Shorewall 2.2.4 ----------------------------------------------------------------------- Problems corrected in version 2.2.4 1) The error message: Error: No appropriate chain for zone to zone has been changed to one that is more self-explanatory: Error: No policy defined for zone to zone ----------------------------------------------------------------------- New Features in version 2.2.4 1) Support has been added for UPnP using linux-igd (http://linux-idg.sourceforge.net). UPnP is required by a number of popular applications including MSN IM. WARNING: From a security architecture viewpoint, UPnP is a disaster. It assumes that: a) All local systems and their users are completely trustworthy. b) No local system is infected with any worm or trojan. If either of these assumptions are not true then UPnP can be used to totally defeat you firewall and to allow incoming connections to arbitrary local systems on any port whatsoever. In short: USE UPnP AT YOUR OWN RISK. WARNING: The linux-igd project appears to be inactive and the web site does not display correctly on any open source browser that I've tried. Building and installing linux-igd is not for the faint of heart. You must download the source from the CVS and be prepared to do quite a bit of fiddling with the include files from libupnp (which is required to build and/or run linux-igd). linux-idg Configuration: In /etc/upnpd.conf, you will want: insert_forward_rules = yes prerouting_chain_name = UPnP forward_chain_name = forwardUPnP Shorewall Configuration: In /etc/shorewall/interfaces, you need the 'upnp' option on your external interface. If your fw->loc policy is not ACCEPT then you need this rule: allowoutUPnP fw loc Note: To use 'allowoutUPnP', your iptables and kernel must support the 'owner match' feature (see the output of "shorewall check"). If your loc->fw policy is not ACCEPT then you need this rule: allowinUPnP loc fw You MUST have this rule: forwardUPnP net loc You must also ensure that you have a route to 224.0.0.0/4 on your internal (local) interface. 2) A new 'started' extension script has been added. The difference between this extension script and /etc/shorewall/start is that this one is invoked after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been created (thus signaling that the firewall is completely up. /etc/shorewall/started should not change the firewall configuration directly but may do so indirectly by running /sbin/shorewall with the 'nolock' option. 3) By default, shorewall is started with the "-f" (fast) option when your system boots. You can override that setting by setting the OPTIONS variable in /etc/sysconfig/shorewall (SuSE/Redhat) or /etc/default/shorewall (Debian/Bering). If neither file exists, feel free to create one. Example: If you want Shorewall to always use the config files even if there is a saved configuration, then specify: OPTIONS="" 4) Shorewall now has support for the SAME target. This change affects the /etc/shorewall/masq and /etc/shorewall/rules file. SAME is useful when you specify multiple target IP addresses (in the ADDRESSES column of /etc/shorewall/masq or in the DEST column of /etc/shorewall/rules). If you use normal SNAT then multiple connections from a given local host to hosts on the internet can be assigned different source IP addresses. This confuses some applications that use multiple connections. To correct this problem, prefix the list of address ranges in the ADDRESS column with "SAME:" Example: SAME:206.124.146.176-206.124.146.180 If you want each internal system to use the same IP address from the list regardless of which internet host it is talking to then prefix the rages with "SAME:nodst:". Example: SAME:nodst:206.124.146.176-206.124.146.180 Note that it is not possible to map port numbers when using SAME. In the rules file, when multiple connections from an internet host match a SAME rule then all of the connections will be sent to the same internal server. SAME rules are very similar to DNAT rules with the keyword SAME replacing DNAT. As in the masq file, changing the port number is not supported. 5) A "shorewall show capabilities" command has been added to report the capabilities of your kernel and iptables. Example: gateway:~# shorewall show capabilities Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Shorewall has detected the following iptables/netfilter capabilities: NAT: Available Packet Mangling: Available Multi-port Match: Available Extended Multi-port Match: Available Connection Tracking Match: Available Packet Type Match: Not available Policy Match: Available Physdev Match: Available IP range Match: Available Recent Match: Available Owner Match: Available gateway:~# 6) A "-v" option has been added to /sbin/shorewall. Currently, this option only affects the "show log" command (e.g., "shorewall -v show log") and the "monitor" command. In these commands, it causes the MAC address in the log message (if any) to be displayed. As previously, when "-v" is omitted, the MAC address is suppressed. 7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or DEST columns now causes the rule to be ignored. This is most useful when used with shell variables: Example: /etc/shorewall/rules: AllowFTP $FTP_CLIENTS fw When FTP_CLIENTS is set to 'none', the above rule is ignored. Otherwise, the rule is evaluated and generates iptables rules. ----------------------------------------------------------------------- Problems corrected in version 2.2.3 1) If a zone is defined in /etc/shorewall/hosts using :! in the HOSTS column then startup errors occur on "shorewall [re]start". 2) Previously, if "shorewall status" was run on a system whose kernel lacked advanced routing support (CONFIG_IP_ADVANCED_ROUTER), then no routing information was displayed. ----------------------------------------------------------------------- New Features in version 2.2.3 1) A new extension script "continue" has been added. This script is invoked after Shorewall has set the built-in filter chains' policy to DROP, deleted any existing Netfilter rules and user chains and has enabled existing connections. It is useful for enabling certain communication while Shorewall is being [re]started. Be sure to delete any rules that you add here in your /etc/shorewall/start file. 2) There has been ongoing confusion about how the /etc/shorewall/routestopped file works. People understand how it works with the 'shorewall stop' command but when they read that 'shorewall restart' is logically equivalent to 'shorewall stop' followed by 'shorewall start' then they erroneously conclude that /etc/shorewall/routestopped can be used to enable new connections during 'shorewall restart'. Up to now, it cannot -- that file is not processed during either 'shorewall start' or 'shorewall restart'. Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped will be processed TWICE during 'shorewall start' and during 'shorewall restart'. It will be processed early in the command execution to add rules allowing new connections while the command is running and it will be processed again when the command is complete to remove the rules added earlier. The result of this change will be that during most of [re]start, new connections will be allowed in accordance with the contents of /etc/shorewall/routestopped. 3) The performance of configurations with a large numbers of entries in /etc/shorewall/maclist can be improved by setting the new MACLIST_TTL variable in /etc/shorewall/shorewall.conf. If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the results of a 'maclist' file lookup and thus reduce the overhead associated with MAC Verification. When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in /etc/shorewall/maclist. If there is a match then the source IP address is added to the 'Recent' set for that interface. Subsequent connection attempts from that IP address occuring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries. After $MACLIST_TTL from the first accepted connection request from an IP address, the next connection request from that IP address will be checked against the entire list. If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not be cached. 4) You can now specify QUEUE as a policy and you can designate a common action for QUEUE policies in /etc/shorewall/actions. This is useful for sending packets to something like Snort Inline. ----------------------------------------------------------------------- Problems corrected in version 2.2.2 1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP ranges (assuming that your iptables and kernel support ranges). 2) If A is a user-defined action and you have file /etc/shorewall/A then when that file is invoked, the $TAG value may be incorrect. 3) Previously, if an iptables command generating a logging rule failed, the Shorewall [re]start was still successful. This error is now considered fatal and Shorewall will be either restored from the last save (if any) or it will be stopped. 4) The port numbers for UDP and TCP were previously reversed in the /usr/share/shorewall/action.AllowPCA file. 5) Previously, the 'install.sh' script did not update the /usr/share/shorewall/action.* files. 6) Previously, when an interface name appeared in the DEST column of /etc/shorewall/tcrules, the name was not validated against the set of defined interfaces and bridge ports. ----------------------------------------------------------------------- New Features in version 2.2.2 1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW to be optionally followed by ":" and a host/network address or address range. 2) Shorewall now clears the output device only if it is a terminal. This avoids ugly control sequences being placed in files when /sbin/shorewall output is redirected. 3) The output from 'arp -na' has been added to the 'shorewall status' display. 4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges to appear in port lists handled by "multiport match". If Shorewall detects this capability, it will use "multiport match" for port lists containing port ranges. Be cautioned that each port range counts for TWO ports and a port list handled with "multiport match" can still specify a maximum of 15 ports. As always, if a port list in /etc/shorewall/rules is incompatible with "multiport match", a separate iptables rule will be generated for each element in the list. 5) Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918' processing to cease for a packet if the packet's source IP address matches the rule. Thus, if you have: SUBNETS TARGET 192.168.1.0/24 RETURN then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you also have: SUBNETS TARGET 10.0.0.0/8 logdrop Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be logged and dropped since while the packet's source matches the RETURN rule, the packet's destination matches the 'logdrop' rule. If not specified or specified as empty (e.g., RFC1918_STRICT="") then RFC1918_STRICT=No is assumed. WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support 'Connection Tracking' match. ----------------------------------------------------------------------- Problems corrected in version 2.2.1 1) The /etc/shorewall/policy file contained a misleading comment and both that file and the /etc/shorewall/zones file lacked examples. 2) Shorewall previously used root's default umask which could cause files in /var/lib/shorewall to be world-readable. Shorewall now uses umask 0177. 3) In log messages produced by logging a built-in action, the packet disposition was displayed incorrectly. Example: rejNotSyn:ULOG all all tcp produces the log message: Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ... rather than Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ... 3) The comments regarding built-in actions in /usr/share/shorewall/actions.std have been corrected. 4) The /etc/shorewall/policy file in the LRP package was missing the 'all->all' policy. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0 to Shorewall 2.2: 1) Shorewall configuration files except shorewall.conf are now empty (they contain only comments). If you wish to retain the defaults in any of the following files, you should copy these files before upgrading them then restore them after the upgrade: /etc/shorewall/zones /etc/shorewall/policy /etc/shorewall/tos 2) The following builtin actions have been removed and have been replaced by the new action logging implementation described in the new features below. logNotSyn rLogNotSyn dLogNotSyn 3) If shorewall.conf is upgraded to the latest version, it needs to be modified to set STARTUP_ENABLED=Yes 4) The Leaf/Bering version of Shorewall was previously named: shorwall-.lrp Beginning with 2.2, that file will now be named: shorewall-lrp-.tgz Simply rename that file to 'shorwall.lrp' when installing it on your LEAF/Bering system. 5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no longer contain a second (SNAT) address. You must use an entry in /etc/shorewall/masq instead. Example from Shorewall FAQ #1: Prior to Shorewall 2.2: /etc/shorewall/interfaces loc eth1 detect routeback,... /etc/shorewall/rules DNAT loc loc:192.168.1.12 tcp 80 \ - 130.252.100.69:192.168.1.254 Shorewall 2.2 and Later: /etc/shorewall/interfaces loc eth1 detect routeback,... /etc/shorewall/masq: eth1 eth1 192.168.1.254 tcp 80 /etc/shorewall/rules: DNAT loc loc:192.168.1.12 tcp 80 \ - 130.252.100.69 6) The 'logunclean' and 'dropunclean' options that were deprecated in Shorewall 2.0 have now been removed completely. 7) A new IPTABLES variable has been added to shorewall.conf. This variable names the iptables executable that Shorewall will use. The variable is set to "/sbin/iptables". If you use the new shorewall.conf, you may need to change this setting to maintain compabibility with your current setup (if you use your existing shorewall.conf that does not set IPTABLES then you should experience no change in behavior). 8) The default port for OpenVPN tunnels has been changed from 5000 to 1194 to reflect the recent IANA allocation of that port for OpenVPN. ----------------------------------------------------------------------- New Features in Shorewall 2.2.0: 1) ICMP packets that are in the INVALID state are now dropped by the Reject and Drop default actions. They do so using the new 'dropInvalid' builtin action. An 'allowInvalid' builtin action is also provided which accepts packets in that state. 2) The /etc/shorewall/masq file INTERFACE column now allows additional options. Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT rules defined in the /etc/shorewall/nat file. If you preceed the interface name with a plus sign ("+") then the rule will be evaluated before one-to-one NAT. Examples: +eth0 +eth1:192.0.2.32/27 Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an entry by following the interface name by ":" but no digit. Examples: eth0: eth1::192.0.2.32/27 +eth3: 3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows you to override the setting of ADD_IP_ALIASES=Yes by following the interface name with ":" but no digit. 4) All configuration files in the Shorewall distribution with the exception of shorewall.conf are now empty. In particular, the /etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos files now have no active entries. Hopefully this will stop the questions on the support and development lists regarding why the default entries are the way they are. 5) Previously, including a log level (and optionally a log tag) on a rule that specified a user-defined (or Shorewall-defined) action would log all traffic passed to the action. Beginning with this release, specifying a log level in a rule that specifies a user- or Shorewall-defined action will cause each rule in the action to be logged with the specified level (and tag). The extent to which logging of action rules occurs is goverend by the following: a) When you invoke an action and specify a log level, only those rules in the action that have no log level will be changed to log at the level specified at the action invocation. Example: /etc/shorewall/action.foo: ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: foo:debug fw net Logging in the invoked 'foo' action will be: ACCEPT:debug - - tcp 22 bar:info b) If you follow the log level with "!" then logging will be at that level for all rules recursively invoked by the action Example: /etc/shorewall/action.foo: ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: foo:debug! fw net Logging in the invoke 'foo' action will be: ACCEPT:debug - - tcp 22 bar:debug! This change has an effect on extension scripts used with user-defined actions. If you define an action 'acton' and you have an /etc/shorewall/acton script then when that script is invoked, the following three variables will be set for use by the script: $CHAIN = the name of the chain where your rules are to be placed. When logging is used on an action invocation, Shorewall creates a chain with a slightly different name from the action itself. $LEVEL = Log level. If empty, no logging was specified. $TAG = Log Tag. Example: /etc/shorewall/rules: acton:info:test Your /etc/shorewall/acton file will be run with: $CHAIN="%acton1" $LEVEL="info" $TAG="test" 6) The /etc/shorewall/startup_disabled file is no longer created when Shorewall is first installed. Rather, the variable STARTUP_ENABLED is set to 'No' in /etc/shorewall/shorewall.conf. In order to get Shorewall to start, that variable's value must be set to 'Yes'. This change accomplishes two things: a) It prevents Shorewall from being started prematurely by the user's initialization scripts. b) It causes /etc/shorewall/shorewall.conf to be modified so that it won't be replaced by upgrades using RPM. 7) Some additional support has been added for the 2.6 Kernel IPSEC implementation. To use this support, you must have installed the IPSEC policy match patch and the four IPSEC/Netfilter patches from Patch-0-Matic-ng. The policy match patch affects both your kernel and iptables. There are two ways to specify that IPSEC is to be used when communicating with a set of hosts; both methods involve the new /etc/shorewall/ipsec file: a) If encrypted communication is used with all hosts in a zone, then you can designate the zone as an "ipsec" zone by placing 'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec: #ZONE IPSEC OPTIONS ... # ONLY vpn Yes The hosts in the zone (if any) must be specified in /etc/shorewall/hosts but you do not need to specify the 'ipsec' option on the entries in that file (see below). Dynamic zones involving IPSEC must use that technique. Example: Under 2.4 Kernel FreeS/Wan: /etc/shorewall/zones: net Net The big bad Internet vpn VPN Remote Network /etc/shorewall/interfaces: net eth0 ... vpn ipsec0 ... Under 2.6 Kernel with this new support: /etc/shorewall/zones: net Net The big bad Internet vpn VPN Remote Network /etc/shorewall/interfaces: net eth0 ... /etc/shorewall/hosts: vpn eth0:0.0.0.0/0 /etc/shorewall/ipsec vpn Yes b) If only part of the hosts in a zone require encrypted communication, you may use of the new 'ipsec' option in /etc/shorewall/hosts to designate those hosts. Example: Under 2.4 Kernel FreeS/Wan: /etc/shorewall/zones: net Net The big bad Internet loc Local Extended local zone /etc/shorewall/interfaces: net eth0 ... loc eth1 ... loc ipsec0 ... Under 2.6 Kernel with this new support: /etc/shorewall/zones: net Net The big bad Internet vpn VPN Remote Network /etc/shorewall/interfaces: net eth0 ... loc eth1 ... /etc/shorewall/hosts: vpn eth0:0.0.0.0/0 ipsec,... Regardless of which technique you choose, you can specify additional SA options for the zone in the /etc/shorewall/ipsec entry. The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the input-output, input and output characteristics of the security associations to be used to decrypt (input) or encrypt (output) traffic to/from the zone. The available options are: reqid[!]= where is specified using setkey(8) using the 'unique:' option for the SPD level. spi[!]= where is the SPI of the SA. Since different SAs are used to encrypt and decrypt traffic, this option should only be listed in the IN OPTIONS and OUT OPTIONS columns. proto[!]=ah|esp|ipcomp mss= (sets the MSS value in TCP SYN packets and is not related to policy matching) mode[!]=transport|tunnel tunnel-src[!]=
[/] (only available with mode=tunnel) tunnel-dst[!]=
[/] (only available with mode=tunnel). Because tunnel source and destination are dependent on the direction of the traffic, these options should only appear in the IN OPTIONS and OUT OPTIONS columns. strict (if specified, packets must match all policies; policies are delimited by 'next'). next (only available with strict) Examples: #ZONE IPSEC OPTIONS IN OUT... # ONLY OPTIONS OPTIONS vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001 loc No reqid=44,mode=transport The /etc/shorewall/masq file has a new IPSEC column added. If you specify Yes or yes in that column then the unencrypted packets will have their source address changed. Otherwise, the unencrypted packets will not have their source addresses changed. This column may also contain a comma-separated list of the options specified above in which case only those packets that will be encrypted by an SA matching the given options will have their source address changed. 8) To improve interoperability, tunnels of type 'ipsec' no longer enforce the use of source port 500 for ISAKMP and OpenVPN tunnels no longer enforce use of the specified port as both the source and destination ports. 9) A new 'allowBcast' builtin action has been added -- it silently allows broadcasts and multicasts. 10) The -c option in /sbin/shorewall commands is now deprecated. The commands where -c was previously allowed now permit you to specify a configuration directory after the command: shorewall check [ ] shorewall restart [ ] shorewall start [ ] 11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp connection, Netfilter attempts to retain the source port number. If it has to change to port number to avoid , conflicts, it tries to do so within port ranges ( < 512, 512-1023, and > 1023). You may now specify an explicit range of source ports to be used by following the address or address range (if any) in the ADDRESS column with ":" and a port range in the format -. You must specify either "tcp" or "udp" in the PROTO column. Examples 1 -- MASQUERADE with tcp source ports 4000-5000: #INTERFACE SUBNET ADDRESS PROTO eth0 192.168.1.0/24 :4000-5000 tcp Example 2 -- SNAT with udp source ports 7000-8000: #INTERFACE SUBNET ADDRESS PROTO eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp 12) You may now account by user/group ID for outbound traffic from the firewall itself with entries in /etc/shorewall/accounting. Such accounting rules must be placed in the OUTPUT chain. See the comments at the top of /etc/shorewall/accounting for details. 13) Shorewall now verifies that your kernel and iptables have physdev match support if BRIDGING=Yes in shorewall.conf. 14) Beginning with this release, if your kernel and iptables have iprange match support (see the output from "shorewall check"), then with the exception of the /etc/shorewall/netmap file, anywhere that a network address may appear an IP address range of the form - may also appear. 15) Support has been added for the iptables CLASSIFY target. That target allows you to classify packets for traffic shaping directly rather than indirectly through fwmark. Simply enter the : classification in the first column of /etc/shorewall/tcrules: Example: #MARK/ SOURCE DEST PROTO PORT(S) #CLASSIFY 1:30 - eth0 tcp 25 Note that when using this form of rule, it is acceptable to include the name of an interface in the DEST column. Marking using the CLASSIFY target always occurs in the POSTROUTING chain of the mangle table and is not affected by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf. 16) During "shorewall start", IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when /etc/shorewall/nat and /etc/shorewall/masq are processed then the are re-added later. This is done to help ensure that the addresses can be added with the specified labels but can have the undesirable side effect of causing routes to be quietly deleted. A new RETAIN_ALIASES option has been added to shorewall.conf; when this option is set to Yes, existing addresses will not be deleted. Regardless of the setting of RETAIN_ALIASES, addresses added during "shorewall start" are still deleted at a subsequent "shorewall stop" or "shorewall restart". 17) Users with a large black list (from /etc/shorewall/blacklist) may want to set the new DELAYBLACKLISTLOAD option in shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules. While this may allow connections from blacklisted hosts to slip by during construction of the blacklist, it can substantially reduce the time that all new connections are disabled during "shorewall [re]start". 18) Using the default LOGFORMAT, chain names longer than 11 characters (such as in user-defined actions) may result in log prefix truncation. A new shorewall.conf action LOGTAGONLY has been added to deal with this problem. When LOGTAGONLY=Yes, logging rules that specify a log tag will substitute the tag for the chain name in the log prefix. Example -- file /etc/shorewall/action.thisisaverylogactionname: Rule: DROP:info:ftp 0.0.0.0/0 0.0.0.0/0 tcp 21 Log prefix with LOGTAGONLY=No: Shorewall:thisisaverylongacti Log prefix with LOGTAGONLY=Yes: Shorewall:ftp:DROP 19) Shorewall now resets the 'accept_source_route' flag for all interfaces. If you wish to accept source routing on an interface, you must specify the new 'sourceroute' interface option in /etc/shorewall/interfaces. 20) The default Drop and Reject actions now invoke the new standard action 'AllowICMPs'. This new action accepts critical ICMP types: Type 3 code 4 (fragmentation needed) Type 11 (TTL exceeded) 21) Explicit control over the kernel's Martian logging is now provided using the new 'logmartians' interface option. If you include 'logmartians' in the interface option list then logging of Martian packets on will be enabled on the specified interface. If you wish to globally enable martian logging, you can set LOG_MARTIANS=Yes in shorewall.conf. 22) You may now cause Shorewall to use the '--set-mss' option of the TCPMSS target. In other words, you can cause Shorewall to set the MSS field of SYN packets passing through the firewall to the value you specify. This feature extends the existing CLAMPMSS option in /etc/shorewall/shorewall.conf by allowing that option to have a numeric value as well as the values "Yes" and "No". Example: CLAMPMSS=1400 23) Shorewall now includes support for the ipp2p match facility. This is a departure from my usual policy in that the ipp2p match facility is included in Patch-O-Matic-NG and is unlikely to ever be included in the kernel.org source tree. Questions about how to install the patch or how to build your kernel and/or iptables should not be posted on the Shorewall mailing lists. In the following files, the "PROTO" or "PROTOCOL" column may contain "ipp2p": /etc/shorewall/rules /etc/shorewall/tcrules /etc/shorewall/accounting When the PROTO or PROTOCOL column contains "ipp2p" then the DEST PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a list of the options and their meaning, at a root prompt: iptables -m ipp2p --help You must not include the leading "--" on the option; Shorewall will supply those characters for you. If you do not include an option then "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p"). 24) Shorewall now has support for the CONNMARK target from iptables. See the /etc/shorewall/tcrules file for details. 25) A new debugging option LOGALLNEW has been added to shorewall.conf. When set to a log level, this option causes Shorewall to generaate a logging rule as the first rule in each builtin chain. - The table name is used as the chain name in the log prefix. - The chain name is used as the target in the log prefix. Example: Using the default LOGFORMAT, the log prefix for logging from the nat table's PREROUTING chain is: Shorewall:nat:PREROUTING IMPORTANT: There is no rate limiting on these logging rules so use LOGALLNEW at your own risk; it may cause high CPU and disk utilization and you may not be able to control your firewall after you enable this option. DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL BE SENT TO ANOTHER SYSTEM. 26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed SUBNETS and it is now possible to specify a list of addresses in that column. 27) The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS). 28) For consistency, the CLIENT PORT(S) column in the tcrules file has been renamed SOURCE PORT(S). 29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown in the output of "shorewall status". 30) A new IPTABLES option has been added to shorewall.conf. IPTABLES can be used to designate the iptables executable to be used by Shorewall. If not specified, the iptables executable determined by the PATH setting is used. 31) You can now use the "shorewall show zones" command to display the current contents of the zones. This is particularly useful if you use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf). Example: ursa:/etc/shorewall # shorewall show zones Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004 loc eth0:192.168.1.0/24 eth1:1.2.3.4 net eth0:0.0.0.0/0 WiFi eth1:0.0.0.0/0 sec eth1:0.0.0.0/0 ursa:/etc/shorewall # 32) Variable expansion may now be used with the INCLUDE directive. Example: /etc/shorewall/params FILE=/etc/foo/bar Any other config file: INCLUDE $FILE 33) The output of "shorewall status" now includes the results of "ip -stat link ls". This helps diagnose performance problems caused by link errors. 34) Previously, when rate-limiting was specified in /etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded the specified rate was silently dropped. Now, if a log level is given in the entry (LEVEL column) then drops are logged at that level at a rate of 5/min with a burst of 5. 35) Recent 2.6 kernels include code that evaluates TCP packets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID. The new kernel code can be disabled by including this command in your /etc/shorewall/init file: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal Additional kernel logging about INVALID TCP packets may be obtained by adding this command to /etc/shorewall/init: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid Traditionally, Shorewall has dropped INVALID TCP packets early. The new DROPINVALID option allows INVALID packets to be passed through the normal rules chains by setting DROPINVALID=No. If not specified or if specified as empty (e.g., DROPINVALID="") then DROPINVALID=Yes is assumed. 36) The "shorewall add" and "shorewall delete" commands now accept a list of hosts to add or delete. Examples: shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12 shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12 The above commands may also be written: shorewall add eth1:1.2.3.4,2.3.4.5 z12 shorewall delete eth1:1.2.3.4,2.3.4.5 z12 37) TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel type. OpenVPN entries in /etc/shorewall/tunnels have this format: openvpn[:{tcp|udp}][:] Examples: openvpn:tcp net 1.2.3.4 # TCP tunnel on port 1194 openvpn:3344 net 1.2.3.4 # UDP on port 3344 openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455 38) A new 'ipsecvpn' script is included in the tarball and in the RPM. The RPM installs the file in the Documentation directory (/usr/share/doc/packages/shorewall-2.2.0-0RC1). This script is intended for use on Roadwarrior laptops for establishing an IPSEC SA to/from remote networks. The script has some limitations: - Only one instance of the script may be used at a time. - Only the first SPD accessed will be instantiated at the remote gateway. So while the script creates SPDs to/from the remote gateway and each network listed in the NETWORKS setting at the front of the script, only one of these may be used at a time. 39) The IANA has recently registered port 1194 for use by OpenVPN. In previous versions of Shorewall (and OpenVPN), the default port was 5000 but has been changed to 1194 to conform to the new OpenVPN default. 40) The output of "shorewall status" now lists the loaded netfilter kernel modules. 41) The range of UDP ports opened by the AllowTrcrt action has been increased to 33434:33524.