diff --git a/STABLE2/action.template b/STABLE2/action.template
index 75307117f..b20af0e09 100644
--- a/STABLE2/action.template
+++ b/STABLE2/action.template
@@ -42,6 +42,15 @@
 # to a separate log through use of ulogd
 # (http://www.gnumonks.org/projects/ulogd).
 #
+# Actions specifying logging may be followed by a
+# log tag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
 # SOURCE Source hosts to which the rule applies.
 # A comma-separated list of subnets
 # and/or hosts. Hosts may be specified by IP or MAC
diff --git a/STABLE2/bogons b/STABLE2/bogons
index a628499bd..6d65a1846 100644
--- a/STABLE2/bogons
+++ b/STABLE2/bogons
@@ -46,13 +46,19 @@
 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
 58.0.0.0/7 logdrop # Reserved
-70.0.0.0/7 logdrop # Reserved
+71.0.0.0/8 logdrop # Reserved
 72.0.0.0/5 logdrop # Reserved
-85.0.0.0/8 logdrop # Reserved
-86.0.0.0/7 logdrop # Reserved
-88.0.0.0/5 logdrop # Reserved
+89.0.0.0/8 logdrop # Reserved
+90.0.0.0/7 logdrop # Reserved
+92.0.0.0/6 logdrop # Reserved
 96.0.0.0/3 logdrop # Reserved
 127.0.0.0/8 logdrop # Loopback
+173.0.0.0/8 logdrop # Reserved
+174.0.0.0/7 logdrop # Reserved
+176.0.0.0/5 logdrop # Reserved
+184.0.0.0/6 logdrop # Reserved
+189.0.0.0/8 logdrop # Reserved
+190.0.0.0/8 logdrop # Reserved
 197.0.0.0/8 logdrop # Reserved
 198.18.0.0/15 logdrop # Reserved
 223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index d2bce5a48..7d9d10013 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -1,52 +1,61 @@ -Changes since 2.0.0 +Changes since 2.0.1 -1) Eliminate Warning about Policy as rule when using actions. +1) Reformat the code in define_firewall(). -2) Add bridging Code. +2) Reimplement dynamic zones. -3) Cleanup Warning elimination. +3) Tweak new dynamic zone implementation. -4) Add 'nobogons' +4) Implement CONFIG_PATH. -5) Add 'netmap' +5) Apply Stijn Jonker's fix for CONFIG_PATH. -6) Fix another _frwd problem. +6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately. -7) Add -x option to /sbin/shorewall. +7) Allow CONFIG_PATH to be inherited. -8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. +8) Fix ensure_config_path call. -9) Improve zone-definition checking. +9) Make LOCAL and ALL INTERFACES independent in the nat file. -10) Add additional options to hosts file +10) Add "ko.gz" to the vast list of module suffixes that distributions + have invented. -11) Replace 'subnet' with 'network' in the code +11) Update the bogons file -12) Fix item 10 above :-( +12) Added example for log rate limiting knobs in shorewall.conf. -13) Replace good code with crap to satisfy 'ash'. +13) Fix init.debian.sh. -14) Fix if_match to only do wild-card matches on patterns ending in - "+". +14) Implement the -q option. -15) Tighten edits on bridge port names. +15) Add saved configuration support (iptables-save/iptables-restore + integration). -16) Make 'routeback' on interfaces work again. +16) Use modprobe if it is available. -17) Reduce useless intra-zone rules on bridges. +17) Lots of fixes to 'save' -18) Make 'routeback' on hosts work again. +18) 'shorewall forget' -19) Fix display of ICMP packets. +19) SNAT/MASQUERADE by proto/port(s) -20) Fix init.debian.sh +20) Shorewall 2.0.2 Beta 1 changes. -21) Eliminate meaningless warning out of proxyarp processing. +21) Fix ALL INTERFACES column parsing. -22) Fix module loading on Mandrake. +22) Correct "shorewall delete" processing. -23) Eliminate confusing IPV6 warnings. 
+23) Apply Alex Wilms's patch for install.sh -24) Apply Stefan Engel's fix for "shorewall delete" +24) Add ACCEPT+ and NONAT targets. -25) Apply the install.sh fix from Alex Wilms \ No newline at end of file +25) Added 'initialized' extension script. + +26) Renamed 'initialized' to 'initdone' + +27) Applied Stijn Jonker's fix for "shorewall add" + +28) Correct typo that broke "shorewall delete" + +29) Apply Stijn Jonker's -q fix. diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh index d3a8ab1e7..3b6886011 100755 --- a/STABLE2/fallback.sh +++ b/STABLE2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.1 +VERSION=2.0.2 usage() # $1 = exit status { @@ -120,8 +120,12 @@ restore_file /usr/share/shorewall/rfc1918 restore_file /usr/share/shorewall/bogons +restore_file /usr/share/shorewall/configpath + restore_file /etc/shorewall/init +restore_file /etc/shorewall/initdone + restore_file /etc/shorewall/start restore_file /etc/shorewall/stop diff --git a/STABLE2/firewall b/STABLE2/firewall index 07f8b4e54..469074252 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -51,6 +51,11 @@ my_mutex_off() { [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } } +progress_message() # $* = Message +{ + [ -n "$QUIET" ] || echo "$@" +} + # # Message to stderr # 
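Review bot: The new `progress_message` helper silently depends on the global `QUIET`, but its only documentation is `# $* = Message`; every other helper in this part of the file carries a comment block above it. Adding `# Echo $* unless QUIET is set (the -q option); used for per-rule progress output` above the definition would tell a reader why some messages in the rest of the diff go through it while others stay as plain `echo`.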
@@ -94,6 +99,47 @@ report () { # $* = message
     logger "$@"
 }
 
+#
+# Write the passed args to /var/lib/shorewall/restore-$$
+#
+save_command()
+{
+    echo "$@" >> /var/lib/shorewall/restore-$$
+}
+
+#
+# Save the passed command in the restore script then run it -- returns the status of the command
+# If the command involves file redirection then it must be enclosed in quotes as in:
+#
+#     run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
+#
+run_and_save_command()
+{
+    echo "$@" >> /var/lib/shorewall/restore-$$
+    eval $*
+}
+
+#
+# Run the passed command and if it succeeds, save it in the restore script. If it fails, stop the firewall and die
+#
+ensure_and_save_command()
+{
+    if eval $* ; then
+        echo "$@" >> /var/lib/shorewall/restore-$$
+    else
+        [ -z "$stopping" ] && { stop_firewall; exit 2; }
+    fi
+}
+
+#
+# Append a file to /var/lib/shorewall/restore-$$
+#
+append_file() {
+    save_command "cat > $STATEDIR/$1 << EOF"
+    cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
+    save_command EOF
+}
+
 #
 # Run iptables and if an error occurs, stop the firewall and quit
 #
@@ -391,6 +437,31 @@ mac_chain() # $1 = interface
     echo $(chain_base $1)_mac
 }
 
+#
+# Functions for creating dynamic zone rules
+#
+dynamic_fwd() # $1 = interface
+{
+    echo $(chain_base $1)_dynf
+}
+
+dynamic_in() # $1 = interface
+{
+    echo $(chain_base $1)_dyni
+}
+
+dynamic_out() # $1 = interface
+{
+    echo $(chain_base $1)_dyno
+}
+
+dynamic_chains() #$1 = interface
+{
+    local c=$(chain_base $1)
+
+    echo ${c}_dyni ${c}_dynf ${c}_dyno
+}
+
 #
 # DNAT Chain from a zone
 #
@@ -479,6 +550,7 @@ match_dest_hosts()
         echo -d $1
     fi
 }
+
 #
 # Similarly, the source or destination in a rule can be qualified by a device name. If
 # the device is defined in /etc/shorewall/interfaces then a normal interface match is
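Review bot: `append_file` emits the state file into the restore script between an unquoted `<< EOF` and a bare `EOF`, so when `/var/lib/shorewall/restore` is later sourced the file contents are subject to parameter and command-substitution expansion, and a state-file line that is exactly `EOF` would close the here-document early and hand the remainder to the shell as commands. The state files written elsewhere in this diff (`zones`, `chains`, `proxyarp`, `nat`) appear to be written only by this script, so this is a robustness point rather than an exposure, but a quoted and less collision-prone delimiter removes both behaviours: `save_command "cat > $STATEDIR/$1 << 'SHOREWALL_RESTORE_EOF'"` paired with `save_command SHOREWALL_RESTORE_EOF`. Separately, `run_and_save_command`'s header says it "returns the status of the command", which only holds because `eval $*` is the last statement; a one-line comment on that line, `# status of the eval is the function's return status`, keeps a later edit from breaking the contract.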
@@ -815,7 +887,7 @@ validate_policy()
     [ $1 = $2 ] || \
     [ $1 = all ] || \
     [ $2 = all ] || \
-    echo " Policy for $1 to $2 is $policy using chain $chain"
+    progress_message " Policy for $1 to $2 is $policy using chain $chain"
 }
 
 all_policy_chains=
@@ -1038,7 +1110,7 @@ run_user_exit() # $1 = file name
     local user_exit=$(find_file $1)
 
     if [ -f $user_exit ]; then
-        echo "Processing $user_exit ..."
+        progress_message "Processing $user_exit ..."
         . $user_exit
     fi
 }
@@ -1046,52 +1118,47 @@ run_user_exit() # $1 = file name # # Add a logging rule. # -log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule +log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=log tag $... = predicates for the rule { local level=$1 local chain=$2 local disposition=$3 local rulenum= local limit="${4:-$LOGLIMIT}" + local tag=${5:+$5 } + local prefix - shift;shift;shift;shift + shift;shift;shift;shift;shift if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules [ -z "$rulenum" ] && rulenum=1 - case $level in - ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' - ;; - *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi + prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag}" rulenum=$(($rulenum + 1)) - eval ${chain}_logrules=$rulenum else - case $level in - ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' - ;; - *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' - ;; - esac + prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag}" + fi + + if [ ${#prefix} -gt 29 ]; then + prefix="$(echo $prefix | cut -b -29)" + error_message "Warning: Log Prefix shortened to \"$prefix\"" + fi + + case $level in + ULOG) + iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + ;; + *) + iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + ;; + esac - if [ $? -ne 0 ] ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi + if [ $? 
-ne 0 ] ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } @@ -1103,7 +1170,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo shift;shift;shift - log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ + log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@ } # @@ -1112,11 +1179,11 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo setup_forwarding() { case "$IP_FORWARDING" in [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward + run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" echo "IP Forwarding Enabled" ;; [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward + run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" echo "IP Forwarding Disabled!" ;; esac @@ -1155,6 +1222,16 @@ stop_firewall() { ;; *) set +x + rm -f /var/lib/shorewall/restore-$$ + + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + echo Shorewall restored + my_mutex_off + kill $$ + exit 2 + fi ;; esac @@ -1274,6 +1351,8 @@ stop_firewall() { # else. Remove the lock file and Kill the shell in case we're in a # subshell # + rm -f /var/lib/shorewall/restore-$$ + my_mutex_off kill $$ ;; @@ -1294,9 +1373,11 @@ clear_firewall() { setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT - ip6tables -P INPUT ACCEPT 2> /dev/null - ip6tables -P OUTPUT ACCEPT 2> /dev/null - ip6tables -P FORWARD ACCEPT 2> /dev/null + if qt which ip6tables; then + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null + fi run_user_exit clear @@ -1357,7 +1438,7 @@ setup_tunnels() # $1 = name of tunnels file fi done - echo " IPSEC tunnel to $gateway defined." + progress_message " IPSEC tunnel to $gateway defined." } setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol 
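Review bot: The prefix truncation in `log_rule_limit` runs `echo $prefix | cut -b -29` with `$prefix` unquoted, so a log tag containing a glob character or repeated spaces is expanded or collapsed before it is cut, and `${#prefix}` counts characters while `cut -b` counts bytes, so a tag with multibyte characters can pass the length test yet be cut mid-character. The tag now comes straight from the rules file, so `prefix="$(printf '%s' "$prefix" | cut -b -29)"` keeps the value as written. Replacing the old `eval` with a quoted `"$prefix"` on the two `iptables` lines is the right change and should stay. This hunk begins on the preceding physical line.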
@@ -1365,7 +1446,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p $3 -s $2 -j ACCEPT addrule $outchain -p $3 -d $2 -j ACCEPT - echo " $1 tunnel to $2 defined." + progress_message " $1 tunnel to $2 defined." } setup_pptp_client() # $1 = gateway @@ -1374,7 +1455,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p 47 -j ACCEPT addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT - echo " PPTP tunnel to $1 defined." + progress_message " PPTP tunnel to $1 defined." } setup_pptp_server() @@ -1383,7 +1464,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $outchain -p 47 -j ACCEPT addrule $inchain -p tcp --dport 1723 -j ACCEPT - echo " PPTP server defined." + progress_message " PPTP server defined." } setup_one_openvpn() # $1 = gateway, $2 = kind[:port] @@ -1400,7 +1481,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT - echo " OPENVPN tunnel to $1:$p defined." + progress_message " OPENVPN tunnel to $1:$p defined." } setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone @@ -1438,7 +1519,7 @@ setup_tunnels() # $1 = name of tunnels file fi done - echo " GENERIC tunnel to $1:$p defined." + progress_message " GENERIC tunnel to $1:$p defined." } strip_file tunnels $1 
@@ -1541,18 +1622,18 @@ setup_proxy_arp() { esac if [ -z "$haveroute" ]; then - run_ip route replace $address dev $interface + ensure_and_save_command ip route replace $address dev $interface [ -n "$persistent" ] && haveroute=yes fi - run_arp -i $external -Ds $address $external pub + ensure_and_save_command arp -i $external -Ds $address $external pub - echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp - echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" + run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp" echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp - echo " Host $address connected to $interface added to ARP on $external" + progress_message " Host $address connected to $interface added to ARP on $external" } > ${STATEDIR}/proxyarp @@ -1566,7 +1647,8 @@ setup_proxy_arp() { for interface in $interfaces; do if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then - echo " Enabled proxy ARP on $interface" + progress_message " Enabled proxy ARP on $interface" + save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" else error_message "Warning: Unable to enable proxy ARP on $interface" fi @@ -1602,7 +1684,7 @@ setup_mac_lists() { fi done - echo "Setting up MAC Verification on $maclist_interfaces..." + progress_message "Setting up MAC Verification on $maclist_interfaces..." # # Be sure that they are all ethernet interfaces # @@ -1723,7 +1805,7 @@ setup_syn_flood_chain () enable_syn_flood_protection() # $1 = chain, $2 = protection chain { run_iptables -I $1 2 -p tcp --syn -j @$2 - echo " Enabled SYN flood protection" + progress_message " Enabled SYN flood protection" } # 
@@ -1762,32 +1844,35 @@ setup_nat() { iface=${interface%:*} if [ -n "$ADD_IP_ALIASES" ]; then - qt ip addr del $external dev $iface + run_and_save_command qt ip addr del $external dev $iface fi - if [ "$allints" = "Yes" -o "$allints" = "yes" ]; then + if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then addnatrule nat_in -d $external -j DNAT --to-destination $internal addnatrule nat_out -s $internal -j SNAT --to-source $external - if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then - run_iptables2 -t nat -A OUTPUT -d $external \ - -j DNAT --to-destination $internal - fi - elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then + elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then addnatrule $(input_chain $iface) \ -d $external -j DNAT --to-destination $internal addnatrule $(output_chain $iface) \ -s $internal -j SNAT --to-source $external else - fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnet\"" + fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\"" fi + if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then + run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal + elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then + fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\"" + fi + + if [ -n "$ADD_IP_ALIASES" ]; then list_search $external $aliases_to_add || \ aliases_to_add="$aliases_to_add $external $interface" fi - echo " Host $internal NAT $external on $interface" + progress_message " Host $internal NAT $external on $interface" done < $TMP_DIR/nat } 
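Review bot: The new LOCAL-column validation in `setup_nat` reports the wrong value: its `fatal_error` interpolates `$allints` where the value that failed the test is `$localnat`, so a user sees `Invalid value (Yes) for LOCAL` when the ALL INTERFACES column was fine and the LOCAL column was the problem. Change it to `fatal_error "Invalid value ($localnat) for LOCAL in entry \"$external $interface $internal $allints $localnat\""`. The ALL INTERFACES message in the same hunk was just corrected to print `$localnat` in the entry, so the two should be kept in step.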
@@ -1832,7 +1917,7 @@ setup_netmap() { ;; esac - echo " Network $net1 on $interface mapped to $net2 ($type)" + progress_message " Network $net1 on $interface mapped to $net2 ($type)" done < $TMP_DIR/netmap } @@ -1863,7 +1948,7 @@ setup_ecn() # $1 = file name done < $TMP_DIR/ecn if [ -n "$interfaces" ]; then - echo "Setting up ECN control on${interfaces}..." + progress_message "Setting up ECN control on${interfaces}..." for interface in $interfaces; do chain=$(ecn_chain $interface) @@ -1880,7 +1965,7 @@ setup_ecn() # $1 = file name interface=${host%:*} h=${host#*:} run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove - echo " ECN Disabled to $h through $interface" + progress_message " ECN Disabled to $h through $interface" done fi } @@ -1975,7 +2060,7 @@ process_tc_rule() done done - echo " TC Rule \"$rule\" added" + progress_message " TC Rule \"$rule\" added" } # @@ -2008,6 +2093,7 @@ setup_tc1() { run_iptables -t mangle -A OUTPUT -j tcout run_user_exit tcstart + save_command . $(find_file tcstart) } @@ -2025,8 +2111,9 @@ delete_tc() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + run_and_save_command "tc qdisc del dev $1 root 2> /dev/null" + run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" + } run_user_exit tcclear @@ -2146,7 +2233,7 @@ process_accounting_rule() { if iptables -A $chain $rule ; then [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 - echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added + progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added else accounting_error fi @@ -2297,6 +2384,7 @@ refresh_tc() { # action = The chain for this rule # ratelimit = Optional rate limiting clause # userandgroup = owner match clause +# logtag = Log tag # add_an_action() { 
@@ -2403,7 +2491,7 @@ add_an_action() for serv1 in $(separate_list $serv); do for srv in $(ip_range $serv1); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -2413,7 +2501,7 @@ add_an_action() done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi @@ -2447,6 +2535,7 @@ process_action() # $1 = action local userspec="$9" local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" local userandgroup= + local logtag= if [ -n "$ratelimit" ]; then case $ratelimit in @@ -2500,10 +2589,16 @@ process_action() # $1 = action loglevel= else loglevel="${target#*:}" - target="${target%:*}" + target="${target%%:*}" expandv loglevel + if [ "$loglevel" != "${loglevel%:*}" ]; then + logtag="${loglevel#*:}" + loglevel="${loglevel%:*}" + expandv logtag + fi + fi - + logtarget="$target" case $target in @@ -2562,9 +2657,9 @@ process_action() # $1 = action # Report Result # if [ $COMMAND = check ]; then - echo " Rule \"$rule\" checked." + progress_message " Rule \"$rule\" checked." else - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." fi } @@ -2653,7 +2748,7 @@ process_actions1() { strip_file $f $fn while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do expandv xtarget - temp="${xtarget%:*}" + temp="${xtarget%%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ;; 
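Review bot: The log-level/log-tag split added to `process_action` (`loglevel="${target#*:}"` through `expandv logtag`) is repeated verbatim in `process_rule` later in this diff; a small helper that sets `loglevel` and `logtag` from one argument would keep the two parsers from drifting, and the `%:*` to `%%:*` correction in this same commit is exactly the kind of fix that currently has to be made in both places. The hunk also rewrites the blank line between `fi` and `logtarget="$target"`, which looks like whitespace-only noise inside an otherwise functional change.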
@@ -2779,6 +2874,7 @@ process_actions2() { # multiport = String to invoke multiport match if appropriate # ratelimit = Optional rate limiting clause # userandgroup = -m owner match to limit the rule to a particular user and/or group +# logtag = Log tag # add_nat_rule() { local chain @@ -2866,7 +2962,7 @@ add_nat_rule() { else for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) fi @@ -2905,7 +3001,7 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat \ $(fix_bang $proto $cli $sports -d $adr $multiport $dports) fi @@ -2965,7 +3061,8 @@ add_nat_rule() { # chain = The canonical chain for this rule # ratelimit = Optional rate limiting clause # userandgroup= -m owner clause -# userspec = User name +# userspec = User name +# logtag = Log tag # add_a_rule() { @@ -3027,7 +3124,10 @@ add_a_rule() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" + if [ -n "$server" ]; then + [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" + dest_interface="$(match_dest_dev $server)" + fi ;; esac @@ -3071,7 +3171,6 @@ add_a_rule() case "$logtarget" in ACCEPT|DROP|REJECT|CONTINUE) - [ "$logtarget" = REJECT -a -n "$servport" ] && \ fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\"" if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then 
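Review bot: The new `fatal_error` text in `add_a_rule` has a typo, `Destination interface not allowe with $logtarget`; change it to `fatal_error "Destination interface not allowed with $logtarget"`. Since this message is the only explanation a user gets when an ACCEPT+ or NONAT rule names a destination interface, a short reason would help, presumably along the lines of the nat-table RETURN rule these targets add having no output-interface match; the enclosing function starts before this hunk.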
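Review bot: As the hunk reads, removing the line `[ "$logtarget" = REJECT -a -n "$servport" ] && \` leaves `fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\""` as an unconditional first statement of the `ACCEPT|DROP|REJECT|CONTINUE)` arm, which would abort every such rule. If the intent is to drop the restriction, the `fatal_error` line should be removed with it; if a condition survives on a line not shown here, please confirm against the full function, which starts before this hunk.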
@@ -3113,7 +3212,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -3122,23 +3221,33 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi + + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN - run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target fi done done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target fi fi fi 
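Review bot: The pair `[ -n "$nonat" ] && addnatrule $(dnat_chain $source) ... -j RETURN` followed by `[ "$logtarget" != NONAT ] && run_iptables2 ...` now appears twice in this hunk and a third time in the next one, differing only in whether `-d $srv` and `$dest_interface` are present; a helper taking the match arguments would keep the three copies consistent. `$source` is referenced by the new nat rule but is neither set nor documented in the function's header comment as far as this diff shows; the enclosing `add_a_rule` starts before this hunk.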
@@ -3152,13 +3261,18 @@ add_a_rule() if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $multiport $dest_interface $cli $sports $dports) fi - if [ $logtarget != LOG ]; then - run_iptables2 -A $chain $proto $multiport $dest_interface \ - $cli $sports $dports $ratelimit $userandgroup -j $target + if [ "$logtarget" != LOG ]; then + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $dest_interface \ + $cli $sports $dports $ratelimit $userandgroup -j $target fi fi fi @@ -3188,6 +3302,8 @@ process_rule() # $1 = target local userspec="$9" local userandgroup= local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" + local logtag= + local nonat= # Function Body - isolate rate limit @@ -3210,8 +3326,14 @@ process_rule() # $1 = target loglevel= else loglevel="${target#*:}" - target="${target%:*}" + target="${target%%:*}" expandv loglevel + if [ "$loglevel" != "${loglevel%:*}" ]; then + logtag="${loglevel#*:}" + loglevel="${loglevel%:*}" + expandv logtag + fi + fi # # Save the original target in 'logtarget' for logging rules @@ -3264,6 +3386,10 @@ process_rule() # $1 = target fi case $target in + ACCEPT+|NONAT) + nonat=Yes + target=ACCEPT + ;; ACCEPT|LOG) ;; DROP) @@ -3454,9 +3580,9 @@ process_rule() # $1 = target # Report Result # if [ $COMMAND = check ]; then - echo " Rule \"$rule\" checked." + progress_message " Rule \"$rule\" checked." else - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." fi } 
@@ -3507,9 +3633,9 @@ process_rules() } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - temp="${xtarget%:*}" + temp="${xtarget%%:*}" case "${temp%<*}" in - ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) + ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) do_it ;; *) @@ -3691,7 +3817,7 @@ process_tos_rule() { esac done - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." } # @@ -3882,7 +4008,7 @@ default_policy() # $1 = client $2 = server esac fi - echo " Policy $policy for $1 to $2 using chain $chain" + progress_message " Policy $policy for $1 to $2 using chain $chain" } eval chain1=\$${1}2${2}_policychain @@ -4023,12 +4149,15 @@ setup_masq() ;; esac + [ "x$addresses" = x- ] && addresses= + if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then for address in $(separate_list $addresses); do for addr in $(ip_range_explicit $address) ; do if ! list_search $addr $aliases_to_add; then + save_command qt ip addr del $addr dev $interface aliases_to_add="$aliases_to_add $addr $fullinterface" - case $fullinterface in + case $fullinterface in *:*) fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) ;; 
@@ -4038,6 +4167,50 @@ setup_masq() done fi + [ "x$proto" = x- ] && proto= + [ "x$ports" = x- ] && ports= + + if [ -n "$proto" ]; then + + displayproto="($proto)" + + case $proto in + tcp|TCP|udp|UDP|6|17) + if [ -n "$ports" ]; then + displayproto="($proto $ports)" + + listcount=$(list_count $ports) + + if [ $listcount -gt 1 ]; then + case $ports in + *:*) + fatal_error "Port Range not allowed in list ($ports)" + ;; + *) + if [ -n "$MULTIPORT" ]; then + [ $listcount -gt 15 ] && fatal_error "Too many entries in port list ($ports)" + ports="-m multiport --dports $ports" + else + fatal_error "Port Ranges require multiport match support in your kernel ($ports)" + fi + ;; + esac + else + ports="--dport $ports" + fi + fi + ;; + *) + [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" + ;; + esac + + proto="-p $proto" + else + displayproto="(all)" + [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" + fi + destination=$destnets chain=$(masq_chain $interface) @@ -4054,7 +4227,7 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do - addnatrule $chain -s $s -j $newchain + addnatrule $chain -s $s $proto $ports -j $newchain done networks= else @@ -4064,6 +4237,8 @@ setup_masq() masq_seq=$(($masq_seq + 1)) chain=$newchain destnets=0.0.0.0/0 + proto= + ports= if [ -n "$nomasq" ]; then for addr in $(separate_list $nomasq); do @@ -4080,12 +4255,12 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -s $s -j $newchain + addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain done done else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j $newchain + addnatrule $chain -d $destnet $proto $ports -j $newchain done fi @@ -4093,6 +4268,8 @@ setup_masq() chain=$newchain networks= destnets=0.0.0.0/0 + proto= + ports= for addr in $(separate_list $nomasq); do addnatrule $chain -s $addr -j RETURN 
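Review bot: In the new port handling in `setup_masq`, the `else` branch of `if [ -n "$MULTIPORT" ]` is reached for a port list, because ranges have already been rejected by the `*:*)` arm just above it, so its message `Port Ranges require multiport match support in your kernel ($ports)` names the wrong condition. `fatal_error "Port lists require multiport match support in your kernel ($ports)"` describes what was actually checked.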
@@ -4104,6 +4281,7 @@ setup_masq() esac addrlist= + if [ -n "$addresses" ]; then for address in $(separate_list $addresses); do addrlist="$addrlist --to-source $address" @@ -4114,26 +4292,26 @@ setup_masq() for s in $networks; do if [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet -j SNAT $addrlist + addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist done - echo " To $destination from $s through ${interface} using $addresses" + progress_message " To $destination $displayproto from $s through ${interface} using $addresses" else for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet -j MASQUERADE + addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE done - echo " To $destination from $s through ${interface}" + progress_message " To $destination $displayproto from $s through ${interface}" fi done elif [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j SNAT $addrlist + addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist done - echo " To $destination from $source through ${interface} using $addresses" + echo " To $destination $displayproto from $source through ${interface} using $addresses" else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j MASQUERADE + addnatrule $chain -d $destnet $proto $ports -j MASQUERADE done - echo " To $destination from $source through ${interface}" + progress_message " To $destination $displayproto from $source through ${interface}" fi } 
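Review bot: Of the four summary lines in this `setup_masq` hunk, the `elif [ -n "$addresses" ]` branch still uses `echo " To $destination $displayproto from $source through ${interface} using $addresses"` while the other three were switched to `progress_message`, so that one line keeps printing when `QUIET` is set. Change it to `progress_message " To $destination $displayproto from $source through ${interface} using $addresses"`.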
@@ -4142,8 +4320,8 @@ setup_masq() [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" - while read fullinterface networks addresses; do - expandv fullinterface networks addresses + while read fullinterface networks addresses proto ports; do + expandv fullinterface networks addresses proto ports [ -n "$NAT_ENABLED" ] && setup_one || \ error_message "Warning: NAT disabled; masq rule ignored" done < $TMP_DIR/masq @@ -4235,7 +4413,7 @@ process_blacklist_rec() { addr="$addr $protocol" fi - echo " $addr added to Black List" + progress_message " $addr added to Black List" done } @@ -4266,7 +4444,7 @@ setup_blacklist() { [ $network = 0/0.0.0.0 ] && network= || network=":$network" - echo " Blacklisting enabled on ${interface}${network}" + progress_message " Blacklisting enabled on ${interface}${network}" done [ "$disposition" = REJECT ] && disposition=reject @@ -4354,10 +4532,10 @@ add_ip_aliases() do_one() { val=$(address_details) - run_ip addr add ${external}${val} dev $interface $label + ensure_and_save_command ip addr add ${external}${val} dev $interface $label echo "$external $interface" >> ${STATEDIR}/nat [ -n "$label" ] && label="with $label" - echo " IP Address $external added to interface $interface $label" + progress_message " IP Address $external added to interface $interface $label" } set -- $aliases_to_add @@ -4638,6 +4816,8 @@ add_common_rules() { run_iptables -A reject -j REJECT fi + run_user_exit initdone + # # Process Black List # @@ -4854,7 +5034,7 @@ add_common_rules() { # ARP Filtering # for f in /proc/sys/net/ipv4/conf/*/arp_filter; do - echo 0 > $f + run_and_save_command "echo 0 > $f" done interfaces=$(find_interfaces_by_option arp_filter) @@ -4865,7 +5045,7 @@ add_common_rules() { for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/arp_filter if [ -f $file ]; then - echo 1 > $file + run_and_save_command "echo 1 > $file" else error_message \ "Warning: Cannot set ARP filtering on $interface" 
@@ -4881,22 +5061,43 @@ add_common_rules() { echo "Setting up Kernel Route Filtering..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - echo 0 > $f + run_and_save_command "echo 0 > $f" done for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/rp_filter if [ -f $file ]; then - echo 1 > $file + run_and_save_command "echo 1 > $file" else error_message \ "Warning: Cannot set route filtering on $interface" fi done - echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter - [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - run_ip route flush cache + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" + + if [ -n "$ROUTE_FILTER" ]; then + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" + fi + + run_and_save_command ip route flush cache + fi + + if [ -n "$DYNAMIC_ZONES" ]; then + echo "Setting up Dynamic Zone Chains..." + + for interface in $all_interfaces; do + for chain in $(dynamic_chains $interface); do + createchain $chain no + done + + chain=$(dynamic_in $interface) + createnatchain $chain + + run_iptables -A $(input_chain $interface) -j $chain + run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) + run_iptables -A OUTPUT -j $(dynamic_out $interface) + done fi setup_forwarding @@ -5008,6 +5209,12 @@ activate_rules() fi } + # + # Add jumps for dynamic nat chains + # + [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do + addrulejump PREROUTING $(dynamic_in $interface) + done # # Add jumps from the builtin chains to the nat chains # @@ -5025,8 +5232,6 @@ activate_rules() for zone in $zones; do eval source_hosts=\$${zone}_hosts - echo $zone $source_hosts >> ${STATEDIR}/zones - chain1=$(rules_chain $FW $zone) chain2=$(rules_chain $zone $FW) 
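Review bot: The OUTPUT jump `run_iptables -A OUTPUT -j $(dynamic_out $interface)` carries no `-o $interface`, and the rule that add_to_zone later appends to that chain (`-A $(dynamic_out $interface) -d $host -j $chain`) also dropped the `-o $interface` that the old `-I OUTPUT` rule had, so a dynamically added host would match locally generated traffic to $host on every interface rather than only the one it was added through. Restricting the jump, `run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)`, restores the previous scope without touching the add path, and the delete_from_zone hunk mirrors the add so it needs no change either way. This is inferred from the hunks shown; if the dynamic_out chains are entered elsewhere with an interface match, disregard. add_common_rules starts and continues outside this hunk.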
@@ -5037,8 +5242,11 @@ activate_rules() createchain $frwd_chain No fi - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains + if [ -n "$DYNAMIC_ZONES" ]; then + echo $zone $source_hosts >> ${STATEDIR}/zones + echo "$FW $zone $chain1" >> ${STATEDIR}/chains + echo "$zone $FW $chain2" >> ${STATEDIR}/chains + fi need_broadcast= @@ -5086,7 +5294,7 @@ activate_rules() chain="$(rules_chain $zone $zone1)" - echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains if [ $zone = $zone1 ]; then # @@ -5146,7 +5354,6 @@ activate_rules() done for interface in $all_interfaces ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface) addnatjump POSTROUTING $(masq_chain $interface) -o $interface 
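Review bot: The line `run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)` is removed from the interface loop with no replacement visible in this hunk, while the add_common_rules hunk still appends the dynamic_fwd jump to $(forward_chain $interface); if the FORWARD jump was not relocated, those per-interface forward chains are never reached. Given the large line offsets in this commit it was probably moved, in which case a comment at the loop such as `# FORWARD -> forward_chain jumps are added in <where>` would spare the next reader the search. activate_rules starts and ends outside this hunk.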
@@ -5212,83 +5419,42 @@ define_firewall() # $1 = Command (Start or Restart) echo "${1}ing Shorewall..." verify_os_version - verify_ip - load_kernel_modules - echo "Initializing..." - - initialize_netfilter - - echo "Configuring Proxy ARP" - - setup_proxy_arp - - echo "Setting up NAT..." - - setup_nat - - echo "Setting up NETMAP..." - - setup_netmap - - echo "Adding Common Rules" - - add_common_rules + echo "Initializing..."; initialize_netfilter + echo "Configuring Proxy ARP"; setup_proxy_arp + echo "Setting up NAT..."; setup_nat + echo "Setting up NETMAP..."; setup_netmap + echo "Adding Common Rules"; add_common_rules tunnels=$(find_file tunnels) - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels + echo "Processing $tunnels..." && setup_tunnels $tunnels maclist_hosts=$(find_hosts_by_option maclist) + [ -n "$maclist_hosts" ] && setup_mac_lists - if [ -n "$maclist_hosts" ] ; then - setup_mac_lists - fi - - rules=$(find_file rules) - - echo "Pre-processing Actions..." - - process_actions1 - - echo "Processing $rules..." - - process_rules - - echo "Processing Actions..." - - process_actions2 - - policy=$(find_file policy) - - echo "Processing $policy..." - - apply_policy_rules + echo "Pre-processing Actions..."; process_actions1 + echo "Processing $(find_file rules)..."; process_rules + echo "Processing Actions..."; process_actions2 + echo "Processing $(find_file policy)..."; apply_policy_rules masq=$(find_file masq) - - [ -f $masq ] && setup_masq $masq + [ -f $masq ] && setup_masq $masq tos=$(find_file tos) - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos ecn=$(find_file ecn) - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - [ -n "$TC_ENABLED" ] && setup_tc + [ -n "$TC_ENABLED" ] && setup_tc - echo "Activating Rules..." - - activate_rules + echo "Activating Rules..."; activate_rules [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && \ - add_ip_aliases + echo "Adding IP Addresses..." 
&& add_ip_aliases run_user_exit start @@ -5299,6 +5465,19 @@ define_firewall() # $1 = Command (Start or Restart) report "Shorewall ${1}ed" rm -rf $TMP_DIR + + for file in chains nat proxyarp zones; do + append_file $file + done + + save_command "date > $STATEDIR/restarted" + + save_command 'iptables-restore << EOF' + + # 'shorewall save' appends the iptables-save output and 'EOF' + + mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base + } # @@ -5359,11 +5538,6 @@ add_to_zone() # $1 = [:] $2 = zone fi } - output_rule_num() { - local num=$(iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1) - - [ -n "$num" ] && echo $(($num+1)) - } # # Isolate interface and host parts # @@ -5387,24 +5561,22 @@ add_to_zone() # $1 = [:] $2 = zone validate_zone $zone || startup_error "Unknown zone: $zone" [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" + # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" # - # Be sure that the interface was present at last [re]start + # Be sure that the interface was dynamic at last [re]start # if ! chain_exists $(input_chain $interface) ; then startup_error "Unknown interface $interface" fi - # - # Build lists of interfaces with special rules - # - dhcp_interfaces=$(find_interfaces_by_option dhcp) - blacklist_interfaces=$(find_interfaces_by_option blacklist) - maclist_interfaces=$(find_interfaces_by_option maclist) - tcpflags_interfaces=$(find_interfaces_by_option tcpflags) + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi # # Normalize the first argument to this function # 
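Review bot: The `[ -f $tunnels ] &&` guard in front of `setup_tunnels $tunnels` is dropped, so setup_tunnels now runs even when no tunnels file exists (find_file in this commit falls back to echoing /etc/shorewall/tunnels when nothing is found), whereas the masq call a few lines below keeps its guard; unless setup_tunnels tolerates a missing file, restore it as `[ -f $tunnels ] && echo "Processing $tunnels..." && setup_tunnels $tunnels`. Separately, the `[ -f $tos ] ... process_tos $tos` and `[ -f $ecn ] ... setup_ecn $ecn` lines are removed with no added counterpart visible here; if TOS and ECN setup were not moved elsewhere, both silently stop being applied at start. define_firewall continues past the end of this hunk.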
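Review bot: `mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base` hard-codes the state directory that the line just above it spells as `$STATEDIR`, and the do_initialize hunk creates the same file under the same literal path; use `mv -f $STATEDIR/restore-$$ $STATEDIR/restore-base` and the matching form at creation so a non-default state directory does not leave the restore script behind. Because restore-base is meant to be executed (it begins with an interpreter line and sources /usr/share/shorewall/functions) and, per the comment here, receives the complete iptables-save output, its mode should be set explicitly where it is created rather than inherited from the caller's umask.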
@@ -5444,111 +5616,44 @@ add_to_zone() # $1 = [:] $2 = zone chain=${zone}_dnat if nat_chain_exists $chain; then - do_iptables -t nat -I PREROUTING -i $interface -s $host -j $chain + do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain fi # - # Insert new rules into the input chains for the passed interface + # Insert new rules into the filter table for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - # - # We will insert the rule right after the DHCP, 'ping' and - # MAC rules (if any) - # - if list_search $interface $dhcp_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - do_iptables -I $(input_chain $interface) $rulenum -s $host -j $chain + do_iptables -A $(dynamic_in $interface) -s $host -j $chain else - # - # Insert rules into the passed interface's forward chain - # - # We insert them after any blacklist/MAC verification rules - # - source_chain=$(forward_chain $interface) + source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" - base=$(chain_base $interface) - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $interface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - fi - fi - for h in $dest_hosts; do iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain - rulenum=$(($rulenum + 1)) + do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain fi done - - eval ${base}_rulenum=$rulenum - fi elif [ "$z2" = "$zone" ]; 
then if [ "$z1" = "$FW" ]; then # - # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule + # Add a rule to the dynamic out chain for the interface # - do_iptables -I OUTPUT $(output_rule_num) -o $interface -d $host -j $chain + do_iptables -A $(dynamic_out $interface) -d $host -j $chain else - # - # Insert rules into the source interface's forward chain - # - # We insert them after any blacklist rules - # eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do iface=${h%%:*} hosts=${h#*:} - base=$(chain_base $iface) - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $iface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - fi - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain - rulenum=$(($rulenum + 1)) + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi - - eval ${base}_rulenum=$rulenum done fi fi @@ -5556,7 +5661,7 @@ add_to_zone() # $1 = [:] $2 = zone rm -rf $TMP_DIR - echo "$1 added to zone $2" + progress_message "$1 added to zone $2" } # @@ -5618,6 +5723,10 @@ delete_from_zone() # $1 = [:] $2 = zone if ! chain_exists $(input_chain $interface) ; then startup_error "Unknown interface $interface" fi + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "Interface $interface is not dynamic" + fi # # Normalize the first argument to this function # 
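Review bot: `do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain` still interpolates `$rulenum` although every assignment to rulenum was deleted in this hunk; with `-A` there is no rule-number argument, so if the variable is ever non-empty iptables is handed a stray positional and the add fails, and when it is empty the line only works through unquoted expansion. Drop it: `do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain`. add_to_zone starts before this hunk.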
@@ -5638,16 +5747,16 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D PREROUTING -i $interface -s $host -j ${zone}_dnat + qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(input_chain $interface) -s $host -j $chain + qt iptables -D $(dynamic_in $interface) -s $host -j $chain else - source_chain=$(forward_chain $interface) + source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" for h in $dest_hosts $delhost; do @@ -5661,7 +5770,7 @@ delete_from_zone() # $1 = [:] $2 = zone fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D OUTPUT -o $interface -d $host -j $chain + qt iptables -D $(dynamic_out $interface) -d $host -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -5670,7 +5779,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain + qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi done fi @@ -5679,7 +5788,7 @@ delete_from_zone() # $1 = [:] $2 = zone rm -rf $TMP_DIR - echo "$1 removed from zone $2" + progress_message "$1 removed from zone $2" } # @@ -5788,6 +5897,7 @@ do_initialize() { SMURF_LOG_LEVEL= DISABLE_IPV6= BRIDGING= + DYNAMIC_ZONES= stopping= have_mutex= @@ -5805,12 +5915,14 @@ do_initialize() { FUNCTIONS=$SHARED_DIR/functions if [ -f $FUNCTIONS ]; then - echo "Loading $FUNCTIONS..." + [ -n "$QUIET" ] || echo "Loading $FUNCTIONS..." . $FUNCTIONS else startup_error "$FUNCTIONS does not exist!" fi + ensure_config_path + VERSION_FILE=$SHARED_DIR/version [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE) 
@@ -5820,13 +5932,17 @@ do_initialize() { config=$(find_file shorewall.conf) if [ -f $config ]; then - echo "Processing $config..." + [ -n "$QUIET" ] || echo "Processing $config..." . $config else echo "$config does not exist!" >&2 exit 2 fi # + # Restore CONFIG_PATH if the shorewall.conf file cleared it + # + ensure_config_path + # # Determine the capabilities of the installed iptables/netfilter # determine_capabilities @@ -5941,6 +6057,8 @@ do_initialize() { BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) + DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" # @@ -5959,6 +6077,9 @@ do_initialize() { fi rm -f $TMP_DIR/physdev + + echo '#bin/sh' > /var/lib/shorewall/restore-$$ + echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ } # diff --git a/STABLE2/functions b/STABLE2/functions index c96f9c5bd..a856a3d32 100755 --- a/STABLE2/functions +++ b/STABLE2/functions @@ -82,11 +82,24 @@ fix_bang() { done } +# +# Set default config path +# +ensure_config_path() { + local F=/usr/share/shorewall/configpath + if [ -z "$CONFIG_PATH" ]; then + [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } + . $F + fi +} + # # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall # find_file() { + local saveifs= directory + case $1 in /*) echo $1 @@ -94,11 +107,19 @@ find_file() *) if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then echo $SHOREWALL_DIR/$1 - elif [ -f /etc/shorewall/$1 ]; then - echo /etc/shorewall/$1 - elif [ -f /usr/share/shorewall/$1 ]; then - echo /usr/share/shorewall/$1 else + saveifs=$IFS + IFS=: + for directory in $CONFIG_PATH; do + if [ -f $directory/$1 ]; then + echo $directory/$1 + IFS=$saveifs + return + fi + done + + IFS=$saveifs + echo /etc/shorewall/$1 fi ;; 
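Review bot: `echo '#bin/sh' > /var/lib/shorewall/restore-$$` writes an invalid interpreter line (the `!` is missing), so if the restore script is ever invoked as a program rather than sourced it is run by whatever shell the caller happens to use; it should be `echo '#!/bin/sh' > $STATEDIR/restore-$$`, which also replaces the literal directory with the `$STATEDIR` used for the other state files (the define_firewall hunk that renames the file to restore-base hard-codes the same path). The file is created with the process umask although it will hold the complete iptables-save output, so an explicit restrictive mode at creation would be prudent.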
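Review bot: The CONFIG_PATH loop in find_file accepts every entry as-is, and find_file's result is what do_initialize then sources (`config=$(find_file shorewall.conf)` followed by `. $config`), so a relative element would have configuration read from the current working directory, and an empty element produced by `::` (in shells that keep empty fields) makes `$directory/$1` resolve to `/$1`. Skipping non-absolute entries keeps the search to the intended directories: `case $directory in /*) ;; *) continue ;; esac` as the first statement of the loop body, optionally preceded by an error_message. Note also that ensure_config_path only fills CONFIG_PATH when it is empty, so an inherited value from the caller's environment decides where shorewall.conf itself is found; a comment there saying that this is intentional would help.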
@@ -485,14 +506,14 @@ in_network() # $1 = IP address, $2 = CIDR network ip_vlsm() { local mask=$(decodeaddr $1) local vlsm=0 - local x=$(( 128 $LEFTSHIFT 24 )) + local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000 while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask... + [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. vlsm=$(($vlsm + 1)) done - if [ $(( $mask & 2147483647)) -ne 0 ]; then + if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff echo "Invalid net mask: $1" >&2 else echo $vlsm diff --git a/STABLE2/help b/STABLE2/help index 8a052a9ee..af39ec8e7 100644 --- a/STABLE2/help +++ b/STABLE2/help @@ -116,6 +116,14 @@ drop) See also \"help address\"" ;; +forget) + echo "forget: forget + Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those + files are created by the 'shorewall save' command + + See also \"help save\"" + ;; + help) echo "help: help [ | host | address ] Display helpful information about the shorewall commands." @@ -157,10 +165,11 @@ monitor) ;; refresh) - echo "refresh: refresh + echo "refresh: [ -q ] refresh The rules involving the broadcast addresses of firewall interfaces, the black list, traffic control rules and ECN control rules are recreated - to reflect any changes made. Existing connections are untouched" + to reflect any changes made. Existing connections are untouched + If \"-q\" is specified, less detain is displayed making it easier to spot warnings" ;; reject) 
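Review bot: The new -q description reads `less detain is displayed`, where `detain` should be `detail`, and the same sentence is repeated in the restart and start entries of the next hunks; the start entry also has `configuraton`, and the rewritten save entry keeps `rejct`. Suggested wording for all three: `If "-q" is specified, less detail is displayed making it easier to spot warnings`.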
@@ -178,15 +187,29 @@ reset) ;; restart) - echo "restart: restart [ -c ] + echo "restart: restart [ -q ] [ -c ] Restart is the same as a shorewall stop && shorewall start. - Existing connections are dropped." + Existing connections are maintained. + If \"-q\" is specified, less detain is displayed making it easier to spot warnings" + ;; + +restore) + echo "restore: restore + Restore Shorewall to its last state saved using the 'save' command + Existing connections are maintained. + + See also \"help save\" and \"help forget\"" ;; save) echo "save: save - The dynamic data is stored in /var/lib/shorewall/save - Shorewall allow, drop, rejct and save implement dynamic blacklisting." + The dynamic data is stored in /var/lib/shorewall/save. The state of the + firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' + and 'shorewall -f start' commands. + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help restore\" and \"help forget\"" ;; show) @@ -213,10 +236,12 @@ show) ;; start) - echo "start: start [ -c ] + echo "start: [ -q ] [ -f ] [ -c ] start Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only - if they are allowed by the firewall rules or policies." + if they are allowed by the firewall rules or policies. + If \"-q\" is specified, less detain is displayed making it easier to spot warnings + If \"-f\" is specified, the last saved configuraton if any will be restored" ;; stop) diff --git a/STABLE2/hosts b/STABLE2/hosts index 2aaf93a97..49e322adb 100644 --- a/STABLE2/hosts +++ b/STABLE2/hosts 
@@ -14,6 +14,11 @@ # individual IP addresses. Most simple setups don't need to # (should not) place anything in this file. # +# The order of entries in this file is not significant in +# determining zone composition. Rather, the order that the zones +# are defined in /etc/shorewall/zones determines the order in +# which the records in this file are interpreted. +# # ZONE - The name of a zone defined in /etc/shorewall/zones # # HOST(S) - The name of an interface defined in the @@ -49,10 +54,10 @@ # an ethernet NIC and must be up before # Shorewall is started. # -# routeback - Shorewall show set up the infrastructure +# routeback - Shorewall should set up the infrastructure # to pass packets from this/these # address(es) back to themselves. This is -# necessary of hosts in this group use the +# necessary if hosts in this group use the # services of a transparent proxy that is # a member of the group or if DNAT is used # to send requests originating from this diff --git a/STABLE2/init.debian.sh b/STABLE2/init.debian.sh index 423e3b8c6..a0a9f18d5 100755 --- a/STABLE2/init.debian.sh +++ b/STABLE2/init.debian.sh @@ -83,7 +83,7 @@ wait_for_pppd () { shorewall_start () { echo -n "Starting \"Shorewall firewall\": " wait_for_pppd - $SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone + $SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone return 0 } diff --git a/STABLE2/init.sh b/STABLE2/init.sh index dc6cdd5aa..c5ef93d27 100644 --- a/STABLE2/init.sh +++ b/STABLE2/init.sh @@ -62,7 +62,12 @@ command="$1" case "$command" in - stop|start|restart|status) + start) + + exec /sbin/shorewall -f start + ;; + + stop|restart|status) exec /sbin/shorewall $@ ;; diff --git a/STABLE2/install.sh b/STABLE2/install.sh index 5964ba191..e87fd8e70 100755 --- a/STABLE2/install.sh +++ b/STABLE2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.1 +VERSION=2.0.2 usage() # $1 = exit status { 
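Review bot: `exec /sbin/shorewall -f start` makes the boot-time rule set come from the last `shorewall save` snapshot whenever one exists, so edits under /etc/shorewall made after that save are not in effect after a reboot until `shorewall save` or `shorewall forget` is run; the release notes say this, but nothing in the init script does. A comment on the arm, `# -f: restore the last saved ruleset if present; config edits since the last 'shorewall save' are not applied until 'save' or 'forget'`, would make the behaviour visible where administrators look. init.debian.sh makes the same change.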
@@ -83,10 +83,12 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode # Parse the run line # # DEST is the SysVInit script directory +# INIT is the name of the script in the $DEST directory # RUNLEVELS is the chkconfig parmeters for firewall # ARGS is "yes" if we've already parsed an argument # -DEST="" +DEST="/etc/init.d" +INIT="shorewall" RUNLEVELS="" ARGS="" @@ -117,10 +119,6 @@ done PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -if [ -z "$DEST" ]; then - DEST=/etc/init.d -fi - # # Determine where to install the firewall script # @@ -160,11 +158,11 @@ echo "shorewall control program installed in ${PREFIX}/sbin/shorewall" if [ -n "$DEBIAN" ]; then install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 else - install_file_with_backup init.sh ${PREFIX}${DEST}/shorewall 0544 + install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 fi echo -echo "Shorewall script installed in ${PREFIX}${DEST}/shorewall" +echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT" # # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed @@ -392,13 +390,19 @@ fi # install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 echo -echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" +echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" # # Install the bogons file # install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 echo -echo "Bogon file installed as ${PREFIX}/etc/shorewall/bogons" +echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons" +# +# Install the default config path file +# +install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600 +echo +echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath" # # Install the init file # 
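Review bot: The message `echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath"` names the wrong directory (and has a stray leading blank): the install_file_with_backup call two lines above puts the file in ${PREFIX}/usr/share/shorewall/configpath, which is also where ensure_config_path in functions looks for it. This is the same message/location mismatch the hunk fixes for rfc1918 and bogons; change it to `echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"`.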
@@ -410,6 +414,16 @@ else echo "Init file installed as ${PREFIX}/etc/shorewall/init" fi # +# Install the initdone file +# +if [ -f ${PREFIX}/etc/shorewall/initdone ]; then + backup_file /etc/shorewall/initdone +else + run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone + echo + echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone" +fi +# # Install the start file # if [ -f ${PREFIX}/etc/shorewall/start ]; then @@ -508,7 +522,7 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version if [ -z "$PREFIX" ]; then rm -f /usr/share/shorewall/init - ln -s ${DEST}/shorewall /usr/share/shorewall/init + ln -s ${DEST}/${INIT} /usr/share/shorewall/init fi # @@ -549,7 +563,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then else cant_autostart fi - else + elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically cant_autostart fi diff --git a/STABLE2/interfaces b/STABLE2/interfaces index 9a9642362..64c02ee22 100644 --- a/STABLE2/interfaces +++ b/STABLE2/interfaces @@ -115,11 +115,21 @@ # established connection will be accepted # from this interface, even if # NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. +# /etc/shorewall/shorewall.conf. In other +# words, packets coming in on this interface +# are processed as if NEWNOTSYN=Yes had been +# specified in /etc/shorewall/shorewall.conf. # # This option has no effect if # NEWNOTSYN=Yes. # +# It is the opinion of the author that +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence +# making the use of the 'newnotsyn' +# interface option unnecessary). +# # routeback - If specified, indicates that Shorewall # should include rules that allow filtering # traffic arriving on this interface back diff --git a/STABLE2/masq b/STABLE2/masq index c7b4534a7..109c198ad 100644 --- a/STABLE2/masq +++ b/STABLE2/masq 
@@ -55,6 +55,27 @@ # # This column may not contain DNS Names. # +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. +# +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. +# +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). +# +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. +# +# # Example 1: # # You have a simple masquerading setup where eth0 connects to @@ -94,6 +115,19 @@ # # eth0:0 192.168.1.0/24 206.124.146.176 # -############################################################################## -#INTERFACE SUBNET ADDRESS +# Example 5: +# +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. +# +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 +# +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# +############################################################################### +#INTERFACE SUBNET ADDRESS PROTO PORT(S) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/STABLE2/nat b/STABLE2/nat index 7d3afb532..dbd44c4f0 100644 --- a/STABLE2/nat +++ b/STABLE2/nat 
@@ -29,8 +29,7 @@ # If No or no (or left empty) then NAT will be effective # only through the interface named in the INTERFACE # column -# LOCAL If Yes or yes and the ALL INTERFACES column contains -# Yes or yes, NAT will be effective from the firewall +# LOCAL If Yes or yes, NAT will be effective from the firewall # system ############################################################################## #EXTERNAL INTERFACE INTERNAL ALL LOCAL diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index e65c7a185..49dda9546 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt 
@@ -1,114 +1,227 @@ -Shorewall 2.0.1 +Shorewall 2.0.2 ---------------------------------------------------------------------- -Problems Corrected since 2.0.0 +Problems Corrected since 2.0.1 -1) Using actions in the manner recommended in the documentation - results in a Warning that the rule is a policy. +1) The /etc/init.d/shorewall script installed on Debian by install.sh + failed silently due to a missing file + (/usr/share/shorewall/wait4ifup). That file is not part of the + normal Shorewall distribution and is provided by the Debian + maintainer. -2) When a zone on a single interface is defined using - /etc/shorewall/hosts, superfluous rules are generated in the - _frwd chain. +2) A meaningless warning message out of the proxyarp file processing + has been eliminated. -3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and - IPSEC has been corrected. Thanks Sean!!! - -4) The "shorewall show log" and "shorewall logwatch" commands - incorrectly displayed type 3 ICMP packets. - -5) On Debian systems, an install using the tarball results in an - inability to start Shorewall at system boot. - -6) Confusing warning messages regarding IPV6 occur during startup. - -7) Modules listed in /etc/shorewall/modules don't load on Mandrake - 10.0 final. - -8) "shorewall delete" now correctly deletes dynamic rules from - the ruleset. Thanks to Stefan Engel for this fix. - -9) The install.sh script now works correctly on SuSE. Thanks to Alex - Wilms for this correction. +3) The "shorewall delete" command now correctly removes all dynamic + rules pertaining to the host(s) being deleted. Thanks to Stefan + Engel for this correction. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: -1) The function of 'norfc1918' is now split between that option and a - new 'nobogons' option. 
+1) Extension Scripts - The rfc1918 file released with Shorewall now contains entries for - only those three address ranges reserved by RFC 1918. A 'nobogons' - interface option has been added which handles bogon source - addresses (those which are reserved by the IANA, those reserved for - DHCP auto-configuration and the class C test-net reserved for - testing and documentation examples). This will allow users to - perform RFC 1918 filtering without having to deal with out - of date data from IANA. Those who are willing to update their - /usr/share/shorewall/bogons file regularly can specify the - 'nobogons' option in addition to 'norfc1918'. + In order for extension scripts to work properly with the new + iptables-save/restore integration (see New Feature 1 below), some + change may be required to your extension scripts. - The level at which bogon packets are logged is specified in the new - BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not - specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then - bogon packets whose TARGET is 'logdrop' in - /usr/share/shorewall/bogons are logged at the 'info' level. + If your extension scripts are executing commands other than iptables + then those commands must also be written to the restore file (a + temporary file in /var/lib/shorewall that is renamed + /var/lib/shorewall/restore-base at the end of the operation). + + The following functions should be of help: + + A. save_command() -- saves the passed command to the restore file. + + Example: + + save_command echo Operation Complete + + That command would simply write "echo Operation Complete" to the + restore file. + + B. run_and_save_command() -- saves the passed command to the restore + file then executes it. The return value is the exit status of the + command. 
+ + Example: + + run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" + + Note that as in this example, when the command involves file + redirection then the entire command must be enclosed in quotes. This + applies to all of the functions described here. + + C. ensure_and_save_command() -- runs the passed command. If the + command fails, the firewall is restored to it's prior saved state + and the operation is terminated. If the command succeeds, the + command is written to the restore file. + +2) Dynamic Zone support. + + If you don't need to use the "shorewall add" and "shorewall delete" + commands, you should set DYNAMIC_ZONES=No in + /etc/shorewall/shorewall.conf. New Features: -1) Support for Bridging Firewalls has been added. For details, see +1) Shorewall has now been integrated with + iptables-save/iptables-restore to provide very fast start and + restart. The elements of this integration are as follows: - http://shorewall.net/bridge.html + a) The 'shorewall save' command now saves the current configuration + in addition to the current dynamic blacklist. If you have + dynamic zones, you will want to issue 'shorewall save' when the + zones are empty or the current contents of the zones will be + restored by the 'shorewall restore' and 'shorewall -f start' + commands. -2) Support for NETMAP has been added. NETMAP allows NAT to be defined - between two network: + b) The 'shorewall restore' command has been added. This command + restores the configuration at the time of the last 'save'. - a.b.c.1 -> x.y.z.1 - a.b.c.2 -> x.y.z.2 - a.b.c.3 -> x.y.z.3 - ... + c) The -f (fast) option has been added to 'shorewall start'. When + specified (e.g. 'shorewall -f start'), shorewall will perform a + 'shorewall restore' if there is a saved configuration. If there + is no saved configuration, a normal 'shorewall start' is + performed. 
- http://shorewall.net/netmap.html + d) The /etc/init.d/shorewall script now translates the 'start' + command into 'shorewall -f start' so that fast restart is + possible. -3) The /sbin/shorewall program now accepts a "-x" option to cause - iptables to print out the actual packet and byte counts rather than - abbreviated counts such as "13MB". + e) When a state-changing command encounters an error and there is a + current saved configuration, that configuration will be restored + (currently, the firewall is placed in the 'stopped' state). - Commands affected by this are: + f) If you have previously saved the running configuration and want + Shorewall to discard it, use the 'shorewall forget' command. - shorewall -x show [ [ ...] ] - shorewall -x show tos|mangle - shorewall -x show nat - shorewall -x status - shorewall -x monitor [ ] + WARNING: iptables 1.2.9 is broken with respect to iptables-save; + If your kernel has connection tracking match support, you must + patch iptables 1.2.9 with the iptables patch availale from + the Shorewall errata page. -4) Shorewall now traps two common zone definition errors: +2) The previous implementation of dynamic zones was difficult to + maintain. I have changed the code to make dynamic zones optional + under the control of the DYNAMIC_ZONES option in + /etc/shorewall/shorewall.conf. - - Including the firewall zone in a /etc/shorewall/hosts record. - - Defining an interface for a zone in both /etc/shorewall/interfaces - and /etc/shorewall/hosts. +3) In earlier Shorewall 2.0 releases, Shorewall searches in order the + following directories for configuration files. - In the second case, the following will appear during "shorewall - [re]start" or "shorewall check": + a) The directory specified in a 'try' command or specified using + the -c option. - Determining Hosts in Zones... - ... 
- Error: Invalid zone definition for zone - Terminated + b) /etc/shorewall -5) To support bridging, the following options have been added to - entries in /etc/shorewall/hosts: + c) /usr/share/shorewall - norfc1918 - nobogons - blacklist - tcpflags - nosmurfs - newnotsyn + In this release, the CONFIG_PATH option is added to shorewall.conf. + CONFIG_PATH contains a list of directory names separated by colons + (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then + "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. - With the exception of 'newnotsyn', these options are only - useful when the entry refers to a bridge port. + Now Shorewall searches for shorewall.conf according to the old + rules and for other configuration files as follows: + + a) The directory specified in a 'try' command or specified using + the -c option. + + b) Each directory in $CONFIG_PATH is searched in sequence. + + In case it is not obvious, your CONFIG_PATH should include + /usr/share/shorewall and your shorewall.conf file must be in the + directory specified via -c or in a try command, in /etc/shorewall + or in /usr/share/shorewall. + + For distribution packagers, the default CONFIG_PATH is set in + /usr/share/shorewall/configpath. You can customize this file to + have a default that differs from mine. + +4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column + would only take effect if the ALL INTERFACES column also contained + Yes or yes. Now, the LOCAL columns contents are treated + independently of the contents of the ALL INTERFACES column. + +5) The folks at Mandrake have created yet another kernel module + naming convention (module names end in "ko.gz"). As a consequence, + beginning with this release, if MODULE_SUFFIX isn't specified in + shorewall.conf, then the default value is "o gz ko o.gz ko.gz". + +6) An updated bogons file is included in this release. 
+ +7) In /etc/shorewall/rules and in action files generated from + /usr/share/shorewall/action.template, rules that perform logging can + specify an optional "log tag". A log tag is a string of alphanumeric + characters and is specified by following the log level with ":" and + the log tag. Example: - - #ZONE HOST(S) OPTIONS - net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs + + ACCEPT:info:ftp net dmz tcp 21 + + The log tag is appended to the log prefix generated by the LOGPREFIX + variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log + prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will + generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). + The maximum length of a log prefix supported by iptables is 29 + characters; if a larger prefix is generated, Shorewall will issue a + warning message and will truncate the prefix to 29 characters. + +8) A new "-q" option has been added to /sbin/shorewall commands. It + causes the start, restart, check and refresh commands to produce + much less output so that warning messages are more visible (when + testing this change, I discovered a bug where a bogus warning + message was being generated). + +9) Shorewall now uses 'modprobe' to load kernel modules if that utility + is available in the PATH; otherwise, 'insmod' is used. + +10) It is now possible to restrict entries in the /etc/shorewall/masq + file to particular protocols and destination port(s). Two new + columns (PROTO and PORT(S)) have been added to the file. + + Example: + + You want all outgoing SMTP traffic entering the firewall + on eth1 to be sent from eth0 with source IP address + 206.124.146.177. You want all other outgoing traffic + from eth1 to be sent from eth0 with source IP address + 206.124.146.176. + + eth0 eth1 206.124.146.177 tcp 25 + eth0 eth1 206.124.146.176 + + THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! 
+ + Assuming that 10.0.0.0/8 is the only host/network connected + to eth1, the progress message at "shorewall start" would be: + + Masqueraded Networks and Hosts: + To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177 + To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176 + +11) Two new actions are available in the /etc/shorewall/rules file. + + ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts + matching connections from subsequent DNAT[-] and + REDIRECT[-] rules. + + NONAT -- Exempts matching connections from subsequent DNAT[-] + and REDIRECT[-] rules. + +12) A new extension script 'initdone' has been added. This script is invoked + at the same point as the 'common' script was previously and is useful for + users who mis-used that script under Shorewall 1.x (the script was intended + for adding rules to the 'common' chain but many users treated it as a script + for adding rules before Shorewall's). + +13) Installing/Upgrading Shorewall on Slackware has been + improved. Slackware users must use the tarball and must modify + settings in the install.sh script before running it as follows: + + DEST="/etc/rc.d" + INIT="rc.firewall" + + Thanks to Alex Wilms for helping with this change. diff --git a/STABLE2/rules b/STABLE2/rules index 3d4adb7c5..4df78481b 100644 --- a/STABLE2/rules +++ b/STABLE2/rules @@ -25,6 +25,13 @@ # LOG, QUEUE or an . # # ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] +# rules but doesn't generate a rule +# to accept the traffic. # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. 
@@ -70,6 +77,15 @@ # to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or diff --git a/STABLE2/shorewall b/STABLE2/shorewall index 90185f2d9..0883fce27 100755 --- a/STABLE2/shorewall +++ b/STABLE2/shorewall @@ -80,6 +80,10 @@ # "dropped" addresses so that it will # be automatically reinstated the # next time that Shorewall starts. +# Save the current state so that 'shorewall +# restore' can be used. +# +# shorewall forget Discard the data saved by 'shorewall save' # # shorewall ipaddr [
/ |
] # @@ -160,6 +164,7 @@ get_config() { exit 2 fi fi + } # @@ -530,7 +535,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] " echo "where is one of:" echo " add [:] " echo " allow
..." @@ -538,6 +543,7 @@ usage() # $1 = exit status echo " clear" echo " delete [:] " echo " drop
..." + echo " forget" echo " help [ | host | address ]" echo " hits" echo " ipcalc [
/ |
]" @@ -548,6 +554,7 @@ usage() # $1 = exit status echo " reject
..." echo " reset" echo " restart" + echo " restore" echo " save" echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" echo " start" @@ -585,34 +592,60 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then fi SHOREWALL_DIR= +QUIET= IPT_OPTIONS="-nv" +FAST= + done=0 while [ $done -eq 0 ]; do [ $# -eq 0 ] && usage 1 - case $1 in - -c) - [ $# -eq 1 ] && usage 1 + option=$1 + case $option in + -*) + option=${option#-} - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + c) + [ $# -eq 1 ] && usage 1 - SHOREWALL_DIR=$2 - shift - shift - ;; - -x) - IPT_OPTIONS="-xnv" - shift - ;; - *) - done=1 - ;; + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + option= + shift + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + q*) + QUIET=Yes + option=${option#q} + ;; + f*) + FAST=Yes + option=${option#f} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + done=1 + ;; esac done @@ -621,6 +654,7 @@ if [ $# -eq 0 ]; then fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR +[ -n "$QUIET" ] && export QUIET PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= @@ -638,6 +672,8 @@ else exit 2 fi +ensure_config_path + config=$(find_file shorewall.conf) if [ -f $config ]; then @@ -647,6 +683,10 @@ else exit 2 fi +ensure_config_path + +export CONFIG_PATH + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall if [ ! -f $FIREWALL ]; then 
@@ -691,7 +731,23 @@ case $(echo -n "Testing") in esac case "$1" in - start|stop|restart|reset|clear|refresh|check) + start) + [ $# -ne 1 ] && usage 1 + get_config + if [ -n "$FAST" ]; then + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + date > $STATEDIR/restarted + echo Shorewall restored + else + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start + fi + else + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start + fi + ;; + stop|restart|reset|clear|refresh|check) [ $# -ne 1 ] && usage 1 get_config exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 @@ -909,11 +965,24 @@ case "$1" in [ -n "$debugging" ] && set -x [ $# -ne 1 ] && usage 1 mutex_on + if qt iptables -L shorewall -n; then [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall if iptables -L dynamic -n > /var/lib/shorewall/save; then - echo "Dynamic Rules Saved" + echo " Dynamic Rules Saved" + if [ -f /var/lib/shorewall/restore-base ]; then + cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ + if iptables-save >> /var/lib/shorewall/restore-$$ ; then + echo EOF >> /var/lib/shorewall/restore-$$ + mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore + chmod +x /var/lib/shorewall/restore + echo " Currently-running Configuration Saved" + else + rm -f /var/lib/shorewall/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" + fi + fi else echo "Error Saving the Dynamic Rules" fi @@ -922,6 +991,11 @@ case "$1" in fi mutex_off ;; + forget) + rm -f /var/lib/shorewall/restore + rm -f /var/lib/shorewall/save + echo " Previously saved information discarded" + ;; ipcalc) [ -n "$debugging" ] && set -x if [ $# -eq 2 ]; then 
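Review bot: The fast-start branch sources `/var/lib/shorewall/restore` and then prints `Shorewall restored` and writes `$STATEDIR/restarted` unconditionally; the exit status of the sourced script is never examined, so a partially applied restore still reports success and leaves the restarted marker. Checking the result, `. /var/lib/shorewall/restore || { echo "Shorewall restore failed" >&2; exit 2; }`, would make the outcome truthful, assuming the restore-base script (not visible here) returns non-zero on failure. The same unchecked source appears in the `restore` command of the `@@ -957` hunk, which additionally does not write the `restarted` marker, so the two paths diverge in the state they leave behind. Also, this branch runs in the calling shell without `mutex_on`, unlike the `save` arm below; if the restore script does not take the lock itself, a concurrent state-changing command can interleave with it.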
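Review bot: The result of `cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$` is not checked: if the copy fails, `iptables-save` appends to a file that lacks the restore-base preamble and the result is still renamed into place as the file that `start`/`restore` later execute as root; `if cp -f ... && iptables-save >> /var/lib/shorewall/restore-$$; then` keeps the two steps under one condition. The `mkdir /var/lib/shorewall` on the context line is pre-existing, but the new code raises its stakes, since everything in that directory is now sourced by root, so fixing the mode explicitly with `mkdir -m 700 /var/lib/shorewall` rather than inheriting the caller's umask is worth doing here. `chmod +x` is unnecessary for a file that is only sourced, unless it is also meant to be run directly. The enclosing `save)` arm begins before the hunk.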
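Review bot: The new `forget)` arm deletes `/var/lib/shorewall/restore` and `/var/lib/shorewall/save` without `mutex_on`/`mutex_off`, while the `save` arm that writes both files holds the lock; a `forget` racing a `save` can remove `restore` between the `mv -f` and the "Configuration Saved" message, so the message no longer reflects what is on disk. Wrapping the two `rm -f` lines in the same `mutex_on` … `mutex_off` pair the `save` arm uses keeps the two operations serialized.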
@@ -957,6 +1031,16 @@ case "$1" in ;; esac ;; + restore) + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + echo Shorewall restored + else + echo "File /var/lib/shorewall/restore: file not found" + exit 2 + fi + ;; call) [ -n "$debugging" ] && set -x # diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf index 2530f0485..e99a0e4ba 100644 --- a/STABLE2/shorewall.conf +++ b/STABLE2/shorewall.conf @@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:" # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # +# If BOTH variables are set empty then logging will not be rate-limited. +# # Example: # # LOGRATE=10/minute # LOGBURST=5 # -# If BOTH variables are set empty then logging will not be rate-limited. +# For each logging rule, the first time the rule is reached, the packet +# will be logged; in fact, since the burst is 5, the first five packets +# will be logged. After this, it will be 6 seconds (1 minute divided by +# the rate of 10) before a message will be logged from the rule, regardless +# of how many packets reach it. Also, every 6 seconds which passes without +# matching a packet, one of the bursts will be regained; if no packets hit +# the rule for 30 seconds, the burst will be fully recharged; back where +# we started. # LOGRATE= 
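Review bot: The new `restore)` arm omits the `[ $# -ne 1 ] && usage 1` argument check that `start`, `stop` and the other state-changing commands perform, so `shorewall restore extra` silently ignores the extra word instead of printing usage. Its error message also goes to stdout, `echo "File /var/lib/shorewall/restore: file not found"`, whereas the rest of the script sends diagnostics to stderr, so `echo "File /var/lib/shorewall/restore: file not found" >&2` would match. The unchecked `. /var/lib/shorewall/restore` and missing `restarted` marker are raised on the `start` hunk above.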
@@ -236,6 +245,19 @@ STATEDIR=/var/lib/shorewall MODULESDIR= +# +# CONFIGURATION SEARCH PATH +# +# This option holds a list of directory names separated by colons +# (":"). Shorewall will search each directory in turn when looking for a +# configuration file. When processing a 'try' command or a command +# containing the "-c" option, Shorewall will automatically add the +# directory specified in the command to the front of this list. +# +# If not specified or specified as null ("CONFIG_PATH=""), +# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. + +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall ################################################################################ # F I R E W A L L O P T I O N S ################################################################################ @@ -515,9 +537,9 @@ BLACKLISTNEWONLY=Yes # # When loading a module named in /etc/shorewall/modules, Shorewall normally # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names -# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different -# naming convention then you can specify the suffix (extension) for module -# names in this variable. +# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a +# different naming convention then you can specify the suffix (extension) for +# module names in this variable. # # To see what suffix is used by your distribution: # @@ -556,6 +578,14 @@ DISABLE_IPV6=Yes # BRIDGING=No + +# +# DYNAMIC ZONES +# +# If you need to be able to add and delete hosts from zones dynamically then +# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. + +DYNAMIC_ZONES=No ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec index dbf66a6bb..b69ba0778 100644 --- a/STABLE2/shorewall.spec 
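Review bot: The new CONFIG_PATH comment explains the search order but not the trust requirement: every directory on this list supplies files that the firewall script reads as root (this file's own shell syntax suggests at least shorewall.conf is sourced), so a listed directory that is writable by an unprivileged user lets that user influence the rules the firewall loads. A sentence after the search-order paragraph, `# Every directory listed here must be owned by root and not writable by other users.`, would make that explicit. The same caution applies to the directory the comment says is prepended for 'try' and `-c`.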
+++ b/STABLE2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.0.1 +%define version 2.0.2 %define release 1 %define prefix /usr @@ -91,6 +91,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/init +%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone %attr(0600,root,root) %config(noreplace) /etc/shorewall/start %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped @@ -135,10 +136,21 @@ fi %attr(0544,root,root) /usr/share/shorewall/help %attr(0600,root,root) /usr/share/shorewall/rfc1918 %attr(0600,root,root) /usr/share/shorewall/bogons +%attr(0600,root,root) /usr/share/shorewall/configpath %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Thu May 13 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.2-1 +* Mon May 10 2004 Tom Eastep tom@shorewall.net +- Add /etc/shorewall/initdone +* Fri May 07 2004 Tom Eastep tom@shorewall.net +- Shorewall 2.0.2-RC1 +* Tue May 04 2004 Tom Eastep tom@shorewall.net +- Shorewall 2.0.2-Beta2 +* Tue Apr 13 2004 Tom Eastep tom@shorewall.net +- Add /usr/share/shorewall/configpath * Mon Apr 05 2004 Tom Eastep tom@shorewall.net - Updated for 2.0.1-1 * Thu Apr 02 2004 Tom Eastep tom@shorewall.net diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh index a7a06e9cd..e09e75742 100755 --- a/STABLE2/uninstall.sh +++ b/STABLE2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.1 +VERSION=2.0.2 usage() # $1 = exit status { diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index 2196e304a..2d5d59430 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm 
@@ -18,10 +18,130 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2004-04-05
+

2004-05-13


-

3/14/2004 - Shorewall 2.0.0b 

+

4/5/2004 - Shorewall 2.0.1
+

+Problems Corrected since 2.0.0
+
+
    +
  1. Using actions in the manner recommended in the +documentation results in a Warning that the rule is a policy.
  2. +
  3. When a zone on a single interface is defined using +/etc/shorewall/hosts, superfluous rules are generated in the +<zone>_frwd chain.
  4. +
  5. Thanks to Sean Mathews, a long-standing problem with Proxy +ARP and IPSEC has been corrected. Thanks Sean!!!
  6. +
  7. The "shorewall show log" and "shorewall logwatch" commands +incorrectly displayed type 3 ICMP packets.
    +
  8. +
+Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
+
+
    +
  1. The function of 'norfc1918' is now split between that +option and a new 'nobogons' option.
    +
    +The rfc1918 file released with Shorewall now contains entries for only +those three address ranges reserved by RFC 1918. A 'nobogons' interface +option has been added which handles bogon source addresses (those which +are reserved by the IANA, those reserved for DHCP auto-configuration +and the class C test-net reserved for testing and documentation +examples). This will allow users to perform RFC 1918 filtering without +having to deal with out of date data from IANA. Those who are willing +to update their /usr/share/shorewall/bogons file regularly can specify +the 'nobogons' option in addition to 'norfc1918'.
    +
    +The level at which bogon packets are logged is specified in the new +BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not +specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon +packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are +logged at the 'info' level.
  2. +
+New Features:
+
+
    +
  1. Support for Bridging Firewalls has been added. For details, +see
    +
    + http://shorewall.net/bridge.html
    +
    +
  2. +
  3. Support for NETMAP has been added. NETMAP allows NAT to be +defined between two network:
    +
    +           +a.b.c.1    -> x.y.z.1
    +           +a.b.c.2    -> x.y.z.2
    +           +a.b.c.3    -> x.y.z.3
    +           ...
    +
    http://shorewall.net/netmap.htm
    +
    +
  4. +
  5. The /sbin/shorewall program now accepts a "-x" option to +cause iptables to print out the actual packet and byte counts rather +than abbreviated counts such as "13MB".
    +
    +Commands affected by this are:
    +
    +            +shorewall -x show [ <chain>[ <chain> ...] ]
    +            +shorewall -x show tos|mangle
    +            +shorewall -x show nat
    +            +shorewall -x status
    +            +shorewall -x monitor [ <interval> ]
    +
    +
  6. +
  7. Shorewall now traps two common zone definition errors:
    +
      +
    • Including the firewall zone in a /etc/shorewall/hosts +record.
    • +
    • Defining an interface for a zone in both +/etc/shorewall/interfaces and /etc/shorewall/hosts.
      +
      +
    • +
    +
  8. +
  9. In the second case, the following will appear during +"shorewall [re]start" or "shorewall check":
    +
    +   Determining Hosts in Zones...
    +      ...
    +      Error: Invalid zone definition for zone +<name of zone>
    +   Terminated
    +
    +
  10. +
  11. To support bridging, the following options have been added +to entries in /etc/shorewall/hosts:
    +
    +           norfc1918
    +           nobogons
    +           blacklist
    +           tcpflags
    +           nosmurfs
    +           newnotsyn
    +
    +With the exception of 'newnotsyn', these options are only useful when +the entry refers to a bridge port.
    +
    +   Example:
    +
    +   #ZONE   HOST(S)      +OPTIONS
    +   net     +br0:eth0     +norfc1918,nobogons,blacklist,tcpflags,nosmurfs
  12. +
+

3/14/2004 - Shorewall 2.0.0b 

Corrects two problems:
  1. Thanks to Sean Mathews, the long-standing problem with diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index 0aba4cb76..bab7f204e 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -21,10 +21,6 @@
  2. Support
  3. -
    (Protected by Shorewall)

    Copyright © 2001-2004 Thomas M. Eastep.

    +
    + target="_top">(Protected by Shorewall)
    +


    diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index 41a179579..b23d7d0ae 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -47,7 +47,7 @@ compatibility mode).

    What is Shorewall?

    The Shoreline Firewall, more commonly known as "Shorewall", is -high-level tool for configuring Netfilter. You describe your +a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your @@ -118,129 +118,251 @@ Documentation License".

    Copyright © 2001-2004 Thomas M. Eastep


    News

    -

    4/5/2004 - Shorewall 2.0.1 (New)
    -

    -Problems Corrected since 2.0.0
    -
    +

    5/13/2004 - Shorewall 2.0.2 (New)

    +

    Problems Corrected since 2.0.1
    +

      -
    1. Using actions in the manner recommended in the -documentation results in a Warning that the rule is a policy.
    2. -
    3. When a zone on a single interface is defined using -/etc/shorewall/hosts, superfluous rules are generated in the -<zone>_frwd chain.
    4. -
    5. Thanks to Sean Mathews, a long-standing problem with Proxy -ARP and IPSEC has been corrected. Thanks Sean!!!
    6. -
    7. The "shorewall show log" and "shorewall logwatch" commands -incorrectly displayed type 3 ICMP packets.
      -
    8. +
    9. The /etc/init.d/shorewall script installed on Debian by +install.sh failed silently due to a missing file +(/usr/share/shorewall/wait4ifup). That file is not part of the normal +Shorewall distribution and is provided by the Debian maintainer.
    10. +
    11. A meaningless warning message out of the proxyarp file +processing has been eliminated.
    12. +
    13. The "shorewall delete" command now correctly removes all +dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan +Engel for this correction.
    Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
    -
      -
    1. The function of 'norfc1918' is now split between that -option and a new 'nobogons' option.
      +
    2. Extension Scripts -- In order for extension scripts to work +properly with the new iptables-save/restore integration (see New +Feature 1 below), some change may be required to your extension +scripts. If your extension scripts are executing commands other than +iptables then those commands must also be written to the restore file +(a temporary file in /var/lib/shorewall that is renamed +/var/lib/shorewall/restore-base at the end of the operation).

      -The rfc1918 file released with Shorewall now contains entries for only -those three address ranges reserved by RFC 1918. A 'nobogons' interface -option has been added which handles bogon source addresses (those which -are reserved by the IANA, those reserved for DHCP auto-configuration -and the class C test-net reserved for testing and documentation -examples). This will allow users to perform RFC 1918 filtering without -having to deal with out of date data from IANA. Those who are willing -to update their /usr/share/shorewall/bogons file regularly can specify -the 'nobogons' option in addition to 'norfc1918'.
      +The following functions should be of help:

      -The level at which bogon packets are logged is specified in the new -BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not -specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon -packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are -logged at the 'info' level.
    3. +A. save_command() -- saves the passed command to the restore file.
      +
      +    Example:
      +
      +        save_command echo Operation +Complete
      +
      +   That command would simply write "echo Operation Complete" +to the restore file.
      +
      +B. run_and_save_command() -- saves the passed command to the restore +file then executes it. The return value is the exit status of the +command.
      +
      +    Example:
      +
      +       run_and_save_command "echo 1 > +/proc/sys/net/ipv4/icmp_echo_ignore_all"
      +
      +    Note that as in this example, when the command +involves file redirection then the entire command must be enclosed in +quotes. This applies to all of the functions described here.
      +
      +C. ensure_and_save_command() -- runs the passed command. If the command +fails, the firewall is restored to it's prior saved state and the +operation is terminated. If the command succeeds, the command is +written to the restore file.
      +
      + +
    4. Dynamic Zone support -- If you don't need to use the +"shorewall add" and "shorewall delete commands, you should set +DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
    New Features:
    -
      -
    1. Support for Bridging Firewalls has been added. For details, -see
      +
    2. Shorewall has now been integrated with +iptables-save/iptables-restore to provide very fast start and restart. +The elements of this integration are as follows:

      - http://shorewall.net/bridge.html
      +a) The 'shorewall save' command now saves the current configuration in +addition to the current dynamic blacklist. If you have dynamic zones, +you will want to issue 'shorewall save' when the zones are empty or the +current contents of the zones will be restored by the 'shorewall +restore' and 'shorewall -f start' commands.
      +
      +b) The 'shorewall restore' command has been added. This command +restores the configuration at the time of the last 'save'.
      +
      +c) The -f (fast) option has been added to 'shorewall start'. When +specified (e.g. 'shorewall -f start'), shorewall will perform a +'shorewall restore' if there is a saved configuration. If there is no +saved configuration, a normal 'shorewall start' is performed.
      +
      +d) The /etc/init.d/shorewall script now translates the 'start' command +into 'shorewall -f start' so that fast restart is possible.
      +
      +e) When a state-changing command encounters an error and there is +current saved configuration, that configuration will be restored +(currently, the firewall is placed in the 'stopped' state).
      +
      +f) If you have previously saved the running configuration and want +Shorewall to discard it, use the 'shorewall forget' command. WARNING: +iptables 1.2.9 is broken with respect to iptables-save; if your kernel +has connection tracking match support, you must patch iptables 1.2.9 +with the iptables patch availale from the Shorewall errata page.

    3. -
    4. Support for NETMAP has been added. NETMAP allows NAT to be -defined between two network:
      -
      -           -a.b.c.1    -> x.y.z.1
      -           -a.b.c.2    -> x.y.z.2
      -           -a.b.c.3    -> x.y.z.3
      -           ...
      -
      http://shorewall.net/netmap.htm
      +
    5. The previous implementation of dynamic zones was difficult +to maintain. I have changed the code to make dynamic zones optional +under the control of the DYNAMIC_ZONES option in +/etc/shorewall/shorewall.conf.

    6. -
    7. The /sbin/shorewall program now accepts a "-x" option to -cause iptables to print out the actual packet and byte counts rather -than abbreviated counts such as "13MB".
      +
    8. In earlier Shorewall 2.0 releases, Shorewall searches in +order the following directories for configuration files.

      -Commands affected by this are:
      +a) The directory specified in a 'try' command or specified using the -c +option.
      +b) /etc/shorewall
      +c) /usr/share/shorewall

      -            -shorewall -x show [ <chain>[ <chain> ...] ]
      -            -shorewall -x show tos|mangle
      -            -shorewall -x show nat
      -            -shorewall -x status
      -            -shorewall -x monitor [ <interval> ]
      +In this release, the CONFIG_PATH option is added to shorewall.conf. +CONFIG_PATH contains a list of directory names separated by colons +(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then +"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now +Shorewall searches for shorewall.conf according to the old rules and +for other configuration files as follows:
      +
      +a) The directory specified in a 'try' command or specified using the -c +option.
      +b) Each directory in $CONFIG_PATH is searched in sequence.
      +
      +In case it is not obvious, your CONFIG_PATH should include +/usr/share/shorewall and your shorewall.conf file must be in the +directory specified via -c or in a try command, in /etc/shorewall or in +/usr/share/shorewall.
      +
      +For distribution packagers, the default CONFIG_PATH is set in +/usr/share/shorewall/configpath. You can customize this file to have a +default that differs from mine.

    9. -
    10. Shorewall now traps two common zone definition errors:
      -
        -
      • Including the firewall zone in a /etc/shorewall/hosts -record.
      • -
      • Defining an interface for a zone in both -/etc/shorewall/interfaces and /etc/shorewall/hosts.
        -
        -
      • -
      -
    11. -
    12. In the second case, the following will appear during -"shorewall [re]start" or "shorewall check":
      -
      -   Determining Hosts in Zones...
      -      ...
      -      Error: Invalid zone definition for zone -<name of zone>
      -   Terminated
      +
    13. Previously, in /etc/shorewall/nat a Yes (or yes) in the +LOCAL column would only take effect if the ALL INTERFACES column also +contained Yes or yes. Now, the LOCAL columns contents are treated +independently of the contents of the ALL INTERFACES column.

    14. -
    15. To support bridging, the following options have been added -to entries in /etc/shorewall/hosts:
      -
      -           norfc1918
      -           nobogons
      -           blacklist
      -           tcpflags
      -           nosmurfs
      -           newnotsyn
      -
      -With the exception of 'newnotsyn', these options are only useful when -the entry refers to a bridge port.
      -
      -   Example:
      -
      -   #ZONE   HOST(S)      -OPTIONS
      -   net     -br0:eth0     -norfc1918,nobogons,blacklist,tcpflags,nosmurfs
      +
    16. The folks at Mandrake have created yet another kernel +module naming convention (module names end in "ko.gz"). As a +consequence, beginning with this release, if MODULE_SUFFIX isn't +specified in shorewall.conf, then the default value is "o gz ko o.gz +ko.gz".

    17. +
    18. An updated bogons file is included in this release.
      +
      +
    19. +
    20. In /etc/shorewall/rules and in action files generated from +/usr/share/shorewall/action.template, rules that perform logging can +specify an optional "log tag". A log tag is a string of alphanumeric +characters and is specified by following the log level with ":" and the +log tag.
      +
      +Example:
      +
      +        ACCEPT:info:ftp +net     dmz     +tcp     21
      +
      +The log tag is appended to the log prefix generated by the LOGPREFIX +variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log +prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate +"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum +length of a log prefix supported by iptables is 29 characters; if a +larger prefix is generated, Shorewall will issue a warning message and +will truncate the prefix to 29 characters.
      +
      +
    21. +
    22. A new "-q" option has been added to /sbin/shorewall +commands. It causes the start, restart, check and refresh commands to +produce much less output so that warning messages are more visible +(when testing this change, I discovered a bug where a bogus warning +message was being generated).
      +
      +
    23. +
    24. Shorewall now uses 'modprobe' to load kernel modules if +that utility is available in the PATH; otherwise, 'insmod' is used.
      +
      +
    25. +
    26. It is now possible to restrict entries in the +/etc/shorewall/masq file to particular protocols and destination +port(s). Two new columns (PROTO and PORT(S)) have been added to the +file.
      +
      +Example:
      +
      +You want all outgoing SMTP traffic entering the firewall on eth1 to be +sent from eth0 with source IP address 206.124.146.177. You want all +other outgoing traffic from eth1 to be sent from eth0 with source IP +address 206.124.146.176.
      +
      +        eth0    +eth1    206.124.146.177 tcp     25
      +        eth0    +eth1    206.124.146.176
      +
      +THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
      +
      +Assuming that 10.0.0.0/8 is the only host/network connected to eth1, +the progress message at "shorewall start" would be:
      +
      +    Masqueraded Networks and Hosts:
      +       To 0.0.0.0/0 (tcp 25) from +10.0.0.0/8 through eth0 using 206.124.146.177
      +       To 0.0.0.0/0 (all) from 10.0.0.0/8 +through eth0 using 206.124.146.176
      +
      +
    27. +
    28. Two new actions are available in the /etc/shorewall/rules +file.
      +
      +    ACCEPT+    -- Behaves like ACCEPT +with the exception that it exempts matching connections from subsequent +DNAT[-] and REDIRECT[-] rules.
      +    NONAT      -- Exempts +matching connections from subsequent DNAT[-] and REDIRECT[-] rules.
      +
      +
    29. +
    30. A new extension script 'initdone' has been added. This +script is invoked at the same point as the 'common' script was +previously and is useful for users who mis-used that script under +Shorewall 1.x (the script was intended for adding rules to the 'common' +chain but many users treated it as a script for adding rules before +Shorewall's).
      +
      +
    31. +
    32. Installing/Upgrading Shorewall on Slackware has been +improved. Slackware users must use the tarball and must modify settings +in the install.sh script before running it as follows:
      +
      +    DEST="/etc/rc.d"
      +    INIT="rc.firewall"
      +
      +Thanks to Alex Wilms for helping with this change.
      +
    33. +
    +

    4/17/2004 - Presentation at LinuxFest NW
    +

    +

    Today I gave a presentation at LinuxFest NW in Bellingham. The +presentation was entitled "Shorewall +and the Enterprise" and described the history of Shorewall and gave +an overview of its features.
    +

    +

    More News


    @@ -276,7 +398,7 @@ please consider making a donation to the -

    Updated 04/12/2004 - Tom Eastep
    +

    Updated 05/10/2004 - Tom Eastep

    diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml
index 659c588c0..eba86f739 100644
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@@ -15,7 +15,7 @@ - 2004-05-07 + 2004-05-09 2001
@@ -35,8 +35,7 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + GNU Free Documentation License.
@@ -45,9 +44,9 @@ Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own. + print a copy of the Shorewall + QuickStart Guide for the configuration that most closely matches + your own.
@@ -65,15 +64,14 @@ Install the RPM - rpm -ivh <shorewall rpm> + rpm -ivh <shorewall rpm> Some SuSE users have encountered a problem whereby rpm reports - a conflict with kernel <= 2.2 even though a 2.4 kernel is - installed. If this happens, simply use the --nodeps option to - rpm. + a conflict with kernel <= 2.2 even though a 2.4 kernel is + installed. If this happens, simply use the --nodeps option to rpm. - rpm -ivh --nodeps <shorewall rpm> + rpm -ivh --nodeps <shorewall rpm>
@@ -84,10 +82,9 @@ error: failed dependencies:iproute is needed by shorewall-1.4.x-1 - This may be worked around by using the --nodeps option of - rpm. + This may be worked around by using the --nodeps option of rpm. - rpm -ivh --nodeps <shorewall rpm> + rpm -ivh --nodeps <shorewall rpm>
@@ -119,9 +116,9 @@ Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own. + print a copy of the Shorewall + QuickStart Guide for the configuration that most closely matches + your own. To install Shorewall using the tarball and install script: 
@@ -137,15 +134,17 @@ - If you are running Slackware, edit the install.sh - file and change the line + If you are running Slackware, + you need Shorewall 2.0.2 RC1 or later. You must also edit the + install.sh file and change the lines - DEST="" + DEST="/etc/init.d" +INIT="shorewall" to - DEST="/etc/rc.d" + DEST="/etc/rc.d" +INIT="rc.firewall"
@@ -160,10 +159,9 @@ - Enable Startup by removing - /etc/shorewall/startup_disabled (Debian users - will edit /etc/default/shorewall and set - startup=1). + Enable Startup by removing /etc/shorewall/startup_disabled + (Debian users will edit /etc/default/shorewall + and set startup=1).
@@ -175,8 +173,7 @@ If the install script was unable to configure Shorewall to be started automatically at boot, see these - instructions. + url="starting_and_stopping_shorewall.htm">these instructions.
@@ -186,16 +183,15 @@ Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own. + print a copy of the Shorewall + QuickStart Guide for the configuration that most closely matches + your own. To install my version of Shorewall on a fresh Bering disk, simply replace the shorwall.lrp file on the image with the file that you downloaded. See the two-interface - QuickStart Guide for information about further steps - required. + QuickStart Guide for information about further steps required.
    @@ -215,23 +211,22 @@ please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.4 - (you must use the new 1.4 syntax). See the upgrade issues for details. + (you must use the new 1.4 syntax). See the + upgrade issues for details. Upgrade the RPM - rpm -Uvh <shorewall rpm file> + rpm -Uvh <shorewall rpm file> Some SuSE users have encountered a problem whereby rpm reports - a conflict with kernel <= 2.2 even though a 2.4 kernel is - installed. If this happens, simply use the --nodeps option to - rpm. + a conflict with kernel <= 2.2 even though a 2.4 kernel is + installed. If this happens, simply use the --nodeps option to rpm. - rpm -Uvh --nodeps <shorewall rpm> + rpm -Uvh --nodeps <shorewall rpm>
@@ -242,17 +237,15 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1 - This may be worked around by using the --nodeps option of - rpm. + This may be worked around by using the --nodeps option of rpm. - rpm -Uvh --nodeps <shorewall rpm> + rpm -Uvh --nodeps <shorewall rpm> See if there are any incompatibilities between your - configuration and the new Shorewall version and correct as - necessary. + configuration and the new Shorewall version and correct as necessary. shorewall check
@@ -282,8 +275,8 @@ please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.4 - (you must use the new 1.4 syntax). See the upgrade issues for details. + (you must use the new 1.4 syntax). See the + upgrade issues for details. 
@@ -299,15 +292,17 @@ - If you are running Slackware, edit the install.sh - file and change the line + If you are running Slackware, + you should use Shorewall 2.0.2 RC1 or later. You must also edit the + install.sh file and change the lines - DEST="" + DEST="/etc/init.d" +INIT="shorewall" to - DEST="/etc/rc.d" + DEST="/etc/rc.d" +INIT="rc.firewall"
@@ -318,8 +313,7 @@ See if there are any incompatibilities between your - configuration and the new Shorewall version and correct as - necessary. + configuration and the new Shorewall version and correct as necessary. shorewall check
@@ -333,8 +327,7 @@ If the install script was unable to configure Shorewall to be started automatically at boot, see these - instructions. + url="starting_and_stopping_shorewall.htm">these instructions.
    @@ -363,7 +356,6 @@
    Uninstall/Fallback - See Fallback and - Uninstall. + See Fallback and Uninstall.
    \ No newline at end of file
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml
index 524d5b0a5..3c525d0ff 100644
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@@ -13,7 +13,7 @@ - 2004-05-03 + 2004-05-10 2001-2004
@@ -27,8 +27,7 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + GNU Free Documentation License.
@@ -56,9 +55,9 @@ DO NOT INSTALL CORRECTED COMPONENTS ON A - RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER - BELOW. For example, do NOT install the 1.3.9a firewall - script if you are running 1.3.7c. + RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. + For example, do NOT install the 1.3.9a firewall script if you are + running 1.3.7c.
@@ -80,8 +79,7 @@
    Bogons File - Here + Here is the most up to date version of the bogons file.
    @@ -98,22 +96,20 @@
    - Modules listed in /etc/shorewall/modules don't load or produce - errors on Mandrake 10.0 Final. + Modules listed in /etc/shorewall/modules don't load or + produce errors on Mandrake 10.0 Final. The shorewall delete command does not - remove all dynamic rules pertaining to the host(s) being - deleted. + remove all dynamic rules pertaining to the host(s) being deleted. These problems are corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described - above. + firewall script which may be installed in /usr/share/shorewall/firewall + as described above.
@@ -137,11 +133,10 @@ url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this file as /etc/init.d/shorewall (replacing the existing file with that name). If you are just installing or upgrading to - Shorewall 2.0.0 or 2.0.1, then replace the - init.debian.sh file in the Shorewall - distribution directory (shorewall-2.0.x) with the updated file - before running install.sh from that - directory. + Shorewall 2.0.0 or 2.0.1, then replace the init.debian.sh + file in the Shorewall distribution directory (shorewall-2.0.x) with + the updated file before running install.sh from + that directory.
@@ -163,13 +158,11 @@ - The first problem has been corrected in Shorewall update - 2.0.0a. + The first problem has been corrected in Shorewall update 2.0.0a. All of these problems may be corrected by installing this - firewall script in /usr/share/shorewall as described - above. + firewall script in /usr/share/shorewall as described above.
@@ -186,7 +179,8 @@ If you want to use the new features in Shorewall 2.0.2 (Betas, RCs, Final) or later then you need to patch your iptables 1.2.9 with this - patch. + patch or you need to use the CVS version of iptables.
    @@ -197,151 +191,30 @@ --reject-with tcp-reset is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP. A kernel patch and precompiled modules to fix this problem are available at - ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel + ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel - RedHat have corrected this problem in their 2.4.20-27.x - kernels. + RedHat have corrected this problem in their 2.4.20-27.x kernels.
    Revision History - - - 1.12 - - 2004-05-04 - - TE - - Add Alex Wilms's "install.sh" fix. - - - - 1.11 - - 2004-05-03 - - TE - - Add Stefan Engel's "shorewall delete" fix. - - - - 1.10 - - 2004-04-28 - - TE - - Add iptables 1.2.9 iptables-save bug notice. - - - - 1.9 - - 2004-04-21 - - TE - - Debian initialization script problem. Deleted obsolete - sections. - - - - 1.8 - - 2004-04-20 - - TE - - Updated RFC1918 and BOGONS files. - - - - 1.7 - - 2004-03-20 - - TE - - Proxy ARP/IPSEC fix. - - - - 1.6 - - 2004-03-17 - - TE - - Action rules are reported as policies. - - - - 1.5 - - 2004-02-03 - - TE - - Update for Shorewall 2.0.0. - - - - 1.4 - - 2004-01-19 - - TE - - IPV6 address problems. Make RFC1918 file section more - prominent. - - - - 1.3 - - 2004-01-14 - - TE - - Confusing template file in 1.4.9 - - - - 1.3 - - 2004-01-03 - - TE - - Added note about REJECT RedHat Kernal problem being - corrected. - - - - 1.2 - - 2003-12-29 - - TE - - Updated RFC1918 file - - - - 1.1 - - 2003-12-17 - - TE - - Initial Conversion to Docbook XML - - + 1.142004-05-10TEAdd + link to Netfilter CVS1.132004-05-04TEAdd + Alex Wilms's "install.sh" fix.1.122004-05-03TEAdd + Stefan Engel's "shorewall delete" fix.1.112004-04-28TEAdd + iptables 1.2.9 iptables-save bug notice.1.102004-04-21TEDebian + initialization script problem. Deleted obsolete sections.1.92004-04-20TEUpdated + RFC1918 and BOGONS files.1.82004-03-20TEProxy + ARP/IPSEC fix.1.72004-03-17TEAction + rules are reported as policies.1.62004-02-03TEUpdate + for Shorewall 2.0.0.1.52004-01-19TEIPV6 + address problems. Make RFC1918 file section more prominent.1.42004-01-14TEConfusing + template file in 1.4.91.32004-01-03TEAdded + note about REJECT RedHat Kernal problem being corrected.1.22003-12-29TEUpdated + RFC1918 file1.12003-12-17TEInitial + Conversion to Docbook XML
\ No newline at end of file
diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml
index 8a6b0cffc..d7701d808 100644
--- a/Shorewall-docs2/ports.xml 
+++ b/Shorewall-docs2/ports.xml
@@ -13,7 +13,7 @@ - 2004-04-24 + 2004-05-09 2001-2002
@@ -223,6 +223,22 @@ ACCEPT <source> <destination> ACCEPT <source> <destination> tcp 23 +
    + TFTP + + You must have TFTP connection tracking support in your kernel. If + modularized, the modules are ip_conntrack_tftp + (and ip_nat_tftp if any form of NAT is + involved) These modules may be loaded using entries in + /etc/shorewall/modules. The ip_conntrack_tftp + module must be loaded first. Note that the /etc/shorewall/modules + file released with recent Shorewall versions contains entries for these + modules. + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> udp 69 +
    +
    Traceroute
@@ -280,7 +296,8 @@ ACCEPT <source> <destination> Revision History - 1.82004-04-24TERevised + 1.102004-05-09TEAdded + TFTP.1.92004-04-24TERevised ICQ/AIM.1.82004-04-23TEAdded SNMP.1.72004-02-18TEMake NFS work for everyone.1.62004-02-14TEAdd
diff --git a/Shorewall-docs2/shorewall_extension_scripts.xml b/Shorewall-docs2/shorewall_extension_scripts.xml
index 99a10f6a2..e15ce7433 100644
--- a/Shorewall-docs2/shorewall_extension_scripts.xml
+++ b/Shorewall-docs2/shorewall_extension_scripts.xml
@@ -15,7 +15,7 @@ - 2004-05-04 + 2004-05-10 2001-2004
@@ -29,8 +29,7 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + GNU Free Documentation License.
@@ -65,8 +64,13 @@ - start -- invoked after the firewall has been started or - restarted. + initdone (added in Shorewall 2.0.2 RC1) -- invoked after Shorewall + has flushed all existing rules but before any rules have been added to + the builtin chains. + + + + start -- invoked after the firewall has been started or restarted.
@@ -94,8 +98,8 @@ - If your version of Shorewall doesn't have the - file that you want to use from the above list, you can simply create the + If your version of Shorewall doesn't have + the file that you want to use from the above list, you can simply create the file yourself. You can also supply a script with the same name as any of the filter chains in the firewall and the script will be invoked after the /etc/shorewall/rules file has been processed but before the 
@@ -110,10 +114,10 @@ run_iptables instead. run_iptables will run the iptables utility passing the arguments to run_iptables and if the command fails, the firewall - will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no + will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no /var/lib/shorewall/restore file) or restored - (Shorewall version >= 2.0.2 Beta 1 and - /var/lib/shorewall/restore exists). + (Shorewall version >= 2.0.2 Beta 1 and /var/lib/shorewall/restore + exists).
@@ -121,13 +125,11 @@ commands other than iptables that must be re-run in order to restore the firewall to its current state then you must save the commands to the restore file. The restore - file is a temporary file in /var/lib/shorewall that will be renamed - /var/lib/shorewall/restore-base at the successful - completion of the Shorewall command. The shorewall - save command combines - /var/lib/shorewall/restore-base with the output of - iptables-save to produce the + file is a temporary file in /var/lib/shorewall + that will be renamed /var/lib/shorewall/restore-base + at the successful completion of the Shorewall command. The + shorewall save command combines /var/lib/shorewall/restore-base + with the output of iptables-save to produce the /var/lib/shorewall/restore script. Here are three functions that are useful when running commands 
@@ -140,15 +142,15 @@ Example: save_command echo Operation Complete - That command would simply write "echo Operation Complete" to - the restore file. + That command would simply write "echo Operation + Complete" to the restore file. run_and_save_command() -- saves the passed command to the restore file then executes it. The return value is the exit status of the command. Example: - run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" + run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" Note that as in this example, when the command involves file redirection then the entire command must be enclosed in quotes. This
@@ -158,21 +160,21 @@ ensure_and_save_command() -- runs the passed command. If the command fails, the firewall is - restored to it's prior saved state and the operation is terminated. - If the command succeeds, the command is written to the restore - file + restored to it's prior saved state and the operation is + terminated. If the command succeeds, the command is written to the + restore file - Beginning with Shorewall 2.0.0, you can also define a common - action to be performed immediately before a policy of ACCEPT, - DROP or REJECT is applied. Separate Beginning with Shorewall 2.0.0, you can also define a + common action to be performed immediately before a + policy of ACCEPT, DROP or REJECT is applied. Separate actions can be assigned to each policy type so for example you can have a different common action for DROP and REJECT policies. The most common usage of common actions is to silently - drop traffic that you don't wish to have logged by the policy. + drop traffic that you don't wish to have logged by the policy. As released, Shorewall defines a number of actions which are cataloged in the /usr/share/shorewall/actions.std file. That file 
@@ -195,10 +197,10 @@ Reject:REJECT One final note. The chain created to perform an action has the same name as the action. You can use an extension script by that name to add - rules to the action's chain in the same way as you can any other chain. So - if you create the new action Dagger and define it in + rules to the action's chain in the same way as you can any other chain. + So if you create the new action Dagger and define it in /etc/shorewall/action.Dagger, you can also have an extension script named /etc/shorewall/Dagger that can - add rules to the Dagger chain that can't be created using + add rules to the Dagger chain that can't be created using /etc/shorewall/action.Dagger.
\ No newline at end of file
diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml
index 70d93d1d8..9732c79a4 100644
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@@ -30,8 +30,7 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + GNU Free Documentation License.
@@ -42,10 +41,10 @@ the version number mentioned in the section title is later than what you are currently running. - In the descriptions that follows, the term - group refers to a particular network or subnetwork - (which may be 0.0.0.0/0 or it may be a host address) - accessed through a particular interface. + In the descriptions that follows, the term group + refers to a particular network or subnetwork (which may be + 0.0.0.0/0 or it may be a host address) accessed through + a particular interface. Examples:
@@ -62,7 +61,20 @@
    - Version >= 2.0.2 Beta 1 + Version >= 2.0.2 RC1 + + + + If you are upgrading from Shorewall 1.4.x and you have commands + in your /etc/shorewall/common file that are not + directly related to the common chain + then you will want to move those commands to /etc/shorewall/initdone. + + +
    + +
    + Version >= 2.0.2 Beta 1
@@ -72,12 +84,11 @@ scripts. If your extension scripts are executing commands other than - iptables then those commands must also be written to the restore file - (a temporary file in /var/lib/shorewall that is renamed - /var/lib/shorewall/restore-base at the - completeion of the /sbin/shorewall command). The - following functions should be of help: + iptables then those commands must also be written + to the restore file (a temporary file in /var/lib/shorewall + that is renamed /var/lib/shorewall/restore-base + at the completeion of the /sbin/shorewall + command). The following functions should be of help:
@@ -86,14 +97,14 @@ Example: save_command echo Operation Complete - That command would simply write "echo Operation Complete" to - the restore file. + That command would simply write "echo Operation + Complete" to the restore file. - run_and_save_command() -- saves the passed command to the + run_and_save_command() -- saves the passed command to the restore file then executes it. The return value is the exit status - of the command. Example: run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" + of the command. Example: run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" Note that as in this example, when the command involves file redirection then the entire command must be enclosed in quotes. 
@@ -102,55 +113,54 @@ ensure_and_save_command() -- runs the passed command. If the - command fails, the firewall is restored to it's prior saved state - and the operation is terminated. If the command succeeds, the - command is written to the restore file + command fails, the firewall is restored to it's prior saved + state and the operation is terminated. If the command succeeds, + the command is written to the restore file - Dynamic Zone support. - If you don't need to use the - shorewall add and shorewall - delete commands, you should set DYNAMIC_ZONES=No in - /etc/shorewall/shorewall.conf. + Dynamic Zone support. - If you don't need to use the + shorewall add and shorewall delete + commands, you should set DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
    - Version >= 2.0.1 + Version >= 2.0.1 - The function of 'norfc1918' is now split between that option and - a new 'nobogons' option. The rfc1918 file released with Shorewall now - contains entries for only those three address ranges reserved by RFC - 1918. A 'nobogons' interface option has been added which handles bogon - source addresses (those which are reserved by the IANA, those reserved - for DHCP auto-configuration and the class C test-net reserved for - testing and documentation examples). This will allow users to perform - RFC 1918 filtering without having to deal with out of date data from - IANA. Those who are willing to update their - /usr/share/shorewall/bogons file regularly can - specify the 'nobogons' option in addition to 'norfc1918'. The level at - which bogon packets are logged is specified in the new BOGON_LOG_LEVEL - variable in shorewall.conf. If that option is not specified or is - specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose - TARGET is 'logdrop' in - /usr/share/shorewall/bogons are logged at the - 'info' level. + The function of 'norfc1918' is now split between that + option and a new 'nobogons' option. The rfc1918 file released + with Shorewall now contains entries for only those three address + ranges reserved by RFC 1918. A 'nobogons' interface option has + been added which handles bogon source addresses (those which are + reserved by the IANA, those reserved for DHCP auto-configuration and + the class C test-net reserved for testing and documentation examples). + This will allow users to perform RFC 1918 filtering without having to + deal with out of date data from IANA. Those who are willing to update + their /usr/share/shorewall/bogons file regularly + can specify the 'nobogons' option in addition to + 'norfc1918'. The level at which bogon packets are logged is + specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. 
If + that option is not specified or is specified as empty (e.g, + BOGON_LOG_LEVEL="") then bogon packets whose TARGET is + 'logdrop' in /usr/share/shorewall/bogons + are logged at the 'info' level.
    - VERSION >= 2.0.0-Beta1 + VERSION >= 2.0.0-Beta1 - The 'dropunclean' and 'logunclean' interface options are no - longer supported. If either option is specified in + The 'dropunclean' and 'logunclean' interface + options are no longer supported. If either option is specified in /etc/shorewall/interfaces, a threatening message will be generated.
@@ -159,19 +169,18 @@ The NAT_BEFORE_RULES option has been removed from shorewall.conf. The behavior of Shorewall 2.0 is as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT - rules now always take precidence over one-to-one NAT - specifications. + rules now always take precidence over one-to-one NAT specifications. The default value for the ALL INTERFACES column in /etc/shorewall/nat has changed. In Shorewall 1.*, - if the column was left empty, a value of "Yes" was assumed. This has - been changed so that a value of "No" is now assumed. + if the column was left empty, a value of "Yes" was assumed. + This has been changed so that a value of "No" is now assumed. - The following files don't exist in Shorewall 2.0: + The following files don't exist in Shorewall 2.0: /etc/shorewall/common.def
@@ -181,14 +190,13 @@ /etc/shorewall/icmpdef /etc/shorewall/action.template (moved - to - /usr/share/shorewall/action.template) + to /usr/share/shorewall/action.template) The /etc/shorewall/action file now allows - an action to be designated as the "common" action for a particular - policy type by following the action name with ":" and the policy - (DROP, REJECT or ACCEPT). + an action to be designated as the "common" action for a + particular policy type by following the action name with ":" + and the policy (DROP, REJECT or ACCEPT). The file /usr/share/shorewall/actions.std has been added to define those actions that are released as part of Shorewall 2.0 In 
@@ -204,29 +212,28 @@ policies while the Reject action is the default action for REJECT policies. These actions will be performed on packets prior to applying the DROP or REJECT policy respectively. In the first - release, the difference between "Reject" and "Drop" is that "Reject" - REJECTs SMB traffic while "Drop" silently drops such traffic. + release, the difference between "Reject" and "Drop" is + that "Reject" REJECTs SMB traffic while "Drop" + silently drops such traffic. As described above, Shorewall allows a common action for ACCEPT policies but does not specify such an action in the default configuration. For more information see the User-defined Action - Page. + url="User_defined_Actions.html">User-defined Action Page. The /etc/shorewall directory no longer - contains users file or a - usersets file. Similar functionality is now - available using user-defined actions. + contains users file or a usersets + file. Similar functionality is now available using user-defined + actions. - Now, action files created by copying - /usr/share/shorewall/action.template may now - specify a USER and or GROUP name/id in the final column just like in - the rules file (see below). It is thus possible to create actions that - control traffic from a list of users and/or groups. + Now, action files created by copying /usr/share/shorewall/action.template + may now specify a USER and or GROUP name/id in the final column just + like in the rules file (see below). It is thus possible to create + actions that control traffic from a list of users and/or groups. 
@@ -234,69 +241,64 @@ now labeled USER/GROUP and may contain: - [!]<user number>[:] + [!]<user number>[:] - [!]<user name>[:] + [!]<user name>[:] - [!]:<group number> + [!]:<group number> - [!]:<group name> + [!]:<group name> - [!]<user - number>:<group - number> + [!]<user number>:<group + number> - [!]<user - name>:<group - number> + [!]<user name>:<group + number> - [!]<user - inumber>:<group - name> + [!]<user inumber>:<group + name> - [!]<user - name>:<group name> + [!]<user name>:<group + name> - If your kernel has IPV6 support (recent - SuSe for example), and you don't use IPV6 then - you will probably want to set DISABLE_IPV6=Yes in /etc/shorewall/shorewall.conf. + If your kernel has IPV6 support (recent SuSe + for example), and you don't use IPV6 then you will probably want + to set DISABLE_IPV6=Yes in /etc/shorewall/shorewall.conf. You must have ipv6tables installed.
    - Version >= 1.4.8 + Version >= 1.4.8 The meaning of ROUTE_FILTER=Yes has changed. Previously this setting was documented as causing route filtering to - occur on all network interfaces; this didn't work. Beginning with this - release, ROUTE_FILTER=Yes causes route filtering to - occur on all interfaces brought up while Shorewall is running. This - means that it may be appropriate to set + occur on all network interfaces; this didn't work. Beginning with + this release, ROUTE_FILTER=Yes causes route + filtering to occur on all interfaces brought up while Shorewall is + running. This means that it may be appropriate to set ROUTE_FILTER=Yes and use the routefilter option in - /etc/shorewall/interfaces + /etc/shorewall/interfaces entries.
    - Version >= 1.4.6 + Version >= 1.4.6 - The NAT_ENABLED, - MANGLE_ENABLED and MULTIPORT - options have been removed from shorewall.conf. - These capabilities are now automatically detected by Shorewall. + The NAT_ENABLED, MANGLE_ENABLED + and MULTIPORT options have been removed from + shorewall.conf. These capabilities are now + automatically detected by Shorewall.
@@ -312,48 +314,39 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
    - Version >= 1.4.4 + Version >= 1.4.4 - If you are upgrading from 1.4.3 and have set the - LOGMARKER variable in /etc/shorewall/shorewall.conf, + If you are upgrading from 1.4.3 and have set the LOGMARKER + variable in /etc/shorewall/shorewall.conf, then you must set the new LOGFORMAT variable - appropriately and remove your setting of - LOGMARKER. + appropriately and remove your setting of LOGMARKER.
    Version 1.4.4 If you have zone names that are 5 characters long, you may - experience problems starting Shorewall because the - in a logging rule is too long. Upgrade to - Version 1.4.4a to fix this problem. + experience problems starting Shorewall because the + in a logging rule is too long. Upgrade to Version 1.4.4a to fix this + problem.
    - Version >= 1.4.2 + Version >= 1.4.2 There are some cases where you may want to handle traffic from a particular group to itself. While I personally think that such a setups are ridiculous, there are two cases covered in this documentation where it - can occur: - - In FAQ #2 - - - - When running - Squid as a transparent proxy in your - local zone. - - If you have either of these cases, you will want to - review the current documentation and change your configuration - accordingly. + can occur: In FAQ + #2When running Squid + as a transparent proxy in your local zone. + If you have either of these cases, you will want to review the current + documentation and change your configuration accordingly.
    - Version >= 1.4.1 + Version >= 1.4.1
@@ -362,10 +355,11 @@ zone eth1:192.168.1.0/24,192.168.2.0/24 was treated just like any other traffic; any matching rules were applied followed by enforcement of the appropriate policy. With 1.4.1 and later versions, unless you have explicit rules for traffic from Z - to Z or you have an explicit Z to Z policy (where "Z" is some zone) - then traffic between the groups in zone Z will be accepted. If you do - have one or more explicit rules for Z to Z or if you have an explicit - Z to Z policy then the behavior is as it was in prior versions. + to Z or you have an explicit Z to Z policy (where "Z" is some + zone) then traffic between the groups in zone Z will be accepted. If + you do have one or more explicit rules for Z to Z or if you have an + explicit Z to Z policy then the behavior is as it was in prior + versions. 
@@ -377,29 +371,26 @@ zone eth1:192.168.1.0/24,192.168.2.0/24 If you have a Z Z DROP or Z Z REJECT policy or you have - Z->Z rules then your configuration should not require any + Z->Z rules then your configuration should not require any change. If you are currently relying on a implicit policy (one that - has "all" in either the SOURCE or DESTINATION column) to prevent - traffic between two interfaces to a zone Z and you have no rules - for Z->Z then you should add an explicit DROP or REJECT policy - for Z to Z. + has "all" in either the SOURCE or DESTINATION column) to + prevent traffic between two interfaces to a zone Z and you have no + rules for Z->Z then you should add an explicit DROP or REJECT + policy for Z to Z. Sometimes, you want two separate zones on one interface but you - don't want Shorewall to set up any infrastructure to handle traffic - between them. - The <filename>zones</filename>, - <filename>interfaces</filename> and, <filename>hosts</filename> - file contents - - + don't want Shorewall to set up any infrastructure to handle + traffic between them. The <filename>zones</filename>, + <filename>interfaces</filename> and, <filename>hosts</filename> file + contents /etc/shorewall/zones z1 Zone1 The first Zone z2 Zone2 The second Zone 
@@ -409,21 +400,17 @@ z2 eth1 192.168.1.255 /etc/shorewall/hosts z1 eth1:192.168.1.3 - - Here, zone z1 is nested in zone z2 and the firewall is - not going to be involved in any traffic between these two zones. - Beginning with Shorewall 1.4.1, you can prevent Shorewall from setting - up any infrastructure to handle traffic between z1 and z2 by using the - new NONE policy: - The contents of <filename>policy</filename> - - + Here, zone z1 is nested in zone z2 and the + firewall is not going to be involved in any traffic between these two + zones. Beginning with Shorewall 1.4.1, you can prevent Shorewall from + setting up any infrastructure to handle traffic between z1 and z2 by + using the new NONE policy: The contents of + <filename>policy</filename> /etc/shorewall/policy z1 z2 NONE z2 z1 NONE - - Note that NONE policies are generally used in pairs - unless there is asymetric routing where only the traffic on one + Note that NONE policies are generally used in + pairs unless there is asymetric routing where only the traffic on one direction flows through the firewall and you are using a NONE polciy in the other direction.
@@ -436,21 +423,21 @@ z2 z1 NONE In Version 1.4.1, Shorewall will never create rules to deal with - traffic from a given group back to itself. The - multi interface option is no longer available so if - you want to route traffic between two subnetworks on the same - interface then I recommend that you upgrade to Version 1.4.2 and use - the routeback interface or host option. + traffic from a given group back to itself. The multi + interface option is no longer available so if you want to route + traffic between two subnetworks on the same interface then I recommend + that you upgrade to Version 1.4.2 and use the routeback + interface or host option.
    - Version >= 1.4.0 + Version >= 1.4.0 - Shorewall >=1.4.0 requires the iproute - package ('ip' utility). + Shorewall >=1.4.0 requires the iproute + package ('ip' utility). 
@@ -458,89 +445,46 @@ z2 z1 NONE iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic: error: failed dependencies:iproute is needed by shorewall-1.4.0-1 - This may be worked around by using the - option of rpm (rpm - -Uvh --nodeps + This may be worked around by using the + option of rpm (rpm -Uvh --nodeps your_shorewall_rpm.rpm). - If you are upgrading from a version < 1.4.0, then: - - The noping and - forwardping interface options are no longer - supported nor is the FORWARDPING option in - shorewall.conf. ICMP echo-request (ping) - packets are treated just like any other connection request and are - subject to rules and policies. - - - - Interface names of the form - <device>:<integer> in /etc/shorewall/interfaces - now generate a Shorewall error at startup (they always have produced - warnings in iptables). - - - - The MERGE_HOSTS variable has been removed - from shorewall.conf. Shorewall 1.4 behaves like - 1.3 did when MERGE_HOSTS=Yes; that is zone - contents are determined by BOTH the interfaces - and hosts files when there are entries for the zone in both - files. - - - - The routestopped option in the interfaces - and hosts file has been eliminated; use entries in the - routestopped file instead. - - - - The Shorewall 1.2 syntax for DNAT and - REDIRECT rules is no longer accepted; you must - convert to using the new syntax. - - - - The ALLOWRELATED variable in - shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with - ALLOWRELATED=Yes. - - - - Late-arriving DNS replies are now dropped by default; there is - no need for your own /etc/shorewall/common - file simply to avoid logging these packets. - - - - The firewall, - functions and version - files have been moved to /usr/share/shorewall. - - - - The icmp.def file has been removed. If - you include it from /etc/shorewall/icmpdef, - you will need to modify that file. 
- - - - If you followed the advice in FAQ #2 and call - find_interface_address in /etc/shorewall/params, - that code should be moved to /etc/shorewall/init. - - + If you are upgrading from a version < 1.4.0, then: The noping and + forwardping interface options are no longer supported + nor is the FORWARDPING option in shorewall.conf. + ICMP echo-request (ping) packets are treated just like any other + connection request and are subject to rules and policies.Interface + names of the form <device>:<integer> in + /etc/shorewall/interfaces + now generate a Shorewall error at startup (they always have produced + warnings in iptables).The + MERGE_HOSTS variable has been removed from + shorewall.conf. Shorewall 1.4 behaves like 1.3 did + when MERGE_HOSTS=Yes; that is zone contents are + determined by BOTH the interfaces and hosts files + when there are entries for the zone in both files.The + routestopped option in the interfaces and hosts file + has been eliminated; use entries in the routestopped + file instead.The Shorewall 1.2 syntax + for DNAT and REDIRECT rules is no + longer accepted; you must convert to using the new syntax.The + ALLOWRELATED variable in shorewall.conf + is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with + ALLOWRELATED=Yes.Late-arriving + DNS replies are now dropped by default; there is no need for your own + /etc/shorewall/common + file simply to avoid logging these packets.The + firewall, functions and + version files have been moved to /usr/share/shorewall.The + icmp.def file has been removed. If you include it + from /etc/shorewall/icmpdef, + you will need to modify that file.If you + followed the advice in FAQ #2 and call find_interface_address + in /etc/shorewall/params, + that code should be moved to /etc/shorewall/init.
    @@ -551,69 +495,44 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1 The multi interface option is no longer supported. Shorewall will generate rules for sending packets back out the same interface that they arrived on in two cases: - - There is an explicit policy for the - source zone to or from the destination zone. An explicit policy - names both zones and does not use the all - reserved word. - - - - There are one or more rules for traffic for the source - zone to or from the destination zone including rules that use - the all reserved word. Exception: if the - source zone and destination zone are the same then the rule must - be explicit - it must name the zone in both the - SOURCE and DESTINATION - columns. - - + mark="hollow">There is an explicit + policy for the source zone to or from the destination zone. An + explicit policy names both zones and does not use the + all reserved word.There + are one or more rules for traffic for the source zone to or from the + destination zone including rules that use the all + reserved word. Exception: if the source zone and destination zone are + the same then the rule must be explicit - it must name the zone in + both the SOURCE and DESTINATION + columns.
    - Version >= 1.3.14 + Version >= 1.3.14 Beginning in version 1.3.14, Shorewall treats entries in /etc/shorewall/masq - differently. The change involves entries with an interface name in the SUBNET - (second) column: - - Prior to 1.3.14, Shorewall would detect the FIRST subnet on - the interface (as shown by ip addr show interface) - and would masquerade traffic from that subnet. Any other subnets - that routed through eth1 needed their own entry - in /etc/shorewall/masq - to be masqueraded or to have SNAT applied. - - - - Beginning with Shorewall 1.3.14, Shorewall uses the firewall's - routing table to determine ALL subnets routed through the named - interface. Traffic originating in ANY of those subnets is - masqueraded or has SNAT applied. - - You will need to make a change to your configuration if: - - - You have one or more entries in /etc/shorewall/masq - with an interface name in the SUBNET (second) - column; and - - - - That interface connects to more than one subnetwork. - - Two examples: - Suppose that your current config is as follows: - - + differently. The change involves entries with an interface + name in the SUBNET (second) column: Prior + to 1.3.14, Shorewall would detect the FIRST subnet on the interface (as + shown by ip addr show interface) and would masquerade + traffic from that subnet. Any other subnets that routed through + eth1 needed their own entry in /etc/shorewall/masq to + be masqueraded or to have SNAT applied.Beginning + with Shorewall 1.3.14, Shorewall uses the firewall's routing table to + determine ALL subnets routed through the named interface. Traffic + originating in ANY of those subnets is masqueraded or has SNAT applied. + You will need to make a change to your configuration if: You have one or more entries in + /etc/shorewall/masq + with an interface name in the SUBNET (second) column; + andThat interface connects to more than + one subnetwork. 
Two examples: Suppose that your current config is as follows: [root@gateway test]# cat /etc/shorewall/masq #INTERFACE SUBNET ADDRESS
@@ -625,13 +544,10 @@ eth0 192.168.10.0/24 206.124.146.176 192.168.1.0/24 scope link 192.168.10.0/24 proto kernel scope link src 192.168.10.254 [root@gateway test]# - - In this case, the second entry in In this case, the second entry in /etc/shorewall/masq is - no longer required. - What if your current configuration is like this? - - + no longer required. What if your current + configuration is like this? [root@gateway test]# cat /etc/shorewall/masq #INTERFACE SUBNET ADDRESS eth0 eth2 206.124.146.176 
@@ -641,23 +557,20 @@ eth0 eth2 206.124.146.176 192.168.1.0/24 scope link 192.168.10.0/24 proto kernel scope link src 192.168.10.254 [root@gateway test]# - - In this case, you would want to change the entry in - /etc/shorewall/masq to: + In this case, you would want to change the + entry in /etc/shorewall/masq to: #INTERFACE SUBNET ADDRESS eth0 192.168.1.0/24 206.124.146.176 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE Version 1.3.14 also introduced simplified ICMP - echo-request (ping) handling. The option - OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf + echo-request (ping) handling. The option OLD_PING_HANDLING=Yes + in /etc/shorewall/shorewall.conf is used to specify that the old (pre-1.3.14) ping handling is to be used - (If the option is not set in your /etc/shorewall/shorewall.conf then - OLD_PING_HANDLING=Yes is assumed). I don't plan on - supporting the old handling indefinitely so I urge current users to - migrate to using the new handling as soon as possible. See the 'Ping' - handling documentation for details. + (If the option is not set in your /etc/shorewall/shorewall.conf + then OLD_PING_HANDLING=Yes is assumed). I don't + plan on supporting the old handling indefinitely so I urge current users + to migrate to using the new handling as soon as possible. See the + 'Ping' handling documentation for details.
    @@ -675,7 +588,7 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
    - Version >= 1.3.9 + Version >= 1.3.9
@@ -689,23 +602,22 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
    - Version >= 1.3.8 + Version >= 1.3.8 If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your - firewall setup slightly under Shorewall versions >= 1.3.8. - Beginning with version 1.3.8, you must set - NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf + firewall setup slightly under Shorewall versions >= 1.3.8. + Beginning with version 1.3.8, you must set NEWNOTSYN=Yes + in your /etc/shorewall/shorewall.conf file.
    - Version >= 1.3.7 + Version >= 1.3.7
@@ -713,14 +625,14 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm class="directory">/etc/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef - file (creating this file if necessary): + file (creating this file if necessary): + run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT - Users having an /etc/shorewall/icmpdef + Users having an /etc/shorewall/icmpdef file may remove the ./etc/shorewall/icmp.def command from that file since the icmp.def file is now empty.
@@ -729,37 +641,24 @@ run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    - Upgrading Bering to Shorewall >= 1.3.3 + Upgrading Bering to Shorewall >= 1.3.3 To properly upgrade with Shorewall version 1.3.3 and later: - - - Be sure you have a backup -- you will need to transcribe - any Shorewall configuration changes that you have made to the - new configuration. - - - - Replace the shorwall.lrp package - provided on the Bering floppy with the later one. If you did not - obtain the later version from Jacques's site, see additional - instructions below. - - - - Edit the /var/lib/lrpkg/root.exclude.list - file and remove the /var/lib/shorewall - entry if present. Then do not forget to backup - root.lrp! - - The .lrp that I release isn't set up for a - two-interface firewall like Jacques's. You need to follow the - instructions for setting up a two-interface firewall plus you also - need to add the following two Bering-specific rules to /etc/shorewall/rules: + Be sure you have a + backup -- you will need to transcribe any Shorewall configuration + changes that you have made to the new configuration.Replace + the shorwall.lrp package provided on the Bering + floppy with the later one. If you did not obtain the later version + from Jacques's site, see additional instructions below.Edit + the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall entry if + present. Then do not forget to backup root.lrp! + The .lrp that I release isn't set up for a two-interface firewall + like Jacques's. You need to follow the instructions for setting up + a two-interface firewall plus you also need to add the following two + Bering-specific rules to /etc/shorewall/rules: # Bering specific rules: # allow loc to fw udp/53 for dnscache to work 
@@ -780,55 +679,41 @@ ACCEPT loc fw tcp 80 If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7 - - - Create the file /etc/shorewall/newnotsyn - and in it add the following rule: - + Create the file /etc/shorewall/newnotsyn + and in it add the following rule: + # So that the connection tracking table can be rebuilt # from non-SYN packets after takeover. run_iptables -A newnotsyn -j RETURN - - - - - Create /etc/shorewall/common - (if you don't already have that file) and include the following: - + Create /etc/shorewall/common + (if you don't already have that file) and include the following: + #Accept Acks to rebuild connection tracking table. run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT ./etc/shorewall/common.def - - - +
    - Versions >= 1.3.5 + Versions >= 1.3.5 Some forms of pre-1.3.0 rules file syntax are no longer - supported. - - - + supported. ACCEPT net loc:192.168.1.12:22 tcp 11111 - all - - Must be replaced with: + Must be replaced with: + DNAT net loc:192.168.1.12:22 tcp 11111 - - - - + ACCEPT loc fw::3128 tcp 80 - all - - Must be replaced with: + Must be replaced with: + REDIRECT loc 3128 tcp 80
@@ -836,7 +721,7 @@ REDIRECT loc 3128 tcp 80
    - Version >= 1.3.2 + Version >= 1.3.2