shorewall_code/Shorewall-common/releasenotes.txt
2007-09-21 16:55:28 +00:00

1438 lines
53 KiB
Plaintext

Shorewall 4.0 Patch release 4
WARNING: Suppport for the 'detectnets' option will be removed from
Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
----------------------------------------------------------------------------
R E L E A S E 4 . 0 H I G H L I G H T S
----------------------------------------------------------------------------
1) This is the first Shorewall release that fully integrates the new
Shorewall-perl compiler. See the "New Features" section below.
2) You are now offered a choice as to which compiler(s) you install. In
4.0.0, there are the following packages:
- Shorewall-common ( common files )
- Shorewall-shell ( the shell-based compiler )
- Shorewall-perl (the Perl-based compiler )
You must install at least one of the compiler packages (you may
install them both) along with Shorewall-common.
YOU DO NOT NEED TO UNINSTALL ANY OF YOUR CURRENT PACKAGES.
See the Migration Considerations below for further information.
3) The facilities for supporting bridge/firewalls under earlier
releases are deprecated and their documentation is omitted from the
4.0 distribution. New bridge support is implemented in the
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.
Problems Corrected in Shorewall 4.0.4
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command fail:
ERROR: No filter chain found with name blacklst
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
chainlist_reload: Not found
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
4) During start/restart, the script generated by Shorewall-perl is
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations with have incorrect logging.
8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.
With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.
9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.
12) In commands such as:
shorewall compile <directory>
shorewall restart <directory>
shorewall check <directory>
if the name of the <directory> contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.
13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.
Other Changes in Shorewall 4.0.4
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.
Example:
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.
2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.
3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:
WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians
The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).
Beginning with Shorewall 4.0.5, the warning message will read:
WARNING: Support for the 'detectnets' option has been removed
Migration Considerations:
1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
package. Rather there are two compiler packages (shorewall-shell
and shorewall-perl) and a set of base files (shorewall-common)
which are required by either compiler package.
Although the names of the packages are changing, you can upgrade
without having to uninstall/reinstall.
To repeat: YOU DO NOT NEED TO UNINSTALL ANY EXISTING PACKAGE.
If you attempt to upgrade using the shorewall-common RPM, you get
this result:
gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm
error: Failed dependencies:
shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch
gateway:~ #
You must either:
rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm
or
rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-perl-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm
If you don't want to use shorewall-perl exclusively then use the
second command above then
rpm -e shorewall-shell
If you are upgrading using the tarball, you must install
shorewall-shell and/or shorewall-perl before you upgrade
using shorewall-common. Otherwise, the install.sh script fails with:
ERROR: No Shorewall compiler is installed
The shorewall-shell and shorewall-perl packages are installed from
the tarball in the expected way; untar the package, and run the
install.sh script.
Example 1: You have 'shorewall' installed and you want to continue
to use the shorewall-shell compiler.
tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-shell-4.0.0.tar.bz2
cd shorewall-shell-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart
Example 2: You have shorewall 3.4.4 and shorewall-perl 4.0.0-Beta7
installed and you want to upgrade to 4.0. You do not need the
shell-based compiler.
tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-perl-4.0.0.tar.bz2
cd shorewall-perl-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart
Be sure to modify shorewall.conf if it still has
SHOREWALL_COMPILER=shell.
2) The ROUTE_FILTER and LOG_MARTIANS options in shorewall.conf work
slightly differently in Shorewall 4.0.0. In prior releases, leaving
these options empty was equivalent to setting them to 'No' which
caused the corresponding flag in /proc to be reset for all
interfaces. Beginning in Shorewall 4.0.0, leaving these options
empty causes Shorewall to leave the flags in /proc as they are. You
must set the option to 'No' in order to obtain the old behavior.
3) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
If you plan on continuing to use Shorewall-shell and you want to
use the "-f" option at boot time, then you must add the following
to /etc/sysconfig/shorewall or /etc/default/shorewall:
OPTIONS="-f"
If you currently have neither of those files, you will need to
create one of them.
4) This issue will only affect you if you use Shorewall Lite and have
modified /usr/share/configpath to specify a different LITEDIR.
The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).
To meet these objectives:
a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.
b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:
VARDIR=<directory>
Example:
VARDIR=/root/shorewall
To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].
To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
----------------------------------------------------------------------------
N E W F E A T U R E S
----------------------------------------------------------------------------
1) Shorewall-perl
This Shorewall package includes a complete rewrite of the compiler
in Perl.
I decided to make Shorewall-perl a separate package for several reasons:
a) Embedded applications are unlikely to adopt Shorewall-perl; even
Mini-Perl has a substantial disk and RAM footprint.
b) Because of the gross incompatibilities between the new compiler and the
old (see below), migration to the new compiler must be voluntary.
------------------------------------------------------------------------
T H E G O O D N E W S:
------------------------------------------------------------------------
a) The compiler has a small disk footprint.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.
d) The new compiler does a much better job of validating the
configuration and catches many errors that resulted in run-time
failures with the old compiler.
e) Use of the Shorewall-perl is optional! The old slow clunky
Bourne-shell compiler is still available.
------------------------------------------------------------------------
T H E B A D N E W S:
------------------------------------------------------------------------
There are a number of incompatibilities between the Perl-based compiler
and the Bourne-shell one.
a) The Perl-based compiler requires the following capability in your
kernel and iptables.
- multiport match
This capability is in current distributions.
b) Now that Netfilter has features to deal reasonably with port lists,
I see no reason to duplicate those features in Shorewall. The
Bourne-shell compiler goes to great pain (in some cases) to
break very long port lists ( > 15 where port ranges in lists
count as two ports) into individual rules. In the new compiler, I'm
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
have extended multiport support.
c) The old BRIDGING=Yes support has been replaced by new bridge
support that uses the reduced 'physdev match' capabilities found
in kernel 2.6.20 and later. This new implementation may be used
where it is desired to control traffic through a bridge.
The new implementation includes the following features:
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
'bport4' in the TYPE column of /etc/shorewall/zones.
Bridge Port zones should be a sub-zone of a regular ipv4 zone
that represents all hosts attached to the bridge.
b) A new 'bridge' option is defined for entries in
/etc/shorewall/interfaces. Bridges should have this option
specified, even if you don't want to filter traffic going
through the bridge.
c) Bridge ports must now be defined in
/etc/shorewall/interfaces. The INTERFACE column contains
both the bridge name and the port name separated by a colon
(e.g., "br0:eth1"). No OPTIONS are allowed for bridge
ports. The bridge must be defined before its ports and must
have the 'bridge' option.
Bridge Port (BP) zones have a number of limitations:
a) Each BP zone may only be associated with ports on a single
bridge.
b) BP zones may not be associated with interfaces that are not
bridge ports.
c) You may not have policies or rules where the DEST is a BP
zone but the source is not a BP zone. If you need such
rules, you must use the BP zone's parent zone as the DEST
zone.
Example (Bridge br0 with ports eth1 and tap0):
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/interfaces:
net eth0 - ...
loc br0 - ...
lan eth1
vpn tap0
When using the /etc/shorewall/hosts file to define a bport4
zone, you specify only the port name:
Example:
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/hosts
lan eth1:192.168.2.0/24 ...
The structure of the accounting rules changes slightly when
there are bridges defined in the Shorewall
configuration. Because of the restrictions imposed by Netfilter
in kernel 2.6.21 and later, output accounting rules must be
segregated from forwarding and input rules.
To accomplish this separation, Shorewall-perl creates two
accounting chains:
- accounting - for input and forwarded traffic.
- accountout - for output traffic.
If the CHAIN column contains '-', then:
- If the SOURCE column in a rule includes the name of the
firewall zone (e.g., $FW), then the rule is add only
to the accountout chain.
- Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
then the rule is added to both accounting and accountout.
- Otherwise, the rule is added to accounting only.
See http://www.shorewall.net/4.0/bridge-Shorewall-perl.html for
additional information about the new bridge support.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
receive a warning.
e) Because the compiler is written in Perl, some of your extension
scripts from earlier versions will no longer work because
Shorewall-perl runs those extension scripts at compile-time rather
than at run-time.
Compile-time scripts are:
initdone
maclog
All per-chain scripts including those associated with actions.
Compile-time extension scripts are executed using the Perl 'eval
`cat <file>`' mechanism. Be sure that each script returns a
'true' value; otherwise, the compiler will assume that the
script failed and will abort the compilation.
All scripts will need to begin with the following line:
use Shorewall::Chains;
For more complex scripts, you may need to 'use' other Shorewall
Perl modules -- browse /usr/share/shorewall-perl/Shorewall/ to
see what's available.
When a script is invoked, the $chainref scalar variable will hold a
reference to a chain table entry.
$chainref->{name} contains the name of the chain
$chainref->{table} holds the table name
To add a rule to the chain:
add_rule( $chainref, <the rule> );
Where
<the rule> is a scalar argument holding the rule text. Do
not include "-A <chain name>"
Example:
add_rule( $chainref, '-j ACCEPT' );
To insert a rule into the chain:
insert_rule( $chainref, <rulenum>, <the rule> );
The log_rule_limit function works like it does in the shell
compiler with two exceptions:
- You pass the chain reference rather than the name of
the chain.
- The commands are 'add' and 'insert' rather than '-A'
and '-I'.
- There is only a single "pass as-is to iptables"
argument (so you must quote that part).
Example:
log_rule_limit(
'info' ,
$chainref ,
$chainref->{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Pass as-is
);
Note that in the 'initdone' script, there is no default chain
($chainref). You can objtain a reference to a standard chain by:
my $chainref = $chain_table{<table>}{<chain name>};
Example:
my $chainref = $chain_table{'filter'}{'INPUT'};
The continue script is eliminated. That script was designed to
allow you to add special rules during [re]start. Shorewall-perl
doesn't need such rules.
See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.
f) The 'refresh' command now works like 'restart' with the
following exceptions:
- The refresh command is rejected if Shorewall is not running.
- The refresh command only rebuilds the 'blacklst' chain.
- A directory name may not be specified in the refresh command.
g) The /etc/shorewall/tos file now has zone-independent SOURCE and
DEST columns as do all other files except the rules and policy
files.
The SOURCE column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
$FW[:<address>[,...]]
The DEST column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. I've tried
to make the new syntax cover the most common cases without
requiring change to existing files. In particular, it will
handle the tos file released with Shorewall 1.4 and earlier.
h) Shorewall-perl insists that ipset names begin with a letter and
be composed of alphanumeric characters and underscores (_). When
used in a Shorewall configuration file, the name must be
preceded by a plus sign (+) as with the shell-based compiler.
Shorewall-perl is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter
ruleset is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using ipsets.
So:
i) Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
/etc/shorewall/start:
if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -F
ipset -X
ipset -R < /my/ipset/contents
fi
The file '/my/ipset/contents' (not its real name of
course) will normally be produced using the ipset -S
command.
The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below).
ii) Your ipsets may not be reloaded until Shorewall is stopped
or cleared.
iii) If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.
As a consequence, scripts generated by the Perl-based compiler
will ignore /etc/shorewall/ipsets and will issue a warning if
you set SAVE_IPSETS=Yes in shorewall.conf.
i) Because the configuration files (with the exception of
/etc/shorewall/params) are now processed by the Perl-based
compiler rather than by the shell, only the basic forms of Shell
expansion ($variable and ${variable}) are supported. The more
exotic forms such as ${variable:=default} are not
supported. Both variables defined in /etc/shorewall/params and
environmental variables (exported by the shell) can be used in
configuration files.
j) USE_ACTIONS=No is not supported. That option is intended to
minimize Shorewall's footprint in embedded applications. As a
consequence, Default Macros are not supported.
k) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of iptables-restore.
l) MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.
m) The pre Shorewall-3.0 format of the zones file is not supported;
neither is the /etc/shorewall/ipsec file.
n) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
combination doesn't work in previous versions of Shorewall so
the Perl-based compiler simply rejects it.
o) Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is
consistent between files.
With shorewall-shell, there is a special syntax in the SOURCE
column of /etc/shorewall/masq to designate "all traffic entering
the firewall on this interface except...".
Example:
#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...
Shorewall-perl uses syntax that is consistent with the rest of
Shorewall:
#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...
p) The 'allowoutUPnP' built-in action is no longer supported. The
Netfilter team have removed support for '-m owner --owner-cmd'
which that action depended on.
q) The treatment of the following interface options has changed under
Shorewall-perl.
- arp_filter
- routefilter
- logmartians
- proxy_arp
- sourceroute
With the Shorewall-shell compiler, Shorewall resets these options
on all interfaces then sets the option on those interfaces
for which the option is defined in /etc/shorewall/interfaces.
Under Shorewall-perl, these options can be specified with the value
0 or 1 (e.g., proxy_arp=0). If no value is specified, the value 1
is assumed. Shorewall will modify only the setting of those
interfaces for which the option is specified and will set the
option to the given value.
A fatal compilation error is also generated if you specify one of
these options with a wildcard interface (one ending with '+').
r) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in
Shorewall-perl.
Yes - Same as before
No - Same as before except that it applies regardless of
whether any interfaces have the logmartians/routefilter
option
Keep - Shorewall ignores the option entirely (which is the
default).
s) Shorewall-perl support nn 'optional' option has been added to
/etc/shorewall/interfaces. This option is recognized by
Shorewall-perl but not by Shorewall-shell. When 'optional' is
specified for an interface, Shorewall will be silent when:
- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be
modified (including for proxy ARP).
- The first address of the interface cannot be obtained.
I specify 'optional' on interfaces to Xen virtual machines that
may or may not be running when Shorewall is [re]started.
CAUTION: Use 'optional' at your own risk. If you [re]start
Shorewall when an 'optional' interface is not available and then
do a 'shorewall save', subsequent 'shorewall restore' and
'shorewall -f start' operations will instantiate a ruleset that
does not support that interface, even if it is available at the
time of the restore/start.
t) Shorewall-perl validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
u) Shorewall-perl checks configuration files for the presense of
characters that can cause problems if they are allowed into the
generated firewall script:
- Double Quotes. These are prohibited except in the
shorewall.conf and params files.
- Single Quotes. These are prohibited except in the
shorewall.conf and params files and in COMMENT lines.
- Single back quotes. These are prohibited except in the
shorewall.conf and params files.
- Backslash. Probibited except as the last character on a line
to denote line continuation.
v) Under Shorewall-perl, macros may invoke other macros with the
restriction that such macros may not be invoked within an action
body.
When marcros are invoked recursively, the parameter passed to an
invocation are automatically propagated to lower level macros.
Macro invocations may be nested to a maximum level of 5.
w) The PKTTYPE option is ignored by Shorewall-perl. Shorewall-perl
will use Address type match if it is available; otherwise, it
will behave as if PKTTYPE=No had been specified.
x) Shorewall-perl detects dead policy file entries that result
when an entry is masked by an earlier more general
entry. Example:
all all REJECT info
loc net ACCEPT
------------------------------------------------------------------------
P R E R E Q U I S I T E S
------------------------------------------------------------------------
- Perl (I use Perl 5.8.8 but other versions should work fine)
- Perl Cwd Module
- Perl File::Basename Module
- Perl File::Temp Module
- Perl Getopt::Long Module
- Perl FindBin Module
------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
------------------------------------------------------------------------
If you only install one compiler, then that compiler will be used.
If you install both compilers, then the compiler actually used depends
on the SHOREWALL_COMPILER setting in shorewall.conf.
The value of this new option can be either 'perl' or 'shell'.
If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf
then by default, the new compiler will be used on the system. If you
add it to shorewall.conf in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be
used when you compile from that directory.
If you only install one compiler, it is suggested that you do not set
SHOREWALL_COMPILER.
You can also select the compiler to use on the command line using the
'C option:
'-C shell' means use the shell compiler
'-C perl' means use the perl compiler
The -C option overrides the setting in shorewall.conf.
Example:
shorewall restart -C perl
2) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to
read the comments in the macro file before trying to use this
macro.
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
4) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK and CONNMARK value (CONNMARK is
only accepted under Shorewall Perl).
5) SOURCE and DEST are now reserved zone names to avoid problems with
bi-directional macro definitions which use these as names as key
words.
6) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
Example:
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
7) The 'shorewall version' command now lists the version of the
installed compiler(s) if the -a option is used:
gateway:/bulk/backup # shorewall version -a
4.0.0-Beta1
Shorewall-shell 4.0.0-Beta1
Shorewall-perl 4.0.0-Beta1
gateway:/bulk/backup #
8) The Perl compiler is externalized. Both the compiler.pl program
and the Perl Module interface are documented.
The compiler program is /usr/share/shorewall-perl/compiler.pl:
compiler.pl [ <option> ... ] [ <filename> ]
If a <filename> is given, then the configuration will be compiled
output placed in the named file. If <filename> is not given, then
the configuration will simply be syntax checked.
Options are:
-v <verbosity>
--verbosity=<verbosity>
The <verbosity> is a number between 0 and 2 and corresponds to
the VERBOSITY setting in shorewall.conf. This setting controls
the verbosity of the compiler itself.
-e
--export
If given, the configuration will be compiled for export to
another system.
-d <directory>
--directory=<directory>
If this option is omitted, the configuration in /etc/shorewall
is compiled/checked. Otherwise, the configuration in the named
directory will be compiled/checked.
-t
--timestamp
If given, each progress message issued by the compiler and by
the compiled program will be timestamped.
--debug
If given, when a warning or error message is issued, it is
supplimented with a stack trace. Requires the Carp Perl
module.
--refresh=<chainlist>
If given, the compiled script's 'refresh' command will refresh
the chains in the comma-separated <chainlist> rather than
'blacklst'.
Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
Note: For compatibility with the Shorewall 3.4.2 and 3.4.3
releases, options not passed on the run-line get their values from
environmental variables:
Option Variable
--verbosity VERBOSE
--export EXPORT
--directory SHOREWALL_DIR
--timestamp TIMESTAMP
The Perl Module is externalized as follows:
use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;
compiler $filename, $directory, $verbose, $options $chains
The arguments to the compiler function are as follows:
$filename - Name of the compiled script to be created.
If the arguments evaluates to false, the
configuration is syntax checked
$directory - The directory containing the configuration.
If passed as '', then /etc/shorewall/ is assumed.
$verbose - The verbosity level (0-2).
$options - A bitmap of options. Shorewall::Compiler
exports two constants to help building this
argument:
EXPORT = 0x01
TIMESTAMP = 0x02
$chains - A comma-separated list of chains that the
generated script's 'refresh' command will
reload.
The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.
The compiler function can be called repeatedly with different
inputs.
9) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
10) During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.
To re-generate the module from those two files:
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm
Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.
Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
11) Tuomo Soini has contributed bi-directional macros for various
tunnel types:
IPsecah
GRE
IPsec
IPIP
IPsecnat
L2TP
12) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
13) The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).
To meet these objectives:
a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.
b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:
VARDIR=<directory>
Example:
VARDIR=/root/shorewall
To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].
To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
Problems corrected in 4.0.1.
1) The Shorewall Lite installer was producing an empty shorewall-lite
manpage. Since the installer runs as part of creating the RPM, the
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
packages were re-uploaded with this problem corrected.
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
rather than /sbin/shorewall-lite.
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
uninstaller correctly does "shorewall-lite clear" and both
uninstallers only perform the 'clear' operation if the other
product is not installed. This prevents the removal of one of the
two products from clearing the firewall configuration established
by the other one.
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
Shorewall-perl. If the zone type was changed to 'ipsec' or
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
the configuration worked properly.
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
Shorewall-perl produced the following:
Compiling...
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
locating the binary using the PATH environmental variable rather
than the PATH setting in shorewall.conf. If no PATH was available
when Shorewall-perl was run and IPTABLES was not set in
shorewall.conf, the following messages were issued:
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
ERROR: Can't find iptables executable
ERROR: Shorewall restart failed
7) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables commands
to be generated. This problem occurred with both compilers.
8) Shorewall now starts at reboot after an upgrade from shorewall <
4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPM.
9) Shorewall-perl was generating invalid iptables-restore input when a
log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
builtin actions.
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
time in rate-limiting specifications.
11) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.
Other changes in Shorewall 4.0.1.
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is
#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
2) The Shorewall-perl dependency on the "Address Type Match"
capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that don't support that capability.
3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:
all all REJECT info
loc net ACCEPT
4) Recent kernels are apparently hard to configure and we have been
seeing a lot of problem reports where the root cause is the lack of
state match support in the kernel. This problem is difficult to
diagnose when using Shorewall-perl so the generated shell program
now checks specifically for this problem and terminates with an
error if the capability doesn't exist.
Problems corrected in 4.0.2
1) The Shorewall-perl compiler was still generating invalid
iptables-restore input from entries in /etc/shorewall/ecn.
2) When using Shorewall-perl, unless an interface was specified as
'optional' in the interfaces file, the 'restore' command would
fail if the routes through the interface or the addresses on the
interface could not be detected.
Route detection occurs when the interface is named in the SOURCE
column of the masq file. Address detection occurs when
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
or REDIRECT rule or when 'maclist' is specified for the interface.
Since the 'restore' command doesn't use the detected information,
detection is now skipped if the command is 'restore'.
3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.
4) When Shorewall-shell was not installed, certain options in
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
'add' and 'delete' commands to fail with a missing library error.
OPTION FILE
maclist interfaces,hosts
proxyarp interfaces
5) The /var/lib/shorewall/zones file was being overwritten during
processing of the 'refresh' command by a script generated with
Shorewall-perl. The result was that hosts previously added to
dynamic zones could not be deleted after the 'refresh'.
6) If the file named as the output file in a Shorewall-perl 'compile'
command was a symbolic link, the generated error message
erroneously stated that the file's parent directory was a symbolic
link.
As part of this change, cosmetic changes were made to a number of
other error messages.
7) Some intra-zone rules were missing when a zone involved multiple
interfaces or when a zone included both IPSEC and non-IPSEC
networks.
8) Shorewall was not previously loading the xt_multiport kernel
module.
9) The Russian and French translations no longer have English headings
on notes, cautions, etc..
10) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file could cause an invalid iptables
command to be generated by Shorewall-shell.
11) If there were no bridges in a configuration, Shorewall-perl would
ignore the CHAIN column in /etc/shorewall/accounting.
Other changes in 4.0.2
1) Shorewall-perl now detects when a port range is included in a list
of ports and iptables/kernel support for Extended Multi-port Match
is not available. This avoids an iptables-restore failure at
run-time.
2) Most chains created by Shorewall-shell have names that can be
embedded within shell variable names. This is a workaround for
limitations in the shell programming language which has no
equivalent to Perl hashes. Often chain names must have the name of
a network interface encoded in them. Given that interface names can
contain characters that are invalid in a shell variable name,
Shorewall-shell performs a name mapping which was carried forward to
Shorewall-perl:
- Trailing '+' is dropped.
- The characters ".", "-", "%' and "@" are translated to "_".
This mapping has been elminated in the 4.0.2 release of Shorewall-
perl. So where before you would see chain "eth0_0_in", you may now
see the same chain named "eth0.0_in". Similarly, a chain previously
named "ppp_fwd" may now be called "ppp+_fwd".
3) Shorewall-perl now uses the contents of the BROADCAST column in
/etc/shorewall/interfaces when the Address Type match capability is
not available.
Problems Corrected in 4.0.3
1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.
2) Shorewall now loads the act_police kernel module needed by traffic
shaping.
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
5) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1->Z2 rules
then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
6) The 'shorewall add' and 'shorewall delete' command would fail when:
- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.
This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.
7) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.
8) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.
Other Changes in 4.0.3
1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.
2) Shorewall-perl now requires the FindBin Perl module.
3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.
4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.
Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:
case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
return
;;
*)
# Assume we don't need to do any additional testing
# for this interface beyond Shorewall's
return 0
;;
esac
Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.
5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.
Example: shorewall stop -f
7) An 'mss' option has been added to the interfaces file. This option
is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.
Example:
#ZONE INTERFACE BROADCAST OPTIONS
vpn ppp0 - mss=1400
The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.
8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:
use Shorewall::Config;
require_capability( 'HASHLIMIT_MATCH', #Capability
'My hashlimit action' , #Feature requiring
#capability
's' ); #Feature is singular
#(if plural, pass the
empty string)
That call would procduce the following fatal error if the
capability isn't available:
ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables
9) NFQUEUE support has been added to Shorewall-perl.
NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.
Examples (/etc/shorewall/rules):
NFQUEUE loc net tcp #Queue number 0
NFQUEUE/22 loc net udp #Queue number 22
NFQUEUE/22:info loc net gre #With logging
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.
Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier that 4.0.3, you will receive a warning during
compilation.
10) The 'refresh' command can now refresh chains other than 'blacklst'.
The syntax of the command is now:
shorewall refresh [ <chain> ... ]
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed <chain>(s).
The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.