2003-07-04 17:08:29 +02:00
|
|
|
This is a minor release of Shorewall.
|
2002-05-01 01:13:15 +02:00
|
|
|
|
2003-07-26 18:44:38 +02:00
|
|
|
Problems Corrected since version 1.4.6:
|
|
|
|
|
|
|
|
|
|
1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
|
|
|
|
|
being tested before it was set.
|
|
|
|
|
|
|
|
|
|
2) Corrected handling of MAC addresses in the SOURCE column of the
|
|
|
|
|
tcrules file. Previously, these addresses resulted in an invalid
|
|
|
|
|
iptables command.
|
2002-12-31 02:10:28 +01:00
|
|
|
|
2003-08-05 17:05:45 +02:00
|
|
|
3) The "shorewall stop" command is now disabled when
|
|
|
|
|
/etc/shorewall/startup_disabled exists. This prevents people from
|
|
|
|
|
shooting themselves in the foot prior to having configured
|
|
|
|
|
Shorewall.
|
|
|
|
|
|
|
|
|
|
4) A change introduced in version 1.4.6 caused error messages during
|
|
|
|
|
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
|
|
|
|
being added to a PPP interface; the addresses were successfully
|
|
|
|
|
added in spite of the messages.
|
|
|
|
|
|
|
|
|
|
The firewall script has been modified to eliminate the error
|
|
|
|
|
messages.
|
|
|
|
|
|
2003-08-12 00:25:45 +02:00
|
|
|
5) Interface-specific dynamic blacklisting chains are now displayed by
|
|
|
|
|
"shorewall monitor" on the "Dynamic Chains" page (previously named
|
|
|
|
|
"Dynamic Chain").
|
|
|
|
|
|
2003-08-23 20:14:59 +02:00
|
|
|
6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
|
|
|
|
|
|
2003-07-06 17:31:26 +02:00
|
|
|
Migration Issues:
|
|
|
|
|
|
2003-07-22 00:02:34 +02:00
|
|
|
1) Once you have installed this version of Shorewall, you must
|
|
|
|
|
restart Shorewall before you may use the 'drop', 'reject', 'allow'
|
2003-07-26 18:44:38 +02:00
|
|
|
or 'save' commands.
|
|
|
|
|
|
|
|
|
|
2) To maintain strict compatibility with previous versions, current
|
|
|
|
|
uses of "shorewall drop" and "shorewall reject" should be replaced
|
2003-08-23 20:14:59 +02:00
|
|
|
with "shorewall dropall" and "shorewall rejectall".
|
|
|
|
|
|
|
|
|
|
3) IP Traffic Accounting is changed from Snapshot 20030813.
|
2003-07-06 17:31:26 +02:00
|
|
|
|
2003-08-24 00:00:27 +02:00
|
|
|
4) The Uset Set capability introduced in SnapShot 20030821 has
|
|
|
|
|
changed -- see the User Set page for details.
|
|
|
|
|
|
2003-05-31 17:29:14 +02:00
|
|
|
New Features:
|
2003-05-22 22:37:24 +02:00
|
|
|
|
2003-07-22 00:02:34 +02:00
|
|
|
1) Shorewall now creates a dynamic blacklisting chain for each interface
|
|
|
|
|
defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
|
|
|
|
|
commands use the routing table to determine which of these chains is
|
|
|
|
|
to be used for blacklisting the specified IP address(es).
|
2003-07-26 18:44:38 +02:00
|
|
|
|
|
|
|
|
Two new commands ('dropall' and 'rejectall') have been introduced
|
|
|
|
|
that do what 'drop' and 'reject' used to do; namely, when an address
|
|
|
|
|
is blacklisted using these new commands, it will be blacklisted on
|
|
|
|
|
all of your firewall's interfaces.
|
2003-07-28 19:32:41 +02:00
|
|
|
|
2003-07-27 20:17:39 +02:00
|
|
|
2) Thanks to Steve Herber, the help command can now give
|
|
|
|
|
command-specific help.
|
2003-07-28 19:32:41 +02:00
|
|
|
|
2003-08-05 17:05:45 +02:00
|
|
|
3) A new option "ADMINISABSENTMINDED" has been added to
|
2003-07-30 01:04:04 +02:00
|
|
|
/etc/shorewall/shorewall.conf. This option has a default value of
|
2003-08-05 17:05:45 +02:00
|
|
|
"No" for existing Shorewall users who are upgrading to this release.
|
|
|
|
|
With this setting, Shorewall's 'stopped' state continues as it has
|
2003-07-30 01:04:04 +02:00
|
|
|
been; namely, in the stopped state only traffic to/from hosts listed
|
|
|
|
|
in /etc/shorewall/routestopped is accepted.
|
|
|
|
|
|
2003-08-05 17:05:45 +02:00
|
|
|
The default for new users installing Shorewall for the first time is
|
|
|
|
|
ADMINISABSENTMINDED=Yes.With that setting, in addition to traffic
|
|
|
|
|
to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
|
|
|
|
|
will allow:
|
2003-07-30 01:04:04 +02:00
|
|
|
|
2003-08-05 17:05:45 +02:00
|
|
|
a) All traffic originating from the firewall itself; and
|
|
|
|
|
b) All traffic that is part of or related to an already-existing
|
|
|
|
|
connection.
|
2003-07-30 01:04:04 +02:00
|
|
|
|
|
|
|
|
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
|
|
|
|
entered through an ssh session will not kill the session.
|
|
|
|
|
|
|
|
|
|
Note though that it is still possible for people to shoot themselves
|
|
|
|
|
in the foot.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/nat:
|
|
|
|
|
|
|
|
|
|
206.124.146.178 eth0:0 192.168.1.5
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
|
|
|
|
|
|
ACCEPT net loc:192.168.1.5 tcp 22
|
|
|
|
|
ACCEPT loc fw tcp 22
|
|
|
|
|
|
|
|
|
|
I ssh into 206.124.146.178 which establishes an SSH connection with
|
|
|
|
|
192.168.1.5. I then create a second SSH connection from that
|
|
|
|
|
computer to the firewall and confidently type "shorewall
|
|
|
|
|
stop". As part of stopping, Shorewall removes eth0:0 which kills my
|
|
|
|
|
SSH connection to 192.168.1.5!!!
|
|
|
|
|
|
2003-08-06 02:06:44 +02:00
|
|
|
4) Given the wide range of VPN software, I can never hope to add
|
|
|
|
|
specific support for all of it. I have therefore decided to add
|
|
|
|
|
"generic" tunnel support.
|
|
|
|
|
|
|
|
|
|
Generic tunnels work pretty much like any of the other tunnel
|
|
|
|
|
types. You usually add a zone to represent the systems at the other
|
|
|
|
|
end of the tunnel and you add the appropriate rules/policies to
|
|
|
|
|
implement your security policy regarding traffic to/from those
|
|
|
|
|
systems.
|
|
|
|
|
|
|
|
|
|
In the /etc/shorewall/tunnels file, you can have entries of the
|
|
|
|
|
form:
|
|
|
|
|
|
|
|
|
|
# TYPE ZONE GATEWAY GATEWAY ZONE
|
2003-08-07 01:50:33 +02:00
|
|
|
generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
|
2003-08-06 02:06:44 +02:00
|
|
|
|
|
|
|
|
where:
|
|
|
|
|
|
|
|
|
|
<protocol> is the protocol used by the tunnel
|
|
|
|
|
<port> if the protocol is 'udp' or 'tcp' then this
|
|
|
|
|
is the destination port number used by the
|
|
|
|
|
tunnel.
|
|
|
|
|
<zone> is the zone of the remote tunnel gateway
|
|
|
|
|
<ip address> is the IP address of the remote tunnel
|
|
|
|
|
gateway.
|
2003-08-07 01:50:33 +02:00
|
|
|
<gateway zone> Optional. A comma-separated list of zone names.
|
|
|
|
|
If specified, the remote gateway is to be
|
|
|
|
|
considered part of these zones.
|
2003-08-06 02:06:44 +02:00
|
|
|
|
2003-08-08 22:55:06 +02:00
|
|
|
5) An 'arp_filter' option has been added to the
|
|
|
|
|
/etc/shorewall/interfaces file. This option causes
|
|
|
|
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
|
|
|
|
result that this interface will only answer ARP 'who-has' requests
|
|
|
|
|
from hosts that are routed out of that interface. Setting this
|
|
|
|
|
option facilitates testing of your firewall where multiple firewall
|
|
|
|
|
interfaces are connected to the same HUB/Switch (all interfaces
|
|
|
|
|
connected to the single HUB/Switch should have this option
|
|
|
|
|
specified). Note that using such a configuration in a production
|
|
|
|
|
environment is strongly recommended against.
|
2003-08-06 02:06:44 +02:00
|
|
|
|
2003-08-10 03:11:50 +02:00
|
|
|
6) The ADDRESS column in /etc/shorewall/masq may now include a
|
|
|
|
|
comma-separated list of addresses and/or address ranges. Netfilter
|
|
|
|
|
will use all listed addresses/ranges in round-robin fashion.
|
|
|
|
|
|
|
|
|
|
7) An /etc/shorewall/accounting file has been added to allow for
|
2003-08-23 20:14:59 +02:00
|
|
|
traffic accounting..
|
|
|
|
|
|
|
|
|
|
The accounting rules are placed in a chain called "accounting" and
|
|
|
|
|
can thus be displayed using "shorewall show accounting".
|
|
|
|
|
|
|
|
|
|
The file has the following columns:
|
|
|
|
|
|
|
|
|
|
ACTION - What to do when a match is found. Possible
|
|
|
|
|
values are:
|
|
|
|
|
|
|
|
|
|
COUNT - Simply count the match and continue
|
|
|
|
|
trying to match the packet with the
|
|
|
|
|
following accounting rules.
|
|
|
|
|
|
|
|
|
|
DONE - Count the match and don't attempt to
|
|
|
|
|
match any following accounting rules.
|
|
|
|
|
|
|
|
|
|
<chain> - The name of a chain to jump to.
|
|
|
|
|
Shorewall will create the chain
|
|
|
|
|
automatically. If the name of the
|
|
|
|
|
chain is followed by ":COUNT" then
|
|
|
|
|
a COUNT rule matching this rule
|
|
|
|
|
will automatically be added to
|
|
|
|
|
<chain>
|
|
|
|
|
|
|
|
|
|
CHAIN - The name of the chain where the accounting
|
|
|
|
|
rule is to be added. If empty or "-" then
|
|
|
|
|
the "accounting" chain is assumed.
|
2003-08-10 18:01:21 +02:00
|
|
|
|
|
|
|
|
SOURCE - Packet Source
|
|
|
|
|
|
|
|
|
|
The name of an interface, an address (host or
|
|
|
|
|
net) or an interface name followed by ":"
|
|
|
|
|
and a host or net address.
|
|
|
|
|
|
|
|
|
|
DESTINATION - Packet Destination
|
|
|
|
|
|
|
|
|
|
Format the same as the SOURCE column.
|
|
|
|
|
|
|
|
|
|
PROTOCOL A protocol name (from /etc/protocols), a
|
|
|
|
|
protocol number.
|
|
|
|
|
|
|
|
|
|
DEST PORT Destination Port number
|
|
|
|
|
|
|
|
|
|
Service name from /etc/services or port
|
|
|
|
|
number. May only be specified if the protocol
|
|
|
|
|
is TCP or UDP (6 or 17).
|
|
|
|
|
|
|
|
|
|
SOURCE PORT Source Port number
|
|
|
|
|
|
|
|
|
|
Service name from /etc/services or port
|
|
|
|
|
number. May only be specified if the protocol
|
|
|
|
|
is TCP or UDP (6 or 17).
|
|
|
|
|
|
2003-08-23 20:14:59 +02:00
|
|
|
In all columns except ACTION and CHAIN, the values "-","any" and
|
|
|
|
|
"all" are treated as wild-cards.
|
2003-08-10 18:01:21 +02:00
|
|
|
|
|
|
|
|
The accounting rules are evaluated in the Netfilter 'filter'
|
|
|
|
|
table. This is the same environment where the 'rules' file rules are
|
|
|
|
|
evaluated and in this environment, DNAT has already occurred in
|
|
|
|
|
inbound packets and SNAT has not yet occurred on outbound ones.
|
|
|
|
|
|
|
|
|
|
The accounting rules are placed in a chain called "accounting" and
|
2003-08-23 20:14:59 +02:00
|
|
|
can thus be displayed using "shorewall show accounting".
|
|
|
|
|
|
|
|
|
|
See http://shorewall.net/Accounting.html for examples.
|
2003-08-12 00:53:01 +02:00
|
|
|
|
2003-08-13 02:19:24 +02:00
|
|
|
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
|
2003-08-13 20:48:28 +02:00
|
|
|
|
|
|
|
|
9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
|
|
|
|
/etc/shorewall/rules may now be rate-limited. For DNAT and
|
|
|
|
|
REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
|
|
|
|
|
corresponding ACCEPT rule in the filter table is not rate
|
|
|
|
|
limited. If you want to limit the filter table rule, you will need
|
|
|
|
|
to create two rules; a DNAT- rule and an ACCEPT rule which can be
|
|
|
|
|
rate-limited separately.
|
|
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
To specify a rate limit, you can follow one of two approaches:
|
2003-08-13 20:48:28 +02:00
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
|
2003-08-13 20:48:28 +02:00
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
< <rate>/<interval>[:<burst>] >
|
2003-08-13 20:48:28 +02:00
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
where
|
2003-08-13 20:48:28 +02:00
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
<rate> is the sustained rate per <interval>
|
|
|
|
|
<interval> is "sec" or "min"
|
|
|
|
|
<burst> is the largest burst accepted within an
|
|
|
|
|
<interval>. If not given, the default of 5 is
|
|
|
|
|
assumed.
|
2003-08-13 20:48:28 +02:00
|
|
|
|
2003-08-15 17:54:13 +02:00
|
|
|
There may be no white space between the ACTION and "<" nor there
|
|
|
|
|
may be any white space within the burst specification. If you want
|
|
|
|
|
to specify logging of a rate-limited rule, the ":" and log level
|
|
|
|
|
comes after the ">" (e.g., ACCEPT<2/sec:4>:info ).
|
|
|
|
|
|
|
|
|
|
b) There is a new RATE LIMIT column at the far right of the
|
|
|
|
|
file (beyond column 80). You may place the rate limit there in
|
|
|
|
|
the format:
|
|
|
|
|
|
|
|
|
|
<rate>/<interval>[:<burst>]
|
|
|
|
|
|
|
|
|
|
where <rate>, <interval> and <burst> are as above.
|
|
|
|
|
|
2003-08-23 20:14:59 +02:00
|
|
|
You may not place a rate limit in both the ACTION and RATE LIMIT
|
|
|
|
|
columns.
|
|
|
|
|
|
2003-08-13 20:48:28 +02:00
|
|
|
Let's take an example:
|
|
|
|
|
|
|
|
|
|
ACCEPT<2/sec:4> net dmz tcp 80
|
|
|
|
|
|
|
|
|
|
The first time this rule is reached, the packet will be accepted; in
|
|
|
|
|
fact, since the burst is 4, the first four packets will be
|
|
|
|
|
accepted. After this, it will be 500ms (1 second divided by the rate
|
|
|
|
|
of 2) before a packet will be accepted from this rule, regardless of
|
|
|
|
|
how many packets reach it. Also, every 500ms which passes without
|
|
|
|
|
matching a packet, one of the bursts will be regained; if no packets
|
|
|
|
|
hit the rule for 2 second, the burst will be fully recharged;
|
|
|
|
|
back where we started.
|
2003-08-13 21:29:15 +02:00
|
|
|
|
|
|
|
|
Warning: When rate limiting is specified on a rule with "all" in the
|
|
|
|
|
SOURCE or DEST fields, the limit will apply to each pair of
|
2003-08-13 21:32:12 +02:00
|
|
|
zones individually rather than as a single limit for all pairs of
|
2003-08-13 21:29:15 +02:00
|
|
|
zones covered by the rule.
|
|
|
|
|
|
2003-08-15 02:59:06 +02:00
|
|
|
10) Multiple chains may now be displayed in one "shorewall show"
|
2003-08-15 03:20:37 +02:00
|
|
|
command (e.g., shorewall show INPUT FORWARD OUTPUT).
|
2003-08-23 20:14:59 +02:00
|
|
|
|
|
|
|
|
11) Output rules (those with $FW as the SOURCE) may now be limited to
|
|
|
|
|
a set of local users and/or groups. See
|
|
|
|
|
http://shorewall.net/UserSets.html for details.
|
