From c8209f4ce22b514c92781dddf866ee5d90cab881 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 08:18:23 -0800 Subject: [PATCH 1/9] Apply bridge fix to 4.4 --- Shorewall/Perl/Shorewall/Rules.pm | 4 ++-- Shorewall/changelog.txt | 4 +++- Shorewall/releasenotes.txt | 10 +++++++++- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 631462d92..65798b7b3 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -322,7 +322,7 @@ sub process_routestopped() { $seq++; - my $rule = do_proto( $proto, $ports, $sports, 1 ); + my $rule = do_proto( $proto, $ports, $sports, 0 ); for my $host ( split /,/, $hosts ) { validate_host $host, 1; @@ -2316,7 +2316,7 @@ EOF } } else { for my $interface ( all_bridges ) { - emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT"; + emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT"; } if ( $config{IP_FORWARDING} eq 'on' ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index d3b7d0abb..f72126a6f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,6 +1,8 @@ Changes in Shorewall 4.4.5 -None. +1) Fix 15-port limit removal change. + +2) Fix handling of interfaces with the 'bridge' option. Changes in Shorewall 4.4.4 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index d14f06602..d618d9fb4 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
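Review bot: The fourth argument to do_proto in the `@@ -322` hunk of Rules.pm is now a bare `0`, a magic flag at the call site; the changelog and release-notes hunks in this same patch suggest it governs the 15-port multiport limitation for routestopped entries, but nothing in the code says so. A trailing comment would keep that intent with the call, e.g. `my $rule = do_proto( $proto, $ports, $sports, 0 );  # 0: do not enforce the 15-port multiport limit -- TODO confirm against do_proto`. The `@@ -2316` hunk replaces match_source_interface/match_dest_interface, which the release notes describe as undefined, with match_source_dev/match_dest_dev; a failure of that kind only surfaces when a configuration actually uses the 'bridge' option, so a sample configuration with a bridge interface in the test set would have caught it earlier. process_routestopped's body continues outside the hunk.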
@@ -177,7 +177,15 @@ Shorewall 4.4.5 P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- -None. +1) The change which removed the 15 port limitation on + /etc/shorewall/routestopped was incomplete. The result was that if + more than 15 ports are listed, an error was generated. + +2) If any interfaces have the 'bridge' option specified, compilation + fails with the error: + + Undefined subroutine &Shorewall::Rules::match_source_interface called + at /usr/share/shorewall/Shorewall/Rules.pm line 2319. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G From 76e7dea8581655b5542a00e6f9f90e3fba782967 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 08:36:40 -0800 Subject: [PATCH 2/9] Generate error on port == 0 --- Shorewall/Perl/Shorewall/IPAddrs.pm | 3 ++- Shorewall/Perl/Shorewall/Rules.pm | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index d17fc112b..47342de4b 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4 validate_icmp6 ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_1'; +our $VERSION = '4.4_5'; # # Some IPv4/6 useful stuff @@ -302,6 +302,7 @@ sub validate_port( $$ ) { my $value; if ( $port =~ /^(\d+)$/ ) { + fatal_error "Invalid Port Number (0)" unless $port; return $port if $port <= 65535; } else { $proto = proto_name $proto if $proto =~ /^(\d+)$/; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 65798b7b3..3b3990816 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
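Review bot: The zero check added in the `@@ -302` hunk of IPAddrs.pm, `fatal_error "Invalid Port Number (0)" unless $port;`, tests string truthiness, and after `$port =~ /^(\d+)$/` a value such as `00` or `000` is true as a string yet numerically zero, so it passes through `return $port if $port <= 65535;` unchanged; the simplified `return $port if $port && $port <= 65535;` in the `@@ -302` hunk of patch 4/9 has the same gap. A numeric comparison closes it in either form, e.g. `return $port if $port > 0 && $port <= 65535;`. The simplified form also drops the specific "(0)" message, so what the user sees for port 0 depends on whatever error is raised after the if/else, which is outside the hunk. validate_port's body continues outside the hunk.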
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos compile_stop_firewall ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # Set to one if we find a SECTION From bd9c0ac2855e8581fe36d389a159d4c340661e3b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 08:39:03 -0800 Subject: [PATCH 3/9] Generate error on port == 0 --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index f72126a6f..7203c62fd 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in Shorewall 4.4.5 2) Fix handling of interfaces with the 'bridge' option. +3) Generate error for port number 0 + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index d618d9fb4..4c418c735 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -187,6 +187,10 @@ Shorewall 4.4.5 Undefined subroutine &Shorewall::Rules::match_source_interface called at /usr/share/shorewall/Shorewall/Rules.pm line 2319. +3) The compiler now flags port number 0 as an error. Previously, port + 0 was allowed with the result that invalid iptables-restore input + could be generated. + ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- From d43ba935d13848cbc80edc531d88b377f577063b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 09:03:01 -0800 Subject: [PATCH 4/9] Simplify port == 0 test --- Shorewall/Perl/Shorewall/IPAddrs.pm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index 47342de4b..15d4744fa 100644 
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -302,8 +302,7 @@ sub validate_port( $$ ) { my $value; if ( $port =~ /^(\d+)$/ ) { - fatal_error "Invalid Port Number (0)" unless $port; - return $port if $port <= 65535; + return $port if $port && $port <= 65535; } else { $proto = proto_name $proto if $proto =~ /^(\d+)$/; $value = getservbyname( $port, $proto ); From 617fddf1bd1263e1d8cb9b503dc1800461a61ebe Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 09:28:45 -0800 Subject: [PATCH 5/9] Add warning about default routes to multi-interface HOWTOs --- docs/three-interface.xml | 8 +++++++- docs/two-interface.xml | 6 +++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/three-interface.xml b/docs/three-interface.xml index c870cf498..6fc9d169c 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -460,6 +460,12 @@ root@lists:~# against. + + Do not configure a default route on your + internal and DMZ interfaces. Your firewall should have + exactly one default route via your ISP's Router. + + The Shorewall three-interface sample configuration assumes that the @@ -1135,4 +1141,4 @@ ACCEPT net $FW tcp 80 Operating Shorewall and Shorewall Lite contains a lot of useful operational hints. - \ No newline at end of file + diff --git a/docs/two-interface.xml b/docs/two-interface.xml index a419d9daf..978b41475 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -418,6 +418,10 @@ root@lists:~# for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against. + + Do not configure a default route on your + internal interface. Your firewall should have exactly one + default route via your ISP's Router. @@ -1142,4 +1146,4 @@ eth0 wlan0 requires the rules listed in the Shorewall/Samba documentation. - \ No newline at end of file + From ba4db1dd41fa7903b28c17da314cd22cf164e0c7 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Sun, 22 Nov 2009 09:52:13 -0800 Subject: [PATCH 6/9] Move Logging section forward in the HOWTOs --- docs/three-interface.xml | 102 +++++++++++++++++++-------------------- docs/two-interface.xml | 102 +++++++++++++++++++-------------------- 2 files changed, 102 insertions(+), 102 deletions(-) diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 6fc9d169c..10086d34c 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -689,6 +689,57 @@ root@lists:~# +
+ Logging + + Shorewall does not maintain a log itself but rather relies on your + system's logging configuration. + The following commands rely + on knowing where Netfilter messages are logged: + + + + shorewall show log (Displays the last 20 + Netfilter log messages) + + + + shorewall logwatch (Polls the log at a + settable interval + + + + shorewall dump (Produces an extensive report + for inclusion in Shorewall problem reports) + + + + It is important that these commands work properly because when you + encounter connection problems when Shorewall is running, the first thing + that you should do is to look at the Netfilter log; with the help of + Shorewall FAQ 17, you can usually + resolve the problem quickly. + + Most commonly, Netfilter messages are logged to + /var/log/messages. Recent + SuSE/OpenSuSE releases come preconfigured with + syslog-ng and log netfilter messages to + /var/log/firewall. + + + + If you are running a distribution that logs netfilter messages to a + log other than /var/log/messages, then modify the + LOGFILE setting in /etc/shorewall/shorewall.conf to + specify the name of your log. + + + The LOGFILE setting does not control where the Netfilter log is + maintained -- it simply tells the /sbin/shorewall + utility where to find the log. + +
+
Port Forwarding (DNAT) @@ -945,57 +996,6 @@ ACCEPT net $FW tcp 80
-
- Logging - - Shorewall does not maintain a log itself but rather relies on your - system's logging configuration. - The following commands rely - on knowing where Netfilter messages are logged: - - - - shorewall show log (Displays the last 20 - Netfilter log messages) - - - - shorewall logwatch (Polls the log at a - settable interval - - - - shorewall dump (Produces an extensive report - for inclusion in Shorewall problem reports) - - - - It is important that these commands work properly because when you - encounter connection problems when Shorewall is running, the first thing - that you should do is to look at the Netfilter log; with the help of - Shorewall FAQ 17, you can usually - resolve the problem quickly. - - Most commonly, Netfilter messages are logged to - /var/log/messages. Recent - SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log netfilter messages to - /var/log/firewall. - - - - If you are running a distribution that logs netfilter messages to a - log other than /var/log/messages, then modify the - LOGFILE setting in /etc/shorewall/shorewall.conf to - specify the name of your log. - - - The LOGFILE setting does not control where the Netfilter log is - maintained -- it simply tells the /sbin/shorewall - utility where to find the log. - -
-
Some Things to Keep in Mind diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 978b41475..18a47771e 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -640,6 +640,57 @@ root@lists:~#
+
+ Logging + + Shorewall does not maintain a log itself but rather relies on your + system's logging configuration. + The following commands rely + on knowing where Netfilter messages are logged: + + + + shorewall show log (Displays the last 20 + netfilter log messages) + + + + shorewall logwatch (Polls the log at a + settable interval + + + + shorewall dump (Produces an extensive report + for inclusion in Shorewall problem reports) + + + + It is important that these commands work properly because when you + encounter connection problems when Shorewall is running, the first thing + that you should do is to look at the Netfilter log; with the help of + Shorewall FAQ 17, you can usually + resolve the problem quickly. + + Most commonly, Netfilter messages are logged to + /var/log/messages. Recent + SuSE/OpenSuSE releases come preconfigured with + syslog-ng and log netfilter messages to + /var/log/firewall. + + + + If you are running a distribution that logs netfilter messages to a + log other than /var/log/messages, then modify the + LOGFILE setting in /etc/shorewall/shorewall.conf to + specify the name of your log. + + + The LOGFILE setting does not control where the Netfilter log is + maintained -- it simply tells the /sbin/shorewall + utility where to find the log. + +
+
Port Forwarding (DNAT) @@ -864,57 +915,6 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
- Logging - - Shorewall does not maintain a log itself but rather relies on your - system's logging configuration. - The following commands rely - on knowing where Netfilter messages are logged: - - - - shorewall show log (Displays the last 20 - netfilter log messages) - - - - shorewall logwatch (Polls the log at a - settable interval - - - - shorewall dump (Produces an extensive report - for inclusion in Shorewall problem reports) - - - - It is important that these commands work properly because when you - encounter connection problems when Shorewall is running, the first thing - that you should do is to look at the Netfilter log; with the help of - Shorewall FAQ 17, you can usually - resolve the problem quickly. - - Most commonly, Netfilter messages are logged to - /var/log/messages. Recent - SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log netfilter messages to - /var/log/firewall. - - - - If you are running a distribution that logs netfilter messages to a - log other than /var/log/messages, then modify the - LOGFILE setting in /etc/shorewall/shorewall.conf to - specify the name of your log. - - - The LOGFILE setting does not control where the Netfilter log is - maintained -- it simply tells the /sbin/shorewall - utility where to find the log. - -
-
Some Things to Keep in Mind From 2eaf396f5ad86ab340fd317df298c8efe894abce Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 22 Nov 2009 10:11:50 -0800 Subject: [PATCH 7/9] Revise Logging section of beginner HOWTOs --- docs/standalone.xml | 24 +++++++++++++++++++----- docs/three-interface.xml | 24 +++++++++++++++++++----- docs/two-interface.xml | 24 +++++++++++++++++++----- 3 files changed, 57 insertions(+), 15 deletions(-) diff --git a/docs/standalone.xml b/docs/standalone.xml index f599e3561..2c5e12e8b 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -447,11 +447,25 @@ root@lists:~# Shorewall FAQ 17, you can usually resolve the problem quickly. - Most commonly, Netfilter messages are logged to - /var/log/messages. Recent - SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log Netfilter messages to - /var/log/firewall. + The Netfilter log location is distribution-dependent: + + + + Debian and its derivatives log Netfilter messages to + /var/log/daemon.log. + + + + Recent SuSE/OpenSuSE releases come + preconfigured with syslog-ng and log netfilter messages to + /var/log/firewall. + + + + For other distributions, Netfilter messages are most commonly + logged to /var/log/messages. + + diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 10086d34c..87d0de675 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml 
@@ -720,11 +720,25 @@ root@lists:~# Shorewall FAQ 17, you can usually resolve the problem quickly. - Most commonly, Netfilter messages are logged to - /var/log/messages. Recent - SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log netfilter messages to - /var/log/firewall. + The Netfilter log location is distribution-dependent: + + + + Debian and its derivatives log Netfilter messages to + /var/log/daemon.log. + + + + Recent SuSE/OpenSuSE releases come + preconfigured with syslog-ng and log netfilter messages to + /var/log/firewall. + + + + For other distributions, Netfilter messages are most commonly + logged to /var/log/messages. + + diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 18a47771e..83d18b168 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -671,11 +671,25 @@ root@lists:~# Shorewall FAQ 17, you can usually resolve the problem quickly. - Most commonly, Netfilter messages are logged to - /var/log/messages. Recent - SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log netfilter messages to - /var/log/firewall. + The Netfilter log location is distribution-dependent: + + + + Debian and its derivatives log Netfilter messages to + /var/log/daemon.log. + + + + Recent SuSE/OpenSuSE releases come + preconfigured with syslog-ng and log netfilter messages to + /var/log/firewall. + + + + For other distributions, Netfilter messages are most commonly + logged to /var/log/messages. + + From b30cae89e38e9f69a2119c7ef70c99a08f6fc85a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 23 Nov 2009 09:56:15 -0800 Subject: [PATCH 8/9] Allow :: in the rules file DEST column --- Shorewall/Perl/Shorewall/Rules.pm | 18 +++++++++++------- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 14 +++++++++++++- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 3b3990816..ad85061b1 100644 
--- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1237,10 +1237,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $origdest = ALLIP; } } - } else { - fatal_error "A server must be specified in the DEST column in $action rules" if $server eq ''; - - if ( $server =~ /^(.+)-(.+)$/ ) { + } else { + if ( $server eq '' ) { + fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport; + } elsif ( $server =~ /^(.+)-(.+)$/ ) { validate_range( $1, $2 ); } else { my @servers = validate_address $server, 1; @@ -1249,9 +1249,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { if ( $action eq 'DNAT' ) { $target = '-j DNAT '; - $serverport = ":$serverport" if $serverport; - for my $serv ( split /,/, $server ) { - $target .= "--to-destination ${serv}${serverport} "; + if ( $server ) { + $serverport = ":$serverport" if $serverport; + for my $serv ( split /,/, $server ) { + $target .= "--to-destination ${serv}${serverport} "; + } + } else { + $target .= "--to-destination :$serverport "; } } diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 7203c62fd..9622e834f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in Shorewall 4.4.5 3) Generate error for port number 0 +4) Allow zone::serverport in rules DEST column. + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 4c418c735..4ce694568 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
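Review bot: The two hunks in process_rule1 test for an absent server differently: `@@ -1237` uses `if ( $server eq '' )` while `@@ -1249` uses `if ( $server )`, so the branches agree only as long as validate_address never accepts a value that is false as a string such as `0`; writing the second as `if ( $server ne '' )` makes the pairing explicit. In the port-only branch `--to-destination :$serverport` is emitted without any counterpart to the validate_address/validate_range checks the server branch performs, so whatever validates $serverport must run before this point — it is not visible in the hunk. Separately, the release-notes hunk in this patch describes `DNAT loc net::456 udp 234` as rewriting the destination port from 456 to 234, whereas the emitted `--to-destination :456` rewrites matching packets to port 456; if the DEST PORT column supplies the match, that sentence has the direction reversed. process_rule1 starts and ends outside the hunks.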
@@ -201,7 +201,19 @@ None. N E W F E A T U R E S I N 4 . 4 . 5 ---------------------------------------------------------------------------- -None. +1) Shorewall now allows DNAT rules that change only the destination + port. + + Example: + + DNAT loc net::456 udp 234 + + That rule will modify the destination port in UDP packets received + from the 'loc' zone from 456 to 234. Note that if the destination + is the firewall itself, then the destination port will be rewritten + but that no ACCEPT rule from the loc zone to the $FW zone will have + been created to handle the request. So such rules should probably + exclude the firewall's IP addresses in the ORIGINAL DEST column. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 From 532105ec391800fe4583b1c3d3f9d0138eec1043 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 23 Nov 2009 10:02:04 -0800 Subject: [PATCH 9/9] Allow specific policy to supersede a wildcard policy --- Shorewall/Perl/Shorewall/Policy.pm | 12 +++++++++++- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 12 ++++++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index b0273f215..054b6500a 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -107,6 +107,7 @@ sub set_policy_chain($$$$$) $chainref1->{policychain} = $chainref->{name}; } + $chainref1->{expanded} = 1; $chainref1->{policy} = $policy; $chainref1->{policypair} = [ $source, $dest ]; } 
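Review bot: The new `$chainref1->{expanded} = 1;` in the `@@ -107` hunk of Policy.pm introduces a flag whose meaning is only discoverable from its consumer in process_a_policy, where an `expanded` chain may be overridden once by a later explicit policy and then has the flag cleared. A comment at the assignment would keep that contract next to the producer, e.g. `# Chain was created by expanding a wildcard policy; a later explicit policy for this pair may replace it once (see process_a_policy)`. The flag is set unconditionally here, so it is worth confirming that set_policy_chain is reached only through wildcard expansion; the function's body starts outside the hunk.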
@@ -221,11 +222,20 @@ sub process_a_policy() { if ( $chainref->{provisional} ) { $chainref->{provisional} = 0; $chainref->{policy} = $policy; + } elsif ( $chainref->{expanded} ) { + $chainref->{expanded} = 0; + $chainref->{policy} = $policy; } else { fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); } } elsif ( $chainref->{policy} ) { - fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); + if ( $chainref->{expanded} ) { + $chainref->{expanded} = 0; + convert_to_policy_chain( $chainref, $client, $server, $policy, 0 ); + push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); + } else { + fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); + } } else { convert_to_policy_chain( $chainref, $client, $server, $policy, 0 ); push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 9622e834f..f9bff4ff2 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -8,6 +8,8 @@ Changes in Shorewall 4.4.5 4) Allow zone::serverport in rules DEST column. +5) Allow specific policy to supersede a wildcard policy. + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 4ce694568..372788ed3 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
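Review bot: In the `elsif ( $chainref->{policy} )` branch, the new `expanded` path calls convert_to_policy_chain and then `push @policy_chains, ( $chainref )`; if the chain was already placed on @policy_chains when the wildcard policy was expanded, it now appears there twice, and the hunk does not show which is the case — worth checking against the expansion code. The `expanded` override in the first branch copies only `{policy}`, mirroring the `provisional` case, so any log level or default action the wildcard policy set on the chain is not replaced within the hunk; if those are assigned later in process_a_policy that is fine, otherwise `$FW dmz REJECT info` after `$FW all ACCEPT` would keep the wildcard's settings. The convert_to_policy_chain/push pair now appears twice verbatim; folding the `expanded` case into the final else's condition, or a small helper, would remove the duplication. process_a_policy's body continues outside the hunk.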
@@ -215,6 +215,18 @@ None. been created to handle the request. So such rules should probably exclude the firewall's IP addresses in the ORIGINAL DEST column. +2) Previously, the following sequence of policies would produce a + 'Duplicate Policy' error: + + $FW all ACCEPT + $FW dmz REJECT info + + Begining with 4.4.5, this sequence produces the same result as this + one: + + $FW dmz REJECT info + $FW all ACCEPT + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ----------------------------------------------------------------------------