Shorewall 4.1 Patch Release 2.

----------------------------------------------------------------------------
                R E L E A S E  4 . 1  H I G H L I G H T S
----------------------------------------------------------------------------

1)  Support is included for multiple internet providers through the same
    ethernet interface.

2)  Support for NFLOG has been added.

3)  Enhanced operational logging.

Problems corrected in Shorewall 4.1.2.

1)  If any of the following files was missing, a harmless Perl warning
    was issued:

        accounting
        maclist
        masq
        nat
        netmap
        rfc1918
        routestopped
        tunnels

    This problem was experienced mostly by Debian users and users of
    Debian derivatives such as Ubuntu.

2)  The iptables utility doesn't retry operations that fail due to
    resource shortage. Beginning with this release, Shorewall reruns
    iptables when such a failure occurs.

3)  Previously, Shorewall-perl did not accept log levels in upper case
    (e.g., INFO). Log levels are now treated in a case-insensitive manner
    by Shorewall-perl.

4)  The column headers in macro files were not aligned. This has been
    corrected, along with some inaccuracies in the macro.template file.

5)  The shorewall.conf files in the Samples did not contain some
    recently-defined options. They are now up to date.

6)  The names of the Jabber macros were shuffled. They are now named
    correctly.

Other changes in Shorewall 4.1.2.

1)  Shorewall 4.1.2 contains enhanced operational logging capabilities
    through a set of related enhancements to Shorewall-common and
    Shorewall-perl. The enhancements are not supported by
    Shorewall-shell, nor are they supported by Shorewall-lite except
    when the script is compiled using Shorewall-perl.

    a)  The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
        the name of the Shorewall operational log. The log will be
        created if it does not exist.

    b)  The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
        the verbosity at which logging will occur. It uses the same
        value range as VERBOSITY:

            -1  Do not log
             0  Almost quiet
             1  Only major steps
             2  Verbose

    c)  An absolute VERBOSITY may be specified on the command line
        using the -v option followed by -1, 0, 1 or 2.

        Example:

            shorewall -v2 check

    d)  The /etc/init.d/shorewall script supplied with the
        shorewall.net packages sets '-v0' as the default. This may be
        overridden with the OPTIONS setting in /etc/defaults/shorewall or
        /etc/sysconfig/shorewall.

    Logging occurs on both Shorewall-perl and the generated script when
    the following commands are issued:

        start
        restart
        refresh

    Messages in the log are always timestamped.

    This change adds two new options to the Shorewall-perl compiler
    (/usr/share/shorewall-perl/compiler.pl):

        --log=<logfile>
        --log_verbosity={-1|0-2}

    The --log option is ignored when --log_verbosity is not supplied or
    is supplied with value -1.

    To avoid a proliferation of parameters to
    Shorewall::Compiler::compile(), that function has been changed to
    use named parameters. Parameter names are:

        object         Object file. If omitted or '', the
                       configuration is syntax checked.
        directory      Directory. If omitted or '', configuration
                       files are located using CONFIG_PATH. Otherwise,
                       the directory named by this parameter is
                       searched first.
        verbosity      Verbosity; range -1 to 2.
        timestamp      0|1 -- timestamp messages.
        debug          0|1 -- include stack trace in warning/error
                       messages.
        export         0|1 -- compile for export.
        chains         List of chains to be reloaded by 'refresh'.
        log            File to log compiler messages to.
        log_verbosity  Log verbosity; range -1 to 2.

    Those parameters that are supplied must have defined values.

    Example:

        use lib '/usr/share/shorewall-perl/';
        use Shorewall::Compiler;

        compiler( object        => '/root/firewall',
                  log           => '/root/compile.log',
                  log_verbosity => 2 );

2)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING table.

Migration Issues.

1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING table.

New Features in Shorewall 4.1.

1)  Shorewall 4.1 contains experimental support for multiple Internet
    providers through a single ethernet interface. Configuring two
    providers through a single interface differs from two providers
    through two interfaces in several ways.

    a)  Only ethernet (or ethernet-like) interfaces can be used. For
        inbound traffic, the MAC addresses of the gateway routers are used
        to determine which provider a packet was received through. Note
        that only routed traffic can be categorized using this technique.

    b)  You must specify the address on the interface that corresponds to
        a particular provider in the INTERFACE column by following the
        interface name with a colon (":") and the address.

    c)  Entries in /etc/shorewall/masq must be qualified by the provider
        name (or number).

    d)  This feature requires Realm Match support in your kernel and
        iptables. If you use a capabilities file, you need to regenerate
        the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.

    e)  You must add route_rules entries for networks that are accessed
        through a particular provider.

    f)  If you have additional IP addresses through either provider,
        you must add route_rules to direct traffic FROM each of those
        addresses through the appropriate provider.

    Example:

        Providers Blarg (1) and Avvanta (2) are both connected to
        eth0. The firewall's IP address with Blarg is 206.124.146.176/24
        (gateway 206.124.146.254) and the IP address from Avvanta is
        130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
        address (206.124.146.177) from Blarg.

        /etc/shorewall/providers:

            #PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE             GATEWAY
            Blarg      1       1     main       eth0:206.124.146.176  206.124.146.254  ...
            Avvanta    2       2     main       eth0:130.252.144.8    130.252.144.254  ...

        /etc/shorewall/masq:

            #INTERFACE     SOURCE           ADDRESS
            eth0(Blarg)    130.252.144.8    206.124.146.176
            eth0(Avvanta)  206.124.146.176  130.252.144.8
            eth0(Blarg)    eth1             206.124.146.176
            eth0(Avvanta)  eth1             130.252.144.8

        /etc/shorewall/route_rules:

            #SOURCE          DEST              PROVIDER  PRIORITY
            -                206.124.146.0/24  Blarg     1000
            -                130.252.144.0/24  Avvanta   1000
            206.124.146.177  -                 Blarg     26000
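    As an added example (not Shorewall's own code), the following Python derives the route_rules entries that items e) and f) call for from the two providers in the example; it assumes the /24 prefix lengths and the priorities 1000 and 26000 shown above, and decides which provider an extra address belongs to by checking which provider's on-link network contains it.

```python
"""Derive route_rules entries for providers sharing one interface (items e
and f above).  Added example, not Shorewall code; the /24 prefix lengths and
the priorities come from the example text."""
import ipaddress

# Constructed from the example: provider -> (firewall address on eth0 with
# prefix length, gateway).  The providers file carries only the bare
# address (eth0:206.124.146.176); the /24 is taken from the prose.
PROVIDERS = {
    "Blarg":   ("206.124.146.176/24", "206.124.146.254"),
    "Avvanta": ("130.252.144.8/24",   "130.252.144.254"),
}
EXTRA_ADDRESSES = ["206.124.146.177"]   # second address from Blarg

NET_PRIORITY = 1000      # priorities used by the example route_rules
ADDR_PRIORITY = 26000


def provider_for(address, providers=PROVIDERS):
    """Return the provider whose on-link network contains address."""
    ip = ipaddress.ip_address(address)
    for name, (iface_addr, _gateway) in providers.items():
        if ip in ipaddress.ip_interface(iface_addr).network:
            return name
    raise ValueError(f"{address} is not on any provider's network")


def route_rules(providers=PROVIDERS, extra=EXTRA_ADDRESSES):
    """Build (SOURCE, DEST, PROVIDER, PRIORITY) tuples.

    One rule per provider so its own subnet is reached through it (item
    e), then one rule per additional address so traffic FROM that address
    leaves through the provider that assigned it (item f).
    """
    rules = []
    for name, (iface_addr, _gateway) in providers.items():
        net = ipaddress.ip_interface(iface_addr).network
        rules.append(("-", str(net), name, NET_PRIORITY))
    for addr in extra:
        rules.append((addr, "-", provider_for(addr, providers), ADDR_PRIORITY))
    return rules


def render(rules):
    """Format the rules as /etc/shorewall/route_rules lines."""
    header = ("#SOURCE", "DEST", "PROVIDER", "PRIORITY")
    return "\n".join("%-16s %-18s %-9s %s" % row for row in (header, *rules))


if __name__ == "__main__":
    print(render(route_rules()))
```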

2)  You may now include the name of a table (nat, mangle or filter) in
    a 'shorewall refresh' command by following the table name with a
    colon (e.g., mangle:). This causes all non-builtin chains in the
    table to be reloaded.

    Example:

        shorewall refresh nat:

3)  When no chain name is given to the 'shorewall refresh' command, the
    mangle table is refreshed along with the blacklist chain (if
    any). This allows you to modify /etc/shorewall/tcrules and install
    the changes using 'shorewall refresh'.

4)  Support for the NFLOG log target has been added. NFLOG is a
    successor to ULOG. In addition, both ULOG and NFLOG may be followed
    by a list of up to three numbers in parentheses.

    The first number specifies the netlink group (1-32). If omitted
    (e.g., NFLOG(,0,10)) then a value of 1 is assumed.

    The second number specifies the maximum number of bytes to copy. If
    omitted, 0 (no limit) is assumed.

    The third number specifies the number of log messages that should
    be buffered in the kernel before they are sent to user space. The
    default is 1.

    Examples:

        /etc/shorewall/shorewall.conf:

            MACLIST_LOG_LEVEL=NFLOG(1,0,1)

        /etc/shorewall/rules:

            ACCEPT:NFLOG(1,0,1)  vpn  fw  tcp  ssh,time,631,8080

5)  Shorewall-perl 4.1.0 implements an alternative syntax for macro
    parameters and for the NFQUEUE queue number. Rather than following
    the macro name (or NFQUEUE) with a slash ("/") and the parameter,
    the parameter may be enclosed in parentheses.

    Examples -- the two forms in each pair shown below are equivalent:

        DNS/ACCEPT    DNS(ACCEPT)
        NFQUEUE/3     NFQUEUE(3)

    The old syntax will still be accepted but will cease to be documented
    in some future Shorewall release.
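    An added example, not Shorewall-perl's own parser, that applies items 4 and 5 above (and the case-insensitive log levels from problem 3 of this release): it splits an ACTION column value, accepts both the slash and the parenthesised parameter syntax, fills in the NFLOG/ULOG defaults for omitted numbers, and maps the three numbers onto the iptables --nflog-group/--nflog-range/--nflog-threshold (or --ulog-nlgroup/--ulog-cprange/--ulog-qthreshold) options; that mapping is my assumption, not something the release notes state.

```python
"""Parse the ACTION column of /etc/shorewall/rules as items 4 and 5
describe it.  Added example, not Shorewall-perl's parser; mapping the
three NFLOG/ULOG numbers onto --nflog-group/--nflog-range/--nflog-threshold
(--ulog-nlgroup/--ulog-cprange/--ulog-qthreshold) is an assumption."""
import re

NETLINK_OPTS = {
    "NFLOG": ("--nflog-group", "--nflog-range", "--nflog-threshold"),
    "ULOG":  ("--ulog-nlgroup", "--ulog-cprange", "--ulog-qthreshold"),
}
DEFAULTS = (1, 0, 1)   # netlink group, bytes to copy (0 = no limit), buffered messages


def parse_log_level(level):
    """Return (iptables target, option list) for a log level.

    Syslog levels (info, INFO, ...) are case-insensitive as of 4.1.2.
    NFLOG/ULOG take up to three numbers; an omitted one keeps its default.
    """
    m = re.fullmatch(r"(NFLOG|ULOG)(?:\((.*)\))?", level, re.IGNORECASE)
    if not m:
        return "LOG", ["--log-level", level.lower()]
    target = m.group(1).upper()
    fields = m.group(2).split(",") if m.group(2) is not None else []
    if len(fields) > 3:
        raise ValueError(f"too many parameters in {level}")
    values = list(DEFAULTS)
    for i, field in enumerate(fields):
        if field.strip():          # a blank slot, as in NFLOG(,0,10), keeps the default
            values[i] = int(field)
    if not 1 <= values[0] <= 32:
        raise ValueError(f"netlink group must be 1-32 in {level}")
    opts = []
    for name, value in zip(NETLINK_OPTS[target], values):
        opts += [name, str(value)]
    return target, opts


def parse_action(action):
    """Split ACTION[:LEVEL]; NAME/PARAM and NAME(PARAM) are equivalent."""
    base, _, level = action.partition(":")
    m = re.fullmatch(r"(\w+)(?:/(\w+)|\((\w+)\))?", base)
    if not m:
        raise ValueError(f"bad action {action}")
    return {"name": m.group(1), "param": m.group(2) or m.group(3),
            "log": parse_log_level(level) if level else None}
```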