From 708d58da2139fc02b1571a5eecedc1c4295294f6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 13 Feb 2014 08:23:34 -0800 Subject: [PATCH 1/6] Revert "Replace SECTION with ?SECTION in the rules file." This reverts commit 34207fef1a2258d634beb587a9db8115dfab9a43. --- Shorewall/configfiles/rules | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules index fd618eaa4..2ae67a390 100644 --- a/Shorewall/configfiles/rules +++ b/Shorewall/configfiles/rules @@ -9,9 +9,9 @@ ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP -#?SECTION ALL -#?SECTION ESTABLISHED -#?SECTION RELATED -#?SECTION INVALID -#?SECTION UNTRACKED -?SECTION NEW +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED +SECTION NEW From ded747a51a6403628eaa8beac6ceab2c82d57892 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 28 Feb 2014 10:14:08 -0800 Subject: [PATCH 2/6] Correct the behavior of ADMINISABSENTMINDED Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index c64369b1d..879f76d7c 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -2512,9 +2512,9 @@ EOF
 "restore_default_route $config{USE_DEFAULT_RT}" );
- my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
-
- add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
+ if ( $config{ADMINISABSENTMINDED} ) {
+ add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
+ }
 if ( $family == F_IPV6 ) {
 add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
From 4eadec234a4534a7f8ec26c2d8bbb62eb81d5957 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 2 Mar 2014 08:25:05 -0800
Subject: [PATCH 3/6] Revert "Correct the behavior of ADMINISABSENTMINDED"
This reverts commit ded747a51a6403628eaa8beac6ceab2c82d57892.
---
 Shorewall/Perl/Shorewall/Misc.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 879f76d7c..c64369b1d 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -2512,9 +2512,9 @@ EOF
 "restore_default_route $config{USE_DEFAULT_RT}" );
- if ( $config{ADMINISABSENTMINDED} ) {
- add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
- }
+ my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
+
+ add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
 if ( $family == F_IPV6 ) {
 add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
From caa72fb7d28f03cb10bb9fbe5bdadbf412268fb4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 2 Mar 2014 10:39:12 -0800
Subject: [PATCH 4/6] Correct routestopped files.
Signed-off-by: Tom Eastep
---
 Shorewall/manpages/shorewall-routestopped.xml | 9 ++++++-
 .../manpages/shorewall6-routestopped.xml | 25 +++----------------
 2 files changed, 11 insertions(+), 23 deletions(-)
diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml index 745f5eae8..3d46d5f4a 100644 --- a/Shorewall/manpages/shorewall-routestopped.xml +++ b/Shorewall/manpages/shorewall-routestopped.xml @@ -118,7 +118,7 @@ - notrack + notrack The traffic will be exempted from connection @@ -126,6 +126,13 @@ + + + The source and dest options work best when used in + conjunction with ADMINISABSENTMINDED=Yes in shorewall6.conf(5). + diff --git a/Shorewall6/manpages/shorewall6-routestopped.xml b/Shorewall6/manpages/shorewall6-routestopped.xml index a9f89dd9e..a5ea911d5 100644 --- a/Shorewall6/manpages/shorewall6-routestopped.xml +++ b/Shorewall6/manpages/shorewall6-routestopped.xml @@ -114,30 +114,11 @@ - critical + notrack - Allow traffic between the firewall and these hosts - throughout '[re]start', 'stop' and 'clear'. Specifying - critical on one or more - entries will cause your firewall to be "totally open" for a - brief window during each of those operations. Examples of - where you might want to use this are: - - - - 'Ping' nodes with heartbeat. - - - - LDAP server(s) if you use LDAP Authentication - - - - NFS Server if you have an NFS-mounted root - filesystem. - - + The traffic will be exempted from connection + tracking. From 8b4d8bfa167946a99ecde7790a10975de54883a9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 5 Mar 2014 08:57:03 -0800 Subject: [PATCH 5/6] Finish ADMINISABSENDMINDED change Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 14 +++++-- Shorewall/manpages/shorewall.conf.xml | 49 ++++++++++++++++++---- Shorewall6/manpages/shorewall6.conf.xml | 56 +++++++++++++++++++------ 3 files changed, 95 insertions(+), 24 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index c64369b1d..21ed51f2d 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -679,7 +679,13 @@ sub process_stoppedrules() {
 my $result;
 if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
- first_entry "$doing $fn...";
+ first_entry sub() {
+ progress_message2("$doing $fn...");
+ unless ( $config{ADMINISABSENTMINDED} ) {
+ warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+ $config{ADMINISABSENTMINDED} = 'Yes';
+ }
+ };
 while ( read_a_line( NORMAL_READ ) ) {
@@ -2512,9 +2518,9 @@ EOF
 "restore_default_route $config{USE_DEFAULT_RT}" );
- my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
-
- add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
+ if ( $config{ADMINISABSENTMINDED} ) {
+ add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
+ }
 if ( $family == F_IPV6 ) {
 add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 7ea1541a3..1ccaca148 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
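Review bot: The warning emitted from the new first_entry callback names the wrong file: this is process_stoppedrules() reading the file opened by `open_file 'stoppedrules'`, but the message says "Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes", which points the administrator at the other, legacy file. Suggest `warning_message("Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes");`. Because this branch overrides an explicit ADMINISABSENTMINDED=No, and per the second hunk a true value is what makes the stopped firewall accept ESTABLISHED,RELATED traffic on INPUT and FORWARD, a one-line comment above the `unless` such as `# stoppedrules implies ADMINISABSENTMINDED=Yes: warn and override so the stopped state keeps existing connections` would stop a later reader from removing the override as a bug. The override runs inside the first_entry callback, so it presumably only takes effect once the file yields at least one entry; if an empty stoppedrules file is meant to leave the setting untouched, say so in that comment. process_stoppedrules() continues beyond the end of the hunk.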
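Review bot: The new `if ( $config{ADMINISABSENTMINDED} )` removes the ESTABLISHED,RELATED accept entirely when the setting is off, a deliberate narrowing of the stopped state (existing connections are no longer carried across a stop, matching the manpage text in this patch), but nothing in the code records that intent, and the old ternary made the No case look like the more permissive one. A comment above the `if` would keep the No branch from being re-added later, e.g. `# ADMINISABSENTMINDED=No: only routestopped/stoppedrules traffic passes while stopped, so no ESTABLISHED,RELATED accept here`. OUTPUT is left out of the Yes case as before; if that relies on an unconditional accept of firewall-originated traffic elsewhere, name that rule in the same comment. The test is on the raw config value, and the first hunk stores the literal string 'Yes', so this is only correct if the config loader has already normalised 'No' to a false value before this point; worth confirming. The enclosing function starts and ends outside the hunk.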
@@ -281,15 +281,48 @@ The value of this variable affects Shorewall's stopped state. - When ADMINISABSENTMINDED=No, only traffic to/from those addresses - listed in shorewall-routestopped(5) - is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, - in addition to traffic to/from addresses in shorewall-routestopped(5), - connections that were active when Shorewall stopped continue to work - and all new connections from the firewall system itself are allowed. - If this variable is not set or is given the empty value then + or shorewall-stoppedrules(5) + is used: + + + + routestopped + + + When ADMINISABSENTMINDED=No, only traffic to/from those + addresses listed in routestopped is + accepted when Shorewall is stopped. When + ADMINISABSENTMINDED=Yes, in addition to traffic to/from + addresses in routestopped, connections + that were active when Shorewall stopped continue to work and + all new connections from the firewall system itself are + allowed. + + + + + stoppedrules + + + If ADMINISABSENTMINDED=No, a warning message is issued + and the setting is ignored. + + In addition to connections matching entries in + stoppedrules, existing connections + continue to work and all new connections from the firewall + system itself are allowed. To sever all existing connections + when the firewall is stopped, install the conntrack utility + and place the command conntrack -F in the + stopped user exit + (/etc/shorewall/stopped). + + + + + If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index f10ebf973..0515bcaa4 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -216,18 +216,50 @@ role="bold">Yes|No] - The value of this variable affects Shorewall6's stopped state. - When ADMINISABSENTMINDED=No, only traffic to/from those addresses - listed in shorewall6-routestopped(5) - is accepted when Shorewall6 is stopped. When - ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in - shorewall6-routestopped(5), - connections that were active when Shorewall6 stopped continue to - work and all new connections from the firewall system itself are - allowed. If this variable is not set or is given the empty value - then ADMINISABSENTMINDED=No is assumed. + The value of this variable affects Shorewall's stopped state. + The behavior differs depending on whether shorewall6-routestopped(5) + or shorewall6-stoppedrules(5) + is used: + + + + routestopped + + + When ADMINISABSENTMINDED=No, only traffic to/from those + addresses listed in routestopped is + accepted when Shorewall is stopped. When + ADMINISABSENTMINDED=Yes, in addition to traffic to/from + addresses in routestopped, connections + that were active when Shorewall stopped continue to work and + all new connections from the firewall system itself are + allowed. + + + + + stoppedrules + + + If ADMINISABSENTMINDED=No, a warning message is issued + and the setting is ignored. + + In addition to connections matching entries in + stoppedrules, existing connections + continue to work and all new connections from the firewall + system itself are allowed. To sever all existing connections + when the firewall is stopped, install the conntrack utility + and place the command conntrack -F in the + stopped user exit + (/etc/shorewall6/stopped). + + + + + If this variable is not set or is given the empty value then + ADMINISABSENTMINDED=No is assumed. From 3cfee0e43cfc0c56e5fb21f4be7b8076e57d7c00 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 5 Mar 2014 08:57:21 -0800 Subject: [PATCH 6/6] Updates/corrections to beginner articles 
Signed-off-by: Tom Eastep --- docs/standalone.xml | 40 ++++++++++++++++++++++---------- docs/three-interface.xml | 49 ++++++++++++++++++++++++---------------- docs/two-interface.xml | 34 ++++++++++++++++++++-------- 3 files changed, 82 insertions(+), 41 deletions(-) diff --git a/docs/standalone.xml b/docs/standalone.xml index 34d6da9c5..c7bb78967 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -515,15 +515,16 @@ root@lists:~# If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in - /etc/shorewall/macro.*, the general format of a rule - in /etc/shorewall/rules is: + /usr/share/shorewall/macro.*, the general format of a + rule in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) <macro>(ACCEPT) net $FW Be sure to add your rules after the line that reads SECTION NEW. + role="bold">SECTION NEW (?SECTION NEW in Shorewall 4.6.0 and + later). 
@@ -605,19 +606,34 @@ SSH(ACCEPT) net $FW shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. - A running firewall may be restarted using the shorewall - restart command. If you want to totally remove any trace - of Shorewall from your Netfilter configuration, use - shorewall clear. + url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules + (/etc/shorewall/routestopped + in Shorewall 4.5.7 and earlier). A running firewall may be restarted using + the shorewall restart command. If you + want to totally remove any trace of Shorewall from your Netfilter + configuration, use shorewall + clear. If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless - you have added an entry for the IP address that you are connected from - to /etc/shorewall/routestopped. - Also, I don't recommend using shorewall + you have either: + + + + Used ADMINISABSENTMINDED=Yes in + /etc/shorewall/shorewall.conf or + + + + added an entry for the IP address that you are connected from + to /etc/shorewall/routestopped. + + + + Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the @@ -954,8 +953,8 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 a defined macro. Shorewall includes a number of defined macros and you can add your own. To see the list of macros included with your version of Shorewall, run the - command ls - /usr/share/shorewall/macro.*. + command shorewall show + macros. You don't have to use defined macros when coding a rule in /etc/shorewall/rules. The first example above (name 
@@ -1128,12 +1127,14 @@ ACCEPT net $FW tcp 80 The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry - in /etc/shorewall/routestopped. - A running firewall may be restarted using the shorewall - restart command. If you want to totally remove any trace of - Shorewall from your Netfilter configuration, use shorewall - clear. + in /etc/shorewall/stoppedrules + (/etc/shorewall/routestopped + on Shorewall 4.5.7 and earlier). A running firewall may be restarted using + the shorewall restart command. If you want to totally + remove any trace of Shorewall from your Netfilter configuration, use + shorewall clear. @@ -1144,16 +1145,26 @@ ACCEPT net $FW tcp 80 /etc/shorewall/routestopped accordingly. If you are connected to your firewall from the Internet, do not - issue a shorewall stop command unless you have - added an entry for the IP address that you are connected from to - /etc/shorewall/routestopped. - Also, I don't recommend using shorewall restart; it - is better to create an alternate - configuration and test it using the shorewall - try command. + issue a shorewall stop command + unless you have either: + + + + Used ADMINISABSENTMINDED=Yes in + /etc/shorewall/shorewall.conf; or + + + + added an entry for the IP address that + you are connected from to /etc/shorewall/routestopped. + + + + Also, I don't recommend using shorewall + restart; it is better to create an alternate + configuration and test it using the shorewall + try command. The firewall will start after your network interfaces have been diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 870b05b91..5026414a6 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml 
@@ -171,7 +171,6 @@ /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces /usr/share/doc/packages/shorewall/Samples/two-interfaces/masq /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy -/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones ~# @@ -203,8 +202,9 @@ If you install using the .deb, you will find that your /etc/shorewall directory - is empty. This is intentional. The released configuration file - skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the @@ -910,8 +910,8 @@ DNS(ACCEPT) $FW netThis rule allows In the rule shown above, DNS(ACCEPT)is an example of a macro invocation. Shorewall includes a number of - macros (see /usr/share/shorewall/macro.*) and you can add your own. + macros (command shorewall show macros) + and you can add your own. You don't have to use defined macros when coding a rule in /etc/shorewall/rules; Shorewall will start slightly @@ -1046,7 +1046,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workshorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. + url="manpages/shorewall-routestopped.html">routestopped + (Shorewall 4.5.7 and earlier) or in /etc/shorewall/stoppedrules. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use 
@@ -1063,10 +1065,22 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work If you are connected to your firewall from the Internet, do not issue a shorewall stop command - unless you have added an entry for the IP address - that you are connected from to /etc/shorewall/routestopped. - Also, I don't recommend using shorewall + unless you have either: + + + + Used ADMINISABSENTMINDED=Yes in + /etc/shorewall/shorewall.conf; or + + + + added an entry for the IP address that + you are connected from to /etc/shorewall/routestopped. + + + + Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command.