diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 0be0ccc5a..bcdda6917 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt 
@@ -1,101 +1,5 @@ -Changes since 1.4.6 +Changes since 1.4.7 -1) Added Smart Blacklisting. +1) Applied patch from Tuomo Soini that fixes syntax error occuring with + some versions of 'ash'. -2) Move determine_capabilities call to do_initialize to ensure that - MANGLE_ENABLED is set before it is tested. - -3) Fixed MAC address handling in the SOURCE column of tcrules. - -4) Merged and corrected Steve Herber's command-specific help patch. - -5) Removed some undocumented/braindead code from setup_masq() - -6) Don't allow 'stop' when startup is disabled - -7) Added ADMINISABSENTMINDED option. - -8) Fixed adding addresses to ppp interfaces. - -9) Added generic tunnel support. - -10) Added support for Address Range Lists in /etc/shorewall/masq. - -11) Simplify ip_broadcast() - -12) Add 'arp_filter' interface option. - -13) Added accounting file support - -14) Fixed bug where an interface name alone appears in the DESTINATION - column of the accounting file. - -15) Add ACTION column to accounting file. - -16) Add CHAIN declarations to accounting file. - -17) Replace calls to chain_exists with calls to havechain in - accounting code. - -18) Allow degenerate DONE and COUNT rules. - -19) Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor". - -20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist. - -21) Rate-limited rules added. - -22) Make burst optional in rate limited rules and policies. - -23) Allow display of multiple chains in one "shorewall show" command. - -24) Add "RATE LIMIT" column for those who prefer their config files to - be wide but normalized. - -25) Redesign the accounting facility to make it simpler and more - flexible. - -26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve - conflict between that facility and rate-limited logging rules. - -27) Add User Set capability. - -28) Deimplement Smart Blacklisting and fix problem with multiple - 'drop'/'reject' commands for the same address. 
- -29) Update for 1.4.7 Beta 1. - -30) Fix ADD_SNAT_ALIASES interaction with ip ranges used for - load-balancing. - -31) Fix IPV6 address confusion. - -32) Add "o.gz" to the list of module extensions. - -33) Replace existing route to PROXY ARP host rather than adding another - one. - -34) Update of rfc1918 file. - -35) Correct rules file comment. - -36) Extend USER SET column in /etc/shorewall/rules to allow user:group. - -37) Reword error message to avoid the word 'illegal'. - -38) Avoid shell error when there is no policy corresponding to a rule. - -39) Fatal error if /etc/shorewall/common or /etc/shoreall/common.def do - not exist. - -40) Process blacklist before DHCP. - -41) Fix 'logunclean' log message disposition. - -42) Update rfc1918. - -43) Remove Conflict specification from shorewall.rpm to appease the - SuSE crowd. - -44) Removed a fly-speck at the beginning of the 'masq' file. diff --git a/STABLE/firewall b/STABLE/firewall index e6b432736..8aa168c8d 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -960,7 +960,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi local chain=$2 local disposition=$3 local rulenum= - local limit=${4:-$LOGLIMIT} + local limit="${4:-$LOGLIMIT}" shift;shift;shift;shift diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 39e3be0b8..e1ab0173d 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt 
@@ -2,343 +2,19 @@ This is a minor release of Shorewall. Problems Corrected since version 1.4.6: -1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was - being tested before it was set. +1) Tuomo Soini has supplied a correction to a problem that occurs using + some versions of 'ash'. The symptom is that "shorewall start" fails + with: -2) Corrected handling of MAC addresses in the SOURCE column of the - tcrules file. Previously, these addresses resulted in an invalid - iptables command. - -3) The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured - Shorewall. - -4) A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were - being added to a PPP interface; the addresses were successfully - added in spite of the messages. - - The firewall script has been modified to eliminate the error - messages. - -5) Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain"). - -6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again. - -7) The 'shorewall reject' and 'shorewall drop' commands now delete any - existing rules for the subject IP address before adding a new DROP - or REJECT rule. Previously, there could be many rules for the same - IP address in the dynamic chain so that multiple 'allow' commands - were required to re-enable traffic to/from the address. 
- -8) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in - /etc/shorewall/masq resulted in a startup error: - - eth0 eth1 206.124.146.20-206.124.146.24 - -9) Shorewall previously choked over IPV6 addresses configured on - interfaces in contexts where Shorewall needed to detect something - about the interface (such as when "detect" appears in the BROADCAST - column of the /etc/shorewall/interfaces file). - -10) Shorewall will now load module files that are formed from the - module name by appending ".o.gz". - -11) When Shorewall adds a route to a proxy ARP host and such a route - already exists, two routes resulted previously. This has been - corrected so that the existing route is replaced if it already - exists. - -12) The rfc1918 file has been updated to reflect recent allocations. - -13) The documentation of the USERSETS column in the rules file has been - corrected. - -14) If there is no policy defined for the zones specified in a rule, - the firewall script previously encountered a shell syntax error: - - [: NONE: unexpected operator - - Now, the absence of a policy generates an error message and the - firewall is stopped: - - No policy defined from zone to zone - -15) Previously, if neither /etc/shorewall/common nor - /etc/shorewall/common.def existed, Shorewall would fail to start - and would not remove the lock file. Failure to remove the lock file - resulted in the following during subsequent attempts to start: - - Loading /usr/share/shorewall/functions... - Processing /etc/shorewall/params ... - Processing /etc/shorewall/shorewall.conf... - Giving up on lock file /var/lib/shorewall/lock - Shorewall Not Started - - Shorewall now reports a fatal error if neither of these two files - exist and correctly removes the lock file. - -16) The order of processing the various options has been changed such - that blacklist entries now take precedence over the 'dhcp' - interface setting. 
- -17) The log message generated from the 'logunclean' interface option - has been changed to reflect a disposition of LOG rather than DROP. - -18) When a user name and/or a group name was specified in the USER SET - column and the destination zone was qualified with a IP address, - the user and/or group name was not being used to qualify the rule. - - Example: - - ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir: - -19) The /etc/shorewall/masq file has had the spurious "/" character at - the front removed. + local: --limit: bad variable name + iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: + cannot open shared object file: No such file or directory + Try `iptables -h' or 'iptables --help' for more information. Migration Issues: -1) IP Traffic Accounting is changed from Snapshot 20030813. - -2) The Uset Set capability introduced in SnapShot 20030821 has - changed -- see the User Set page for details. - -3) The per-interface dynamic blacklisting facility from previous 1.4.6 - Snapshots has been removed. The implications of the facility for - users with dial-up internet connections were too complicated to - document adaquately. My apologies for unleashing this half-baked - idea on the user base. +None. New Features: -1) The 2.6 series of Linux kernels will not support the 'unclean' - match extension except in Patch-O-Matic. In keeping with the - Shorewall policy of not supporting netfilter extensions that are - only available in Patch-O-Matic, the 'dropunclean' and - 'logunclean' interface options will be removed in a future - release. In the 1.4.7 release, they are flagged with a warning. - -2) Thanks to Steve Herber, the help command can now give - command-specific help. - -3) A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of - "No" for existing Shorewall users who are upgrading to this release. 
- With this setting, Shorewall's 'stopped' state continues as it has - been; namely, in the stopped state only traffic to/from hosts listed - in /etc/shorewall/routestopped is accepted. - - The default for new users installing Shorewall for the first time is - ADMINISABSENTMINDED=Yes.With that setting, in addition to traffic - to/from the hosts listed in /etc/shorewall/routestopped, Shorewall - will allow: - - a) All traffic originating from the firewall itself; and - b) All traffic that is part of or related to an already-existing - connection. - - In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session. - - Note though that it is still possible for people to shoot themselves - in the foot. - - Example: - - /etc/shorewall/nat: - - 206.124.146.178 eth0:0 192.168.1.5 - - /etc/shorewall/rules: - - ACCEPT net loc:192.168.1.5 tcp 22 - ACCEPT loc fw tcp 22 - - I ssh into 206.124.146.178 which establishes an SSH connection with - 192.168.1.5. I then create a second SSH connection from that - computer to the firewall and confidently type "shorewall - stop". As part of stopping, Shorewall removes eth0:0 which kills my - SSH connection to 192.168.1.5!!! - -4) Given the wide range of VPN software, I can never hope to add - specific support for all of it. I have therefore decided to add - "generic" tunnel support. - - Generic tunnels work pretty much like any of the other tunnel - types. You usually add a zone to represent the systems at the other - end of the tunnel and you add the appropriate rules/policies to - implement your security policy regarding traffic to/from those - systems. - - In the /etc/shorewall/tunnels file, you can have entries of the - form: - - # TYPE ZONE GATEWAY GATEWAY ZONE - generic:[:] - - where: - - is the protocol used by the tunnel - if the protocol is 'udp' or 'tcp' then this - is the destination port number used by the - tunnel. 
- is the zone of the remote tunnel gateway - is the IP address of the remote tunnel - gateway. - Optional. A comma-separated list of zone names. - If specified, the remote gateway is to be - considered part of these zones. - -5) An 'arp_filter' option has been added to the - /etc/shorewall/interfaces file. This option causes - /proc/sys/net/ipv4/conf//arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests - from hosts that are routed out of that interface. Setting this - option facilitates testing of your firewall where multiple firewall - interfaces are connected to the same HUB/Switch (all interfaces - connected to the single HUB/Switch should have this option - specified). Note that using such a configuration in a production - environment is strongly recommended against. - -6) The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter - will use all listed addresses/ranges in round-robin fashion. - -7) An /etc/shorewall/accounting file has been added to allow for - traffic accounting.. - - The accounting rules are placed in a chain called "accounting" and - can thus be displayed using "shorewall show accounting". - - The file has the following columns: - - ACTION - What to do when a match is found. Possible - values are: - - COUNT - Simply count the match and continue - trying to match the packet with the - following accounting rules. - - DONE - Count the match and don't attempt to - match any following accounting rules. - - - The name of a chain to jump to. - Shorewall will create the chain - automatically. If the name of the - chain is followed by ":COUNT" then - a COUNT rule matching this rule - will automatically be added to - - - CHAIN - The name of the chain where the accounting - rule is to be added. If empty or "-" then - the "accounting" chain is assumed. 
- - SOURCE - Packet Source - - The name of an interface, an address (host or - net) or an interface name followed by ":" - and a host or net address. - - DESTINATION - Packet Destination - - Format the same as the SOURCE column. - - PROTOCOL A protocol name (from /etc/protocols), a - protocol number. - - DEST PORT Destination Port number - - Service name from /etc/services or port - number. May only be specified if the protocol - is TCP or UDP (6 or 17). - - SOURCE PORT Source Port number - - Service name from /etc/services or port - number. May only be specified if the protocol - is TCP or UDP (6 or 17). - - In all columns except ACTION and CHAIN, the values "-","any" and - "all" are treated as wild-cards. - - The accounting rules are evaluated in the Netfilter 'filter' - table. This is the same environment where the 'rules' file rules are - evaluated and in this environment, DNAT has already occurred in - inbound packets and SNAT has not yet occurred on outbound ones. - - The accounting rules are placed in a chain called "accounting" and - can thus be displayed using "shorewall show accounting". - - See http://shorewall.net/Accounting.html for examples. - -8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist. - -9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and - REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the - corresponding ACCEPT rule in the filter table is not rate - limited. If you want to limit the filter table rule, you will need - to create two rules; a DNAT- rule and an ACCEPT rule which can be - rate-limited separately. - - To specify a rate limit, you can follow one of two approaches: - - a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with - - < /[:] > - - where - - is the sustained rate per - is "sec" or "min" - is the largest burst accepted within an - . If not given, the default of 5 is - assumed. 
- - There may be no white space between the ACTION and "<" nor there - may be any white space within the burst specification. If you want - to specify logging of a rate-limited rule, the ":" and log level - comes after the ">" (e.g., ACCEPT<2/sec:4>:info ). - - b) There is a new RATE LIMIT column at the far right of the - file (beyond column 80). You may place the rate limit there in - the format: - - /[:] - - where , and are as above. - - You may not place a rate limit in both the ACTION and RATE LIMIT - columns. - - Let's take an example: - - ACCEPT<2/sec:4> net dmz tcp 80 - - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be - accepted. After this, it will be 500ms (1 second divided by the rate - of 2) before a packet will be accepted from this rule, regardless of - how many packets reach it. Also, every 500ms which passes without - matching a packet, one of the bursts will be regained; if no packets - hit the rule for 2 second, the burst will be fully recharged; - back where we started. - - Warning: When rate limiting is specified on a rule with "all" in the - SOURCE or DEST fields, the limit will apply to each pair of - zones individually rather than as a single limit for all pairs of - zones covered by the rule. - -10) Multiple chains may now be displayed in one "shorewall show" - command (e.g., shorewall show INPUT FORWARD OUTPUT). - -11) Output rules (those with $FW as the SOURCE) may now be limited to - a set of local users and/or groups. See - http://shorewall.net/UserSets.html for details. - -12) The RPM has been modified so that it no longer conflicts with - SuSE's bizarre kernel RPMs. +None. diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 0be0ccc5a..bcdda6917 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,101 +1,5 @@ -Changes since 1.4.6 +Changes since 1.4.7 -1) Added Smart Blacklisting. +1) Applied patch from Tuomo Soini that fixes syntax error occuring with + some versions of 'ash'. -2) Move determine_capabilities call to do_initialize to ensure that - MANGLE_ENABLED is set before it is tested. - -3) Fixed MAC address handling in the SOURCE column of tcrules. - -4) Merged and corrected Steve Herber's command-specific help patch. - -5) Removed some undocumented/braindead code from setup_masq() - -6) Don't allow 'stop' when startup is disabled - -7) Added ADMINISABSENTMINDED option. - -8) Fixed adding addresses to ppp interfaces. - -9) Added generic tunnel support. - -10) Added support for Address Range Lists in /etc/shorewall/masq. - -11) Simplify ip_broadcast() - -12) Add 'arp_filter' interface option. - -13) Added accounting file support - -14) Fixed bug where an interface name alone appears in the DESTINATION - column of the accounting file. - -15) Add ACTION column to accounting file. - -16) Add CHAIN declarations to accounting file. - -17) Replace calls to chain_exists with calls to havechain in - accounting code. - -18) Allow degenerate DONE and COUNT rules. - -19) Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor". - -20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist. - -21) Rate-limited rules added. - -22) Make burst optional in rate limited rules and policies. - -23) Allow display of multiple chains in one "shorewall show" command. - -24) Add "RATE LIMIT" column for those who prefer their config files to - be wide but normalized. - -25) Redesign the accounting facility to make it simpler and more - flexible. - -26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve - conflict between that facility and rate-limited logging rules. - -27) Add User Set capability. - -28) Deimplement Smart Blacklisting and fix problem with multiple - 'drop'/'reject' commands for the same address. 
- -29) Update for 1.4.7 Beta 1. - -30) Fix ADD_SNAT_ALIASES interaction with ip ranges used for - load-balancing. - -31) Fix IPV6 address confusion. - -32) Add "o.gz" to the list of module extensions. - -33) Replace existing route to PROXY ARP host rather than adding another - one. - -34) Update of rfc1918 file. - -35) Correct rules file comment. - -36) Extend USER SET column in /etc/shorewall/rules to allow user:group. - -37) Reword error message to avoid the word 'illegal'. - -38) Avoid shell error when there is no policy corresponding to a rule. - -39) Fatal error if /etc/shorewall/common or /etc/shoreall/common.def do - not exist. - -40) Process blacklist before DHCP. - -41) Fix 'logunclean' log message disposition. - -42) Update rfc1918. - -43) Remove Conflict specification from shorewall.rpm to appease the - SuSE crowd. - -44) Removed a fly-speck at the beginning of the 'masq' file. diff --git a/Shorewall/firewall b/Shorewall/firewall index e6b432736..8aa168c8d 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -960,7 +960,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi local chain=$2 local disposition=$3 local rulenum= - local limit=${4:-$LOGLIMIT} + local limit="${4:-$LOGLIMIT}" shift;shift;shift;shift diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 39e3be0b8..e1ab0173d 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -2,343 +2,19 @@ This is a minor release of Shorewall. Problems Corrected since version 1.4.6: -1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was - being tested before it was set. +1) Tuomo Soini has supplied a correction to a problem that occurs using + some versions of 'ash'. The symptom is that "shorewall start" fails + with: -2) Corrected handling of MAC addresses in the SOURCE column of the - tcrules file. Previously, these addresses resulted in an invalid - iptables command. - -3) The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured - Shorewall. - -4) A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were - being added to a PPP interface; the addresses were successfully - added in spite of the messages. - - The firewall script has been modified to eliminate the error - messages. - -5) Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain"). - -6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again. - -7) The 'shorewall reject' and 'shorewall drop' commands now delete any - existing rules for the subject IP address before adding a new DROP - or REJECT rule. Previously, there could be many rules for the same - IP address in the dynamic chain so that multiple 'allow' commands - were required to re-enable traffic to/from the address. 
- -8) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in - /etc/shorewall/masq resulted in a startup error: - - eth0 eth1 206.124.146.20-206.124.146.24 - -9) Shorewall previously choked over IPV6 addresses configured on - interfaces in contexts where Shorewall needed to detect something - about the interface (such as when "detect" appears in the BROADCAST - column of the /etc/shorewall/interfaces file). - -10) Shorewall will now load module files that are formed from the - module name by appending ".o.gz". - -11) When Shorewall adds a route to a proxy ARP host and such a route - already exists, two routes resulted previously. This has been - corrected so that the existing route is replaced if it already - exists. - -12) The rfc1918 file has been updated to reflect recent allocations. - -13) The documentation of the USERSETS column in the rules file has been - corrected. - -14) If there is no policy defined for the zones specified in a rule, - the firewall script previously encountered a shell syntax error: - - [: NONE: unexpected operator - - Now, the absence of a policy generates an error message and the - firewall is stopped: - - No policy defined from zone to zone - -15) Previously, if neither /etc/shorewall/common nor - /etc/shorewall/common.def existed, Shorewall would fail to start - and would not remove the lock file. Failure to remove the lock file - resulted in the following during subsequent attempts to start: - - Loading /usr/share/shorewall/functions... - Processing /etc/shorewall/params ... - Processing /etc/shorewall/shorewall.conf... - Giving up on lock file /var/lib/shorewall/lock - Shorewall Not Started - - Shorewall now reports a fatal error if neither of these two files - exist and correctly removes the lock file. - -16) The order of processing the various options has been changed such - that blacklist entries now take precedence over the 'dhcp' - interface setting. 
- -17) The log message generated from the 'logunclean' interface option - has been changed to reflect a disposition of LOG rather than DROP. - -18) When a user name and/or a group name was specified in the USER SET - column and the destination zone was qualified with a IP address, - the user and/or group name was not being used to qualify the rule. - - Example: - - ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir: - -19) The /etc/shorewall/masq file has had the spurious "/" character at - the front removed. + local: --limit: bad variable name + iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: + cannot open shared object file: No such file or directory + Try `iptables -h' or 'iptables --help' for more information. Migration Issues: -1) IP Traffic Accounting is changed from Snapshot 20030813. - -2) The Uset Set capability introduced in SnapShot 20030821 has - changed -- see the User Set page for details. - -3) The per-interface dynamic blacklisting facility from previous 1.4.6 - Snapshots has been removed. The implications of the facility for - users with dial-up internet connections were too complicated to - document adaquately. My apologies for unleashing this half-baked - idea on the user base. +None. New Features: -1) The 2.6 series of Linux kernels will not support the 'unclean' - match extension except in Patch-O-Matic. In keeping with the - Shorewall policy of not supporting netfilter extensions that are - only available in Patch-O-Matic, the 'dropunclean' and - 'logunclean' interface options will be removed in a future - release. In the 1.4.7 release, they are flagged with a warning. - -2) Thanks to Steve Herber, the help command can now give - command-specific help. - -3) A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of - "No" for existing Shorewall users who are upgrading to this release. 
- With this setting, Shorewall's 'stopped' state continues as it has - been; namely, in the stopped state only traffic to/from hosts listed - in /etc/shorewall/routestopped is accepted. - - The default for new users installing Shorewall for the first time is - ADMINISABSENTMINDED=Yes.With that setting, in addition to traffic - to/from the hosts listed in /etc/shorewall/routestopped, Shorewall - will allow: - - a) All traffic originating from the firewall itself; and - b) All traffic that is part of or related to an already-existing - connection. - - In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session. - - Note though that it is still possible for people to shoot themselves - in the foot. - - Example: - - /etc/shorewall/nat: - - 206.124.146.178 eth0:0 192.168.1.5 - - /etc/shorewall/rules: - - ACCEPT net loc:192.168.1.5 tcp 22 - ACCEPT loc fw tcp 22 - - I ssh into 206.124.146.178 which establishes an SSH connection with - 192.168.1.5. I then create a second SSH connection from that - computer to the firewall and confidently type "shorewall - stop". As part of stopping, Shorewall removes eth0:0 which kills my - SSH connection to 192.168.1.5!!! - -4) Given the wide range of VPN software, I can never hope to add - specific support for all of it. I have therefore decided to add - "generic" tunnel support. - - Generic tunnels work pretty much like any of the other tunnel - types. You usually add a zone to represent the systems at the other - end of the tunnel and you add the appropriate rules/policies to - implement your security policy regarding traffic to/from those - systems. - - In the /etc/shorewall/tunnels file, you can have entries of the - form: - - # TYPE ZONE GATEWAY GATEWAY ZONE - generic:[:] - - where: - - is the protocol used by the tunnel - if the protocol is 'udp' or 'tcp' then this - is the destination port number used by the - tunnel. 
- is the zone of the remote tunnel gateway - is the IP address of the remote tunnel - gateway. - Optional. A comma-separated list of zone names. - If specified, the remote gateway is to be - considered part of these zones. - -5) An 'arp_filter' option has been added to the - /etc/shorewall/interfaces file. This option causes - /proc/sys/net/ipv4/conf//arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests - from hosts that are routed out of that interface. Setting this - option facilitates testing of your firewall where multiple firewall - interfaces are connected to the same HUB/Switch (all interfaces - connected to the single HUB/Switch should have this option - specified). Note that using such a configuration in a production - environment is strongly recommended against. - -6) The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter - will use all listed addresses/ranges in round-robin fashion. - -7) An /etc/shorewall/accounting file has been added to allow for - traffic accounting.. - - The accounting rules are placed in a chain called "accounting" and - can thus be displayed using "shorewall show accounting". - - The file has the following columns: - - ACTION - What to do when a match is found. Possible - values are: - - COUNT - Simply count the match and continue - trying to match the packet with the - following accounting rules. - - DONE - Count the match and don't attempt to - match any following accounting rules. - - - The name of a chain to jump to. - Shorewall will create the chain - automatically. If the name of the - chain is followed by ":COUNT" then - a COUNT rule matching this rule - will automatically be added to - - - CHAIN - The name of the chain where the accounting - rule is to be added. If empty or "-" then - the "accounting" chain is assumed. 
- - SOURCE - Packet Source - - The name of an interface, an address (host or - net) or an interface name followed by ":" - and a host or net address. - - DESTINATION - Packet Destination - - Format the same as the SOURCE column. - - PROTOCOL A protocol name (from /etc/protocols), a - protocol number. - - DEST PORT Destination Port number - - Service name from /etc/services or port - number. May only be specified if the protocol - is TCP or UDP (6 or 17). - - SOURCE PORT Source Port number - - Service name from /etc/services or port - number. May only be specified if the protocol - is TCP or UDP (6 or 17). - - In all columns except ACTION and CHAIN, the values "-","any" and - "all" are treated as wild-cards. - - The accounting rules are evaluated in the Netfilter 'filter' - table. This is the same environment where the 'rules' file rules are - evaluated and in this environment, DNAT has already occurred in - inbound packets and SNAT has not yet occurred on outbound ones. - - The accounting rules are placed in a chain called "accounting" and - can thus be displayed using "shorewall show accounting". - - See http://shorewall.net/Accounting.html for examples. - -8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist. - -9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and - REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the - corresponding ACCEPT rule in the filter table is not rate - limited. If you want to limit the filter table rule, you will need - to create two rules; a DNAT- rule and an ACCEPT rule which can be - rate-limited separately. - - To specify a rate limit, you can follow one of two approaches: - - a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with - - < /[:] > - - where - - is the sustained rate per - is "sec" or "min" - is the largest burst accepted within an - . If not given, the default of 5 is - assumed. 
- - There may be no white space between the ACTION and "<" nor there - may be any white space within the burst specification. If you want - to specify logging of a rate-limited rule, the ":" and log level - comes after the ">" (e.g., ACCEPT<2/sec:4>:info ). - - b) There is a new RATE LIMIT column at the far right of the - file (beyond column 80). You may place the rate limit there in - the format: - - /[:] - - where , and are as above. - - You may not place a rate limit in both the ACTION and RATE LIMIT - columns. - - Let's take an example: - - ACCEPT<2/sec:4> net dmz tcp 80 - - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be - accepted. After this, it will be 500ms (1 second divided by the rate - of 2) before a packet will be accepted from this rule, regardless of - how many packets reach it. Also, every 500ms which passes without - matching a packet, one of the bursts will be regained; if no packets - hit the rule for 2 second, the burst will be fully recharged; - back where we started. - - Warning: When rate limiting is specified on a rule with "all" in the - SOURCE or DEST fields, the limit will apply to each pair of - zones individually rather than as a single limit for all pairs of - zones covered by the rule. - -10) Multiple chains may now be displayed in one "shorewall show" - command (e.g., shorewall show INPUT FORWARD OUTPUT). - -11) Output rules (those with $FW as the SOURCE) may now be limited to - a set of local users and/or groups. See - http://shorewall.net/UserSets.html for details. - -12) The RPM has been modified so that it no longer conflicts with - SuSE's bizarre kernel RPMs. +None.
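Review bot: spelling in the only new entry of the STABLE/changelog.txt hunk: "fixes syntax error occuring with" should read "occurring". Since this line is now the whole changelog for the release, it is also worth naming the symptom the user sees ("shorewall start" fails with "local: --limit: bad variable name", as the release notes put it) so the entry can be found by searching for the error text.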
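Review bot: the quoting in `local limit="${4:-$LOGLIMIT}"` in the STABLE/firewall hunk is the right fix for the reported failure: an ash that word-splits the arguments of `local` splits an unquoted default containing whitespace, rejects a later word beginning with `--` as a variable name (hence "local: --limit: bad variable name") and leaves $limit holding only the first word, which is consistent with the `Couldn't load match `-j'` error that follows in the release notes. For consistency, the neighbouring `local chain=$2` and `local disposition=$3` in the same context lines are still unquoted and would split the same way if either value ever contained whitespace; quoting them (`local chain="$2"`, `local disposition="$3"`) costs nothing. It is also worth grepping the script for other `local name=${n:-$DEFAULT}` assignments whose default may contain spaces, since this hunk fixes a single instance of a pattern.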
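Review bot: the unchanged heading "Problems Corrected since version 1.4.6:" in the STABLE/releasenotes.txt hunk no longer matches the file body, which now lists only the ash fix, nor the companion changelog, which is retitled "Changes since 1.4.7"; update it to "since version 1.4.7" (or state the new version explicitly) so the notes do not read as if the 1.4.7 corrections had been dropped from the release. The new text also says the problem occurs with "some versions of 'ash'" without saying which; if the affected version or distribution is known, naming it helps users decide whether they are affected, and a one-line statement of the cause (an unquoted default in a `local` assignment) would help anyone who hits the same class of error elsewhere.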
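Review bot: file mode in the Shorewall/changelog.txt header: the file is 100755 while its byte-identical STABLE/changelog.txt counterpart (same blob ids 0be0ccc5a..bcdda6917) is 100644; a text changelog should not be executable, so consider clearing the execute bit in this or a follow-up commit. The same "occuring" to "occurring" correction applies to the new entry in this copy.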
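Review bot: Shorewall/releasenotes.txt is committed with mode 100755 whereas STABLE/releasenotes.txt (same content, same blob ids 39e3be0b8..e1ab0173d) is 100644; release notes should be non-executable. In this copy too the unchanged heading "Problems Corrected since version 1.4.6:" should become "since version 1.4.7" to match the retitled changelog, and since the two trees are evidently maintained as identical copies, whatever step syncs them should carry both the heading fix and the mode.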