2004-04-12 16:16:46 +02:00
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
2003-12-30 02:19:52 +01:00
|
|
|
<html>
|
|
|
|
<head>
|
2004-04-12 16:16:46 +02:00
|
|
|
<meta content="HTML Tidy, see www.w3.org" name="generator">
|
|
|
|
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
|
|
|
|
<title>Shoreline Firewall (Shorewall) 2.0</title>
|
|
|
|
<base target="_self">
|
2003-12-30 02:19:52 +01:00
|
|
|
</head>
|
2004-04-12 16:16:46 +02:00
|
|
|
<body>
|
|
|
|
<div>
|
2004-05-28 19:24:32 +02:00
|
|
|
<h1>Shorewall 2.0</h1>
|
|
|
|
<span style="font-weight: bold;">Tom Eastep</span><br>
|
|
|
|
<br>
|
|
|
|
The information on this site
|
2004-04-12 16:16:46 +02:00
|
|
|
applies only to 2.0.x releases of
|
|
|
|
Shorewall. For older versions:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ul>
|
|
|
|
<li>The 1.4 site is <a href="http://www.shorewall.net/1.4"
|
2004-04-12 16:16:46 +02:00
|
|
|
target="_top">here.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</a></li>
|
|
|
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
2004-04-12 16:16:46 +02:00
|
|
|
target="_top">here.</a></li>
|
2004-05-28 19:24:32 +02:00
|
|
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li>
|
|
|
|
</ul>
|
2004-08-14 23:00:08 +02:00
|
|
|
Here are the <a
|
2004-08-21 20:16:21 +02:00
|
|
|
href="http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.4/releasenotes.txt">release
|
2004-08-14 23:00:08 +02:00
|
|
|
notes </a>for the current 2.1 Developement Release<br>
|
|
|
|
<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
Copyright © 2001-2004 Thomas M. Eastep<br>
|
|
|
|
<div>
|
|
|
|
<div class="legalnotice">
|
|
|
|
<p>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation;
|
|
|
|
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled “<span
|
|
|
|
class="quote"><a
|
|
|
|
href="file:///vfat/Ursa/Shorewall/Shorewall-Website/GnuCopyright.htm"
|
|
|
|
target="_self">GNU Free
|
|
|
|
Documentation License</a></span>”.</p>
|
|
|
|
</div>
|
|
|
|
</div>
|
|
|
|
<div>
|
2004-08-14 23:00:08 +02:00
|
|
|
<p class="pubdate">2004-08-10<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</p>
|
|
|
|
<hr style="width: 100%; height: 2px;"></div>
|
|
|
|
<h3>Table of Contents</h3>
|
|
|
|
<div style="margin-left: 40px;"><a href="#Intro">Introduction to
|
|
|
|
Shorewall</a><br>
|
|
|
|
<div style="margin-left: 40px;"><a href="#Glossary">Glossary</a><br>
|
|
|
|
<a href="#WhatIs">What is Shorewall?</a><br>
|
|
|
|
<a href="#GettingStarted">Getting Started with Shorewall</a><br>
|
|
|
|
<a href="#Info">Looking for Information?</a><br>
|
|
|
|
<a href="#Mandrake">Running Shorewall on Mandrake® with a
|
|
|
|
two-interface setup?</a><br>
|
|
|
|
<a href="#License">License</a><br>
|
|
|
|
</div>
|
2004-08-07 05:33:54 +02:00
|
|
|
<a href="#News">News</a><a href="#2_0_7"><br>
|
2004-07-03 00:42:04 +02:00
|
|
|
</a>
|
2004-08-07 05:33:54 +02:00
|
|
|
<div style="margin-left: 40px;"><a href="#2_0_7">Shorewall 2.0.7</a><br>
|
|
|
|
<a href="#2_0_6">Shorewall 2.0.6</a><br>
|
|
|
|
<a href="#2_0_5">Shorewall 2.0.5</a><br>
|
|
|
|
<a href="#2_0_4">Shorewall 2.0.4</a><br>
|
|
|
|
<a href="#Release_Model">New Release
|
|
|
|
Model</a><br>
|
|
|
|
<a href="#2_0_3c">Shorewall 2.0.3c</a><br>
|
2004-07-03 00:42:04 +02:00
|
|
|
<a href="#2_0_3b">Shorewall 2.0.3b</a><br>
|
|
|
|
<a href="#2_0_3a">Shorewall 2.0.3a</a><br>
|
|
|
|
<a href="#2_0_3">Shorewall
|
|
|
|
2.0.3</a><br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</div>
|
|
|
|
<a href="#Leaf">Leaf</a><br>
|
|
|
|
<a href="#Donations">Donations</a><br>
|
|
|
|
</div>
|
|
|
|
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
|
|
|
|
<h3><a name="Glossary"></a>Glossary</h3>
|
|
|
|
<ul>
|
|
|
|
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a>
|
2004-04-12 16:16:46 +02:00
|
|
|
- the
|
|
|
|
packet filter facility built into the 2.4 and later Linux kernels.</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
<li>ipchains - the packet filter facility built into the 2.2
|
2004-04-12 16:16:46 +02:00
|
|
|
Linux kernels. Also the name of the utility program used to configure
|
|
|
|
and control that facility. Netfilter can be used in ipchains
|
|
|
|
compatibility mode.</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
<li>iptables - the utility program used to configure and
|
2004-04-12 16:16:46 +02:00
|
|
|
control Netfilter. The term 'iptables' is often used to refer to the
|
|
|
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
|
|
|
compatibility mode).</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
</ul>
|
|
|
|
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
|
|
|
|
<div style="margin-left: 40px;">The Shoreline Firewall, more
|
2004-04-12 16:16:46 +02:00
|
|
|
commonly known as "Shorewall", is
|
2004-05-14 00:07:06 +02:00
|
|
|
a high-level tool for configuring Netfilter. You describe your
|
2004-04-12 16:16:46 +02:00
|
|
|
firewall/gateway requirements using entries in a set of configuration
|
|
|
|
files. Shorewall reads those configuration files and with the help of
|
|
|
|
the iptables utility, Shorewall configures Netfilter to match your
|
|
|
|
requirements. Shorewall can be used on a dedicated firewall system, a
|
|
|
|
multi-function gateway/router/server or on a standalone GNU/Linux
|
|
|
|
system. Shorewall does not use Netfilter's ipchains compatibility mode
|
|
|
|
and can thus take advantage of Netfilter's <a
|
|
|
|
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
|
|
|
|
target="_top">connection
|
|
|
|
state tracking
|
|
|
|
capabilities</a>.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<br>
|
2004-04-12 16:16:46 +02:00
|
|
|
Shorewall is <span style="text-decoration: underline;">not</span> a
|
|
|
|
daemon. Once Shorewall has configured Netfilter, it's job is complete.
|
|
|
|
After that, there is no Shorewall code running although the <a
|
|
|
|
href="starting_and_stopping_shorewall.htm">/sbin/shorewall
|
|
|
|
program can be used at any time to monitor the Netfilter firewall</a>.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</div>
|
|
|
|
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
|
|
|
|
<div style="margin-left: 40px;">New to Shorewall? Start by
|
2004-04-12 16:16:46 +02:00
|
|
|
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
|
|
|
|
that most
|
2004-05-28 19:24:32 +02:00
|
|
|
closely matches your environment and follow the step by step
|
|
|
|
instructions.<br>
|
|
|
|
</div>
|
|
|
|
<h3><a name="Info"></a>Looking for Information?</h3>
|
|
|
|
<div style="margin-left: 40px;">The <a href="Documentation_Index.html">Documentation
|
2004-04-12 16:16:46 +02:00
|
|
|
Index</a> is a good place to start as is the Quick Search in the frame
|
|
|
|
above. </div>
|
2004-05-28 19:24:32 +02:00
|
|
|
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
|
|
|
|
two-interface setup?</h3>
|
|
|
|
<div style="margin-left: 40px;">If so, the documentation on this
|
2004-04-12 16:16:46 +02:00
|
|
|
site will not apply directly
|
|
|
|
to your setup. If you want to use the documentation that you find here,
|
|
|
|
you will want to consider uninstalling what you have and installing a
|
|
|
|
setup that matches the documentation on this site. See the <a
|
|
|
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
|
|
|
details.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<br>
|
|
|
|
<span style="font-weight: bold;">Update: </span>I've been
|
2004-04-12 16:16:46 +02:00
|
|
|
informed by Mandrake Development that this problem has been corrected
|
|
|
|
in Mandrake 10.0 Final (the problem still exists in the 10.0 Community
|
|
|
|
release).<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</div>
|
|
|
|
<h3><a name="License"></a>License</h3>
|
|
|
|
<div style="margin-left: 40px;">This program is free software;
|
2004-04-12 16:16:46 +02:00
|
|
|
you can redistribute it and/or modify it
|
|
|
|
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
|
|
|
2 of the GNU General Public License</a> as published by the Free
|
|
|
|
Software Foundation.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</div>
|
|
|
|
<p style="margin-left: 40px;">This program is distributed in the
|
2004-04-12 16:16:46 +02:00
|
|
|
hope that it will be
|
|
|
|
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
General Public License for more detail.</p>
|
2004-05-28 19:24:32 +02:00
|
|
|
<div style="margin-left: 40px;"> </div>
|
|
|
|
<p style="margin-left: 40px;">You should have received a copy of
|
2004-04-12 16:16:46 +02:00
|
|
|
the GNU General Public
|
|
|
|
License along with this program; if not, write to the Free Software
|
|
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
2004-05-28 19:24:32 +02:00
|
|
|
<div style="margin-left: 40px;">Permission is granted to copy,
|
2004-04-12 16:16:46 +02:00
|
|
|
distribute and/or modify this document
|
|
|
|
under the terms of the GNU Free Documentation License, Version 1.2 or
|
|
|
|
any later version published by the Free Software Foundation; with no
|
|
|
|
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
|
|
|
|
A copy of the license is included in the section entitled <a>"GNU Free
|
|
|
|
Documentation License"</a>. </div>
|
2004-05-28 19:24:32 +02:00
|
|
|
<p> </p>
|
|
|
|
<hr style="width: 100%; height: 2px;">
|
|
|
|
<h2><a name="News"></a>News</h2>
|
2004-08-07 05:33:54 +02:00
|
|
|
<span style="font-weight: bold;"><a name="2_0_7"></a>7/29/2004 -
|
|
|
|
Shorewall 2.0.7<br>
|
|
|
|
<br>
|
|
|
|
</span>Problems Corrected:<br>
|
|
|
|
<ol>
|
|
|
|
<li>The PKTTYPE option introduced in version 2.0.6 is now used when
|
|
|
|
generating rules to REJECT packets. Broadcast packets are silently
|
|
|
|
dropped rather than being rejected with an ICMP (which is a protocol
|
|
|
|
violation) and users whose kernels have broken packet type match
|
|
|
|
support are likely to see messages reporting this violation. Setting
|
|
|
|
PKTTYPE=No should cause these messages to cease.</li>
|
|
|
|
<li>Multiple interfaces with the 'blacklist' option no longer result
|
|
|
|
in an error message at startup.</li>
|
|
|
|
<li>The following has been added to /etc/shorewall/bogons:<br>
|
|
|
|
<br>
|
|
|
|
0.0.0.0 RETURN<br>
|
|
|
|
<br>
|
|
|
|
This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
|
|
|
|
broadcasts.<br>
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
New Features:<br>
|
|
|
|
<br>
|
|
|
|
<ol>
|
|
|
|
<li>To improve supportability, the "shorewall status" command now
|
|
|
|
includes IP and Route configuration information.<br>
|
|
|
|
<br>
|
|
|
|
Example:<br>
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> IP Configuration</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 1: lo:
|
|
|
|
<LOOPBACK,UP> mtu 16436 qdisc noqueue</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet6 ::1/128 scope host</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 2: eth0:
|
|
|
|
<BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
|
|
|
|
1000</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet6 fe80::2a0:c9ff:fe15:3978/64 scope link</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 3: eth1:
|
|
|
|
<BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
|
|
|
|
1000</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 5: sit0@NONE:
|
|
|
|
<NOARP> mtu 1480 qdisc noop</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/sit 0.0.0.0 brd 0.0.0.0</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 6: eth2:
|
|
|
|
<BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
|
|
|
|
1000</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 7: br0:
|
|
|
|
<BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet 192.168.1.3/24 brd 192.168.1.255 scope global br0</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> Routing Rules</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;">
|
|
|
|
0: from all lookup local</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 32765:
|
|
|
|
from all fwmark ca lookup www.out</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 32766:
|
|
|
|
from all lookup main</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 32767:
|
|
|
|
from all lookup default</span><br style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> Table local:</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> broadcast
|
|
|
|
192.168.1.0 dev br0 proto kernel scope link src
|
|
|
|
192.168.1.3</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> broadcast
|
|
|
|
127.255.255.255 dev lo proto kernel scope link src
|
|
|
|
127.0.0.1</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> local
|
|
|
|
192.168.1.3 dev br0 proto kernel scope host src
|
|
|
|
192.168.1.3</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> broadcast
|
|
|
|
192.168.1.255 dev br0 proto kernel scope link src
|
|
|
|
192.168.1.3</span><br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> broadcast
|
|
|
|
127.0.0.0 dev lo proto kernel scope link src 127.0.0.1</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> local 127.0.0.1
|
|
|
|
dev lo proto kernel scope host src 127.0.0.1</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> local
|
|
|
|
127.0.0.0/8 dev lo proto kernel scope host src
|
|
|
|
127.0.0.1</span><br style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> Table www.out:</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> default via
|
|
|
|
192.168.1.3 dev br0</span><br style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> Table main:</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> 192.168.1.0/24
|
|
|
|
dev br0 proto kernel scope link src 192.168.1.3</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> default via
|
|
|
|
192.168.1.254 dev br0</span><br style="font-family: monospace;">
|
|
|
|
<br style="font-family: monospace;">
|
|
|
|
<span style="font-family: monospace;"> Table default:</span><br
|
|
|
|
style="font-family: monospace;">
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
<span style="font-weight: bold;"><a name="2_0_6"></a>7/16/2004 -
|
|
|
|
Shorewall 2.0.6<br>
|
|
|
|
<br>
|
|
|
|
</span>Problems Corrected:<br>
|
|
|
|
<ul>
|
|
|
|
<li>Some users have reported the packet type match option in
|
|
|
|
iptables/Netfilter failing to match certain broadcast packets. The
|
|
|
|
result is that the firewall log shows a lot of broadcast packets.<br>
|
|
|
|
<br>
|
|
|
|
Other users have complained of the following message when starting
|
|
|
|
Shorewall:<br>
|
|
|
|
<br>
|
|
|
|
|
|
|
|
modprobe: cant locate module ipt_pkttype<br>
|
|
|
|
<br>
|
|
|
|
Users experiencing either of these problems can use PKTTYPE=No in
|
|
|
|
shorewall.conf to cause Shorewall to use IP address filtering of
|
|
|
|
broadcasts rather than packet type.</li>
|
|
|
|
<li>The shorewall.conf and zones file are no longer given execute
|
|
|
|
permission by the installer script.</li>
|
|
|
|
<li>ICMP packets that are in the INVALID state are now dropped by the
|
|
|
|
Reject and Drop default actions. They do so using the new 'dropInvalid'
|
|
|
|
builtin action.<br>
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
<span style="font-weight: bold;"><a name="2_0_5"></a>7/10/2004 -
|
|
|
|
Shorewall 2.0.5<br>
|
|
|
|
</span><br>
|
|
|
|
Problems Corrected:<br>
|
|
|
|
<ul>
|
|
|
|
<li>If DISABLE_IPV6=Yes in shorewall.conf then harmless error
|
|
|
|
messages referring to $RESTOREBASE are generated during <span
|
|
|
|
style="font-weight: bold;">shorewall stop</span>.</li>
|
|
|
|
<li>An anachronistic comment concerning a mangle option has been
|
|
|
|
removed from shorewall.conf.<br>
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
<a name="2_0_4"></a><span style="font-weight: bold;">7/06/2004 -
|
|
|
|
Shorewall 2.0.4<br>
|
|
|
|
</span><br>
|
|
|
|
Problems Corrected:<br>
|
|
|
|
<ul>
|
|
|
|
<li>Rules with $FW as the source zone and that specify logging can
|
|
|
|
cause "shorewall start" to fail.<br>
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
<a name="Release_Model"></a><span style="font-weight: bold;">7/03/2004
|
|
|
|
- New Shorewall Release Model<br>
|
|
|
|
<br>
|
|
|
|
</span>Effective today, Shorewall is adopting a new release model which
|
|
|
|
takes ideas from the one used in the Linux Kernel and from the release
|
|
|
|
model for Postfix.<br>
|
|
|
|
<ol>
|
|
|
|
<li>Releases continue to have a three-level identification <span
|
|
|
|
style="font-style: italic;">x.y.z</span> (e.g., 2.0.3).<br>
|
|
|
|
</li>
|
|
|
|
<li>The first two levels (<span style="font-style: italic;">x.y)</span>
|
|
|
|
designate the <span style="font-style: italic;">Major Release Number</span>
|
|
|
|
(e.g., 2.0)</li>
|
|
|
|
<li>The third level (<span style="font-style: italic;">z</span>)
|
|
|
|
designates the <span style="font-style: italic;">Minor Release Number</span>.</li>
|
|
|
|
<li>Even numbered major releases (e.g., <span
|
|
|
|
style="font-style: italic;">1.4, 2.0, 2.2, ...)</span> are <span
|
|
|
|
style="font-style: italic;">Stable Releases</span>. No new features
|
|
|
|
are added to stable releases and new minor releases of a stable release
|
|
|
|
will only contain bug fixes. Installing a new minor release for the
|
|
|
|
major release that you are currently running involves no migration
|
|
|
|
issues (for example, if you are running 1.4.10 and I release 1.4.11,
|
|
|
|
your current configuration is 100% compatible with the new release).</li>
|
|
|
|
<li>Support is available through the <a
|
|
|
|
href="http://lists.shorewall.net">Mailing List </a>for the two most
|
|
|
|
recent Stable Releases.<br>
|
|
|
|
</li>
|
|
|
|
<li>Odd numbered major releases (e.g., 2.1, 2.3, ...) are <span
|
|
|
|
style="font-style: italic;">Development Releases</span>. Development
|
|
|
|
releases are where new functionality is introduced. Documentation for
|
|
|
|
new features will be available but it may not be up to the standards of
|
|
|
|
the stable release documentation. Sites running Development Releases
|
|
|
|
should be prepared to play an active role in testing new features. Bug
|
|
|
|
fixes and problem resolution for the development release take a back
|
|
|
|
seat to support of the stable releases. Problem reports for the current
|
|
|
|
development release should be sent to the <a
|
|
|
|
href="mailto:shorewall-devel@lists.shorewall.net">Shorewall
|
|
|
|
Development Mailing List</a>.<br>
|
|
|
|
</li>
|
|
|
|
<li>When the level of functionality of the current development
|
|
|
|
release is judged adaquate, the Beta period for a new Stable release
|
|
|
|
will begin. Beta releases have identifications of the form <span
|
|
|
|
style="font-style: italic;">x.y.0-BetaN</span> where <span
|
|
|
|
style="font-style: italic;">x.y</span> is the number of the next
|
|
|
|
Stable Release and <span style="font-style: italic;">N</span>=1,2,3...
|
|
|
|
. Betas are expected to occur rougly once per year. Beta releases may
|
|
|
|
contain new functionality not present in the previous beta release
|
|
|
|
(e.g., 2.2.0-Beta4 may contain functionality not present in
|
|
|
|
2.2.0-Beta3). When I'm confident that the current Beta release is
|
|
|
|
stable, I will release the first <span style="font-style: italic;">Release
|
|
|
|
Candidate. </span>Release candidates have identifications of the form <span
|
|
|
|
style="font-style: italic;">x.y.0-RCn </span>where<span
|
|
|
|
style="font-style: italic;"> <span style="font-style: italic;">x.y</span>
|
|
|
|
</span>is the number of the next Stable Release and<span
|
|
|
|
style="font-style: italic;"> <span style="font-style: italic;">n</span></span>=1,2,3...
|
|
|
|
. Release candidates contain no new functionailty -- they only contain
|
|
|
|
bug fixes. When the stability of the current release candidate is
|
|
|
|
judged to be sufficient then that release candidate will be released as
|
|
|
|
the new stable release (e.g., 2.2.0). At that time, the new stable
|
|
|
|
release and the prior stable release are those that are supported.</li>
|
|
|
|
<li>What does it mean for a major release to be <span
|
|
|
|
style="font-style: italic;">supported?</span> It means that I will
|
|
|
|
answer questions about the release and that if a bug is found, I will
|
|
|
|
fix the bug and include the fix in the next minor release.</li>
|
|
|
|
<li>Between minor releases, bug fixes will continue to be made
|
|
|
|
available through the Errata page for each major release.<br>
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
The immediate implications of this change are as follows:<br>
|
|
|
|
<ol>
|
|
|
|
<li>The functionality of the 2.0 major release is frozen at the level
|
|
|
|
of minor release 2.0.3.</li>
|
|
|
|
<li>The two major releases currently supported are 1.4 and 2.0.</li>
|
|
|
|
<li>I will be opening the 2.1 development release shortly with the
|
|
|
|
release of 2.1.0.</li>
|
|
|
|
<li>Bug-fix releases with identifications of the form <span
|
|
|
|
style="font-style: italic;">x.y.zX </span>where X=a,b,c,... (e.g.,
|
|
|
|
2.0.3c) will not be seen in the future.<br>
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a
|
|
|
|
name="2_0_3c"><span style="font-weight: bold;">7/02/2004 -
|
2004-07-03 00:42:04 +02:00
|
|
|
Shorewall 2.0.3c<br>
|
|
|
|
<br>
|
|
|
|
</span></a></span>Problems Corrected<span style="font-weight: bold;">:<br>
|
|
|
|
</span>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li> Error messages regarding $RESTOREBASE occur during <span
|
|
|
|
class="bold"><b>shorewall stop</b></span> </li>
|
|
|
|
<li> If CLEAR_TC=Yes in <tt class="filename">shorewall.conf</tt>, <span
|
|
|
|
class="bold"><b>shorewall stop</b></span> fails without removing the
|
|
|
|
lock file. </li>
|
2004-05-28 19:24:32 +02:00
|
|
|
</ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<span style="font-weight: bold;"><br>
|
|
|
|
</span><span style="font-weight: bold;"><a name="2_0_3b"></a>6/30/2004
|
|
|
|
-
|
|
|
|
Shorewall 2.0.3b and Shorewall 1.4.10g<br>
|
|
|
|
<br>
|
|
|
|
</span>Problems Corrected:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>The security vulnerability fix released in Shorewall 2.0.3a
|
|
|
|
failed under Slackware 9.1.</li>
|
|
|
|
<li>The security vulnerability fix released in Shorewall 2.0.3a
|
|
|
|
failed if mktemp was not installed.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</li>
|
|
|
|
</ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<a name="2_0_3a"></a><span style="font-weight: bold;">6/28/2004 -
|
|
|
|
Shorewall 2.0.3a and Shorewall 1.4.10f<br>
|
|
|
|
<br>
|
|
|
|
</span>Problems Corrected:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>Javier Fernández-Sanguino Peña has discovered an exploitable
|
|
|
|
vulnerability in the way that Shorewall handles temporary files and
|
|
|
|
directories. The vulnerability can allow a non-root user to cause
|
|
|
|
arbitrary files on the system to be overwritten. LEAF Bering and Bering
|
|
|
|
uClibc users are generally not at risk due to the fact that LEAF boxes
|
|
|
|
do not typically allow logins by non-root users. <br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</li>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>(2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules
|
|
|
|
will generate an error and Shorewall fails to start.</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
</ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<div style="margin-left: 40px;">Note:: Slackware users may need the
|
|
|
|
'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/
|
|
|
|
project for 2.0.3a) to prevent startup errors with these versions
|
|
|
|
installed. These updatged files are also available from the Errata (<a
|
|
|
|
href="errata.htm">2.0,</a> <a href="1.4/errata.htm">1.4</a>).<br>
|
|
|
|
<br>
|
|
|
|
</div>
|
|
|
|
<a name="2_0_3"></a><span style="font-weight: bold;">6/23/2004 -
|
|
|
|
Shorewall 2.0.3<br>
|
|
|
|
<br>
|
|
|
|
</span>Problems Corrected:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>The 'firewall' script is not purging temporary restore files in
|
|
|
|
/var/lib/shorewall. These files have names of the form "restore-nnnnn".</li>
|
|
|
|
<li>The /var/lib/shorewall/restore script did not load the kernel
|
|
|
|
modules specified in /etc/shorewall/modules.</li>
|
|
|
|
<li>Specifying a null common action in /etc/shorewall/actions (e.g.,
|
|
|
|
:REJECT) results in a startup error.</li>
|
|
|
|
<li>If /var/lib/shorewall does not exist, shorewall start fails.</li>
|
|
|
|
<li>DNAT rules with a dynamic source zone don't work properly. When
|
|
|
|
used, these rules cause the rule to be checked against ALL input, not
|
|
|
|
just input from the designated zone.</li>
|
|
|
|
<li>The install.sh script reported installing some files in
|
|
|
|
/etc/shorewall when the files were actually installed in
|
|
|
|
/usr/share/shorewall.</li>
|
|
|
|
<li>Shorewall checks netfilter capabilities before loading kernel
|
|
|
|
modules. Hence if kernel module autoloading isn't enabled, the
|
|
|
|
capabilities will be misdetected.</li>
|
|
|
|
<li>The 'newnotsyn' option in /etc/shorewall/hosts has no effect.</li>
|
|
|
|
<li>The file /etc/init.d/shorewall now gets proper ownership when the
|
|
|
|
RPM is built by a non-root user.</li>
|
|
|
|
<li>Rules that specify bridge ports in both the SOURCE and DEST
|
|
|
|
columns no longer cause "shorewall start" to fail.</li>
|
|
|
|
<li>Comments in the rules file have been added to advise users that
|
|
|
|
"all" in the SOURCE or DEST column does not affect intra-zone traffic.</li>
|
|
|
|
<li>With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
|
|
|
|
now passed through the blacklisting chains. Without this change, it is
|
|
|
|
not possible to blacklist hosts that are mounting certain types of
|
|
|
|
ICMP-based DOS attacks.</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
</ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>The 'dropNonSyn' standard builtin action has been replaced with
|
|
|
|
the 'dropNotSyn' standard builtin action. The old name can still be
|
|
|
|
used but will generate a warning.</li>
|
2004-05-28 19:24:32 +02:00
|
|
|
</ol>
|
2004-04-12 16:16:46 +02:00
|
|
|
New Features:<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
<ol>
|
2004-07-03 00:42:04 +02:00
|
|
|
<li>Shorewall now supports multiple saved configurations.</li>
|
|
|
|
<ol>
|
|
|
|
<li>The default saved configuration (restore script) in
|
|
|
|
/var/lib/shorewall is now specified using the RESTOREFILE option in
|
|
|
|
shorewall.conf. If this variable isn't set then to maintain backward
|
|
|
|
compatibility, 'restore' is assumed.<br>
|
|
|
|
<br>
|
|
|
|
The value of RESTOREFILE must be a simple file name; no slashes ("/")
|
|
|
|
may be included.<br>
|
|
|
|
</li>
|
|
|
|
<li>The "save" command has been extended to be able to specify the
|
|
|
|
name of a saved configuration.<br>
|
|
|
|
<br>
|
|
|
|
shorewall
|
|
|
|
save [ <file name> ]<br>
|
|
|
|
<br>
|
|
|
|
The current state is saved to /var/lib/shorewall/<file name>. If
|
|
|
|
no <file name> is given, the configuration is saved to the file
|
|
|
|
determined by the RESTOREFILE setting.</li>
|
|
|
|
<li>The "restore" command has been extended to be able to specify
|
|
|
|
the name of a saved configuration:<br>
|
|
|
|
<br>
|
|
|
|
shorewall
|
|
|
|
restore [ <file name> ]<br>
|
|
|
|
<br>
|
|
|
|
The firewall state is restored from /var/lib/shorewall/<file
|
|
|
|
name>. If no <file name> is given, the firewall state is
|
|
|
|
restored from the file determined by the RESTOREFILE setting.</li>
|
|
|
|
<li>The "forget" command has changed. Previously, the command
|
|
|
|
unconditionally removed the /var/lib/shorewall/save file which records
|
|
|
|
the current dynamic blacklist. The "forget" command now leaves that
|
|
|
|
file alone.<br>
|
|
|
|
<br>
|
|
|
|
Also, the "forget" command has been extended to be able to specify the
|
|
|
|
name of a saved configuration:<br>
|
|
|
|
<br>
|
|
|
|
|
|
|
|
shorewall forget [ <file name> ]<br>
|
|
|
|
<br>
|
|
|
|
The file /var/lib/shorewall/<file name> is removed. If no
|
|
|
|
<file name> is given, the file determined by the RESTOREFILE
|
|
|
|
setting is removed.</li>
|
|
|
|
<li>The "shorewall -f start" command restores the state from the
|
|
|
|
file determined by the RESTOREFILE setting.</li>
|
|
|
|
</ol>
|
|
|
|
<li>"!" is now allowed in accounting rules.</li>
|
|
|
|
<li>Interface names appearing within the configuration are now
|
|
|
|
verified. Interface names must match the name of an entry in
|
|
|
|
/etc/shorewall/interfaces (or if bridging is enabled, they must match
|
|
|
|
the name of an entry in /etc/shorewall/interfaces or the name of a
|
|
|
|
bridge port appearing in /etc/shorewall/hosts).</li>
|
|
|
|
<li>A new 'rejNotSyn' built-in standard action has been added. This
|
|
|
|
action responds to "New not SYN" packets with an RST.<br>
|
|
|
|
<br>
|
|
|
|
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
|
|
|
|
action. The old name will be accepted until the next major release of
|
|
|
|
Shorewall but will generate a warning.<br>
|
|
|
|
<br>
|
|
|
|
Several new logging actions involving "New not SYN" packets have been
|
|
|
|
added:<br>
|
|
|
|
<br>
|
|
|
|
logNewNotSyn -- logs
|
|
|
|
the packet with disposition = LOG<br>
|
|
|
|
dLogNewNotSyn -- logs the
|
|
|
|
packet with disposition = DROP<br>
|
|
|
|
rLogNewNotSyn -- logs the
|
|
|
|
packet with disposition = REJECT<br>
|
|
|
|
<br>
|
|
|
|
The packets are logged at the log level specified in the LOGNEWNOTSYN
|
|
|
|
option in shorewall.conf. If than option is empty or not specified,
|
|
|
|
then 'info' is assumed.<br>
|
|
|
|
<br>
|
|
|
|
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):</li>
|
|
|
|
<ol>
|
|
|
|
<li>To simulate the behavior of NEWNOTSYN=No:
|
|
|
|
<ol>
|
|
|
|
<li>Add 'NoNewNotSyn' to /etc/shorewall/actions.</li>
|
|
|
|
<li>Create /etc/shorewall/action.NoNewNotSyn containing:<br>
|
|
|
|
<br>
|
|
|
|
|
|
|
|
dLogNotSyn<br>
|
|
|
|
|
|
|
|
dropNotSyn<br>
|
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Early in your rules file, place:<br>
|
|
|
|
<br>
|
|
|
|
|
|
|
|
NoNewNotSyn all all tcp<br>
|
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
</li>
|
|
|
|
<li>Drop 'New not SYN' packets from the net only. Don't log them:</li>
|
|
|
|
<ol>
|
|
|
|
<li>Early in your rules file, place:<br>
|
|
|
|
<br>
|
|
|
|
|
|
|
|
dropNotSyn
|
|
|
|
net all tcp<br>
|
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
</ol>
|
|
|
|
<li>Slackware users no longer have to modify the install.sh script
|
|
|
|
before installation. Tuomo Soini has provided a change that allows the
|
|
|
|
INIT and FIREWALL variables to be specified outside the script as in:<br>
|
|
|
|
<br>
|
|
|
|
DEST=/etc/rc.d INIT=rc.firewall
|
|
|
|
./install.sh<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
<ol>
|
|
|
|
</ol>
|
|
|
|
<p><a href="News.htm">More News</a></p>
|
|
|
|
<hr style="width: 100%; height: 2px;">
|
|
|
|
<h2><a name="Leaf"></a>Leaf<br>
|
|
|
|
</h2>
|
|
|
|
<p><a href="http://leaf.sourceforge.net" target="_top"><img
|
2004-04-12 16:16:46 +02:00
|
|
|
alt="(Leaf Logo)"
|
|
|
|
style="border: 0px solid ; height: 36px; width: 49px;"
|
|
|
|
src="images/leaflogo.gif" title=""></a> LEAF is an open source project
|
|
|
|
which provides a Firewall/router on a floppy, CD or CF. Several LEAF
|
2004-05-28 19:24:32 +02:00
|
|
|
distributions including Bering and Bering-uClibc use Shorewall as their
|
2004-04-12 16:16:46 +02:00
|
|
|
Netfilter configuration tool.<br>
|
2004-05-28 19:24:32 +02:00
|
|
|
</p>
|
|
|
|
<div>
|
|
|
|
<div style="text-align: center;"> </div>
|
|
|
|
</div>
|
|
|
|
<hr style="width: 100%; height: 2px;">
|
2004-08-07 05:33:54 +02:00
|
|
|
<h2><a name="Donations"></a>Donations</h2>
|
2004-05-28 19:24:32 +02:00
|
|
|
<p style="text-align: left;"><big><a href="http://www.alz.org"
|
2004-08-07 05:33:54 +02:00
|
|
|
target="_top"><img src="images/alz_logo2.gif"
|
2004-04-12 16:16:46 +02:00
|
|
|
alt="(Alzheimer's Association Logo)"
|
2004-08-07 05:33:54 +02:00
|
|
|
style="border: 0px solid ; width: 300px; height: 60px;" align="right"></a></big></p>
|
|
|
|
<h2></h2>
|
|
|
|
<p style="text-align: left;"> </p>
|
2004-05-28 19:24:32 +02:00
|
|
|
<h2><big><a href="http://www.starlight.org" target="_top"><img
|
|
|
|
src="images/newlog.gif" title="" alt="(Starlight Foundation Logo)"
|
2004-08-07 05:33:54 +02:00
|
|
|
style="border: 0px solid ; width: 59px; height: 102px;" align="right"></a></big></h2>
|
2004-05-28 19:24:32 +02:00
|
|
|
<p style="text-align: left;"><big>Shorewall
|
2004-04-12 16:16:46 +02:00
|
|
|
is free but
|
|
|
|
if you
|
|
|
|
try it and find it useful,
|
|
|
|
please consider making a donation to the <a href="http://www.alz.org/"
|
2004-05-28 19:24:32 +02:00
|
|
|
target="_top">Alzheimer's Association</a> or to the <a
|
|
|
|
href="http://www.starlight.org" target="_top">Starlight Children's
|
|
|
|
Foundation</a>.<br>
|
|
|
|
</big></p>
|
|
|
|
<p style="text-align: left;"><big>Thanks<br>
|
|
|
|
<br>
|
|
|
|
</big></p>
|
|
|
|
<p style="text-align: left;"><big><br>
|
|
|
|
</big> </p>
|
2004-04-12 16:16:46 +02:00
|
|
|
</div>
|
|
|
|
</body>
|
2003-12-30 02:19:52 +01:00
|
|
|
</html>
|