2006-12-28 18:43:00 +01:00
|
|
|
Shorewall 3.4.0 Beta 2
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
Release Highlights
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-12-28 18:43:00 +01:00
|
|
|
1) Shorewall can now be tailored to reduce its footprint on embedded
|
|
|
|
systems. As part of this change, actions are now completely
|
|
|
|
optional.
|
|
|
|
|
|
|
|
See http://www.shorewall.net/Modularization.html for details.
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
2) Exclusion is now possible in /etc/shorewall/hosts. This is required
|
|
|
|
for bridge/firewalls under kernel 2.6.20 and later.
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-12-28 18:43:00 +01:00
|
|
|
See http://www.shorewall.net/NewBridge.html.
|
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
3) Shorewall and Shorewall Lite now include man pages. There is a
|
|
|
|
man page for shorewall(8), one for shorewall-lite(8) and one for
|
|
|
|
each configuration file. As part of this change, all documentation
|
|
|
|
has been removed from Shorewall configuration files. This should
|
|
|
|
make it easier from users to upgrade from one release to the next
|
|
|
|
since the configuration files will only change when column is added
|
|
|
|
or renamed.
|
2006-12-10 21:40:25 +01:00
|
|
|
|
2006-12-28 18:43:00 +01:00
|
|
|
See http://www.shorewall.net/Documentation_Index.html#Manpages.
|
|
|
|
|
|
|
|
4) Shorewall now remembers the changes that it has made to routing as
|
|
|
|
a result of entries in /etc/shorewall/providers and
|
|
|
|
/etc/shorewall/route_rules and reverses those changes when
|
|
|
|
appropriate.
|
|
|
|
|
2006-12-30 18:30:53 +01:00
|
|
|
Problems Corrected in 3.4.0 Beta 2
|
|
|
|
|
|
|
|
1) If 'blacklist' was specified on an interface and the
|
2007-01-02 05:32:11 +01:00
|
|
|
/etc/shorewall/blacklist file was empty, then the generated
|
|
|
|
firewall script contained a syntax error (the function
|
|
|
|
load_blacklist() was empty).
|
2006-12-30 18:30:53 +01:00
|
|
|
|
2006-12-30 19:04:15 +01:00
|
|
|
2) If the file /etc/shorewall/init did not exist, then the compiler
|
|
|
|
would incorrectly copy /usr/share/shorewall/init into the
|
|
|
|
compiled script. /usr/share/shorewall/init is a symbolic link
|
|
|
|
to the Shorewall init script (usually /etc/init.d/shorewall).
|
|
|
|
|
2007-01-02 17:01:46 +01:00
|
|
|
3) To allow Shorewall and Shorewall Lite to coexist on a single
|
|
|
|
system, the Shorewall section 5 manpages are no longer included in
|
|
|
|
Shorewall Lite. In addition, the Shorewall Lite manpage for
|
|
|
|
"shorewall.conf" has been renamed "shorewall-lite.conf".
|
|
|
|
|
2006-08-30 19:57:04 +02:00
|
|
|
Migration Considerations:
|
|
|
|
|
|
|
|
1) Shorewall supports the notion of "default actions". A default
|
|
|
|
action defines a set of rules that are applied before a policy is
|
|
|
|
enforced. Default actions accomplish two goals:
|
|
|
|
|
|
|
|
a) Relieve log congestion. Default actions typically include rules
|
|
|
|
to silently drop or reject traffic that would otherwise be logged
|
|
|
|
when the policy is enforced.
|
|
|
|
|
2006-11-23 01:58:38 +01:00
|
|
|
b) Insure correct operation. Default actions can also avoid common
|
|
|
|
pitfalls like dropping connection requests on TCP port 113. If
|
|
|
|
these connections are dropped (rather than rejected) then you
|
|
|
|
may encounter problems connecting to internet services that
|
|
|
|
utilize the AUTH protocol of client authentication.
|
2006-08-30 19:57:04 +02:00
|
|
|
|
|
|
|
In prior Shorewall versions, default actions (action.Drop and
|
|
|
|
action.Reject) were defined for DROP and REJECT policies in
|
2006-08-30 22:03:38 +02:00
|
|
|
/usr/share/shorewall/actions.std. These could be overridden in
|
|
|
|
/etc/shorewall/actions.
|
2006-08-30 19:57:04 +02:00
|
|
|
|
|
|
|
This approach has two drawbacks:
|
|
|
|
|
|
|
|
a) All DROP policies must use the same default action and all
|
|
|
|
REJECT policies must use the same default action.
|
|
|
|
|
|
|
|
b) Now that we have modularized action processing (see the New
|
|
|
|
Features section below), we need a way to define default rules
|
2006-09-09 18:16:41 +02:00
|
|
|
for a policy that does not involve actions.
|
2006-08-30 19:57:04 +02:00
|
|
|
|
2006-08-30 22:03:38 +02:00
|
|
|
If you have not overridden the defaults using entries in
|
|
|
|
/etc/shorewall/actions then you need make no changes to migrate to
|
2006-12-28 19:12:08 +01:00
|
|
|
Shorewall version 3.4. Otherwise, please see item 3) in the New
|
2006-08-30 22:03:38 +02:00
|
|
|
Features below.
|
2006-08-30 20:20:08 +02:00
|
|
|
|
2006-09-06 19:12:00 +02:00
|
|
|
2) The 'Limit' action is now a builtin. If you have 'Limit' listed in
|
2006-09-05 00:51:23 +02:00
|
|
|
/etc/shorewall/actions, remove the entry. Also remove the files
|
2006-09-06 19:12:00 +02:00
|
|
|
/etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have
|
2006-09-05 00:51:23 +02:00
|
|
|
them.
|
|
|
|
|
2006-12-31 17:17:45 +01:00
|
|
|
3) This issue only applies if you have entries in
|
|
|
|
/etc/shorewall/providers.
|
|
|
|
|
|
|
|
Previously, Shorewall has not attempted to undo the changes it has
|
|
|
|
made to the firewall's routing as a result of entries in
|
|
|
|
/etc/shorewall/providers and /etc/shorewall/routes. Beginning with
|
|
|
|
this release, Shorewall will attempt to undo these changes.
|
|
|
|
|
|
|
|
See item 15 under new features below for additional information.
|
|
|
|
|
|
|
|
This change can present a migration issue in that the
|
|
|
|
initial routing configuration when this version of Shorewall is
|
|
|
|
installed has probably been changed by Shorewall already. Hence,
|
2006-12-31 17:41:17 +01:00
|
|
|
when Shorewall restores the original configuration, it will be
|
2006-12-31 17:17:45 +01:00
|
|
|
installing a configuration that the previously-installed version
|
|
|
|
has already modified.
|
|
|
|
|
|
|
|
The steps to correcting this after you have installed this version
|
|
|
|
of Shorewall are as follows:
|
|
|
|
|
|
|
|
a) "shorewall[-lite] stop"
|
|
|
|
b) Be sure that the files /var/lib/shorewall[-lite]/default_route
|
|
|
|
and /var/lib/shorewall[-lite]/undo_routing do not exist. If they
|
|
|
|
do exist, remove them.
|
|
|
|
b) Either restart networking or reboot.
|
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
New Features in Shorewall 3.4:
|
2006-12-01 17:36:17 +01:00
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
1) In order to accomodate small embedded applications, Shorewall 3.4
|
2006-08-28 18:26:11 +02:00
|
|
|
is now modularized. In addition to the base files, there are
|
|
|
|
loadable "libraries" that may be included or omitted from an
|
|
|
|
embedded system as required.
|
|
|
|
|
|
|
|
Loadable Shorewall libraries reside in /usr/share/shorewall/ and
|
|
|
|
have names that begin with "lib.". The following libraries are
|
2006-12-18 22:52:25 +01:00
|
|
|
included in Shorewall 3.4:
|
2006-08-28 18:26:11 +02:00
|
|
|
|
|
|
|
- lib.accounting. Must be available if you include entries in
|
2006-08-29 18:25:22 +02:00
|
|
|
/etc/shorewall/accounting.
|
2006-08-28 18:26:11 +02:00
|
|
|
|
2006-10-31 20:01:23 +01:00
|
|
|
- lib.actions. Must be available if you do not specify
|
2006-08-29 22:21:59 +02:00
|
|
|
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.
|
|
|
|
|
2006-11-23 01:58:38 +01:00
|
|
|
- lib.base. The base Shorewall library required by all programs,
|
|
|
|
including compiled firewall scripts.
|
2006-11-21 00:39:46 +01:00
|
|
|
|
|
|
|
- lib.cli. Library containing the code common to /sbin/shorewall,
|
2006-11-21 22:50:56 +01:00
|
|
|
/sbin/shorewall-lite.
|
2006-11-21 00:39:46 +01:00
|
|
|
|
|
|
|
- lib.config. Library containing the code that is common to
|
|
|
|
/usr/share/shorewall/compiler and /usr/share/shorewall/firewall.
|
|
|
|
|
2006-08-28 18:26:11 +02:00
|
|
|
- lib.dynamiczones. Must be available if you specify
|
|
|
|
DYNAMIC_ZONES=Yes in shorewall.conf.
|
|
|
|
|
2006-08-29 18:25:22 +02:00
|
|
|
- lib.maclist. Must be available if you specify the 'maclist'
|
2006-08-28 18:26:11 +02:00
|
|
|
option in /etc/shorewall/interfaces or /etc/shorewall/hosts.
|
|
|
|
|
|
|
|
- lib.nat. Must be available if you have entries in
|
2006-11-09 05:18:49 +01:00
|
|
|
/etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap
|
|
|
|
or if you use DNAT or REDIRECT rules.
|
2006-08-28 18:26:11 +02:00
|
|
|
|
|
|
|
- lib.providers. Must be available if you have entries in
|
|
|
|
/etc/shorewall/providers.
|
|
|
|
|
|
|
|
- lib.proxyarp. Must be available if you have entries in
|
2006-08-28 22:22:56 +02:00
|
|
|
/etc/shorewall/proxyarp or if you specify the 'proxyarp' option
|
|
|
|
in /etc/shorewall/interfaces.
|
2006-08-28 18:26:11 +02:00
|
|
|
|
|
|
|
- lib.tc. Must be available if you have entries in
|
|
|
|
/etc/shorewall/tcdevices and /etc/shorewall/tcclasses.
|
|
|
|
|
|
|
|
- lib.tcrules. Must be available if you have entries in
|
|
|
|
/etc/shorewall/tcrules.
|
|
|
|
|
|
|
|
- lib.tunnels. Must be available if you have entries in
|
|
|
|
/etc/shorewall/tunnels.
|
|
|
|
|
2006-08-29 18:25:22 +02:00
|
|
|
Embedded applications can further decrease the size of the Shorewall
|
2006-08-28 18:26:11 +02:00
|
|
|
footprint by:
|
|
|
|
|
|
|
|
- Omitting the macro files.
|
|
|
|
- Omitting all unused extension scripts.
|
|
|
|
|
2006-08-29 22:21:59 +02:00
|
|
|
2) As hinted in the previous bullet, there is a new USE_ACTIONS option
|
|
|
|
in /etc/shorewall/shorewall.conf. Shorewall actions can be very
|
|
|
|
powerful but they also require a lot of code to implement. Embedded
|
|
|
|
applications can omit that code by setting
|
|
|
|
USE_ACTIONS=No. Shorewall will ignore all action-related files
|
|
|
|
including /usr/share/shorewall/actions.std and
|
|
|
|
/etc/shorewall/actions. Builtin actions will still be available for
|
|
|
|
use in rules and macros.
|
|
|
|
|
2006-08-31 00:04:49 +02:00
|
|
|
The 'Limit' action has been converted to a builtin so that Limit is
|
|
|
|
available even when USE_ACTIONS=No.
|
2006-08-29 22:21:59 +02:00
|
|
|
|
2006-08-31 00:04:49 +02:00
|
|
|
See the next item for more information.
|
2006-08-29 22:21:59 +02:00
|
|
|
|
2006-12-28 19:12:08 +01:00
|
|
|
3) Prior to Shorewall 3.4, default actions were specified in
|
2006-08-30 19:06:23 +02:00
|
|
|
/usr/share/shorewall/actions.std or in /etc/shorewall/actions.
|
|
|
|
|
|
|
|
This approach has two drawbacks:
|
|
|
|
|
|
|
|
a) All DROP policies must use the same default action and all
|
|
|
|
REJECT policies must use the same default action.
|
|
|
|
|
2006-09-09 18:16:41 +02:00
|
|
|
b) Now that we have modularized action processing (see the New
|
|
|
|
Features section below), we need a way to define default rules
|
|
|
|
for a policy that does not involve actions.
|
2006-08-30 19:06:23 +02:00
|
|
|
|
2006-08-30 22:03:38 +02:00
|
|
|
The solution is two-fold:
|
|
|
|
|
2006-08-31 08:14:47 +02:00
|
|
|
- Four new options have been added to the
|
2006-08-30 22:03:38 +02:00
|
|
|
/etc/shorewall/shorewall.conf file that allow specifying the
|
2006-08-31 08:14:47 +02:00
|
|
|
default action for DROP, REJECT, ACCEPT and QUEUE.
|
2006-08-30 22:03:38 +02:00
|
|
|
|
2006-08-31 08:14:47 +02:00
|
|
|
The options are DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and
|
|
|
|
QUEUE_DEFAULT.
|
2006-08-30 22:03:38 +02:00
|
|
|
|
|
|
|
DROP_DEFAULT describes the rules to be applied before a
|
|
|
|
connection request is dropped by a DROP policy; REJECT_DEFAULT
|
|
|
|
describes the rules to be applied if a connection request is
|
2006-08-31 08:14:47 +02:00
|
|
|
rejected by a REJECT policy. The other two are similar for
|
|
|
|
ACCEPT and QUEUE policies.
|
2006-08-30 22:03:38 +02:00
|
|
|
|
|
|
|
The value assigned to these may be:
|
2006-08-30 19:06:23 +02:00
|
|
|
|
2006-10-31 20:01:23 +01:00
|
|
|
a) The name of an action.
|
2006-08-30 22:03:38 +02:00
|
|
|
b) The name of a macro
|
|
|
|
c) 'None' or 'none'
|
|
|
|
|
|
|
|
The default values are:
|
|
|
|
|
|
|
|
DROP_DEFAULT="Drop"
|
|
|
|
REJECT_DEFAULT="Reject"
|
2006-08-31 08:14:47 +02:00
|
|
|
ACCEPT_DEFAULT=none
|
|
|
|
QUEUE_DEFAULT=none
|
2006-08-30 22:03:38 +02:00
|
|
|
|
|
|
|
If USE_ACTIONS=Yes, then these values refer to action.Drop and
|
|
|
|
action.Reject respectively. If USE_ACTIONS=No, then these values
|
|
|
|
refer to macro.Drop and macro.Reject.
|
|
|
|
|
|
|
|
If you set the value of either option to "None" then no default
|
2006-11-23 01:58:38 +01:00
|
|
|
action will be used and the default action or macro (if any)
|
|
|
|
must be specified in /etc/shorewall/policy
|
2006-08-30 22:03:38 +02:00
|
|
|
|
|
|
|
- The POLICY column in /etc/shorewall/policy has been extended.
|
|
|
|
|
2006-08-31 08:14:47 +02:00
|
|
|
In /etc/shorewall/policy, when the POLICY is DROP, REJECT,
|
|
|
|
ACCEPT or QUEUE then the policy may be followed by ":" and one
|
|
|
|
of the following:
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-08-30 19:06:23 +02:00
|
|
|
a) The word "None" or "none". This causes any default
|
2006-09-09 18:16:41 +02:00
|
|
|
action defined in /etc/shorewall/shorewall.conf
|
|
|
|
to be omitted for this policy.
|
2006-08-30 19:06:23 +02:00
|
|
|
b) The name of an action (requires that USE_ACTIONS=Yes
|
2006-10-31 20:01:23 +01:00
|
|
|
in shorewall.conf). That action will be invoked
|
2006-08-30 19:06:23 +02:00
|
|
|
before the policy is enforced.
|
|
|
|
c) The name of a macro. The rules in that macro will
|
|
|
|
be applied before the policy is enforced. This
|
|
|
|
does not require USE_ACTIONS=Yes.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
#SOURCE DEST POLICY LOG
|
|
|
|
# LEVEL
|
|
|
|
loc net ACCEPT
|
2006-09-09 18:16:41 +02:00
|
|
|
net all DROP:MyDrop info
|
2006-08-30 19:06:23 +02:00
|
|
|
#
|
|
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
|
|
#
|
2006-09-09 18:16:41 +02:00
|
|
|
all all REJECT:MyReject info
|
2006-10-05 00:40:34 +02:00
|
|
|
|
|
|
|
4) For users whose kernel and iptables have Extended MARK Target
|
|
|
|
support, it is now possible to logically AND or OR a value into the
|
|
|
|
current packet mark by preceding the mark value (and optional mask)
|
|
|
|
with an ampersand ("&") or vertical bar ("|") respectively.
|
|
|
|
|
|
|
|
Example: To logically OR the value 4 into the mark value for
|
|
|
|
packets from 192.168.1.1:
|
|
|
|
|
|
|
|
#MARK SOURCE
|
|
|
|
|4 192.168.1.1
|
|
|
|
|
|
|
|
5) Previously, zone names were restricted to five characters in
|
2006-11-23 01:58:38 +01:00
|
|
|
length. That limit derives from the --log-prefix in Netfilter log
|
2006-10-05 00:40:34 +02:00
|
|
|
messages which must be 29 bytes or less in length. With the
|
|
|
|
standard Shorewall LOGFORMAT, that leaves 11 characters for the
|
|
|
|
chain name; given that many chain names are of the form
|
2006-11-21 00:39:46 +01:00
|
|
|
<zone1>2<zone2>, that gives a maximum zone name length of 5.
|
2006-10-05 00:40:34 +02:00
|
|
|
|
|
|
|
Beginning with this release, the maximum length of a zone name is
|
|
|
|
dependent on the LOGFORMAT (the maximum length may never be less
|
|
|
|
than 5 but it may be greater than 5). For example, setting
|
|
|
|
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
|
|
|
|
|
2006-11-23 01:58:38 +01:00
|
|
|
6) Netfilter provides support for attachmend of comments to Netfilter
|
|
|
|
rules. Comments can be up to 255 bytes in length and are visible
|
|
|
|
using the "shorewall show <chain>", "shorewall show nat",
|
2006-10-20 19:41:13 +02:00
|
|
|
"shorewall show mangle" and "shorewall dump" commands. Comments are
|
|
|
|
delimited by '/* ... */" in the output.
|
|
|
|
|
2006-12-28 19:12:08 +01:00
|
|
|
Beginning with Shorewall 3.4, you may place COMMENT lines in the
|
2006-10-20 19:41:13 +02:00
|
|
|
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
|
|
|
|
and /etc/shorewall/masq files and in action files. The remainder of
|
|
|
|
the line is treated as a comment and it will be attached as a
|
2006-11-23 01:58:38 +01:00
|
|
|
Netfilter comment to the rule(s) generated by succeding entries
|
2006-10-20 19:41:13 +02:00
|
|
|
in the file.
|
|
|
|
|
|
|
|
Note: Do not prefix the comment with "#". Shorewall's two-pass
|
|
|
|
compiler strips off "#" comments in the first pass and processes
|
2006-11-23 01:58:38 +01:00
|
|
|
COMMENT lines in the second pass. Hence, by the time that COMMENT
|
|
|
|
is processed, the "#" and everything following it has been removed
|
|
|
|
(see example below).
|
2006-10-20 19:41:13 +02:00
|
|
|
|
|
|
|
To stop the current comment from being attached to further
|
|
|
|
rules, simply include COMMENT on a line by itself (so that the
|
|
|
|
following rules will have no comment) or specify a new COMMENT.
|
|
|
|
|
|
|
|
If you do not have Comment support in your iptables/kernel (see the
|
|
|
|
output of "shorewall[-lite] show capabilities") then COMMENTS are
|
|
|
|
ignored with this warning:
|
|
|
|
|
|
|
|
COMMENT ignored -- requires comment support in iptables/Netfilter
|
|
|
|
|
|
|
|
Example from my rules file:
|
|
|
|
|
|
|
|
#SOURCE SOURCE DEST PROTO DEST PORT(S)
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-10-20 19:41:13 +02:00
|
|
|
COMMENT Stop Microsoft Noise
|
|
|
|
|
|
|
|
REJECT loc net tcp 137,445
|
|
|
|
REJECT loc net udp 137:139
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-10-20 19:41:13 +02:00
|
|
|
COMMENT # Stop comment from being attached to rules below
|
|
|
|
|
|
|
|
The output of "shorewall show loc2net" includes (folded):
|
|
|
|
|
|
|
|
0 0 reject tcp -- * * 0.0.0.0/0
|
|
|
|
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
|
|
|
|
0 0 reject udp -- * * 0.0.0.0/0
|
|
|
|
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */
|
|
|
|
|
|
|
|
7) A new macro (macro.RDP) has been added for Microsoft Remote
|
|
|
|
Desktop. This macro was contributed by Tuomo Soini.
|
|
|
|
|
|
|
|
8) A new 'maclog' extension file has been added. This file is
|
|
|
|
processed just before logging based on the setting of
|
2006-11-23 01:58:38 +01:00
|
|
|
MACLIST_LOG_LEVEL is done. When the extension is invoked, the CHAIN
|
|
|
|
variable will contain the name of the chain where rules should be
|
|
|
|
inserted. Remember that if you have specified MACLIST_TABLE=mangle,
|
|
|
|
then your run_iptables commands should include "-t mangle".
|
2006-10-20 19:41:13 +02:00
|
|
|
|
|
|
|
9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
|
|
|
|
more accurately describe the contents of the column.
|
|
|
|
|
|
|
|
10) Previously, it was not possible to use exclusion in
|
|
|
|
/etc/shorewall/hosts. Beginning with this release, you may now use
|
|
|
|
exclusion lists in entries in this file. Exclusion lists are
|
|
|
|
discussed at:
|
|
|
|
|
|
|
|
http://www.shorewall.net/configuration_file_basics.htm#Exclusion.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28
|
|
|
|
|
|
|
|
In that example, the 'loc' zone is defined to be the subnet
|
|
|
|
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
|
|
|
|
and hosts in the sub-network 192.168.1.16/28.
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
11) New "shorewall[-lite] show ip" and "shorewall[-lite] show routing"
|
|
|
|
commands have been added. The first produces the same output as "ip
|
|
|
|
addr ls". The second produces a report about your routing rules and
|
|
|
|
tables.
|
|
|
|
|
|
|
|
12) Beginning with this release, Shorewall and Shorewall Lite will
|
|
|
|
share common change logs and release notes.
|
|
|
|
|
2006-12-28 19:12:08 +01:00
|
|
|
13) In Shorewall versions prior to 3.4, multiple jumps to a '2all'
|
2006-10-30 19:22:46 +01:00
|
|
|
chain could be generated in succession.
|
|
|
|
|
|
|
|
Example from an earlier shorewall version:
|
|
|
|
|
|
|
|
gateway:~ # shorewall-lite show eth2_fwd
|
2006-12-28 19:12:08 +01:00
|
|
|
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
Counters reset Thu Oct 19 08:34:47 PDT 2006
|
|
|
|
|
|
|
|
Chain eth2_fwd (1 references)
|
|
|
|
pkts bytes target prot opt in out source destination
|
|
|
|
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
|
2006-11-23 01:58:38 +01:00
|
|
|
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
|
|
|
|
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0
|
|
|
|
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0
|
|
|
|
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
|
2006-10-31 20:01:23 +01:00
|
|
|
gateway:~ #
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
|
|
|
|
|
|
|
|
gateway:~ # shorewall-lite show eth2_fwd
|
2006-12-28 19:12:08 +01:00
|
|
|
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
Counters reset Thu Oct 19 09:15:19 PDT 2006
|
|
|
|
|
|
|
|
Chain eth2_fwd (1 references)
|
|
|
|
pkts bytes target prot opt in out source destination
|
|
|
|
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
|
|
|
|
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
|
|
|
|
gateway:~ #
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-10-30 19:22:46 +01:00
|
|
|
Note that with OPTIMIZE=1, traffic destined for an
|
|
|
|
interface/Address that falls outside of all defined zones may now
|
|
|
|
be logged out of a '2all' chain rather than out of the FORWARD
|
|
|
|
chain.
|
|
|
|
|
|
|
|
The OPTIMIZE setting also controls the suppression of redundant
|
|
|
|
wildcard rules (those specifying "all" in the SOURCE or DEST
|
|
|
|
column). A wildcard rule is considered to be redundant when it
|
|
|
|
has the same ACTION and Log Level as the applicable policy.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
/etc/shorewall/policy
|
|
|
|
|
|
|
|
#SOURCE DEST POLICY LEVEL
|
|
|
|
loc net ACCEPT
|
|
|
|
|
|
|
|
/etc/shorewall/rules
|
|
|
|
|
|
|
|
#ACTION SOURCE DEST PROTO DEST
|
|
|
|
# PORT(S)
|
|
|
|
...
|
|
|
|
ACCEPT all all icmp 8
|
|
|
|
|
|
|
|
OPTIMIZE=0
|
|
|
|
|
|
|
|
gateway:~ # shorewall show loc2net
|
2006-12-28 19:12:08 +01:00
|
|
|
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:55:03 PDT 2006
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
Counters reset Thu Oct 26 07:54:58 PDT 2006
|
|
|
|
|
|
|
|
Chain loc2net (1 references)
|
2006-10-31 20:01:23 +01:00
|
|
|
pkts bytes target prot opt in out source destination
|
2006-10-30 19:22:46 +01:00
|
|
|
...
|
2006-10-31 20:01:23 +01:00
|
|
|
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
|
|
|
|
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
|
|
|
|
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
gateway:~
|
|
|
|
|
|
|
|
OPTIMIZE=1
|
2006-10-31 20:01:23 +01:00
|
|
|
|
2006-10-30 19:22:46 +01:00
|
|
|
gateway:~ # shorewall show loc2net
|
2006-12-28 19:12:08 +01:00
|
|
|
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
Counters reset Thu Oct 26 07:56:38 PDT 2006
|
|
|
|
|
|
|
|
Chain loc2net (1 references)
|
2006-10-31 20:01:23 +01:00
|
|
|
pkts bytes target prot opt in out source destination
|
2006-10-30 19:22:46 +01:00
|
|
|
...
|
2006-10-31 20:01:23 +01:00
|
|
|
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
|
|
|
|
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
2006-10-30 19:22:46 +01:00
|
|
|
|
|
|
|
gateway:~
|
|
|
|
|
|
|
|
If you really want a rule that duplicates the policy, follow the
|
|
|
|
action with "!":
|
|
|
|
|
|
|
|
#ACTION SOURCE DEST PROTO DEST
|
|
|
|
# PORT(S)
|
|
|
|
...
|
|
|
|
ACCEPT! all all icmp 8
|
|
|
|
|
|
|
|
14) IP Address ranges are now allowed in the drop, reject, allow and
|
|
|
|
logdrop shorewall[-lite] commands.
|
|
|
|
|
2006-11-21 00:39:46 +01:00
|
|
|
15) Previously, Shorewall has not attempted to undo the changes it has
|
2006-10-30 19:22:46 +01:00
|
|
|
made to the firewall's routing as a result of entries in
|
|
|
|
/etc/shorewall/providers and /etc/shorewall/routes. Beginning with
|
|
|
|
this release, Shorewall will attempt to undo these changes.
|
|
|
|
|
|
|
|
When Shorewall starts or is restarted and there are entries in
|
|
|
|
/etc/shorewall/providers, Shorewall will capture the contents
|
|
|
|
of /etc/shorewall/rt_tables and will restore that database when
|
|
|
|
Shorewall is stopped or restarted. Similarly, the default route
|
|
|
|
will be captured the first time that you [re]start Shorewall using
|
|
|
|
this version and will be restored under the following conditions:
|
|
|
|
|
|
|
|
a) shorewall stop
|
|
|
|
b) shorewall clear
|
|
|
|
c) shorewall restart or restore and there are no entries in
|
|
|
|
/etc/shorewall/providers.
|
|
|
|
|
|
|
|
Once the default route has been restored, Shorewall will delete
|
|
|
|
the saved copy so that it will once again be captured at the next
|
|
|
|
shorewall start or shorewall restore.
|
|
|
|
|
2006-11-21 00:39:46 +01:00
|
|
|
16) Shorewall no longer includes policy matches in its generated
|
2006-11-20 16:42:20 +01:00
|
|
|
ruleset when no IPSEC zones or IPSEC networks are defined (IPSEC
|
|
|
|
networks are defined using the 'ipsec' option in
|
|
|
|
/etc/shorewall/hosts).
|
|
|
|
|
2006-11-21 00:39:46 +01:00
|
|
|
17) The Makefile installed in /usr/share/shorewall/configfiles/ is now
|
2006-11-20 16:42:20 +01:00
|
|
|
the same one mentioned at
|
|
|
|
http://www.shorewall.net/CompiledPrograms.html.
|
|
|
|
|
|
|
|
Once the file is copied into an export directory, you modify the
|
|
|
|
setting of the HOST variable to match the name of the remote
|
|
|
|
firewall.
|
|
|
|
|
|
|
|
The default target is the "firewall" script so "make" compiles the
|
|
|
|
firewall script if any of the configuration files have
|
|
|
|
changed. "make install" builds "firewall" if necessary then
|
|
|
|
installs it on the remote firewall. "make capabilities" will
|
2006-12-31 17:17:45 +01:00
|
|
|
generate the "capabilities" file. "make save" will save the running
|
|
|
|
configuration on the remote firewall.
|
2006-11-20 16:42:20 +01:00
|
|
|
|
2006-11-21 00:39:46 +01:00
|
|
|
18) Shorewall and Shorewall Lite now include the following manpages.
|
2006-11-20 16:42:20 +01:00
|
|
|
|
|
|
|
shorewall-accounting(5)
|
|
|
|
shorewall-actions(5)
|
|
|
|
shorewall-blacklist(5)
|
|
|
|
shorewall.conf(5)
|
2006-12-15 00:05:59 +01:00
|
|
|
shorewall-ecn(5)
|
|
|
|
shorewall-exclusion(5)
|
2006-11-20 16:42:20 +01:00
|
|
|
shorewall-hosts(5)
|
|
|
|
shorewall-interfaces(5)
|
2007-01-02 17:01:46 +01:00
|
|
|
shorewall-lite.conf(5)
|
2006-11-20 16:42:20 +01:00
|
|
|
shorewall-lite(8)
|
|
|
|
shorewall-maclist(5)
|
|
|
|
shorewall-masq(5)
|
|
|
|
shorewall-nat(5)
|
|
|
|
shorewall-netmap(5)
|
|
|
|
shorewall-params(5)
|
|
|
|
shorewall-policy(5)
|
|
|
|
shorewall-providers(5)
|
|
|
|
shorewall-proxyarp(5)
|
|
|
|
shorewall-route_rules(5)
|
|
|
|
shorewall-routestopped(5)
|
|
|
|
shorewall-rules(5)
|
|
|
|
shorewall-tcclasses(5)
|
|
|
|
shorewall-tcdevices(5)
|
|
|
|
shorewall-tcrules(5)
|
|
|
|
shorewall-template(5)
|
|
|
|
shorewall-tos(5)
|
|
|
|
shorewall-tunnels(5)
|
|
|
|
shorewall(8)
|
|
|
|
shorewall-zones(5)
|
2006-11-21 00:39:46 +01:00
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
Now that the manpages are in place, command-specific help has been
|
|
|
|
removed since it duplicates information in the man pages.
|
|
|
|
|
2006-11-21 00:39:46 +01:00
|
|
|
19) From the beginning, the Shorewall configuration files in
|
|
|
|
/etc/shorewall/ have contained documentary comments. While these
|
|
|
|
comments are useful, they present an upgrade problem. Beginning
|
|
|
|
with this release, these comments are removed from the
|
|
|
|
configuration files themselves and are replaced by the manpages
|
|
|
|
described in the preceding release note entry.
|
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
20) Shorewall now uses tc fwmark filters to classify packets for
|
|
|
|
traffic shaping when the DEVICE isn't an interface described in
|
|
|
|
/etc/shorewall/interfaces. This is in preparation for the upcoming
|
|
|
|
change to the way that --physdev-out works in iptables/Netfilter;
|
|
|
|
that change is now scheduled for kernel 2.6.20.
|
|
|
|
|
|
|
|
21) If your kernel and iptables have extended multiport support, then
|
|
|
|
Shorewall will use that support for the destination port when
|
|
|
|
generating rules from entries in the /etc/shorewall/tcrules file.
|
|
|
|
|
|
|
|
22) The 'safe-start' and 'safe-restart' command have been
|
|
|
|
improved. Both now accept an optional directory name; if supplied,
|
|
|
|
Shorewall will look first in that directory for configuration
|
|
|
|
files.
|
|
|
|
|
|
|
|
The commands have also been enhanced to only restore the
|
|
|
|
configuration once in the event of a failure. Previously, if there
|
|
|
|
was a current 'save' command in effect, then that configuration
|
|
|
|
would be restored on a failure and then the last-running
|
|
|
|
configuration would be restored.
|
|
|
|
|
|
|
|
23) The 'try' command has been reimplemented with new semantics.
|
|
|
|
|
|
|
|
If Shorewall is started then the firewall state is saved to a
|
|
|
|
temporary saved configuration (/var/lib/shorewall/.try). Next, if
|
|
|
|
Shorewall is currently started then a restart command is issued;
|
|
|
|
otherwise, a start command is performed. if an error occurs during
|
|
|
|
the compliation phase of the restart or start, the command
|
|
|
|
terminates without changing the Shorewall state. If an error occurs
|
|
|
|
during the restart phase, then a 'shorewall restore' is performed
|
|
|
|
using the saved configuration. If an error occurs during the start
|
|
|
|
phase, then Shorewall is cleared. If the start/restart succeeds
|
|
|
|
and a timeout is specified then a 'clear' or 'restore' is performed
|
|
|
|
after timeout seconds.
|
|
|
|
|
|
|
|
24) The syntax of the 'export' command has been made slightly
|
|
|
|
friendlier.
|
|
|
|
|
|
|
|
The old syntax:
|
|
|
|
|
|
|
|
export <directory1> [user@]system:[<directory2>]
|
|
|
|
|
|
|
|
It is now:
|
|
|
|
|
|
|
|
export <directory1> [user@]system[:<directory2>]
|
|
|
|
|
|
|
|
In other words, if you don't need to specify <directory2>, you may
|
|
|
|
omit the colon (":") following the system name.
|
|
|
|
|
|
|
|
The old syntax is still accepted -- that is, you can still
|
|
|
|
type:
|
|
|
|
|
|
|
|
export firewall2:
|
|
|
|
|
|
|
|
which is equivalent to
|
|
|
|
|
|
|
|
export firewall2
|
|
|
|
|
|
|
|
25) Shorewall commands may be speeded up slightly by using a
|
|
|
|
'capabilities' file. The 'capabilities' file was originally
|
|
|
|
designed for use with Shorewall Lite and records the
|
|
|
|
iptables/Netfilter features available on the target system.
|
|
|
|
|
|
|
|
To generate a capabilities file, execute the following command as
|
|
|
|
root:
|
|
|
|
|
|
|
|
shorewall show -f capabilities > /etc/shorewall/capabilities
|
|
|
|
|
|
|
|
When you install a new kernel and/or iptables, be sure to generate
|
|
|
|
a new capabilities file.
|
|
|
|
|
|
|
|
26) When syslogd is run with the -C option (which in some
|
|
|
|
implementations causes syslogd to log to an in-memory circular
|
|
|
|
buffer), /sbin/shorewall will now use the 'logread' command to read
|
|
|
|
the log from that buffer. This is for combatibility with OpenWRT.
|
|
|
|
|
|
|
|
27) There is now a ":T" qualifier in /etc/shorewall/tcrules which
|
|
|
|
causes the resulting rule to be inserted into the POSTROUTING
|
|
|
|
chain.
|
|
|
|
|
2007-01-01 01:40:42 +01:00
|
|
|
28) The program /usr/share/shorewall/wait4ifup can be used to wait for
|
|
|
|
a network device (such as a ppp device) to reach the UP state.
|
|
|
|
|
|
|
|
/usr/share/shorewall/wait4ifup <interface> [ <seconds> ]
|
|
|
|
|
|
|
|
The program will wait for up to <seconds> seconds for the
|
|
|
|
named <interface> to reach the UP state. if <seconds> is not given,
|
|
|
|
60 seconds is assumed.
|
|
|
|
|
2006-12-18 22:52:25 +01:00
|
|
|
Problems Corrected in 3.4.0 Beta 1.
|
|
|
|
|
|
|
|
1) It is now possible to place entries in the IPSEC column of
|
|
|
|
/etc/shorewall/masq without having specified ipsec zones or hosts.
|
|
|
|
|
2006-12-20 16:39:39 +01:00
|
|
|
2) The /etc/shorewall/masq file is no longer ignored when the
|
|
|
|
/etc/shorewall/nat file is empty.
|