Shorewall 2.0.3

----------------------------------------------------------------------
Problems Corrected since 2.0.2

1) The 'firewall' script is not purging temporary restore files in
   /var/lib/shorewall. These files have names of the form
   "restore-nnnnn".

2) The /var/lib/shorewall/restore script did not load the kernel
   modules specified in /etc/shorewall/modules.

3) Specifying a null common action in /etc/shorewall/actions (e.g.,
   :REJECT) results in a startup error.

4) If /var/lib/shorewall does not exist, shorewall start fails.

5) DNAT rules with a dynamic source zone don't work properly. When
   used, these rules cause the rule to be checked against ALL input,
   not just input from the designated zone.

6) The install.sh script reported installing some files in
   /etc/shorewall when the files were actually installed in
   /usr/share/shorewall.

7) Shorewall checks netfilter capabilities before loading kernel
   modules. Hence if kernel module autoloading isn't enabled, the
   capabilities will be misdetected.

8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.

9) The file /etc/init.d/shorewall now gets proper ownership when the
   RPM is built by a non-root user.

10) Rules that specify bridge ports in both the SOURCE and DEST
    columns no longer cause "shorewall start" to fail.

11) Comments in the rules file have been added to advise users that
    "all" in the SOURCE or DEST column does not affect intra-zone
    traffic.

12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
    passed through the blacklisting chains. Without this change, it is
    not possible to blacklist hosts that are mounting certain types of
    ICMP-based DOS attacks.

Problems Corrected since 2.0.3

1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
   error and Shorewall fails to start.

2) A potential security vulnerability in the way that Shorewall
   handles temporary files and directories has been corrected.

-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

1) The 'dropNonSyn' standard builtin action has been replaced with the
   'dropNotSyn' standard builtin action. The old name can still be used
   but will generate a warning.

-----------------------------------------------------------------------
New Features:

1) Shorewall now supports multiple saved configurations.

   a) The default saved configuration (restore script) in
      /var/lib/shorewall is now specified using the RESTOREFILE option
      in shorewall.conf. If this variable isn't set then, to maintain
      backward compatibility, 'restore' is assumed.

      The value of RESTOREFILE must be a simple file name; no slashes
      ("/") may be included.

   b) The "save" command has been extended to be able to specify the
      name of a saved configuration:

         shorewall save [ <file name> ]

      The current state is saved to /var/lib/shorewall/<file name>. If
      no <file name> is given, the configuration is saved to
      the file determined by the RESTOREFILE setting.

   c) The "restore" command has been extended to be able to specify
      the name of a saved configuration:

         shorewall restore [ <file name> ]

      The firewall state is restored from /var/lib/shorewall/<file
      name>. If no <file name> is given, the firewall state is
      restored from the file determined by the RESTOREFILE setting.

   d) The "forget" command has changed. Previously, the command
      unconditionally removed the /var/lib/shorewall/save file which
      records the current dynamic blacklist. The "forget" command now
      leaves that file alone.

      Also, the "forget" command has been extended to be able to
      specify the name of a saved configuration:

         shorewall forget [ <file name> ]

      The file /var/lib/shorewall/<file name> is removed. If no <file
      name> is given, the file determined by the RESTOREFILE setting
      is removed.

   e) The "shorewall -f start" command restores the state from the
      file determined by the RESTOREFILE setting.
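   The following is an added example, not Shorewall's own code: a pair of
   shell helpers that enforce the saved-configuration naming rules above
   (fallback to RESTOREFILE, then to 'restore'; no "/" allowed) and write
   the saved file through a private mktemp file so that no partially
   written or predictably named restore script is ever exposed. STATEDIR,
   resolve_restore_file and save_restore_file are assumed names, and the
   mktemp-plus-rename approach is an assumed hardening, not the change
   Shorewall actually made for the temporary-file problem listed above.

```shell
#!/bin/sh
# Added example (not Shorewall's own code). STATEDIR stands in for
# /var/lib/shorewall so the helpers can be exercised on a scratch directory.

# Map an optional <file name> to its path under $STATEDIR using the rules
# from the release notes: no name means RESTOREFILE, an unset RESTOREFILE
# means 'restore', and the result must be a simple file name with no "/"
# in it, so the name can never escape the state directory.
resolve_restore_file() {
    name=${1:-${RESTOREFILE:-restore}}
    case "$name" in
        ''|*/*|.|..)
            echo "ERROR: saved configuration name must be a simple file name: '$name'" >&2
            return 1 ;;
    esac
    printf '%s/%s\n' "${STATEDIR:-/var/lib/shorewall}" "$name"
}

# Write a saved configuration (read from stdin) atomically: build it in a
# private file that mktemp creates with mode 0600 and an unpredictable name,
# then rename it over the target. This is an assumed hardening: a partially
# written restore script is never visible under its final name, and a
# failed save leaves no stray file behind in the state directory.
save_restore_file() {
    target=$(resolve_restore_file "$1") || return 1
    dir=${target%/*}
    tmp=$(mktemp "$dir/restore-XXXXXX") || return 1
    if cat > "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```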

2) "!" is now allowed in accounting rules.

3) Interface names appearing within the configuration are now
   verified. Interface names must match the name of an entry in
   /etc/shorewall/interfaces (or if bridging is enabled, they must
   match the name of an entry in /etc/shorewall/interfaces or the name
   of a bridge port appearing in /etc/shorewall/hosts).

4) A new 'rejNotSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.

   The 'dropNonSyn' action has been superseded by the new 'dropNotSyn'
   action. The old name will be accepted until the next major release
   of Shorewall but will generate a warning.

   Several new logging actions involving "New not SYN" packets have
   been added:

      logNewNotSyn  -- logs the packet with disposition = LOG
      dLogNewNotSyn -- logs the packet with disposition = DROP
      rLogNewNotSyn -- logs the packet with disposition = REJECT

   The packets are logged at the log level specified in the
   LOGNEWNOTSYN option in shorewall.conf. If that option is empty or
   not specified, then 'info' is assumed.

   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):

   A: To simulate the behavior of NEWNOTSYN=No:

      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
      b) Create /etc/shorewall/action.NoNewNotSyn containing:

            dLogNotSyn
            dropNotSyn

      c) Early in your rules file, place:

            NoNewNotSyn all all tcp

   B: Drop 'New not SYN' packets from the net only. Don't log them.

      a) Early in your rules file, place:

            dropNotSyn net all tcp

5) Slackware users no longer have to modify the install.sh script
   before installation. Tuomo Soini has provided a change that allows
   the INIT and FIREWALL variables to be specified outside the script
   as in:

      DEST=/etc/rc.d INIT=rc.firewall ./install.sh