diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall
index 80a4adac3..70d6ff32e 100755
--- a/Lrp/etc/init.d/shorewall
+++ b/Lrp/etc/init.d/shorewall
@@ -1,8 +1,9 @@
 #!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
 #
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
 #
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
 #
@@ -12,7 +13,7 @@
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
+# it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
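Review bot: The new `RCDLINKS="2,S41 3,S41 6,K41"` line in the first hunk is placed between the shebang and the license header with no comment saying what consumes it or why these priorities were chosen, so a reader of the init script cannot tell that the values encode per-runlevel start/kill symlink priorities (presumably read by the LRP/LEAF link installer, which is not visible in this diff). I would add `# LRP/LEAF runlevel links: start at S41 in runlevels 2 and 3, stop at K41 in runlevel 6` directly above it. Since this script brings up a packet filter, the S41 start priority should be confirmed to order the firewall ahead of any network-facing services started in those runlevels, otherwise there is an unfiltered window during boot, and nothing in the hunk records that ordering. There are also no K links for runlevels 0 and 1, so the rules stay in place into halt and single-user mode; that is probably the intended fail-closed behaviour but is worth stating in the same comment. The remaining changes in both hunks are whitespace-only edits to the header comment.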
@@ -29,4853 +30,45 @@
 #
 # Commands are:
 #
-# shorewall start Starts the firewall
+# shorewall start Starts the firewall
 # shorewall restart Restarts the firewall
 # shorewall stop Stops the firewall
 # shorewall status Displays firewall status
-# shorewall reset Resets iptabless packet and
-# byte counts
-# shorewall clear Remove all Shorewall chains
-# and rules/policies.
-# shorewall refresh . Rebuild the common chain
-# shorewall check Verify the more heavily-used
-# configuration files.
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
- local e=$1
-
- while [ $# -gt 1 ]; do
- shift
- [ "x$e" = "x$1" ] && return 0
- done
-
- return 1
-}
-
-#
-# Function to count list elements
-#
-list_count() {
- arg_count() {
- echo $#
- }
-
- arg_count `separate_list $1`
-}
-
-#
-# Mutual exclusion -- These functions are jackets for the mutual exclusion
-# routines in $FUNCTIONS. They invoke
-# the corresponding function in that file if the user did
-# not specify "nolock" on the runline.
-#
-my_mutex_on() {
- [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; }
-}
-
-my_mutex_off() {
- [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
-}
-
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
- echo " $@" >&2
-}
-
-#
-# Fatal error -- stops the firewall after issuing the error message
-#
-fatal_error() # $* = Error Message
-{
- echo " $@" >&2
- stop_firewall
- exit 2
-}
-
-#
-# Fatal error during startup -- generate an error message and abend with
-# altering the state of the firewall
-#
-startup_error() # $* = Error Message
-{
- echo " $@" >&2
- my_mutex_off
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- kill $$
- exit 2
-}
-
-#
-# Send a message to STDOUT and the System Log
-#
-report () { # $* = message
- echo "$@"
- logger "$@"
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $1 = contents of variable which may be the name of another variable
-{
- eval echo \"$1\"
-}
-
-#
-# Perform variable substitition on the values of the passed list of variables
-#
-expandv() # $* = list of variable names
-{
- local varval
-
- while [ $# -gt 0 ]; do
- eval varval=\$${1}
- eval $1=\"$varval\"
- shift
- done
-}
-
-#
-# Replace all leading "!" with "! " in the passed argument list
-#
-
-fix_bang() {
- local i;
-
- for i in $@; do
- case $i in
- !*)
- echo "! ${i#!}"
- ;;
- *)
- echo $i
- ;;
- esac
- done
-}
-
-#
-# Run iptables and if an error occurs, stop the firewall and quit
-#
-run_iptables() {
-
- if ! iptables $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-#
-# Version of 'run_iptables' that inserts white space after "!" in the arg list
-#
-run_iptables2() {
-
- if [ "x${*%!*}" = "x$*" ]; then
- #
- # No "!" in the command -- just execute it
- #
- run_iptables $@
- return
- fi
- #
- # Need to insert white space before each "!"
- #
- run_iptables `fix_bang $@`
-}
-
-#
-# Run ip and if an error occurs, stop the firewall and quit
-#
-run_ip() {
- if !
ip $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-#
-# Run arp and if an error occurs, stop the firewall and quit
-#
-run_arp() {
- if ! arp $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-#
-# Run tc and if an error occurs, stop the firewall and quit
-#
-run_tc() {
- if ! tc $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-#
-# Create a filter chain
-#
-# If the chain isn't one of the common chains then add a rule to the chain
-# allowing packets that are part of an established connection. Create a
-# variable ${1}_exists and set its value to Yes to indicate that the chain now
-# exists.
-#
-createchain() # $1 = chain name, $2 = If non-null, don't create default rules
-{
- run_iptables -N $1
-
- if [ $# -eq 1 ]; then
- state="ESTABLISHED"
- [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
- run_iptables -A $1 -m state --state $state -j ACCEPT
- [ -z "$NEWNOTSYN" ] && \
- run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
- fi
-
- eval ${1}_exists=Yes
-}
-
-#
-# Determine if a chain exists
-#
-# When we create a chain "chain", we create a variable named chain_exists and
-# set its value to Yes. This function tests for the "_exists" variable
-# corresponding to the passed chain having the value of "Yes".
-# -havechain() # $1 = name of chain -{ - eval test \"\$${1}_exists\" = Yes -} - -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt iptables -L $1 -n -} - -# -# Query NetFilter about the existence of a mangle chain -# -mangle_chain_exists() # $1 = chain name -{ - qt iptables -t mangle -L $1 -n -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurechain() # $1 = chain name -{ - havechain $1 || createchain $1 -} - -# -# Add a rule to a chain creating the chain if necessary -# -addrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables -A $@ -} - -# -# Create a nat chain -# -# Create a variable ${1}_nat_exists and set its value to Yes to indicate that -# the chain now exists. -# -createnatchain() # $1 = chain name -{ - run_iptables -t nat -N $1 - - eval ${1}_nat_exists=Yes -} - -# -# Determine if a nat chain exists -# -# When we create a chain "chain", we create a variable named chain_nat_exists -# and set its value to Yes. This function tests for the "_exists" variable -# corresponding to the passed chain having the value of "Yes". 
-# -havenatchain() # $1 = name of chain -{ - eval test \"\$${1}_nat_exists\" = Yes -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurenatchain() # $1 = chain name -{ - havenatchain $1 || createnatchain $1 -} - -# -# Add a rule to a nat chain creating the chain if necessary -# -addnatrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurenatchain $1 - run_iptables2 -t nat -A $@ -} - -# -# Delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Chain name base for an interface -# -chain_base() #$1 = interface -{ - local c=${1%%+*} - - case $c in - *.*) - echo ${c%.*}_${c#*.} - ;; - *) - echo ${c:=common} - ;; - esac -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne=$1 - local z - local interface - - for interface in $all_interfaces; do - eval z=\$`chain_base ${interface}`_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo `chain_base $1`_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo `chain_base $1`_in -} - -# -# Output Chain for an interface -# 
-output_chain() # $1 = interface -{ - echo `chain_base $1`_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo `chain_base $1`_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo `chain_base $1`_mac -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to a zone -# -snat_chain() # $1 = zone -{ - echo ${1}_snat -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c=`chain_base $1` - - echo ${c}_fwd ${c}_in -} - -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts - - while read z hosts options; do - [ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts` - done < $TMP_DIR/hosts -} - -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $zones; do - interfaces=`find_interfaces $zone` - interfaces=`echo $interfaces` # Remove extra trash - eval ${zone}_interfaces="\$interfaces" - done -} - -# -# Determine the defined hosts in each zone and generate report -# -determine_hosts() { - do_a_zone() - { - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if [ -z "$hosts" ]; then - hosts=$interface:0.0.0.0/0 - else - hosts="$hosts $interface:0.0.0.0/0" - fi - done - } - - recalculate_interfaces() - { - interfaces= - - for host in $hosts; do - interface=${host%:*} - if ! 
list_search $interface $interfaces; then - if [ -z "$interfaces" ]; then - interfaces=$interface - else - interfaces="$interfaces $interface" - fi - fi - done - - eval ${zone}_interfaces="\$interfaces" - } - - for zone in $zones; do - hosts=`find_hosts $zone` - hosts=`echo $hosts` # Remove extra trash - - if [ -n "MERGE_HOSTS" ]; then - # - # Zone will be the union of its host and interface definitions - # - do_a_zone - recalculate_interfaces - elif [ -n "$hosts" ]; then - # - # Zone is defined in terms of hosts -- derive the interface list - # from the host list - # - recalculate_interface - else - # - # If no hosts are defined for a zone then the zone consists of any - # host that can send us messages via the interfaces to the zone - # - do_a_zone - fi - - eval ${zone}_hosts="\$hosts" - - if [ -n "$hosts" ]; then - eval display=\$${zone}_display - display_list "$display Zone:" $hosts - else - error_message "Warning: Zone $zone is empty" - fi - done -} - -# -# Ensure that the passed zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $zones $FW -} - -# -# Validate the zone names and options in the interfaces file -# -validate_interfaces_file() { - while read z interface subnet options; do - expandv z interface subnet options - r="$z $interface $subnet $options" - - [ "x$z" = "x-" ] && z= - - if [ -n "$z" ]; then - validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - fi - - [ "x$interface" = "xlo" ] && \ - startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces" - - list_search $interface $all_interfaces && \ - startup_error "Error: Duplicate Interface $interface" - - all_interfaces="$all_interfaces $interface" - options=`separate_list $options` - interface=`chain_base $interface` - - eval ${interface}_broadcast="$subnet" - eval ${interface}_zone="$z" - eval ${interface}_options=\"$options\" - - for option in $options; do - case $option in - 
dhcp|routestopped|norfc1918|multi|tcpflags) - ;; - routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) - ;; - noping|filterping) - [ -n "$OLD_PING_HANDLING" ] || \ - startup_error "Option $option only allowed with old ping handling" - ;; - *) - error_message "Warning: Invalid option ($option) in record \"$r\"" - ;; - esac - done - - [ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined" - - done < $TMP_DIR/interfaces -} - -# -# Validate the zone names and options in the hosts file -# -validate_hosts_file() { - while read z hosts options; do - expandv z hosts options - r="$z $hosts $options" - validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - - for host in `separate_list $hosts`; do - interface=${host%:*} - - list_search $interface $all_interfaces || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - - for option in `separate_list $options`; do - case $option in - routestopped|maclist|-) - ;; - *) - error_message "Warning: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done - done < $TMP_DIR/hosts -} - -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" -} - -# -# validate a record from the rules file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# target clients servers protocol ports cports address -# -# and has loaded a space-separated list of their values in "rule". 
-# -validate_rule() { - # - # Ensure that the passed comma-separated list has 15 or fewer elements - # - validate_list() { - local temp="`separate_list $1`" - - [ `echo $temp | wc -w` -le 15 ] - } - - # - # validate one rule - # - validate_a_rule() { - # - # Determine the format of the client - # - cli= - - [ -n "$client" ] && case "$client" in - -) - ;; - *:*) - cli="-i ${client%:*} -s ${client#*:}" - ;; - ~*) - cli=`mac_match $client` - ;; - *.*.*) - # - # IP Address, address or subnet - # - cli="-s $client" - ;; - *) - # - # Assume that this is a device name - # - cli="-i $client" - ;; - esac - - dest_interface= - - [ -n "$server" ] && case "$server" in - -) - serv= - ;; - *.*.*) - serv=$server - ;; - ~*) - startup_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - dest_interface="-o $server" - serv= - ;; - esac - # - # Setup PROTOCOL, PORT and STATE variables - # - sports="" - dports="" - state="-m state --state NEW" - proto=$protocol - addr=$address - servport=$serverport - - case $proto in - tcp|udp|TCP|UDP|6|17) - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - dports="--dport $port" - [ -n "$cport" ] && [ "x${cport}" != "x-" ] && \ - sports="--sport $cport" - ;; - icmp|ICMP|0) - [ -n "$port" ] && dports="--icmp-type $port" - state="" - ;; - related|RELATED) - proto= - state="-m state --state RELATED" - ;; - *) - state= - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - startup_error "Port number not allowed with protocol " \ - "\"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - case "$logtarget" in - REJECT) - target=reject - [ -n "$servport" ] && \ - startup_error "Error: server port may not be specified in a REJECT rule;"\ - "rule: \"$rule\"" - ;; - ACCEPT) - [ -n "$servport" ] && \ - startup_error "Error: server port may not be specified in an ACCEPT rule;"\ - "rule: \"$rule\"" - ;; - REDIRECT) - [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ - " specify a server IP; rule: 
\"$rule\"" - servport=${servport:=$port} - ;; - DNAT) - [ -n "$serv" ] || startup_error "Error: DNAT rules require a" \ - " server address; rule: \"$rule\"" - ;; - esac - - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - - if [ -n "${serv}${servport}" ]; then - # - # Destination is a Specific Server or we're redirecting a port - # - if [ -n "$addr" -a "$addr" != "$serv" ]; then - # - # Must use Prerouting DNAT - # - if [ -z "$NAT_ENABLED" ]; then - startup_error \ - "Error - Rule \"$rule\" requires NAT which is disabled" - fi - - if [ "$target" != "ACCEPT" ]; then - startup_error "Error - Only ACCEPT rules may specify " \ - "port mapping; rule \"$rule\"" - fi - fi - else - [ -n "$addr" ] && startup_error \ - "Error: An ADDRESS ($addr) is only allowed in" \ - " a DNAT or REDIRECT rule: \"$rule\"" - fi - } - # - # V a l i d a t e _ R u l e S t a r t s H e r e - # - # Parse the Target and Clients columns - # - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%:*}" - expandv loglevel - fi - - logtarget="$target" - # - # DNAT and REDIRECT targets were implemented in version 1.3 to replace - # an older syntax. We simply map the new syntax into the old and proceed; - # that way, people who have files with the old syntax don't need to - # convert right away. 
- # - case $target in - DNAT) - target=ACCEPT - address=${address:=detect} - ;; - DNAT-) - target=ACCEPT - address=${address:=detect} - logtarget=DNAT - ;; - REDIRECT) - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="fw::$servers" - fi - ;; - ACCEPT|DROP|REJECT) - ;; - *) - startup_error "Error: Invalid target;" \ - " rule: \"$rule\"" - - esac - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%\!*}" ]; then - excludezones= - else - excludezones="${clientzone#*\!}" - clientzone="${clientzone%\!*}" - - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - startup_error "Error: Exclude list only allowed with DNAT or REDIRECT" - fi - # - # Validate the Source Zone - # - if ! validate_zone $clientzone; then - [ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\"" - fi - - source=$clientzone - - [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\" - - # - # Parse the servers column - # - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - startup_error "Error: Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - # - # Validate the destination zone - # - if ! 
validate_zone $serverzone; then - [ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - chain=${source}2${dest} - - if [ "x$chain" = x${FW}2${FW} ]; then - case $logtarget in - REDIRECT) - ;; - *) - error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" - return - ;; - esac - fi - - # - # Check length of port lists if MULTIPORT set - # - if [ -n "$MULTIPORT" ]; then - validate_list $ports || - error_message "Warning: Too many destination ports: Rule \"$rule\"" - validate_list $cports || - error_message "Warning: Too many source ports: Rule \"$rule\"" - fi - - # - # Iterate through the various lists validating individual rules - # - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - for port in `separate_list ${ports:=-}`; do - for cport in `separate_list ${cports:=-}`; do - validate_a_rule - done - done - done - done - - echo " Rule \"$rule\" validated." 
-} - -# -# validate the rules file -# -validate_rules() # $1 = name of rules file -{ - strip_file rules - - while read target clients servers protocol ports cports address; do - expandv clients servers protocol ports cports address - case "$target" in - - ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - validate_rule - ;; - *) - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - startup_error "Error: Invalid Target - rule \"$rule\" ignored" - ;; - esac - done < $TMP_DIR/rules -} - -# -# validate the policy file -# -validate_policy() -{ - local clientwild - local serverwild - local zone - local zone1 - local pc - local chain - local policy - local loglevel - local synparams - - print_policy() # $1 = source zone, $2 = destination zone - { - [ $command != check ] || \ - [ $1 = all ] || \ - [ $2 = all ] || \ - echo " Policy for $1 to $2 is $policy" - } - - all_policy_chains= - - strip_file policy $policy - - while read client server policy loglevel synparams; do - expandv client server policy loglevel synparams - - clientwild= - serverwild= - - case "$client" in - all|ALL) - clientwild=Yes - ;; - *) - if ! validate_zone $client; then - startup_error "Error: Undefined zone $client" - fi - esac - - case "$server" in - all|ALL) - serverwild=Yes - ;; - *) - if ! 
validate_zone $server; then - startup_error "Error: Undefined zone $server" - fi - esac - - case $policy in - ACCEPT|REJECT|DROP|CONTINUE) - ;; - *) - startup_error "Error: Invalid policy $policy" - ;; - esac - - chain=${client}2${server} - - [ "x$chain" = "x${FW}2${FW}" ] && \ - startup_error "Error: fw->fw policy not allowed: $policy" - - if is_policy_chain $chain ; then - startup_error "Error: Duplicate policy $policy" - fi - - [ "x$loglevel" = "x-" ] && loglevel= - - chain=${client}2${server} - - all_policy_chains="$all_policy_chains $chain" - - eval ${chain}_is_policy=Yes - eval ${chain}_policy=$policy - eval ${chain}_loglevel=$loglevel - eval ${chain}_synparams=$synparams - - if [ -n "${clientwild}" ]; then - if [ -n "${serverwild}" ]; then - for zone in $zones $FW all; do - for zone1 in $zones $FW all; do - eval pc=\$${zone}2${zone1}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${zone1}_policychain=$chain - print_policy $zone $zone1 - fi - done - done - else - for zone in $zones $FW all; do - eval pc=\$${zone}2${server}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${server}_policychain=$chain - print_policy $zone $server - fi - done - fi - elif [ -n "$serverwild" ]; then - for zone in $zones $FW all; do - eval pc=\$${client}2${zone}_policychain - - if [ -z "$pc" ]; then - eval ${client}2${zone}_policychain=$chain - print_policy $client $zone - fi - done - else - eval ${chain}_policychain=${chain} - print_policy $client $server - fi - - done < $TMP_DIR/policy -} - -# -# Find broadcast addresses -# -find_broadcasts() { - for interface in $all_interfaces; do - eval bcast=\$`chain_base $interface`_broadcast - if [ "x$bcast" = "xdetect" ]; then - addr="`ip addr show $interface 2> /dev/null`" - if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then - addr="`echo "$addr" | \ - grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" - echo $addr | cut -d' ' -f 1 - fi - elif [ "x${bcast}" != "x-" ]; then - echo `separate_list $bcast` - fi - done -} - -# 
-# Find interface broadcast addresses -# -find_interface_broadcasts() # $1 = Interface name -{ - eval bcast=\$`chain_base ${1}`_broadcast - - if [ "x$bcast" = "xdetect" ]; then - addr="`ip addr show $interface 2> /dev/null`" - if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then - addr="`echo "$addr" | \ - grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" - echo $addr | cut -d' ' -f 1 - fi - elif [ "x${bcast}" != "x-" ]; then - echo `separate_list $bcast` - fi - -} - -# -# Find interface address--returns the first IP address assigned to the passed -# device -# -find_interface_address() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=`ip addr show $1 2> /dev/null | grep inet | head -n1` - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' -} - -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $all_interfaces; do - eval options=\$`chain_base ${interface}`_options - list_search $1 $options && echo $interface - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - while read ignore hosts options; do - expandv options - list_search $1 `separate_list $options` && \ - echo `expand $hosts` - done < $TMP_DIR/hosts - - for interface in $all_interfaces; do - eval options=\$`chain_base ${interface}`_options - list_search $1 $options && \ - echo ${interface}:0.0.0.0/0 - done -} - -# -# Determine if there are interfaces of the given zone and option -# -# Returns zero if any such interfaces are found and returns one otherwise. 
-# -have_interfaces_in_zone_with_option() # $1 = zone, $2 = option -{ - local zne=$1 - local z - local interface - - for interface in $all_interfaces; do - eval z=\$`chain_base ${interface}`_zone - - [ "x$z" = "x$zne" ] && \ - list_search $1 $options && \ - return 0 - done - - return 1 -} - -# -# Flush and delete all user-defined chains in the filter table -# -deleteallchains() { - run_iptables -F - run_iptables -X -} - -# -# Source a user exit file if it exists -# -run_user_exit() # $1 = file name -{ - local user_exit=`find_file $1` - - if [ -f $user_exit ]; then - echo "Processing $user_exit ..." - . $user_exit - fi -} - -# -# Stop the Firewall -# -stop_firewall() { - # - # Turn off trace unless we were tracing "stop" or "clear" - # - case $command in - stop|clear) - ;; - *) - set +x - ;; - esac - - stopping="Yes" - - deletechain shorewall - - run_user_exit stop - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -F && \ - run_iptables -t mangle -X - - [ -n "$NAT_ENABLED" ] && delete_nat - delete_proxy_arp - [ -n "$CLEAR_TC" ] && delete_tc - - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - hosts="`find_hosts_by_option routestopped`" - - strip_file routestopped - - while read interface host; do - expandv interface host - [ "x$host" = "x-" ] && host= - hosts="$hosts $interface:${host:-0.0.0.0/0}" - done < $TMP_DIR/routestopped - - for host in $hosts; do - interface=${host%:*} - subnet=${host#*:} - iptables -A INPUT -i $interface -s $subnet -j ACCEPT - iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT - - for host1 in $hosts; do - [ "$host" != "$host1" ] && \ - iptables -A FORWARD -i $interface -s $subnet \ - -o ${host1%:*} -d ${host1#*:} -j ACCEPT - done - done - - iptables -A INPUT -i lo -j ACCEPT - iptables -A OUTPUT -o lo -j ACCEPT - - for interface in `find_interfaces_by_option dhcp`; do - iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT - iptables -A OUTPUT -p udp -o $interface --dport 
67:68 -j ACCEPT - done - - case "$IP_FORWARDING" in - [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward - ;; - [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward - ;; - esac - - run_user_exit stopped - - logger "Shorewall Stopped" - - rm -rf $TMP_DIR - - case $command in - stop|clear) - ;; - *) - # - # The firewall is being stopped when we were trying to do something - # else. Remove the lock file and Kill the shell in case we're in a - # subshell - # - my_mutex_off - kill $$ - ;; - esac -} - -# -# Remove all rules and remove all user-defined chains -# -clear_firewall() { - stop_firewall - - run_iptables -F - - echo 1 > /proc/sys/net/ipv4/ip_forward - - setpolicy INPUT ACCEPT - setpolicy FORWARD ACCEPT - setpolicy OUTPUT ACCEPT - - run_user_exit clear - - logger "Shorewall Cleared" -} - -# -# Set up ipsec tunnels -# -setup_tunnels() # $1 = name of tunnels file -{ - local inchain - local outchain - - setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones - { - options="-m state --state NEW -j ACCEPT" - addrule $inchain -p 50 -s $1 -j ACCEPT - addrule $outchain -p 50 -d $1 -j ACCEPT - run_iptables -A $inchain -p 51 -s $1 -j ACCEPT - run_iptables -A $outchain -p 51 -d $1 -j ACCEPT - - run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options - - if [ $2 = ipsec ]; then - run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options - else - run_iptables -A $inchain -p udp -s $1 --dport 500 $options - run_iptables -A $inchain -p udp -s $1 --dport 4500 $options - fi - - for z in `separate_list $3`; do - if validate_zone $z; then - addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options - if [ $2 = ipsec ]; then - addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options - else - addrule ${z}2${FW} -p udp --dport 500 $options - addrule ${z}2${FW} -p udp --dport 4500 $options - fi - else - error_message "Warning: Invalid gateway zone ($z)" \ - " -- Tunnel \"$tunnel\" may encounter keying problems" - fi - done - - echo " IPSEC 
tunnel to $gateway defined." - } - - setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol - { - addrule $inchain -p $3 -s $2 -j ACCEPT - addrule $outchain -p $3 -d $2 -j ACCEPT - - echo " $1 tunnel to $2 defined." - } - - setup_pptp_client() # $1 = gateway - { - addrule $outchain -p 47 -d $1 -j ACCEPT - addrule $inchain -p 47 -j ACCEPT - addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT - - echo " PPTP tunnel to $1 defined." - } - - setup_pptp_server() - { - addrule $inchain -p 47 -j ACCEPT - addrule $outchain -p 47 -j ACCEPT - addrule $inchain -p tcp --dport 1723 -j ACCEPT - - echo " PPTP server defined." - } - - setup_one_openvpn() # $1 = gateway, $2 = kind[:port] - { - case $2 in - *:*) - p=${2#*:} - ;; - *) - p=5000 - ;; - esac - - addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT - addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT - - echo " OPENVPN tunnel to $1:$p defined." - } - - strip_file tunnels $1 - - while read kind z gateway z1; do - expandv kind z gateway z1 - tunnel="`echo $kind $z $gateway $z1`" - if validate_zone $z; then - inchain=${z}2${FW} - outchain=${FW}2${z} - case $kind in - ipsec|IPSEC) - setup_one_ipsec $gateway ipsec $z1 - ;; - ipsecnat|IPSECNAT) - setup_one_ipsec $gateway ipsecnat $z1 - ;; - ipip|IPIP) - setup_one_other IPIP $gateway 4 - ;; - gre|GRE) - setup_one_other GRE $gateway 47 - ;; - pptpclient|PPTPCLIENT) - setup_pptp_client $gateway - ;; - pptpserver|PPTPSERVER) - setup_pptp_server - ;; - openvpn|OPENVPN|openvpn:*|OPENVPN:*) - setup_one_openvpn $gateway $kind - ;; - *) - error_message "Tunnels of type $kind are not supported:" \ - "Tunnel \"$tunnel\" Ignored" - ;; - esac - else - error_message "Invalid gateway zone ($z)" \ - " -- Tunnel \"$tunnel\" Ignored" - fi - done < $TMP_DIR/tunnels -} - -# -# Setup Proxy ARP -# -setup_proxy_arp() { - - print_error() { - error_message "Invalid value for HAVEROUTE - ($haveroute)" - error_message "Entry \"$address $interface $external $haveroute\" ignored" 
- } - - setup_one_proxy_arp() { - case $haveroute in - [Nn][Oo]) - haveroute= - ;; - [Yy][Ee][Ss]) - ;; - *) - if [ -n "$haveroute" ]; then - print_error - return - fi - ;; - esac - - [ -z "$haveroute" ] && run_ip route add $address dev $interface - - run_arp -Ds $address $external pub - - echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp - echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp - - echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp - - echo " Host $address connected to $interface added to ARP on $external" - } - - > ${STATEDIR}/proxyarp - - strip_file proxyarp - - while read address interface external haveroute; do - expandv address interface external haveroute - setup_one_proxy_arp - done < $TMP_DIR/proxyarp - - interfaces=`find_interfaces_by_option proxyarp` - - for interface in $interfaces; do - if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then - echo " Enabled proxy ARP on $interface" - else - error_message "Warning: Unable to enable proxy ARP on $interface" - fi - done -} - -# -# Set up MAC Verification -# -setup_mac_lists() { - local interface - local mac - local addresses - local address - local chain - local logpart - local macpart - local blob - local hosts - # - # Generate the list of interfaces having MAC verification - # - maclist_interfaces= - - for hosts in $maclist_hosts; do - interface=${hosts%:*} - if ! list_search $interface $maclist_interfaces; then\ - if [ -z "$maclist_interfaces" ]; then - maclist_interfaces=$interface - else - maclist_interfaces="$maclist_interfaces $interface" - fi - fi - done - - echo "Setting up MAC Verification on $maclist_interfaces..." 
- # - # Be sure that they are all ethernet interfaces - # - for interface in $maclist_interfaces; do - case $interface in - eth*) - ;; - *) - fatal_error "Error: MAC verification is only supported on ethernet devices: $interface" - ;; - esac - - createchain `mac_chain $interface` no - done - # - # Process the maclist file producing the verification rules - # - strip_file maclist - - while read interface mac addresses; do - expandv interface mac addresses - - chain=`mac_chain $interface` - - if ! havechain $chain ; then - fatal_error "Error: No hosts on $interface have the maclist option specified" - fi - - macpart=`mac_match $mac` - - if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart -j RETURN - else - for address in `separate_list $addresses` ; do - run_iptables2 -A $chain $macpart -s $address -j RETURN - done - fi - done < $TMP_DIR/maclist - # - # Setup Logging variables - # - if [ -n "$MACLIST_LOG_LEVEL" ]; then - if [ "$MACLIST_LOG_LEVEL" = ULOG ]; then - logpart="-j ULOG $LOGPARMS --ulog-prefix" - else - logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix" - fi - else - logpart= - fi - # - # Must take care of our own broadcasts and multicasts then terminate the verification - # chains - # - for interface in $maclist_interfaces; do - chain=`mac_chain $interface` - blob=`ip addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'` - - [ -z "$blob" ] && \ - fatal_error "Error: Interface $interface must be up before Shorewall can start" - - set -- $blob - - while [ $# -gt 0 ]; do - address=${1%/*} - - case $1 in - */32) - ;; - *) - run_iptables -A $chain -s $address -d $2 -j RETURN - shift - ;; - esac - - run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN - run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN - shift - done - - [ -n "$logpart" ] && \ - run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:" - - run_iptables -A $chain -j $maclist_target - done - # - # 
Generate jumps from the input and forward chains - # - for hosts in $maclist_hosts; do - interface=${hosts%:*} - hosts=${hosts#*:} - for chain in `first_chains $interface` ; do - run_iptables -A $chain -s $hosts -m state --state NEW \ - -j `mac_chain $interface` - done - done -} - -# -# Set up SYN flood protection -# -setup_syn_flood_chain () - # $1 = policy chain - # $2 = synparams -{ - local chain=$1 - local limit=${2%:*} - local limit_burst=${2#*:} - - run_iptables -N @$chain - run_iptables -A @$chain \ - -m limit --limit $limit --limit-burst $limit_burst \ - -j RETURN - run_iptables -A @$chain -j DROP -} - -# -# Enable SYN flood protection on a chain -# -# Insert a jump rule to the protection chain from the first chain. Inserted -# as the second rule and restrict the jump to SYN packets -# -enable_syn_flood_protection() # $1 = chain, $2 = protection chain -{ - run_iptables -I $1 2 -p tcp --syn -j @$2 - echo " Enabled SYN flood protection" -} - -# -# Delete existing Proxy ARP -# -delete_proxy_arp() { - if [ -f ${STATEDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i $external -d $address pub - [ -z "$haveroute" ] && qt ip route del $address dev $interface - done < ${STATEDIR}/proxyarp - - rm -f ${STATEDIR}/proxyarp - fi - - [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp - - for f in `ls /proc/sys/net/ipv4/conf/*/proxy_arp`; do - echo 0 > $f - done -} - -# -# Setup Static Network Address Translation (NAT) -# -setup_nat() { - local allints - # - # At this point, we're just interested in the network translation - # - > ${STATEDIR}/nat - - strip_file nat - - echo "Setting up NAT..." 
- - while read external interface internal allints localnat; do - expandv external interface internal allints localnat - - iface=${interface%:*} - - if [ -n "$ADD_IP_ALIASES" ]; then - qt ip addr del $external dev $iface - fi - - if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ] - then - addnatrule nat_in -d $external -j DNAT --to-destination $internal - addnatrule nat_out -s $internal -j SNAT --to-source $external - - if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then - run_iptables2 -t nat -A OUTPUT -d $external \ - -j DNAT --to-destination $internal - fi - else - addnatrule `input_chain $iface` \ - -d $external -j DNAT --to-destination $internal - addnatrule `output_chain $iface` \ - -s $internal -j SNAT --to-source $external - fi - - if [ -n "$ADD_IP_ALIASES" ]; then - list_search $external $aliases_to_add || \ - aliases_to_add="$aliases_to_add $external $interface" - fi - - echo " Host $internal NAT $external on $interface" - done < $TMP_DIR/nat -} - -# -# Delete existing Static NAT -# -delete_nat() { - run_iptables -t nat -F - run_iptables -t nat -X - - if [ -f ${STATEDIR}/nat ]; then - while read external interface; do - qt ip addr del $external dev $interface - done < ${STATEDIR}/nat - - rm -f {$STATEDIR}/nat - fi - - [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat -} - -# -# Process a TC Rule - $marking_chain is assumed to contain the name of the -# default marking chain -# -process_tc_rule() -{ - add_a_tc_rule() { - r= - chain=$marking_chain - - if [ "x$source" != "x-" ]; then - case $source in - *.*.*) - r="-s $source " - ;; - ~*) - r=`mac_match $source` - ;; - $FW) - chain=tcout - ;; - *) - if ! 
list_search $source $all_interfaces; then - fatal_error "Error: Unknown interface $source in rule \"$rule\"" - fi - - r="-i $source " - ;; - esac - fi - - if [ "$mark" != "${mark%:*}" ]; then - - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - - case "${mark#*:}" in - p|P) - chain=tcpre - ;; - f|F) - chain=tcfor - ;; - *) - fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" - ;; - esac - - mark="${mark%:*}" - fi - - [ "x$dest" = "x-" ] || r="${r}-d $dest " - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}--dport $port " - [ "x$sport" = "x-" ] || r="${r}--sport $sport " - - run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark - - } - - for source in `separate_list ${sources:=-}`; do - for dest in `separate_list ${dests:=-}`; do - for port in `separate_list ${ports:=-}`; do - for sport in `separate_list ${sports:=-}`; do - add_a_tc_rule - done - done - done - done - - echo " TC Rule \"$rule\" added" -} - -# -# Setup queuing and classes -# -setup_tc1() { - # - # Create the TC mangle chains - # - - run_iptables -t mangle -N tcpre - run_iptables -t mangle -N tcfor - run_iptables -t mangle -N tcout - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=`echo "$mark $sources $dests $proto $ports $sports"` - process_tc_rule - done < $TMP_DIR/tcrules - # - # Link to the TC mangle chains from the main chains - # - - run_iptables -t mangle -A FORWARD -j tcfor - run_iptables -t mangle -A PREROUTING -j tcpre - run_iptables -t mangle -A OUTPUT -j tcout - - run_user_exit tcstart - -} - -setup_tc() { - - echo "Setting up Traffic Control Rules..." 
- - setup_tc1 -} - -# -# Clear Traffic Shaping -# -delete_tc() -{ - - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Refresh queuing and classes -# -refresh_tc() { - - echo "Refreshing Traffic Control Rules..." - - [ -n "$CLEAR_TC" ] && delete_tc - - [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre - - if mangle_chain_exists $chain; then - # - # Flush the TC mangle chains - # - run_iptables -t mangle -F $chain - - run_iptables -t mangle -F tcout - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=`echo "$mark $sources $dests $proto $ports $sports"` - process_tc_rule - done < $TMP_DIR/tcrules - - run_user_exit tcstart - else - setup_tc1 - fi - -} - -# -# Add a NAT rule - Helper function for the rules file processor -# -# The caller has established the following variables: -# cli = Source IP, interface or MAC Specification -# serv = Destination IP Specification -# servport = Port the server is listening on -# dest_interface = Destination Interface Specification -# proto = Protocol Specification -# addr = Original Destination Address -# dports = Destination Port Specification. 
'dports' may be changed -# by this function -# cport = Source Port Specification -# multiport = String to invoke multiport match if appropriate -# -add_nat_rule() { - local chain - - # Be sure NAT is enabled - - if [ -z "$NAT_ENABLED" ]; then - fatal_error \ - "Error - Rule \"$rule\" requires NAT which is disabled" - fi - - # Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT - - if [ "$target" != "ACCEPT" ]; then - fatal_error "Error - Only DNAT and REDIRECT rules may specify " \ - "port mapping; rule \"$rule\"" - fi - - # Parse SNAT address if any - - if [ "$addr" != "${addr%:*}" ]; then - snat="${addr#*:}" - addr="${addr%:*}" - else - snat="" - fi - - # Set original destination address - - case $addr in - all) - addr= - ;; - detect) - addr= - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - eval interfaces=\$${source}_interfaces - for interface in $interfaces; do - addr="`find_interface_address $interface` $addr" - done - fi - ;; - esac - - addr=${addr:-0.0.0.0/0} - - # Select target - - if [ -n "$serv" ]; then - servport="${servport:+:$servport}" - target1="DNAT --to-destination ${serv}${servport}" - else - target1="REDIRECT --to-port $servport" - fi - - # Generate nat table rules - - if [ "$source" = "$FW" ]; then - run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \ - $multiport $dports -j $target1 - else - chain=`dnat_chain $source` - - if [ -n "$excludezones" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - addnatrule `dnat_chain $source` -j $chain - for z in $excludezones; do - eval hosts=\$${z}_hosts - for host in $hosts; do - for adr in $addr; do - addnatrule $chain $proto -s ${host#*:} \ - $multiport $sports -d $adr $dports -j RETURN - done - done - done - fi - - for adr in $addr; do - addnatrule $chain $proto $cli $sports \ - -d $adr $multiport $dports -j $target1 - done - fi - - # Replace destination port by the new destination port - - if [ -n "$servport" ]; then - if [ -z "$multiport" 
]; then - dports="--dport ${servport#*:}" - else - dports="--dports ${servport#*:}" - fi - fi - - # Handle SNAT - - if [ -n "$snat" ]; then - if [ -n "$cli" ]; then - addnatrule `snat_chain $dest` $proto $cli $multiport \ - $sports -d $serv $dports -j SNAT --to-source $snat - else - for source_host in $source_hosts; do - [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \ - error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" - - addnatrule `snat_chain $dest` \ - -s ${source_host#*:} $proto $sports $multiport \ - -d $serv $dports -j SNAT --to-source $snat - done - fi - fi -} - -# -# Add one Filter Rule -- Helper function for the rules file processor -# -# The caller has established the following variables: -# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# servport = Port the server listens on -# chain = The canonical chain for this rule -# -add_a_rule() -{ - # Set source variables - - cli= - - [ -n "$client" ] && case "$client" in - -) - ;; - *:*) - cli="-i ${client%:*} -s ${client#*:}" - ;; - *.*.*) - cli="-s $client" - ;; - ~*) - cli=`mac_match $client` - ;; - *) - cli="-i $client" - ;; - esac - - # Set destination variables - - dest_interface= - - [ -n "$server" ] && case "$server" in - -) - serv= - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - dest_interface="-o $server" - serv= - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - state="-m state --state NEW" - proto=$protocol - addr=$address - servport=$serverport - multiport= - - case $proto in - tcp|udp|TCP|UDP|6|17) - if [ -n "$port" -a "x${port}" != "x-" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - 
multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" -a "x${cport}" != "x-" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - ;; - icmp|ICMP|1) - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - dports="--icmp-type $port" - state= - ;; - all|ALL) - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - fatal_error "Port number not allowed with \"all\";" \ - " rule: \"$rule\"" - proto= - ;; - related|RELATED) - proto= - state="-m state --state RELATED" - ;; - *) - state= - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - fatal_error "Port number not allowed with protocol " \ - "\"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. setup - - case "$logtarget" in - REJECT) - target=reject - [ -n "$servport" ] && \ - fatal_error "Error: server port may not be specified in a REJECT rule;"\ - "rule: \"$rule\"" - ;; - REDIRECT) - [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ - " specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - ;; - DNAT) - [ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \ - " server address; rule: \"$rule\"" - ;; - esac - - # Complain if the rule is really a policy - - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - - if [ -n "${serv}${servport}" ]; then - - # A specific server or server port given - - if [ -n "$addr" -a "$addr" != "$serv" ]; then - add_nat_rule - elif [ -n "$servport" -a "$servport" != "$port" ]; then - add_nat_rule - fi - - if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then - serv="${serv:+-d $serv}" - - if [ -n "$loglevel" ]; then - if [ "$loglevel" = ULOG ]; then - run_iptables2 -A $chain $proto $multiport \ - $state $cli $sports $serv $dports 
-j ULOG $LOGPARMS \ - --ulog-prefix "Shorewall:$chain:$logtarget:" - else - run_iptables2 -A $chain $proto $multiport \ - $state $cli $sports $serv $dports -j LOG $LOGPARMS \ - --log-prefix "Shorewall:$chain:$logtarget:" \ - --log-level $loglevel - fi - fi - - - run_iptables2 -A $chain $proto $multiport $state $cli $sports \ - $serv $dports -j $target - fi - else - - # Destination is a simple zone - - [ -n "$addr" ] && fatal_error \ - "Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT or REDIRECT: \"$rule\"" - - if [ -n "$loglevel" ]; then - if [ "$loglevel" = ULOG ]; then - run_iptables2 -A $chain $proto $multiport \ - $dest_interface $state $cli $sports $dports -j ULOG \ - $LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:" - else - run_iptables2 -A $chain $proto $multiport \ - $dest_interface $state $cli $sports $dports -j LOG \ - $LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \ - --log-level $loglevel - fi - fi - - run_iptables2 -A $chain $proto $multiport $dest_interface $state \ - $cli $sports $dports -j $target - fi -} - -# -# Process a record from the rules file -# -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address -{ - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local rule="`echo $target $clients $servers $protocol $ports $cports $address`" - - # Function Body -- isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%:*}" - expandv loglevel - fi - - logtarget="$target" - dnat_only= - - # Convert 1.3 Rule formats to 1.2 format - - [ "x$address" = "x-" ] && address= - - case $target in - DNAT) - target=ACCEPT - address=${address:=detect} - ;; - DNAT-) - target=ACCEPT - address=${address:=detect} - dnat_only=Yes - logtarget=DNAT - ;; - REDIRECT) - target=ACCEPT - 
address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="$FW::$servers" - fi - ;; - esac - - # Parse and validate source - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%\!*}" ]; then - excludezones= - else - excludezones="${clientzone#*\!}" - clientzone="${clientzone%\!*}" - - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT" - fi - - if ! validate_zone $clientzone; then - fatal_error "Error: Undefined Client Zone in rule \"$rule\"" - fi - - # Parse and validate destination - - source=$clientzone - - [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\" - - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Error: Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - - if ! 
validate_zone $serverzone; then - fatal_error "Error: Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - # Create canonical chain if necessary - - chain=${source}2${dest} - - ensurechain $chain - - if [ "x$chain" = x${FW}2${FW} ]; then - case $logtarget in - REDIRECT) - ;; - *) - error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" - return - ;; - esac - else - ensurechain $chain - fi - - # Generate Netfilter rule(s) - - if [ -n "$MULTIPORT" -a \ - "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - `list_count $ports` -le 15 -a \ - `list_count $cports` -le 15 ] - then - multioption="-m multiport" - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - else - multioption= - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - for port in `separate_list ${ports:=-}`; do - for cport in `separate_list ${cports:=-}`; do - add_a_rule - done - done - done - done - fi - - echo " Rule \"$rule\" added." 
-} - -# -# Process the rules file -# -process_rules() # $1 = name of rules file -{ - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() { - for yclients in $xclients; do - for yservers in $xservers; do - if [ "${yclients}" != "${yservers}" ] ; then - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress - fi - done - done - } - - strip_file rules $1 - - while read xtarget xclients xservers xprotocol xports xcports xaddress; do - case "$xtarget" in - - ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*) - expandv xclients xservers xprotocol xports xcports xaddress - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - continue - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - continue - fi - - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress - ;; - *) - rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" - fatal_error "Error: Invalid Target in rule \"$rule\"" - ;; - - esac - done < $TMP_DIR/rules -} - -# -# Process a record from the tos file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# src dst protocol sport dport tos -# -# and has loaded a space-separated list of their values in "rule". 
-# -process_tos_rule() { - # - # Parse the contents of the 'src' variable - # - if [ "$src" = "${src%:*}" ]; then - srczone="$src" - src= - else - srczone="${src%:*}" - src="${src#*:}" - fi - - source= - # - # Validate the source zone - # - if validate_zone $srczone; then - source=$srczone - elif [ "$srczone" = "all" ]; then - source="all" - else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$src" ] && case "$src" in - *.*.*) - # - # IP Address or subnet - # - src="-s $src" - ;; - ~*) - src=`mac_match $src` - ;; - *) - # - # Assume that this is a device name - # - src="-i $src" - ;; - esac - - # - # Parse the contents of the 'dst' variable - # - if [ "$dst" = "${dst%:*}" ]; then - dstzone="$dst" - dst= - else - dstzone="${dst%:*}" - dst="${dst#*:}" - fi - - dest= - # - # Validate the destination zone - # - if validate_zone $dstzone; then - dest=$dstzone - elif [ "$dstzone" = "all" ]; then - dest="all" - else - error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$dst" ] && case "$dst" in - *.*.*) - # - # IP Address or subnet - # - ;; - *) - # - # Assume that this is a device name - # - error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" - return - ;; - esac - - # - # Setup PROTOCOL and PORT variables - # - sports="" - dports="" - - case $protocol in - tcp|udp|TCP|UDP|6|17) - [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ - sports="--sport $sport" - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--dport $dport" - ;; - icmp|ICMP|0) - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--icmp-type $dport" - ;; - all|ALL) - protocol= - ;; - *) - ;; - esac - - protocol="${protocol:+-p $protocol}" - - tos="-j TOS --set-tos $tos" - - case "$dstzone" in - all|ALL) - dst=0.0.0.0/0 - ;; - *) - [ -z "$dst" ] && eval dst=\$${dstzone}_hosts - ;; - esac - - for dest in $dst; do - dest="-d $dest" - - case $srczone in - $FW) - 
run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - ;; - all|ALL) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - run_iptables2 -t mangle -A pretos \ - $protocol $dest $dports $sports $tos - ;; - *) - if [ -n "$src" ]; then - run_iptables2 -t mangle -A pretos $src \ - $protocol $dest $dports $sports $tos - else - eval interfaces=\$${srczone}_interfaces - - for interface in $interfaces; do - run_iptables2 -t mangle -A pretos -i $interface \ - $protocol $dest $dports $sports $tos - done - fi - ;; - esac - done - - echo " Rule \"$rule\" added." -} - -# -# Process the tos file -# -process_tos() # $1 = name of tos file -{ - echo "Processing $1..." - - run_iptables -t mangle -N pretos - run_iptables -t mangle -N outtos - - strip_file tos $1 - - while read src dst protocol sport dport tos; do - expandv src dst protocol sport dport tos - rule="`echo $src $dst $protocol $sport $dport $tos`" - process_tos_rule - done < $TMP_DIR/tos - - run_iptables -t mangle -A PREROUTING -j pretos - run_iptables -t mangle -A OUTPUT -j outtos -} - -# -# Load a Kernel Module -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename=$1 - local modulefile - - if [ -z "`lsmod | grep $modulename`" ]; then - shift - modulefile=$MODULESDIR/${modulename}.o - - if [ -f $modulefile ]; then - insmod $modulefile $* - return - fi - # - # If the modules directory contains compressed modules then we'll - # assume that insmod can load them - # - modulefile=${modulefile}.gz - - if [ -f $modulefile ]; then - insmod $modulefile $* - fi - fi -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Add rules to the "common" chain to silently drop packets addressed to any of -# the passed addresses -# -drop_broadcasts() # $* = broadcast addresses -{ - while [ $# -gt 0 ]; do - run_iptables -A common -d $1 -j DROP - shift - done 
-} - -# -# Add policy rule ( and possibly logging rule) to the passed chain -# -policy_rules() # $1 = chain to add rules to - # $2 = policy - # $3 = loglevel -{ - local target="$2" - - case "$target" in - ACCEPT) - ;; - - DROP) - run_iptables -A $1 -j common - ;; - REJECT) - run_iptables -A $1 -j common - target=reject - ;; - CONTINUE) - target= - ;; - *) - fatal_error "Invalid policy ($policy) for $1" - ;; - - esac - - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - if [ "$3" = ULOG ]; then - run_iptables -A $1 -j ULOG $LOGPARMS \ - --ulog-prefix "Shorewall:${1}:${2}:" - else - run_iptables -A $1 -j LOG $LOGPARMS \ - --log-prefix "Shorewall:${1}:${2}:" --log-level $3 - fi - fi - - [ -n "$target" ] && run_iptables -A $1 -j $target -} - -# -# Generate default policy & log level rules for the passed client & server -# zones -# -# This function is only called when the canonical chain for this client/server -# pair is known to exist. If the default policy for this pair specifies the -# same chain then we add the policy (and logging) rule to the canonical chain; -# otherwise add a rule to the canonical chain to jump to the appropriate -# policy chain. -# -default_policy() # $1 = client $2 = server -{ - local chain="${1}2${2}" - local policy= - local loglevel= - local chain1 - - jump_to_policy_chain() { - # - # Add a jump to from the canonical chain to the policy chain. On return, - # $chain is set to the name of the policy chain - # - run_iptables -A $chain -j $chain1 - chain=$chain1 - } - - apply_default() - { - # - # Generate policy file column values from the policy chain - # - eval policy=\$${chain1}_policy - eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams - # - # Add the appropriate rules to the canonical chain ($chain) to enforce - # the specified policy - - if [ "$chain" = "$chain1" ]; then - # - # The policy chain is the canonical chain; add policy rule to it - # The syn flood jump has already been added if required. 
- # - policy_rules $chain $policy $loglevel - else - # - # The policy chain is different from the canonical chain -- approach - # depends on the policy - # - case $policy in - ACCEPT) - if [ -n "$synparams" ]; then - # - # To avoid double-counting SYN packets, enforce the policy - # in this chain. - # - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - else - # - # No problem with double-counting so just jump to the - # policy chain. - # - jump_to_policy_chain - fi - ;; - CONTINUE) - # - # Silly to jump to the policy chain -- add any logging - # rules and enable SYN flood protection if requested - # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - ;; - *) - # - # DROP or REJECT policy -- enforce in the policy chain and - # enable SYN flood protection if requested. - # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - jump_to_policy_chain - ;; - esac - fi - - echo " Policy $policy for $1 to $2 using chain $chain" - } - - eval chain1=\$${1}2${2}_policychain - - if [ -n "$chain1" ]; then - apply_default $1 $2 - else - fatal_error "Error: No default policy for zone $1 to zone $2" - fi -} - -# -# Complete a standard chain -# -# - run any supplied user exit -# - search the policy file for an applicable policy and add rules as -# appropriate -# - If no applicable policy is found, add rules for an assummed -# policy of DROP INFO -# -complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone -{ - local policy= - local loglevel= - local policychain= - - run_user_exit $1 - - eval policychain=\$${2}2${3}_policychain - - if [ -n "$policychain" ]; then - eval policy=\$${policychain}_policy - eval loglevel=\$${policychain}_loglevel - - policy_rules $1 $policy $loglevel - else - policy_rules $1 DROP INFO - fi -} - -# -# Find the appropriate chain to pass packets from a source zone to a -# destination zone -# -# If the canonical chain for 
this zone pair exists, echo it's name; otherwise -# locate and echo the name of the appropriate policy chain -# -rules_chain() # $1 = source zone, $2 = destination zone -{ - local chain=${1}2${2} - - havechain $chain && { echo $chain; return; } - - eval chain=\$${chain}_policychain - - [ -n "$chain" ] && { echo $chain; return; } - - fatal_error "Error: No appropriate chain for zone $1 to zone $2" -} - -# -# echo the list of subnets routed out of a given interface -# -get_routed_subnets() # $1 = interface name -{ - local address - local rest - - ip route show dev $1 2> /dev/null | - while read address rest; do - [ "$address" = "${address%/*}" ] && address="${address}/32" - echo $address - done -} - -# -# Set up Source NAT (including masquerading) -# -setup_masq() -{ - setup_one() { - local using - - case $fullinterface in - *:*:*) - # Both alias name and subnet - destnet="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:*) - # Alias name OR subnet - case ${fullinterface#*:} in - *.*) - # It's a subnet - destnet="${fullinterface#*:}" - fullinterface="${fullinterface%:*}" - ;; - *) - #it's an alias name - destnet="0.0.0.0/0" - ;; - esac - ;; - *) - destnet="0.0.0.0/0" - ;; - esac - - interface=${fullinterface%:*} - - if ! 
list_search $interface $all_interfaces; then - fatal_error "Error: Unknown interface $interface" - fi - - if [ "$subnet" = "${subnet%!*}" ]; then - nomasq= - else - nomasq="${subnet#*!}" - subnet="${subnet%!*}" - fi - - chain=`masq_chain $interface` - iface= - - source="$subnet" - - case $subnet in - *.*.*) - ;; - -) - # - # Note: This only works if you have the LOCAL NAT patches in the - # kernel and in the iptables utility - # - chain=OUTPUT - subnet= - source=$FW - iface="-o $interface" - ;; - *) - subnets=`get_routed_subnets $subnet` - [ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet" - subnet="$subnets" - ;; - esac - - if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then - list_search $address $aliases_to_add || \ - aliases_to_add="$aliases_to_add $address $fullinterface" - fi - - destination=$destnet - - if [ -n "$nomasq" ]; then - newchain=masq${masq_seq} - createnatchain $newchain - - if [ -n "$subnet" ]; then - for s in $subnet; do - addnatrule $chain -d $destnet $iface -s $s -j $newchain - done - else - addnatrule $chain -d $destnet $iface -j $newchain - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - subnet= - iface= - destnet= - - for addr in `separate_list $nomasq`; do - addnatrule $chain -s $addr -j RETURN - done - - source="$source except $nomasq" - else - destnet="-d $destnet" - fi - - if [ -n "$subnet" ]; then - for s in $subnet; do - if [ -n "$address" ]; then - addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address - echo " To $destination from $s through ${interface} using $address" - else - addnatrule $chain -s $s $destnet $iface -j MASQUERADE - echo " To $destination from $s through ${interface}" - fi - done - elif [ -n "$address" ]; then - addnatrule $chain $destnet $iface -j SNAT --to-source $address - echo " To $destination from $source through ${interface} using $address" - else - addnatrule $chain $destnet $iface -j MASQUERADE - echo " To $destination from $source through 
${interface}" - fi - - } - - strip_file masq $1 - - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:" - - while read fullinterface subnet address; do - expandv fullinterface subnet address - [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" - done < $TMP_DIR/masq -} - -# -# Setup Intrazone chain if appropriate -# -setup_intrazone() # $1 = zone -{ - eval hosts=\$${1}_hosts - - if [ "$hosts" != "${hosts% *}" ] || \ - have_interfaces_in_zone_with_option $1 multi - then - ensurechain ${1}2${1} - fi -} -# -# Add a record to the blacklst chain -# -# $source = address match -# $proto = protocol selector -# $dport = destination port selector -# -add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then - run_iptables2 -A blacklst $source $proto $dport -j \ - ULOG $LOGPARMS --ulog-prefix \ - "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" - else - run_iptables2 -A blacklst $source $proto $dport -j \ - LOG $LOGPARMS --log-prefix \ - "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ - --log-level $BLACKLIST_LOGLEVEL - fi - fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition -} - -# -# Process a record from the blacklist file -# -# $subnet = address/subnet -# $protocol = Protocol Number/Name -# $port = Port Number/Name -# -process_blacklist_rec() { - local source - local addr - local proto - local dport - - for addr in `separate_list $subnet`; do - case $addr in - ~*) - addr=`echo $addr | sed 's/~//;s/-/:/g'` - source="--match mac --mac-source $addr" - ;; - *) - source="-s $addr" - ;; - esac - - if [ -n "$protocol" ]; then - proto=" -p $protocol " - - case $protocol in - tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then - if [ -n "$MULTIPORT" -a \ - "$ports" != "${ports%,*}" -a \ - "$ports" = "${ports%:*}" -a \ - `list_count $ports` -le 15 ] - then - dport="-m multiport --dports $ports" - add_blacklist_rule - else - for dport in `separate_list $ports`; do 
- dport="--dport $dport" - add_blacklist_rule - done - fi - else - add_blacklist_rule - fi - ;; - icmp|ICMP|0) - if [ -n "$ports" ]; then - for dport in `separate_list $ports`; do - dport="--icmp-type $dport" - add_blacklist_rule - done - else - add_blacklist_rule - fi - ;; - *) - add_blacklist_rule - ;; - esac - else - add_blacklist_rule - fi - - if [ -n "$ports" ]; then - addr="$addr $protocol $ports" - elif [ -n "$protocol" ]; then - addr="$addr $protocol" - fi - - echo " $addr added to Black List" - done -} - -# -# Setup the Black List -# -setup_blacklist() { - local interfaces=`find_interfaces_by_option blacklist` - local f=`find_file blacklist` - local disposition=$BLACKLIST_DISPOSITION - - if [ -n "$interfaces" -a -f $f ]; then - echo "Setting up Blacklisting..." - - strip_file blacklist $f - - createchain blacklst no - - for interface in $interfaces; do - for chain in `first_chains $interface`; do - run_iptables -A $chain -j blacklst - done - - echo " Blacklisting enabled on $interface" - done - - [ "$disposition" = REJECT ] && disposition=reject - - while read subnet protocol ports; do - expandv subnet protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - - fi -} - -# -# Refresh the Black List -# -refresh_blacklist() { - local f=`find_file blacklist` - local disposition=$BLACKLIST_DISPOSITION - - if qt iptables -L blacklst -n ; then - echo "Refreshing Black List..." 
- - strip_file blacklist $f - - [ "$disposition" = REJECT ] && disposition=reject - - run_iptables -F blacklst - - while read subnet protocol ports; do - expandv subnet protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - fi -} - -# -# Verify that kernel has netfilter support -# -verify_os_version() { - - osversion=`uname -r` - - case $osversion in - 2.4.*|2.5.*) - ;; - *) - startup_error "Shorewall version $version does not work with kernel version $osversion" - ;; - esac -} - -# -# Add IP Aliases -# -add_ip_aliases() -{ - local external - local interface - local primary - - do_one() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from the primary address - # - # Get all of the lines that contain inet addresses with broadcast - # - val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null - - if [ -n "$val" ] ; then - # - # Hack off the leading 'inet ' (actually cut off the - # "/" as well but add it back in). 
- # - val="/${val#*/}" - # - # Now get the VLSM, "brd" and the broadcast address - # - val=${val%% scope*} - fi - - run_ip addr add ${external}${val} dev $interface $label - echo "$external $interface" >> ${STATEDIR}/nat - [ -n "$label" ] && label="with $label" - echo " IP Address $external added to interface $interface $label" - } - - set -- $aliases_to_add - - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - primary=`find_interface_address $interface` - shift;shift - [ "x${primary}" = "x${external}" ] || do_one - done -} - -# -# Load kernel modules required for Shorewall -# -load_kernel_modules() { - - [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter - - modules=`find_file modules` - - if [ -f $modules -a -d $MODULESDIR ]; then - echo "Loading Modules..." - . $modules - fi -} - -# -# Perform Initialization -# - Delete all old rules -# - Delete all user chains -# - Set the POLICY on all standard chains and add a rule to allow packets -# that are part of established connections -# - Determine the zones -# -initialize_netfilter () { - - echo "Determining Zones..." - - determine_zones - - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" - - display_list "Zones:" $zones - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Validating Policy file..." - - validate_policy - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - deletechain shorewall - - [ -n "$NAT_ENABLED" ] && delete_nat - - delete_proxy_arp - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -F && \ - run_iptables -t mangle -X - - [ -n "$CLEAR_TC" ] && delete_tc - - run_user_exit init - - echo "Deleting user chains..." 
- - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - # - # Allow DNS lookups during startup for FQDNs - # - run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there - # is an idiot somewhere - # who needs this - run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT - run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT - - [ -n "$CLAMPMSS" ] && \ - run_iptables -A FORWARD -p tcp \ - --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - - if [ -z "$NEWNOTSYN" ]; then - createchain newnotsyn no - run_user_exit newnotsyn - if [ -n "$LOGNEWNOTSYN" ]; then - if [ "$LOGNEWNOTSYN" = ULOG ]; then - run_iptables -A newnotsyn -j ULOG - --ulog-prefix "Shorewall:newnotsyn:DROP:" - else - run_iptables -A newnotsyn -j LOG \ - --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN - fi - fi - - run_iptables -A newnotsyn -j DROP - fi - - createchain icmpdef no - createchain common no - createchain reject no - createchain dynamic no - - if [ -f /var/lib/shorewall/save ]; then - echo "Restoring dynamic rules..." - - while read target ignore1 ignore2 address rest; do - case $target in - DROP|reject) - run_iptables2 -A dynamic -s $address -j $target - ;; - *) - ;; - esac - done < /var/lib/shorewall/save - fi - - echo "Creating input Chains..." 
- - for interface in $all_interfaces; do - createchain `forward_chain $interface` no - run_iptables -A `forward_chain $interface` -j dynamic - createchain `input_chain $interface` no - run_iptables -A `input_chain $interface` -j dynamic - done -} - -# -# Build the common chain -- called during [re]start and refresh -# -build_common_chain() { - - if [ -n "$OLD_PING_HANDLING" ]; then - # - # PING - # - [ -n "$FORWARDPING" ] && \ - run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT - fi - # - # Common ICMP rules - # - run_user_exit icmpdef - # - # Common rules in each chain - # - common=`find_file common` - - if [ -f $common ]; then - . $common - else - . `find_file common.def` - fi - # - # New Not Syn Stuff - # - if [ -n "$NEWNOTSYN" ]; then - run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT - run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT - fi - # - # BROADCASTS - # - drop_broadcasts `find_broadcasts` -} - -# -# Construct zone-independent rules -# -add_common_rules() { - logdisp() # $1 = Chain Name - { - if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then - echo "ULOG --ulog-prefix Shorewall:${1}:DROP:" - else - echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL" - fi - } - # - # Reject Rules - # - run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset - run_iptables -A reject -j REJECT - # - # dropunclean rules - # - interfaces="`find_interfaces_by_option dropunclean`" - - if [ -n "$interfaces" ]; then - createchain badpkt no - - if [ -n "$LOGUNCLEAN" ]; then - if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:" - logoptions="$logoptions --log-ip-options" - else - logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" - logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" - fi - - run_iptables -A badpkt -p tcp $logoptions --log-tcp-options - run_iptables -A badpkt -p ! 
tcp $logoptions - fi - - run_iptables -A badpkt -j DROP - echo "Mangled/Invalid Packet filtering enabled on:" - - for interface in $interfaces; do - for chain in `first_chains $interface`; do - run_iptables -A $chain --match unclean -j badpkt - done - echo " $interface" - done - fi - # - # logunclean rules - # - interfaces="`find_interfaces_by_option logunclean`" - - if [ -n "$interfaces" ]; then - createchain logpkt no - - [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info - - if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:" - logoptions="$logoptions --log-ip-options" - else - logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" - logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" - fi - - run_iptables -A logpkt -p tcp $logoptions --log-tcp-options - run_iptables -A logpkt -p ! tcp $logoptions - - echo "Mangled/Invalid Packet Logging enabled on:" - - for interface in $interfaces; do - for chain in `first_chains $interface`; do - run_iptables -A $chain --match unclean -j logpkt - done - echo " $interface" - done - fi - - build_common_chain - - # - # DHCP - # - echo "Adding rules for DHCP" - - for interface in `find_interfaces_by_option dhcp`; do - run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT - run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT - done - - # - # RFC 1918 - # - norfc1918_interfaces="`find_interfaces_by_option norfc1918`" - - if [ -n "$norfc1918_interfaces" ]; then - echo "Enabling RFC1918 Filtering" - - strip_file rfc1918 - - createchain rfc1918 no - - createchain logdrop no - run_iptables -A logdrop -j `logdisp rfc1918` - run_iptables -A logdrop -j DROP - - if [ -n "$MANGLE_ENABLED" ]; then - # - # Mangling is enabled -- create a chain in the mangle table to - # filter RFC1918 destination addresses. 
This must be done in the - # mangle table before we apply any DNAT rules in the nat table - # - # Also add a chain to log and drop any RFC1918 packets that we find - # - run_iptables -t mangle -N man1918 - run_iptables -t mangle -N logdrop - run_iptables -t mangle -A logdrop -j `logdisp man1918` - run_iptables -t mangle -A logdrop -j DROP - fi - - while read subnet target; do - case $target in - logdrop|DROP|RETURN) - ;; - *) - fatal_error " Error:Illegal target ($target) for $subnet" - ;; - esac - - run_iptables2 -A rfc1918 -s $subnet -j $target - # - # If packet mangling is enabled, trap packets with an - # RFC1918 destination - # - if [ -n "$MANGLE_ENABLED" ]; then - run_iptables2 -t mangle -A man1918 -d $subnet -j $target - fi - done < $TMP_DIR/rfc1918 - - for interface in $norfc1918_interfaces; do - for chain in `first_chains $interface`; do - run_iptables -A $chain -j rfc1918 - done - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -A PREROUTING -i $interface -j man1918 - done - - fi - - interfaces=`find_interfaces_by_option tcpflags` - - if [ -n "$interfaces" ]; then - echo "Setting up TCP Flags checking..." 
- - createchain tcpflags no - - if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then - createchain logflags no - - if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then - run_iptables -A logflags -j ULOG $LOGPARMS \ - --ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \ - --log-tcp-options --log-ip-options - else - run_iptables -A logflags -j LOG $LOGPARMS \ - --log-level $TCP_FLAGS_LOG_LEVEL \ - --log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \ - --log-tcp-options --log-ip-options - fi - case $TCP_FLAGS_DISPOSITION in - REJECT) - run_iptables -A logflags -j REJECT --reject-with tcp-reset - ;; - *) - run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION - ;; - esac - - disposition="-j logflags" - else - disposition="-j $TCP_FLAGS_DISPOSITION" - fi - - run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition - run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition - # - # There are a lot of probes to ports 80, 3128 and 8080 that use a source - # port of 0. This catches them even if they are directed at an IP that - # hosts a web server. - # - run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - - for interface in $interfaces; do - for chain in `first_chains $interface`; do - run_iptables -A $chain -p tcp -j tcpflags - done - done - fi - # - # Process Black List - # - setup_blacklist - - # - # Enable the Loopback interface - # - run_iptables -A INPUT -i lo -j ACCEPT - run_iptables -A OUTPUT -o lo -j ACCEPT - - # - # Enable icmp output - # - run_iptables -A OUTPUT -p icmp -j ACCEPT - # - # Route Filtering - # - for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - echo 0 > $f - done - - interfaces="`find_interfaces_by_option routefilter`" - - if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then - echo "Setting up Kernel Route Filtering..." 
- - if [ -n "$ROUTE_FILTER" ]; then - echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter - else - echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - if [ -f $file ]; then - echo 1 > $file - else - error_message \ - "Warning: Cannot set route filtering on $interface" - fi - done - fi - fi - # - # IP Forwarding - # - case "$IP_FORWARDING" in - [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward - echo "IP Forwarding Enabled" - ;; - [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward - echo "IP Forwarding Disabled!" - ;; - esac -} - -# -# Scan the policy file defining the necessary chains -# Add the appropriate policy rule(s) to the end of each canonical chain -# -apply_policy_rules() { - # - # Create policy chains - # - for chain in $all_policy_chains; do - eval policy=\$${chain}_policy - eval loglevel=\$${chain}_loglevel - eval synparams=\$${chain}_synparams - - [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams - - if havechain $chain; then - [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - else - # - # The chain doesn't exist. 
Create the chain and add policy - # rules - # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # - createchain $chain - - # - # If either client or server is 'all' then this MUST be - # a policy chain and we must apply the appropriate policy rules - # - # Otherwise, this is a canonical chain which will be handled in - # the for loop below - # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - - [ -n "$synparams" ] && \ - [ $policy = ACCEPT -o $policy = CONTINUE ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - fi - - done - # - # Add policy rules to canonical chains - # - for zone in $FW $zones; do - setup_intrazone $zone - for zone1 in $FW $zones; do - chain=${zone}2${zone1} - if havechain $chain; then - run_user_exit $chain - default_policy $zone $zone1 - fi - done - done -} - -# -# Activate the rules -# -activate_rules() -{ - local PREROUTING_rule=1 - local POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - havenatchain $destchain && \ - run_iptables -t nat -A $sourcechain $@ -j $destchain - } - - # - # Jump to a RULES chain from one of the builtin nat chains - # - # If NAT_BEFORE_RULES then append the rule to the chain; otherwise, insert - # the jump near the front of the builtin chain - # - addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain; then - if [ -n "$NAT_BEFORE_RULES" ]; then - run_iptables -t nat -A $sourcechain $@ -j $destchain - else - eval run_iptables -t nat -I $sourcechain \ - \$${sourcechain}_rule $@ -j $destchain - eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - fi - fi - } - 
- # - # Add jumps from the builtin chains to the nat chains - # - addnatjump PREROUTING nat_in - addnatjump POSTROUTING nat_out - - for interface in $all_interfaces; do - addnatjump PREROUTING `input_chain $interface` -i $interface - addnatjump POSTROUTING `output_chain $interface` -o $interface - done - - multi_interfaces=`find_interfaces_by_option multi` - - > ${STATEDIR}/chains - > ${STATEDIR}/zones - - for zone in $zones; do - eval source_hosts=\$${zone}_hosts - - echo $zone $source_hosts >> ${STATEDIR}/zones - - chain1=`rules_chain $FW $zone` - chain2=`rules_chain $zone $FW` - - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains - - for host in $source_hosts; do - interface=${host%:*} - subnet=${host#*:} - - run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 - - # - # Add jumps from the builtin chains for DNAT and SNAT rules - # - addrulejump PREROUTING `dnat_chain $zone` -i $interface -s $subnet - addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet - - run_iptables -A `input_chain $interface` -s $subnet -j $chain2 - - done - - for zone1 in $zones; do - eval dest_hosts=\$${zone1}_hosts - - chain="`rules_chain $zone $zone1`" - - echo "$zone $zone1 $chain" >> ${STATEDIR}/chains - - if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then - have_canonical=Yes - else - have_canonical= - fi - - for host in $source_hosts; do - interface=${host%:*} - subnet=${host#*:} - chain1=`forward_chain $interface` - - if [ -n "$have_canonical" ]; then - multi=yes - else - case $interface in - *+*) - multi=yes - ;; - *) - list_search $interface $multi_interfaces && multi=yes || multi= - ;; - esac - fi - - for host1 in $dest_hosts; do - interface1=${host1%:*} - subnet1=${host1#*:} - - if [ $interface != $interface1 -o -n "$multi" ]; then - run_iptables -A $chain1 -s $subnet \ - -o $interface1 -d $subnet1 -j $chain - fi - done - done - done - done - - for interface in $all_interfaces; do - run_iptables 
-A FORWARD -i $interface -j `forward_chain $interface` - run_iptables -A INPUT -i $interface -j `input_chain $interface` - addnatjump POSTROUTING `masq_chain $interface` -o $interface - done - - complete_standard_chain INPUT all $FW - complete_standard_chain OUTPUT $FW all - complete_standard_chain FORWARD all all - - run_iptables -D INPUT -m state --state ESTABLISHED -j ACCEPT - run_iptables -D OUTPUT -m state --state ESTABLISHED -j ACCEPT - run_iptables -D FORWARD -m state --state ESTABLISHED -j ACCEPT - - run_iptables -D INPUT -p udp --dport 53 -j ACCEPT - run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT - run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT -} - -# -# Start/Restart the Firewall -# -define_firewall() # $1 = Command (Start or Restart) -{ - if [ -f /etc/shorewall/startup_disabled ]; then - echo " Shorewall Startup is disabled -- to enable startup" - echo " after you have completed Shorewall configuration," - echo " remove the file /etc/shorewall/startup_disabled" - - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2 - fi - - echo "${1}ing Shorewall..." - - verify_os_version - - load_kernel_modules - - echo "Initializing..." - - initialize_netfilter - - echo "Configuring Proxy ARP" - - setup_proxy_arp - - setup_nat - - echo "Adding Common Rules" - - add_common_rules - - tunnels=`find_file tunnels` - - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels - - maclist_hosts=`find_hosts_by_option maclist` - - if [ -n "$maclist_hosts" ] ; then - setup_mac_lists - fi - - rules=`find_file rules` - - echo "Processing $rules..." - - process_rules $rules - - if [ -n "$OLD_PING_HANDLING" ]; then - echo "Setting up ICMP Echo handling..." - - filterping_interfaces="`find_interfaces_by_option filterping`" - noping_interfaces="`find_interfaces_by_option noping`" - - for interface in $all_interfaces; do - if ! 
list_search $interface $filterping_interfaces; then - if list_search $interface $noping_interfaces; then - target=DROP - else - target=ACCEPT - fi - - run_iptables -A `input_chain $interface` \ - -p icmp --icmp-type echo-request -j $target - fi - done - fi - - policy=`find_file policy` - - echo "Processing $policy..." - - apply_policy_rules - - masq=`find_file masq` - - [ -f $masq ] && setup_masq $masq - - tos=`find_file tos` - - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos - - [ -n "$TC_ENABLED" ] && setup_tc - - echo "Activating Rules..." - - activate_rules - - [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && \ - add_ip_aliases - - run_user_exit start - - createchain shorewall no - - date > $STATEDIR/restarted - - report "Shorewall ${1}ed" - - rm -rf $TMP_DIR -} - -# -# Check the configuration -# -check_config() { - echo "Verifying Configuration..." - - verify_os_version - - load_kernel_modules - - echo "Determining Zones..." - - determine_zones - - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" - - display_list "Zones:" $zones - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - echo "Validating rules file..." - - validate_rules - - echo "Validating policy file..." - - validate_policy - - rm -rf $TMP_DIR - - echo "Configuration Validated" -} - -# -# Rebuild the common chain -# -refresh_firewall() -{ - echo "Refreshing Shorewall..." - - echo "Determining Zones and Interfaces..." 
- - determine_zones - - validate_interfaces_file - - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" - - determine_interfaces - - run_user_exit refresh - - run_iptables -F common - - echo "Adding Common Rules" - - build_common_chain - - # - # Blacklist - # - refresh_blacklist - - # - # Refresh Traffic Control - # - [ -n "$TC_ENABLED" ] && refresh_tc - - report "Shorewall Refreshed" - - rm -rf $TMP_DIR -} - -# -# Add a host or subnet to a zone -# -add_to_zone() # $1 = [:] $2 = zone -{ - local base - - nat_chain_exists() # $1 = chain name - { - qt iptables -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - if ! iptables $@ ; then - startup_error "Error: can't add $1 to zone $2" - fi - } - - output_rule_num() { - local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1` - - [ -n "$num" ] && echo $(($num+1)) - } - # - # Isolate interface and host parts - # - interface=${1%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" - # - # Load $zones - # - determine_zones - # - # Validate Zone - # - zone=$2 - - validate_zone $zone || startup_error "Error: Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Error: Can't add $1 to firewall zone" - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" - # - # Be sure that the interface was present at last [re]start - # - if ! 
chain_exists `input_chain $interface` ; then - startup_error "Error: Unknown interface $interface" - fi - # - # Build lists of interfaces with special rules - # - dhcp_interfaces=`find_interfaces_by_option dhcp` - blacklist_interfaces=`find_interfaces_by_option blacklist` - filterping_interfaces=`find_interfaces_by_option filterping` - maclist_interfaces=`find_interfaces_by_option maclist` - tcpflags_interfaces=`find_interfaces_by_option tcpflags` - # - # Normalize the first argument to this function - # - newhost="$interface:$host" - # - # Create a new Zone state file - # - > ${STATEDIR}/zones_$$ - # - # Add $1 to the Zone state file - # - while read z hosts; do - if [ "$z" = "$zone" ]; then - for h in $hosts; do - if [ "$h" = "$newhost" ]; then - rm -f ${STATEDIR}/zones_$$ - startup_error "Error: $1 already in zone $zone" - fi - done - - [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s) - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -I PREROUTING -i $interface -s $host -j $chain - fi - # - # Insert new rules into the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - # - # We will insert the rule right after the DHCP, 'ping' and - # MAC rules (if any) - # - if list_search $interface $dhcp_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $filterping_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - 
fi - - do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain - else - # - # Insert rules into the passed interface's forward chain - # - # We insert them after any blacklist/MAC verification rules - # - source_chain=`forward_chain $interface` - eval dest_hosts=\"\$${z2}_hosts\" - - base=`chain_base $interface` - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $interface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - fi - fi - - for h in $dest_hosts; do - iface=${h%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain - rulenum=$(($rulenum + 1)) - fi - done - - eval ${base}_rulenum=$rulenum - - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule - # - do_iptables -I OUTPUT `output_rule_num` -o $interface -d $host -j $chain - else - # - # Insert rules into the source interface's forward chain - # - # We insert them after any blacklist rules - # - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%:*} - hosts=${h#*:} - - base=`chain_base $iface` - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $iface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - fi - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I `forward_chain $iface` $rulenum -s $hosts -o $interface -d $host -j $chain - rulenum=$(($rulenum + 1)) - fi - - eval ${base}_rulenum=$rulenum - done - fi - fi - done < ${STATEDIR}/chains - - echo "$1 added to zone $2" -} - -# -# Delete a host or subnet from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - # - # Delete the 
subnect host(s) from the zone state file - # - delete_from_zones_file() - { - > ${STATEDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for h in $temp; do - if [ "$h" = "$delhost" ]; then - echo Yes - else - hosts="$hosts $h" - fi - done - fi - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - } - # - # Isolate interface and host parts - # - interface=${1%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" - # - # Load $zones - # - determine_zones - - zone=$2 - - validate_zone $zone || startup_error "Error: Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Error: Can't remove $1 from firewall zone" - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" - # - # Be sure that the interface was present at last [re]start - # - if ! 
chain_exists `input_chain $interface` ; then - startup_error "Error: Unknown interface $interface" - fi - # - # Normalize the first argument to this function - # - delhost="$interface:$host" - # - # Delete the passed hosts from the zone state file - # - [ -z "`delete_from_zones_file`" ] && \ - error_message "Warning: $1 does not appear to be in zone $2" - # - # Construct the zone host maps - # - while read z hosts; do - eval ${z}_hosts=\"$hosts\" - done < ${STATEDIR}/zones - # - # Delete any nat table entries for the host(s) - # - qt iptables -t nat -D PREROUTING -i $interface -s $host -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - qt iptables -D `input_chain $interface` -s $host -j $chain - else - source_chain=`forward_chain $interface` - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts $delhost; do - iface=${h%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain - fi - done - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt iptables -D OUTPUT -o $interface -d $host -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D `forward_chain $iface` -s $hosts -o $interface -d $host -j $chain - fi - done - fi - fi - done < ${STATEDIR}/chains - - echo "$1 removed from zone $2" -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - # -# Determine the value for a parameter that 
defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} +#### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $network +# Required-Stop: +# Default-Start: 2 3 5 +# Default-Stop: 0 1 6 +# Description: starts and stops the shorewall firewall +### END INIT INFO +# chkconfig: 2345 25 90 +# description: Packet filtering firewall # -# Initialize this program -# -do_initialize() { - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Clear all configuration variables - # - version= - FW= - SUBSYSLOCK= - STATEDIR= - ALLOWRELATED= - LOGRATE= - LOGBURST= - LOGPARMS= - NAT_ENABLED= - MANGLE_ENABLED= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - TC_ENABLED= - LOGUNCLEAN= - BLACKLIST_DISPOSITION= - BLACKLIST_LOGLEVEL= - CLAMPMSS= - ROUTE_FILTER= - NAT_BEFORE_RULES= - MULTIPORT= - DETECT_DNAT_IPADDRS= - MERGE_HOSTS= - MUTEX_TIMEOUT= - NEWNOTSYN= - LOGNEWNOTSYN= - FORWARDPING= - MACLIST_DISPOSITION= - MACLIST_LOG_LEVEL= - TCP_FLAGS_DISPOSITION= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - MARK_IN_FORWARD_CHAIN= - OLD_PING_HANDLING= - SHARED_DIR=/usr/lib/shorewall - FUNCTIONS= - VERSION_FILE= - - stopping= - have_mutex= - masq_seq=1 - nonat_seq=1 - aliases_to_add= - - TMP_DIR=/tmp/shorewall-$$ - rm -rf $TMP_DIR - mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \ - startup_error "Can't create $TMP_DIR" - - trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - - if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then - config=$SHOREWALL_DIR/shorewall.conf - else - config=/etc/shorewall/shorewall.conf - fi - - if [ -f $config ]; then - . $config - else - echo "$config does not exist!" 
>&2 - exit 2 - fi - - FUNCTIONS=$SHARED_DIR/functions - - if [ -f $FUNCTIONS ]; then - . $FUNCTIONS - else - startup_error "$FUNCTIONS does not exist!" - fi - - VERSION_FILE=$SHARED_DIR/version - - [ -f $VERSION_FILE ] && version=`cat $VERSION_FILE` - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - [ -z "$FW" ] && FW=fw - - ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" - NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`" - MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`" - ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" - TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGPARMS="--match limit" - [ -n "$LOGRATE" ] && LOGPARMS="$LOGPARMS --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGPARMS="$LOGPARMS --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then - startup_error "Traffic Control requires Mangle" - fi - - [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP - - CLAMPMSS=`added_param_value_no CLAMPMSS $CLAMPMSS` - ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES` - ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` - NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` - MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` - DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` - MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` - FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` - NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` - - maclist_target=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then 
- case $MACLIST_DISPOSITION in - REJECT) - ;; - ACCEPT|DROP) - maclist_target=$MACLIST_DISPOSITION - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info - MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` - [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre - if [ -n "$TC_ENABLED" ]; then - CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC` - else - CLEAR_TC= - fi - OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING` - - [ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \ - startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No" - - run_user_exit params - - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts -} - -# -# Give Usage Information -# +################################################################################ +# Give Usage Information # +################################################################################ usage() { - echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}" + echo "Usage: $0 start|stop|restart|status" exit 1 } -# -# E X E C U T I O N B E G I N S H E R E -# -# -# Start trace if first arg is "debug" -# -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } - -nolock= - -[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; } - -trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9 - +################################################################################ +# E X E C U T I O N B E G I N S H E R E # 
+################################################################################ command="$1" case "$command" in - stop) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - echo -n "Stopping Shorewall..." - determine_zones - stop_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." - my_mutex_off - ;; - start) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt iptables -L shorewall -n ; then - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - echo "Shorewall Already Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 0; - fi - define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off - ;; + stop|start|restart|status) - restart) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt iptables -L shorewall -n ; then - define_firewall "Restart" - else - echo "Shorewall Not Currently Running" - define_firewall "Start" - fi - - [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off + exec /sbin/shorewall $@ ;; - - status) - [ $# -ne 1 ] && usage - echo "Shorewall-$version Status at $HOSTNAME - `date`" - echo - iptables -L -n -v - ;; - - reset) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - iptables -Z - iptables -t nat -Z - iptables -t mangle -Z - report "Shorewall Counters Reset" - date > $STATEDIR/restarted - my_mutex_off - ;; - - refresh) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - refresh_firewall; - my_mutex_off - ;; - - clear) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - echo -n "Clearing Shorewall..." - determine_zones - clear_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." 
- my_mutex_off - ;; - - check) - [ $# -ne 1 ] && usage - do_initialize - check_config - ;; - - add) - [ $# -ne 3 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - add_to_zone $2 $3 - my_mutex_off - ;; - - delete) - [ $# -ne 3 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - delete_from_zone $2 $3 - my_mutex_off - ;; - *) + usage ;; diff --git a/Lrp/etc/shorewall/blacklist b/Lrp/etc/shorewall/blacklist index 33df1518c..66ca0d9e4 100644 --- a/Lrp/etc/shorewall/blacklist +++ b/Lrp/etc/shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Blacklist File +# Shorewall 1.4 -- Blacklist File # # /etc/shorewall/blacklist # @@ -9,7 +9,7 @@ # # ADDRESS/SUBNET - Host address, subnetwork or MAC address # -# MAC addresses must be prefixed with "~" and use "-" +# MAC addresses must be prefixed with "~" and use "-" # as a separator. # # Example: ~00-A0-C9-15-39-78 @@ -27,7 +27,7 @@ # /etc/shorewall/shorewall.conf # # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching -# the protocol (and one of the ports if PORTS supplied) are blocked. +# the protocol (and one of the ports if PORTS supplied) are blocked. # # Example: # diff --git a/Lrp/etc/shorewall/common.def b/Lrp/etc/shorewall/common.def index cde58a555..7cf8676d7 100644 --- a/Lrp/etc/shorewall/common.def +++ b/Lrp/etc/shorewall/common.def 
@@ -1,7 +1,7 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/common.def +# Shorewall 1.4 -- /etc/shorewall/common.def # -# This file defines the rules that are applied before a policy of +# This file defines the rules that are applied before a policy of # DROP or REJECT is applied. In addition to the rules defined in this file, # the firewall will also define a DROP rule for each subnet broadcast # address defined in /etc/shorewall/interfaces (including "detect"). @@ -14,14 +14,12 @@ # run_iptables -A common -p icmp -j icmpdef ############################################################################ -# Drop invalid state TCP packets -# -run_iptables -A common -m state -p tcp --state INVALID -j DROP -############################################################################ # NETBIOS chatter # run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT +run_iptables -A common -p tcp --dport 139 -j REJECT +run_iptables -A common -p tcp --dport 445 -j REJECT run_iptables -A common -p tcp --dport 135 -j reject ############################################################################ # UPnP @@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP # AUTH -- Silently reject it so that connections don't get delayed. # run_iptables -A common -p tcp --dport 113 -j reject +############################################################################ +# DNS -- Silenty drop late replies +run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP + diff --git a/Lrp/etc/shorewall/hosts b/Lrp/etc/shorewall/hosts index 9ce4bc3ab..3a390cc58 100644 --- a/Lrp/etc/shorewall/hosts +++ b/Lrp/etc/shorewall/hosts @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - /etc/shorewall/hosts +# Shorewall 1.4 - /etc/shorewall/hosts # # WARNING: 90% of Shorewall users don't need to add entries to this # file and 80% of those who try to add such entries get it 
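Review bot: In `@@ -14,14 +14,12 @@` the two new TCP lines jump to `-j REJECT` while the port-135 line right below them and the AUTH line further down jump to the lower-case `reject` target, so one NETBIOS block answers with two different reject behaviours; unless that is intended, `run_iptables -A common -p tcp --dport 139 -j reject` and the same for 445 keep the section uniform. The same hunk drops the `--state INVALID -j DROP` rule and its header without saying where that check went; if it now happens before `common` is reached, a one-line comment such as `# INVALID-state packets are dropped before this chain is entered` would stop a maintainer from re-adding it here.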
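Review bot: The new DNS rule in `@@ -36,5 +34,9 @@` is written `-mstate --state NEW` whereas every other state match in this file uses the separated `-m state`; iptables appears to accept the joined spelling, but `run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP` reads consistently. The comment above it has a typo, `# DNS -- Silently drop late replies`, and would benefit from stating why the rule cannot break resolution for the firewall's own lookups, e.g. `# Replies to our own queries are ESTABLISHED in conntrack; only unsolicited UDP/53 packets match here` (presumably the intent, worth confirming).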
@@ -18,23 +18,18 @@ # a) The IP address of a host # b) A subnetwork in the form # / -# +# # The interface must be defined in the # /etc/shorewall/interfaces file. # # Examples: # # eth1:192.168.1.3 -# eth2:192.168.2.0/24 +# eth2:192.168.2.0/24 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: # -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# route messages to and from this -# member when the firewall is in the -# stopped state # maclist - Connection requests from these hosts # are compared against the contents of # /etc/shorewall/maclist. If this option @@ -43,5 +38,5 @@ # Shorewall is started. # # -#ZONE HOST(S) OPTIONS +#ZONE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/init b/Lrp/etc/shorewall/init index d7bee1d0a..0d4564439 100644 --- a/Lrp/etc/shorewall/init +++ b/Lrp/etc/shorewall/init @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/init +# Shorewall 1.4 -- /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces index 070df08d1..cfc0e2b0e 100644 --- a/Lrp/etc/shorewall/interfaces +++ b/Lrp/etc/shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Interfaces File +# Shorewall 1.4 -- Interfaces File # # /etc/shorewall/interfaces # @@ -14,7 +14,7 @@ # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you should # place "-" in this column. -# +# # INTERFACE Name of interface. Each interface may be listed only # once in this file. You may NOT specify the name of # an alias (e.g., eth0:0) here; see 
@@ -27,14 +27,14 @@ # column is left black.If the interface has multiple # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before # the firewall is started, you must have iproute # installed and the interface must only be associated # with a single subnet. -# +# # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter # "-" in this column. @@ -46,11 +46,6 @@ # a DHCP server running on the firewall or # you have a static IP but are on a LAN # segment with lots of Laptop DHCP clients. -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# When the firewall is stopped, allow -# and route traffic to and from this -# interface. # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 @@ -59,9 +54,6 @@ # enabled in shorewall.conf, packets # whose destination addresses are # reserved by RFC 1918 are also rejected. -# multi - This interface has multiple IP -# addresses and you want to be able to -# route between them. # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This # option can also be enabled globally in @@ -87,8 +79,8 @@ # TCP_FLAGS_DISPOSITION after having been # logged according to the setting of # TCP_FLAGS_LOG_LEVEL. -# proxyarp - -# Sets +# proxyarp - +# Sets # /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in @@ -96,7 +88,7 @@ # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# +# # The order in which you list the options is not # significant but the list should have no embedded white # space. 
@@ -106,27 +98,25 @@ # local subnet is 192.168.1.0/24. The interface gets # it's IP address via DHCP from subnet # 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. You want to be able to -# access the firewall from the local network when the -# firewall is stopped. +# 192.168.2.0/24 using eth2. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 routestopped +# local eth1 192.168.1.255 # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # -# net eth0 detect noping,dhcp -# loc eth1 detect routestopped +# net eth0 detect dhcp +# loc eth1 detect # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet -# connections and you want to ignore ping requests. +# connections. # -# net ppp0 - noping +# net ppp0 - ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/maclist b/Lrp/etc/shorewall/maclist index 37c61a38f..91b5e0f35 100644 --- a/Lrp/etc/shorewall/maclist +++ b/Lrp/etc/shorewall/maclist @@ -1,12 +1,12 @@ # -# Shorewall 1.3 - MAC list file +# Shorewall 1.4 - MAC list file # # /etc/shorewall/maclist # # Columns are: # # INTERFACE Network interface to a host -# +# # MAC MAC address of the host -- you do not need to use # the Shorewall format for MAC addresses here # diff --git a/Lrp/etc/shorewall/masq b/Lrp/etc/shorewall/masq index 0b8515619..27826945c 100644 --- a/Lrp/etc/shorewall/masq +++ b/Lrp/etc/shorewall/masq @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - Masquerade file +# Shorewall 1.4 - Masquerade file # # /etc/shorewall/masq # 
@@ -13,8 +13,8 @@ # /etc/shorewall/shorewall.conf, you may add ":" and # a digit to indicate that you want the alias added with # that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character @@ -25,7 +25,7 @@ # a subnet or as an interface. If you give the name of an # interface, you must have iproute installed and the interface # must be up before you start the firewall. -# +# # In order to exclude a subset of the specified SUBNET, you # may append "!" and a comma-separated list of IP addresses # and/or subnets that you wish to exclude. @@ -37,17 +37,17 @@ # # ADDRESS -- (Optional). If you specify an address here, SNAT will be # used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in +# ADD_SNAT_ALIASES is set to Yes or yes in # /etc/shorewall/shorewall.conf then Shorewall # will automatically add this address to the -# INTERFACE named in the first column. +# INTERFACE named in the first column. # # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # the address given in this column is the primary # IP address for the interface in the INTERFACE # column. # -# This column may not contain a DNS Name. +# This column may not contain a DNS Name. # # Example 1: # @@ -83,7 +83,7 @@ # # You want all outgoing traffic from 192.168.1.0/24 through # eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to +# primary address of eth0. You want 206.124.146.176 added to # be added to eth0 with name eth0:0. # # eth0:0 192.168.1.0/24 206.124.146.176 diff --git a/Lrp/etc/shorewall/modules b/Lrp/etc/shorewall/modules index 5bc6278dd..25b62c9e4 100644 --- a/Lrp/etc/shorewall/modules 
+++ b/Lrp/etc/shorewall/modules @@ -1,7 +1,12 @@ ############################################################################## -# Shorewall 1.3 /etc/shorewall/modules +# Shorewall 1.4 /etc/shorewall/modules # # This file loads the modules needed by the firewall. +# +# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in +# dependency order. i.e., if M2 depends on M1 then you must load M1 before +# you load M2. +# loadmodule ip_tables loadmodule iptable_filter diff --git a/Lrp/etc/shorewall/nat b/Lrp/etc/shorewall/nat index e791a8052..4c0db0cf7 100644 --- a/Lrp/etc/shorewall/nat +++ b/Lrp/etc/shorewall/nat @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.3 -- Network Address Translation Table +# Shorewall 1.4 -- Network Address Translation Table # # /etc/shorewall/nat # @@ -17,7 +17,7 @@ # column and must not be a DNS Name. # INTERFACE Interface that we want to EXTERNAL address to appear # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may -# follow the interface name with ":" and a digit to +# follow the interface name with ":" and a digit to # indicate that you want Shorewall to add the alias # with this name (e.g., "eth0:0"). That allows you to # see the alias with ifconfig. THAT IS THE ONLY THING diff --git a/Lrp/etc/shorewall/params b/Lrp/etc/shorewall/params index fbea82388..ba53d6446 100644 --- a/Lrp/etc/shorewall/params +++ b/Lrp/etc/shorewall/params @@ -1,5 +1,5 @@ # -# Shorewall 1.3 /etc/shorewall/params +# Shorewall 1.4 /etc/shorewall/params # # Assign any variables that you need here. # @@ -11,7 +11,7 @@ # # NET_IF=eth0 # NET_BCAST=130.252.100.255 -# NET_OPTIONS=noping,norfc1918 +# NET_OPTIONS=routefilter,norfc1918 # # Example (/etc/shorewall/interfaces record): # 
@@ -19,25 +19,7 @@ # # The result will be the same as if the record had been written # -# net eth0 130.252.100.255 noping,norfc1918 +# net eth0 130.252.100.255 routefilter,norfc1918 # -# Variables can be used in the following places in the other configuration -# files: -# -# /etc/shorewall/interfaces: -# /etc/shorewall/hosts -# -# All except the first column. -# -# /etc/shorewall/rules -# -# First column after ":". -# All remaining columns -# -# /etc/shorewall/tunnels -# /etc/shorewall/proxyarp -# /etc/shorewall/nat -# -# All columns ############################################################################## #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Lrp/etc/shorewall/policy b/Lrp/etc/shorewall/policy index 421d05c78..c90d1cdc1 100644 --- a/Lrp/etc/shorewall/policy +++ b/Lrp/etc/shorewall/policy @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Policy File +# Shorewall 1.4 -- Policy File # # /etc/shorewall/policy # diff --git a/Lrp/etc/shorewall/proxyarp b/Lrp/etc/shorewall/proxyarp index f7261543a..81c88a512 100644 --- a/Lrp/etc/shorewall/proxyarp +++ b/Lrp/etc/shorewall/proxyarp @@ -1,10 +1,10 @@ ############################################################################## # -# Shorewall 1.3 -- Proxy ARP +# Shorewall 1.4 -- Proxy ARP # # /etc/shorewall/proxyarp # -# This file is used to define Proxy ARP. +# This file is used to define Proxy ARP. # # Columns must be separated by white space and are: # diff --git a/Lrp/etc/shorewall/rfc1918 b/Lrp/etc/shorewall/rfc1918 index eae549722..fdfd1b45c 100644 --- a/Lrp/etc/shorewall/rfc1918 +++ b/Lrp/etc/shorewall/rfc1918 @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- RFC1918 File +# Shorewall 1.4 -- RFC1918 File # # /etc/shorewall/rfc1918 # 
@@ -25,7 +25,7 @@ 192.0.2.0/24 logdrop # Example addresses 192.168.0.0/16 logdrop # RFC 1918 # -# The following are generated using the Python program found at: +# The following are generated with the help of the Python program found at: # # http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/ # @@ -43,6 +43,8 @@ 39.0.0.0/8 logdrop # Reserved 41.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved +49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 +50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 58.0.0.0/7 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved @@ -53,7 +55,8 @@ 96.0.0.0/3 logdrop # Reserved 127.0.0.0/8 logdrop # Loopback 197.0.0.0/8 logdrop # Reserved -222.0.0.0/7 logdrop # Reserved +198.18.0.0/15 logdrop # Reserved +201.0.0.0/8 logdrop # Reserved - Central & South America 240.0.0.0/4 logdrop # Reserved # # End of generated entries diff --git a/Lrp/etc/shorewall/routestopped b/Lrp/etc/shorewall/routestopped index db1459080..55698c986 100644 --- a/Lrp/etc/shorewall/routestopped +++ b/Lrp/etc/shorewall/routestopped @@ -1,10 +1,10 @@ ############################################################################## # -# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped +# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped # # /etc/shorewall/routestopped # -# This file is used to define the hosts that are accessible when the +# This file is used to define the hosts that are accessible when the # firewall is stopped # # Columns must be separated by white space and are: @@ -12,7 +12,7 @@ # INTERFACE - Interface through which host(s) communicate with # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet -# addresses. If left empty or supplied as "-", +# If left empty or supplied as "-", # 0.0.0.0/0 is assumed. # # Example: diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules index 8a6244f55..53bae816c 100644 --- a/Lrp/etc/shorewall/rules +++ b/Lrp/etc/shorewall/rules 
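Review bot: The entries added in `@@ -43,6 +43,8 @@` and `@@ -53,7 +55,8 @@` are logdrop rules for address space that is only unallocated until IANA hands it out, yet the file carries no date saying when the list was generated, so an admin cannot tell how stale it is; an outdated bogon entry silently drops legitimate traffic once the block is assigned (the 201.0.0.0/8 line, annotated as earmarked for Central and South America, is exactly that kind of entry). Since the header says the list is produced with the help of a script, add the generation date beside it, e.g. `# Generated from the IANA list of <DATE-PLACEHOLDER> -- regenerate when upgrading`. The 198.18.0.0/15 line is labelled plain `Reserved` like its neighbours although it is the benchmarking range rather than an unassigned block, so a distinct comment such as `# Reserved for benchmark testing (RFC 2544)` would keep someone from pruning it with the others.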
@@ -1,5 +1,5 @@ # -# Shorewall version 1.3 - Rules File +# Shorewall version 1.4 - Rules File # # /etc/shorewall/rules # @@ -24,24 +24,31 @@ # DNAT -- Forward the request to another # system (and optionally another # port). -# DNAT- -- Advanced users only. +# DNAT- -- Advanced users only. # Like DNAT but only generates the # DNAT iptables rule and not # the companion ACCEPT rule. # REDIRECT -- Redirect the request to a local # port on the firewall. +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case) as a log level.\ -# This will log to the ULOG target and sent to a separate log -# through use of ulogd +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # -# # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or @@ -90,6 +97,8 @@ # 2. In DNAT rules, only IP addresses are # allowed; no FQDNs or subnet addresses # are permitted. +# 3. You may not specify both an interface and +# an address. # # The port that the server is listening on may be # included and separated from the server's IP address by 
@@ -106,10 +115,8 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# "all" or "related". If "related", the remainder of the -# entry must be omitted and connection requests that are -# related to existing requests will be accepted. +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port @@ -117,7 +124,7 @@ # interpreted as the destination icmp-type(s). # # A port range is expressed as :. -# +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain @@ -148,7 +155,7 @@ # Otherwise, a separate rule will be generated for each # port. # -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index 24c048975..1b8c05819 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf 
@@ -1,22 +1,17 @@ ############################################################################## -# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to +# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to # match your setup # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # This file should be placed in /etc/shorewall # -# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) +# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) +############################################################################## +# L O G G I N G ############################################################################## # -# You should not have to change the variables in this section -- they are set -# by the packager of your Shorewall distribution -# -SHARED_DIR=/usr/lib/shorewall -# -############################################################################## -# -# General note about log levels. Log levels are a method of describing +# General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # 
@@ -32,72 +27,32 @@ SHARED_DIR=/usr/lib/shorewall # 0 emerg # # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall -# log messages are generated by NetFilter and are logged using facility +# log messages are generated by NetFilter and are logged using facility # 'kern' and the level that you specifify. If you are unsure of the level # to choose, 6 (info) is a safe bet. You may specify levels by name or by # number. # -# If you have build your kernel with ULOG target support, you may also +# If you have build your kernel with ULOG target support, you may also # specify a log level of ULOG (must be all caps). Rather than log its # messages to syslogd, Shorewall will direct netfilter to log the messages # via the ULOG target which will send them to a process called 'ulogd'. -# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be +# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # configured to log all Shorewall message to their own log file ################################################################################ # -# PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. +# LOG FILE LOCATION # -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. +# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/shorewall_logging.html -# -# NAME OF THE FIREWALL ZONE -# -# Name of the firewall zone -- if not set or if set to an empty string, "fw" -# is assumed. 
-# -FW=fw - -# -# SUBSYSTEM LOCK FILE -# -# Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it -# should be /var/state/shorewall. If your init scripts don't use lock files, -# set this to "". -# - -SUBSYSLOCK=/var/run/shorewall - -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/tmp/shorewall - -# -# ALLOW RELATED CONNECTIONS -# -# Set this to "yes" or "Yes" if you want to accept all connection requests -# that are related to already established connections. For example, you want -# to accept FTP data connections. If you say "no" here, then to accept -# these connections between particular zones or hosts, you must include -# explicit "related" rules in /etc/shorewall/rules. -# - -ALLOWRELATED=yes - -# -# KERNEL MODULE DIRECTORY -# -# If your netfilter kernel modules are in a directory other than -# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that -# directory in this variable. Example: MODULESDIR=/etc/modules. - -MODULESDIR= +LOGFILE=/var/log/messages # # LOG RATE LIMITING 
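Review bot: This hunk deletes `FW=fw` and `ALLOWRELATED=yes` without re-adding them anywhere in the part of the file visible here, whereas `PATH`, `SUBSYSLOCK`, `STATEDIR` and `MODULESDIR` are only moved into the new LOCATION section in the following hunk; an admin upgrading from 1.3 who looks for ALLOWRELATED will not find out from this file whether it was dropped deliberately or lost in the reshuffle. If the 1.4 firewall no longer honours those settings, say so once near the top, e.g. `# ALLOWRELATED and FW are no longer read from this file -- see the 1.4 release notes`; if they are still read and merely fell out of the edit, they should be restored under the LOCATION section with the others. The hunk ends inside the file's comment block, so the remainder of the new layout is only partially visible here.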
@@ -132,25 +87,122 @@ LOGBURST= # packets are logged under the 'logunclean' interface option. If the variable # is empty, these packets will still be logged at the 'info' level. # -# See the comment at the top of this file for a description of log levels +# See the comment at the top of this section for a description of log levels # LOGUNCLEAN=info # -# LOG FILE LOCATION +# BLACKLIST LOG LEVEL # -# This variable tells the /sbin/shorewall program where to look for Shorewall -# log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. +# Set this variable to the syslogd level that you want blacklist packets logged +# (beware of DOS attacks resulting from such logging). If not set, no logging +# of blacklist packets occurs. # -# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see +# See the comment at the top of this section for a description of log levels # -# http://www.shorewall.net/FAQ.htm#faq6 +BLACKLIST_LOGLEVEL= -LOGFILE=/var/log/messages +# +# LOGGING 'New not SYN' rejects +# +# This variable only has an effect when NEWNOTSYN=No (see below). +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# See the comment at the top of this section for a description of log levels +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN= + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. 
+# +# See the comment at the top of this section for a description of log levels +# + +MACLIST_LOG_LEVEL=info + +# +# TCP FLAGS Log Level +# +# Specifies the logging level for packets that fail TCP Flags +# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then +# such packets will not be logged. +# +# See the comment at the top of this section for a description of log levels +# + +TCP_FLAGS_LOG_LEVEL=info + +# +# RFC1918 Log Level +# +# Specifies the logging level for packets that fail RFC 1918 +# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then +# RFC1918_LOG_LEVEL=info is assumed. +# +# See the comment at the top of this section for a description of log levels +# + +RFC1918_LOG_LEVEL=info + +################################################################################ +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +################################################################################ +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +# SUBSYSTEM LOCK FILE +# +# Set this to the name of the lock file expected by your init scripts. For +# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it +# should be /var/state/shorewall. If your init scripts don't use lock files, +# set this to "". +# + +SUBSYSLOCK=/var/run/shorewall + +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# +# This is the directory where the firewall maintains state information while +# it is running +# + +STATEDIR=/tmp/shorewall + +# +# KERNEL MODULE DIRECTORY +# +# If your netfilter kernel modules are in a directory other than +# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that +# directory in this variable. Example: MODULESDIR=/etc/modules. 
+ +MODULESDIR= + +################################################################################ +# F I R E W A L L O P T I O N S +################################################################################ + +# NAME OF THE FIREWALL ZONE +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +FW=fw # # ENABLE NAT SUPPORT 
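Review bot: The shipped default `STATEDIR=/tmp/shorewall` places the firewall's runtime state under a world-writable directory, so an unprivileged local user who creates `/tmp/shorewall` (or a symlink by that name) before the firewall first starts ends up owning, or redirecting, whatever the firewall writes there. The `/sbin/shorewall` change in this same commit already falls back to `/var/state/shorewall` when STATEDIR is empty, so the packaged default could be `STATEDIR=/var/state/shorewall` with a comment that the directory must not be writable by non-root users. On this LRP target the chosen path presumably has to be created by the init scripts on a ramdisk; I cannot see from this hunk whether that is done with restrictive permissions, so it is worth confirming wherever the directory is created.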
@@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No TC_ENABLED=No # -# BLACKLIST DISPOSITION +# Clear Traffic Shapping/Control # -# Set this variable to the action that you want to perform on packets from -# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, -# DROP is assumed. +# If this option is set to 'No' then Shorewall won't clear the current +# traffic control rules during [re]start. This setting is intended +# for use by people that prefer to configure traffic shaping when +# the network interfaces come up rather than when the firewall +# is started. If that is what you want to do, set TC_ENABLED=Yes and +# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That +# way, your traffic shaping rules can still use the 'fwmark' +# classifier based on packet marking defined in /etc/shorewall/tcrules. # -BLACKLIST_DISPOSITION=DROP +# If omitted, CLEAR_TC=Yes is assumed. + +CLEAR_TC=Yes # -# BLACKLIST LOG LEVEL +# Mark Packets in the forward chain # -# Set this variable to the syslogd level that you want blacklist packets logged -# (beward of DOS attacks resulting from such logging). If not set, no logging -# of blacklist packets occurs. +# When processing the tcrules file, Shorewall normally marks packets in the +# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set +# this to "Yes". If not specified or if set to the empty value (e.g., +# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # -# See the comment at the top of this file for a description of log levels +# Marking packets in the FORWARD chain has the advantage that inbound +# packets destined for Masqueraded/SNATed local hosts have had their destination +# address rewritten so they can be marked based on their destination. When +# packets are marked in the PREROUTING chain, packets destined for +# Masqueraded/SNATed local hosts still have a destination address corresponding +# to the firewall's external interface. 
# -BLACKLIST_LOGLEVEL= +# Note: Older kernels do not support marking packets in the FORWARD chain and +# setting this variable to Yes may cause startup problems. + +MARK_IN_FORWARD_CHAIN=No # # MSS CLAMPING 
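Review bot: The new section heading `# Clear Traffic Shapping/Control` misspells the word and is the only place in the file that does so; `# Clear Traffic Shaping/Control` matches the "traffic shaping" wording used in the paragraph under it. The CLEAR_TC and MARK_IN_FORWARD_CHAIN text that follows is carried over verbatim from its old position and needs no other change.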
@@ -311,63 +379,30 @@ MULTIPORT=No # DNAT net loc:192.168.1.3 tcp 80 # # it will forward TCP port 80 connections from the net to 192.168.1.3 -# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is +# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is # convenient for two reasons: # # a) If the the network interface has a dynamic IP address, the # firewall configuration will work even when the address # changes. # -# b) It saves having to configure the IP address in the rule +# b) It saves having to configure the IP address in the rule # while still allowing the firewall to be started before the # internet interface is brought up. # # This default behavior can also have a negative effect. If the -# internet interface has more than one IP address then the above -# rule will forward connection requests on all of these addresses; +# internet interface has more than one IP address then the above +# rule will forward connection requests on all of these addresses; # that may not be what is desired. # # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # only if the original destination address is the primary IP address of # one of the interfaces associated with the source zone. Note that this # requires all interfaces to the source zone to be up when the firewall -# is [re]started. +# is [re]started. DETECT_DNAT_IPADDRS=No -# -# MERGE HOSTS FILE -# -# The traditional behavior of the /etc/shorewall/hosts file has been that -# if that file has ANY entry for a zone then the zone must be defined -# entirely in the hosts file. This is counter-intuitive and has caused -# people some problems. -# -# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file -# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file -# are added to the contents described in the /etc/shorewall/interfaces file. 
-# -# Example: Suppose that we have the following interfaces and hosts files: -# -# Interfaces: -# -# net eth0 -# loc eth1 -# - ppp+ -# -# Hosts: -# -# loc ppp+:192.168.1.0/24 -# wrk ppp+:!192.168.1.0/24 -# -# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just -# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be -# ppp+:192.168.1.0 and eth1:0.0.0.0/0 -# -# If this variable is not set or is set to the empty value, "No" is assumed. - -MERGE_HOSTS=Yes - # # MUTEX TIMEOUT # @@ -383,36 +418,6 @@ MERGE_HOSTS=Yes MUTEX_TIMEOUT=60 -# -# LOGGING 'New not SYN' rejects -# -# This variable only has an effect when NEWNOTSYN=No (see below). -# -# When a TCP packet that does not have the SYN flag set and the ACK and RST -# flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, -# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. -# -# See the comment at the top of this file for a description of log levels -# -# Example: LOGNEWNOTSYN=debug - - -LOGNEWNOTSYN= - -# -# Old Ping Handling -# -# If this option is set to "Yes" then Shorewall will use its old ping handling -# facility including the FORWARDPING option in this file and the 'noping' and -# 'filterping' interface options. If this option is set to 'No' then ping -# is handled via policy and rules just like any other connection request. -# -# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND -# DON'T DELETE IT!!!!!! -# -OLD_PING_HANDLING=No - # # NEWNOTSYN # 
@@ -427,9 +432,21 @@ OLD_PING_HANDLING=No # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # also need to select NEWNOTSYN=Yes. - + NEWNOTSYN=No +################################################################################ +# P A C K E T D I S P O S I T I O N +################################################################################ +# +# BLACKLIST DISPOSITION +# +# Set this variable to the action that you want to perform on packets from +# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, +# DROP is assumed. +# +BLACKLIST_DISPOSITION=DROP + # # MAC List Disposition # 
@@ -441,86 +458,14 @@ NEWNOTSYN=No MACLIST_DISPOSITION=REJECT -# -# MAC List Log Level -# -# Specifies the logging level for connection requests that fail MAC -# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. -# -# See the comment at the top of this file for a description of log levels -# - -MACLIST_LOG_LEVEL=info - # # TCP FLAGS Disposition # -# This variable determins the disposition of packets having an invalid +# This variable determins the disposition of packets having an invalid # combination of TCP flags that are received on interfaces having the # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. TCP_FLAGS_DISPOSITION=DROP -# -# TCP FLAGS Log Level -# -# Specifies the logging level for packets that fail TCP Flags -# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. -# -# See the comment at the top of this file for a description of log levels -# - -TCP_FLAGS_LOG_LEVEL=info - -# -# RFC1918 Log Level -# -# Specifies the logging level for packets that fail RFC 1918 -# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then -# RFC1918_LOG_LEVEL=info is assumed. -# -# See the comment at the top of this file for a description of log levels -# - -RFC1918_LOG_LEVEL=info - -# -# Mark Packets in the forward chain -# -# When processing the tcrules file, Shorewall normally marks packets in the -# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set -# this to "Yes". If not specified or if set to the empty value (e.g., -# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. -# -# Marking packets in the FORWARD chain has the advantage that inbound -# packets destined for Masqueraded/SNATed local hosts have had their destination -# address rewritten so they can be marked based on their destination. 
When -# packets are marked in the PREROUTING chain, packets destined for -# Masqueraded/SNATed local hosts still have a destination address corresponding -# to the firewall's external interface. -# -# Note: Older kernels do not support marking packets in the FORWARD chain and -# setting this variable to Yes may cause startup problems. - -MARK_IN_FORWARD_CHAIN=No - -# -# Clear Traffic Shapping/Control -# -# If this option is set to 'No' then Shorewall won't clear the current -# traffic control rules during [re]start. This setting is intended -# for use by people that prefer to configure traffic shaping when -# the network interfaces come up rather than when the firewall -# is started. If that is what you want to do, set TC_ENABLED=Yes and -# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That -# way, your traffic shaping rules can still use the 'fwmark' -# classifier based on packet marking defined in /etc/shorewall/tcrules. -# -# If omitted, CLEAR_TC=Yes is assumed. - -CLEAR_TC=Yes - #LAST LINE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/start b/Lrp/etc/shorewall/start index bd36e8544..7b46073f8 100644 --- a/Lrp/etc/shorewall/start +++ b/Lrp/etc/shorewall/start @@ -1,6 +1,6 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/start +# Shorewall 1.4 -- /etc/shorewall/start # -# Add commands below that you want to be executed after shorewall has +# Add commands below that you want to be executed after shorewall has # been started or restarted. # diff --git a/Lrp/etc/shorewall/stop b/Lrp/etc/shorewall/stop index 5f097b037..6f402cfa6 100644 --- a/Lrp/etc/shorewall/stop +++ b/Lrp/etc/shorewall/stop @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/stop +# Shorewall 1.4 -- /etc/shorewall/stop # # Add commands below that you want to be executed at the beginning of a # "shorewall stop" command. 
diff --git a/Lrp/etc/shorewall/stopped b/Lrp/etc/shorewall/stopped index 90afeb3ac..2b5840691 100644 --- a/Lrp/etc/shorewall/stopped +++ b/Lrp/etc/shorewall/stopped @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/stopped +# Shorewall 1.4 -- /etc/shorewall/stopped # # Add commands below that you want to be executed at the completion of a # "shorewall stop" command. diff --git a/Lrp/etc/shorewall/tcrules b/Lrp/etc/shorewall/tcrules index 41d23120b..32215538c 100644 --- a/Lrp/etc/shorewall/tcrules +++ b/Lrp/etc/shorewall/tcrules @@ -1,5 +1,5 @@ # -# Shorewall version 1.3 - Traffic Control Rules File +# Shorewall version 1.4 - Traffic Control Rules File # # /etc/shorewall/tcrules # @@ -26,10 +26,10 @@ # /etc/shorewall/shorewall.conf. # # SOURCE Source of the packet. A comma-separated list of -# interface names, IP addresses, MAC addresses +# interface names, IP addresses, MAC addresses # and/or subnets. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT -# specify either ":P" or ":F" (marking always occurs +# specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). # # MAC addresses must be prefixed with "~" and use diff --git a/Lrp/etc/shorewall/tos b/Lrp/etc/shorewall/tos index 0254fcdff..60245554e 100644 --- a/Lrp/etc/shorewall/tos +++ b/Lrp/etc/shorewall/tos @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- /etc/shorewall/tos +# Shorewall 1.4 -- /etc/shorewall/tos # # This file defines rules for setting Type Of Service (TOS) # diff --git a/Lrp/etc/shorewall/tunnels b/Lrp/etc/shorewall/tunnels index 86747729b..ee45c54b3 100644 --- a/Lrp/etc/shorewall/tunnels +++ b/Lrp/etc/shorewall/tunnels @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - /etc/shorewall/tunnels +# Shorewall 1.4 - /etc/shorewall/tunnels # # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # 
@@ -25,7 +25,7 @@ # remote getway has no fixed address (Road Warrior) # then specify the gateway as 0.0.0.0/0. # -# GATEWAY +# GATEWAY # ZONES -- Optional. If the gateway system specified in the third # column is a standalone host then this column should # contain a comma-separated list of the names of the diff --git a/Lrp/etc/shorewall/zones b/Lrp/etc/shorewall/zones index 45f103b73..e9b882473 100644 --- a/Lrp/etc/shorewall/zones +++ b/Lrp/etc/shorewall/zones @@ -1,14 +1,14 @@ # -# Shorewall 1.3 /etc/shorewall/zones +# Shorewall 1.4 /etc/shorewall/zones # # This file determines your network zones. Columns are: # -# ZONE Short name of the zone +# ZONE Short name of the zone # DISPLAY Display name of the zone # COMMENTS Comments about the zone # #ZONE DISPLAY COMMENTS -net Net Internet +net Net Internet loc Local Local networks dmz DMZ Demilitarized zone #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall index 3a2da0b91..27e60db9b 100755 --- a/Lrp/sbin/shorewall +++ b/Lrp/sbin/shorewall @@ -1,8 +1,8 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 +# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003 # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # @@ -12,7 +12,7 @@ # Shorewall documentation is available at http://shorewall.sourceforge.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, 
@@ -23,7 +23,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# +# # If an error occurs while starting or restarting the firewall, the # firewall is automatically stopped. # @@ -34,13 +34,13 @@ # # shorewall add [:] zone Adds a host or subnet to a zone # shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall +# shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status # plus the last 20 "interesting" # packets -# shorewall status Displays firewall status +# shorewall status Displays firewall status # shorewall reset Resets iptables packet and # byte counts # shorewall clear Open the floodgates by @@ -75,7 +75,7 @@ # listed address(es) # shorewall reject
... Temporarily reject all packets from the # listed address(es) -# shorewall allow
... Reenable address(es) previously +# shorewall allow
... Reenable address(es) previously # disabled with "drop" or "reject" # shorewall save Save the list of "rejected" and # "dropped" addresses so that it will @@ -84,6 +84,7 @@ # # Display a chain if it exists # + showfirstchain() # $1 = name of chain { awk \ @@ -142,7 +143,7 @@ get_config() { display_chains() { trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 - + if [ "$haveawk" = "Yes" ]; then # # Send the output to a temporary file since ash craps if we try to store @@ -170,11 +171,11 @@ display_chains() echo chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` - + for chain in $chains; do showchain $chain done - + timed_read for zone in $zones; do @@ -242,7 +243,7 @@ display_chains() # Delay $timeout seconds -- if we're running on a recent bash2 then allow # to terminate the delay # -timed_read () +timed_read () { read -t $timeout foo 2> /dev/null @@ -252,7 +253,7 @@ timed_read () # # Display the last $1 packets logged # -packet_log() # $1 = number of messages +packet_log() # $1 = number of messages { local options @@ -334,7 +335,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that get_config host=`echo $HOSTNAME | sed 's/\..*$//'` oldrejects=`iptables -L -v -n | grep 'LOG'` - + if [ $1 -lt 0 ]; then let "timeout=- $1" pause="Yes" @@ -347,7 +348,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that while true; do display_chains - + clear echo "$banner `date`" echo @@ -361,7 +362,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" - + $RING_BELL packet_log 20 @@ -435,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that get_config host=`echo $HOSTNAME | sed 's/\..*$//'` oldrejects=`iptables -L -v -n | grep 'LOG'` - + if [ $1 -lt 0 ]; then timeout=$((- $1)) pause="Yes" 
@@ -570,24 +571,11 @@ fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -SHARED_DIR=/usr/lib/shorewall MUTEX_TIMEOUT= -if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then - config=$SHOREWALL_DIR/shorewall.conf -else - config=/etc/shorewall/shorewall.conf -fi - -if [ -f $config ]; then - . $config -else - echo "$config does not exist!" >&2 - exit 2 -fi - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall +SHARED_DIR=/usr/share/shorewall FIREWALL=$SHARED_DIR/firewall FUNCTIONS=$SHARED_DIR/functions VERSION_FILE=$SHARED_DIR/version @@ -599,6 +587,15 @@ else exit 2 fi +config=`find_file shorewall.conf` + +if [ -f $config ]; then + . $config +else + echo "$config does not exist!" >&2 + exit 2 +fi + if [ ! -f $FIREWALL ]; then echo "ERROR: Shorewall is not properly installed" if [ -L $FIREWALL ]; then @@ -754,7 +751,7 @@ case "$1" in echo "" echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" + echo " ---- ----- ----------" grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ while read count port ; do # List all services defined for the given port @@ -853,4 +850,4 @@ case "$1" in *) usage 1 ;; -esac +esac diff --git a/Lrp/var/lib/lrpkg/shorwall.list b/Lrp/var/lib/lrpkg/shorwall.list index 005f677aa..48a0731ed 100644 --- a/Lrp/var/lib/lrpkg/shorwall.list +++ b/Lrp/var/lib/lrpkg/shorwall.list @@ -1,5 +1,5 @@ etc/init.d/shorewall etc/shorewall sbin/shorewall -usr/lib/shorewall +usr/share/shorewall var/lib/lrpkg/shorwall.* diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version index 085c0f266..88c5fb891 100644 --- a/Lrp/var/lib/lrpkg/shorwall.version +++ b/Lrp/var/lib/lrpkg/shorwall.version @@ -1 +1 @@ -1.3.14 +1.4.0 diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 0eb54e969..93634625a 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm 
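Review bot: The fallback `[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall` in the `@@ -570,24 +571,11 @@` hunk now runs before shorewall.conf is sourced, because the sourcing moved into the `@@ -599,6 +587,15 @@` hunk after $FUNCTIONS is loaded (it has to, since `find_file` comes from there), so a configuration that sets STATEDIR to the empty string no longer receives the default; move that fallback line to immediately after `. $config` in the second hunk. In that second hunk the value `find_file` stores in `config` is then used unquoted in `[ -f $config ]` and `. $config`; writing `[ -f "$config" ]` and `. "$config"` keeps the existence test meaningful when the returned path contains whitespace. Since the file is executed as shell by a root process, the `-f` test says nothing about who can write it; I cannot tell from this hunk which directories `find_file` searches, so it is worth confirming that only root-owned locations are considered.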
@@ -3,1232 +3,1270 @@ - + - + - + - + Shorewall FAQ - + - + - - - + + - + + - - + +
+
- +

Shorewall FAQs

-
- +

1. I want to forward UDP - port 7777 to my my personal PC with IP address -192.168.1.5. I've looked everywhere and can't find how -to do it.

+ port 7777 to my my personal PC with IP address + 192.168.1.5. I've looked everywhere and can't find how + to do it.

- +

1a. Ok -- I followed those instructions - but it doesn't work.
-

+ but it doesn't work.
+

- +

1b. I'm still having problems with - port forwarding

- + port forwarding

+ +

2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 - in my local network. External clients can browse - http://www.mydomain.com but internal clients can't.

+ to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 + in my local network. External clients can browse + http://www.mydomain.com but internal clients can't.

- +

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 - addresses to hosts in Z. Hosts in Z cannot communicate - with each other using their external (non-RFC1918 addresses) - so they can't access each other using their DNS names.

+ subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names.

- +

3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. What - do I do?

+ or MSN Instant Messenger with Shorewall. What + do I do?

- +

4. I just used an online port scanner - to check my firewall and it shows some ports as -'closed' rather than 'blocked'. Why?

+ to check my firewall and it shows some ports as + 'closed' rather than 'blocked'. Why?

- +

4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

+ of my firewall and it showed 100s of ports as open!!!!

- +

5. I've installed Shorewall and now - I can't ping through the firewall

+ I can't ping through the firewall

- +

6. Where are the log messages - written and how do I change the destination?

+ written and how do I change the destination?

- +

6a. Are there any log parsers - that work with Shorewall?

- + that work with Shorewall?

+

6b. DROP messages on port 10619 are flooding the logs with their connect - requests. Can i exclude these error messages for this port temporarily - from logging in Shorewall?
-

- + requests. Can i exclude these error messages for this port temporarily + from logging in Shorewall?
+

+

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered - port. They get dropped, but what the heck are they?
-

- + of these DROP messages from port 53 to some high numbered + port. They get dropped, but what the heck are they?
+

+

6d. Why is the MAC address - in Shorewall log messages so long? I thought MAC addresses were - only 6 bytes in length.
-

- + in Shorewall log messages so long? I thought MAC addresses were + only 6 bytes in length.
+

+

7. When I stop Shorewall using 'shorewall stop', I can't connect to anything. Why doesn't that command - work?

+ work?

- +

8. When I try to start Shorewall - on RedHat I get messages about insmod failing -- - what's wrong?

+ on RedHat I get messages about insmod failing -- + what's wrong?
+

- + +

8a. When I try to start Shorewall +on RedHat I get a message referring me to FAQ #8
+

+

9. Why can't Shorewall detect - my interfaces properly?

+ my interfaces properly?

- +

10. What distributions does - it work with?

+ it work with?

- +

11. What features does it support?

- +

12. Is there a GUI?

- +

13. Why do you call it "Shorewall"?

- +

14. I'm connected via a cable modem - and it has an internel web server that allows me to - configure/monitor it but as expected if I enable rfc1918 - blocking for my eth0 interface, it also blocks the cable - modems web server.

+ and it has an internel web server that allows me to + configure/monitor it but as expected if I enable +rfc1918 blocking for my eth0 interface, it also blocks +the cable modems web server.

- +

14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 -address. If I enable RFC 1918 filtering on my external interface, - my DHCP client cannot renew its lease.

+ IP addresses, my ISP's DHCP server has an RFC 1918 + address. If I enable RFC 1918 filtering on my external +interface, my DHCP client cannot renew its lease.

- +

15. My local systems can't see - out to the net

+ out to the net

- +

16. Shorewall is writing log messages - all over my console making it unusable!
-

- 17. making it unusable!
+

+ 17. How do I find out why this traffic is getting logged?
-
- 18. Is there -any way to use aliased ip addresses with Shorewall, -and maintain separate rulesets for different IPs?
-
- 19. I have added -entries to /etc/shorewall/tcrules but they don't seem -to do anything. Why?
-
- 20. I have just set - up a server. Do I have to change Shorewall to allow access -to my server from the internet?
+
+ 18.
Is there + any way to use aliased ip addresses with Shorewall, + and maintain separate rulesets for different IPs?
+
+ 19. I have added + entries to /etc/shorewall/tcrules but they don't +seem to do anything. Why?
+
+ 20. I have just +set up a server. Do I have to change Shorewall to allow access + to my server from the internet?
+
+
21. I see these strange + log entries occasionally; what are they?
+

+ 22. I have some iptables + commands that I want to run when Shorewall starts. Which + file do I put them in?

-
21. I see these strange - log entries occasionally; what are they?
-

- 22. I have some iptables -commands that I want to run when Shorewall starts. Which -file do I put them in?
-
- 23. Why do you use such ugly - fonts on your web site?
-
- 24. How can I allow conections - to let's say the ssh port only from specific IP Addresses + 23. Why do you use such ugly + fonts on your web site?
+
+ 24. How can I allow conections + to let's say the ssh port only from specific IP Addresses on the internet?
-
- 25. How to I tell which version of Shorewall - I am running?
-
- -
+
+ 25. How to I tell which version of Shorewall + I am running?
+
+ +

1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've -looked everywhere and can't find how to do it.

+ my my personal PC with IP address 192.168.1.5. I've + looked everywhere and can't find how to do it. - +

Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a -port-forwarding rule to a local system is as follows:

+ do port forwarding under Shorewall. The format of a + port-forwarding rule to a local system is as follows:

- +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local -IP address>[:<local port>]<protocol><port #>
-

-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port #>
+

+
-
+ - +

So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

+ the rule is:

- +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
-

-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
+

+
-
+ - +
If - you want to forward requests directed to a particular address -( <external IP> ) on your firewall to an internal + you want to forward requests directed to a particular address + ( <external IP> ) on your firewall to an internal system:
- +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local -IP address>[:<local port>]<protocol><port #>-<external IP>
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port #>-<external +IP>
-
+ - Finally, if you need to forward a range of ports, in the PORT column - specify the range as low-port:high-port.
- + Finally, if you need to forward a range of ports, in the PORT +column specify the range as low-port:high-port.
+

1a. Ok -- I followed those instructions - but it doesn't work

+ but it doesn't work - +

Answer: That is usually the result of one of two things:

- +
    -
  • You are trying to test - from inside your firewall (no, that won't work -- see - FAQ #2).
  • -
  • You have a more basic -problem with your local system such as an incorrect default -gateway configured (it should be set to the IP address of -your firewall's internal interface).
  • +
  • You are trying to test + from inside your firewall (no, that won't work -- see + FAQ #2).
  • +
  • You have a more basic + problem with your local system such as an incorrect default + gateway configured (it should be set to the IP address +of your firewall's internal interface).
  • - +
- +

1b. I'm still having problems with port - forwarding

- Answer: To further diagnose this - problem:
- + forwarding + Answer: To further diagnose +this problem:
+ +
    -
  • As root, type "iptables -t nat --Z". This clears the NetFilter counters in the nat table.
  • -
  • Try to connect to the redirected - port from an external host.
  • -
  • As root type "shorewall show nat"
  • -
  • Locate the appropriate DNAT rule. - It will be in a chain called <source zone>_dnat - ('net_dnat' in the above examples).
  • -
  • Is the packet count in the first - column non-zero? If so, the connection request is reaching - the firewall and is being redirected to the server. In this - case, the problem is usually a missing or incorrect default +
  • As root, type "iptables -t nat + -Z". This clears the NetFilter counters in the nat table.
  • +
  • Try to connect to the redirected + port from an external host.
  • +
  • As root type "shorewall show +nat"
  • +
  • Locate the appropriate DNAT rule. + It will be in a chain called <source zone>_dnat + ('net_dnat' in the above examples).
  • +
  • Is the packet count in the first + column non-zero? If so, the connection request is reaching + the firewall and is being redirected to the server. In this + case, the problem is usually a missing or incorrect default gateway setting on the server (the server's default gateway should be the IP address of the firewall's interface to the server).
  • -
  • If the packet count is zero:
  • +
  • If the packet count is zero:
  • - + +
      -
    • the connection request is not -reaching your server (possibly it is being blocked by your -ISP); or
    • -
    • you are trying to connect to -a secondary IP address on your firewall and your rule is +
    • the connection request is not + reaching your server (possibly it is being blocked by your + ISP); or
    • +
    • you are trying to connect to + a secondary IP address on your firewall and your rule is only redirecting the primary IP address (You need to specify the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or
    • -
    • your DNAT rule doesn't match -the connection request in some other way. In that case, you -may have to use a packet sniffer such as tcpdump or ethereal +
    • your DNAT rule doesn't match + the connection request in some other way. In that case, +you may have to use a packet sniffer such as tcpdump or ethereal to further diagnose the problem.
      -
    • + - + +
    - -
- -

2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local - network. External clients can browse http://www.mydomain.com - but internal clients can't.

- + + + + +

2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local + network. External clients can browse http://www.mydomain.com + but internal clients can't.

+ +

Answer: I have two objections to this setup.

- + - +

If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your - external interface is eth0 and your internal interface - is eth1 and that eth1 has IP address 192.168.1.254 with subnet - 192.168.1.0/24, in /etc/shorewall/rules, add:

+ rather than a DNS solution, then assuming that your + external interface is eth0 and your internal interface + is eth1 and that eth1 has IP address 192.168.1.254 with subnet + 192.168.1.0/24, in /etc/shorewall/rules, add:

- +
- -
+ +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
-
-
+ +
- -
+ +

That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and are - running Shorewall 1.3.4 or later then include this in - /etc/shorewall/init:

-
+ IP address. If you have a dynamic IP address and +are running Shorewall 1.3.4 or later then include this +in /etc/shorewall/init:

+
- -
+ +
     ETH0_IP=`find_interface_address eth0`
-
+
- -
+ +

and make your DNAT rule:

-
+
- -
+ +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
-
-
+ +
- -
+ +

Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time - that you get a new IP address.

-
+ client to automatically restart Shorewall each time + that you get a new IP address.

+
- +

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses - to hosts in Z. Hosts in Z cannot communicate with each other - using their external (non-RFC1918 addresses) so they can't - access each other using their DNS names.

+ subnet and I use static NAT to assign non-RFC1918 addresses + to hosts in Z. Hosts in Z cannot communicate with each +other using their external (non-RFC1918 addresses) so they +can't access each other using their DNS names. - +

Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external - and internal clients to access a NATed host using the host's - DNS name.

+ using Bind Version 9 "views". It allows both external + and internal clients to access a NATed host using the +host's DNS name.

- +

Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address.

- +

If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:

- +

a) Set the Z->Z policy to ACCEPT.
- b) Masquerade Z to itself.
-
- Example:

+ b) Masquerade Z to itself.
+
+ Example:

- +

Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24

+ Interface: eth2
+ Subnet: 192.168.2.0/24

- +

In /etc/shorewall/interfaces:

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + - + +
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
-
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
+
-
+ - +

In /etc/shorewall/policy:

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + - + +
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
-
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
+
-
+ - +

In /etc/shorewall/masq:

- +
- + - - - - - - - - - - - + + + + + + + + + + + - + +
INTERFACE - SUBNETADDRESS
eth2192.168.2.0/24
-
INTERFACE + SUBNETADDRESS
eth2192.168.2.0/24
+
-
+ - +

3. I want to use Netmeeting or MSN Instant - Messenger with Shorewall. What do I do?

+ Messenger with Shorewall. What do I do? - +

Answer: There is an H.323 connection - tracking/NAT module that may help with Netmeeting. - Look here for a solution - for MSN IM but be aware that there are significant security risks involved - with this solution. Also check the Netfilter mailing list - archives at http://www.netfilter.org. -

+ tracking/NAT module that may help with Netmeeting. + Look here for a solution + for MSN IM but be aware that there are significant security risks involved + with this solution. Also check the Netfilter mailing list + archives at http://www.netfilter.org. +

- +

4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' - rather than 'blocked'. Why?

+ to check my firewall and it shows some ports as +'closed' rather than 'blocked'. Why? - +

Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 - rather than dropping them. This is necessary to prevent - outgoing connection problems to services that use the -'Auth' mechanism for identifying requesting users. Shorewall - also rejects TCP ports 135, 137 and 139 as well as UDP ports - 137-139. These are ports that are used by Windows (Windows can - be configured to use the DCE cell locator on port 135). Rejecting - these connection requests rather than dropping them cuts down -slightly on the amount of Windows chatter on LAN segments connected - to the Firewall.

+ always rejects connection requests on TCP port 113 + rather than dropping them. This is necessary to prevent + outgoing connection problems to services that use the + 'Auth' mechanism for identifying requesting users. Shorewall + also rejects TCP ports 135, 137 and 139 as well as UDP ports + 137-139. These are ports that are used by Windows (Windows can + be configured to use the DCE cell locator on port 135). Rejecting + these connection requests rather than dropping them cuts down + slightly on the amount of Windows chatter on LAN segments connected + to the Firewall.

- +

If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server - in violation of your Service Agreement.

+ your ISP preventing you from running a web server + in violation of your Service Agreement.

- +

4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!

+ firewall and it showed 100s of ports as open!!!! - +

Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing - back from your firewall then it reports the port as open. - If you want to see which UDP ports are really open, temporarily - change your net->all policy to REJECT, restart Shorewall - and do the nmap UDP scan again.

+ section about UDP scans. If nmap gets nothing + back from your firewall then it reports the port as +open. If you want to see which UDP ports are really open, + temporarily change your net->all policy to REJECT, restart + Shorewall and do the nmap UDP scan again.

- +

5. I've installed Shorewall and now I - can't ping through the firewall

+ can't ping through the firewall - +

Answer: If you want your firewall to be totally open - for "ping",

+ for "ping",

- +

a) Create /etc/shorewall/common if it doesn't already exist. -
- b) Be sure that the first command - in the file is ". /etc/shorewall/common.def"
- c) Add the following to /etc/shorewall/common -

+
+ b) Be sure that the first +command in the file is ". /etc/shorewall/common.def"
+ c) Add the following to /etc/shorewall/common +

- +
+

run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-

-
- For a complete description of Shorewall 'ping' management, - see this page. - + -j ACCEPT
+

+ + For a complete description of Shorewall 'ping' management, + see this page. +

6. Where are the log messages written - and how do I change the destination?

+ and how do I change the destination? - +

Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messaged logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart - syslogd (on a RedHat system, "service syslog restart").

+ When you have changed /etc/syslog.conf, be sure to restart + syslogd (on a RedHat system, "service syslog restart"). +

- +

By default, older versions of Shorewall ratelimited log messages - through settings - in /etc/shorewall/shorewall.conf -- If you want to log - all messages, set:

+ through settings + in /etc/shorewall/shorewall.conf -- If you want to log + all messages, set:

- -
-
     LOGLIMIT=""
LOGBURST=""

Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file.
-
+ +
+
     LOGLIMIT=""
LOGBURST=""
+Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages +to a separate file.
+
- +

6a. Are there any log parsers that work - with Shorewall?

+ with Shorewall? - +

Answer: Here are several links that may be helpful: -

+

- +
+

http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org

- http://gege.org/iptables
-

-
- I personnaly use Logwatch. It emails me a report - each day from my various systems with each report summarizing the - logged activity on the corresponding system. - + http://www.logwatch.org
+ http://gege.org/iptables
+

+ + I personnaly use Logwatch. It emails me a report + each day from my various systems with each report summarizing +the logged activity on the corresponding system. +

6b. DROP messages on port 10619 - are flooding the logs with their connect requests. Can i exclude - these error messages for this port temporarily from logging in Shorewall?

- Temporarily add the following rule:
- + are flooding the logs with their connect requests. Can i exclude + these error messages for this port temporarily from logging in Shorewall? + Temporarily add the following rule:
+
	DROP    net    fw    udp    10619
- +

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered port. They - get dropped, but what the heck are they?

- + of these DROP messages from port 53 to some high numbered port. +They get dropped, but what the heck are they? +
Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
- Answer: There are two possibilities:
- + Answer: There are two possibilities:
+
    -
  1. They are late-arriving replies to DNS queries.
  2. -
  3. They are corrupted reply packets.
  4. - +
  5. They are late-arriving replies to DNS queries.
  6. +
  7. They are corrupted reply packets.
  8. +
- You can distinguish the difference by setting the logunclean - option (/etc/shorewall/interfaces) - on your external interface (eth0 in the above example). If they get - logged twice, they are corrupted. I solve this problem by using an /etc/shorewall/common - file like this:
- -
+ You can distinguish the difference by setting the logunclean + option (/etc/shorewall/interfaces) + on your external interface (eth0 in the above example). If they get + logged twice, they are corrupted. I solve this problem by using an +/etc/shorewall/common file like this:
+ +
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
- The above file is also include in all of my sample configurations - available in the Quick Start - Guides and in the common.def file in Shorewall 1.4.0 and later.
- +
+ The above file is also include in all of my sample configurations + available in the Quick Start + Guides and in the common.def file in Shorewall 1.4.0 and later.
+

6d. Why is the MAC address in - Shorewall log messages so long? I thought MAC addresses were only 6 bytes - in length.

- What is labeled as the MAC address in a Shorewall log message is actually -the Ethernet frame header. IT contains:
- + Shorewall log messages so long? I thought MAC addresses were only 6 +bytes in length. + What is labeled as the MAC address in a Shorewall log message is actually + the Ethernet frame header. IT contains:
+
    -
  • the destination MAC address (6 bytes)
  • -
  • the source MAC address (6 bytes)
  • -
  • the ethernet frame type (2 bytes)
  • - +
  • the destination MAC address (6 bytes)
  • +
  • the source MAC address (6 bytes)
  • +
  • the ethernet frame type (2 bytes)
  • +
- Example:
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
- + Example:
+
+ MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
+
    -
  • Destination MAC address = 00:04:4c:dc:e2:28
  • -
  • Source MAC address = 00:b0:8e:cf:3c:4c
  • -
  • Ethernet Frame Type = 08:00 (IP Version 4)
  • - +
  • Destination MAC address = 00:04:4c:dc:e2:28
  • +
  • Source MAC address = 00:b0:8e:cf:3c:4c
  • +
  • Ethernet Frame Type = 08:00 (IP Version 4)
  • +
- +

7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that - command work?

+ stop', I can't connect to anything. Why doesn't that + command work? - +

The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed in /etc/shorewall/routestopped' - are activated. If you want to totally open up your firewall, - you must use the 'shorewall clear' command.

+ a safe state whereby only those hosts listed in /etc/shorewall/routestopped' + are activated. If you want to totally open up your firewall, + you must use the 'shorewall clear' command.

- +

8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?

+ I get messages about insmod failing -- what's wrong? - +

Answer: The output you will see looks something like - this:

+ this:

- +
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
- +

This is usually cured by the following sequence of commands: -

+

- -
-
     service ipchains stop
chkconfig --delete ipchains
rmmod ipchains
-
+ +
+
     service ipchains stop
chkconfig --delete ipchains
rmmod ipchains
+
- -
+ +

Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) - shipped with RH7.2.

-
+ for problems concerning the version of iptables (v1.2.3) + shipped with RH7.2.
+

+ +

8a. When I try to start Shorewall on RedHat +I get a message referring me to FAQ #8

+ Answer: This is usually cured by the sequence of commands shown above +in FAQ #8 + +

+
- +

- +

9. Why can't Shorewall detect my interfaces - properly?

+ properly? - +

I just installed Shorewall and when I issue the start command, - I see the following:

+ I see the following:

- -
+ +
     Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...
-
+
- -
+ +

Why can't Shorewall detect my interfaces properly?

-
+
- -
+ +

Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1

-
+
- +

10. What Distributions does it work with?

- +

Shorewall works with any GNU/Linux distribution that includes - the proper - prerequisites.

+ the proper + prerequisites.

- +

11. What Features does it have?

- +

Answer: See the Shorewall - Feature List.

+ Feature List.

- +

12. Is there a GUI?

- +

Answer: Yes. Shorewall support is included in Webmin - 1.060 and later versions. See http://www.webmin.com -

+ 1.060 and later versions. See http://www.webmin.com +

- +

13. Why do you call it "Shorewall"?

- +

Answer: Shorewall is a concatenation of "Shoreline" - (the city - where I live) and "Firewall". The full name -of the product is actually "Shoreline Firewall" but "Shorewall" is -must more commonly used.

+ (the +city where I live) and "Firewall". The full +name of the product is actually "Shoreline Firewall" but "Shorewall" +is must more commonly used.

- +

14. I'm connected via a cable modem - and it has an internal web server that allows me to - configure/monitor it but as expected if I enable rfc1918 - blocking for my eth0 interface (the internet one), it also - blocks the cable modems web server.

+ and it has an internal web server that allows me to + configure/monitor it but as expected if I enable rfc1918 + blocking for my eth0 interface (the internet one), it also + blocks the cable modems web server. - +

Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 - address of the modem in/out but still block all other rfc1918 - addresses?

+ that will let all traffic to and from the 192.168.100.1 + address of the modem in/out but still block all other rfc1918 + addresses?

- +

Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:

- -
+ +
     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
-
+
- -
+ +

If you are running version 1.3.1 or later, simply add the - following to -/etc/shorewall/rfc1918:

-
+ following to /etc/shorewall/rfc1918:

+
- -
+ +
- + - - - - - - - - - + + + + + + + + + - + +
SUBNET TARGET
192.168.100.1RETURN
SUBNET + TARGET
192.168.100.1RETURN
-
-
+ +
- -
+ +

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-

+

- +

Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, you must - also make an entry in /etc/shorewall/rfc1918 for that address. - For example, if you configure the address 192.168.100.2 on -your firewall, then you would add two entries to /etc/shorewall/rfc1918: -
-

+ interface to correspond to the modem address, you must + also make an entry in /etc/shorewall/rfc1918 for that address. + For example, if you configure the address 192.168.100.2 on + your firewall, then you would add two entries to /etc/shorewall/rfc1918: +
+

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + - + - -
SUBNET
-
TARGET
-
192.168.100.1
-
RETURN
-
192.168.100.2
-
RETURN
-
SUBNET
+
TARGET
+
192.168.100.1
+
RETURN
+
192.168.100.2
+
RETURN
+
-
-
- -
+ + +
+ + +

14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease.

-
+
- -
+ +

The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.

-
+ the IP address of your ISPs DHCP server.

+
- +

15. My local systems can't see out to - the net

+ the net - +

Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers - with eyes and what those computers will "see" when things - are working properly. That aside, the most common causes -of this problem are:

+ the net", I wonder where the poster bought computers + with eyes and what those computers will "see" when things + are working properly. That aside, the most common causes + of this problem are:

- +
    -
  1. +
  2. - +

    The default gateway on each local system isn't set to - the IP address of the local firewall interface.

    -
  3. -
  4. + the IP address of the local firewall interface.

    +
  5. +
  6. - +

    The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.

    -
  7. -
  8. + file is wrong or missing.

    +
  9. +
  10. - +

    The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and -hasn't enabled UDP and TCP port 53 from the firewall -to the internet.

    -
  11. + user is running a DNS server on the firewall and + hasn't enabled UDP and TCP port 53 from the firewall + to the internet.

    + - +
- +

16. Shorewall is writing log messages - all over my console making it unusable!

+ all over my console making it unusable! - +

Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent to the - console is specified in /etc/sysconfig/init in the LOGLEVEL - variable.
-

+ to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent to the + console is specified in /etc/sysconfig/init in the LOGLEVEL + variable.
+

- +

17. How do I find out why this traffic is getting - logged?

- Answer: Logging occurs out - of a number of chains (as indicated in the log message) -in Shorewall:
+ logged? + Answer: Logging occurs +out of a number of chains (as indicated in the log message) + in Shorewall:
- +
    -
  1. man1918 - The destination - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
  2. -
  3. rfc1918 - The source - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
  4. -
  5. all2<zone>, <zone>2all - or all2all - You have a policy that specifies a log level - and this packet is being logged under that policy. If you -intend to ACCEPT this traffic then you need a man1918 - The destination + address is listed in /etc/shorewall/rfc1918 with a logdrop + target -- see /etc/shorewall/rfc1918.
  6. +
  7. rfc1918 - The source + address is listed in /etc/shorewall/rfc1918 with a logdrop + target -- see /etc/shorewall/rfc1918.
  8. +
  9. all2<zone>, + <zone>2all or all2all - + You have a policy that specifies +a log level and this packet is being logged under that policy. + If you intend to ACCEPT this traffic then you need a rule to that effect.
    -
  10. -
  11. <zone1>2<zone2> - - Either you have a +
  12. <zone1>2<zone2> + - Either you have a policy for <zone1> to <zone2> that specifies a log level and this packet is being logged under that policy or this packet -matches a rule that includes -a log level.
  13. -
  14. <interface>_mac - The - packet is being logged under the maclist rule that includes + a log level.
  15. +
  16. <interface>_mac - +The packet is being logged under the maclist interface option.
    -
  17. -
  18. logpkt - The packet -is being logged under the logunclean +
  19. logpkt - The packet + is being logged under the logunclean interface option.
  20. -
  21. badpkt - The packet -is being logged under the dropunclean interface option as specified - in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
  22. -
  23. blacklst - The packet - is being logged because the source IP is blacklisted in -the /etc/shorewall/blacklist - file.
  24. -
  25. newnotsyn - The packet - is being logged because it is a TCP packet that is not +
  26. badpkt - The packet + is being logged under the dropunclean + interface option as specified + in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
  27. +
  28. blacklst - The packet + is being logged because the source IP is blacklisted in + the /etc/shorewall/blacklist + file.
  29. +
  30. newnotsyn - The packet + is being logged because it is a TCP packet that is not part of any current connection yet it is not a syn packet. Options affecting the logging of such packets include NEWNOTSYN - and LOGNEWNOTSYN in and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
  31. -
  32. INPUT or FORWARD - - The packet has a source IP address that isn't in any +
  33. INPUT or FORWARD + - The packet has a source IP address that isn't in any of your defined zones ("shorewall check" and look at the printed zone definitions) or the chain is FORWARD and the destination IP isn't in any of your defined zones.
  34. -
  35. logflags - The packet is being - logged because it failed the checks implemented by the tcpflags - interface option.
    -
  36. +
  37. logflags - The packet is being + logged because it failed the checks implemented by the tcpflags + interface option.
    +
  38. - +
- + +

18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different - IPs?

- Answer: Yes. See + Answer: Yes. See Shorewall and Aliased Interfaces. - +

19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?

- You probably haven't set TC_ENABLED=Yes -in /etc/shorewall/shorewall.conf so the contents of the tcrules - file are simply being ignored.
- + but they don't seem to do anything. Why? + You probably haven't set TC_ENABLED=Yes + in /etc/shorewall/shorewall.conf so the contents of the +tcrules file are simply being ignored.
+

20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from the -internet?
-

- Yes. Consult the
+ + Yes. Consult the
QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
- +

21. I see these strange log entries occasionally; - what are they?
-

- + what are they?
+ +
- +
Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- 192.0.2.3 is external on my firewall... 172.16.0.0/24 - is my internal LAN
-
- Answer: While most people associate -the Internet Control Message Protocol (ICMP) with 'ping', ICMP -is a key piece of the internet. ICMP is used to report problems -back to the sender of a packet; this is what is happening here. -Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), - there are a lot of broken implementations. That is what you are seeing -with these messages.
-
- Here is my interpretation of what is happening - -- to confirm this analysis, one would have to have packet sniffers - placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway 206.124.146.179 - sent a UDP DNS query to 192.0.2.3 and your DNS server tried -to send a response (the response information is in the brackets -- -note source port 53 which marks this as a DNS reply). When the response - was returned to to 206.124.146.179, it rewrote the destination IP -TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer -had a connection on UDP port 2857. This causes a port unreachable -(type 3, code 3) to be generated back to 192.0.2.3. As this packet is -sent back through 206.124.146.179, that box correctly changes the + + 192.0.2.3 is external on my firewall... 172.16.0.0/24 + is my internal LAN
+
+ Answer: While most people associate + the Internet Control Message Protocol (ICMP) with 'ping', +ICMP is a key piece of the internet. ICMP is used to report +problems back to the sender of a packet; this is what is happening + here. Unfortunately, where NAT is involved (including SNAT, DNAT +and Masquerade), there are a lot of broken implementations. That is + what you are seeing with these messages.
+
+ Here is my interpretation of what is happening + -- to confirm this analysis, one would have to have packet sniffers + placed a both ends of the connection.
+
+ Host 172.16.1.10 behind NAT gateway 206.124.146.179 + sent a UDP DNS query to 192.0.2.3 and your DNS server tried + to send a response (the response information is in the brackets +-- note source port 53 which marks this as a DNS reply). When the +response was returned to to 206.124.146.179, it rewrote the destination + IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer + had a connection on UDP port 2857. This causes a port unreachable + (type 3, code 3) to be generated back to 192.0.2.3. As this packet +is sent back through 206.124.146.179, that box correctly changes the source address in the packet to 206.124.146.179 but doesn't reset the DST IP in the original DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall has no record of having @@ -1239,59 +1277,54 @@ where the source IP in the ICMP itself isn't set back to the external IP of the remote NAT gateway; that causes your firewall to log and drop the packet out of the rfc1918 chain because the source IP is reserved by RFC 1918.
- +

22. I have some iptables commands that - I want to run when Shorewall starts. Which file do I put - them in?

- You can place these commands in one of the -Shorewall Extension Scripts. -Be sure that you look at the contents of the chain(s) that you will be modifying - with your commands to be sure that the commands will do what they - are intended. Many iptables commands published in HOWTOs and other - instructional material use the -A command which adds the rules to -the end of the chain. Most chains that Shorewall constructs end with -an unconditional DROP, ACCEPT or REJECT rule and any rules that you -add after that will be ignored. Check "man iptables" and look at the --I (--insert) command.
- + I want to run when Shorewall starts. Which file do I put + them in? + You can place these commands in one of the + Shorewall Extension Scripts. + Be sure that you look at the contents of the chain(s) that you will be modifying + with your commands to be sure that the commands will do what +they are intended. Many iptables commands published in HOWTOs and +other instructional material use the -A command which adds the rules +to the end of the chain. Most chains that Shorewall constructs end +with an unconditional DROP, ACCEPT or REJECT rule and any rules that +you add after that will be ignored. Check "man iptables" and look at +the -I (--insert) command.
+

23. Why do you use such ugly fonts on your - web site?

- The Shorewall web site is almost font neutral (it doesn't - explicitly specify fonts except on a few pages) so the fonts you see - are largely the default fonts configured in your browser. If you don't - like them then reconfigure your browser.
- + web site? + The Shorewall web site is almost font neutral (it doesn't + explicitly specify fonts except on a few pages) so the fonts you +see are largely the default fonts configured in your browser. If you +don't like them then reconfigure your browser.
+

24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the internet?

- In the SOURCE column of the rule, follow "net" by a colon - and a list of the host/subnet addresses as a comma-separated list.
- + the ssh port only from specific IP Addresses on the internet? + In the SOURCE column of the rule, follow "net" by a colon + and a list of the host/subnet addresses as a comma-separated list.
+
    net:<ip1>,<ip2>,...
- Example:
- + Example:
+
    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22
- +
- +

25. How to I tell which version of Shorewall - I am running?
-

- At the shell prompt, type:
-
-     /sbin/shorewall version
-
- Last updated 3/6/2003 - Tom Eastep - + I am running?
+ + At the shell prompt, type:
+
+     /sbin/shorewall version
+
+ Last updated 3/11/2003 - Tom + Eastep +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

-
-
-
-
-
-
+


diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm
index 012d38b88..9e62e68e9 100644
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@@ -3,7 +3,7 @@ - + Shorewall News
@@ -11,659 +11,633 @@ - + - + - + - - - + + - + + - - + +
- +
- + +

Shorewall News Archive

-
- -

3/14/2003 - Shorewall 1.4.0

- Shorewall 1.4 represents the - next step in the evolution of Shorewall. The main thrust of the initial -release is simply to remove the cruft that has accumulated in Shorewall over -time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' -utility).
-
- Function from 1.3 that has been omitted from this version include:
- + +

3/17/2003 - Shorewall 1.4.0

+ Shorewall 1.4 represents +the next step in the evolution of Shorewall. The main thrust of the initial + release is simply to remove the cruft that has accumulated in Shorewall +over time.
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' + utility).
+
+ Function from 1.3 that has been omitted from this version include:
+
    -
  1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
    -
    -
  2. -
  3. Interface names of the form <device>:<integer> in -/etc/shorewall/interfaces now generate an error.
    -
    -
  4. -
  5. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
    -
    -
  6. -
  7. The 'routestopped' option in the /etc/shorewall/interfaces and - /etc/shorewall/hosts files is no longer supported and will generate an -error at startup if specified.
    -
    -
  8. -
  9. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted.
    -
    -
  10. -
  11. The ALLOWRELATED variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
    -
    -
  12. -
  13. The icmp.def file has been removed.
    -
  14. - -
- Changes for 1.4 include:
- -
    -
  1. The /etc/shorewall/shorewall.conf file has been completely reorganized - into logical sections.
    -
    -
  2. -
  3. LOG is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
  4. -
  5. The firewall script and version file are now installed in /usr/share/shorewall.
    -
    -
  6. -
  7. Late arriving DNS replies are now silently dropped in the common - chain by default.
    -
    -
  8. -
  9. In addition to behaving like OLD_PING_HANDLING=No, Shorewall -1.4 no longer unconditionally accepts outbound ICMP packets. So if you -want to 'ping' from the firewall, you will need the appropriate rule or -policy.
    -
    -
  10. -
  11. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
  12. -
  13. 802.11b devices with names of the form wlan<n> now support the -'maclist' option.
    -
    -
  14. -
  15. Explicit Congestion Notification (ECN - RFC 3168) may now be turned -off on a host or network basis using the new /etc/shorewall/ecn file. To -use this facility:
    -
    -   a) You must be running kernel 2.4.20
    -   b) You must have applied the patch in
    -   http://www.shorewall/net/pub/shorewall/ecn/patch.
    -   c) You must have iptables 1.2.7a installed.
    -
    -
  16. -
  17. The /etc/shorewall/params file is now processed first so that variables -may be used in the /etc/shorewall/shorewall.conf file.
    -
  18. - -
- -

2/8/2003 - Shoreawall 1.3.14

- -

New features include

- -
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been (see - http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via -rules and policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options -in /etc/shorewall/interfaces will all generate an error.
    -
    -
  2. -
  3. It is now possible to direct Shorewall to create a "label" - such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead - of just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
  4. -
  5. Support for OpenVPN Tunnels.
    -
    -
  6. -
  7. Support for VLAN devices with names of the form $DEV.$VID -(e.g., eth0.0)
    +
  8. The MERGE_HOSTS variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.

  9. -
  10. In /etc/shorewall/tcrules, the MARK value may be optionally -followed by ":" and either 'F' or 'P' to designate that the marking will -occur in the FORWARD or PREROUTING chains respectively. If this additional -specification is omitted, the chain used to mark packets will be determined -by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
    -
    -
  11. -
  12. When an interface name is entered in the SUBNET column of -the /etc/shorewall/masq file, Shorewall previously masqueraded traffic -from only the first subnet defined on that interface. It did not masquerade - traffic from:
    -  
    -    a) The subnets associated with other addresses on the interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface -name in the SUBNET column, shorewall will use the firewall's routing -table to construct the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    - - -
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - - -
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    - - -
       [root@gateway test]# shorewall start
    ...
    Masqueraded Subnets and Hosts:
    To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
    To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
    Processing /etc/shorewall/tos...
    -  
    - When upgrading to Shorewall 1.3.14, if you have multiple local - subnets connected to an interface that is specified in the SUBNET column - of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will -need changing. In most cases, you will simply be able to remove redundant -entries. In some cases though, you might want to change from using the -interface name to listing specific subnetworks if the change described -above will cause masquerading to occur on subnetworks that you don't wish -to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    -   
    - - -
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    eth0                    192.168.10.0/24         206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - - -
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    -  
    -    In this case, the second entry in /etc/shorewall/masq is - no longer required.
    -  
    - Example 3 -- What if your current configuration is like this?
    -  
    - - -
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - - -
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    -  
    -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
    - - -
       #INTERFACE              SUBNET                  ADDRESS
    eth0                    192.168.1.0/24          206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
  13. - +
  14. Interface names of the form <device>:<integer> in + /etc/shorewall/interfaces now generate an error.
    +
    +
  15. +
  16. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. + OLD_PING_HANDLING=Yes will generate an error at startup as will specification + of the 'noping' or 'filterping' interface options.
    +
    +
  17. +
  18. The 'routestopped' option in the /etc/shorewall/interfaces and + /etc/shorewall/hosts files is no longer supported and will generate an +error at startup if specified.
    +
    +
  19. +
  20. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer + accepted.
    +
    +
  21. +
  22. The ALLOWRELATED variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
    +
    +
  23. +
  24. The icmp.def file has been removed.
    +
  25. +
- -


- 2/5/2003 - Shorewall Support included in Webmin 1.060

- -

Webmin version 1.060 now has Shorewall support included as standard. See - http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1

- -

Includes the Beta 2 content plus support for OpenVPN tunnels.

- -

1/28/2003 - Shorewall 1.3.14-Beta2

- -

Includes the Beta 1 content plus restores VLAN device names of the form - $dev.$vid (e.g., eth0.1)

- -

1/25/2003 - Shorewall 1.3.14-Beta1
-

- -

The Beta includes the following changes:
-

- + Changes for 1.4 include:
+
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been -(see http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via -rules and policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options -in /etc/shorewall/interfaces will all generate an error.
    -
    -
  2. -
  3. It is now possible to direct Shorewall to create a "label" - such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead +
  4. The /etc/shorewall/shorewall.conf file has been completely reorganized + into logical sections.
    +
    +
  5. +
  6. LOG is now a valid action for a rule (/etc/shorewall/rules).
    +
    +
  7. +
  8. The firewall script and version file are now installed in /usr/share/shorewall.
    +
    +
  9. +
  10. Late arriving DNS replies are now silently dropped in the common + chain by default.
    +
    +
  11. +
  12. In addition to behaving like OLD_PING_HANDLING=No, Shorewall +1.4 no longer unconditionally accepts outbound ICMP packets. So if you +want to 'ping' from the firewall, you will need the appropriate rule or +policy.
    +
    +
  13. +
  14. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
    +
    +
  15. +
  16. 802.11b devices with names of the form wlan<n> now support the +'maclist' option.
    +
    +
  17. +
  18. Explicit Congestion Notification (ECN - RFC 3168) may now be turned +off on a host or network basis using the new /etc/shorewall/ecn file. To use +this facility:
    +
    +    a) You must be running kernel 2.4.20
    +    b) You must have applied the patch in
    +    http://www.shorewall/net/pub/shorewall/ecn/patch.
    +    c) You must have iptables 1.2.7a installed.
    +
    +
  19. +
  20. The /etc/shorewall/params file is now processed first so that variables +may be used in the /etc/shorewall/shorewall.conf file.
    +
    +
  21. +
  22. Shorewall now gives a more helpful diagnostic when the +'ipchains' compatibility kernel module is loaded and a 'shorewall start' + command is issued.
    +
    +
  23. +
  24. The SHARED_DIR variable has been removed from shorewall.conf. This +variable was for use by package maintainers and was not documented for general +use.
    +
    +
  25. +
  26. Shorewall now ignores 'default' routes when detecting masq'd networks.
  27. + +
+ +

2/8/2003 - Shoreawall 1.3.14

+ +

New features include

+ +
    +
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been +(see http://www.shorewall.net/ping.html).
    +
    + When OLD_PING_HANDLING=No, icmp echo (ping) is handled via + rules and policies just like any other connection request. The FORWARDPING=Yes + option in shorewall.conf and the 'noping' and 'filterping' options + in /etc/shorewall/interfaces will all generate an error.
    +
    +
  2. +
  3. It is now possible to direct Shorewall to create a "label" + such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
  4. -
  5. When an interface name is entered in the SUBNET column - of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic - from only the first subnet defined on that interface. It did not masquerade - traffic from:
    -  
    -    a) The subnets associated with other addresses on the interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface -name in the SUBNET column, shorewall will use the firewall's routing -table to construct the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    +  
    +    a) In the INTERFACE column of /etc/shorewall/masq
    +    b) In the INTERFACE column of /etc/shorewall/nat
    +  
  6. +
  7. Support for OpenVPN Tunnels.
    +
    +
  8. +
  9. Support for VLAN devices with names of the form $DEV.$VID + (e.g., eth0.0)
    +
    +
  10. +
  11. In /etc/shorewall/tcrules, the MARK value may be optionally + followed by ":" and either 'F' or 'P' to designate that the marking will + occur in the FORWARD or PREROUTING chains respectively. If this additional + specification is omitted, the chain used to mark packets will be determined + by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
    +
    +
  12. +
  13. When an interface name is entered in the SUBNET column of + the /etc/shorewall/masq file, Shorewall previously masqueraded traffic + from only the first subnet defined on that interface. It did not masquerade + traffic from:
    +  
    +    a) The subnets associated with other addresses on the +interface.
    +    b) Subnets accessed through local routers.
    +  
    + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
    +  
    + Example 1 -- This is how it works in 1.3.14.
    +   
    - +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    - +
       [root@gateway test]# shorewall start
    ...
    Masqueraded Subnets and Hosts:
    To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
    To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
    Processing /etc/shorewall/tos...
    -  
    - When upgrading to Shorewall 1.3.14, if you have multiple local - subnets connected to an interface that is specified in the SUBNET column - of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will -need changing. In most cases, you will simply be able to remove redundant -entries. In some cases though, you might want to change from using the -interface name to listing specific subnetworks if the change described -above will cause masquerading to occur on subnetworks that you don't wish -to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    -   
    +  
    + When upgrading to Shorewall 1.3.14, if you have multiple +local subnets connected to an interface that is specified in the +SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq +file will need changing. In most cases, you will simply be able to remove +redundant entries. In some cases though, you might want to change from +using the interface name to listing specific subnetworks if the change +described above will cause masquerading to occur on subnetworks that you +don't wish to masquerade.
    +  
    + Example 2 -- Suppose that your current config is as follows:
    +   
    - +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    eth0                    192.168.10.0/24         206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    -  
    -    In this case, the second entry in /etc/shorewall/masq is - no longer required.
    -  
    - Example 3 -- What if your current configuration is like this?
    -  
    +  
    +    In this case, the second entry in /etc/shorewall/masq +is no longer required.
    +  
    + Example 3 -- What if your current configuration is like this?
    +  
    - +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    -  
    -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
    +  
    +    In this case, you would want to change the entry in  /etc/shorewall/masq + to:
    - +
       #INTERFACE              SUBNET                  ADDRESS
    eth0                    192.168.1.0/24          206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
  14. - + +
+ +


+ 2/5/2003 - Shorewall Support included in Webmin 1.060

+ +

Webmin version 1.060 now has Shorewall support included as standard. See + http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1

+ +

Includes the Beta 2 content plus support for OpenVPN tunnels.

+ +

1/28/2003 - Shorewall 1.3.14-Beta2

+

Includes the Beta 1 content plus restores VLAN device names of the form + $dev.$vid (e.g., eth0.1)

+ +

1/25/2003 - Shorewall 1.3.14-Beta1
+

+ +

The Beta includes the following changes:
+

+ +
    +
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been (see + http://www.shorewall.net/ping.html).
    +
    + When OLD_PING_HANDLING=No, icmp echo (ping) is handled via + rules and policies just like any other connection request. The FORWARDPING=Yes + option in shorewall.conf and the 'noping' and 'filterping' options + in /etc/shorewall/interfaces will all generate an error.
    +
    +
  2. +
  3. It is now possible to direct Shorewall to create a +"label" such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead + of just the interface name:
    +  
    +    a) In the INTERFACE column of /etc/shorewall/masq
    +    b) In the INTERFACE column of /etc/shorewall/nat
    +  
  4. +
  5. When an interface name is entered in the SUBNET column + of the /etc/shorewall/masq file, Shorewall previously masqueraded +traffic from only the first subnet defined on that interface. It did +not masquerade traffic from:
    +  
    +    a) The subnets associated with other addresses on the +interface.
    +    b) Subnets accessed through local routers.
    +  
    + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
    +  
    + Example 1 -- This is how it works in 1.3.14.
    +   
    + + +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    + + +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    + + +
       [root@gateway test]# shorewall start
    ...
    Masqueraded Subnets and Hosts:
    To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
    To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
    Processing /etc/shorewall/tos...
    +  
    + When upgrading to Shorewall 1.3.14, if you have multiple +local subnets connected to an interface that is specified in the +SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq +file will need changing. In most cases, you will simply be able to remove +redundant entries. In some cases though, you might want to change from +using the interface name to listing specific subnetworks if the change +described above will cause masquerading to occur on subnetworks that you +don't wish to masquerade.
    +  
    + Example 2 -- Suppose that your current config is as follows:
    +   
    + + +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    eth0                    192.168.10.0/24         206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    + + +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    +  
    +    In this case, the second entry in /etc/shorewall/masq +is no longer required.
    +  
    + Example 3 -- What if your current configuration is like this?
    +  
    + + +
       [root@gateway test]# cat /etc/shorewall/masq
    #INTERFACE              SUBNET                  ADDRESS
    eth0                    eth2                    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    + + +
       [root@gateway test]# ip route show dev eth2
    192.168.1.0/24  scope link
    192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    [root@gateway test]#
    +  
    +    In this case, you would want to change the entry in  /etc/shorewall/masq + to:
    + + +
       #INTERFACE              SUBNET                  ADDRESS
    eth0                    192.168.1.0/24          206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    +
  6. + +
+

1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. - the PDF may be downloaded from

-     Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. + the PDF may be downloaded from

+    
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/ - +     http://slovakia.shorewall.net/pub/shorewall/pdf/ +

1/17/2003 - shorewall.net has MOVED 

- +

Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and -ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A -big thanks to Alex for making this happen.
-

- + href="http://www.rettc.com">Rett Consulting, www.shorewall.net and ftp.shorewall.net +are now hosted on a system in Bellevue, Washington. A big thanks to Alex +for making this happen.
+

+

1/13/2003 - Shorewall 1.3.13
-

- +

+

Just includes a few things that I had on the burner:
-

- +

+
    -
  1. A new 'DNAT-' action has been added for entries -in the /etc/shorewall/rules file. DNAT- is intended for advanced -users who wish to minimize the number of rules that connection requests -must traverse.
    -
    - A Shorewall DNAT rule actually generates two iptables -rules: a header rewriting rule in the 'nat' table and an ACCEPT rule -in the 'filter' table. A DNAT- rule only generates the first of these -rules. This is handy when you have several DNAT rules that would generate -the same ACCEPT rule.
    -
    -    Here are three rules from my previous rules file:
    -
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    -
    -    These three rules ended up generating _three_ copies +
  2. A new 'DNAT-' action has been added for entries +in the /etc/shorewall/rules file. DNAT- is intended for advanced +users who wish to minimize the number of rules that connection requests + must traverse.
    +
    + A Shorewall DNAT rule actually generates two iptables +rules: a header rewriting rule in the 'nat' table and an ACCEPT rule +in the 'filter' table. A DNAT- rule only generates the first of these + rules. This is handy when you have several DNAT rules that would +generate the same ACCEPT rule.
    +
    +    Here are three rules from my previous rules file:
    +
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    +
    +    These three rules ended up generating _three_ copies of
    -
    -          ACCEPT net  dmz:206.124.146.177 tcp smtp
    -
    -    By writing the rules this way, I end up with only one - copy of the ACCEPT rule.
    -
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    -
    -
  3. -
  4. The 'shorewall check' command now prints out the -applicable policy between each pair of zones.
    -
    -
  5. -
  6. A new CLEAR_TC option has been added to shorewall.conf. - If this option is set to 'No' then Shorewall won't clear the current - traffic control rules during [re]start. This setting is intended for - use by people that prefer to configure traffic shaping when the network - interfaces come up rather than when the firewall is started. If that -is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not -supply an /etc/shorewall/tcstart file. That way, your traffic shaping -rules can still use the 'fwmark' classifier based on packet marking defined +
    +          ACCEPT net  dmz:206.124.146.177 tcp smtp
    +
    +    By writing the rules this way, I end up with only +one copy of the ACCEPT rule.
    +
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    +
    +
  7. +
  8. The 'shorewall check' command now prints out the + applicable policy between each pair of zones.
    +
    +
  9. +
  10. A new CLEAR_TC option has been added to shorewall.conf. + If this option is set to 'No' then Shorewall won't clear the current + traffic control rules during [re]start. This setting is intended for + use by people that prefer to configure traffic shaping when the network + interfaces come up rather than when the firewall is started. If that +is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not +supply an /etc/shorewall/tcstart file. That way, your traffic shaping +rules can still use the 'fwmark' classifier based on packet marking defined in /etc/shorewall/tcrules.
    -
    -
  11. -
  12. A new SHARED_DIR variable has been added that allows - distribution packagers to easily move the shared directory (default - /usr/lib/shorewall). Users should never have a need to change the -value of this shorewall.conf setting.
    -
  13. - +
    + +
  14. A new SHARED_DIR variable has been added that allows + distribution packagers to easily move the shared directory (default + /usr/lib/shorewall). Users should never have a need to change the + value of this shorewall.conf setting.
    +
  15. +
- -

1/6/2003 - BURNOUT -

- -

Until further notice, I will not be involved in either Shorewall Development + +

1/6/2003 - BURNOUT +

+ +

Until further notice, I will not be involved in either Shorewall Development or Shorewall Support

- +

-Tom Eastep
-

- +

+

12/30/2002 - Shorewall Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. - the PDF may be downloaded from

- + +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. + the PDF may be downloaded from

+

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

- +

+

12/27/2002 - Shorewall 1.3.12 Released

- +

Features include:
-

- +

+
    -
  1. "shorewall refresh" now reloads the traffic shaping - rules (tcrules and tcstart).
  2. -
  3. "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near - the end of the trace rather than up in the middle of it.
  4. -
  5. "shorewall [re]start" has been speeded up by +
  6. "shorewall refresh" now reloads the traffic +shaping rules (tcrules and tcstart).
  7. +
  8. "shorewall debug [re]start" now turns off debugging + after an error occurs. This places the point of the failure near + the end of the trace rather than up in the middle of it.
  9. +
  10. "shorewall [re]start" has been speeded up by more than 40% with my configuration. Your milage may vary.
  11. -
  12. A "shorewall show classifiers" command has been - added which shows the current packet classification filters. The - output from this command is also added as a separate page in -"shorewall monitor"
  13. -
  14. ULOG (must be all caps) is now accepted as a -valid syslog level and causes the subject packets to be logged -using the ULOG target rather than the LOG target. This allows you +
  15. A "shorewall show classifiers" command has been + added which shows the current packet classification filters. +The output from this command is also added as a separate page +in "shorewall monitor"
  16. +
  17. ULOG (must be all caps) is now accepted as a +valid syslog level and causes the subject packets to be logged +using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a separate log file.
  18. -
  19. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show -you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows -for marking input packets based on their destination even when -you are using Masquerading or SNAT.
  20. -
  21. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you - already have a file with one of these names, don't worry -- the -upgrade process won't overwrite your file.
  22. -
  23. I have added a new RFC1918_LOG_LEVEL variable -to shorewall.conf. This variable -specifies the syslog level at which packets are logged as a result -of entries in the /etc/shorewall/rfc1918 file. Previously, these packets -were always logged at the 'info' level.
    -
  24. - +
  25. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show you + the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for + marking input packets based on their destination even when you + are using Masquerading or SNAT.
  26. +
  27. I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you + already have a file with one of these names, don't worry -- the upgrade + process won't overwrite your file.
  28. +
  29. I have added a new RFC1918_LOG_LEVEL variable + to shorewall.conf. This variable + specifies the syslog level at which packets are logged as a result + of entries in the /etc/shorewall/rfc1918 file. Previously, these +packets were always logged at the 'info' level.
    +
  30. +
- +

12/20/2002 - Shorewall 1.3.12 Beta 3
-

- This version corrects a problem with Blacklist logging. - In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, -the firewall would fail to start and "shorewall refresh" would also -fail.
- +

+ This version corrects a problem with Blacklist logging. + In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the + firewall would fail to start and "shorewall refresh" would also fail.
+

12/20/2002 - Shorewall 1.3.12 Beta 2

- -

The first public Beta version of Shorewall 1.3.12 is now available (Beta + +

The first public Beta version of Shorewall 1.3.12 is now available (Beta 1 was made available only to a limited audience).
-

- Features include:
- +

+ Features include:
+
    -
  1. "shorewall refresh" now reloads the traffic +
  2. "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).
  3. -
  4. "shorewall debug [re]start" now turns off - debugging after an error occurs. This places the point of the - failure near the end of the trace rather than up in the middle -of it.
  5. -
  6. "shorewall [re]start" has been speeded up - by more than 40% with my configuration. Your milage may vary.
  7. -
  8. A "shorewall show classifiers" command has - been added which shows the current packet classification filters. - The output from this command is also added as a separate page in -"shorewall monitor"
  9. -
  10. ULOG (must be all caps) is now accepted -as a valid syslog level and causes the subject packets to be -logged using the ULOG target rather than the LOG target. This -allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages "shorewall debug [re]start" now turns off + debugging after an error occurs. This places the point of the + failure near the end of the trace rather than up in the middle of + it.
  11. +
  12. "shorewall [re]start" has been speeded +up by more than 40% with my configuration. Your milage may vary.
  13. +
  14. A "shorewall show classifiers" command +has been added which shows the current packet classification +filters. The output from this command is also added as a separate +page in "shorewall monitor"
  15. +
  16. ULOG (must be all caps) is now accepted +as a valid syslog level and causes the subject packets to be logged + using the ULOG target rather than the LOG target. This allows +you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a separate log file.
  17. -
  18. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show you - the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows for marking input packets based on - their destination even when you are using Masquerading or SNAT.
  19. -
  20. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you - already have a file with one of these names, don't worry -- the upgrade - process won't overwrite your file.
  21. - +
  22. If you are running a kernel that has a +FORWARD chain in the mangle table ("shorewall show mangle" will +show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for marking input packets based +on their destination even when you are using Masquerading or SNAT.
  23. +
  24. I have cluttered up the /etc/shorewall +directory with empty 'init', 'start', 'stop' and 'stopped' files. +If you already have a file with one of these names, don't worry +-- the upgrade process won't overwrite your file.
  25. +
- You may download the Beta from:
- + You may download the Beta from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + +

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

- Shorewall is at the center of MandrakeSoft's +

+ Shorewall is at the center of MandrakeSoft's recently-announced Multi + href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi Network Firewall (MNF) product. Here is the press - release.
- + href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press + release.
+

12/7/2002 - Shorewall Support for Mandrake 9.0

- -

Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I am now in a - position to support Shorewall users who run Mandrake 9.0.

- + +

Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. + I have installed 9.0 on one of my systems and I am now in +a position to support Shorewall users who run Mandrake 9.0.

+

12/6/2002 - Debian 1.3.11a Packages Available
-

+

- +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- +

12/3/2002 - Shorewall 1.3.11a

- -

This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 - users who don't need rules of this type need not upgrade to 1.3.11.

- + +

This is a bug-fix roll up which includes Roger Aich's fix for DNAT with + excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to +1.3.11.

+

11/24/2002 - Shorewall 1.3.11

- +

In this version:

- +
    -
  • A 'tcpflags' option has been added - to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP +
  • A 'tcpflags' option has been added + to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP packet header flags.
  • -
  • It is now allowed to use 'all' in -the SOURCE or DEST column in a rule. When used, 'all' must appear - by itself (in may not be qualified) and it does not enable intra-zone - traffic. For example, the rule
    -
    -     ACCEPT loc all tcp 80
    -
    - does not enable http traffic from 'loc' -to 'loc'.
  • -
  • Shorewall's use of the 'echo' command - is now compatible with bash clones such as ash and dash.
  • -
  • fw->fw policies now generate a -startup error. fw->fw rules generate a warning and are -ignored
  • - +
  • It is now allowed to use 'all' in + the SOURCE or DEST column in a rule. When used, 'all' must +appear by itself (in may not be qualified) and it does not enable + intra-zone traffic. For example, the rule
    +
    +     ACCEPT loc all tcp 80
    +
    + does not enable http traffic from 'loc' + to 'loc'.
  • +
  • Shorewall's use of the 'echo' command + is now compatible with bash clones such as ash and dash.
  • +
  • fw->fw policies now generate +a startup error. fw->fw rules generate a warning and +are ignored
  • +
- +

11/14/2002 - Shorewall Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from

- + +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. + the PDF may be downloaded from

+

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

- -

11/09/2002 - Shorewall is Back at SourceForge -

+

+ +

11/09/2002 - Shorewall is Back at SourceForge +

- +

The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-

+

- +

11/09/2002 - Shorewall 1.3.10

- + +

In this version:

- - - -

10/24/2002 - Shorewall is now in Gentoo Linux
-

- Alexandru Hartmann reports that his - Shorewall package is now a part of the Gentoo Linux distribution. - Thanks Alex!
- -

10/23/2002 - Shorewall 1.3.10 Beta 1

- In this version:
- - +
  • You may now define the contents of a zone dynamically - with the "shorewall add" - and "shorewall delete" commands. These commands are -expected to be used primarily within FreeS/Wan updown -scripts.
  • + href="IPSEC.htm#Dynamic">define the contents of a zone dynamically + with the "shorewall add" + and "shorewall delete" commands. These commands are +expected to be used primarily within FreeS/Wan updown scripts.
  • Shorewall can now do MAC verification on ethernet segments. - You can specify the set of allowed MAC addresses on the -segment and you can optionally tie each MAC address to one or -more IP addresses.
  • + href="MAC_Validation.html"> MAC verification on ethernet +segments. You can specify the set of allowed MAC addresses on the +segment and you can optionally tie each MAC address to one or more +IP addresses.
  • PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file.
  • @@ -673,101 +647,169 @@ is supported for use when the The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
  • The main firewall script is now - /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall - is very small and uses /sbin/shorewall to do the real work. - This change makes custom distributions such as for Debian and - for Gentoo easier to manage since it is /etc/init.d/shorewall - that tends to have distribution-dependent code.
  • + /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall + is very small and uses /sbin/shorewall to do the real work. + This change makes custom distributions such as for Debian and + for Gentoo easier to manage since it is /etc/init.d/shorewall + that tends to have distribution-dependent code
- You may download the Beta from:
- + +

10/24/2002 - Shorewall is now in Gentoo Linux
+

+ Alexandru Hartmann reports that his + Shorewall package is now a part of the Gentoo Linux distribution. + Thanks Alex!
+ + +

10/23/2002 - Shorewall 1.3.10 Beta 1

+ In this version:
+ + + You may download the Beta from:
+ + + - +

10/10/2002 -  Debian 1.3.9b Packages Available
-

+

- +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- +

10/9/2002 - Shorewall 1.3.9b

- This release rolls up fixes to the + This release rolls up fixes to the installer and to the firewall script.
- +

10/6/2002 - Shorewall.net now running on RH8.0
-

- The firewall and server here at -shorewall.net are now running RedHat release 8.0.
-
- 9/30/2002 - Shorewall 1.3.9a

- Roles up the fix for broken tunnels.
- - -

9/30/2002 - TUNNELS Broken in 1.3.9!!!

- There is an updated firewall script - at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
+
+ The firewall and server here at + shorewall.net are now running RedHat release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a

+ Roles up the fix for broken tunnels.
+

9/30/2002 - TUNNELS Broken in 1.3.9!!!

+ There is an updated firewall script + at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
+ +

9/28/2002 - Shorewall 1.3.9

- +

In this version:
-

+

- +
    -
  • DNS Names are - now allowed in Shorewall config files (although I recommend against - using them).
  • -
  • The connection SOURCE - may now be qualified by both interface and IP address +
  • DNS Names are +now allowed in Shorewall config files (although I recommend against + using them).
  • +
  • The connection SOURCE + may now be qualified by both interface and IP address in a Shorewall rule.
  • -
  • Shorewall startup is -now disabled after initial installation until the file -/etc/shorewall/startup_disabled is removed. This avoids -nasty surprises during reboot for users who install Shorewall -but don't configure it.
  • -
  • The 'functions' and 'version' - files and the 'firewall' symbolic link have been moved - from /var/lib/shorewall to /usr/lib/shorewall to appease - the LFS police at Debian.
    -
  • +
  • Shorewall startup is + now disabled after initial installation until the +file /etc/shorewall/startup_disabled is removed. This avoids + nasty surprises during reboot for users who install Shorewall + but don't configure it.
  • +
  • The 'functions' and 'version' + files and the 'firewall' symbolic link have been moved + from /var/lib/shorewall to /usr/lib/shorewall to appease + the LFS police at Debian.
    +
  • - +
- -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + +

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability Restored
-

- + Brown Paper Bag - A couple of recent configuration + A couple of recent configuration changes at www.shorewall.net broke the Search facility:
- -
+ +
- +
    +
  1. Mailing List Archive + Search was not available.
  2. +
  3. The Site Search index + was incomplete
  4. +
  5. Only one page of +matches was presented.
  6. + + + +
+
+ Hopefully these problems + are now corrected. + +

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
+

+ A couple of recent configuration + changes at www.shorewall.net had the negative effect + of breaking the Search facility:
+ + +
  1. Mailing List Archive Search was not available.
  2. The Site Search index @@ -775,1833 +817,1817 @@ but don't configure it.
  3. Only one page of matches was presented.
  4. - - -
-
- Hopefully these problems - are now corrected. - -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
-

- A couple of recent configuration - changes at www.shorewall.net had the negative effect - of breaking the Search facility:
- - -
    -
  1. Mailing List Archive - Search was not available.
  2. -
  3. The Site Search index - was incomplete
  4. -
  5. Only one page of matches - was presented.
  6. - - +
- Hopefully these problems + Hopefully these problems are now corrected.
- -

9/18/2002 -  Debian 1.3.8 Packages Available
-

- +

9/18/2002 -  Debian 1.3.8 Packages Available
+

+ +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- +

9/16/2002 - Shorewall 1.3.8

- +

In this version:
-

+

- +
    -
  • A NEWNOTSYN option has been - added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established - connection and that are not 'SYN' packets (SYN flag on and +
  • A NEWNOTSYN option has been + added to shorewall.conf. This option determines whether Shorewall + accepts TCP packets which are not part of an established + connection and that are not 'SYN' packets (SYN flag on and ACK flag off).
  • -
  • The need for the -'multi' option to communicate between zones za and -zb on the same interface is removed in the case where the chain - 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
  • +
  • The need for the + 'multi' option to communicate between zones za and + zb on the same interface is removed in the case where the +chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
  • + + + +
      +
    • There +is a policy for za to zb; or
    • +
    • There is at + least one rule for za to zb.
    • -
        -
      • There is - a policy for za to zb; or
      • -
      • There is at -least one rule for za to zb.
      • - - -
      - +
    - +
      -
    • The /etc/shorewall/blacklist - file now contains three columns. In addition to the - SUBNET/ADDRESS column, there are optional PROTOCOL and PORT - columns to block only certain applications from the blacklisted - addresses.
      -
    • +
    • The /etc/shorewall/blacklist + file now contains three columns. In addition to the + SUBNET/ADDRESS column, there are optional PROTOCOL and + PORT columns to block only certain applications from the + blacklisted addresses.
      +
    • - +
    - +

    9/11/2002 - Debian 1.3.7c Packages Available

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    9/2/2002 - Shorewall 1.3.7c

    - -

    This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).

    + +

    This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).

    - +

    8/31/2002 - I'm not available

    - -

    I'm currently on vacation  -- please respect my need for a couple of - weeks free of Shorewall problem reports.

    + +

    I'm currently on vacation  -- please respect my need for a couple of +weeks free of Shorewall problem reports.

    - +

    -Tom

    - +

    8/26/2002 - Shorewall 1.3.7b

    - -

    This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.

    + +

    This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" +checking.

    - +

    8/26/2002 - French FTP Mirror is Operational

    - +

    ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

    + href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available.

    - +

    8/25/2002 - Shorewall Mirror in France

    - -

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

    - +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available

    - -

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at Lorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a released8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -

    +

    - -

    1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.

    + +

    1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.

    - +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    - +

    Features in this release include:

    - +
      -
    • The 'icmp.def' -file is now empty! The rules in that file were required - in ipchains firewalls but are not required in Shorewall. - Users who have ALLOWRELATED=No in shorewall.conf should see the - Upgrade Issues.
    • -
    • A 'FORWARDPING' +
    • The 'icmp.def' + file is now empty! The rules in that file were required + in ipchains firewalls but are not required in Shorewall. + Users who have ALLOWRELATED=No in shorewall.conf should see +the Upgrade Issues.
    • +
    • A 'FORWARDPING' option has been added to shorewall.conf. The effect - of setting this variable to Yes is the same as - the effect of adding an ACCEPT rule for ICMP echo-request - in /etc/shorewall/icmpdef. - Users who have such a rule in icmpdef are encouraged + href="Documentation.htm#Conf"> shorewall.conf. The effect + of setting this variable to Yes is the same as +the effect of adding an ACCEPT rule for ICMP echo-request + in /etc/shorewall/icmpdef. + Users who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
    • -
    • The loopback CLASS - A Network (127.0.0.0/8) has been added to the rfc1918 - file.
    • -
    • Shorewall now +
    • The loopback +CLASS A Network (127.0.0.0/8) has been added to the + rfc1918 file.
    • +
    • Shorewall now works with iptables 1.2.7
    • -
    • The documentation +
    • The documentation and web site no longer uses FrontPage themes.
    • - +
    - -

    I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input - has led to marked improvement in Shorewall in the last - two releases.

    + +

    I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input + has led to marked improvement in Shorewall in the +last two releases.

    - +

    8/13/2002 - Documentation in the CVS Repository

    - -

    The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.

    + +

    The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.

    - +

    8/7/2002 - STABLE branch added to CVS Repository

    - -

    This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get - the latest stable tree.

    + +

    This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to +get the latest stable tree.

    - -

    8/7/2002 - Upgrade Issues section added - to the Errata Page

    + +

    8/7/2002 - Upgrade Issues section +added to the Errata Page

    - -

    Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.

    + +

    Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.

    - +

    8/7/2002 - Shorewall 1.3.6

    - +

    This is primarily a bug-fix rollup with a couple of new features:

    - + +
  • The processing + of "New not SYN" packets may be extended by commands + in the new newnotsyn + extension script.
  • +
+ +

7/30/2002 - Shorewall 1.3.5b Released

- +

This interim release:

- +
    -
  • Causes the firewall +
  • Causes the firewall script to remove the lock file if it is killed.
  • -
  • Once again allows +
  • Once again allows lists in the second column of the /etc/shorewall/hosts file.
  • -
  • Includes the latest - QuickStart Guides.
  • - - -
+
  • Includes the +latest QuickStart Guides.
  • + + +

    7/29/2002 - New Shorewall Setup Guide Available

    - +

    The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are - setting up Shorewall to manage multiple public IP addresses - and by people who want to learn more about Shorewall than - is described in the single-address guides. Feedback on -the new guide is welcome.

    + href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are + setting up Shorewall to manage multiple public IP + addresses and by people who want to learn more about Shorewall +than is described in the single-address guides. Feedback + on the new guide is welcome.

    - +

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - -

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/27/2002 - Shorewall 1.3.5a Released

    - +

    This interim release restores correct handling of REDIRECT rules.

    - +

    7/26/2002 - Shorewall 1.3.5 Released

    - -

    This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.

    + +

    This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.

    - +

     In this version:

    - +
      -
    • Empty and invalid - source and destination qualifiers are now detected - in the rules file. It is a good idea to use the 'shorewall - check' command before you issue a 'shorewall restart' - command be be sure that you don't have any configuration problems +
    • Empty and invalid + source and destination qualifiers are now detected + in the rules file. It is a good idea to use the 'shorewall + check' command before you issue a 'shorewall restart' + command be be sure that you don't have any configuration problems that will prevent a successful restart.
    • -
    • Added MERGE_HOSTS - variable in shorewall.conf - to provide saner behavior of the /etc/shorewall/hosts - file.
    • -
    • The time that -the counters were last reset is now displayed in the +
    • Added MERGE_HOSTS + variable in shorewall.conf + to provide saner behavior of the /etc/shorewall/hosts + file.
    • +
    • The time that +the counters were last reset is now displayed in the heading of the 'status' and 'show' commands.
    • -
    • A proxyarp +
    • A proxyarp option has been added for entries in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in - the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface - causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
    • -
    • The Samples have - been updated to reflect the new capabilities in this - release.
    • - - -
    + href="Documentation.htm#Interfaces">/etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in + the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface + causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp. +
  • The Samples have + been updated to reflect the new capabilities in this + release.
  • + + +

    7/16/2002 - New Mirror in Argentina

    - -

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!

    + +

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!

    - +

    7/16/2002 - Shorewall 1.3.4 Released

    - +

    In this version:

    - +
      -
    • A new /etc/shorewall/routestopped - file has been added. This file is intended to - eventually replace the routestopped option - in the /etc/shorewall/interface and /etc/shorewall/hosts - files. This new file makes remote firewall administration -easier by allowing any IP or subnet to be enabled while - Shorewall is stopped.
    • -
    • An /etc/shorewall/stopped - extension script -has been added. This script is invoked after Shorewall -has stopped.
    • -
    • A DETECT_DNAT_ADDRS - option has been added to /etc/shoreall/shorewall.conf. - When this option is selected, DNAT rules only apply when - the destination address is the external interface's - primary IP address.
    • -
    • The QuickStart Guide has - been broken into three guides and has been almost -entirely rewritten.
    • -
    • The Samples have - been updated to reflect the new capabilities in this - release.
    • - - -
    +
  • A new /etc/shorewall/routestopped + file has been added. This file is intended to +eventually replace the routestopped option + in the /etc/shorewall/interface and /etc/shorewall/hosts + files. This new file makes remote firewall administration +easier by allowing any IP or subnet to be enabled while +Shorewall is stopped.
  • +
  • An /etc/shorewall/stopped + extension script has + been added. This script is invoked after Shorewall has + stopped.
  • +
  • A DETECT_DNAT_ADDRS + option has been added to /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only apply when + the destination address is the external interface's + primary IP address.
  • +
  • The QuickStart Guide has + been broken into three guides and has been almost entirely + rewritten.
  • +
  • The Samples have + been updated to reflect the new capabilities in this + release.
  • + + +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - +

    Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/6/2002 - Shorewall 1.3.3 Released

    - +

    In this version:

    - +
      -
    • Entries in /etc/shorewall/interface - that use the wildcard character ("+") now have +
    • Entries in /etc/shorewall/interface + that use the wildcard character ("+") now have the "multi" option assumed.
    • -
    • The 'rfc1918' -chain in the mangle table has been renamed 'man1918' - to make log messages generated from that chain distinguishable - from those generated by the 'rfc1918' chain in the +
    • The 'rfc1918' +chain in the mangle table has been renamed 'man1918' + to make log messages generated from that chain distinguishable + from those generated by the 'rfc1918' chain in the filter table.
    • -
    • Interface names - appearing in the hosts file are now validated against +
    • Interface names + appearing in the hosts file are now validated against the interfaces file.
    • -
    • The TARGET column +
    • The TARGET column in the rfc1918 file is now checked for correctness.
    • -
    • The chain structure - in the nat table has been changed to reduce the - number of rules that a packet must traverse and to correct - problems with NAT_BEFORE_RULES=No
    • -
    • The "hits" command - has been enhanced.
    • - - -
    +
  • The chain structure + in the nat table has been changed to reduce the + number of rules that a packet must traverse and to correct +problems with NAT_BEFORE_RULES=No
  • +
  • The "hits" command + has been enhanced.
  • + + +

    6/25/2002 - Samples Updated for 1.3.2

    - -

    The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.

    + +

    The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.

    - +

    6/25/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/19/2002 - Documentation Available in PDF Format

    - -

    Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.

    + +

    Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.

    - +

    6/16/2002 - Shorewall 1.3.2 Released

    - +

    In this version:

    - + +
  • The files firewall, + functions and version have been + moved from /etc/shorewall to /var/lib/shorewall.
  • + + +

    6/6/2002 - Why CVS Web access is Password Protected

    - -

    Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:

    + +

    Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:

    - +
      -
    • Ignore robot.txt - files.
    • -
    • Recursively copy - everything that they find.
    • -
    • Should be classified - as weapons rather than tools.
    • - - -
    +
  • Ignore robot.txt + files.
  • +
  • Recursively copy + everything that they find.
  • +
  • Should be classified + as weapons rather than tools.
  • -

    These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the -cgi-generated HTML resulting in 1000s of executions -of the cvsweb.cgi script. Yesterday, I spend several hours - implementing measures to block these tools but unfortunately, - these measures resulted in my server OOM-ing under even - moderate load.

    + - -

    Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web -access will remain Password Protected.

    + +

    These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the + cgi-generated HTML resulting in 1000s of executions + of the cvsweb.cgi script. Yesterday, I spend several + hours implementing measures to block these tools but unfortunately, + these measures resulted in my server OOM-ing under even + moderate load.

    - + +

    Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web + access will remain Password Protected.

    + +

    6/5/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/2/2002 - Samples Corrected

    - -

    The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems - have been corrected in the The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems + have been corrected in the 1.3.1 samples.

    - +

    6/1/2002 - Shorewall 1.3.1 Released

    - +

    Hot on the heels of 1.3.0, this release:

    - + - +

    5/29/2002 - Shorewall 1.3.0 Released

    - -

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:

    + +

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:

    - +
      -
    • A 'filterping' -interface option that allows ICMP echo-request (ping) - requests addressed to the firewall to be handled by entries - in /etc/shorewall/rules and /etc/shorewall/policy.
    • - - -
    +
  • A 'filterping' + interface option that allows ICMP echo-request (ping) + requests addressed to the firewall to be handled by entries + in /etc/shorewall/rules and /etc/shorewall/policy.
  • + + +

    5/23/2002 - Shorewall 1.3 RC1 Available

    - -

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:

    + +

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:

    - + - +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    - -

    In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:

    + +

    In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:

    - +
      -
    • The structure -of the firewall is changed markedly. There is now -an INPUT and a FORWARD chain for each interface; this reduces - the number of rules that a packet must traverse, especially - in complicated setups.
    • -
    • Sub-zones may now be excluded - from DNAT and REDIRECT rules.
    • -
    • The names of the - columns in a number of the configuration files have - been changed to be more consistent and self-explanatory - and the documentation has been updated accordingly.
    • -
    • The sample configurations +
    • The structure +of the firewall is changed markedly. There is now an +INPUT and a FORWARD chain for each interface; this reduces + the number of rules that a packet must traverse, especially + in complicated setups.
    • +
    • Sub-zones may now be excluded + from DNAT and REDIRECT rules.
    • +
    • The names of +the columns in a number of the configuration files + have been changed to be more consistent and self-explanatory + and the documentation has been updated accordingly.
    • +
    • The sample configurations have been updated for 1.3.
    • - +
    - +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    - -

    Beta 1 carries the version designation 1.2.90 and implements the following - features:

    + +

    Beta 1 carries the version designation 1.2.90 and implements the following + features:

    - +
      -
    • Simplified rule - syntax which makes the intent of each rule clearer - and hopefully makes Shorewall easier to learn.
    • -
    • Upward compatibility - with 1.2 configuration files has been maintained so - that current users can migrate to the new syntax at - their convenience.
    • -
    • WARNING:  Compatibility with the old - parameterized sample configurations has NOT been maintained. - Users still running those configurations should migrate - to the new sample configurations before upgrading to +
    • Simplified rule + syntax which makes the intent of each rule clearer +and hopefully makes Shorewall easier to learn.
    • +
    • Upward compatibility + with 1.2 configuration files has been maintained + so that current users can migrate to the new syntax + at their convenience.
    • +
    • WARNING:  Compatibility with the old + parameterized sample configurations has NOT been maintained. + Users still running those configurations should migrate + to the new sample configurations before upgrading to 1.3 Beta 1.
    • - +
    - +

    5/4/2002 - Shorewall 1.2.13 is Available

    - +

    In this version:

    - + - +

    4/30/2002 - Shorewall Debian News

    - -

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.

    + +

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.

    - +

    4/20/2002 - Shorewall 1.2.12 is Available

    - +
      -
    • The 'try' command +
    • The 'try' command works again
    • -
    • There is now a -single RPM that also works with SuSE.
    • - - -
    +
  • There is now +a single RPM that also works with SuSE.
  • + + +

    4/17/2002 - Shorewall Debian News

    - +

    Lorenzo Marignoni reports that:

    - + +
  • Shorewall 1.2.10 + is in the Debian + Testing Branch
  • +
  • Shorewall 1.2.11 + is in the Debian + Unstable Branch
  • + + +

    Thanks, Lorenzo!

    - +

    4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

    - -

    Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 + +

    Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 SuSE RPM available.

    - +

    4/13/2002 - Shorewall 1.2.11 Available

    - +

    In this version:

    - +
      -
    • The 'try' command - now accepts an optional timeout. If the timeout is - given in the command, the standard configuration will -automatically be restarted after the new configuration -has been running for that length of time. This prevents - a remote admin from being locked out of the firewall in the -case where the new configuration starts but prevents access.
    • -
    • Kernel route filtering - may now be enabled globally using the new ROUTE_FILTER - parameter in /etc/shorewall/shorewall.conf.
    • -
    • Individual IP -source addresses and/or subnets may now be excluded - from masquerading/SNAT.
    • -
    • Simple "Yes/No" - and "On/Off" values are now case-insensitive in - /etc/shorewall/shorewall.conf.
    • +
    • The 'try' command + now accepts an optional timeout. If the timeout is + given in the command, the standard configuration will automatically + be restarted after the new configuration has been running + for that length of time. This prevents a remote admin from + being locked out of the firewall in the case where the new configuration + starts but prevents access.
    • +
    • Kernel route +filtering may now be enabled globally using the new + ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
    • +
    • Individual IP +source addresses and/or subnets may now be excluded + from masquerading/SNAT.
    • +
    • Simple "Yes/No" + and "On/Off" values are now case-insensitive in + /etc/shorewall/shorewall.conf.
    • - +
    - +

    4/13/2002 - Hamburg Mirror now has FTP

    - +

    Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  - Thanks Stefan!

    + href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.  + Thanks Stefan!

    - +

    4/12/2002 - New Mirror in Hamburg

    - -

    Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net. -

    + +

    Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at + http://germany.shorewall.net. +

    - +

    4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

    - -

    Version 1.1 of the QuickStart - Guide is now available. Thanks to those who - have read version 1.0 and offered their suggestions. - Corrections have also been made to the sample scripts.

    + +

    Version 1.1 of the QuickStart + Guide is now available. Thanks to those who + have read version 1.0 and offered their suggestions. + Corrections have also been made to the sample scripts.

    - +

    4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

    - -

    Version 1.0 of the QuickStart - Guide is now available. This Guide and its -accompanying sample configurations are expected to -provide a replacement for the recently withdrawn parameterized - samples.

    + +

    Version 1.0 of the QuickStart + Guide is now available. This Guide and its + accompanying sample configurations are expected +to provide a replacement for the recently withdrawn parameterized + samples.

    - +

    4/8/2002 - Parameterized Samples Withdrawn

    - +

    Although the parameterized - samples have allowed people to get a firewall - up and running quickly, they have unfortunately set - the wrong level of expectation among those who have used - them. I am therefore withdrawing support for the samples - and I am recommending that they not be used in new Shorewall -installations.

    + href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to get a firewall + up and running quickly, they have unfortunately set + the wrong level of expectation among those who have used + them. I am therefore withdrawing support for the samples + and I am recommending that they not be used in new Shorewall + installations.

    - +

    4/2/2002 - Updated Log Parser

    - -

    John Lodge has provided an updated - version of his CGI-based log parser - with corrected date handling.

    + +

    John Lodge has provided an updated + version of his CGI-based log parser + with corrected date handling.

    - +

    3/30/2002 - Shorewall Website Search Improvements

    - -

    The quick search on the home page now excludes the mailing list archives. - The Extended Search - allows excluding the archives or restricting the search - to just the archives. An archive search form is also -available on the mailing list information - page.

    + +

    The quick search on the home page now excludes the mailing list archives. + The Extended Search + allows excluding the archives or restricting the +search to just the archives. An archive search form +is also available on the mailing list information + page.

    - +

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    - + + href="http://packages.debian.org/unstable/net/shorewall.html">Debian + Unstable Distribution. + + +

    3/25/2002 - Log Parser Available

    - +

    John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.

    + href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John.

    - +

    3/20/2002 - Shorewall 1.2.10 Released

    - +

    In this version:

    - +
      -
    • A "shorewall try" - command has been added (syntax: shorewall try - <configuration directory>). This command - attempts "shorewall -c <configuration directory> - start" and if that results in the firewall being stopped - due to an error, a "shorewall start" command is executed. The +
    • A "shorewall +try" command has been added (syntax: shorewall try + <configuration directory>). This + command attempts "shorewall -c <configuration directory> + start" and if that results in the firewall being stopped + due to an error, a "shorewall start" command is executed. The 'try' command allows you to create a new configuration and attempt - to start it; if there is an error that leaves your firewall - in the stopped state, it will automatically be restarted using + href="Documentation.htm#Configs"> configuration and attempt + to start it; if there is an error that leaves your firewall + in the stopped state, it will automatically be restarted using the default configuration (in /etc/shorewall).
    • -
    • A new variable -ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. - If this variable is set to "Yes", Shorewall will -automatically add IP addresses listed in the third - column of the /etc/shorewall/masq - file.
    • -
    • Copyright notices +
    • A new variable + ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. + If this variable is set to "Yes", Shorewall will automatically + add IP addresses listed in the third column of +the /etc/shorewall/masq +file.
    • +
    • Copyright notices have been added to the documenation.
    • - +
    - +

    3/11/2002 - Shorewall 1.2.9 Released

    - +

    In this version:

    - + - +

    3/1/2002 - 1.2.8 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/25/2002 - New Two-interface Sample

    - -

    I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - + +

    I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    - +

    2/23/2002 - Shorewall 1.2.8 Released

    - -

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies - for any inconvenience my carelessness may have caused.

    + +

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies + for any inconvenience my carelessness may have caused.

    - +

    2/22/2002 - Shorewall 1.2.7 Released

    - +

    In this version:

    - +
      -
    • UPnP probes (UDP - destination port 1900) are now silently dropped in - the common chain
    • -
    • RFC 1918 checking - in the mangle table has been streamlined to no longer - require packet marking. RFC 1918 checking in the filter - table has been changed to require half as many rules as -previously.
    • -
    • A 'shorewall check' - command has been added that does a cursory validation - of the zones, interfaces, hosts, rules and policy files.
    • +
    • UPnP probes (UDP + destination port 1900) are now silently dropped +in the common chain
    • +
    • RFC 1918 checking + in the mangle table has been streamlined to no longer + require packet marking. RFC 1918 checking in the filter + table has been changed to require half as many rules as previously.
    • +
    • A 'shorewall +check' command has been added that does a cursory +validation of the zones, interfaces, hosts, rules and + policy files.
    • - +
    - +

    2/18/2002 - 1.2.6 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/8/2002 - Shorewall 1.2.6 Released

    - +

    In this version:

    - +
      -
    • $-variables may - now be used anywhere in the configuration files except +
    • $-variables may + now be used anywhere in the configuration files except /etc/shorewall/zones.
    • -
    • The interfaces -and hosts files now have their contents validated -before any changes are made to the existing Netfilter - configuration. The appearance of a zone name that isn't - defined in /etc/shorewall/zones causes "shorewall start" -and "shorewall restart" to abort without changing the Shorewall - state. Unknown options in either file cause a warning to be -issued.
    • -
    • A problem occurring - when BLACKLIST_LOGLEVEL was not set has been -corrected.
    • - - -
    +
  • The interfaces + and hosts files now have their contents validated + before any changes are made to the existing Netfilter + configuration. The appearance of a zone name that isn't + defined in /etc/shorewall/zones causes "shorewall start" + and "shorewall restart" to abort without changing the Shorewall + state. Unknown options in either file cause a warning to be + issued.
  • +
  • A problem occurring + when BLACKLIST_LOGLEVEL was not set has been corrected.
  • + + +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    - +

    see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/1/2002 - Shorewall 1.2.5 Released

    - -

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall + +

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall 1.2.5. Sorry for the rapid-fire development.

    - +

    In version 1.2.5:

    - +
      -
    • The installation +
    • The installation problems have been corrected.
    • -
    • SNAT is now supported.
    • -
    • A "shorewall version" - command has been added
    • -
    • The default value - of the STATEDIR variable in /etc/shorewall/shorewall.conf - has been changed to /var/lib/shorewall in order -to conform to the GNU/Linux File Hierarchy Standard, Version +
    • A "shorewall version" + command has been added
    • +
    • The default value + of the STATEDIR variable in /etc/shorewall/shorewall.conf + has been changed to /var/lib/shorewall in order + to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.
    • - +
    - +

    1/28/2002 - Shorewall 1.2.4 Released

    - +
      -
    • The "fw" zone may now be given a different name.
    • -
    • You may now place - end-of-line comments (preceded by '#') in any of the - configuration files
    • -
    • There is now protection - against against two state changing operations - occuring concurrently. This is implemented using the 'lockfile' - utility if it is available (lockfile is part of procmail); - otherwise, a less robust technique is used. The lockfile - is created in the STATEDIR defined in /etc/shorewall/shorewall.conf - and has the name "lock".
    • -
    • "shorewall start" - no longer fails if "detect" is specified in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255.
    • +
    • The "fw" zone + may now be given a different +name.
    • +
    • You may now place + end-of-line comments (preceded by '#') in any of +the configuration files
    • +
    • There is now protection + against against two state changing operations + occuring concurrently. This is implemented using the 'lockfile' + utility if it is available (lockfile is part of procmail); + otherwise, a less robust technique is used. The lockfile + is created in the STATEDIR defined in /etc/shorewall/shorewall.conf + and has the name "lock".
    • +
    • "shorewall start" + no longer fails if "detect" is specified in + /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255.
    • - +
    - +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    1/20/2002 - Corrected firewall script available 

    - -

    Corrects a problem with BLACKLIST_LOGLEVEL. See the + +

    Corrects a problem with BLACKLIST_LOGLEVEL. See the errata for details.

    - +

    1/19/2002 - Shorewall 1.2.3 Released

    - +

    This is a minor feature and bugfix release. The single new feature is:

    - +
      -
    • Support for TCP -MSS Clamp to PMTU -- This support is usually required - when the internet connection is via PPPoE or PPTP and -may be enabled using the CLAMPMSS - option in /etc/shorewall/shorewall.conf.
    • +
    • Support for TCP + MSS Clamp to PMTU -- This support is usually required + when the internet connection is via PPPoE or PPTP and + may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
    • - +
    - +

    The following problems were corrected:

    - +
      -
    • The "shorewall +
    • The "shorewall status" command no longer hangs.
    • -
    • The "shorewall +
    • The "shorewall monitor" command now displays the icmpdef chain
    • -
    • The CLIENT PORT(S) +
    • The CLIENT PORT(S) column in tcrules is no longer ignored
    • - +
    - +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    - -

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + +

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo for details.

    - +

    1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There -is a link to Lorenzo's site from the Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There + is a link to Lorenzo's site from the Shorewall download page.

    - +

    1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.

    + href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health.

    - +

    1/8/2002 - Shorewall 1.2.2 Released

    - +

    In version 1.2.2

    - +
      -
    • Support for IP -blacklisting has been added +
    • Support for IP +blacklisting has been added - +
        -
      • You specify whether - you want packets from blacklisted hosts dropped or - rejected using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf
      • -
      • You specify whether - you want packets from blacklisted hosts logged and - at what syslog level using the BLACKLIST_LOGLEVEL -setting in /etc/shorewall/shorewall.conf
      • -
      • You list the -IP addresses/subnets that you wish to blacklist in - /etc/shorewall/blacklist
      • -
      • You specify the - interfaces you want checked against the blacklist - using the new "blacklist" - option in /etc/shorewall/interfaces.
      • -
      • The black list - is refreshed from /etc/shorewall/blacklist by the - "shorewall refresh" command.
      • +
      • You specify +whether you want packets from blacklisted hosts dropped + or rejected using the BLACKLIST_DISPOSITION + setting in /etc/shorewall/shorewall.conf
      • +
      • You specify +whether you want packets from blacklisted hosts logged + and at what syslog level using the BLACKLIST_LOGLEVEL + setting in /etc/shorewall/shorewall.conf
      • +
      • You list the +IP addresses/subnets that you wish to blacklist in + /etc/shorewall/blacklist
      • +
      • You specify +the interfaces you want checked against the blacklist + using the new "blacklist" + option in /etc/shorewall/interfaces.
      • +
      • The black list + is refreshed from /etc/shorewall/blacklist by the + "shorewall refresh" command.
      • - +
      -
    • -
    • Use of TCP RST -replies has been expanded  +
    • +
    • Use of TCP RST +replies has been expanded  - +
        -
      • TCP connection - requests rejected because of a REJECT policy are now +
      • TCP connection + requests rejected because of a REJECT policy are now replied with a TCP RST packet.
      • -
      • TCP connection - requests rejected because of a protocol=all rule in - /etc/shorewall/rules are now replied with a TCP RST +
      • TCP connection + requests rejected because of a protocol=all rule in + /etc/shorewall/rules are now replied with a TCP RST packet.
      • - +
      -
    • -
    • A LOGFILE specification -has been added to /etc/shorewall/shorewall.conf. LOGFILE is used - to tell the /sbin/shorewall program where to look for Shorewall +
    • +
    • A LOGFILE specification has + been added to /etc/shorewall/shorewall.conf. LOGFILE is used + to tell the /sbin/shorewall program where to look for Shorewall messages.
    • - +
    - +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two - new rules added:

    + target="_blank">version 1.2.0) released.
    These are minor updates + to the previously-released samples. There are two + new rules added:

    - +
      -
    • Unless you have -explicitly enabled Auth connections (tcp port 113) -to your firewall, these connections will be REJECTED rather - than DROPPED. This speeds up connection establishment to - some servers.
    • -
    • Orphan DNS replies +
    • Unless you have + explicitly enabled Auth connections (tcp port 113) + to your firewall, these connections will be REJECTED +rather than DROPPED. This speeds up connection establishment + to some servers.
    • +
    • Orphan DNS replies are now silently dropped.
    • - +
    - +

    See the README file for upgrade instructions.

    - +

    1/1/2002 - Shorewall Mailing List Moving

    - -

    The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you - are a current subscriber to the list at Sourceforge, -please see these instructions. - If you would like to subscribe to the new list, visit - http://www.shorewall.net/mailman/listinfo/shorewall-users.

    + +

    The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If +you are a current subscriber to the list at Sourceforge, + please see these instructions. + If you would like to subscribe to the new list, +visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    - +

    12/31/2001 - Shorewall 1.2.1 Released

    - +

    In version 1.2.1:

    - + +
  • 'shorewall show + tc' now correctly handles tunnels.
  • -

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001

    - - -

    Version 1.2 contains the following new features:

    - - - - -

    For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x - users will not be forced into a quick upgrade to 1.2.0 + +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001

    + + +

    Version 1.2 contains the following new features:

    + + + + + +

    For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x + users will not be forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

    - -

    For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading -to 1.2.0:

    + +

    For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading + to 1.2.0:

    - -
    + +
    - +

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    -
    +
    - -

    12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in -Texas. This web site is mirrored at http://www.infohiiway.com/shorewall + +

    12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. + This web site is mirrored at http://www.infohiiway.com/shorewall and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    - +

    11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:

    + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample + Configurations has been released
    . In this version:

    - +
      -
    • Ping is now allowed - between the zones.
    • -
    • In the three-interface - configuration, it is now possible to configure the - internet services that are to be available to servers in +
    • Ping is now allowed + between the zones.
    • +
    • In the three-interface + configuration, it is now possible to configure the + internet services that are to be available to servers in the DMZ. 
    • - +
    - +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    - +

    In this version:

    - +
      -
    • The spelling of -ADD_IP_ALIASES has been corrected in the shorewall.conf - file
    • -
    • The logic for deleting - user-defined chains has been simplified so that it - avoids a bug in the LRP version of the 'cut' utility.
    • -
    • The /var/lib/lrpkg/shorwall.conf - file has been corrected to properly display the +
    • The spelling of + ADD_IP_ALIASES has been corrected in the shorewall.conf + file
    • +
    • The logic for +deleting user-defined chains has been simplified so + that it avoids a bug in the LRP version of the 'cut' utility.
    • +
    • The /var/lib/lrpkg/shorwall.conf + file has been corrected to properly display the NAT entry in that file.
    • - +
    - -

    11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror - in the Slovak Republic. The website is now mirrored - at http://www.nrg.sk/mirror/shorewall + +

    11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror + in the Slovak Republic. The website is now mirrored + at http://www.nrg.sk/mirror/shorewall and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    - -

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + +

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. There are three sample configurations:

    - +
      -
    • One Interface -- - for a standalone system.
    • -
    • Two Interfaces +
    • One Interface +-- for a standalone system.
    • +
    • Two Interfaces -- A masquerading firewall.
    • -
    • Three Interfaces +
    • Three Interfaces -- A masquerading firewall with DMZ.
    • - +
    - +

    Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 . See the README file for instructions.

    - -

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend - this to be the last of the 1.1 Shorewall + +

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + this to be the last of the 1.1 Shorewall releases.

    - +

    In this version:

    - + - -

    10/22/2001 - The current version of Shorewall is 1.1.16. In this + +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this version:

    - +
      -
    • A new "shorewall +
    • A new "shorewall show connections" command has been added.
    • -
    • In the "shorewall - monitor" output, the currently tracked connections - are now shown on a separate page.
    • -
    • Prior to this release, - Shorewall unconditionally added the external IP - adddress(es) specified in /etc/shorewall/nat. Beginning - with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be - set to "no" (or "No") to inhibit this behavior. - This allows IP aliases created using your distribution's - network configuration tools to be used in static +
    • In the "shorewall + monitor" output, the currently tracked connections + are now shown on a separate page.
    • +
    • Prior to this +release, Shorewall unconditionally added the external + IP adddress(es) specified in /etc/shorewall/nat. Beginning + with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be + set to "no" (or "No") to inhibit this behavior. + This allows IP aliases created using your distribution's + network configuration tools to be used in static NAT. 
    • - +
    - -

    10/15/2001 - The current version of Shorewall is 1.1.15. In this + +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this version:

    + +
      +
    • Support for nested + zones has been improved. See the documentation for details
    • +
    • Shorewall now +correctly checks the alternate configuration directory + for the 'zones' file.
    • + + +
    + + +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this + version

    +
      -
    • Support for nested - zones has been improved. See the documentation for -details
    • -
    • Shorewall now correctly - checks the alternate configuration directory for - the 'zones' file.
    • - - -
    - - -

    10/4/2001 - The current version of Shorewall is 1.1.14. In this - version

    - - -
      -
    • Shorewall now supports - alternate configuration directories. When an - alternate directory is specified when starting or restarting - Shorewall (e.g., "shorewall -c /etc/testconf restart"), - Shorewall will first look for configuration files in the alternate - directory then in /etc/shorewall. To create an alternate -configuration simply:
      - 1. Create a New Directory
      - 2. Copy to that directory - any of your configuration files that you want to - change.
      - 3. Modify the copied +
    • Shorewall now +supports alternate configuration directories. When + an alternate directory is specified when starting or +restarting Shorewall (e.g., "shorewall -c /etc/testconf + restart"), Shorewall will first look for configuration files + in the alternate directory then in /etc/shorewall. To +create an alternate configuration simply:
      + 1. Create a New +Directory
      + 2. Copy to that +directory any of your configuration files that you + want to change.
      + 3. Modify the copied files as needed.
      - 4. Restart Shorewall + 4. Restart Shorewall specifying the new directory.
    • -
    • The rules for allowing/disallowing - icmp echo-requests (pings) are now moved after - rules created when processing the rules file. This allows - you to add rules that selectively allow/deny ping based - on source or destination address.
    • -
    • Rules that specify - multiple client ip addresses or subnets no longer -cause startup failures.
    • -
    • Zone names in the - policy file are now validated against the zones file.
    • -
    • If you have packet mangling support - enabled, the "norfc1918" - interface option now logs and drops any incoming -packets on the interface that have an RFC 1918 -destination address.
    • +
    • The rules for +allowing/disallowing icmp echo-requests (pings) are + now moved after rules created when processing the rules + file. This allows you to add rules that selectively allow/deny + ping based on source or destination address.
    • +
    • Rules that specify + multiple client ip addresses or subnets no longer cause + startup failures.
    • +
    • Zone names in +the policy file are now validated against the zones + file.
    • +
    • If you have packet mangling support + enabled, the "norfc1918" + interface option now logs and drops any incoming packets + on the interface that have an RFC 1918 destination + address.
    • - +
    - -

    9/12/2001 - The current version of Shorewall is 1.1.13. In this - version

    + +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this + version

    - +
      -
    • Shell variables -can now be used to parameterize Shorewall rules.
    • -
    • The second column - in the hosts file may now contain a comma-separated - list.
      -
      - Example:
      -     sea    eth0:130.252.100.0/24,206.191.149.0/24
    • -
    • Handling of multi-zone +
    • Shell variables + can now be used to parameterize Shorewall rules.
    • +
    • The second column + in the hosts file may now contain a comma-separated + list.
      +
      + Example:
      +     sea    eth0:130.252.100.0/24,206.191.149.0/24
    • +
    • Handling of multi-zone interfaces has been improved. See the documentation for the /etc/shorewall/interfaces - file.
    • + href="Documentation.htm#Interfaces">documentation for the /etc/shorewall/interfaces + file. - +
    - -

    8/28/2001 - The current version of Shorewall is 1.1.12. In this - version

    + +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this + version

    - +
      -
    • Several columns -in the rules file may now contain comma-separated -lists.
    • -
    • Shorewall is now +
    • Several columns + in the rules file may now contain comma-separated + lists.
    • +
    • Shorewall is now more rigorous in parsing the options in /etc/shorewall/interfaces.
    • -
    • Complementation -using "!" is now supported in rules.
    • +
    • Complementation + using "!" is now supported in rules.
    • - +
    - -

    7/28/2001 - The current version of Shorewall is 1.1.11. In this - version

    + +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this + version

    - +
      -
    • A "shorewall refresh" - command has been added to allow for refreshing the - rules associated with the broadcast address on a dynamic - interface. This command should be used in place of "shorewall - restart" when the internet interface's IP address changes.
    • -
    • The /etc/shorewall/start - file (if any) is now processed after all temporary - rules have been deleted. This change prevents the accidental - removal of rules added during the processing of that +
    • A "shorewall refresh" + command has been added to allow for refreshing + the rules associated with the broadcast address on a dynamic + interface. This command should be used in place of "shorewall + restart" when the internet interface's IP address changes.
    • +
    • The /etc/shorewall/start + file (if any) is now processed after all temporary + rules have been deleted. This change prevents the accidental + removal of rules added during the processing of that file.
    • -
    • The "dhcp" interface - option is now applicable to firewall interfaces -used by a DHCP server running on the firewall.
    • -
    • The RPM can now -be built from the .tgz file using "rpm -tb" 
    • +
    • The "dhcp" interface + option is now applicable to firewall interfaces used + by a DHCP server running on the firewall.
    • +
    • The RPM can now + be built from the .tgz file using "rpm -tb" 
    • - +
    - -

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    + +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this +version

    - +
      -
    • Shorewall now enables - Ipv4 Packet Forwarding by default. Packet forwarding - may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. - If you don't want Shorewall to enable or disable -packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf +
    • Shorewall now +enables Ipv4 Packet Forwarding by default. Packet forwarding + may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. + If you don't want Shorewall to enable or disable + packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf file.
    • -
    • The "shorewall -hits" command no longer lists extraneous service - names in its last report.
    • -
    • Erroneous instructions - in the comments at the head of the firewall script +
    • The "shorewall +hits" command no longer lists extraneous service + names in its last report.
    • +
    • Erroneous instructions + in the comments at the head of the firewall script have been corrected.
    • - +
    - -

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    + +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this +version

    - + - -

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    + +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this +version

    - + - +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    - +
      -
    • The TOS rules are - now deleted when the firewall is stopped.
    • -
    • The .rpm will now - install regardless of which version of iptables is - installed.
    • -
    • The .rpm will now - install without iproute2 being installed.
    • -
    • The documentation - has been cleaned up.
    • -
    • The sample configuration - files included in Shorewall have been formatted - to 80 columns for ease of editing on a VGA console.
    • +
    • The TOS rules +are now deleted when the firewall is stopped.
    • +
    • The .rpm will +now install regardless of which version of iptables + is installed.
    • +
    • The .rpm will +now install without iproute2 being installed.
    • +
    • The documentation + has been cleaned up.
    • +
    • The sample configuration + files included in Shorewall have been formatted + to 80 columns for ease of editing on a VGA console.
    • - +
    - -

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    + +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this +version

    - +
      -
    • You may now rate-limit the - packet log.
    • -
    • Previous - versions of Shorewall have an implementation of Static NAT -which violates the principle of least surprise.  NAT -only occurs for packets arriving at (DNAT) or send from -(SNAT) the interface named in the INTERFACE column of /etc/shorewall/nat. -Beginning with version 1.1.6, NAT effective regardless of -which interface packets come from or are destined to. To get -compatibility with prior versions, I have added a new "ALL "ALL INTERFACES"  column to /etc/shorewall/nat. - By placing "no" or "No" in the new column, the NAT behavior - of prior versions may be retained. 
    • -
    • The treatment of - IPSEC Tunnels where the remote - gateway is a standalone system has been improved. Previously, - it was necessary to include an additional rule allowing UDP port - 500 traffic to pass through the tunnel. Shorewall will now create - this rule automatically when you place the name of the remote peer's - zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
    • +
    • You may now rate-limit the +packet log.
    • +
    • Previous + versions of Shorewall have an implementation of Static NAT + which violates the principle of least surprise.  +NAT only occurs for packets arriving at (DNAT) or send +from (SNAT) the interface named in the INTERFACE column of + /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective + regardless of which interface packets come from or are destined +to. To get compatibility with prior versions, I have added + a new "ALL "ALL INTERFACES"  column + to /etc/shorewall/nat. By placing "no" or "No" in +the new column, the NAT behavior of prior versions may be +retained. 
    • +
    • The treatment +of IPSEC Tunnels where the remote + gateway is a standalone system has been improved. Previously, + it was necessary to include an additional rule allowing UDP +port 500 traffic to pass through the tunnel. Shorewall will now + create this rule automatically when you place the name of the +remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
    • - +
    - -

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    + +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this +version

    - + - -

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    + +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this +version

    - +
      -
    • Accepting RELATED connections - is now optional.
    • -
    • Corrected problem - where if "shorewall start" aborted early (due to - kernel configuration errors for example), superfluous 'sed' - error messages were reported.
    • -
    • Corrected rules -generated for port redirection.
    • -
    • The order in which - iptables kernel modules are loaded has been corrected +
    • Accepting RELATED connections + is now optional.
    • +
    • Corrected problem + where if "shorewall start" aborted early (due +to kernel configuration errors for example), superfluous +'sed' error messages were reported.
    • +
    • Corrected rules + generated for port redirection.
    • +
    • The order in which + iptables kernel modules are loaded has been corrected (Thanks to Mark Pavlidis). 
    • - +
    - -

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    + +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this +version

    - +
      -
    • Correct message -issued when Proxy ARP address added (Thanks to Jason - Kirtland).
    • -
    • /tmp/shorewallpolicy-$$ - is now removed if there is an error while starting - the firewall.
    • -
    • /etc/shorewall/icmp.def - and /etc/shorewall/common.def are now used to define - the icmpdef and common chains unless overridden by the - presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
    • -
    • In the .lrp, the - file /var/lib/lrpkg/shorwall.conf has been corrected. - An extra space after "/etc/shorwall/policy" has been - removed and "/etc/shorwall/rules" has been added.
    • -
    • When a sub-shell - encounters a fatal error and has stopped the firewall, - it now kills the main shell so that the main shell will - not continue.
    • -
    • A problem has been - corrected where a sub-shell stopped the firewall - and main shell continued resulting in a perplexing error +
    • Correct message + issued when Proxy ARP address added (Thanks to Jason + Kirtland).
    • +
    • /tmp/shorewallpolicy-$$ + is now removed if there is an error while starting + the firewall.
    • +
    • /etc/shorewall/icmp.def + and /etc/shorewall/common.def are now used to +define the icmpdef and common chains unless overridden +by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
    • +
    • In the .lrp, the + file /var/lib/lrpkg/shorwall.conf has been corrected. + An extra space after "/etc/shorwall/policy" has been + removed and "/etc/shorwall/rules" has been added.
    • +
    • When a sub-shell + encounters a fatal error and has stopped the firewall, + it now kills the main shell so that the main shell will + not continue.
    • +
    • A problem has +been corrected where a sub-shell stopped the firewall + and main shell continued resulting in a perplexing error message referring to "common.so" resulted.
    • -
    • Previously, placing - "-" in the PORT(S) column in /etc/shorewall/rules -resulted in an error message during start. This has been corrected.
    • -
    • The first line -of "install.sh" has been corrected -- I had inadvertently - deleted the initial "#".
    • - - -
    +
  • Previously, placing + "-" in the PORT(S) column in /etc/shorewall/rules + resulted in an error message during start. This has been +corrected.
  • +
  • The first line +of "install.sh" has been corrected -- I had inadvertently + deleted the initial "#".
  • -

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    + - + +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this +version

    + +
      -
    • Port redirection +
    • Port redirection now works again.
    • -
    • The icmpdef and -common chains may now -be user-defined.
    • -
    • The firewall no -longer fails to start if "routefilter" is specified - for an interface that isn't started. A warning message is - now issued in this case.
    • -
    • The LRP Version -is renamed "shorwall" for 8,3 MSDOS file system -compatibility.
    • -
    • A couple of LRP-specific +
    • The icmpdef and + common chains may now + be user-defined.
    • +
    • The firewall no + longer fails to start if "routefilter" is specified + for an interface that isn't started. A warning message +is now issued in this case.
    • +
    • The LRP Version + is renamed "shorwall" for 8,3 MSDOS file system + compatibility.
    • +
    • A couple of LRP-specific problems were corrected.
    • - +
    - +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project -

    +

    - +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - +
      -
    • The common chain - is traversed from INPUT, OUTPUT and FORWARD before - logging occurs
    • -
    • The source has +
    • The common chain + is traversed from INPUT, OUTPUT and FORWARD before + logging occurs
    • +
    • The source has been cleaned up dramatically
    • -
    • DHCP DISCOVER packets - with RFC1918 source addresses no longer generate - log messages. Linux DHCP clients generate such packets and - it's annoying to see them logged. 
    • - - -
    +
  • DHCP DISCOVER +packets with RFC1918 source addresses no longer + generate log messages. Linux DHCP clients generate such + packets and it's annoying to see them logged. 
  • + + +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - +
      -
    • Log messages now +
    • Log messages now indicate the packet disposition.
    • -
    • Error messages +
    • Error messages have been improved.
    • -
    • The ability to -define zones consisting of an enumerated set of hosts +
    • The ability to +define zones consisting of an enumerated set of hosts and/or subnetworks has been added.
    • -
    • The zone-to-zone - chain matrix is now sparse so that only those chains +
    • The zone-to-zone + chain matrix is now sparse so that only those chains that contain meaningful rules are defined.
    • -
    • 240.0.0.0/4 and -169.254.0.0/16 have been added to the source subnetworks -whose packets are dropped under the norfc1918 interface - option.
    • -
    • Exits are now provided - for executing an user-defined script when a - chain is defined, when the firewall is initialized, when - the firewall is started, when the firewall is stopped - and when the firewall is cleared.
    • -
    • The Linux kernel's - route filtering facility can now be specified - selectively on network interfaces.
    • - - -
    +
  • 240.0.0.0/4 and + 169.254.0.0/16 have been added to the source subnetworks + whose packets are dropped under the norfc1918 +interface option.
  • +
  • Exits are now +provided for executing an user-defined script when + a chain is defined, when the firewall is initialized, + when the firewall is started, when the firewall is +stopped and when the firewall is cleared.
  • +
  • The Linux kernel's + route filtering facility can now be specified + selectively on network interfaces.
  • + + +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - +
      -
    • Allows user-defined - zones. Shorewall now has only one pre-defined - zone (fw) with the remaining zones being defined in the new - configuration file /etc/shorewall/zones. The /etc/shorewall/zones - file released in this version provides behavior that - is compatible with Shorewall 1.0.3. 
    • -
    • Adds the ability - to specify logging in entries in the /etc/shorewall/rules - file.
    • -
    • Correct handling - of the icmp-def chain so that only ICMP packets are +
    • Allows user-defined + zones. Shorewall now has only one pre-defined + zone (fw) with the remaining zones being defined in the +new configuration file /etc/shorewall/zones. The +/etc/shorewall/zones file released in this version provides + behavior that is compatible with Shorewall 1.0.3. 
    • +
    • Adds the ability + to specify logging in entries in the /etc/shorewall/rules + file.
    • +
    • Correct handling + of the icmp-def chain so that only ICMP packets are sent through the chain.
    • -
    • Compresses the -output of "shorewall monitor" if awk is installed. - Allows the command to work if awk isn't installed (although - it's not pretty).
    • - - -
    +
  • Compresses the +output of "shorewall monitor" if awk is installed. + Allows the command to work if awk isn't installed (although + it's not pretty).
  • -

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + + + +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.

    - +
      -
    • The PATH variable - in the firewall script now includes /usr/local/bin - and /usr/local/sbin.
    • -
    • DMZ-related chains +
    • The PATH variable + in the firewall script now includes /usr/local/bin + and /usr/local/sbin.
    • +
    • DMZ-related chains are now correctly deleted if the DMZ is deleted.
    • -
    • The interface OPTIONS - for "gw" interfaces are no longer ignored.
    • - - -
    +
  • The interface +OPTIONS for "gw" interfaces are no longer ignored.
  • -

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and - it supports IPSEC tunnels with end-points on the firewall. + + + +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and + it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

    - -

    Updated 3/5/2003 - Tom Eastep -

    + +

    Updated 3/17/2003 - Tom Eastep +

    - +

    Copyright © 2001, 2002 Thomas M. Eastep.
    -

    -
    -
    -
    -
    -
    -
    -
    +

    diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm index d560d4d9d..ddb2bd735 100644 --- a/Shorewall-docs/Shorewall_index_frame.htm +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -2,170 +2,162 @@ - + - + - + - + Shorewall Index - - + - + - - - + + - - - + + + - + + - - + +
    +
    - +

    Shorewall

    -
    - - - - -
    + - + -
    - +
    -
    - Note:
    Search is unavailable -Daily 0200-0330 GMT.
    - - +
    + Note:
    Search is unavailable + Daily 0200-0330 GMT.
    + +

    Quick Search
    -

    -
    - +

    Extended Search

    - +

    Copyright © 2001-2003 Thomas M. Eastep.

    - -

    -
    -

    -
    -
    -
    -
    + size="2">2001-2003 Thomas M. Eastep.

    + diff --git a/Shorewall-docs/Shorewall_sfindex_frame.htm b/Shorewall-docs/Shorewall_sfindex_frame.htm index 0ba7e887a..c3693715a 100644 --- a/Shorewall-docs/Shorewall_sfindex_frame.htm +++ b/Shorewall-docs/Shorewall_sfindex_frame.htm @@ -2,165 +2,166 @@ - + - + - + - + Shorewall Index - - + + + - + - - - + + - - - + + - - - + + + + + + +
    +
    - +

    Shorewall

    -
    +
    - -
    - + +
    -
    - Note:
    Search is unavailable - Daily 0200-0330 GMT.
    - - +
    + Note:
    Search is unavailable + Daily 0200-0330 GMT.
    + +

    Quick Search
    - + +

    -
    - +

    Extended Search

    - + +

    Copyright © 2001-2003 Thomas M. Eastep.

    -
    -
    -
    -
    + size="2">2001-2003 Thomas M. Eastep.
    +

    diff --git a/Shorewall-docs/errata_3.html b/Shorewall-docs/errata_3.html index 9a4083d0e..92b98f31d 100755 --- a/Shorewall-docs/errata_3.html +++ b/Shorewall-docs/errata_3.html @@ -2,62 +2,65 @@ - + Shorewall 1.3 Errata - + - + - + - + - - - + + - + + + + + +
    +
    - +

    Shorewall Errata/Upgrade Issues

    -
    + +

    IMPORTANT

    + +
      +
    1. - - - -

      IMPORTANT

      - -
        -
      1. -

        If you use a Windows system to download - a corrected script, be sure to run the script through - + dos2unix after you have moved - it to your Linux system.

        -
      2. -
      3. - + it to your Linux system.

        +
      4. +
      5. + +

        If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory - with the one you downloaded below, and then run install.sh.

        -
      6. -
      7. - + with the one you downloaded below, and then run install.sh.

        +
      8. +
      9. + +

        If you are running a Shorewall version earlier - than 1.3.11, when the instructions say to install a corrected firewall - script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall + than 1.3.11, when the instructions say to install a corrected +firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall or /var/lib/shorewall/firewall before @@ -67,240 +70,250 @@ your system initialization scripts to start Shorewall during boot. It is that file that must be overwritten with the corrected script. Beginning with Shorewall 1.3.11, you may rename the existing file before copying in the new file.

        -
      10. -
      11. - +
      12. +
      13. +

        DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. - For example, do NOT install the 1.3.9a firewall script if you are running - 1.3.7c.
        -

        -
      14. - + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. + For example, do NOT install the 1.3.9a firewall script if you are running + 1.3.7c.
        +

        + +
      - + - -
      + +

      Problems in Version 1.3

      - +

      Version 1.3.14

      - +
        -
      • There is an updated - rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and +
      • There is an updated + rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
      • -
      • The documentation for the routestopped file claimed that a comma-separated - list could appear in the second column while the code only supported a single - host or network address. This has been corrected in this - firewall script which may be installed in /usr/lib/shorewall as described - above.
      • -
      • Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited. - This has been corrected in this - firewall script (contains a fix for the preceding problem as well) which -may be installed in /usr/lib/shorewall as described above.
        + +
      + +
        +
      • The documentation for the routestopped file claimed that a comma-separated + list could appear in the second column while the code only supported a single + host or network address.
      • +
      • Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.
      • +
      • 802.11b devices with names of the form wlan<n> don't +support the 'maclist' interface option.
      • +
      • Log messages generated by RFC 1918 filtering are not rate limited.
      • +
      • The firewall fails to start in the case where you have "eth0 eth1" +in /etc/shorewall/masq and the default route is through eth1.
      • +
      - + These problems have been corrected in this + firewall script which may be installed in /usr/lib/shorewall as described + above.
      +

      Version 1.3.13

      - +
        -
      • The 'shorewall add' command produces an error message referring - to 'find_interfaces_by_maclist'.
      • -
      • The 'shorewall delete' command can leave behind undeleted rules.
      • -
      • The 'shorewall add' command can fail with "iptables: Index of insertion - too big".
        -
      • - -
      - All three problems are corrected by this - firewall script which may be installed in /usr/lib/shorewall as described - above.
      - -
        -
      • VLAN interface names of the form "ethn.m" (e.g., eth0.1) - are not supported in this version or in 1.3.12. If you need such support, - post on the users list and I can provide you with a patched version.
        -
      • - -
      - -

      Version 1.3.12

      - -
        -
      • If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect -is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem - is corrected by this - firewall script which may be installed in /usr/lib/shorewall as described - above.
      • -
      • VLAN interface names of the form "ethn.m" (e.g., eth0.1) - are not supported in this version or in 1.3.13. If you need such support, - post on the users list and I can provide you with a patched version.
        +
      • The 'shorewall add' command produces an error message referring + to 'find_interfaces_by_maclist'.
      • +
      • The 'shorewall delete' command can leave behind undeleted rules.
      • +
      • The 'shorewall add' command can fail with "iptables: Index of insertion + too big".
      • - +
      - + All three problems are corrected by this + firewall script which may be installed in /usr/lib/shorewall as described + above.
      + +
        +
      • VLAN interface names of the form "ethn.m" (e.g., +eth0.1) are not supported in this version or in 1.3.12. If you need such +support, post on the users list and I can provide you with a patched version.
        +
      • + +
      + +

      Version 1.3.12

      + +
        +
      • If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect + is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem + is corrected by this + firewall script which may be installed in /usr/lib/shorewall as described + above.
      • +
      • VLAN interface names of the form "ethn.m" (e.g., +eth0.1) are not supported in this version or in 1.3.13. If you need such +support, post on the users list and I can provide you with a patched version.
        +
      • + +
      +

      Version 1.3.12 LRP

      - +
        -
      • The .lrp was missing the /etc/shorewall/routestopped file -- -a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this -problem.
        -
      • - +
      • The .lrp was missing the /etc/shorewall/routestopped file +-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects +this problem.
        +
      • +
      - +

      Version 1.3.11a

      - + - +

      Version 1.3.11

      - + - +

      Version 1.3.10

      - + - -

      Version 1.3.9a

      - -
        -
      • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No - then the following message appears during "shorewall [re]start":
      • - + version of the firewall script may help. Please report any cases + where installing this script in /usr/lib/shorewall/firewall solved +your connection problems. Beginning with version 1.3.10, it is safe +to save the old version of /usr/lib/shorewall/firewall before copying +in the new one since /usr/lib/shorewall/firewall is the real script +now and not just a symbolic link to the real script.
        + +
      +

      Version 1.3.9a

      + +
        +
      • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No + then the following message appears during "shorewall [re]start":
      • + +
      +
                recalculate_interfacess: command not found
      - +
      The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - corrects this problem.Copy the script to /usr/lib/shorewall/firewall - as described above.
      -
      - + corrects this problem.Copy the script to /usr/lib/shorewall/firewall + as described above.
      + +
      Alternatively, edit /usr/lob/shorewall/firewall and change the - single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' - to 'recalculate_interface'.
      -
      - + single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' + to 'recalculate_interface'.
      + + - +

      Version 1.3.9

      - TUNNELS Broken in 1.3.9!!! There is an updated firewall - script at TUNNELS Broken in 1.3.9!!!
      There is an updated +firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall as described above.
      -
      - Version 1.3.8 + -- copy that file to /usr/lib/shorewall/firewall as described above.
      +
      + Version 1.3.8
        -
      • Use of shell variables in the LOG LEVEL or SYNPARMS - columns of the policy file doesn't work.
      • -
      • A DNAT rule with the same original and new IP addresses - but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 - tcp 25 - 10.1.1.1")
        -
      • - +
      • Use of shell variables in the LOG LEVEL or SYNPARMS + columns of the policy file doesn't work.
      • +
      • A DNAT rule with the same original and new IP +addresses but with different port numbers doesn't work (e.g., "DNAT +loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")
        +
      • +
      - Installing this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects these - problems. + as described above corrects these + problems.

      Version 1.3.7b

      +

      DNAT rules where the source zone is 'fw' ($FW) result in an error message. Installing this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this -problem.

      + as described above corrects this + problem.

      +

      Version 1.3.7a

      +

      "shorewall refresh" is not creating the proper rule for FORWARDPING=Yes. Consequently, after "shorewall refresh", the firewall will not forward @@ -308,371 +321,385 @@ problem.

      this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this -problem.

      + as described above corrects this + problem.

      +

      Version <= 1.3.7a

      +

      If "norfc1918" and "dhcp" are both specified as options on a given interface then RFC 1918 checking is occurring before DHCP checking. This means that if a DHCP client broadcasts using an RFC 1918 source address, then the firewall will reject the broadcast (usually logging it). This - has two problems:

      + has two problems:

      +
        -
      1. If the firewall -is running a DHCP server, the client - won't be able to obtain an IP address - lease from that server.
      2. -
      3. With this order -of checking, the "dhcp" option +
      4. If the firewall + is running a DHCP server, the +client won't be able to obtain an IP address + lease from that server.
      5. +
      6. With this order + of checking, the "dhcp" option cannot be used as a noise-reduction measure where there are both dynamic and static clients on a LAN segment.
      7. - +
      - +

      This version of the 1.3.7a firewall script - corrects the problem. It must be installed - in /var/lib/shorewall as described - above.

      + corrects the problem. It must be +installed in /var/lib/shorewall as +described above.

      +

      Version 1.3.7

      +

      Version 1.3.7 dead on arrival -- please use version 1.3.7a and check your version against these md5sums -- if there's a difference, please download again.

      +
      	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
      6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
      3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
      - +

      In other words, type "md5sum <whatever package you downloaded> - and compare the result with what you see above.

      - + and compare the result with what you see above.

      +

      I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the - .7 version in each sequence from now on.

      - + .7 version in each sequence from now on.

      +

      Version 1.3.6

      - +
        -
      • +
      • - +

        If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, - an error occurs when the firewall script attempts to -add an SNAT alias.

        -
      • -
      • + an error occurs when the firewall script attempts to + add an SNAT alias.

        +
      • +
      • - +

        The logunclean and dropunclean options cause errors during startup when Shorewall is run with iptables - 1.2.7.

        -
      • - + 1.2.7.

        + +
      - +

      These problems are fixed in this correct firewall script which must be installed in /var/lib/shorewall/ as described above. These problems are also corrected in version 1.3.7.

      - +

      Two-interface Samples 1.3.6 (file two-interfaces.tgz)

      - +

      A line was inadvertently deleted from the "interfaces file" -- this line should be added back in if the version that you - downloaded is missing it:

      - + downloaded is missing it:

      +

      net    eth0    detect    routefilter,dhcp,norfc1918

      - +

      If you downloaded two-interfaces-a.tgz then the above line should already be in the file.

      - +

      Version 1.3.5-1.3.5b

      - +

      The new 'proxyarp' interface option doesn't work :-( This is fixed in this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.

      - +

      Versions 1.3.4-1.3.5a

      - +

      Prior to version 1.3.4, host file entries such as the following were allowed:

      - -
      + +
      	adm	eth0:1.2.4.5,eth0:5.6.7.8
      -
      - -
      +
      + +

      That capability was lost in version 1.3.4 so that it is only - possible to  include a single host specification on each line. - This problem is corrected by this - modified 1.3.5a firewall script. Install the script in + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.

      -
      - -
      +
      + +

      This problem is corrected in version 1.3.5b.

      -
      - +
      +

      Version 1.3.5

      - +

      REDIRECT rules are broken in this version. Install this corrected firewall script in /var/lib/pub/shorewall/firewall - as instructed above. This problem is corrected in version - 1.3.5a.

      - + as instructed above. This problem is corrected in version + 1.3.5a.

      +

      Version 1.3.n, n < 4

      - +

      The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined in the /etc/shorewall/zones file. The "shorewall check" command does perform this verification so it's a good idea to run that command after you have made configuration - changes.

      - + changes.

      +

      Version 1.3.n, n < 3

      - +

      If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No chains/target/match - by that name" then you probably have an entry in /etc/shorewall/hosts - that specifies an interface that you didn't include + by that name" then you probably have an entry in /etc/shorewall/hosts + that specifies an interface that you didn't include in /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 -and later versions produce a clearer error message in this -case.

      - + and later versions produce a clearer error message in +this case.

      +

      Version 1.3.2

      - +

      Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.

      - +
        -
      • The code to detect a duplicate interface - entry in /etc/shorewall/interfaces contained a typo that -prevented it from working correctly.
      • -
      • "NAT_BEFORE_RULES=No" was broken; it -behaved just like "NAT_BEFORE_RULES=Yes".
      • - +
      • The code to detect a duplicate interface + entry in /etc/shorewall/interfaces contained a typo that + prevented it from working correctly.
      • +
      • "NAT_BEFORE_RULES=No" was broken; +it behaved just like "NAT_BEFORE_RULES=Yes".
      • +
      - +

      Both problems are corrected in this script which should be installed in /var/lib/shorewall - as described above.

      - -
        -
      • + as described above.

        - +
          +
        • + +

          The IANA have just announced the allocation of subnet - 221.0.0.0/8. This updated rfc1918 file reflects that allocation.

          -
        • - + +
        - +

        Version 1.3.1

        - +
          -
        • TCP SYN packets may be double counted - when LIMIT:BURST is included in a CONTINUE or ACCEPT policy - (i.e., each packet is sent through the limit chain twice).
        • -
        • An unnecessary jump to the policy chain - is sometimes generated for a CONTINUE policy.
        • -
        • When an option is given for more than - one interface in /etc/shorewall/interfaces then depending - on the option, Shorewall may ignore all but the first - appearence of the option. For example:
          -
          - net    eth0    dhcp
          - loc    eth1    dhcp
          -
          - Shorewall will ignore the 'dhcp' on eth1.
        • -
        • Update 17 June 2002 - The bug described - in the prior bullet affects the following options: +
        • TCP SYN packets may be double counted + when LIMIT:BURST is included in a CONTINUE or ACCEPT policy + (i.e., each packet is sent through the limit chain twice).
        • +
        • An unnecessary jump to the policy +chain is sometimes generated for a CONTINUE policy.
        • +
        • When an option is given for more than + one interface in /etc/shorewall/interfaces then depending + on the option, Shorewall may ignore all but the first + appearence of the option. For example:
          +
          + net    eth0    dhcp
          + loc    eth1    dhcp
          +
          + Shorewall will ignore the 'dhcp' on eth1.
        • +
        • Update 17 June 2002 - The bug described + in the prior bullet affects the following options: dhcp, dropunclean, logunclean, norfc1918, routefilter, multi, filterping and noping. An additional bug has been found that affects only the 'routestopped' option.
          -
          - Users who downloaded the corrected script - prior to 1850 GMT today should download and install -the corrected script again to ensure that this second -problem is corrected.
        • - +
          + Users who downloaded the corrected script + prior to 1850 GMT today should download and install + the corrected script again to ensure that this second + problem is corrected. +
        - +

        These problems are corrected in this firewall script which should be installed in /etc/shorewall/firewall - as described above.

        - + as described above.

        +

        Version 1.3.0

        - + - -
        + +

        Upgrade Issues

        - +

        The upgrade issues have moved to a separate page.

        - -
        + +

        Problem with - iptables version 1.2.3

        - + iptables version 1.2.3
        +
        - +

        There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat - released this buggy iptables in RedHat 7.2. 

        + prevent it from working with Shorewall. Regrettably, RedHat + released this buggy iptables in RedHat 7.2. 

        - +

        I have built a - corrected 1.2.3 rpm which you can download here  and I have - also built an   and I have + also built an iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs - before you upgrade to RedHat 7.2.

        - - -

        Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can -download from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works - fine.

        - - -

        If you would like to patch iptables 1.2.3 yourself, - the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification - while this patch - corrects a problem in handling the  TOS target.

        + running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.

        +

        Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can + download from http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM on my firewall and it works + fine.

        + + +

        If you would like to patch iptables 1.2.3 yourself, + the patches are available for download. This patch + which corrects a problem with parsing of the --log-level specification + while this patch + corrects a problem in handling the  TOS target.

        + +

        To install one of the above patches:

        - +
          -
        • cd iptables-1.2.3/extensions
        • -
        • patch -p0 < the-patch-file
        • +
        • cd iptables-1.2.3/extensions
        • +
        • patch -p0 < the-patch-file
        • + + +
        +
        -
      - - -

      Problems with kernels >= 2.4.18 and RedHat iptables

      - -
      - -

      Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 - may experience the following:

      - - -
      -
      # shorewall start
      Processing /etc/shorewall/shorewall.conf ...
      Processing /etc/shorewall/params ...
      Starting Shorewall...
      Loading Modules...
      Initializing...
      Determining Zones...
      Zones: net
      Validating interfaces file...
      Validating hosts file...
      Determining Hosts in Zones...
      Net Zone: eth0:0.0.0.0/0
      iptables: libiptc/libip4tc.c:380: do_check: Assertion
      `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
      Aborted (core dumped)
      iptables: libiptc/libip4tc.c:380: do_check: Assertion
      `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
      Aborted (core dumped)
      -
      +
      + +

      Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + may experience the following:

      - + +
      + +
      # shorewall start
      Processing /etc/shorewall/shorewall.conf ...
      Processing /etc/shorewall/params ...
      Starting Shorewall...
      Loading Modules...
      Initializing...
      Determining Zones...
      Zones: net
      Validating interfaces file...
      Validating hosts file...
      Determining Hosts in Zones...
      Net Zone: eth0:0.0.0.0/0
      iptables: libiptc/libip4tc.c:380: do_check: Assertion
      `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
      Aborted (core dumped)
      iptables: libiptc/libip4tc.c:380: do_check: Assertion
      `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
      Aborted (core dumped)
      +
      + +

      The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by - installing - this iptables RPM. If you are already running a 1.2.5 version - of iptables, you will need to specify the --oldpackage option to - rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

      -
      + this iptables RPM. If you are already running a 1.2.5 version + of iptables, you will need to specify the --oldpackage option +to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

      +
      - +

      Problems installing/upgrading - RPM on SuSE

      + RPM on SuSE +

      If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" option to rpm.

      +

      Installing: rpm -ivh --nodeps <shorewall rpm>

      +

      Upgrading: rpm -Uvh --nodeps <shorewall rpm>

      +

      Problems with iptables version 1.2.7 and MULTIPORT=Yes

      +

      The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:

      + - +

      Problems with RH Kernel 2.4.18-10 and NAT
      -

      - /etc/shorewall/nat entries of the following form will result - in Shorewall being unable to start:
      -
      - + + /etc/shorewall/nat entries of the following form will result + in Shorewall being unable to start:
      +
      +
      #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
      192.0.2.22    eth0    192.168.9.22   yes     yes
      #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - Error message is:
      - + Error message is:
      +
      Setting up NAT...
      iptables: Invalid argument
      Terminated

      - The solution is to put "no" in the LOCAL column. Kernel support - for LOCAL=yes has never worked properly and 2.4.18-10 has disabled -it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton - option; see http://www.shorewall.net/Documentation.htm#NAT
      - -

      Last updated 2/18/2003 - - Tom Eastep

      - + The solution is to put "no" in the LOCAL column. Kernel +support for LOCAL=yes has never worked properly and 2.4.18-10 has +disabled it. The 2.4.19 kernel contains corrected support under a new +kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
      + +

      Last updated 3/8/2003 - +Tom Eastep

      +

      Copyright © 2001, 2002, 2003 Thomas M. Eastep.
      -

      +

      +
      +



      diff --git a/Shorewall-docs/images/Thumbs.db b/Shorewall-docs/images/Thumbs.db index 4d064dedc..b25eb9fe7 100644 Binary files a/Shorewall-docs/images/Thumbs.db and b/Shorewall-docs/images/Thumbs.db differ diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index b36a5f046..7f3b37a5e 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -6,7 +6,8 @@ - + + Shoreline Firewall (Shorewall) 1.4 @@ -15,25 +16,24 @@ - - + + - + - + - + - - - - + - - - + + +
      + @@ -43,14 +43,28 @@ +

      Shorwall Logo - Shorewall 1.4 - "iptables - made easy"

      + (Shorewall Logo) + + + +
      +

      Shorewall 1.4 "iptables made easy" 

      +
      + + +

      +

      @@ -61,43 +75,42 @@ - - + + +
      Shorewall 1.3 Site is here                   +           
      -
      +
      +
      - -
      - -
      - + +
      + +
      + - + - + - + - - + - - - + + +
      + @@ -108,7 +121,7 @@ - +

      What is it?

      @@ -121,11 +134,12 @@ - -

      The Shoreline Firewall, more commonly known as "Shorewall", is a - Netfilter (iptables) based firewall - that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.

      + + +

      The Shoreline Firewall, more commonly known as "Shorewall", is +a Netfilter (iptables) based +firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

      @@ -137,29 +151,30 @@ - -

      This program is free software; you can redistribute it and/or modify - it under the terms - of Version - 2 of the GNU General Public License as published by the Free Software - Foundation.
      -
      + +

      This program is free software; you can redistribute it and/or modify + it under the +terms of Version + 2 of the GNU General Public License as published by the Free +Software Foundation.
      - This program is distributed - in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details.
      +
      -
      + This program is distributed + in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR +A PARTICULAR PURPOSE. See the GNU General Public License + for more details.
      - You should have received - a copy of the GNU General Public License - along with this program; if not, write to - the Free Software Foundation, Inc., 675 Mass - Ave, Cambridge, MA 02139, USA

      +
      + + You should have received + a copy of the GNU General Public License + along with this program; if not, write +to the Free Software Foundation, Inc., 675 + Mass Ave, Cambridge, MA 02139, USA

      @@ -171,7 +186,8 @@ - + +

      Copyright 2001, 2002, 2003 Thomas M. Eastep

      @@ -184,253 +200,338 @@ - + +

      - Jacques Nilo and - Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution called - Bering that features Shorewall-1.3.14 - and Kernel-2.4.20. You can find their work at: - http://leaf.sourceforge.net/devel/jnilo
      -

      - -

      Congratulations to Jacques and Eric on the recent release of Bering -1.1!!!
      + Jacques Nilo + and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution + called Bering that features + Shorewall-1.3.14 and Kernel-2.4.20. You can find + their work at: http://leaf.sourceforge.net/devel/jnilo
      +

      + + + + + + +

      Congratulations to Jacques and Eric on the recent release of +Bering 1.1!!!

      - - - - - - - - - - -

      This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

      - - - - - - - - - - - - - - - -

      News

      - - - - - - - - - - - - -

      - - - - - - - - - -

      3/14/2003 - Shorewall 1.4.0 (New) -

      - -

      - Shorewall 1.4 represents the next step in the evolution of Shorewall. - The main thrust of the initial release is simply to remove the cruft that - has accumulated in Shorewall over time.
      -  
      - IMPORTANT: Shorewall 1.4.0 requires the iproute package - ('ip' utility).
      -
      - Function from 1.3 that has been omitted from this version include:
      - +

      This is a mirror of the main Shorewall web site at SourceForge +(http://shorewall.sf.net)

      + +

      News

      + +

      3/17/2003 - Shorewall 1.4.0 (New) +

      + Shorewall 1.4 represents + the next step in the evolution of Shorewall. The main thrust of the + initial release is simply to remove the cruft that has accumulated in + Shorewall over time.
      +
      + IMPORTANT: Shorewall 1.4.0 requires the iproute package + ('ip' utility).
      +
      + Function from 1.3 that has been omitted from this version + include:
      + +
        -
      1. The MERGE_HOSTS variable in shorewall.conf is -no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
        -
        -
      2. -
      3. Interface names of the form <device>:<integer> - in /etc/shorewall/interfaces now generate an error.
        -
        -
      4. -
      5. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
        -
        -
      6. -
      7. The 'routestopped' option in the /etc/shorewall/interfaces - and /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified.
        -
        -
      8. -
      9. The Shorewall 1.2 syntax for DNAT and REDIRECT rules -is no longer accepted.
        -
        -
      10. -
      11. The ALLOWRELATED variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
        -
        -
      12. -
      13. The icmp.def file has been removed.
        +
      14. The MERGE_HOSTS variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
        +
        +
      15. +
      16. Interface names of the form <device>:<integer> + in /etc/shorewall/interfaces now generate an error.
        +
        +
      17. +
      18. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. + OLD_PING_HANDLING=Yes will generate an error at startup as will specification + of the 'noping' or 'filterping' interface options.
        +
        +
      19. +
      20. The 'routestopped' option in the /etc/shorewall/interfaces + and /etc/shorewall/hosts files is no longer supported and will generate + an error at startup if specified.
        +
        +
      21. +
      22. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no + longer accepted.
        +
        +
      23. +
      24. The ALLOWRELATED variable in shorewall.conf is no longer +supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
        +
        +
      25. +
      26. The icmp.def file has been removed.
        +
      27. + +
      + Changes for 1.4 include:
      + + +
        +
      1. The /etc/shorewall/shorewall.conf file has been completely + reorganized into logical sections.
        +
        +
      2. +
      3. LOG is now a valid action for a rule (/etc/shorewall/rules).
        +
        +
      4. +
      5. The firewall script, common functions file and version file + are now installed in /usr/share/shorewall.
        +
        +
      6. +
      7. Late arriving DNS replies are now silently dropped in the + common chain by default.
        +
        +
      8. +
      9. In addition to behaving like OLD_PING_HANDLING=No, Shorewall + 1.4 no longer unconditionally accepts outbound ICMP packets. So if +you want to 'ping' from the firewall, you will need the appropriate rule +or policy.
        +
        +
      10. +
      11. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
        +
        +
      12. +
      13. 802.11b devices with names of the form wlan<n> + now support the 'maclist' option.
        +
        +
      14. +
      15. Explicit Congestion Notification (ECN - RFC 3168) + may now be turned off on a host or network basis using the new /etc/shorewall/ecn + file. To use this facility:
        +
        + a) You must be running kernel 2.4.20
        + b) You must have applied the patch in
        + http://www.shorewall/net/pub/shorewall/ecn/patch.
        + c) You must have iptables 1.2.7a installed.

      16. -
      17. The 'multi' interface option is no longer supported. -  Shorewall will generate rules for sending packets back out the same interface - that they arrived on in two cases:
      18. - -
      - -
        -
      • There is an explicit policy for the source zone to - or from the destination zone. An explicit policy names both zones and does - not use the 'all' reserved word.
      • -
      • There are one or more rules for traffic for the source zone - to or from the destination zone including rules that use the 'all' reserved - word. Exception: if the source zone and destination zone are the same then - the rule must be explicit - it must name the zone in both the SOURCE and - DESTINATION columns.
        -
      • - -
      - -
        - -
      - Changes for 1.4 include:
      - -
        -
      1. The /etc/shorewall/shorewall.conf file has been completely - reorganized into logical sections.
        -
        -
      2. -
      3. LOG is now a valid action for a rule (/etc/shorewall/rules).
        -
        -
      4. -
      5. The firewall script and version file are now installed - in /usr/share/shorewall.
        -
        -
      6. -
      7. Late arriving DNS replies are now silently dropped in -the common chain by default.
        -
        -
      8. -
      9. In addition to behaving like OLD_PING_HANDLING=No, Shorewall - 1.4 no longer unconditionally accepts outbound ICMP packets. So if you -want to 'ping' from the firewall, you will need the appropriate rule or -policy.
        +
      10. The /etc/shorewall/params file is now processed first so that + variables may be used in the /etc/shorewall/shorewall.conf file.

      11. -
      12. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
        +
      13. Shorewall now gives a more helpful diagnostic when + the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' + command is issued.

      14. -
      15. 802.11b devices with names of the form wlan<n> -now support the 'maclist' option.
        +
      16. The SHARED_DIR variable has been removed from shorewall.conf. + This variable was for use by package maintainers and was not documented +for general use.

      17. -
      18. Explicit Congestion Notification (ECN - RFC 3168) may -now be turned off on a host or network basis using the new /etc/shorewall/ecn -file. To use this facility:
        -
        -    a) You must be running kernel 2.4.20
        -    b) You must have applied the patch in
        -    http://www.shorewall/net/pub/shorewall/ecn/patch.
        -    c) You must have iptables 1.2.7a installed.
        -
        -
      19. -
      20. The /etc/shorewall/params file is now processed first so that -variables may be used in the /etc/shorewall/shorewall.conf file.
        -
      21. - +
      22. Shorewall now ignores 'default' routes when detecting masq'd + networks.
        +
      23. +
      + +

      3/11/2003 - Shoreall 1.3.14a (New) +

      + +

      A roleup of the following bug fixes and other updates:

      - -
        - - - - - - +
      • There is an updated rfc1918 file that reflects the resent + allocation of 222.0.0.0/8 and 223.0.0.0/8.
      • +
      • The documentation for the routestopped file claimed that a +comma-separated list could appear in the second column while the code +only supported a single host or network address.
      • +
      • Log messages produced by 'logunclean' and 'dropunclean' were + not rate-limited. 802.11b devices with names of the form wlan<n> + don't support the 'maclist' interface option.
      • +
      • Log messages generated by RFC 1918 filtering are not rate +limited.
      • +
      • The firewall fails to start in the case +where you have "eth0 eth1" in /etc/shorewall/masq and the default route +is through eth1.
      • +
      + +

      2/8/2003 - Shorewall 1.3.14

      + + +

      New features include

      + + +
        +
      1. An OLD_PING_HANDLING option has been added +to shorewall.conf. When set to Yes, Shorewall ping handling is +as it has always been (see http://www.shorewall.net/ping.html).
        +
        + When OLD_PING_HANDLING=No, icmp echo (ping) is handled + via rules and policies just like any other connection request. +The FORWARDPING=Yes option in shorewall.conf and the 'noping' and +'filterping' options in /etc/shorewall/interfaces will all generate +an error.
        +
        +
      2. +
      3. It is now possible to direct Shorewall to create + a "label" such as "eth0:0" for IP addresses that it creates under + ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying + the label instead of just the interface name:
        +
        + a) In the INTERFACE column of /etc/shorewall/masq
        + b) In the INTERFACE column of /etc/shorewall/nat
        +
      4. +
      5. Support for OpenVPN Tunnels.
        +
        +
      6. +
      7. Support for VLAN devices with names of the +form $DEV.$VID (e.g., eth0.0)
        +
        +
      8. +
      9. In /etc/shorewall/tcrules, the MARK value may +be optionally followed by ":" and either 'F' or 'P' to designate that +the marking will occur in the FORWARD or PREROUTING chains respectively. +If this additional specification is omitted, the chain used to mark packets + will be determined by the setting of the MARK_IN_FORWARD_CHAIN option + in shorewall.conf.
        +
        +
      10. +
      11. When an interface name is entered in the SUBNET + column of the /etc/shorewall/masq file, Shorewall previously masqueraded + traffic from only the first subnet defined on that interface. It + did not masquerade traffic from:
        +
        + a) The subnets associated with other addresses +on the interface.
        + b) Subnets accessed through local routers.
        +
        + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
        +
        + Example 1 -- This is how it works in 1.3.14.
        +
        + +
           [root@gateway test]# cat /etc/shorewall/masq
        #INTERFACE SUBNET ADDRESS
        eth0 eth2 206.124.146.176
        #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
        - -

        More News

        + +
           [root@gateway test]# ip route show dev eth2
        192.168.1.0/24 scope link
        192.168.10.0/24 proto kernel scope link src 192.168.10.254
        + +
           [root@gateway test]# shorewall start
        ...
        Masqueraded Subnets and Hosts:
        To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
        To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
        Processing /etc/shorewall/tos...
        +
        + When upgrading to Shorewall 1.3.14, if you have multiple + local subnets connected to an interface that is specified in the + SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq + file will need changing. In most cases, you will simply be able to remove + redundant entries. In some cases though, you might want to change from + using the interface name to listing specific subnetworks if the change + described above will cause masquerading to occur on subnetworks that you + don't wish to masquerade.
        +
        + Example 2 -- Suppose that your current config is as + follows:
        +
        + +
           [root@gateway test]# cat /etc/shorewall/masq
        #INTERFACE SUBNET ADDRESS
        eth0 eth2 206.124.146.176
        eth0 192.168.10.0/24 206.124.146.176
        #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
        + +
           [root@gateway test]# ip route show dev eth2
        192.168.1.0/24 scope link
        192.168.10.0/24 proto kernel scope link src 192.168.10.254
        [root@gateway test]#
        +
        + In this case, the second entry in /etc/shorewall/masq + is no longer required.
        +
        + Example 3 -- What if your current configuration is +like this?
        +
        - + + +
           [root@gateway test]# cat /etc/shorewall/masq
        #INTERFACE SUBNET ADDRESS
        eth0 eth2 206.124.146.176
        #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
        + + + + +
           [root@gateway test]# ip route show dev eth2
        192.168.1.0/24 scope link
        192.168.10.0/24 proto kernel scope link src 192.168.10.254
        [root@gateway test]#
        +
        + In this case, you would want to change the entry + in /etc/shorewall/masq to:
        + + + + +
           #INTERFACE              SUBNET                  ADDRESS
        eth0 192.168.1.0/24 206.124.146.176
        #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
        +
      12. + + +
      +
      + + +

      2/5/2003 - Shorewall Support included in Webmin 1.060 +

      + Webmin version 1.060 now has Shorewall support included + as standard. See http://www.webmin.com. + + +

      More News

      +

      Donations

      -
      M
      -
      +
      -
      + - + - + - + - + - + - - - + + +
      +
@@ -440,12 +541,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.
      - +

      -  

      +

      @@ -457,33 +558,32 @@ variables may be used in the /etc/shorewall/shorewall.conf file.
      - -

      Shorewall is free but -if you try it and find it useful, please consider making a donation - to Starlight Children's -Foundation. Thanks!

      + +

      Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight +Children's Foundation. Thanks!

      -
      - -

      Updated 3/5/2003 - Tom Eastep - -
      -

      -
      + +

      Updated 3/17/2003 - Tom Eastep + +
      +

      diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm
index 7ae0e70a6..06c5478f9 100644
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@@ -2,313 +2,320 @@ - + - + - + - + Shorewall QuickStart Guide - + - + - - - + + - - - - -
      +
      - -

      Shorewall QuickStart Guides - (HOWTO's)
      - Version 4.0

      -
      - -

      With thanks to Richard who reminded me once again that we -must all first walk before we can run.
      - The French Translations are courtesy of Patrice Vetsel
      -

      - -

      The Guides

      - -

      These guides provide step-by-step instructions for configuring Shorewall - in common firewall setups.

      - -

      The following guides are for users who have a single public IP address:

      - - - -

      The above guides are designed to get your first firewall up and running - quickly in the three most common Shorewall configurations.

      - -

      The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple - public IP addresses involved or if you want to learn more about -Shorewall than is explained in the single-address guides above.

      - - - -

      Documentation Index

      - -

      The following documentation covers a variety of topics and supplements - the QuickStart Guides - described above. Please review the appropriate guide before trying - to use this documentation directly.

      - -
        -
      • Aliased (virtual) Interfaces -(e.g., eth0:0)
        -
      • -
      • Blacklisting - - -
          -
        • Static Blacklisting using /etc/shorewall/blacklist
        • -
        • Dynamic Blacklisting using /sbin/shorewall
        • - - -
        -
      • -
      • Common - configuration file features - - -
      • -
      • Configuration File - Reference Manual - - -
      • -
      • DHCP
      • -
      • Extension Scripts -(How to extend Shorewall without modifying Shorewall code)
      • -
      • Fallback/Uninstall
      • -
      • Firewall - Structure
      • -
      • Kernel - Configuration
      • -
      • Logging
        -
      • -
      • MAC Verification
        -
      • -
      • My Shorewall Configuration - (How I personally use Shorewall)
        -
      • -
      • 'Ping' Management
        -
      • -
      • Port Information + +

        Shorewall QuickStart Guides + (HOWTO's)
        + Version 4.0

        + + + + + +

        With thanks to Richard who reminded me once again that +we must all first walk before we can run.
        + The French Translations are courtesy of Patrice Vetsel
        +

        + +

        The Guides

        + +

        These guides provide step-by-step instructions for configuring Shorewall + in common firewall setups.

        + +

        The following guides are for users who have a single public IP address:

        + + + +

        The above guides are designed to get your first firewall up and running + quickly in the three most common Shorewall configurations.

        + +

        The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple + public IP addresses involved or if you want to learn more about + Shorewall than is explained in the single-address guides above.

        + + + +

        Documentation Index

        + +

        The following documentation covers a variety of topics and supplements + the QuickStart Guides + described above. Please review the appropriate guide before +trying to use this documentation directly.

        + + - +

        If you use one of these guides and have a suggestion for improvement please let me know.

        - -

        Last modified 3/5/2003 - Tom Eastep

        - -

        Copyright 2002, 2003 Thomas M. + +

        Last modified 3/12/2003 - Tom Eastep

        + +

        Copyright 2002, 2003 Thomas M. Eastep
        -

        +

        +
        diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm
index 26c4ea96b..cf7699c5a 100644
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@@ -7,34 +7,33 @@ - + - Shoreline Firewall (Shorewall) 1.4 + Shoreline Firewall (Shorewall) 1.3 - - + - + - + - + - - + + - - - + + + +
        +
@@ -44,15 +43,15 @@ - +

        Shorwall Logo - Shorewall 1.4 - "iptables - made easy"Shorewall 1.4 - "iptables made easy"

        @@ -64,35 +63,37 @@ - + + -
        - -
        - -
        - + +
        + +
        + - + - + - + - + - + - - - + + + +
        +
@@ -103,7 +104,8 @@ - + +

        What is it?

        @@ -117,12 +119,12 @@ - -

        The Shoreline Firewall, more commonly known as  "Shorewall", is - a Netfilter (iptables) - based firewall that can be used on a dedicated firewall system, - a multi-function gateway/router/server or on a standalone -GNU/Linux system.

        + +

        The Shoreline Firewall, more commonly known as  "Shorewall", is + a Netfilter (iptables) + based firewall that can be used on a dedicated firewall system, + a multi-function gateway/router/server or on a standalone + GNU/Linux system.

        @@ -135,29 +137,29 @@ GNU/Linux system.

        - -

        This program is free software; you can redistribute it and/or modify - it under the -terms of Version - 2 of the GNU General Public License as published by the Free -Software Foundation.
        + +

        This program is free software; you can redistribute it and/or modify + it under the +terms of Version + 2 of the GNU General Public License as published by the Free Software + Foundation.
        -
        +
        - This program is distributed - in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR -A PARTICULAR PURPOSE. See the GNU General Public License - for more details.
        + This program is distributed + in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR +A PARTICULAR PURPOSE. See the GNU General Public License + for more details.
        -
        +
        - You should have received - a copy of the GNU General Public License - along with this program; if not, write -to the Free Software Foundation, Inc., 675 - Mass Ave, Cambridge, MA 02139, USA

        + You should have received + a copy of the GNU General Public License + along with this program; if not, write +to the Free Software Foundation, Inc., 675 + Mass Ave, Cambridge, MA 02139, USA

        @@ -170,7 +172,7 @@ to the Free Software Foundation, Inc., 675 - +

        Copyright 2001, 2002, 2003 Thomas M. Eastep

        @@ -184,25 +186,26 @@ to the Free Software Foundation, Inc., 675 - +

        - Jacques Nilo - and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution - called Bering that features - Shorewall-1.3.14 and Kernel-2.4.20. You can find - their work at: Jacques +Nilo and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution + called Bering that features + Shorewall-1.3.14 and Kernel-2.4.20. You can find + their work at: http://leaf.sourceforge.net/devel/jnilo

        - - + Congratulations + to Jacques and Eric on the recent release of Bering + 1.1!!!
        +
        - Congratulations to Jacques and -Eric on the recent release of Bering 1.1!!!
        - + +

        News

        @@ -218,128 +221,267 @@ Eric on the recent release of Bering 1.1!!!
        - -

        3/14/2003 - Shorewall 1.4.0 3/17/2003 - Shorewall 1.4.0  (New) -

        - Shorewall 1.4 represents -the next step in the evolution of Shorewall. The main thrust of the initial - release is simply to remove the cruft that has accumulated in Shorewall -over time.
        -
        - IMPORTANT: Shorewall 1.4.0 requires the iproute package - ('ip' utility).
        -
        - Function from 1.3 that has been omitted from this version include:
        - +  

        + Shorewall 1.4 represents + the next step in the evolution of Shorewall. The main thrust of the +initial release is simply to remove the cruft that has accumulated in +Shorewall over time.
        +
        + IMPORTANT: Shorewall 1.4.0 requires the iproute package + ('ip' utility).
        +
        + Function from 1.3 that has been omitted from this version +include:
        + +
          -
        1. The MERGE_HOSTS variable in shorewall.conf is -no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
          -
          -
        2. -
        3. Interface names of the form <device>:<integer> - in /etc/shorewall/interfaces now generate an error.
          -
          -
        4. -
        5. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
          -
          -
        6. -
        7. The 'routestopped' option in the /etc/shorewall/interfaces - and /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified.
          -
          -
        8. -
        9. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is - no longer accepted.
          -
          -
        10. -
        11. The ALLOWRELATED variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
          -
          -
        12. -
        13. The icmp.def file has been removed.
          -
          -
        14. -
        15. The 'multi' interface option is no longer supported. -  Shorewall will generate rules for sending packets back out the same interface - that they arrived on in two cases:
        16. - +
        17. The MERGE_HOSTS variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
          +
          +
        18. +
        19. Interface names of the form <device>:<integer> + in /etc/shorewall/interfaces now generate an error.
          +
          +
        20. +
        21. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. + OLD_PING_HANDLING=Yes will generate an error at startup as will specification + of the 'noping' or 'filterping' interface options.
          +
          +
        22. +
        23. The 'routestopped' option in the /etc/shorewall/interfaces + and /etc/shorewall/hosts files is no longer supported and will generate + an error at startup if specified.
          +
          +
        24. +
        25. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no +longer accepted.
          +
          +
        26. +
        27. The ALLOWRELATED variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
          +
          +
        28. +
        29. The icmp.def file has been removed.
          +
        - -
          -
        • There is an explicit policy for the source zone to -or from the destination zone. An explicit policy names both zones and does - not use the 'all' reserved word.
        • -
        • There are one or more rules for traffic for the source zone - to or from the destination zone including rules that use the 'all' reserved - word. Exception: if the source zone and destination zone are the same then - the rule must be explicit - it must name the zone in both the SOURCE and - DESTINATION columns.
        • - -
        - -
          - -
        - Changes for 1.4 include:
        - + Changes for 1.4 include:
        + +
          -
        1. The /etc/shorewall/shorewall.conf file has been completely - reorganized into logical sections.
          -
          -
        2. -
        3. LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).
          -
          -
        4. -
        5. The firewall script and version file are now installed -in /usr/share/shorewall.
          -
          -
        6. -
        7. Late arriving DNS replies are now silently dropped in -the common chain by default.
          -
          -
        8. -
        9. In addition to behaving like OLD_PING_HANDLING=No, Shorewall - 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want - to 'ping' from the firewall, you will need the appropriate rule or policy.
          -
          -
        10. -
        11. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
          -
          -
        12. +
        13. The /etc/shorewall/shorewall.conf file has been completely + reorganized into logical sections.
          +
          +
        14. +
        15. LOG is now a valid action for a rule (/etc/shorewall/rules).
          +
          +
        16. +
        17. The firewall script, common functions file and version file + are now installed in /usr/share/shorewall.
          +
          +
        18. +
        19. Late arriving DNS replies are now silently dropped in the +common chain by default.
          +
          +
        20. +
        21. In addition to behaving like OLD_PING_HANDLING=No, Shorewall + 1.4 no longer unconditionally accepts outbound ICMP packets. So if you + want to 'ping' from the firewall, you will need the appropriate rule or + policy.
          +
          +
        22. +
        23. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
          +
          +
        24. 802.11b devices with names of the form wlan<n> -now support the 'maclist' option.
          -
          -
        25. -
        26. Explicit Congestion Notification (ECN - RFC 3168) may -now be turned off on a host or network basis using the new /etc/shorewall/ecn -file. To use this facility:
          -
          -    a) You must be running kernel 2.4.20
          -    b) You must have applied the patch in
          -    http://www.shorewall/net/pub/shorewall/ecn/patch.
          -    c) You must have iptables 1.2.7a installed.
          -
          -
        27. -
        28. The /etc/shorewall/params file is now processed first so that -variables may be used in the /etc/shorewall/shorewall.conf file.
        29. - + now support the 'maclist' option.
          +
          + +
        30. Explicit Congestion Notification (ECN - RFC 3168) + may now be turned off on a host or network basis using the new /etc/shorewall/ecn + file. To use this facility:
          +
          +    a) You must be running kernel 2.4.20
          +    b) You must have applied the patch in
          +    http://www.shorewall/net/pub/shorewall/ecn/patch.
          +    c) You must have iptables 1.2.7a installed.
          +
          +
        31. +
        32. The /etc/shorewall/params file is now processed first so that + variables may be used in the /etc/shorewall/shorewall.conf file.
          +
          +
        33. +
        34. Shorewall now gives a more helpful diagnostic when + the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' + command is issued.
          +
          +
        35. +
        36. The SHARED_DIR variable has been removed from shorewall.conf. + This variable was for use by package maintainers and was not documented +for general use.
          +
          +
        37. +
        38. Shorewall now ignores 'default' routes when detecting masq'd + networks.
          +
        - - -

        - - - - - - - - + +

        3/11/2003 - Shoreall 1.3.14a (New) +  

        + +

        A roleup of the following bug fixes and other updates:

        + +
          +
        • There is an updated rfc1918 file that reflects the resent +allocation of 222.0.0.0/8 and 223.0.0.0/8. 
        • +
        • The documentation for the routestopped file claimed that a comma-separated + list could appear in the second column while the code only supported a + single host or network address. 
        • +
        • Log messages produced by 'logunclean' and 'dropunclean' were + not rate-limited. 
        • +
        • 802.11b devices with names of the form wlan<n> +don't support the 'maclist' interface option. 
        • +
        • Log messages generated by RFC 1918 filtering are not rate limited. 
        • +
        • The firewall fails to start in the case where you have "eth0 + eth1" in /etc/shorewall/masq and the default route is through eth1 +
        • + +
        +

        2/8/2003 - Shorewall 1.3.14

        + + +

        New features include

        + + +
          +
        1. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been + (see http://www.shorewall.net/ping.html).
          +
          + When OLD_PING_HANDLING=No, icmp echo (ping) is handled +via rules and policies just like any other connection request. The +FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping' +options in /etc/shorewall/interfaces will all generate an error.
          +
          +
        2. +
        3. It is now possible to direct Shorewall to create + a "label" such as  "eth0:0" for IP addresses that it creates under + ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying + the label instead of just the interface name:
          +  
          +    a) In the INTERFACE column of /etc/shorewall/masq
          +    b) In the INTERFACE column of /etc/shorewall/nat
          +  
        4. +
        5. Support for OpenVPN Tunnels.
          +
          +
        6. +
        7. Support for VLAN devices with names of the form +$DEV.$VID (e.g., eth0.0)
          +
          +
        8. +
        9. In /etc/shorewall/tcrules, the MARK value may be +optionally followed by ":" and either 'F' or 'P' to designate that the +marking will occur in the FORWARD or PREROUTING chains respectively. +If this additional specification is omitted, the chain used to mark packets +will be determined by the setting of the MARK_IN_FORWARD_CHAIN option +in shorewall.conf.
          +
          +
        10. +
        11. When an interface name is entered in the SUBNET +column of the /etc/shorewall/masq file, Shorewall previously masqueraded + traffic from only the first subnet defined on that interface. It +did not masquerade traffic from:
          +  
          +    a) The subnets associated with other addresses on the + interface.
          +    b) Subnets accessed through local routers.
          +  
          + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
          +  
          + Example 1 -- This is how it works in 1.3.14.
          +   
          + + + +
             [root@gateway test]# cat /etc/shorewall/masq
          #INTERFACE              SUBNET                  ADDRESS
          eth0                    eth2                    206.124.146.176
          #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
          + + + +
             [root@gateway test]# ip route show dev eth2
          192.168.1.0/24  scope link
          192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
          + + + +
             [root@gateway test]# shorewall start
          ...
          Masqueraded Subnets and Hosts:
          To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
          To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
          Processing /etc/shorewall/tos...
          +  
          + When upgrading to Shorewall 1.3.14, if you have multiple + local subnets connected to an interface that is specified in the +SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq +file will need changing. In most cases, you will simply be able to remove +redundant entries. In some cases though, you might want to change from +using the interface name to listing specific subnetworks if the change described +above will cause masquerading to occur on subnetworks that you don't wish +to masquerade.
          +  
          + Example 2 -- Suppose that your current config is as follows:
          +   
          + + + +
             [root@gateway test]# cat /etc/shorewall/masq
          #INTERFACE              SUBNET                  ADDRESS
          eth0                    eth2                    206.124.146.176
          eth0                    192.168.10.0/24         206.124.146.176
          #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
          + + + +
             [root@gateway test]# ip route show dev eth2
          192.168.1.0/24  scope link
          192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
          [root@gateway test]#
          +  
          +    In this case, the second entry in /etc/shorewall/masq + is no longer required.
          +  
          + Example 3 -- What if your current configuration is like + this?
          +  
          + + + +
             [root@gateway test]# cat /etc/shorewall/masq
          #INTERFACE              SUBNET                  ADDRESS
          eth0                    eth2                    206.124.146.176
          #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
          + + + +
             [root@gateway test]# ip route show dev eth2
          192.168.1.0/24  scope link
          192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
          [root@gateway test]#
          +  
          +    In this case, you would want to change the entry in  + /etc/shorewall/masq to:
          + + + +
             #INTERFACE              SUBNET                  ADDRESS
          eth0                    192.168.1.0/24          206.124.146.176
          #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
          +
        12. + + +
        + + +

        2/5/2003 - Shorewall Support included in Webmin 1.060 +

        + Webmin version 1.060 now has Shorewall support included +as standard. See http://www.webmin.com + + + + + + + + + + +
          @@ -348,7 +490,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - + +
        @@ -357,8 +500,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - - + +

        More News

        @@ -372,7 +515,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - +

        @@ -380,18 +523,18 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - +

        SourceForge Logo -

        + - +

        @@ -399,7 +542,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - +

        This site is hosted by the generous folks at SourceForge.net

        @@ -408,44 +551,45 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - +

        Donations

        -

        -
        -
        +
        -
        + - + - + - + - + +

        Shorewall is free but +if you try it and find it useful, please consider making a donation + to Starlight Children's +Foundation. Thanks!

        - + + + - - - + + +
        +
@@ -455,12 +599,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - +

        -

        +

        @@ -472,32 +616,33 @@ variables may be used in the /etc/shorewall/shorewall.conf file. - -

        Shorewall is free -but if you try it and find it useful, please consider making a donation - to Starlight -Children's Foundation. Thanks!

        -
        - -

        Updated 3/5/2003 - Tom Eastep - -
        + +

        Updated 3/17/2003 - Tom Eastep + +


        diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm
index 0e024958b..0f85ded95 100644
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@@ -3,406 +3,337 @@ - + - + - - - - - - - - Shorewall Support Guide - - - - - - + - - - + + - + + + - - + +
        +
        - + +

        Shorewall Support Guide -

        -
        - -

        While I don't answer Shorewall  questions - emailed directly to me, I try to spend some time each day answering questions - on the Shorewall Users Mailing List and on the Support Forum.

        - -

        -Tom Eastep

        - -

        Before Reporting a Problem

        - "Well at least you tried to read the documentation, which is a lot - more than some people on this list appear to do."
        -
        - -
        - Wietse Venema - On the Postfix mailing list
        -
        -
        - There are a number of sources - for problem solution information. Please try these before you -post. -

        - -

        - + +

        Before Reporting a Problem or Asking a Question
        +

        + There are a number +of sources of Shorewall information. Please try these before you post. + + - -

        - - - -

        - -
          -
        • The Errata has links to download updated - components.
        • - -
        - -

        - -
          -
        • The Mailing -List Archives search facility can locate posts about similar - problems:
        • - -
        - -

        - -

        Mailing List Archive Search

        - -
        + a number of tips to help you solve common problems. +
      • - -

        Match: - - - Format: +

      • The Errata has links to download updated + components.
      • - - - Sort by: - - - -
        - Search: -

        - - -

        Problem Reporting Guidelines

        - "Let me see if I can translate your message into a -real-world example. It would be like saying that you have three -rooms at home, and when you walk into one of the rooms, you detect -this strange smell. Can anyone tell you what that strange smell is?
        -
        - Now, all of us could do some wonderful guessing as to -the smell and even what's causing it. You would be absolutely amazed - at the range and variety of smells we could come up with. Even more - amazing is that all of the explanations for the smells would be completely - plausible."
        -

        - -
        - Russell Mosemann on the Postfix mailing list
        -
        -
        - - -

        - -
          -
        • Please remember we only know what is posted in your message. - Do not leave out any information that appears to be correct, or was - mentioned in a previous post. There have been countless posts by people - who were sure that some part of their configuration was correct when - it actually contained a small error. We tend to be skeptics where detail - is lacking.
          -
          -
        • -
        • Please keep in mind that you're asking for free - technical support. Any help we offer is an act of generosity, not -an obligation. Try to make it easy for us to help you. Follow good, -courteous practices in writing and formatting your e-mail. Provide -details that we need if you expect good answers. Exact quoting -of error messages, log entries, command output, and other output is better -than a paraphrase or summary.
          -
          -
        • -
        • Please don't describe - your environment and then ask us to send you custom - configuration files. We're here to answer your questions but - we can't do your job for you.
          -
          -
        • -
        • When reporting a problem, ALWAYS include - this information:
        • - +
        • The Site and Mailing + List Archives search facility can locate documents and posts + about similar problems:
        • +
        - + + +

        Site and Mailing List Archive Search

        + +
        +
        Match: + + + Format: + + Sort by: + + Include Mailing + List Archives: + +
        + Search:
        +
        +
        + +

        Problem Reporting Guidelines
        +

        + +
          - +
        • Please remember we only know what is posted +in your message. Do not leave out any information that appears to +be correct, or was mentioned in a previous post. There have been +countless posts by people who were sure that some part of their + configuration was correct when it actually contained a small error. + We tend to be skeptics where detail is lacking.
          +
          +
        • +
        • Please keep in mind that you're asking for + free technical support. Any help we offer +is an act of generosity, not an obligation. Try to make it easy +for us to help you. Follow good, courteous practices in writing +and formatting your e-mail. Provide details that we need if you expect +good answers. Exact quoting of error messages, log entries, + command output, and other output is better than a paraphrase or summary.
          +
          +
        • +
        • Please don't + describe your environment and then ask us to send you + custom configuration files. We're here to answer your +questions but we can't do your job for you.
          +
          +
        • +
        • When reporting a problem, ALWAYS + include this information:
        • + +
        + +
          + +
            -
          • the exact version of Shorewall you are running.
            -
            - shorewall version
            -

            -
          • - +
          • the exact version of Shorewall you are running.
            +
            + shorewall version
            +

            +
          • + +
          - + +
            -
          • the exact kernel version you are running
            -
            - uname -a
            -
            -
          • - +
          • the exact kernel version you are running
            +
            + uname -a
            +
            +
          • + +
          - + +
            -
          • the complete, exact output of
            -
            - ip addr show
            -
            -
          • - +
          • the complete, exact output of
            +
            + ip addr show
            +
            +
          • + +
          - + +
            -
          • the complete, exact output of
            -
            - ip route show
            -
            -
          • - +
          • the complete, exact output of
            +
            + ip route show
            +
            +
          • + +
          - + +
            -
          • If your kernel is modularized, the exact output from
            -
            - lsmod
            -
            -
          • -
          • the exact wording of any If your kernel is modularized, the exact +output from
            +
            + lsmod
            +
            +
          • +
          • the exact wording of any ping failure responses
            -
            -
          • -
          • If you installed Shorewall using one of the QuickStart Guides, - please indicate which one.
            -
            -
          • -
          • If you are running Shorewall under Mandrake using the Mandrake - installation of Shorewall, please say so.
            -
            -
          • - +
            + +
          • If you installed Shorewall using one of the QuickStart + Guides, please indicate which one.
            +
            +
          • +
          • If you are running Shorewall under Mandrake using + the Mandrake installation of Shorewall, please say so.
            +
            +
          • + +
          - +
        - +
          -
        • NEVER include the output of "NEVER include the output of "iptables -L". Instead, if you are having connection problems of - any kind then:
          -
          - 1. /sbin/shorewall/reset
          -
          - 2. Try the connection that is failing.
          -
          - 3. /sbin/shorewall status > /tmp/status.txt
          -
          - 4. Post the /tmp/status.txt file as an attachment.
          -
          -
        • -
        • As a general matter, please do not edit the diagnostic - information in an attempt to conceal your IP address, netmask, - nameserver addresses, domain name, etc. These aren't secrets, and concealing - them often misleads us (and 80% of the time, a hacker could derive -them anyway from information contained in the SMTP headers of your post).
        • - + any kind then:

          +
          + 1. /sbin/shorewall/reset
          +
          + 2. Try the connection that is failing.
          +
          + 3. /sbin/shorewall status > /tmp/status.txt
          +
          + 4. Post the /tmp/status.txt file as an attachment.
          +
          + +
        • As a general + matter, please do not edit the diagnostic information + in an attempt to conceal your IP address, netmask, nameserver addresses, + domain name, etc. These aren't secrets, and concealing them often + misleads us (and 80% of the time, a hacker could derive them anyway + from information contained in the SMTP headers of your post).
          +
          +
        • +
        • Do you see any "Shorewall" messages ("/sbin/shorewall show log") when + you exercise the function that is giving you problems? If so, include + the message(s) in your post along with a copy of your /etc/shorewall/interfaces + file.
          +
          +
        • +
        • Please include any of the Shorewall configuration files + (especially the /etc/shorewall/hosts file if you have + modified that file) that you think are relevant. If you + include /etc/shorewall/rules, please include /etc/shorewall/policy + as well (rules are meaningless unless one also knows the policies).
          +
          +
        • +
        • If an error occurs when you try to "shorewall start", include a + trace (See the Troubleshooting + section for instructions).
          +
          +
        • +
        • The list server limits posts to 120kb so don't post GIFs + of your network layout, etc. to the Mailing +List -- your post will be rejected.
        • +
        - -
          - -
        - -

        - -
          - -
        - -

        - -
          -
        • Do you see -any "Shorewall" messages ("/sbin/shorewall -show log") when you exercise the function that -is giving you problems? If so, include the message(s) in your post -along with a copy of your /etc/shorewall/interfaces file.
          -
          -
        • -
        • Please include any of the Shorewall configuration files - (especially the /etc/shorewall/hosts file if you have -modified that file) that you think are relevant. If you -include /etc/shorewall/rules, please include /etc/shorewall/policy -as well (rules are meaningless unless one also knows the policies). -
        • - -
        - -

        - -
          - -
        - -

        - -
          -
        • If an error occurs - when you try to "shorewall start", - include a trace (See the Troubleshooting - section for instructions).
        • - -
        - -

        - -
          -
        • - -

          The list server limits posts to 120kb so don't post GIFs of - your network layout, etc. to the Mailing List -- your - post will be rejected.

          -
        • - -
        - The author gratefully acknowleges that the above list was heavily - plagiarized from the excellent LEAF document by Ray Olszewski - found at http://leaf-project.org/pub/doc/docmanager/docid_1891.html.
        - -

        Please post in plain text

        - -
        - A growing number of MTAs serving list subscribers are rejecting - all HTML traffic. At least one MTA has gone so far as to blacklist -shorewall.net "for continuous abuse" because it has been my policy to -allow HTML in list posts!!
        -
        - I think that blocking all HTML is a Draconian way to control - spam and that the ultimate losers here are not the spammers but the - list subscribers whose MTAs are bouncing all shorewall.net mail. As - one list subscriber wrote to me privately "These e-mail admin's need -to get a (expletive deleted) life instead of trying to rid the planet -of HTML based e-mail". Nevertheless, to allow subscribers to receive list -posts as must as possible, I have now configured the list server at shorewall.net -to strip all HTML from outgoing posts.
        - -

        Where to Send your Problem Report or to Ask for Help

        -
        - + + + +The author gratefully acknowleges that the above list was heavily +plagiarized from the excellent LEAF document by Ray Olszewski + found at http://leaf-project.org/pub/doc/docmanager/docid_1891.html.
        +
        + +

        When using the mailing list, please post in plain text

        + +
        + A growing number of MTAs serving list subscribers are rejecting + all HTML traffic. At least one MTA has gone so far as to blacklist + shorewall.net "for continuous abuse" because it has been my policy + to allow HTML in list posts!!
        +
        + I think that blocking all HTML is a Draconian + way to control spam and that the ultimate losers here are not +the spammers but the list subscribers whose MTAs are bouncing +all shorewall.net mail. As one list subscriber wrote to me privately + "These e-mail admin's need to get a (expletive deleted) life + instead of trying to rid the planet of HTML based e-mail". Nevertheless, + to allow subscribers to receive list posts as must as possible, I have + now configured the list server at shorewall.net to strip all HTML +from outgoing posts.
        +
        + + +

        Where to Send your Problem Report or to Ask for Help

        + + +
        +

        If you run Shorewall under Bering -- please post your question or problem - to the LEAF Users - mailing list.

        - If you run Shorewall under MandrakeSoft Multi Network - Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft - then you can post non MNF-specific Shorewall questions to the Shorewall users mailing - list or to the Shorewall Support -Forum. Do not expect to get free MNF support on the list or forum.
        + to the LEAF + Users mailing list. + If you run Shorewall under MandrakeSoft Multi + Network Firewall (MNF) and you have not purchased an MNF license + from MandrakeSoft then you can post non MNF-specific Shorewall questions + to the Shorewall + users mailing list. Do not expect to get free MNF support +on the list or forum.
        - +

        Otherwise, please post your question or problem to the Shorewall users mailing - list or to the Shorewall Support -Forum.

        -
        + list.

        + +

        To Subscribe to the mailing list go to http://lists.shorewall.net/mailman/listinfo/shorewall-users - .

        + .
        +

        + +

        For information on other Shorewall mailing lists, go to http://lists.shorewall.net/mailing_list.htm
        +

        - -

        Last Updated 3/4/2003 - Tom Eastep

        + +

        Last Updated 3/14/2003 - Tom Eastep

        - +

        Copyright © 2001, 2002, 2003 Thomas M. Eastep.

        -
        +

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index f9a7c15f7..64be1589b 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -60,3 +60,7 @@ Changes since 1.3.14
 27. Remove stale comments in the params file.
 28. Silently drop INVALID state packets
+
+29. Ignore the 'default' route when detecting masq'd networks.
+
+30. REALLY process the params file first now (honest).
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 9558bb7bc..40cac8cd8 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 65ddb9003..deb3dec18 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 122c28d62..b6e048be7 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -77,6 +77,18 @@ Changes for 1.4 include:
 10) The /etc/shorewall/params file is now processed first so that variables may be used in the /etc/shorewall/shorewall.conf file.
+11) Packets with state INVALID are now silently dropped.
+
+12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
+ compatibility kernel module is loaded and a 'shorewall start'
+ command is issued.
+
+13) The SHARED_DIR variable has been removed from shorewall.conf. This
+ variable was for use by package maintainers and was not documented
+ for general use.
+
+14) Shorewall now ignores 'default' routes when detecting masq'd
+ networks.
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 7095e33a0..ea1f9c4ed 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.0
-%define release 0RC2
+%define release 1
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Mon Mar 17 2003 Tom Eastep
+- Changed version to 1.4.0-1
 * Fri Mar 07 2003 Tom Eastep
 - Changed version to 1.4.0-0RC2
 * Wed Mar 05 2003 Tom Eastep
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 4b3569c23..b544cfd98 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.0-RC2
+VERSION=1.4.0
 usage() # $1 = exit status
 {