2006-02-04 18:14:46 +01:00
|
|
|
|
Shorewall 3.1.6
|
2005-11-27 21:59:47 +01:00
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
Note to users upgrading from Shorewall 2.x or 3.0
|
2005-12-01 18:58:24 +01:00
|
|
|
|
|
|
|
|
|
Most problems associated with upgrades come from two causes:
|
|
|
|
|
|
|
|
|
|
- The user didn't read and follow the migration considerations in these
|
|
|
|
|
release notes.
|
|
|
|
|
|
|
|
|
|
- The user mis-handled the /etc/shorewall/shorewall.conf file during
|
|
|
|
|
upgrade. Shorewall is designed to allow the default behavior of
|
|
|
|
|
the product to evolve over time. To make this possible, the design
|
|
|
|
|
assumes that you will not replace your current shorewall.conf file
|
|
|
|
|
during upgrades. If you feel absolutely compelled to have the latest
|
|
|
|
|
comments and options in your shorewall.conf then you must proceed
|
|
|
|
|
carefully.
|
|
|
|
|
|
2005-12-10 00:49:54 +01:00
|
|
|
|
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
|
|
|
|
|
please check that file. If it has addresses listed that are NOT in one of
|
2006-01-26 00:58:12 +01:00
|
|
|
|
these three ranges, then please rename the file to
|
|
|
|
|
/etc/shorewall/rfc1918.old.
|
2005-12-10 00:49:54 +01:00
|
|
|
|
|
|
|
|
|
10.0.0.0 - 10.255.255.255
|
|
|
|
|
172.16.0.0 - 172.31.255.255
|
|
|
|
|
192.168.0.0 - 192.168.255.255
|
|
|
|
|
|
2005-12-07 17:35:28 +01:00
|
|
|
|
Please see the "Migration Considerations" below for additional upgrade
|
|
|
|
|
information.
|
|
|
|
|
|
2006-02-04 18:14:46 +01:00
|
|
|
|
Problems Corrected in 3.1.6
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-02-04 18:14:46 +01:00
|
|
|
|
1) Syntax errors reported in response to "shorewall help <command>" have
|
|
|
|
|
been eliminated.
|
2006-01-21 17:35:18 +01:00
|
|
|
|
|
2006-02-04 18:14:46 +01:00
|
|
|
|
2) The 'allow', 'drop' and 'reject' commands no longer produce iptables
|
|
|
|
|
errors when executed while Shorewall is not started.
|
2006-01-29 19:02:42 +01:00
|
|
|
|
|
2006-02-08 23:33:13 +01:00
|
|
|
|
3) Shorewall now correctly handles devices in /etc/shorewall/tcdevices that
|
|
|
|
|
are actually bridge ports.
|
|
|
|
|
|
2006-02-04 18:14:46 +01:00
|
|
|
|
Other changes in 3.1.6
|
2006-01-29 19:02:42 +01:00
|
|
|
|
|
2006-02-04 21:57:38 +01:00
|
|
|
|
1) In macro files, you can now use the reserved words SOURCE and DEST
|
|
|
|
|
in the columns of the same names. When Shorewall expands the
|
|
|
|
|
macro, it will substitute the SOURCE from the macro invocation for
|
|
|
|
|
SOURCE and the DEST from the invocation for DEST. This allows you
|
|
|
|
|
to write macros that act in both directions (from source to destination
|
|
|
|
|
and from destination to source).
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
macro.FOO:
|
|
|
|
|
|
|
|
|
|
PARAM SOURCE DEST udp 500
|
|
|
|
|
PARAM DEST SOURCE udp 500
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
|
|
|
|
|
|
FOO/ACCEPT fw net
|
|
|
|
|
|
|
|
|
|
Resulting rules:
|
|
|
|
|
|
|
|
|
|
ACCEPT fw net udp 500
|
|
|
|
|
ACCEPT net fw udp 500
|
|
|
|
|
|
|
|
|
|
This new feature has been used to implement the SMBBI macro.
|
|
|
|
|
SMBBI is the same as the SMB macro with the exception that
|
|
|
|
|
it passes SMB traffic in both directions whereas SMB only
|
|
|
|
|
passes that traffic in one direction.
|
2006-02-04 00:16:34 +01:00
|
|
|
|
|
2006-02-10 19:45:05 +01:00
|
|
|
|
2) "shorewall check -e" is now supported and uses the
|
|
|
|
|
/etc/shorewall/capabilities file to determine the capabilities of
|
|
|
|
|
the target system.
|
|
|
|
|
|
2006-02-10 20:33:31 +01:00
|
|
|
|
3) When "shorewall check" or "shorewall compile" is run by a user other
|
|
|
|
|
than root, Shorewall now automatically uses the /etc/shorewall/capabilities
|
|
|
|
|
file to determine the capabilities of the target system.
|
|
|
|
|
|
|
|
|
|
4) Shorewall now includes a 'shorecap' program. The RPM installs the
|
|
|
|
|
program in the documentation directory. The install.sh script does
|
|
|
|
|
not install the program.
|
|
|
|
|
|
|
|
|
|
The shorecap program can be used to create an /etc/shorewall/capabilities
|
|
|
|
|
file on a remote system. The file can then be copied to the local
|
|
|
|
|
system where it can be used when compiling firewall programs targeted for
|
|
|
|
|
the remote system.
|
|
|
|
|
|
|
|
|
|
For instructions about running shorecap, see the comments at the top
|
|
|
|
|
of the program file (it's a simple shell script).
|
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
Migration Considerations:
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-30 07:33:16 +01:00
|
|
|
|
1) A number of macros have been split into two. The macros affected are:
|
|
|
|
|
IMAP LDAP NNTP POP3 SMTP
|
|
|
|
|
Each of these macros now handles only traffic on the native (plaintext)
|
|
|
|
|
port. There is a corresponding macro with S added to the end of the
|
|
|
|
|
name for the SSL version of the same protocol. Thus each macro results
|
|
|
|
|
in the insertion of only one port per invocation.
|
|
|
|
|
|
|
|
|
|
The Web macro has not been split, but two new macros, HTTP and HTTPS have
|
|
|
|
|
been created. The Web macro is deprecated in favour of these new macros,
|
|
|
|
|
and may be removed from future Shorewall releases.
|
|
|
|
|
|
|
|
|
|
These changes have been made to ensure no unexpected ports are opened due
|
|
|
|
|
to the use of macros.
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-02-02 18:35:28 +01:00
|
|
|
|
2) In previous Shorewall releases, DNAT and REDIRECT rules supported a
|
|
|
|
|
special syntax for exclusion of a subnet from the effect of the rule.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
Z2 is a subzone of Z1:
|
|
|
|
|
|
|
|
|
|
DNAT Z1!Z2 loc:192.168.1.4 ...
|
|
|
|
|
|
|
|
|
|
That syntax has never worked correctly when Z2 is a dynamic zone.
|
2006-02-03 18:08:37 +01:00
|
|
|
|
Furthermore, now that Shorewall supports exclusion lists, the capability
|
2006-02-02 18:35:28 +01:00
|
|
|
|
is redundant since the above rule can now be written in the form:
|
|
|
|
|
|
|
|
|
|
DNAT Z1:!<list of exclusions> loc:192.168.1.4 ...
|
|
|
|
|
|
|
|
|
|
Beginning with Shorewall 3.2.0, the special exclusion syntax will no
|
|
|
|
|
longer be supported.
|
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
New Features:
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
1) A new 'shorewall compile' command has been added.
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-02-03 18:08:37 +01:00
|
|
|
|
shorewall compile [ -e ] [ -d <distro> ] [ <config directory> ] <script
|
2006-01-26 00:58:12 +01:00
|
|
|
|
file>
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
where:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-25 23:33:50 +01:00
|
|
|
|
-e Generates an error if the configuration uses
|
2006-01-13 00:26:37 +01:00
|
|
|
|
an option that would prevent the generated
|
|
|
|
|
script from running on a system other than
|
2006-02-03 16:10:46 +01:00
|
|
|
|
where the 'compile' command is running (see
|
2006-01-13 00:26:37 +01:00
|
|
|
|
additional consideration a) below).
|
2006-01-14 02:35:25 +01:00
|
|
|
|
Also allows the generated script to run
|
|
|
|
|
on a system without Shorewall installed.
|
2006-02-04 17:04:07 +01:00
|
|
|
|
-d <distro> Compile the script for execution on the
|
2006-02-03 18:08:37 +01:00
|
|
|
|
distribution specified by <distro>. Currently,
|
|
|
|
|
'suse' is the only valid <distro>.
|
|
|
|
|
|
|
|
|
|
Note that specifying a distribution should
|
|
|
|
|
only be required if you intend to install
|
|
|
|
|
the compiled script in /etc/init.d on the
|
|
|
|
|
target system.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
shorewall compile -d suse foo
|
|
|
|
|
|
|
|
|
|
Additional distributions are expected to be
|
|
|
|
|
supported shortly.
|
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
<config directory> Is an optional directory to be searched for
|
|
|
|
|
configuration files prior to those listed
|
2006-01-26 00:58:12 +01:00
|
|
|
|
in CONFIG_DIR in
|
|
|
|
|
/etc/shorewall/shorewall.conf.
|
2006-01-13 18:08:23 +01:00
|
|
|
|
<script file> Is the name of the output file.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
The 'compile' command processes the configuration and generates a
|
|
|
|
|
script file which may then be executed (either directly or using the
|
2006-01-26 00:58:12 +01:00
|
|
|
|
'shorewall restore' command) to configure the firewall.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-14 19:35:50 +01:00
|
|
|
|
The generated script contains error checking and will terminate if an
|
|
|
|
|
important command fails. Before terminating:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-26 00:58:12 +01:00
|
|
|
|
a) The script will check for the existence of the restore script
|
|
|
|
|
specified by the RESTOREFILE variable in shorewall.conf. If that
|
|
|
|
|
restore script exists, it is executed.
|
2006-01-14 19:35:50 +01:00
|
|
|
|
|
2006-01-26 00:58:12 +01:00
|
|
|
|
b) If the restore script doesn't exist but Shorewall appears to be
|
|
|
|
|
installed on the system, an "/sbin/shorewall stop" command is executed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
Some additional considerations:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
a) It is possible to run 'compile' on one system and then run the
|
|
|
|
|
generated script on another system but there are certain
|
2006-01-14 02:38:50 +01:00
|
|
|
|
limitations.
|
2006-01-13 00:26:37 +01:00
|
|
|
|
|
|
|
|
|
1) The same version of Shorewall must be running on the remote system
|
2006-01-14 19:35:50 +01:00
|
|
|
|
unless you use the "-e" option when you compile the script.
|
2006-01-13 00:26:37 +01:00
|
|
|
|
2) The 'detectnets' interface option is not allowed.
|
2006-02-03 18:08:37 +01:00
|
|
|
|
3) You must supply the file /etc/shorewall/capabilities to provide
|
|
|
|
|
the compiler with knowledge of the capabilities of the system
|
|
|
|
|
where the script is to be run. The /etc/shorewall/capabilities
|
|
|
|
|
file included in this release includes instructions for its
|
|
|
|
|
use.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-25 23:33:50 +01:00
|
|
|
|
b) If you have extension scripts, they may need modification. Some of
|
2006-01-26 00:58:12 +01:00
|
|
|
|
the scripts will be run at compile time, rather than when the
|
|
|
|
|
generated script is executed. The standard functions like
|
|
|
|
|
'run_iptables' and 'log_rule_limit' will write the iptables command
|
|
|
|
|
to the script file rather than executing the command. As always, you
|
|
|
|
|
can check $COMMAND to determine which shorewall command is being
|
|
|
|
|
executed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-26 00:58:12 +01:00
|
|
|
|
Extension Scripts that are run at compile time rather than at
|
|
|
|
|
run-time are:
|
2006-01-25 23:33:50 +01:00
|
|
|
|
|
|
|
|
|
- params
|
|
|
|
|
- init
|
|
|
|
|
- continue
|
|
|
|
|
- initdone
|
|
|
|
|
- start
|
|
|
|
|
- started
|
2006-01-26 00:58:12 +01:00
|
|
|
|
- All scripts associated with a given chain such as Action
|
|
|
|
|
chains
|
2006-01-25 23:33:50 +01:00
|
|
|
|
|
2006-01-28 06:46:27 +01:00
|
|
|
|
If you need to interject run-time code into the generated script then
|
|
|
|
|
you need to write it to file descriptor 3. Here is an example of creating
|
|
|
|
|
tap device tap0 and adding it to bridge xenbr0; the text will be indented
|
|
|
|
|
to line up with the surrounding text:
|
|
|
|
|
|
|
|
|
|
cat >&3 << __EOF__
|
|
|
|
|
${INDENT}if ! qt /sbin/ip link ls dev tap0; then
|
|
|
|
|
${INDENT} /usr/sbin/openvpn --mktun --dev tap0
|
|
|
|
|
${INDENT} /sbin/ip link set dev tap0 up
|
|
|
|
|
${INDENT} /sbin/brctl addif xenbr0 tap0
|
|
|
|
|
${INDENT}fi
|
|
|
|
|
|
|
|
|
|
__EOF__
|
|
|
|
|
|
|
|
|
|
This results in the following code in the script:
|
|
|
|
|
|
|
|
|
|
if ! qt /sbin/ip link ls dev tap0; then
|
|
|
|
|
/usr/sbin/openvpn --mktun --dev tap0
|
|
|
|
|
/sbin/ip link set dev tap0 up
|
|
|
|
|
/sbin/brctl addif xenbr0 tap0
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(Yes -- there is an extra blank line at the end)
|
|
|
|
|
|
|
|
|
|
If you need to expand variables in the generated text, be sure to escape
|
|
|
|
|
the '$' symbol.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
cat >&3 << __EOF__
|
|
|
|
|
|
|
|
|
|
${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
|
|
|
|
|
${INDENT}if [ -n "\$addr" ]; then
|
|
|
|
|
${INDENT} addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
|
|
|
|
|
${INDENT} for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
|
|
|
|
|
${INDENT} if in_network \$addr \$network; then
|
|
|
|
|
${INDENT} startup_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface"
|
|
|
|
|
${INDENT} fi
|
|
|
|
|
${INDENT} done
|
|
|
|
|
${INDENT}fi
|
|
|
|
|
|
|
|
|
|
__EOF__
|
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
Compilation generates a complete program. This program is suitable for
|
|
|
|
|
installation into /etc/init.d and, when generated with the "-e" option,
|
|
|
|
|
can serve as your firewall on a system that doesn't even have Shorewall
|
|
|
|
|
installed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
The generated program supports the following commands:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] start
|
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] stop
|
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] clear
|
2006-02-03 16:27:54 +01:00
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] restart
|
2006-02-03 16:10:46 +01:00
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] status
|
|
|
|
|
<program> [ -q ] [ -v ] [ -n ] version
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
The "shorewall start" and "shorewall restart" commands have been
|
|
|
|
|
rewritten to use compilation. They both compile a temporary program
|
|
|
|
|
then run it. This results in a slightly longer elapsed time than the
|
|
|
|
|
similar commands required under earlier versions of Shorewall but new
|
|
|
|
|
connections are blocked for a much smaller percentage of that time.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
|
|
|
|
|
on my firewall:
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
real 0m16.599s
|
|
|
|
|
user 0m6.292s
|
|
|
|
|
sys 0m9.885s
|
|
|
|
|
|
|
|
|
|
Of the elapsed 16.5 seconds, new connections are disabled less than
|
|
|
|
|
3.5 seconds. Here are some numbers for comparison:
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
2006-01-25 23:33:50 +01:00
|
|
|
|
A) shorewall restart (Shorewall 3.0.4)
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
|
|
|
|
real 0m17.540s
|
|
|
|
|
user 0m5.956s
|
|
|
|
|
sys 0m10.737s
|
|
|
|
|
|
2006-01-25 23:33:50 +01:00
|
|
|
|
B) ./foo restart # foo created using "shorewall compile"
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
real 0m3.297s
|
|
|
|
|
user 0m1.444s
|
|
|
|
|
sys 0m1.728s
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
2006-01-25 23:33:50 +01:00
|
|
|
|
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
|
|
|
|
|
# "shorewall save"
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
|
|
|
|
real 0m1.164s
|
|
|
|
|
user 0m0.556s
|
|
|
|
|
sys 0m0.608s
|
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
D) shorewall restore (shorewall 3.1.5)
|
2006-01-25 23:33:50 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
real 0m1.637s
|
|
|
|
|
user 0m0.728s
|
|
|
|
|
sys 0m0.584s
|
2006-01-25 23:33:50 +01:00
|
|
|
|
|
2006-02-03 16:10:46 +01:00
|
|
|
|
The time difference between B and C reflects the difference between
|
|
|
|
|
"iptables-restore" and multiple executions of "iptables". The time
|
|
|
|
|
difference between C and D results from the fact that the "restore"
|
|
|
|
|
command in Shorewall 3.1 runs the compiled program in a way that
|
|
|
|
|
turns all iptables commands into no-ops then invokes
|
|
|
|
|
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
|
2006-01-26 00:58:12 +01:00
|
|
|
|
|
|
|
|
|
As a final part of this change, the "check" command now compiles the
|
|
|
|
|
current configuration then discards the generated script. So "check"
|
|
|
|
|
performs all of the same checks that compile does. Note that there is
|
|
|
|
|
still no guarantee that the generated script won't encounter run-time
|
|
|
|
|
errors.
|
2006-02-02 00:43:12 +01:00
|
|
|
|
|
|
|
|
|
2) The /etc/shorewall/maclist file has a new column layout. The first column
|
|
|
|
|
is now DISPOSITION. This column determines what to do with matching
|
|
|
|
|
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
|
|
|
|
|
can also contain REJECT). This change is upward compatible so your existing
|
|
|
|
|
maclist file can still be used.
|
|
|
|
|
|
|
|
|
|
ACCEPT, DROP and REJECT may be optionally followed by a log level to
|
|
|
|
|
cause the packet to be logged.
|
|
|
|
|
|
|
|
|
|
3) Shorewall has always been very noisy (lots of messages). No more.
|
|
|
|
|
|
|
|
|
|
You set the default level of verbosity using the VERBOSITY option in
|
|
|
|
|
shorewall.conf. If you don't set it (as would be the case of you use your
|
|
|
|
|
old shorewall.conf file) then VERBOSITY defaults to a value of 2 which is
|
|
|
|
|
the old default. A value of 1 suppresses some of the output (like the old
|
2006-02-03 22:39:00 +01:00
|
|
|
|
-q option did) while a value of 0 makes Shorewall almost silent. A value
|
|
|
|
|
of -1 suppresses all output except warning and error messages.
|
2006-02-02 00:43:12 +01:00
|
|
|
|
|
|
|
|
|
The value specified in the 3.2 shorewall.conf is 1. So you can make
|
|
|
|
|
Shorewall as verbose as previously using a single -v and you can make it
|
|
|
|
|
silent by using a single -q.
|
|
|
|
|
|
|
|
|
|
If the default is set at 2, you can still make a command silent by using
|
|
|
|
|
two "q"s (e.g., shorewall -qq restart).
|
|
|
|
|
|
|
|
|
|
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
|
|
|
|
|
to VERBOSITY.
|
|
|
|
|
|
|
|
|
|
The "shorewall show log", "shorewall logwatch" and "shorewall dump"
|
2006-02-03 22:39:00 +01:00
|
|
|
|
commands require VERBOSITY to be greater than or equal to 3 to display MAC
|
2006-02-02 00:43:12 +01:00
|
|
|
|
addresses.This is consistent with the previous implementation which
|
|
|
|
|
required a single -v to enable MAC display but means that if you set
|
|
|
|
|
VERBOSITY=0 in shorewall.conf, then you will need to include -vvv in
|
|
|
|
|
commands that display log records in order to have MACs displayed.
|
|
|
|
|
|