr/share/shorewall/firewall.
- lib.dynamiczones. Must be available if you specify
DYNAMIC_ZONES=Yes in shorewall.conf.
- lib.maclist. Must be available if you specify the 'maclist'
option in /etc/shorewall/interfaces or /etc/shorewall/hosts.
- lib.nat. Must be available if you have entries in
/etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap
or if you use DNAT or REDIRECT rules.
- lib.providers. Must be available if you have entries in
/etc/shorewall/providers.
- lib.proxyarp. Must be available if you have entries in
/etc/shorewall/proxyarp or if you specify the 'proxyarp' option
in /etc/shorewall/interfaces.
- lib.tc. Must be available if you have entries in
/etc/shorewall/tcdevices and /etc/shorewall/tcclasses.
- lib.tcrules. Must be available if you have entries in
/etc/shorewall/tcrules.
- lib.tunnels. Must be available if you have entries in
/etc/shorewall/tunnels.
Embedded applications can further decrease the size of the Shorewall
footprint by:
- Omitting the macro files.
- Omitting all unused extension scripts.
See http://www.shorewall.net/Modularization.html for additional
details.
2) As hinted in the previous bullet, there is a new USE_ACTIONS option
in /etc/shorewall/shorewall.conf. Shorewall actions can be very
powerful but they also require a lot of code to implement. Embedded
applications can omit that code by setting
USE_ACTIONS=No. Shorewall will ignore all action-related files
including /usr/share/shorewall/actions.std and
/etc/shorewall/actions. Builtin actions will still be available for
use in rules and macros.
The 'Limit' action has been converted to a builtin so that Limit is
available even when USE_ACTIONS=No.
See the next item for more information.
3) Prior to Shorewall 3.4, default actions were specified in
/usr/share/shorewall/actions.std or in /etc/shorewall/actions.
This approach has two drawbacks:
a) All DROP policies must use the same default action and all
REJECT policies must use the same default action.
b) Now that we have modularized action processing (see the New
Features section below), we need a way to define default rules
for a policy that does not involve actions.
The solution is two-fold:
- Four new options have been added to the
/etc/shorewall/shorewall.conf file that allow specifying the
default action for DROP, REJECT, ACCEPT and QUEUE.
The options are DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and
QUEUE_DEFAULT.
DROP_DEFAULT describes the rules to be applied before a
connection request is dropped by a DROP policy; REJECT_DEFAULT
describes the rules to be applied if a connection request is
rejected by a REJECT policy. The other two are similar for
ACCEPT and QUEUE policies.
The value assigned to these may be:
a) The name of an action.
b) The name of a macro
c) 'None' or 'none'
The default values are:
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT=none
QUEUE_DEFAULT=none
If USE_ACTIONS=Yes, then these values refer to action.Drop and
action.Reject respectively. If USE_ACTIONS=No, then these values
refer to macro.Drop and macro.Reject.
If you set the value of either option to "None" then no default
action will be used and the default action or macro (if any)
must be specified in /etc/shorewall/policy
- The POLICY column in /etc/shorewall/policy has been extended.
In /etc/shorewall/policy, when the POLICY is DROP, REJECT,
ACCEPT or QUEUE then the policy may be followed by ":" and one
of the following:
a) The word "None" or "none". This causes any default
action defined in /etc/shorewall/shorewall.conf
to be omitted for this policy.
b) The name of an action (requires that USE_ACTIONS=Yes
in shorewall.conf). That action will be invoked
before the policy is enforced.
c) The name of a macro. The rules in that macro will
be applied before the policy is enforced. This
does not require USE_ACTIONS=Yes.<
br>
Example:
#SOURCE DEST POLICY LOG
# LEVEL
loc net ACCEPT
net all DROP:MyDrop info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT:MyReject info
4) For users whose kernel and iptables have Extended MARK Target
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.
Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:
#MARK SOURCE
|4 192.168.1.1
5) Previously, zone names were restricted to five characters in
length. That limit derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, that leaves 11 characters for the
chain name; given that many chain names are of the form
<zone1>2<zone2>, that gives a maximum zone name length of 5.
Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
6) Netfilter provides support for attachment of comments to Netfilter
rules. Comments can be up to 255 bytes in length and are visible
using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.
Beginning with Shorewall 3.4, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by succeding entries
in the file.
Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. Hence, by the time that COMMENT
is processed, the "#" and everything following it has been removed
(see example below).
To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.
If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:
COMMENT ignored -- requires comment support in iptables/Netfilter
Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
COMMENT # Stop comment from being attached to rules below
The output of "shorewall show loc2net" includes (folded):
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */
7) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.
8) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When the extension is invoked, the CHAIN
variable will contain the name of the chain where rules should be
inserted. Remember that if you have specified MACLIST_TABLE=mangle,
then your run_iptables commands should include "-t mangle".
9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.
10) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:
http://www.shorewall.net/configuration_file_basics.htm#Exclusion.
Example:
loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28
In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.
11) New "shorewall[-lite] show ip" and "shorewall[-lite] show routing"
commands have been added. The first produces the same output as "ip
addr ls". The second produces a report about your routing rules and
tables.
12) Beginning with this release, Shorewall and Shorewall Lite will
share common change logs and release notes.
13) In Shorewall versions prior to 3.4, multiple jumps to a '2all'
chain could be generated in succession.
Example from an earlier shorewall version:
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
Counters reset Thu Oct 19 08:34:47 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
gateway:~ #
This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
Counters reset Thu Oct 19 09:15:19 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
Note that with OPTIMIZE=1, traffic destined for an
interface/Address that falls outside of all defined zones may now
be logged out of a '2all' chain rather than out of the FORWARD
chain.
The OPTIMIZE setting also controls the suppression of redundant
wildcard rules (those specifying "all" in the SOURCE or DEST
column). A wildcard rule is considered to be redundant when it
has the same ACTION and Log Level as the applicable policy.
Example:
/etc/shorewall/policy
#SOURCE DEST POLICY LEVEL
loc net ACCEPT
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
...
ACCEPT all all icmp 8
OPTIMIZE=0
gateway:~ # shorewall show loc2net
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:55:03 PDT 2006
Counters reset Thu Oct 26 07:54:58 PDT 2006<
br>
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~
OPTIMIZE=1
gateway:~ # shorewall show loc2net
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
Counters reset Thu Oct 26 07:56:38 PDT 2006
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~
If you really want a rule that duplicates the policy, follow the
action with "!":
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
...
ACCEPT! all all icmp 8
14) IP Address ranges are now allowed in the drop, reject, allow and
logdrop shorewall[-lite] commands.
15) Previously, Shorewall has not attempted to undo the changes it has
made to the firewall's routing as a result of entries in
/etc/shorewall/providers and /etc/shorewall/routes. Beginning with
this release, Shorewall will attempt to undo these changes.
When Shorewall starts or is restarted and there are entries in
/etc/shorewall/providers, Shorewall will capture the contents
of /etc/shorewall/rt_tables and will restore that database when
Shorewall is stopped or restarted. Similarly, the default route
will be captured the first time that you [re]start Shorewall using
this version and will be restored under the following conditions:
a) shorewall stop
b) shorewall clear
c) shorewall restart or restore and there are no entries in
/etc/shorewall/providers.
Once the default route has been restored, Shorewall will delete
the saved copy so that it will once again be captured at the next
shorewall start or shorewall restore.
16) Shorewall no longer includes policy matches in its generated
ruleset when no IPSEC zones or IPSEC networks are defined (IPSEC
networks are defined using the 'ipsec' option in
/etc/shorewall/hosts).
17) The Makefile installed in /usr/share/shorewall/configfiles/ is now
the same one mentioned at
http://www.shorewall.net/CompiledPrograms.html.
Once the file is copied into an export directory, you modify the
setting of the HOST variable to match the name of the remote
firewall.
The default target is the "firewall" script so "make" compiles the
firewall script if any of the configuration files have
changed. "make install" builds "firewall" if necessary then
installs it on the remote firewall. "make capabilities" will
generate the "capabilities" file. "make save" will save the running
configuration on the remote firewall.
18) Shorewall and Shorewall Lite now include the following manpages.
shorewall-accounting(5)
shorewall-actions(5)
shorewall-blacklist(5)
shorewall.conf(5)
shorewall-ecn(5)
shorewall-exclusion(5)
shorewall-hosts(5)
shorewall-interfaces(5)
shorewall-lite.conf(5)
shorewall-lite(8)
shorewall-maclist(5)
shorewall-masq(5)
shorewall-nat(5)
shorewall-nesting(5)
shorewall-netmap(5)
shorewall-params(5)
shorewall-policy(5)
shorewall-providers(5)
shorewall-proxyarp(5)
shorewall-rfc1918(5)
shorewall-route_rules(5)
shorewall-routestopped(5)
shorewall-rules(5)
shorewall-tcclasses(5)
shorewall-tcdevices(5)
shorewall-tcrules(5)
shorewall-template(5)
shorewall-tos(5)
shorewall-tunnels(5)
shorewall(8)
shorewall-zones(5)
Now that the manpages are in place, command-specific help has been
removed since it duplicates information in the man pages.
19) From the beginning, the Shorewall configuration files in
/etc/shorewall/ have contained documentary comments. While these
comments are useful, they present an upgrade problem. Beginning
with this release, these comments are removed from the
configuration files themselves and are replaced by the manpages
described in the preceding release note entry.
20) Shorewall now uses tc fwmark filters to classify packets for
traffic shaping when the DEVICE isn't an interface described in
/etc/shorewall/interfaces. This is in preparation for the upcoming
change to the way that --physdev-out works in iptables/Netfilter;
that change is now scheduled for kernel 2.6.20.
21) If your kernel and iptables have extended multiport support, then
Shorewall will use that support for the destination port when
generating rules from entries in the /etc/shorewall/tcrules file.
22) The 'safe-start' and 'safe-restart' command have been
improved. Both now accept an optional directory name; if supplied,
Shorewall will look first in that directory for configuration
files.
The commands have also been enhanced to only restore the
configuration once in the event of a failure. Previously, if there
was a current 'save' command in effect, then that configuration
would be restored on a failure and then the last-running
configuration would be restored.
23) The 'try' command has been reimplemented with new semantics.
If Shorewall is started then the firewall state is saved to a
temporary saved configuration (/var/lib/shorewall/.try). Next, if
Shorewall is currently started then a restart command is issued;
otherwise, a start command is performed. if an error occurs during
the compliation phase of the restart or start, the command
terminates without changing the Shorewall state. If an error occurs
during the restart phase, then a 'shorewall restore' is performed
using the saved configuration. If an error occurs during the start
phase, then Shorewall is cleared. If the start/restart succeeds
and a timeout is specified then a 'clear' or 'restore' is performed
after timeout seconds.
24) The syntax of the 'export' command has been made slightly
friendlier.
The old syntax:
export <directory1> [user@]system:[<directory2>]
It is now:
export <directory1> [user@]system[:<directory2>]
In other words, if you don't need to specify <directory2>, you may
omit the colon (":") following the system name.
The old syntax is still accepted -- that is, you can still
type:
export firewall2:
which is equivalent to
export firewall2
25) Shorewall commands may be speeded up slightly by using a
'capabilities' file. The 'capabilities' file was originally
designed for use with Shorewall Lite and records the
iptables/Netfilter features available on the target system.
To generate a capabilities file, execute the following command as
root:
shorewall show -f capabilities > /etc/shorewall/capabil
ities
When you install a new kernel and/or iptables, be sure to generate
a new capabilities file.
26) When syslogd is run with the -C option (which in some
implementations causes syslogd to log to an in-memory circular
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.
27) There is now a ":T" qualifier in /etc/shorewall/tcrules which
causes the resulting rule to be inserted into the POSTROUTING
chain.
28) The program /usr/share/shorewall/wait4ifup can be used to wait for
a network device (such as a ppp device) to reach the UP state.
/usr/share/shorewall/wait4ifup <interface> [ <seconds> ]
The program will wait for up to <seconds> seconds for the
named <interface> to reach the UP state. If <seconds> is not given,
60 seconds is assumed.
The exit status is zero if <interface> comes up within <seconds>
seconds and non-zero otherwise.
29) Previously, 'ipsecnat' tunnels allowed AH traffic by default
(unless 'isecnat:noah' was given). Given that AH is incompatible
with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah'.
30) Shorewall now generates half as many rules as previously in the
'blacklst' chain when BLACKLIST_LOGLEVEL is specified.
31) Beginning with Shorewall 3.4.0, if EXPORTPARAMS=No in
shorewall.conf then Shorewall will not process
/etc/shorewall/params when the compiled script is run. With
EXPORTPARAMS=No, any shell variables needed at run-time must be set
in /etc/shorewall/init.
In a Shorewall/Shorewall Lite environment, this allows
/etc/shorewall/params to be written to run exclusively
on the administrative system while /etc/shorewall/init runs
exclusively on the firewall system.
So shell variables required at compile time may be set in
/etc/shorewall/params and those required at run-time may be set in
/etc/shorewall/init.
Note 1: If you need shell variables values in your
/etc/shorewall/stop or /etc/shorewall/stopped script, then you need
to set their values in /etc/shorewall/stop. /etc/shorewall/init is
not invoked during processing of the 'stop' and 'clear' commands.
Note 2: EXPORTPARAMS was actually introduced in Shorewall version
3.2.9. It is described here for the benefit of those who did not
install that version.