diff --git a/docs/Actions.xml b/docs/Actions.xml
index f65b6157a..7fe3fe23f 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -414,7 +414,7 @@ Reject:REJECT #Default Action for REJECT policy
If you don’t want to define a test but need to specify anything
in the following columns, place a "-" in this field.
- ! — Inverts the test (not equal)
+ ! — Inverts the test (not equal)
<value> — Value of the packet
or connection mark.
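Review bot: the removed and added `!` lines are indistinguishable in this hunk, so the change is presumably whitespace or a character-entity substitution; if it is accidental, drop it, otherwise the commit message should say what changed so that whoever checks the rendered page knows what to look for.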
@@ -554,8 +554,27 @@ acton:info:test $FW net
- For an example of how to use these variables, see this article.
+ Shorewall-perl sets lexical variables as follows:
+
+
+
+ $chainref is a reference to the chain-table entry for the chain
+ where your rules are to be placed.
+
+
+
+ $level is the log level. If false, no logging was
+ specified.
+
+
+
+ $tag is the log tag.
+
+
+
+ For an example of how to use these variables in both Shorewall-shell
+ and Shorewall-perl, see this
+ article.
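Review bot: the new list of lexical variables does not say how an action script gets at them or at the helper functions; the DropBcasts example in the next hunk opens with `use Shorewall::Chains;`, so state here that a Shorewall-perl action file must import Shorewall::Chains and that `$chainref`, `$level` and `$tag` are set by the compiler before the file is evaluated. "If false" for `$level` should also be made concrete (the Limit listing later in this patch tests `$level eq ''`), so readers know to test for the empty string rather than for `undef`.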
@@ -583,7 +602,9 @@ acton:info:test $FW net
When using Shorewall-Perl:
/etc/shorewall/DropBcastsuse Shorewall::Chains;
-add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
+add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
+
+1;
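Review bot: the trailing `1;` added to the DropBcasts example needs one sentence of explanation, since the shell version has no counterpart: the same `1;` closes the SSHKnock and Limit listings later in this patch, which implies the compiler evaluates the file and requires a true result, so omitting it makes the action fail to load. Without that note readers will treat the line as decorative and drop it from their own actions.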
diff --git a/docs/FTP.xml b/docs/FTP.xml
index d29fd712e..535ae99fa 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -293,6 +293,15 @@ xt_tcpudp 3328 0
FTP on Non-standard Ports
+
+ If you are running kernel 2.6.20 or
+ later, replace ip_conntrack_ftp with nf_conntrack_ftp in the following instructions.
+ Similarly, replace ip_nat_ftp with
+ nf_nat_ftp.
+
+
The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
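Review bot: the kernel 2.6.20 note is scoped to "the following instructions" under "FTP on Non-standard Ports", but the `xt_tcpudp` module listing in the hunk context shows that module names are discussed earlier in the article as well; either move the note ahead of the module discussion or reword it to cover the whole article, so readers on newer kernels do not look for `ip_conntrack_ftp` in the listing above and conclude the helper is missing.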
diff --git a/docs/Install.xml b/docs/Install.xml
index cf84d0932..5c15769cd 100644
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -91,13 +91,27 @@
page.
If you try to install the wrong package, it probably won't
- work.
+ work.
+ If you are installing Shorewall 4.0.0 or later then you need
+ to install at least two packages.
+
+ Shorewall
+
+
+
+ Either Shorewall-shell (the classic shell-based
+ configuration compiler) and/or Shorewall-perl (the newer and
+ faster compiler written in Perl).
+
+ If you are installing Shorewall for the first
+ time, we strongly suggest that you install Shorewall-perl.
+
Install the RPM
- rpm -ivh <shorewall rpm>
+ rpm -ivh <shorewall rpm> <compiler rpm> ...
Some users are in the habit of using the rpm
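Review bot: "Either Shorewall-shell ... and/or Shorewall-perl" is self-contradictory; write it as "one or both of Shorewall-shell ... and Shorewall-perl ...", which also agrees with the "at least two packages" sentence just above. The new `rpm -ivh <shorewall rpm> <compiler rpm> ...` placeholder is clear; the two --nodeps hunks later in this file shorten the same command to `<rpms>`, so pick one form for the whole file.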
@@ -115,7 +129,7 @@
though a 2.4 kernel is installed. If this happens, simply use the
--nodeps option to rpm.
- rpm -ivh --nodeps <shorewall rpm>
+ rpm -ivh --nodeps <rpms>
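Review bot: `<rpms>` is vaguer than the `<shorewall rpm> <compiler rpm> ...` placeholder introduced in the first hunk; keep the same placeholder here so the --nodeps workaround does not read as installing Shorewall on its own without a compiler package.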
@@ -129,7 +143,7 @@
package (see 1., above) but may be worked around by using the
--nodeps option of rpm.
- rpm -ivh --nodeps <shorewall rpm>
+ rpm -ivh --nodeps <rpms>
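Review bot: same placeholder inconsistency as the previous hunk (`<rpms>` here versus `<shorewall rpm> <compiler rpm> ...` in the first hunk); use one form throughout Install.xml.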
@@ -165,6 +179,43 @@
Install using tarball
+
+ If you are installing Shorewall 4.0.0 or later, then you need to
+ install one of the configuration compilers before you install Shorewall itself. You can
+ choose to install one or both compilers:
+
+ Shorewall-shell - the classic configuration compiler written
+ in Bourne Shell.
+
+
+
+ Shorewall-perl - a newer and faster compiler written in
+ Perl.
+
+ If you are installing Shorewall for the first time, we
+ strongly suggest that you install Shorewall-perl.
+
+ To install Shorewall-perl:
+
+ unpack the tarball (tar -zxf
+ shorewall-perl-x.y.z.tgz).
+
+
+
+ cd to the shorewall-perl directory (the version is encoded
+ in the directory name as in
+ shorewall-perl-4.0.0
).
+
+
+
+ Type:
+
+ ./install.sh
+
+ Installing Shorewall-shell is similar.
+
+
To install Shorewall using the tarball and install script:
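Review bot: "Installing Shorewall-shell is similar" leaves the reader to guess the tarball and directory names; since the steps name `shorewall-perl-x.y.z.tgz` and `shorewall-perl-4.0.0`, say explicitly that the Shorewall-shell tarball and directory follow the same pattern. The paragraph also asserts that a compiler must be installed before Shorewall itself without saying what depends on that order, whereas the RPM section puts both packages on one `rpm -ivh` line; one sentence on what fails if the order is reversed would make the requirement credible.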
@@ -312,7 +363,7 @@ Pin-Priority: 700Then
Upgrade the RPM
- rpm -Uvh <shorewall rpm file>
+ rpm -Uvh <shorewall rpm file> <compiler rpm file> ...
Some SUSE users have encountered a
@@ -320,7 +371,7 @@ Pin-Priority: 700Then
though a 2.4 kernel is installed. If this happens, simply use the
--nodeps option to rpm.
- rpm -Uvh --nodeps <shorewall rpm>
+ rpm -Uvh --nodeps <shorewall rpm> <compiler rpm> ...
@@ -333,7 +384,7 @@ Pin-Priority: 700Then
This may be worked around by using the --nodeps option of
rpm.
- rpm -Uvh --nodeps <shorewall rpm>
+ rpm -Uvh --nodeps <shorewall rpm> <compiler-rpm> ...
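Review bot: `<compiler-rpm>` is hyphenated here while the two preceding upgrade hunks use `<compiler rpm>`; use one spelling so the three commands read as the same procedure.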
@@ -530,7 +581,7 @@ tar -xzvf /mnt/package2.lrp
For information on other LEAF/Bering upgrade tools, check out this
+ url="http://leaf.cvs.sourceforge.net/*checkout*/leaf/devel/alexrh/lck/README.html">this
article by Alex Rhomberg.
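Review bot: the context line ends with "check out this" and the added line ends with `>this`, so the rendered sentence reads "check out this this article by Alex Rhomberg"; drop one "this". The hunk header promises a same-length replacement but only the `+` line is visible in this excerpt, so confirm that the old `url` line is actually removed rather than left beside the new one.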
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml
index 19f4e85e2..511233099 100644
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -40,7 +40,7 @@
The feature described in this article require 'Recent Match' in
your iptables and kernel. See the output of shorewall show
- capabilities to see if you have that match.
+ capabilities to see if you have that match.
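Review bot: the removed and added lines are identical as shown, so this is presumably a whitespace or entity change; while touching this paragraph, the unchanged context line "The feature described in this article require 'Recent Match'" should read "requires".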
@@ -88,7 +88,9 @@
Create /etc/shorewall/SSHKnock with the following
- contents:
+ contents.
+
+ If using Shorewall-shell:
if [ -n "$LEVEL" ]; then
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
@@ -98,6 +100,35 @@ run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --nam
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP
+
+ If using Shorewall-perl:use Shorewall::Chains;
+
+if ( $level ) {
+ log_rule_limit( $level,
+ $chainref,
+ 'SSHKnock',
+ 'ACCEPT',
+ '',
+ $tag,
+ 'add',
+ '-p tcp --dport 22 -m recent --rcheck --name SSH );
+
+ log_rule_limit( $level,
+ $chainref,
+ 'SSHKnock'
+ 'DROP'
+ '',
+ $tag,
+ 'add',
+ '-p tcp --dport ! 22' );
+}
+
+add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
+add_rule( $chainref, '-p tcp --dport 1599 -m recent --name SSH --remove -j DROP' );
+add_rule( $chainref, '-p tcp --dport 1600 -m recent --name SSH --set -j DROP' );
+add_rule( $chainref, '-p tcp --dport 1601 -m recent --name SSH --remove -j DROP' );
+
+1;
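Review bot: the Shorewall-perl SSHKnock file will not compile as written: the first `log_rule_limit` call ends with `'-p tcp --dport 22 -m recent --rcheck --name SSH );` with no closing quote, and the second call is missing the commas after `'SSHKnock'` and after `'DROP'`. Because the compiler evaluates this file, a syntax error means none of the knock rules are installed and port 22 is left governed by whatever policy follows; fix the three typos and run the listing through `perl -c` (with the Shorewall-perl modules on `@INC`) before publishing.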
@@ -240,14 +271,45 @@ else
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
fi
-run_iptables -A $CHAIN -j ACCEPT
-
+run_iptables -A $CHAIN -j ACCEPT
In Shorewall 3.3, Limit is made into a built-in action; basically
that means that the above code now lives inside of Shorewall rather than
in a separate file.
+
+ For completeness, here's the above
+ /usr/share/shorewall/Limit for use with
+ Shorewall-perl:
+
+ my @tag = split /,/, $tag;
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
+ unless @tag == 3;
+
+my $set = $tag[0];
+
+for ( @tag[1,2] ) {
+ fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $tag[1] + 1;
+
+add_rule $chainref, "-m recent --name $set --set";
+
+if ( $level ) {
+ my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+ log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+ add_rule $xchainref, '-j DROP';
+ add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+} else {
+ add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
+}
+
+add_rule $chainref, '-j ACCEPT';
+
+1;
\ No newline at end of file
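Review bot: the Perl Limit listing has no `use Shorewall::Chains;` although the SSHKnock example above starts with one, and it calls `new_chain` and `fatal_error` as well as `add_rule` and `log_rule_limit`; say whether a built-in action file is evaluated in a context where these are already imported, or add the `use` line so the listing can serve as a template for custom actions. The numeric check `unless /^\d+$/` also accepts `0` for both max connections and interval, which yields `--hitcount 1 --seconds 0`; either reject zero or document what the recent match does with it, and make the error message name the offending field rather than echoing the whole tag.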
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 1683dc821..79c459bc6 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -614,10 +614,25 @@ Shorewall has detected the following iptables/netfilter capabilities:
- Port Numbers/Service Names
+ Protocol Number/Names and Port Numbers/Service Names
- Unless otherwise specified, when giving a port number you can use
- either an integer or a service name from /etc/services.
+ Unless otherwise specified, when giving a protocol number you can
+ use either an integer or a protocol name from
+ /etc/protocols. Similarly, when giving a port number
+ you can use either an integer or a service name from
+ /etc/services.
+ Shorewall-perl translates protocol names to protocol numbers and
+ service names to port numbers itself. The mapping that it uses is
+ contained in the Perl module
+ /usr/share/shorewall-perl/Shorewall/Ports.pm.
+ That module is built when Shorewall is installed or upgraded using the
+ current /etc/protocols and
+ /etc/services files as input (if the build
+ program fails, a fallback version of the module is installed).
+
+ To generate a new Ports.pm module:cp /usr/share/shorewall-perl/Shorewall/Ports.pm /usr/share/shorewall-perl/Shorewall/Ports.pm.backup
+/usr/share/shorewall/buildports.pm > /usr/share/shorewall-perl/Shorewall/Ports.pm
+
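Review bot: the regeneration command redirects the output of `buildports.pm` straight into `Ports.pm`, so if the build program fails (a case the paragraph itself anticipates) the shell has already truncated the module and the compiler is left with an empty `Ports.pm`; the preceding `cp` helps only if the reader remembers to restore the backup. Suggest writing to a sibling file and moving it into place only on success, e.g. `/usr/share/shorewall/buildports.pm > /usr/share/shorewall-perl/Shorewall/Ports.pm.new && mv /usr/share/shorewall-perl/Shorewall/Ports.pm.new /usr/share/shorewall-perl/Shorewall/Ports.pm`. Also confirm the paths: the module is under `/usr/share/shorewall-perl/` while `buildports.pm` is given under `/usr/share/shorewall/`.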
@@ -661,6 +676,17 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
15.
+
+
+ Shorewall-perl requires multiport
+ match in order to accept port lists in Shorewall configuration files. It
+ further requires Extended multiport
+ match in order to accept port ranges in port lists. Shorewall-perl will
+ never break a list longer than 15 ports (with each range counting as two
+ ports) into smaller lists. So you must be sure that your port lists can
+ be handled directly by the Netfilter/iptables capabilities
+ available.
+
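Review bot: "you must be sure that your port lists can be handled directly" does not say what happens when they cannot; state whether Shorewall-perl reports a compile-time error or emits rules silently, since the context line `15.` suggests the preceding text describes the list splitting that this paragraph says Shorewall-perl does not do. Pointing readers at `shorewall show capabilities` (already referenced in PortKnocking.xml in this patch) to check for Multiport and Extended multiport match would make the requirement actionable.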